DPP: Update Auth-I derivation operations
This is not properly defined in the technical specification and will need to be clarified there. Change the implementation to use a design that is more likely to be used in the cleaned up tech spec. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
77ae98511d
commit
2b406eecee
2 changed files with 28 additions and 32 deletions
|
@ -687,7 +687,7 @@ static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth,
|
|||
|
||||
if (dpp_derive_auth_i(auth, auth_i) < 0)
|
||||
goto fail;
|
||||
clear_len += 4 + auth->new_curve->hash_len;
|
||||
clear_len += 4 + auth->curve->hash_len;
|
||||
}
|
||||
#endif /* CONFIG_DPP3 */
|
||||
clear = wpabuf_alloc(clear_len);
|
||||
|
@ -738,11 +738,11 @@ skip_e_nonce:
|
|||
wpabuf_put_le16(clear, wpabuf_len(pe));
|
||||
wpabuf_put_buf(clear, pe);
|
||||
}
|
||||
if (auth->waiting_new_key && auth->new_curve) {
|
||||
if (auth->waiting_new_key) {
|
||||
wpa_printf(MSG_DEBUG, "DPP: Initiator Authentication Tag");
|
||||
wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
|
||||
wpabuf_put_le16(clear, auth->new_curve->hash_len);
|
||||
wpabuf_put_data(clear, auth_i, auth->new_curve->hash_len);
|
||||
wpabuf_put_le16(clear, auth->curve->hash_len);
|
||||
wpabuf_put_data(clear, auth_i, auth->curve->hash_len);
|
||||
}
|
||||
#endif /* CONFIG_DPP3 */
|
||||
|
||||
|
@ -2139,15 +2139,14 @@ dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
|
|||
"Missing Initiator Authentication Tag");
|
||||
goto fail;
|
||||
}
|
||||
if (rx_auth_i_len != auth->new_curve->hash_len ||
|
||||
os_memcmp(rx_auth_i, auth_i,
|
||||
auth->new_curve->hash_len) != 0) {
|
||||
if (rx_auth_i_len != auth->curve->hash_len ||
|
||||
os_memcmp(rx_auth_i, auth_i, auth->curve->hash_len) != 0) {
|
||||
dpp_auth_fail(auth,
|
||||
"Mismatch in Initiator Authenticating Tag");
|
||||
wpa_hexdump(MSG_DEBUG, "DPP: Received Auth-I",
|
||||
rx_auth_i, rx_auth_i_len);
|
||||
wpa_hexdump(MSG_DEBUG, "DPP: Derived Auth-I'",
|
||||
auth_i, auth->new_curve->hash_len);
|
||||
auth_i, auth->curve->hash_len);
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
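Review bot: The Initiator Authentication Tag check in the dpp_conf_req_rx hunk still compares the received and derived values with `os_memcmp`, which can return at the first differing byte, so the comparison time depends on how much of a peer-supplied tag matches. Since this line is being rewritten anyway, I would switch it to the constant-time helper: `os_memcmp_const(rx_auth_i, auth_i, auth->curve->hash_len) != 0`. The mismatch path also prints the derived Auth-I' with `wpa_hexdump`, while dpp_derive_auth_i logs the same value with `wpa_hexdump_key`; using `wpa_hexdump_key` here too would keep the expected tag out of debug logs unless key logging is enabled. dpp_conf_req_rx starts and ends outside the hunk.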
|
|
@ -2363,15 +2363,12 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|||
size_t Sx_len;
|
||||
unsigned int hash_len;
|
||||
const char *info = "New DPP Protocol Key";
|
||||
const u8 *addr[4];
|
||||
size_t len[4];
|
||||
const u8 *addr[3];
|
||||
size_t len[3];
|
||||
u8 tmp[DPP_MAX_HASH_LEN], k[DPP_MAX_HASH_LEN];
|
||||
struct wpabuf *pcx = NULL, *pex = NULL;
|
||||
|
||||
if (!auth->new_curve)
|
||||
return -1;
|
||||
|
||||
hash_len = auth->new_curve->hash_len;
|
||||
hash_len = auth->curve->hash_len;
|
||||
|
||||
/*
|
||||
* Configurator: S = pc * Pe
|
||||
|
@ -2379,11 +2376,13 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|||
* k = HKDF(bk, "New DPP Protocol Key", S.x)
|
||||
* = HKDF-Expand(HKDF-Extract(bk, S.X), "New DPP Protocol Key",
|
||||
* len(new-curve-hash-out))
|
||||
* Auth-I = H(k, E-nonce | Pc.x | Pe.x)
|
||||
* Note: Assume this H(k, ..) is actually H(k | ..)
|
||||
* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)
|
||||
*
|
||||
* auth->own_protocol_key, auth->peer_protocol_key, and auth->curve have
|
||||
* already been updated to use the new keys and curve.
|
||||
* auth->own_protocol_key and auth->peer_protocol_key have already been
|
||||
* updated to use the new keys. The new curve determines the size of
|
||||
* the (new) protocol keys and S.x. The other parameters (bk, hash
|
||||
* algorithm, k) are determined based on the initially determined curve
|
||||
* during the (re)authentication exchange.
|
||||
*/
|
||||
|
||||
if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key,
|
||||
|
@ -2395,13 +2394,12 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|||
/* tmp = HKDF-Extract(bk, S.x) */
|
||||
addr[0] = Sx;
|
||||
len[0] = Sx_len;
|
||||
res = dpp_hmac_vector(hash_len, auth->bk, auth->new_curve->hash_len,
|
||||
1, addr, len, tmp);
|
||||
res = dpp_hmac_vector(hash_len, auth->bk, hash_len, 1, addr, len, tmp);
|
||||
if (res < 0)
|
||||
goto fail;
|
||||
wpa_hexdump_key(MSG_DEBUG, "DPP: HKDF-Extract(bk, S.x)",
|
||||
tmp, hash_len);
|
||||
/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(new-curve-hash-out))
|
||||
/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(hash-output))
|
||||
*/
|
||||
res = dpp_hkdf_expand(hash_len, tmp, hash_len, info, k, hash_len);
|
||||
if (res < 0)
|
||||
|
@ -2411,11 +2409,9 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|||
"DPP: k = HKDF-Expand(\"New DPP Protocol Key\")",
|
||||
k, hash_len);
|
||||
|
||||
/* Auth-I = H(k | E-nonce | Pc.x | Pe.x) */
|
||||
addr[0] = k;
|
||||
len[0] = hash_len;
|
||||
addr[1] = auth->e_nonce;
|
||||
len[1] = auth->new_curve->nonce_len;
|
||||
/* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) */
|
||||
addr[0] = auth->e_nonce;
|
||||
len[0] = auth->curve->nonce_len;
|
||||
|
||||
if (auth->configurator) {
|
||||
pcx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
||||
|
@ -2428,14 +2424,15 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|||
}
|
||||
if (!pcx || !pex)
|
||||
goto fail;
|
||||
addr[2] = wpabuf_head(pcx);
|
||||
len[2] = wpabuf_len(pcx) / 2;
|
||||
addr[3] = wpabuf_head(pex);
|
||||
len[3] = wpabuf_len(pex) / 2;
|
||||
addr[1] = wpabuf_head(pcx);
|
||||
len[1] = wpabuf_len(pcx) / 2;
|
||||
addr[2] = wpabuf_head(pex);
|
||||
len[2] = wpabuf_len(pex) / 2;
|
||||
|
||||
if (dpp_hash_vector(auth->new_curve, 4, addr, len, auth_i) < 0)
|
||||
if (dpp_hmac_vector(hash_len, k, hash_len, 3, addr, len, auth_i) < 0)
|
||||
goto fail;
|
||||
wpa_hexdump_key(MSG_DEBUG, "DPP: Auth-I = H(k | E-nonce | Pc.x | Pe.x)",
|
||||
wpa_hexdump_key(MSG_DEBUG,
|
||||
"DPP: Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)",
|
||||
auth_i, hash_len);
|
||||
ret = 0;
|
||||
fail:
|
||||
|
|
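Review bot: The derivation comment in dpp_derive_auth_i still gives the HKDF-Expand output length as `len(new-curve-hash-out)` in the unchanged line just above the rewritten Auth-I line. That contradicts the paragraph this commit adds (bk, hash algorithm and k follow the initially determined curve) and the updated inline comment, which says `len(hash-output)`. I would change that line to `*                 len(hash-output))` so the block comment matches the code, where `hash_len` appears to come from `auth->curve`. It would also help to note in the comment that E-nonce is taken with `auth->curve->nonce_len` while the Pc.x and Pe.x lengths come from the new-curve keys, because the HMAC inputs now take their sizes from two different curves. The function starts and ends outside the hunks, so the cleanup of `tmp` and `k` after `fail:` is not visible here.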