From bb3ea71a23bcd675bc45981cb2403109c6d4948d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 3 Feb 2017 14:37:30 +0200
Subject: [PATCH] ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually using the "optional data" component in the context data (see RFC 5295). RFC 6696 defines that optional data to be the cryptosuite field for rIK. This was missing from the previous implementation and that resulted in incorrect rIK being derived. In addition, the rIK Label string does not actually include the "EAP " prefix in the way as the rRK Label in RFC 6696 does. This would also have resulted in incorrect rIK value. Fix rIK derivation by adding the cryptosuite value into the KDF context data and fixing the label string. This change is not backwards compatible and breaks all ERP use cases (including FILS shared key authentication) with older (broken) and new (fixed) hostapd/wpa_supplicant builds.
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap.c | 8 +++++---
 src/eap_server/eap_server.c | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 1c6116aab..cd43934d0 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -489,7 +489,7 @@ static void eap_peer_erp_init(struct eap_sm *sm)
 u8 *emsk = NULL;
 size_t emsk_len = 0;
 u8 EMSKname[EAP_EMSK_NAME_LEN];
- u8 len[2];
+ u8 len[2], ctx[3];
 char *realm;
 size_t realm_len, nai_buf_len;
 struct eap_erp_key *erp = NULL;
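Review bot: The new `ctx[3]` buffer in eap_peer_erp_init() has a bare size and no description of its layout, and the same declaration is added in eap_server_erp_init() in src/eap_server/eap_server.c. Every byte of it feeds the rIK KDF, so I would document it at the declaration, for example `u8 ctx[3]; /* rIK KDF optional data: cryptosuite (1 octet) + key length (2 octets, big endian) */`. That way a later change to the cryptosuite or length encoding is made deliberately and on both sides. The function body starts and ends outside this hunk.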
@@ -550,9 +550,11 @@ static void eap_peer_erp_init(struct eap_sm *sm)
 erp->rRK_len = emsk_len;
 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
+ ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
+ WPA_PUT_BE16(&ctx[1], erp->rRK_len);
 if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
- "EAP Re-authentication Integrity Key@ietf.org",
- len, sizeof(len), erp->rIK, erp->rRK_len) < 0) {
+ "Re-authentication Integrity Key@ietf.org",
+ ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
 wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
 goto fail;
 }
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 08cc17187..ebfaa122f 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -415,7 +415,7 @@ static void eap_server_erp_init(struct eap_sm *sm)
 u8 *emsk = NULL;
 size_t emsk_len = 0;
 u8 EMSKname[EAP_EMSK_NAME_LEN];
- u8 len[2];
+ u8 len[2], ctx[3];
 const char *domain;
 size_t domain_len, nai_buf_len;
 struct eap_server_erp_key *erp = NULL;
@@ -476,9 +476,11 @@ static void eap_server_erp_init(struct eap_sm *sm)
 erp->rRK_len = emsk_len;
 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
+ ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
+ WPA_PUT_BE16(&ctx[1], erp->rRK_len);
 if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
- "EAP Re-authentication Integrity Key@ietf.org",
- len, sizeof(len), erp->rIK, erp->rRK_len) < 0) {
+ "Re-authentication Integrity Key@ietf.org",
+ ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
 wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
 goto fail;
 }
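Review bot: The corrected rIK derivation in eap_peer_erp_init() (src/eap_peer/eap.c) is repeated line for line in eap_server_erp_init() (src/eap_server/eap_server.c), and the diffstat shows only these two files changed, so no test accompanies it. The commit message says the earlier label and context data were wrong, and the removed lines show the same wrong values on both sides, which is the kind of error that stays invisible while peer and server share one implementation. A known-answer check of the rIK against an independently computed value would catch a regression, and a single helper called from both files would keep the label and context bytes from drifting apart. The sketch below uses a suggested name and presumes rRK_len is already bounded so that it fits the 16-bit length field (that check is not visible here); both enclosing functions continue outside their hunks.

```c
/* suggested shared helper; place it where both the peer and server code can call it */
int erp_derive_rik(const u8 *rrk, size_t rrk_len, u8 *rik)
{
	u8 ctx[3];

	/* optional data for rIK: cryptosuite (1 octet) + key length (BE16) */
	ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
	WPA_PUT_BE16(&ctx[1], rrk_len);
	return hmac_sha256_kdf(rrk, rrk_len,
			       "Re-authentication Integrity Key@ietf.org",
			       ctx, sizeof(ctx), rik, rrk_len);
}

/* in eap_peer_erp_init() and eap_server_erp_init(): */
if (erp_derive_rik(erp->rRK, erp->rRK_len, erp->rIK) < 0) {
	/* … unchanged: debug message and goto fail … */
```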