author Louis Collard <louiscollard@chromium.org> 2019-04-22 15:04:06 +0800
committer chrome-bot <chrome-bot@chromium.org> 2019-04-25 11:27:17 -0700
commit 04c85f7968a45f3f25504b8169d2a3751e588785 (patch)
tree fd138a29dee39ef95013ebd0828fa7da8263f312 /include/u2f.h
parent 351984635c163a8b2a8c623fb4ad8b3bc1c65477 (diff)
cr50: Support legacy U2F key handles

The new U2F functions make use of a new key derivation scheme. This adds a flag clients can specify that allows the new functions to also sign requests using a legacy key handle.

This will allow continued support of legacy key handles in Chrome OS whilst allowing the legacy code to be removed from cr50.

BUG=b:112603199, b:123161715
TEST=with new cr50 and u2fd patched to send new param:
- register legacy key handle with Google
- restart u2fd with user keys and no fallback
- check login fails
- restart u2fd with user keys and fallback
- check login succeeds

Signed-off-by: Louis Collard <louiscollard@chromium.org>
Change-Id: Ib3164e9c0856d51b958fa8db181153b5b2227850
Reviewed-on: https://chromium-review.googlesource.com/1580622
Reviewed-by: Andrey Pronin <apronin@chromium.org>

Diffstat (limited to 'include/u2f.h')
-rw-r--r-- include/u2f.h 6
1 files changed, 6 insertions, 0 deletions
diff --git a/include/u2f.h b/include/u2f.h
index 003f047175..1a445f8f4a 100644
--- a/include/u2f.h
+++ b/include/u2f.h
@@ -151,6 +151,12 @@ typedef struct {
#define G2F_ATTEST 0x80 // Fixed attestation key
#define G2F_CONSUME 0x02 // Consume presence
+// The key handle format was changed when support for user secrets was added.
+// U2F_SIGN requests that specify this flag will first try to validate the
+// key handle as a new format key handle, and if that fails, will fall back
+// to treating it as a legacy key handle (without user secrets).
+#define SIGN_LEGACY_KH 0x40
+
// U2F Attest format for U2F Register Response.
#define U2F_ATTEST_FORMAT_REG_RESP 0
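
Review bot: The comment above SIGN_LEGACY_KH does not say which field of the U2F_SIGN request carries the flag, and the define sits directly under G2F_ATTEST (0x80) and G2F_CONSUME (0x02) without stating whether 0x40 shares a flag byte with them. Please name the field in the comment and, if it is the same byte, say so next to the three defines so a later flag is not assigned an overlapping bit. Since the fallback accepts a key handle "without user secrets", the comment should also tell clients to set the flag only where legacy handles still have to work. As a style point, the new define lacks the G2F_ or U2F_ prefix its neighbours use.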