ERP: Fix rIK derivation

Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.

In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.

Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) between older (broken) and new (fixed)
hostapd/wpa_supplicant builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 2017-02-03 14:37:30 +02:00 committed by Jouni Malinen
parent eeea363cab
commit bb3ea71a23
2 changed files with 10 additions and 6 deletions


@ -489,7 +489,7 @@ static void eap_peer_erp_init(struct eap_sm *sm)
u8 *emsk = NULL; u8 *emsk = NULL;
size_t emsk_len = 0; size_t emsk_len = 0;
u8 EMSKname[EAP_EMSK_NAME_LEN]; u8 EMSKname[EAP_EMSK_NAME_LEN];
u8 len[2]; u8 len[2], ctx[3];
char *realm; char *realm;
size_t realm_len, nai_buf_len; size_t realm_len, nai_buf_len;
struct eap_erp_key *erp = NULL; struct eap_erp_key *erp = NULL;
@ -550,9 +550,11 @@ static void eap_peer_erp_init(struct eap_sm *sm)
erp->rRK_len = emsk_len; erp->rRK_len = emsk_len;
wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len); wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
WPA_PUT_BE16(&ctx[1], erp->rRK_len);
if (hmac_sha256_kdf(erp->rRK, erp->rRK_len, if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
"EAP Re-authentication Integrity Key@ietf.org", "Re-authentication Integrity Key@ietf.org",
len, sizeof(len), erp->rIK, erp->rRK_len) < 0) { ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP"); wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
goto fail; goto fail;
} }
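Review bot: The three-octet context built at `ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;` and `WPA_PUT_BE16(&ctx[1], erp->rRK_len);` has no comment tying it to the RFC 6696 layout, and the cryptosuite is a fixed constant rather than a value taken from negotiated state. I would add `/* rIK context (RFC 6696): cryptosuite (1 octet) | key length (2 octets, big endian) */` above the first assignment, and say there that the derived rIK is only valid for HMAC-SHA256-128, so support for another cryptosuite would have to re-derive with the selected value. `erp->rRK_len` is a size_t written into 16 bits; the bound on emsk_len is presumably checked earlier in eap_peer_erp_init, whose body starts and ends outside these hunks, and is worth confirming. The same comment applies to the identical lines in eap_server_erp_init.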


@ -415,7 +415,7 @@ static void eap_server_erp_init(struct eap_sm *sm)
u8 *emsk = NULL; u8 *emsk = NULL;
size_t emsk_len = 0; size_t emsk_len = 0;
u8 EMSKname[EAP_EMSK_NAME_LEN]; u8 EMSKname[EAP_EMSK_NAME_LEN];
u8 len[2]; u8 len[2], ctx[3];
const char *domain; const char *domain;
size_t domain_len, nai_buf_len; size_t domain_len, nai_buf_len;
struct eap_server_erp_key *erp = NULL; struct eap_server_erp_key *erp = NULL;
@ -476,9 +476,11 @@ static void eap_server_erp_init(struct eap_sm *sm)
erp->rRK_len = emsk_len; erp->rRK_len = emsk_len;
wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len); wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
WPA_PUT_BE16(&ctx[1], erp->rRK_len);
if (hmac_sha256_kdf(erp->rRK, erp->rRK_len, if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
"EAP Re-authentication Integrity Key@ietf.org", "Re-authentication Integrity Key@ietf.org",
len, sizeof(len), erp->rIK, erp->rRK_len) < 0) { ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP"); wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
goto fail; goto fail;
} }
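Review bot: The rIK derivation added in eap_server_erp_init is a line-for-line copy of the one in eap_peer_erp_init, so the label string, the context layout and the cryptosuite now live in two places that must stay byte-identical for ERP integrity checks to pass. Moving the derivation into one helper that both sides call removes that risk; a sketch follows, with the helper name only a suggestion. The earlier mistake presumably went unnoticed because both ends shared it, so a known-answer check of the helper against an independently computed value would be worth adding. eap_server_erp_init starts and ends outside the hunks shown.

```c
/* Proposed helper shared by peer and server; name is a suggestion */
int erp_derive_rik(const u8 *rrk, size_t rrk_len, u8 *rik)
{
	u8 ctx[3];

	/* RFC 6696 context: cryptosuite (1 octet) | key length (2 octets) */
	ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
	WPA_PUT_BE16(&ctx[1], rrk_len);
	return hmac_sha256_kdf(rrk, rrk_len,
			       "Re-authentication Integrity Key@ietf.org",
			       ctx, sizeof(ctx), rik, rrk_len);
}

/* ... unchanged: rRK derivation and wpa_hexdump_key() call ... */
	if (erp_derive_rik(erp->rRK, erp->rRK_len, erp->rIK) < 0) {
		wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
		goto fail;
	}
```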