diff options
author | Vincent Palatin <vpalatin@chromium.org> | 2017-05-30 18:19:26 +0200 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-06-29 10:37:40 -0700 |
commit | 3fdda8b6f1a127bff83ed7e30316a837b941875c (patch) | |
tree | 988892479b674929b9baa3ffb2a5406de561f5ac /include/u2f_impl.h | |
parent | f7c89fc709daee2fb1474d3f918c11a4a0b71daa (diff) | |
download | chrome-ec-3fdda8b6f1a127bff83ed7e30316a837b941875c.tar.gz |
Add U2F implementation
Add the common code to support FIDO U2F (Universal second factor
authentication) protocol implementation: the APDU parsing and standard
commands execution, plus a few non-standard flags and hooks.
The u2f.h header is the unmodified copy from the U2F v1.1
Specifications archive.
Mostly copied over from the cr52 code-base.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=with follow-up CLs, run U2FTest on Eve.
CQ-DEPEND=CL:*390230
Change-Id: I636d4a77ea69d69b5ab18a958e58ee6fcb2476bc
Reviewed-on: https://chromium-review.googlesource.com/518136
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'include/u2f_impl.h')
-rw-r--r-- | include/u2f_impl.h | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/include/u2f_impl.h b/include/u2f_impl.h new file mode 100644 index 0000000000..6a14f5a151 --- /dev/null +++ b/include/u2f_impl.h @@ -0,0 +1,111 @@ +/* Copyright 2017 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +/* U2F implementation-specific callbacks and parameters. */ + +#ifndef __CROS_EC_U2F_IMPL_H +#define __CROS_EC_U2F_IMPL_H + +#include "common.h" +#include "cryptoc/p256.h" + +/* APDU fields to pass around */ +struct apdu { + uint8_t p1; + uint8_t p2; + uint16_t len; + const uint8_t *data; +}; + +/* + * Parses an APDU-framed message according to the u2f protocol. + * + * @return 0 on failure, output buffer's byte count on success. + */ +unsigned u2f_apdu_rcv(uint8_t *buffer, unsigned in_len, unsigned max_len); + +/* ---- Physical presence ---- */ + +enum touch_state { + POP_TOUCH_NO = 0, /* waiting for a user touch */ + POP_TOUCH_YES = 1, /* touch recorded and latched */ +}; + +/* + * Check whether the user presence event was latched. + * + * @param consume reset the latched touch event and the presence LED. + * @return POP_TOUCH_NO or POP_TOUCH_YES. + */ +enum touch_state pop_check_presence(int consume); + +/* ---- platform cryptography hooks ---- */ + +/** + * Generate an origin-specific ECDSA keypair. + * + * Calculates a diversified chip-unique 256b value. + * + * @param seed ptr to store 32-byte seed to regenerate this key on this chip + * @param d pointer to ECDSA private key + * @param pk_x pointer to public key point + * @param pk_y pointer to public key point + * + * @return EC_SUCCESS if a valid keypair was created. + */ +int u2f_origin_keypair(uint8_t *seed, p256_int *d, + p256_int *pk_x, p256_int *pk_y); + +/** + * Reconstitute the origin ECDSA private key from its seed. + * + * @param seed value returned by origin_keypair. + * @param d ptr to store the retrieved private key. + * @return EC_SUCCESS if we retrieved the key. + */ +int u2f_origin_key(const uint8_t *seed, p256_int *d); + +/*** + * Generate a hardware derived 256b private key. + * + * @param kek ptr to store the generated key. + * @param key_len size of the storage buffer. Should be 32 bytes. + * @return EC_SUCCESS if a valid key was created. + */ +int u2f_gen_kek(const uint8_t *origin, uint8_t *kek, size_t key_len); + +/** + * Generate a hardware derived ECDSA keypair for individual attestation. + * + * @param seed ptr to store 32-byte seed to regenerate this key on this chip + * @param d pointer to ECDSA private key + * @param pk_x pointer to public key point + * @param pk_y pointer to public key point + * + * @return EC_SUCCESS if a valid keypair was created. + */ +int g2f_individual_keypair(p256_int *d, p256_int *pk_x, p256_int *pk_y); + +/* ---- protocol extensions ---- */ + +/* Use non-standard extensions to the U2F protocol */ +int use_g2f(void); + +/* Non-standardized command status responses */ +#define U2F_SW_CLA_NOT_SUPPORTED 0x6E00 +#define U2F_SW_WRONG_LENGTH 0x6700 +#define U2F_SW_WTF 0x6f00 +/* Additional flags for the P1 fields */ +#define G2F_ATTEST 0x80 /* fixed attestation cert */ +#define G2F_CONSUME 0x02 /* consume presence */ + +/* Vendor command to enable/disable the extensions */ +#define U2F_VENDOR_MODE U2F_VENDOR_LAST + +/* call extensions for unsupported U2F INS */ +unsigned u2f_custom_dispatch(uint8_t ins, struct apdu apdu, uint8_t *buf, + unsigned *ret_len) __attribute__((weak)); + +#endif /* __CROS_EC_U2F_IMPL_H */ |