named-data-iot / ndn-lite

A lightweight NDN protocol stack with high-level application support including security bootstrapping, access control, trust management, etc.
https://ndn-lite.named-data.net
GNU Lesser General Public License v3.0

ndn_lite_default_hmac_sha256 computes T(1) incorrectly #30

Closed yoursunny closed 5 years ago

yoursunny commented 5 years ago

According to RFC5869 section 2.3:

T(0) = empty string (zero length)
T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)

And section 2.1:

When the message is composed of several elements we use concatenation
(denoted |) in the second argument; for example, HMAC(K, elem1 |
elem2 | elem3).

Given T(0) is empty, if info is also empty, the HMAC key used to compute T(1) should be 0x01.

As of a4dcb80458dff521ac8767b0e0067c1e14fab98d, ndn_lite_default_hkdf invokes:

```c
uint8_t t_first[2] = {0x00, 0x01};
for (int i = 0; i < iter; ++i) {
  if (i == 0) {
    struct abstract_hmac_key t_key;
    ndn_lite_default_hmac_load_key(&t_key, t_first, sizeof(t_first));
    ndn_lite_default_hmac_sha256(prk, NDN_SEC_SHA256_HASH_SIZE, &t_key, t);
    memcpy(okm + i * NDN_SEC_SHA256_HASH_SIZE, t, NDN_SEC_SHA256_HASH_SIZE);
  }
}
```

This code uses t_first (i.e. 0x00 0x01) as HMAC key to compute T(1), which differs from RFC5869's definition.

tianyuan129 commented 5 years ago

Commit 1c407556693ac807c1167cf170b19ed341d724c5 will address this problem. Thank you for pointing this out.
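
A mismatch like the one reported in this issue is caught by checking the KDF against a published RFC 5869 test vector. The sketch below is an added example, not part of the thread or of ndn-lite's code: it implements HKDF-SHA256 with Python's standard library and checks it against the Appendix A.3 vector (zero-length salt and info). The function names are hypothetical, and `t1_as_reported` is an assumed model of the quoted snippet's key/data arrangement.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 section 2.3: PRK is the HMAC key; the message is T(i-1) | info | counter byte.
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("L must be in 1..255*HashLen")
    okm, t = b"", b""  # T(0) is the empty string
    blocks = -(-length // HASH_LEN)  # ceil(L / HashLen)
    for counter in range(1, blocks + 1):
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
    return okm[:length]

def t1_as_reported(prk: bytes) -> bytes:
    # Model (assumption) of the snippet quoted in the issue: {0x00, 0x01} is
    # loaded as the HMAC key and PRK is passed as the data.
    return hmac.new(b"\x00\x01", prk, hashlib.sha256).digest()

# RFC 5869 Appendix A.3 test vector: SHA-256, zero-length salt and info, L = 42.
IKM = b"\x0b" * 22
RFC_PRK = bytes.fromhex("19ef24a32c717b167f33a91d6f648bdf"
                        "96596776afdb6377ac434c1c293ccb04")
RFC_OKM = bytes.fromhex("8da4e775a563c18f715f802a063c5a31"
                        "b8a11f5c5ee1879ec3454e5f3c738d2d"
                        "9d201395faa4b61a96c8")

def check_vector() -> dict:
    # Compare both constructions against the RFC vector.
    prk = hkdf_extract(b"", IKM)
    return {
        "prk_ok": hmac.compare_digest(prk, RFC_PRK),
        "okm_ok": hmac.compare_digest(hkdf_expand(prk, b"", 42), RFC_OKM),
        "reported_t1_ok": hmac.compare_digest(t1_as_reported(prk), RFC_OKM[:HASH_LEN]),
    }

if __name__ == "__main__":
    print(check_vector())
```

With L = 42 the vector also exercises T(2), so it checks the chaining of T(1) into the second block as well as the first block.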