DPP: Update Auth-I derivation operations

This is not properly defined in the technical specification and will
need to be clarified there. Change the implementation to use a design
that is more likely to be used in the cleaned up tech spec.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-03-09 20:49:17 +02:00 committed by Jouni Malinen
parent 77ae98511d
commit 2b406eecee
2 changed files with 28 additions and 32 deletions

View file

@ -687,7 +687,7 @@ static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth,
if (dpp_derive_auth_i(auth, auth_i) < 0)
goto fail;
clear_len += 4 + auth->new_curve->hash_len;
clear_len += 4 + auth->curve->hash_len;
}
#endif /* CONFIG_DPP3 */
clear = wpabuf_alloc(clear_len);
@ -738,11 +738,11 @@ skip_e_nonce:
wpabuf_put_le16(clear, wpabuf_len(pe));
wpabuf_put_buf(clear, pe);
}
if (auth->waiting_new_key && auth->new_curve) {
if (auth->waiting_new_key) {
wpa_printf(MSG_DEBUG, "DPP: Initiator Authentication Tag");
wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
wpabuf_put_le16(clear, auth->new_curve->hash_len);
wpabuf_put_data(clear, auth_i, auth->new_curve->hash_len);
wpabuf_put_le16(clear, auth->curve->hash_len);
wpabuf_put_data(clear, auth_i, auth->curve->hash_len);
}
#endif /* CONFIG_DPP3 */
@ -2139,15 +2139,14 @@ dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
"Missing Initiator Authentication Tag");
goto fail;
}
if (rx_auth_i_len != auth->new_curve->hash_len ||
os_memcmp(rx_auth_i, auth_i,
auth->new_curve->hash_len) != 0) {
if (rx_auth_i_len != auth->curve->hash_len ||
os_memcmp(rx_auth_i, auth_i, auth->curve->hash_len) != 0) {
dpp_auth_fail(auth,
"Mismatch in Initiator Authenticating Tag");
wpa_hexdump(MSG_DEBUG, "DPP: Received Auth-I",
rx_auth_i, rx_auth_i_len);
wpa_hexdump(MSG_DEBUG, "DPP: Derived Auth-I'",
auth_i, auth->new_curve->hash_len);
auth_i, auth->curve->hash_len);
goto fail;
}
}

View file

@ -2363,15 +2363,12 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
size_t Sx_len;
unsigned int hash_len;
const char *info = "New DPP Protocol Key";
const u8 *addr[4];
size_t len[4];
const u8 *addr[3];
size_t len[3];
u8 tmp[DPP_MAX_HASH_LEN], k[DPP_MAX_HASH_LEN];
struct wpabuf *pcx = NULL, *pex = NULL;
if (!auth->new_curve)
return -1;
hash_len = auth->new_curve->hash_len;
hash_len = auth->curve->hash_len;
/*
* Configurator: S = pc * Pe
@ -2379,11 +2376,13 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
* k = HKDF(bk, "New DPP Protocol Key", S.x)
* = HKDF-Expand(HKDF-Extract(bk, S.X), "New DPP Protocol Key",
* len(new-curve-hash-out))
* Auth-I = H(k, E-nonce | Pc.x | Pe.x)
* Note: Assume this H(k, ..) is actually H(k | ..)
* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)
*
* auth->own_protocol_key, auth->peer_protocol_key, and auth->curve have
* already been updated to use the new keys and curve.
* auth->own_protocol_key and auth->peer_protocol_key have already been
* updated to use the new keys. The new curve determines the size of
* the (new) protocol keys and S.x. The other parameters (bk, hash
* algorithm, k) are determined based on the initially determined curve
* during the (re)authentication exchange.
*/
if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key,
@ -2395,13 +2394,12 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
/* tmp = HKDF-Extract(bk, S.x) */
addr[0] = Sx;
len[0] = Sx_len;
res = dpp_hmac_vector(hash_len, auth->bk, auth->new_curve->hash_len,
1, addr, len, tmp);
res = dpp_hmac_vector(hash_len, auth->bk, hash_len, 1, addr, len, tmp);
if (res < 0)
goto fail;
wpa_hexdump_key(MSG_DEBUG, "DPP: HKDF-Extract(bk, S.x)",
tmp, hash_len);
/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(new-curve-hash-out))
/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(hash-output))
*/
res = dpp_hkdf_expand(hash_len, tmp, hash_len, info, k, hash_len);
if (res < 0)
@ -2411,11 +2409,9 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
"DPP: k = HKDF-Expand(\"New DPP Protocol Key\")",
k, hash_len);
/* Auth-I = H(k | E-nonce | Pc.x | Pe.x) */
addr[0] = k;
len[0] = hash_len;
addr[1] = auth->e_nonce;
len[1] = auth->new_curve->nonce_len;
/* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) */
addr[0] = auth->e_nonce;
len[0] = auth->curve->nonce_len;
if (auth->configurator) {
pcx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
@ -2428,14 +2424,15 @@ int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
}
if (!pcx || !pex)
goto fail;
addr[2] = wpabuf_head(pcx);
len[2] = wpabuf_len(pcx) / 2;
addr[3] = wpabuf_head(pex);
len[3] = wpabuf_len(pex) / 2;
addr[1] = wpabuf_head(pcx);
len[1] = wpabuf_len(pcx) / 2;
addr[2] = wpabuf_head(pex);
len[2] = wpabuf_len(pex) / 2;
if (dpp_hash_vector(auth->new_curve, 4, addr, len, auth_i) < 0)
if (dpp_hmac_vector(hash_len, k, hash_len, 3, addr, len, auth_i) < 0)
goto fail;
wpa_hexdump_key(MSG_DEBUG, "DPP: Auth-I = H(k | E-nonce | Pc.x | Pe.x)",
wpa_hexdump_key(MSG_DEBUG,
"DPP: Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)",
auth_i, hash_len);
ret = 0;
fail: