ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually using the "optional data" component in the context data (see RFC 5295). RFC 6696 defines that optional data to be the cryptosuite field for rIK. This was missing from the previous implementation and that resulted in incorrect rIK being derived. In addition, the rIK Label string does not actually include the "EAP " prefix in the way as the rRK Label in RFC 6696 does. This would also have resulted in incorrect rIK value. Fix rIK derivation by adding the cryptosuite value into the KDF context data and fixing the label string. This change is not backwards compatible and breaks all ERP use cases (including FILS shared key authentication) with older (broken) and new (fixed) hostapd/wpa_supplicant builds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
eeea363cab
commit
bb3ea71a23
2 changed files with 10 additions and 6 deletions
|
@ -489,7 +489,7 @@ static void eap_peer_erp_init(struct eap_sm *sm)
|
|||
u8 *emsk = NULL;
|
||||
size_t emsk_len = 0;
|
||||
u8 EMSKname[EAP_EMSK_NAME_LEN];
|
||||
u8 len[2];
|
||||
u8 len[2], ctx[3];
|
||||
char *realm;
|
||||
size_t realm_len, nai_buf_len;
|
||||
struct eap_erp_key *erp = NULL;
|
||||
|
@ -550,9 +550,11 @@ static void eap_peer_erp_init(struct eap_sm *sm)
|
|||
erp->rRK_len = emsk_len;
|
||||
wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
|
||||
|
||||
ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
|
||||
WPA_PUT_BE16(&ctx[1], erp->rRK_len);
|
||||
if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
|
||||
"EAP Re-authentication Integrity Key@ietf.org",
|
||||
len, sizeof(len), erp->rIK, erp->rRK_len) < 0) {
|
||||
"Re-authentication Integrity Key@ietf.org",
|
||||
ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
|
||||
goto fail;
|
||||
}
|
||||
|
|
|
@ -415,7 +415,7 @@ static void eap_server_erp_init(struct eap_sm *sm)
|
|||
u8 *emsk = NULL;
|
||||
size_t emsk_len = 0;
|
||||
u8 EMSKname[EAP_EMSK_NAME_LEN];
|
||||
u8 len[2];
|
||||
u8 len[2], ctx[3];
|
||||
const char *domain;
|
||||
size_t domain_len, nai_buf_len;
|
||||
struct eap_server_erp_key *erp = NULL;
|
||||
|
@ -476,9 +476,11 @@ static void eap_server_erp_init(struct eap_sm *sm)
|
|||
erp->rRK_len = emsk_len;
|
||||
wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
|
||||
|
||||
ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
|
||||
WPA_PUT_BE16(&ctx[1], erp->rRK_len);
|
||||
if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
|
||||
"EAP Re-authentication Integrity Key@ietf.org",
|
||||
len, sizeof(len), erp->rIK, erp->rRK_len) < 0) {
|
||||
"Re-authentication Integrity Key@ietf.org",
|
||||
ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
|
||||
goto fail;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue