[Bug]: iotsafe_hkdf_extract only works for SHA256_DIGEST #7175

Open
bolons opened this issue Jan 26, 2024 · 4 comments

bolons commented Jan 26, 2024

Contact Details

Nasir Simbolon bolons@gmail.com

Version

latest code in the repository

Description

I am testing the example in IDE/iotsafe-raspberrypi. I have an iotsafe applet to test.
A TLS 1.3 connection is established when client and server use the SHA256 digest in the HKDF extract function, but it fails when they use SHA384 or SHA512, with the error 'mac verification fail'.
I found that the failure when using SHA384 or SHA512 is due to a bug in the code at https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/iotsafe/iotsafe.c, in the line:

```c
ret = hexbuffer_conv(resp, prk, 32);
```

This line always makes the PRK 32 bytes long (which works for SHA256) but fails when using SHA384, which expects a 48-byte PRK, or SHA512, which expects a 64-byte PRK.

My workaround is below. My modification is just to prove the concept. With this code I found that the TLS 1.3 connection is established when using SHA384.

```c
/* Size the PRK to the digest's output length instead of a fixed 32 bytes. */
if (digest == WC_SHA256)
    ret = hexbuffer_conv(resp, prk, 32);   /* SHA256: 32-byte PRK */
else if (digest == WC_SHA384)
    ret = hexbuffer_conv(resp, prk, 48);   /* SHA384: 48-byte PRK */
else
    ret = hexbuffer_conv(resp, prk, 64);   /* SHA512: 64-byte PRK */
```

I have provided logs from before and after the code modification.

Build configuration on Raspberry Pi:

```shell
./autogen.sh
./configure CFLAGS="-DWOLFSSL_TRUST_PEER_CERT -DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe
make all
cd IDE/iotsafe-raspberrypi/
make
```

Reproduction steps

After building and installing, run the program: wolfssl/IDE/iotsafe-raspberrypi/main.bin -ip [IP_ADDR] -h [hostname] -p 443 -t 25 -d [device modem]

Relevant log output

--- part of the log showing where the bug resides ---
# Log part 1. Before fixing. IOTSafe returns the HKDF Extract result with 48 bytes (0x30), but wolfssl only uses 32 bytes (0x20) of them as the PRK.
--
Enter iotsafe_hkdf_extract
IOTSAFE PK HKDF Extract
salt: 18CF6A21EED823D4EB93B489F6C561EEB673C3CC7322B67E49B7C46BAE2D126ED5B0D0802DF8B17DCD06704144B4732A
ikm: 93832A92A60EB4ECF51C33FD2ACA411EF21419A034F1B76A7537B3910A597881
hash: 7
>>> AT+CSIM=186,"814A000058D12093832A92A60EB4ECF51C33FD2ACA411EF21419A034F1B76A7537B3910A597881D53018CF6A21EED823D4EB93B489F6C561EEB673C3CC7322B67E49B7C46BAE2D126ED5B0D0802DF8B17DCD06704144B4732A91020002"

>>> AT

<<<

<<< +CSIM: 4,"6130"

<<<

<<< OK

>>> AT+CSIM= 10,"01C0000030"

<<<

<<< +CSIM: 100,"BE16EA56D9C43325CB0FA2544ACC3C5879F90F8C4AA9E6D98C52F5DBB0D6C3D41717A7D34071F8EA66B6A796AFA528C19000"

<<<

<<< OK


Derive Client Handshake Secret
  PRK
        be 16 ea 56 d9 c4 33 25 cb 0f a2 54 4a cc 3c 58 |...V..3%...TJ.<X
        79 f9 0f 8c 4a a9 e6 d9 8c 52 f5 db b0 d6 c3 d4 |y...J....R......
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
  Info
        00 30 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 |.0.tls13 c hs tr
        61 66 66 69 63 30 1d 4a 4f ed 3f fc ed 75 75 e2 |affic0.JO.?..uu.
        cd f5 b1 e4 1f 75 7e db 2f bb 63 6e 01 10 c1 98 |.....u~./.cn....
        28 bc 0a 02 62 d3 de 46 a3 e7 07 c2 fa df f0 56 |(...b..F.......V
        17 c7 9b 40 8b a3                               |...@..
  Digest 7
  OKM
        d0 b2 d7 64 84 0d af fe bc f8 ed 4c df bc dd 41 |...d.......L...A
        cc f0 f0 13 e4 98 45 5b 16 0e 39 5f c3 27 30 75 |......E[..9_.'0u
        fb f7 4d 51 39 d9 4d 30 41 c5 f7 f5 54 38 73 bb |..MQ9.M0A...T8s.
Derive Server Handshake Secret
  PRK
        be 16 ea 56 d9 c4 33 25 cb 0f a2 54 4a cc 3c 58 |...V..3%...TJ.<X
        79 f9 0f 8c 4a a9 e6 d9 8c 52 f5 db b0 d6 c3 d4 |y...J....R......
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
  Info
        00 30 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 |.0.tls13 s hs tr
        61 66 66 69 63 30 1d 4a 4f ed 3f fc ed 75 75 e2 |affic0.JO.?..uu.
        cd f5 b1 e4 1f 75 7e db 2f bb 63 6e 01 10 c1 98 |.....u~./.cn....
        28 bc 0a 02 62 d3 de 46 a3 e7 07 c2 fa df f0 56 |(...b..F.......V
        17 c7 9b 40 8b a3                               |...@..
  Digest 7
  OKM
        55 5e d7 3d cd 8b 89 d0 18 ef 6d fd 31 3b 0e 5d |U^.=......m.1;.]
        60 ca 66 90 62 02 bb 1e a5 30 a2 e0 79 df 61 fe |`.f.b....0..y.a.
        2a 30 f3 98 52 14 bf 65 39 c6 90 1f 2b 74 49 60 |*0..R..e9...+tI`

----
# Log part 2. After fixing. IOTSafe returns the HKDF Extract result with 48 bytes (0x30), and wolfssl uses all 48 bytes as the PRK.
-------------
Enter iotsafe_hkdf_extract

IOTSAFE PK HKDF Extract
salt: F9CC33D303748335B290FFD8417BE394B4FE2BD87E9CD75D458F952CE3C7B3524FA926FAD454B08E5838958E3DF1AD8C
ikm: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
hash: 7
>>> AT+CSIM=218,"814A000068D130000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D530F9CC33D303748335B290FFD8417BE394B4FE2BD87E9CD75D458F952CE3C7B3524FA926FAD454B08E5838958E3DF1AD8C91020002"

>>> AT

<<<

<<< +CSIM: 4,"6130"

<<<

<<< OK

>>> AT+CSIM= 10,"01C0000030"

<<<

<<< +CSIM: 100,"E740592D134093B25A7FD3AF06355713CFB5927207EA363D34C81C13713A4B1D6FB299040DA71922CDDF96E49ABA6E189000"

<<<

<<< OK

Derive Client Traffic Secret
  PRK
        e7 40 59 2d 13 40 93 b2 5a 7f d3 af 06 35 57 13 |.@Y-.@..Z....5W.
        cf b5 92 72 07 ea 36 3d 34 c8 1c 13 71 3a 4b 1d |...r..6=4...q:K.
        6f b2 99 04 0d a7 19 22 cd df 96 e4 9a ba 6e 18 |o......"......n.
  Info
        00 30 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 |.0.tls13 c ap tr
        61 66 66 69 63 30 e9 13 87 ce f1 54 10 3f 41 ad |affic0.....T.?A.
        9b 7f c1 f4 91 ee 53 52 e9 cd 9b 84 9c c8 21 b0 |......SR......!.
        fe ff dd 3a dc 4b a2 7f c5 7e ca f8 4a 0a 5c 6f |...:.K...~..J.\o
        89 ae 64 00 56 91                               |..d.V.
  Digest 7
  OKM
        78 89 13 89 5e 8d a5 ae 7d ad 3a 23 da 36 db 7a |x...^...}.:#.6.z
        1c f7 f5 27 14 d1 f3 9f 03 23 d7 c4 67 80 c1 5b |...'.....#..g..[
        bc 48 26 6e 9e 2b 2e 6c fd fa 43 ff 9e e6 49 fc |.H&n.+.l..C...I.
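The report above comes down to one rule: HKDF-Extract produces a PRK exactly one hash output long, so the hex-to-bytes step must size the PRK from the negotiated digest and reject a response whose length does not match. The following is an added example, not wolfSSL's code; `DIGEST_SHA*` are stand-ins for the `WC_SHA*` identifiers, `extract_prk` plays the role of the `hexbuffer_conv` call, and `kResp` is the 100-character applet response copied from log part 1 (48-byte PRK plus the 9000 status word).

```c
/* Added example (not wolfSSL code): derive the PRK length from the digest
 * instead of hard-coding 32, and refuse a response of the wrong length. */
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for wolfSSL's WC_SHA256/WC_SHA384/WC_SHA512. */
enum { DIGEST_SHA256 = 1, DIGEST_SHA384 = 2, DIGEST_SHA512 = 3 };

static size_t prk_len_for_digest(int digest)
{
    if (digest == DIGEST_SHA256) return 32;
    if (digest == DIGEST_SHA384) return 48;
    if (digest == DIGEST_SHA512) return 64;
    return 0; /* unsupported digest: caller must fail */
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the PRK for `digest` from a +CSIM payload (PRK hex + "9000").
 * Returns the PRK length, or -1 on an unknown digest or a length mismatch;
 * the fixed-32 conversion instead silently kept only the first 32 bytes. */
static int extract_prk(const char *resp, int digest, unsigned char *prk, size_t cap)
{
    size_t need = prk_len_for_digest(digest), i;
    if (need == 0 || need > cap || strlen(resp) != 2 * need + 4) return -1;
    for (i = 0; i < need; i++) {
        int hi = hexval(resp[2 * i]), lo = hexval(resp[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        prk[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)need;
}

/* Constructed from log part 1: 48-byte PRK followed by status word 9000. */
static const char kResp[] =
    "BE16EA56D9C43325CB0FA2544ACC3C5879F90F8C4AA9E6D98C52F5DBB0D6C3D4"
    "1717A7D34071F8EA66B6A796AFA528C19000";

static int prk_byte(int digest, size_t idx)
{
    unsigned char prk[64];
    int n = extract_prk(kResp, digest, prk, sizeof prk);
    return (n < 0 || idx >= (size_t)n) ? -1 : prk[idx];
}
```

With this response, only `DIGEST_SHA384` decodes (bytes 32 to 47 are the part the old code dropped); `DIGEST_SHA256` and `DIGEST_SHA512` are rejected because the applet's response length does not match their PRK size.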
@bolons bolons added the bug label Jan 26, 2024
@danielinux danielinux self-assigned this Jan 26, 2024
@danielinux
Member

Hello @bolons
Thank you for testing our IoT-Safe module. The current implementation indeed only supports SHA256, as we had not tested the code against an applet supporting different hash sizes. The API documentation mentions this when describing the interface.

As the changes you introduced are currently working with your applet, I will work on a patch to support other sizes as suggested, and update the docs.

@danielinux
Member

Hi again @bolons

Could you please confirm that PR #7176 works with different hash sizes in your applet so I can go ahead and submit for reviews?

Thanks,

--
Daniele, wolfSSL

@bolons
Author

bolons commented Jan 26, 2024

Hello @danielinux

Thank you for the reply.
I can confirm that SHA384 worked in my applet. TLS 1.3 was established between wolfssl-iotsafe and openssl on the server.
As for SHA512, I haven't tested it yet. My iotsafe applet supports SHA512, but I don't know how to 'force' wolfssl and the openssl server to agree to use SHA512.

If you know how to configure either wolfssl or openssl on the server so that they use SHA512, let me know. I want to test SHA512 too.

@danielinux
Member

Hi,
Thanks for your feedback. I am not sure how to force SHA512; it does not seem to be in any of the supported TLS 1.3 ciphersuites.

I'll go ahead with the PR. I'll ask around if there is a way to activate SHA512 with a TLS 1.3 ciphersuite.
