diff --git a/fido2/crypto.h b/fido2/crypto.h
index a0b17f2..497ebf5 100644
--- a/fido2/crypto.h
+++ b/fido2/crypto.h
@@ -49,7 +49,6 @@ void generate_private_key(uint8_t * data, int len, uint8_t * data2, int len2, ui
 void crypto_ecc256_make_key_pair(uint8_t * pubkey, uint8_t * privkey);
 void crypto_ecc256_shared_secret(const uint8_t * pubkey, const uint8_t * privkey, uint8_t * shared_secret);
-// Key must be 32 bytes
 #define CRYPTO_TRANSPORT_KEY NULL
 #define CRYPTO_MASTER_KEY NULL
@@ -61,6 +60,7 @@ void crypto_aes256_decrypt(uint8_t * buf, int lenth);
 void crypto_aes256_encrypt(uint8_t * buf, int lenth);
 void crypto_reset_master_secret();
+void crypto_load_master_secret(uint8_t * key);
 extern const uint8_t attestation_cert_der[];
diff --git a/fido2/ctap.c b/fido2/ctap.c
index 2e62a01..2d3bb48 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -1253,6 +1253,9 @@ static void ctap_state_init()
 {
 // Set to 0xff instead of 0x00 to be easier on flash
 memset(&STATE, 0xff, sizeof(AuthenticatorState));
+ // Fresh RNG for key
+ ctap_generate_rng(STATE.key_space, KEY_SPACE_BYTES);
+
 STATE.is_initialized = INITIALIZED_MARKER;
 STATE.remaining_tries = PIN_LOCKOUT_ATTEMPTS;
 STATE.is_pin_set = 0;
@@ -1286,6 +1289,8 @@ void ctap_init()
 }
 }
+ crypto_load_master_secret(STATE.key_space);
+
 if (ctap_is_pin_set())
 {
 printf1(TAG_STOR,"pin code: \"%s\"\n", STATE.pin_code);
@@ -1303,7 +1308,6 @@ void ctap_init()
 printf1(TAG_ERR, "DEVICE LOCKED!\n");
 }
-
 if (ctap_generate_rng(PIN_TOKEN, PIN_TOKEN_SIZE) != 1)
 {
 printf2(TAG_ERR,"Error, rng failed\n");
@@ -1513,4 +1517,3 @@ void ctap_reset()
 crypto_reset_master_secret(); // Not sure what the significance of this is??
 }
-
diff --git a/targets/stm32l442/src/crypto.c b/targets/stm32l442/src/crypto.c
index 1a4af35..6d7a351 100644
--- a/targets/stm32l442/src/crypto.c
+++ b/targets/stm32l442/src/crypto.c
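Review bot: The new prototype `void crypto_load_master_secret(uint8_t * key);` in fido2/crypto.h states no size contract, and this commit removes the only size comment the header had. The implementation in targets/stm32l442/src/crypto.c reads 96 bytes from `key` (64 for the master secret, 32 for the transport secret), so a caller that passes a shorter buffer would read out of bounds into the key material. I would document that on the declaration, e.g. `// key must point to at least 96 bytes (KEY_SPACE_BYTES >= 96)`, and declare the parameter as `const uint8_t * key`, since the function only reads from it.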
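Review bot: The return value of `ctap_generate_rng(STATE.key_space, KEY_SPACE_BYTES);` is ignored in ctap_state_init(), although ctap_init() in this same file treats any result other than 1 as an RNG failure. Because the state was filled with 0xff on the line above, a failed call would presumably leave key_space as a constant, predictable value that then becomes the device's master and transport secrets. Check it as the PIN token path does, `if (ctap_generate_rng(STATE.key_space, KEY_SPACE_BYTES) != 1)`, and fail closed instead of marking the state initialized. The same unchecked call is in crypto_reset_master_secret() in targets/stm32l442/src/crypto.c, where the preceding memset would leave an all-zero key. ctap_state_init()'s body continues outside the hunk.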
@@ -53,12 +53,8 @@ static const uint8_t * _signing_key = NULL;
 static int _key_len = 0;
 // Secrets for testing only
-static uint8_t master_secret[32] = "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
- "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00";
-
-static uint8_t transport_secret[32] = "\x10\x01\x22\x33\x44\x55\x66\x77\x87\x90\x0a\xbb\x3c\xd8\xee\xff"
- "\xff\xee\x8d\x1c\x3b\xfa\x99\x88\x77\x86\x55\x44\xd3\xff\x33\x00";
-
+static uint8_t master_secret[64];
+static uint8_t transport_secret[32];
 void crypto_sha256_init()
@@ -66,9 +62,20 @@ void crypto_sha256_init()
 sha256_init(&sha256_ctx);
 }
+
+void crypto_load_master_secret(uint8_t * key)
+{
+#if KEY_SPACE_BYTES < 96
+#error "need more key bytes"
+#endif
+ memmove(master_secret, key, 64);
+ memmove(transport_secret, key+64, 32);
+}
+
 void crypto_reset_master_secret()
 {
- ctap_generate_rng(master_secret, 32);
+ memset(master_secret, 0, 64);
+ ctap_generate_rng(master_secret, 64);
 }
@@ -96,7 +103,7 @@ void crypto_sha256_hmac_init(uint8_t * key, uint32_t klen, uint8_t * hmac)
 if (key == CRYPTO_MASTER_KEY)
 {
 key = master_secret;
- klen = sizeof(master_secret);
+ klen = sizeof(master_secret)/2;
 }
 if(klen > 64)
@@ -125,7 +132,7 @@ void crypto_sha256_hmac_final(uint8_t * key, uint32_t klen, uint8_t * hmac)
 if (key == CRYPTO_MASTER_KEY)
 {
 key = master_secret;
- klen = sizeof(master_secret);
+ klen = sizeof(master_secret)/2;
 }
@@ -224,7 +231,7 @@ void generate_private_key(uint8_t * data, int len, uint8_t * data2, int len2, ui
 crypto_sha256_hmac_init(CRYPTO_MASTER_KEY, 0, privkey);
 crypto_sha256_update(data, len);
 crypto_sha256_update(data2, len2);
- crypto_sha256_update(master_secret, 32);
+ crypto_sha256_update(master_secret, 32); // TODO AES
 crypto_sha256_hmac_final(CRYPTO_MASTER_KEY, 0, privkey);
 }
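Review bot: The context comment `// Secrets for testing only` now sits directly above the arrays that hold the device's real secrets, which will mislead the next reader. Something like `// Device secrets; filled from STATE.key_space by crypto_load_master_secret()` would match the new behaviour. Both arrays are also zero-initialised statics until that load runs, so any HMAC or AES call made before ctap_init() reaches `crypto_load_master_secret` would presumably use an all-zero key. The call order is worth confirming.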
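Review bot: crypto_reset_master_secret() re-randomises only the in-RAM `master_secret`, so it no longer matches what ctap_init() loads at boot. `transport_secret` keeps its old value, and `STATE.key_space`, which this commit makes the source of both secrets, is not touched here. Unless the caller (ctap_reset(), whose body is outside this diff) also regenerates and persists key_space, the secret in use after a reset would differ from the one loaded after the next power cycle. Consider having the reset path refresh key_space and then call `crypto_load_master_secret(STATE.key_space);` so both secrets come from one persisted source. The literals 64 and 32 would also be safer as `sizeof(master_secret)` and `sizeof(transport_secret)`.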
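Review bot: `klen = sizeof(master_secret)/2;` in crypto_sha256_hmac_init() silently keeps the HMAC key at 32 bytes after the array grew to 64, and nothing says why; the same line is added in crypto_sha256_hmac_final(). In the code visible here, generate_private_key() also hashes `master_secret, 32`, the same first half that serves as the HMAC key, so bytes 32..63 are loaded but not used by any shown path. Please add a comment or a named constant stating the split, e.g. `// HMAC key = master_secret[0..31]; [32..63] reserved (see "TODO AES")`. If the second half was meant to be mixed into key derivation, that call would need `master_secret + 32`.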