2 files changed, 33 insertions, 5 deletions

diff --git a/include/u2f.h b/include/u2f.h
index 61b9677185..6680ef5300 100644
--- a/include/u2f.h
+++ b/include/u2f.h
@@ -31,6 +31,8 @@ extern "C" {
 #define U2F_MAX_ATTEST_SIZE   256 /* Size of largest blob to sign */
 #define U2F_P256_SIZE	      32
 
+#define SHA256_DIGEST_SIZE    32
+
 #define ENC_SIZE(x) ((x + 7) & 0xfff8)
 
 /* EC (uncompressed) point */
@@ -53,15 +55,24 @@ struct u2f_ec_point {
 
 #define U2F_KH_VERSION_1 0x01
 
+#define U2F_AUTHORIZATION_SALT_SIZE 16
+
 struct u2f_key_handle {
 	uint8_t origin_seed[U2F_P256_SIZE];
-	uint8_t hmac[U2F_P256_SIZE];
+	uint8_t hmac[SHA256_DIGEST_SIZE];
 };
 
-struct u2f_versioned_key_handle {
+struct u2f_versioned_key_handle_header {
 	uint8_t version;
 	uint8_t origin_seed[U2F_P256_SIZE];
-	uint8_t hmac[U2F_P256_SIZE];
+	uint8_t kh_hmac[SHA256_DIGEST_SIZE];
+};
+
+struct u2f_versioned_key_handle {
+	struct u2f_versioned_key_handle_header header;
+	/* Optionally checked in u2f_sign. */
+	uint8_t authorization_salt[U2F_AUTHORIZATION_SALT_SIZE];
+	uint8_t authorization_hmac[SHA256_DIGEST_SIZE];
 };
 
 /* TODO(louiscollard): Add Descriptions. */
@@ -70,6 +81,11 @@ struct u2f_generate_req {
 	uint8_t appId[U2F_APPID_SIZE]; /* Application id */
 	uint8_t userSecret[U2F_P256_SIZE];
 	uint8_t flags;
+	/*
+	 * If generating versioned KH, derive an hmac from it and append to
+	 * the key handle. Otherwise unused.
+	 */
+	uint8_t authTimeSecretHash[SHA256_DIGEST_SIZE];
 };
 
 struct u2f_generate_resp {
@@ -93,6 +109,7 @@ struct u2f_sign_req {
 struct u2f_sign_versioned_req {
 	uint8_t appId[U2F_APPID_SIZE]; /* Application id */
 	uint8_t userSecret[U2F_P256_SIZE];
+	uint8_t authTimeSecret[U2F_P256_SIZE];
 	uint8_t hash[U2F_P256_SIZE];
 	uint8_t flags;
 	struct u2f_versioned_key_handle keyHandle;
diff --git a/include/u2f_impl.h b/include/u2f_impl.h
index 5bd69309c6..2c63d11d87 100644
--- a/include/u2f_impl.h
+++ b/include/u2f_impl.h
@@ -76,13 +76,14 @@ int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user,
  * @param user pointer to user secret
  * @param seed pointer to origin-specific random seed
  * @param version the version byte to pack; should be greater than 0.
- * @param key_handle buffer to hold the output key handle
+ * @param key_handle_header buffer to hold the output key handle header
  *
  * @return EC_SUCCESS if a valid keypair was created.
  */
 int u2f_origin_user_versioned_keyhandle(
 	const uint8_t *origin, const uint8_t *user, const uint8_t *seed,
-	uint8_t version, struct u2f_versioned_key_handle *key_handle);
+	uint8_t version,
+	struct u2f_versioned_key_handle_header *key_handle_header);
 
 /**
  * Generate an origin and user-specific ECDSA keypair from the specified
@@ -101,6 +102,16 @@ int u2f_origin_user_versioned_keyhandle(
 int u2f_origin_user_keypair(const uint8_t *key_handle, size_t key_handle_size,
 			    p256_int *d, p256_int *pk_x, p256_int *pk_y);
 
+/**
+ * Derive an hmac from the given salt, key handle and hash. The salt is to make
+ * sure the hmac is different for different key handles of one user. The key
+ * handle header is encoded into the authorization hmac to protect against
+ * swapping auth time secret.
+ */
+int u2f_authorization_hmac(const uint8_t *authorization_salt,
+			   const struct u2f_versioned_key_handle_header *header,
+			   const uint8_t *auth_time_secret_hash, uint8_t *hmac);
+
 /***
  * Generate a hardware derived 256b private key.
  *