diff options
| author | Yicheng Li <yichengli@chromium.org> | 2020-07-23 17:57:08 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-08-18 05:55:41 +0000 |
| commit | 4b4bbc8d761225b260625584dadbc6d4e623ef2d (patch) | |
| tree | a540022243de10afb4b677c119611564609f728b /include/u2f.h | |
| parent | 4e9e48219c254654027040a09a181f377784b281 (diff) | |
| download | chrome-ec-4b4bbc8d761225b260625584dadbc6d4e623ef2d.tar.gz | |
Reland "u2f: Append hmac of auth time secret to versioned KH"stabilize-quickfix-13421.74.B-cr50_stabstabilize-quickfix-13421.100.B-cr50_stabstabilize-13421.99.B-cr50_stabstabilize-13421.96.B-cr50_stabstabilize-13421.89.B-cr50_stabstabilize-13421.80.B-cr50_stabstabilize-13421.73.B-cr50_stabstabilize-13421.53.B-cr50_stabstabilize-13421.42.B-cr50_stabstabilize-13421.103.B-cr50_stabstabilize-13421.102.B-cr50_stabrelease-R86-13421.B-cr50_stabfirmware-zork-13421.B-cr50_stab
This is a reland of d2627d12bb21308f49a72cadaf47a0a86730a960 with one
modification: The versioned key handle header (the old "key handle"
concept) is now used in the derivation of authorization_hmac. This is
to tie the key handle to the authorization secret.
Original change's description:
> u2f: Append hmac of auth time secret to versioned KH
>
> When generating versioned KHs, u2fd should send a public derivative
> (sha256) of the user's auth time secret to cr50. Cr50 derives an
> hmac of it and appends this authorization_hmac to the KH.
>
> When signing versioned KHs, u2fd may supply the unhashed auth time
> secret. Cr50 will check the authorization_hmac if no power button press.
> If the reconstructed hmac matches authorization_hmac, power button press
> is waived.
>
> Currently for v1, we will just prepare the authorization_hmac but not
> enforce it. This is because fingerprint and PIN are unable to unlock
> the same secret.
>
> While we waive power button press for v1, we can enforce
> authorization_hmac whenever auth-time secrets is ready.
>
> BUG=b:144861739
> TEST=- Use a known 32-byte "auth-time secret"
> - Compute the sha256 of the auth-time secret (this is public)
> - u2f_generate with the computed "authTimeSecretHash"
> - Add code to u2f_sign command handler such that cr50 computes
> the sha256 of the supplied auth-time secret at u2f_sign time
> and require power button press if the hmac doesn't match.
> - u2f_sign with the true auth-time secret -> observe in logging
> that hmac matches, and no power button press required.
> - u2f_sign with a wrong auth-time secret -> observe in logging
> that hmac doesn't match, and power button press is required
> for signing.
>
> Cq-Depend: chromium:2321731
> Change-Id: Ib9ae913667f8178ac7a4790f861d7dada972c4a0
> Signed-off-by: Yicheng Li <yichengli@chromium.org>
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2317047
> Reviewed-by: Andrey Pronin <apronin@chromium.org>
> Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
BUG=b:144861739
TEST=See original CL's TEST above
Cq-Depend: chromium:2327865
Change-Id: Ia1b0b4a585ec604398cfa730354ae1a91e7bc00b
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2355177
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'include/u2f.h')
| -rw-r--r-- | include/u2f.h | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/include/u2f.h b/include/u2f.h index 61b9677185..6680ef5300 100644 --- a/include/u2f.h +++ b/include/u2f.h @@ -31,6 +31,8 @@ extern "C" { #define U2F_MAX_ATTEST_SIZE 256 /* Size of largest blob to sign */ #define U2F_P256_SIZE 32 +#define SHA256_DIGEST_SIZE 32 + #define ENC_SIZE(x) ((x + 7) & 0xfff8) /* EC (uncompressed) point */ @@ -53,15 +55,24 @@ struct u2f_ec_point { #define U2F_KH_VERSION_1 0x01 +#define U2F_AUTHORIZATION_SALT_SIZE 16 + struct u2f_key_handle { uint8_t origin_seed[U2F_P256_SIZE]; - uint8_t hmac[U2F_P256_SIZE]; + uint8_t hmac[SHA256_DIGEST_SIZE]; }; -struct u2f_versioned_key_handle { +struct u2f_versioned_key_handle_header { uint8_t version; uint8_t origin_seed[U2F_P256_SIZE]; - uint8_t hmac[U2F_P256_SIZE]; + uint8_t kh_hmac[SHA256_DIGEST_SIZE]; +}; + +struct u2f_versioned_key_handle { + struct u2f_versioned_key_handle_header header; + /* Optionally checked in u2f_sign. */ + uint8_t authorization_salt[U2F_AUTHORIZATION_SALT_SIZE]; + uint8_t authorization_hmac[SHA256_DIGEST_SIZE]; }; /* TODO(louiscollard): Add Descriptions. */ @@ -70,6 +81,11 @@ struct u2f_generate_req { uint8_t appId[U2F_APPID_SIZE]; /* Application id */ uint8_t userSecret[U2F_P256_SIZE]; uint8_t flags; + /* + * If generating versioned KH, derive an hmac from it and append to + * the key handle. Otherwise unused. + */ + uint8_t authTimeSecretHash[SHA256_DIGEST_SIZE]; }; struct u2f_generate_resp { @@ -93,6 +109,7 @@ struct u2f_sign_req { struct u2f_sign_versioned_req { uint8_t appId[U2F_APPID_SIZE]; /* Application id */ uint8_t userSecret[U2F_P256_SIZE]; + uint8_t authTimeSecret[U2F_P256_SIZE]; uint8_t hash[U2F_P256_SIZE]; uint8_t flags; struct u2f_versioned_key_handle keyHandle; |