Migration to the new system of secure functions to derive keys based on OTP, if available, and pico_serial as a fallback. PIN is also an input vector, which defines a separated domain.

PIN is used to derive encryption key, derive session key and derive verifier. From session key is derived encryption key. As a consequence, MKEK functionalities are not necessary anymore, since key device is handled by this new set directly. Some MKEK functions are left for compatibility purposes and for the silent migration to new format. It also applies for double_hash_pin and hash_multi, which are deprecated. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-10-08 00:33:23 +02:00
parent 51c13b0f0b
commit 898c88dc6d
5 changed files with 134 additions and 141 deletions
--- a/src/fido/fido.h
+++ b/src/fido/fido.h
@@ -51,7 +51,7 @@ extern void init_fido();
 extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve);
 extern int mbedtls_curve_to_fido(mbedtls_ecp_group_id id);
 extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key);
-extern int load_keydev(uint8_t *key);
+extern int load_keydev(uint8_t key[32]);
 extern int encrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in_len, uint8_t *out);
 extern int decrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in_len, uint8_t *out);
 extern int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSecret);