From dda5c25e855fc4bff14df13bb6742bcff7fa9493 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Tue, 6 Sep 2022 21:35:23 +0200
Subject: [PATCH] Fix computing HMAC of key path.

Signed-off-by: Pol Henarejos
---
 src/fido/cmd_authenticate.c | 7 +++++--
 src/fido/fido.c | 13 +++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/fido/cmd_authenticate.c b/src/fido/cmd_authenticate.c
index 8ba02ee..5b6db49 100644
--- a/src/fido/cmd_authenticate.c
+++ b/src/fido/cmd_authenticate.c
@@ -53,9 +53,12 @@ int cmd_authenticate() {
     mbedtls_ecdsa_free(&key);
     if (ret != 0)
         return SW_WRONG_DATA();
-    ret = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), d, 32, req->appId, 32, hmac);
+    uint8_t key_base[U2F_APPID_SIZE + KEY_PATH_LEN];
+    memcpy(key_base, req->appId, U2F_APPID_SIZE);
+    memcpy(key_base + U2F_APPID_SIZE, req->keyHandle, KEY_PATH_LEN);
+    ret = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), d, 32, key_base, sizeof(key_base), hmac);
     mbedtls_platform_zeroize(d, sizeof(d));
-    if (memcmp(req->keyHandle + 32, hmac, sizeof(hmac)) != 0)
+    if (memcmp(req->keyHandle + KEY_HANDLE_LEN, hmac, sizeof(hmac)) != 0)
         return SW_WRONG_DATA();
     return SW_CONDITIONS_NOT_SATISFIED();
 }
diff --git a/src/fido/fido.c b/src/fido/fido.c
index 25e81be..c5498aa 100644
--- a/src/fido/fido.c
+++ b/src/fido/fido.c
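Review bot: The return value of mbedtls_md_hmac is stored in `ret` but never checked before the memcmp, so a failed HMAC call (for example a NULL md_info) leaves `hmac` unset and the tag compare runs on whatever the stack held; add `if (ret != 0) return SW_WRONG_DATA();` directly after the `mbedtls_platform_zeroize(d, sizeof(d));` line. The tag check itself uses `memcmp`, which stops at the first differing byte; a MAC verification should use a constant-time compare (an XOR-accumulate loop over all `sizeof(hmac)` bytes, or `mbedtls_ct_memcmp` where the linked mbedtls version exports it). The compare offset is now `KEY_HANDLE_LEN` while derive_key in src/fido/fido.c still writes the tag at the literal `key_handle + 32`; if those two are not the same value the verification reads the wrong bytes, so both sides should use one named constant. cmd_authenticate's body begins before this hunk.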
@@ -111,10 +111,15 @@ int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, mbedtls
             return r;
         }
     }
-    if (new_key == true && (r = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), outk, 32, app_id, 32, key_handle + 32)) != 0)
-    {
-        mbedtls_platform_zeroize(outk, sizeof(outk));
-        return r;
+    if (new_key == true) {
+        uint8_t key_base[U2F_APPID_SIZE + KEY_PATH_LEN];
+        memcpy(key_base, app_id, U2F_APPID_SIZE);
+        memcpy(key_base + U2F_APPID_SIZE, key_handle, KEY_PATH_LEN);
+        if ((r = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), outk, 32, key_base, sizeof(key_base), key_handle + 32)) != 0)
+        {
+            mbedtls_platform_zeroize(outk, sizeof(outk));
+            return r;
+        }
     }
     if (key != NULL) {
         mbedtls_ecp_group_load(&key->grp, MBEDTLS_ECP_DP_SECP256R1);
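Review bot: `key_handle` is read for `KEY_PATH_LEN` bytes and then written with a 32-byte SHA-256 tag at `key_handle + 32`, so the function silently requires the caller's buffer to hold at least `KEY_PATH_LEN + 32` bytes and requires `KEY_PATH_LEN` to equal 32 for the tag not to overlap the path; neither contract is stated anywhere visible. Add a comment on derive_key such as `/* key_handle: in/out buffer of at least KEY_PATH_LEN + 32 bytes; with new_key the key path is expected to be present already and the HMAC tag is written after it */` (the "already present" part presumably holds from the code above the hunk — confirm), and write the output offset as `key_handle + KEY_PATH_LEN` so it tracks the read length instead of a literal. `if (new_key == true)` reads more naturally as `if (new_key)`. derive_key's body continues past both edges of this hunk.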