From 16626dff9b110f86584d6c4198c00a857e0d5727 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 8 May 2020 21:13:32 +0300
Subject: [PATCH] DPP2: Derive bk ("base key")

Split ke derivation into two parts so that the previously used internal-only PRK gets stored as the bk in the authentication state. This new key will be needed for deriving additional keys with DPP R2.

Signed-off-by: Jouni Malinen
---
 src/common/dpp.c | 35 +++++++++++++++++------------------
 src/common/dpp.h | 1 +
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/common/dpp.c b/src/common/dpp.c
index b668e8f41..76580d642 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -1713,13 +1713,12 @@ static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2,
 }
-static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
- unsigned int hash_len)
+static int dpp_derive_bk_ke(struct dpp_authentication *auth)
 {
- size_t nonce_len;
+ unsigned int hash_len = auth->curve->hash_len;
+ size_t nonce_len = auth->curve->nonce_len;
 u8 nonces[2 * DPP_MAX_NONCE_LEN];
 const char *info_ke = "DPP Key";
- u8 prk[DPP_MAX_HASH_LEN];
 int res;
 const u8 *addr[3];
 size_t len[3];
@@ -1731,10 +1730,7 @@ static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
 return -1;
 }
- /* ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]) */
- /* HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
- nonce_len = auth->curve->nonce_len;
+ /* bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
 os_memcpy(nonces, auth->i_nonce, nonce_len);
 os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
 addr[num_elem] = auth->Mx;
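Review bot: dpp_derive_bk_ke() in the first dpp.c hunk now produces its output only as side effects on the authentication state, and nothing at the definition says which fields it writes or how many octets of them are valid. A short header comment would cover it, e.g. `/* Derive bk and ke into auth->bk and auth->ke (auth->curve->hash_len octets each); returns 0 on success, -1 on failure */`. Since hash_len and nonce_len are now read from auth->curve inside the function, the comment could also state that auth->curve must be set before the call; the copies into `nonces[2 * DPP_MAX_NONCE_LEN]` in the following hunk rely on that curve's nonce_len staying within DPP_MAX_NONCE_LEN, which is not checked here. The function body continues past this hunk.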
@@ -1754,20 +1750,23 @@ static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
 num_elem++;
 }
 res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
- num_elem, addr, len, prk);
+ num_elem, addr, len, auth->bk);
 if (res < 0)
 return -1;
- wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
- prk, hash_len);
+ wpa_hexdump_key(MSG_DEBUG,
+ "DPP: bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x])",
+ auth->bk, hash_len);
- /* HKDF-Expand(PRK, info, L) */
- res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len);
- os_memset(prk, 0, hash_len);
+ /* ke = HKDF-Expand(bkK, "DPP Key", length) */
+ res = dpp_hkdf_expand(hash_len, auth->bk, hash_len, info_ke, auth->ke,
+ hash_len);
 if (res < 0)
 return -1;
- wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)",
- ke, hash_len);
+ wpa_hexdump_key(MSG_DEBUG,
+ "DPP: ke = HKDF-Expand(bk, \"DPP Key\", length)",
+ auth->ke, hash_len);
+
 return 0;
 }
@@ -3153,7 +3152,7 @@ static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
 goto fail;
 }
- if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
+ if (dpp_derive_bk_ke(auth) < 0)
 goto fail;
 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
@@ -4160,7 +4159,7 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
 wrapped2, wrapped2_len);
- if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
+ if (dpp_derive_bk_ke(auth) < 0)
 goto fail;
 unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
diff --git a/src/common/dpp.h b/src/common/dpp.h
index de987dd93..e81526fc8 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -264,6 +264,7 @@ struct dpp_authentication {
 u8 k1[DPP_MAX_HASH_LEN];
 u8 k2[DPP_MAX_HASH_LEN];
 u8 ke[DPP_MAX_HASH_LEN];
+ u8 bk[DPP_MAX_HASH_LEN];
 int initiator;
 int waiting_auth_resp;
 int waiting_auth_conf;
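Review bot: The HKDF-Extract output is no longer wiped after use in the `-1754` hunk: the removed `os_memset(prk, 0, hash_len);` cleared it once ke was derived, whereas the new code keeps it in auth->bk for as long as the authentication state lives. That matches the commit's stated intent, but it makes the state's teardown path, which is outside this diff, responsible for clearing bk together with k1, k2 and ke, so that path is worth confirming. When `dpp_hkdf_expand()` fails, bk also stays populated while ke is not valid; both visible callers `goto fail`, so this looks harmless provided their fail paths discard or clear the state. The new comment has a typo as well: `/* ke = HKDF-Expand(bkK, "DPP Key", length) */` should read `/* ke = HKDF-Expand(bk, "DPP Key", length) */`.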