cryptohome: Use point's X coordinate for derivation of recovery secret

Use point's affine X coordinate for HKDF computation to derive the
recovery secret.

BUG=b:194678588
TEST=cros_run_unit_tests --board=${BOARD} --packages cryptohome

Change-Id: I471b026a50056b90da4529b7516729f0e73e159d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3169653
Tested-by: Anastasiia N <anastasiian@chromium.org>
Commit-Queue: Anastasiia N <anastasiian@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
diff --git a/cryptohome/cryptorecovery/recovery_crypto.cc b/cryptohome/cryptorecovery/recovery_crypto.cc
index fc10c5f..3160002 100644
--- a/cryptohome/cryptorecovery/recovery_crypto.cc
+++ b/cryptohome/cryptorecovery/recovery_crypto.cc
@@ -183,9 +183,18 @@
     LOG(ERROR) << "Failed to perform point multiplication";
     return false;
   }
-  brillo::SecureBlob recovery_dh;
-  if (!ec_.PointToSecureBlob(*point_dh, &recovery_dh, context.get())) {
-    LOG(ERROR) << "Failed to convert EC_POINT to SecureBlob";
+  // Get point's affine X coordinate.
+  crypto::ScopedBIGNUM recovery_dh_x =
+      ec_.GetAffineCoordinateX(*point_dh, context.get());
+  if (!recovery_dh_x) {
+    LOG(ERROR) << "Failed to get affine X coordinate of point_dh";
+    return false;
+  }
+  brillo::SecureBlob hkdf_secret;
+  // Convert X coordinate to fixed-size blob.
+  if (!BigNumToSecureBlob(*recovery_dh_x, ec_.FieldElementSizeInBytes(),
+                          &hkdf_secret)) {
+    LOG(ERROR) << "Failed to convert recovery_dh_x BIGNUM to SecureBlob";
     return false;
   }
   const EC_POINT* dealer_pub_point =
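Review bot: The affine X coordinate in `recovery_dh_x` is the raw Diffie-Hellman secret, yet it is held in a `crypto::ScopedBIGNUM` while the value derived from it goes into a `brillo::SecureBlob`. The deleter of that scoped type is not visible in this hunk; if it is plain `BN_free` rather than `BN_clear_free`, the coordinate stays in freed heap memory after the function returns. I would wipe it as soon as the blob has been produced, on the success and the failure path of `BigNumToSecureBlob`, with `BN_clear(recovery_dh_x.get());`, or hold it in a scoped type whose deleter clears. The same applies to `destination_dh_x` in the third hunk. The enclosing function starts and ends outside the hunk.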
@@ -196,7 +205,7 @@
     LOG(ERROR) << "Failed to convert dealer_pub_key to a SecureBlob";
     return false;
   }
-  if (!ComputeHkdfWithInfoSuffix(recovery_dh, GetRecoveryKeyHkdfInfo(),
+  if (!ComputeHkdfWithInfoSuffix(hkdf_secret, GetRecoveryKeyHkdfInfo(),
                                  dealer_pub_key, /*salt=*/brillo::SecureBlob(),
                                  HkdfHash::kSha256, /*result_len=*/0,
                                  recovery_key)) {
@@ -517,12 +526,21 @@
     LOG(ERROR) << "Failed to perform point addition";
     return false;
   }
-  brillo::SecureBlob destination_dh;
-  if (!ec_.PointToSecureBlob(*point_dest, &destination_dh, context.get())) {
-    LOG(ERROR) << "Failed to convert EC_POINT to SecureBlob";
+  // Get point's affine X coordinate.
+  crypto::ScopedBIGNUM destination_dh_x =
+      ec_.GetAffineCoordinateX(*point_dest, context.get());
+  if (!destination_dh_x) {
+    LOG(ERROR) << "Failed to get affine X coordinate of point_dest";
     return false;
   }
-  if (!ComputeHkdfWithInfoSuffix(destination_dh, GetRecoveryKeyHkdfInfo(),
+  brillo::SecureBlob hkdf_secret;
+  // Convert X coordinate to fixed-size blob.
+  if (!BigNumToSecureBlob(*destination_dh_x, ec_.FieldElementSizeInBytes(),
+                          &hkdf_secret)) {
+    LOG(ERROR) << "Failed to convert destination_dh_x BIGNUM to SecureBlob";
+    return false;
+  }
+  if (!ComputeHkdfWithInfoSuffix(hkdf_secret, GetRecoveryKeyHkdfInfo(),
                                  dealer_pub_key, /*salt=*/brillo::SecureBlob(),
                                  HkdfHash::kSha256, /*result_len=*/0,
                                  destination_recovery_key)) {
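Review bot: Nothing here records that the encoding of `hkdf_secret` has to stay byte-identical to the one fed into the `recovery_key` derivation in the first hunk. The two copies of the X-coordinate conversion are independent, so a later edit to only one of them would presumably make the two derived keys diverge without any error being raised. I would put a comment above the conversion in both places, `// HKDF input must match the recovery_key derivation: affine X, padded to FieldElementSizeInBytes().`, or move both copies into one shared helper. The existing comments (`// Get point's affine X coordinate.`) restate the call rather than the reason for it. The enclosing function starts and ends outside the hunk.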