4 * Copyright (c) 2018-2020, The Linux Foundation
26 /* The mandatory to support and the default NIST P-256 curve needs to
28 { "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
29 { "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
30 { "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
31 { "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
32 { "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
33 { "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
103 if (curve->hash_len == 32) in dpp_hash_vector()
105 if (curve->hash_len == 48) in dpp_hash_vector()
107 if (curve->hash_len == 64) in dpp_hash_vector()
109 return -1; in dpp_hash_vector()
128 return -1; in dpp_hkdf_expand()
145 return -1; in dpp_hmac_vector()
158 return -1; in dpp_hmac()
173 const u8 *addr[2]; in dpp_pbkdf2_f()
174 size_t len[2]; in dpp_pbkdf2_f()
184 * Uc = PRF(P, Uc-1) in dpp_pbkdf2_f()
188 if (dpp_hmac_vector(hash_len, password, password_len, 2, addr, len, in dpp_pbkdf2_f()
190 return -1; in dpp_pbkdf2_f()
196 return -1; in dpp_pbkdf2_f()
219 return -1; in dpp_pbkdf2()
223 left -= plen; in dpp_pbkdf2()
245 return crypto_ec_key_set_pub(ike_group, buf, buf + len / 2, len / 2); in dpp_set_pubkey_point()
257 return -1; in dpp_get_pubkey_hash()
261 return -1; in dpp_get_pubkey_hash()
276 key = crypto_ec_key_gen(curve->ike_group); in dpp_gen_keypair()
305 "DPP: Unsupported curve (group=%d) in pre-assigned key", in dpp_set_keypair()
320 der = crypto_ec_key_get_subject_public_key(bi->pubkey); in dpp_bootstrap_key_hash()
322 return -1; in dpp_bootstrap_key_hash()
341 bi->curve = dpp_get_curve_name(curve); in dpp_keygen()
342 if (!bi->curve) { in dpp_keygen()
344 return -1; in dpp_keygen()
348 bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len); in dpp_keygen()
350 bi->pubkey = dpp_gen_keypair(bi->curve); in dpp_keygen()
351 if (!bi->pubkey) in dpp_keygen()
353 bi->own = 1; in dpp_keygen()
355 der = crypto_ec_key_get_subject_public_key(bi->pubkey); in dpp_keygen()
377 os_memmove(pos, pos + 1, end - pos); in dpp_keygen()
379 os_free(bi->pk); in dpp_keygen()
380 bi->pk = base64; in dpp_keygen()
385 return -1; in dpp_keygen()
397 /* HKDF-Extract(<>, M.x) */ in dpp_derive_k1()
400 return -1; in dpp_derive_k1()
401 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)", in dpp_derive_k1()
404 /* HKDF-Expand(PRK, info, L) */ in dpp_derive_k1()
408 return -1; in dpp_derive_k1()
410 wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)", in dpp_derive_k1()
424 /* HKDF-Extract(<>, N.x) */ in dpp_derive_k2()
428 return -1; in dpp_derive_k2()
429 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)", in dpp_derive_k2()
432 /* HKDF-Expand(PRK, info, L) */ in dpp_derive_k2()
436 return -1; in dpp_derive_k2()
438 wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)", in dpp_derive_k2()
446 unsigned int hash_len = auth->curve->hash_len; in dpp_derive_bk_ke()
447 size_t nonce_len = auth->curve->nonce_len; in dpp_derive_bk_ke()
448 u8 nonces[2 * DPP_MAX_NONCE_LEN]; in dpp_derive_bk_ke()
455 if (!auth->Mx_len || !auth->Nx_len) { in dpp_derive_bk_ke()
457 "DPP: Mx/Nx not available - cannot derive ke"); in dpp_derive_bk_ke()
458 return -1; in dpp_derive_bk_ke()
461 /* bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */ in dpp_derive_bk_ke()
462 os_memcpy(nonces, auth->i_nonce, nonce_len); in dpp_derive_bk_ke()
463 os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len); in dpp_derive_bk_ke()
464 addr[num_elem] = auth->Mx; in dpp_derive_bk_ke()
465 len[num_elem] = auth->Mx_len; in dpp_derive_bk_ke()
467 addr[num_elem] = auth->Nx; in dpp_derive_bk_ke()
468 len[num_elem] = auth->Nx_len; in dpp_derive_bk_ke()
470 if (auth->peer_bi && auth->own_bi) { in dpp_derive_bk_ke()
471 if (!auth->Lx_len) { in dpp_derive_bk_ke()
473 "DPP: Lx not available - cannot derive ke"); in dpp_derive_bk_ke()
474 return -1; in dpp_derive_bk_ke()
476 addr[num_elem] = auth->Lx; in dpp_derive_bk_ke()
477 len[num_elem] = auth->secret_len; in dpp_derive_bk_ke()
480 res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len, in dpp_derive_bk_ke()
481 num_elem, addr, len, auth->bk); in dpp_derive_bk_ke()
483 return -1; in dpp_derive_bk_ke()
485 "DPP: bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x])", in dpp_derive_bk_ke()
486 auth->bk, hash_len); in dpp_derive_bk_ke()
488 /* ke = HKDF-Expand(bk, "DPP Key", length) */ in dpp_derive_bk_ke()
489 res = dpp_hkdf_expand(hash_len, auth->bk, hash_len, info_ke, auth->ke, in dpp_derive_bk_ke()
492 return -1; in dpp_derive_bk_ke()
495 "DPP: ke = HKDF-Expand(bk, \"DPP Key\", length)", in dpp_derive_bk_ke()
496 auth->ke, hash_len); in dpp_derive_bk_ke()
507 int ret = -1; in dpp_ecdh()
514 return -1; in dpp_ecdh()
551 const u8 *addr[2]; in dpp_bi_pubkey_hash()
552 size_t len[2]; in dpp_bi_pubkey_hash()
556 if (sha256_vector(1, addr, len, bi->pubkey_hash) < 0) in dpp_bi_pubkey_hash()
557 return -1; in dpp_bi_pubkey_hash()
559 bi->pubkey_hash, SHA256_MAC_LEN); in dpp_bi_pubkey_hash()
565 if (sha256_vector(2, addr, len, bi->pubkey_hash_chirp) < 0) in dpp_bi_pubkey_hash()
566 return -1; in dpp_bi_pubkey_hash()
568 bi->pubkey_hash_chirp, SHA256_MAC_LEN); in dpp_bi_pubkey_hash()
581 return -1; in dpp_get_subject_public_key()
587 "DPP: Could not parse URI public-key SubjectPublicKeyInfo"); in dpp_get_subject_public_key()
588 return -1; in dpp_get_subject_public_key()
591 bi->curve = dpp_get_curve_ike_group(crypto_ec_key_group(key)); in dpp_get_subject_public_key()
592 if (!bi->curve) { in dpp_get_subject_public_key()
599 bi->pubkey = key; in dpp_get_subject_public_key()
603 return -1; in dpp_get_subject_public_key()
622 if (root->type != JSON_OBJECT) { in dpp_parse_jws_prot_hdr()
629 if (!token || token->type != JSON_STRING) { in dpp_parse_jws_prot_hdr()
634 token->string); in dpp_parse_jws_prot_hdr()
635 if (os_strcmp(token->string, "dppCon") != 0) { in dpp_parse_jws_prot_hdr()
638 token->string); in dpp_parse_jws_prot_hdr()
643 if (!token || token->type != JSON_STRING) { in dpp_parse_jws_prot_hdr()
648 token->string); in dpp_parse_jws_prot_hdr()
649 if (os_strcmp(token->string, curve->jws_alg) != 0) { in dpp_parse_jws_prot_hdr()
651 "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)", in dpp_parse_jws_prot_hdr()
652 token->string, curve->jws_alg); in dpp_parse_jws_prot_hdr()
655 if (os_strcmp(token->string, "ES256") == 0 || in dpp_parse_jws_prot_hdr()
656 os_strcmp(token->string, "BS256") == 0) { in dpp_parse_jws_prot_hdr()
658 } else if (os_strcmp(token->string, "ES384") == 0 || in dpp_parse_jws_prot_hdr()
659 os_strcmp(token->string, "BS384") == 0) { in dpp_parse_jws_prot_hdr()
661 } else if (os_strcmp(token->string, "ES512") == 0 || in dpp_parse_jws_prot_hdr()
662 os_strcmp(token->string, "BS512") == 0) { in dpp_parse_jws_prot_hdr()
665 *hash_func = -1; in dpp_parse_jws_prot_hdr()
668 token->string); in dpp_parse_jws_prot_hdr()
696 return -1; in dpp_check_pubkey_match()
699 return -1; in dpp_check_pubkey_match()
707 return -1; in dpp_check_pubkey_match()
713 return -1; in dpp_check_pubkey_match()
729 int res, hash_func = -1; in dpp_process_signed_connector()
736 wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv); in dpp_process_signed_connector()
746 prot_hdr = base64_url_decode(pos, end - pos, &prot_hdr_len); in dpp_process_signed_connector()
754 "DPP: signedConnector - JWS Protected Header", in dpp_process_signed_connector()
773 "DPP: Missing dot(2) in signedConnector"); in dpp_process_signed_connector()
777 signed_end = end - 1; in dpp_process_signed_connector()
778 info->payload = base64_url_decode(pos, end - pos, &info->payload_len); in dpp_process_signed_connector()
779 if (!info->payload) { in dpp_process_signed_connector()
786 "DPP: signedConnector - JWS Payload", in dpp_process_signed_connector()
787 info->payload, info->payload_len); in dpp_process_signed_connector()
796 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature", in dpp_process_signed_connector()
812 hash = os_malloc(curve->hash_len); in dpp_process_signed_connector()
816 signed_len = signed_end - signed_start + 1; in dpp_process_signed_connector()
833 hash, curve->hash_len, in dpp_process_signed_connector()
834 signature, signature_len / 2, in dpp_process_signed_connector()
835 signature + signature_len / 2, in dpp_process_signed_connector()
836 signature_len / 2); in dpp_process_signed_connector()
867 "DPP: Failed to parse local C-sign-key information"); in dpp_check_signed_connector()
894 int res = -1; in dpp_gen_r_auth()
896 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */ in dpp_gen_r_auth()
897 nonce_len = auth->curve->nonce_len; in dpp_gen_r_auth()
899 if (auth->initiator) { in dpp_gen_r_auth()
900 pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_gen_r_auth()
901 prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_gen_r_auth()
903 if (auth->own_bi) in dpp_gen_r_auth()
905 auth->own_bi->pubkey, 0); in dpp_gen_r_auth()
908 brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0); in dpp_gen_r_auth()
910 pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_gen_r_auth()
912 prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_gen_r_auth()
913 if (auth->peer_bi) in dpp_gen_r_auth()
915 auth->peer_bi->pubkey, 0); in dpp_gen_r_auth()
918 brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0); in dpp_gen_r_auth()
923 addr[num_elem] = auth->i_nonce; in dpp_gen_r_auth()
927 addr[num_elem] = auth->r_nonce; in dpp_gen_r_auth()
932 len[num_elem] = wpabuf_len(pix) / 2; in dpp_gen_r_auth()
936 len[num_elem] = wpabuf_len(prx) / 2; in dpp_gen_r_auth()
941 len[num_elem] = wpabuf_len(bix) / 2; in dpp_gen_r_auth()
946 len[num_elem] = wpabuf_len(brx) / 2; in dpp_gen_r_auth()
953 wpa_printf(MSG_DEBUG, "DPP: R-auth hash components"); in dpp_gen_r_auth()
956 res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth); in dpp_gen_r_auth()
958 wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth, in dpp_gen_r_auth()
959 auth->curve->hash_len); in dpp_gen_r_auth()
977 int res = -1; in dpp_gen_i_auth()
979 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */ in dpp_gen_i_auth()
980 nonce_len = auth->curve->nonce_len; in dpp_gen_i_auth()
982 if (auth->initiator) { in dpp_gen_i_auth()
983 pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_gen_i_auth()
984 prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_gen_i_auth()
986 if (auth->own_bi) in dpp_gen_i_auth()
988 auth->own_bi->pubkey, 0); in dpp_gen_i_auth()
991 if (!auth->peer_bi) in dpp_gen_i_auth()
993 brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0); in dpp_gen_i_auth()
995 pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_gen_i_auth()
997 prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_gen_i_auth()
998 if (auth->peer_bi) in dpp_gen_i_auth()
1000 auth->peer_bi->pubkey, 0); in dpp_gen_i_auth()
1003 if (!auth->own_bi) in dpp_gen_i_auth()
1005 brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0); in dpp_gen_i_auth()
1010 addr[num_elem] = auth->r_nonce; in dpp_gen_i_auth()
1014 addr[num_elem] = auth->i_nonce; in dpp_gen_i_auth()
1019 len[num_elem] = wpabuf_len(prx) / 2; in dpp_gen_i_auth()
1023 len[num_elem] = wpabuf_len(pix) / 2; in dpp_gen_i_auth()
1027 len[num_elem] = wpabuf_len(brx) / 2; in dpp_gen_i_auth()
1032 len[num_elem] = wpabuf_len(bix) / 2; in dpp_gen_i_auth()
1040 wpa_printf(MSG_DEBUG, "DPP: I-auth hash components"); in dpp_gen_i_auth()
1043 res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth); in dpp_gen_i_auth()
1045 wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth, in dpp_gen_i_auth()
1046 auth->curve->hash_len); in dpp_gen_i_auth()
1059 struct crypto_ec_point *L = NULL, *BI = NULL; in dpp_auth_derive_l_responder() local
1062 int ret = -1; in dpp_auth_derive_l_responder()
1064 /* L = ((bR + pR) modulo q) * BI */ in dpp_auth_derive_l_responder()
1066 ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey)); in dpp_auth_derive_l_responder()
1071 BI = crypto_ec_key_get_public_key(auth->peer_bi->pubkey); in dpp_auth_derive_l_responder()
1072 bR = crypto_ec_key_get_private_key(auth->own_bi->pubkey); in dpp_auth_derive_l_responder()
1073 pR = crypto_ec_key_get_private_key(auth->own_protocol_key); in dpp_auth_derive_l_responder()
1075 L = crypto_ec_point_init(ec); in dpp_auth_derive_l_responder()
1077 if (!q || !BI || !bR || !pR || !sum || !L || !lx || in dpp_auth_derive_l_responder()
1079 crypto_ec_point_mul(ec, BI, sum, L) || in dpp_auth_derive_l_responder()
1080 crypto_ec_point_x(ec, L, lx) || in dpp_auth_derive_l_responder()
1081 crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx), in dpp_auth_derive_l_responder()
1082 auth->secret_len) < 0) in dpp_auth_derive_l_responder()
1085 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len); in dpp_auth_derive_l_responder()
1086 auth->Lx_len = auth->secret_len; in dpp_auth_derive_l_responder()
1093 crypto_ec_point_deinit(L, 1); in dpp_auth_derive_l_responder()
1103 struct crypto_ec_point *L = NULL, *sum = NULL, *BR = NULL, *PR = NULL; in dpp_auth_derive_l_initiator() local
1105 int ret = -1; in dpp_auth_derive_l_initiator()
1107 /* L = bI * (BR + PR) */ in dpp_auth_derive_l_initiator()
1109 ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey)); in dpp_auth_derive_l_initiator()
1113 BR = crypto_ec_key_get_public_key(auth->peer_bi->pubkey); in dpp_auth_derive_l_initiator()
1114 PR = crypto_ec_key_get_public_key(auth->peer_protocol_key); in dpp_auth_derive_l_initiator()
1115 bI = crypto_ec_key_get_private_key(auth->own_bi->pubkey); in dpp_auth_derive_l_initiator()
1117 L = crypto_ec_point_init(ec); in dpp_auth_derive_l_initiator()
1119 if (!BR || !PR || !bI || !sum || !L || !lx || in dpp_auth_derive_l_initiator()
1121 crypto_ec_point_mul(ec, sum, bI, L) || in dpp_auth_derive_l_initiator()
1122 crypto_ec_point_x(ec, L, lx) || in dpp_auth_derive_l_initiator()
1123 crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx), in dpp_auth_derive_l_initiator()
1124 auth->secret_len) < 0) in dpp_auth_derive_l_initiator()
1127 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len); in dpp_auth_derive_l_initiator()
1128 auth->Lx_len = auth->secret_len; in dpp_auth_derive_l_initiator()
1134 crypto_ec_point_deinit(L, 1); in dpp_auth_derive_l_initiator()
1150 /* HKDF-Extract(<>, N.x) */ in dpp_derive_pmk()
1153 return -1; in dpp_derive_pmk()
1154 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)", in dpp_derive_pmk()
1157 /* HKDF-Expand(PRK, info, L) */ in dpp_derive_pmk()
1161 return -1; in dpp_derive_pmk()
1163 wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)", in dpp_derive_pmk()
1174 int ret = -1, res; in dpp_derive_pmkid()
1175 const u8 *addr[2]; in dpp_derive_pmkid()
1176 size_t len[2]; in dpp_derive_pmkid()
1179 /* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */ in dpp_derive_pmkid()
1185 len[0] = wpabuf_len(nkx) / 2; in dpp_derive_pmkid()
1187 len[1] = wpabuf_len(pkx) / 2; in dpp_derive_pmkid()
1195 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]); in dpp_derive_pmkid()
1196 res = sha256_vector(2, addr, len, hash); in dpp_derive_pmkid()
1210 /* Role-specific elements for PKEX */
1212 /* NIST P-256 */
1238 /* NIST P-384 */
1272 /* NIST P-521 */
1318 /* Brainpool P-256r1 */
1344 /* Brainpool P-384r1 */
1378 /* Brainpool P-512r1 */
1426 switch (curve->ike_group) { in dpp_pkex_get_role_elem()
1455 return crypto_ec_key_set_pub(curve->ike_group, x, y, curve->prime_len); in dpp_pkex_get_role_elem()
1473 /* Qi = H([MAC-Initiator |] [identifier |] code) * Pi */ in dpp_pkex_derive_Qi()
1476 wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR, in dpp_pkex_derive_Qi()
1496 "DPP: H([MAC-Initiator |] [identifier |] code)", in dpp_pkex_derive_Qi()
1497 hash, curve->hash_len); in dpp_pkex_derive_Qi()
1503 ec = crypto_ec_init(curve->ike_group); in dpp_pkex_derive_Qi()
1509 hash_bn = crypto_bignum_init_set(hash, curve->hash_len); in dpp_pkex_derive_Qi()
1514 wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity"); in dpp_pkex_derive_Qi()
1548 /* Qr = H([MAC-Responder |] [identifier |] code) * Pr */ in dpp_pkex_derive_Qr()
1551 wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR, in dpp_pkex_derive_Qr()
1571 "DPP: H([MAC-Responder |] [identifier |] code)", in dpp_pkex_derive_Qr()
1572 hash, curve->hash_len); in dpp_pkex_derive_Qr()
1578 ec = crypto_ec_init(curve->ike_group); in dpp_pkex_derive_Qr()
1584 hash_bn = crypto_bignum_init_set(hash, curve->hash_len); in dpp_pkex_derive_Qr()
1589 wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity"); in dpp_pkex_derive_Qr()
1624 * v1: info = MAC-Initiator | MAC-Responder in dpp_pkex_derive_z()
1625 * v2: info = Protocol Version-Initiator | Protocol Version-Responder in dpp_pkex_derive_z()
1629 /* HKDF-Extract(<>, IKM=K.x) */ in dpp_pkex_derive_z()
1632 return -1; in dpp_pkex_derive_z()
1633 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)", in dpp_pkex_derive_z()
1636 info_len = 2 * ETH_ALEN; in dpp_pkex_derive_z()
1638 info_len = 2; in dpp_pkex_derive_z()
1642 return -1; in dpp_pkex_derive_z()
1659 /* HKDF-Expand(PRK, info, L) */ in dpp_pkex_derive_z()
1670 res = -1; in dpp_pkex_derive_z()
1674 return -1; in dpp_pkex_derive_z()
1676 wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)", in dpp_pkex_derive_z()
1695 int res = -1; in dpp_reconfig_derive_ke_responder()
1696 u8 nonces[2 * DPP_MAX_NONCE_LEN]; in dpp_reconfig_derive_ke_responder()
1698 own_key = dpp_set_keypair(&auth->curve, net_access_key, in dpp_reconfig_derive_ke_responder()
1710 if (auth->curve != curve) { in dpp_reconfig_derive_ke_responder()
1713 auth->curve->name, curve->name); in dpp_reconfig_derive_ke_responder()
1717 auth->own_protocol_key = dpp_gen_keypair(curve); in dpp_reconfig_derive_ke_responder()
1718 if (!auth->own_protocol_key) in dpp_reconfig_derive_ke_responder()
1721 if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) { in dpp_reconfig_derive_ke_responder()
1722 wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce"); in dpp_reconfig_derive_ke_responder()
1725 wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce", in dpp_reconfig_derive_ke_responder()
1726 auth->e_nonce, auth->curve->nonce_len); in dpp_reconfig_derive_ke_responder()
1729 ec = crypto_ec_init(curve->ike_group); in dpp_reconfig_derive_ke_responder()
1737 pR = crypto_ec_key_get_private_key(auth->own_protocol_key); in dpp_reconfig_derive_ke_responder()
1746 wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); in dpp_reconfig_derive_ke_responder()
1748 /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */ in dpp_reconfig_derive_ke_responder()
1750 /* HKDF-Extract(C-nonce | E-nonce, M.x) */ in dpp_reconfig_derive_ke_responder()
1751 os_memcpy(nonces, auth->c_nonce, curve->nonce_len); in dpp_reconfig_derive_ke_responder()
1752 os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len); in dpp_reconfig_derive_ke_responder()
1753 if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len, in dpp_reconfig_derive_ke_responder()
1754 Mx, curve->prime_len, prk) < 0) in dpp_reconfig_derive_ke_responder()
1756 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len); in dpp_reconfig_derive_ke_responder()
1758 /* HKDF-Expand(PRK, "dpp reconfig key", L) */ in dpp_reconfig_derive_ke_responder()
1759 if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len, in dpp_reconfig_derive_ke_responder()
1760 "dpp reconfig key", auth->ke, curve->hash_len) < 0) in dpp_reconfig_derive_ke_responder()
1763 "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)", in dpp_reconfig_derive_ke_responder()
1764 auth->ke, curve->hash_len); in dpp_reconfig_derive_ke_responder()
1767 crypto_ec_key_deinit(auth->reconfig_old_protocol_key); in dpp_reconfig_derive_ke_responder()
1768 auth->reconfig_old_protocol_key = own_key; in dpp_reconfig_derive_ke_responder()
1795 int res = -1; in dpp_reconfig_derive_ke_initiator()
1797 u8 nonces[2 * DPP_MAX_NONCE_LEN]; in dpp_reconfig_derive_ke_initiator()
1799 pr = dpp_set_pubkey_point(auth->conf->connector_key, in dpp_reconfig_derive_ke_initiator()
1806 crypto_ec_key_deinit(auth->peer_protocol_key); in dpp_reconfig_derive_ke_initiator()
1807 auth->peer_protocol_key = pr; in dpp_reconfig_derive_ke_initiator()
1814 if (auth->curve != curve) { in dpp_reconfig_derive_ke_initiator()
1817 auth->curve->name, curve->name); in dpp_reconfig_derive_ke_initiator()
1822 ec = crypto_ec_init(curve->ike_group); in dpp_reconfig_derive_ke_initiator()
1826 cI = crypto_ec_key_get_private_key(auth->conf->connector_key); in dpp_reconfig_derive_ke_initiator()
1830 PR = crypto_ec_key_get_public_key(auth->peer_protocol_key); in dpp_reconfig_derive_ke_initiator()
1839 wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); in dpp_reconfig_derive_ke_initiator()
1841 /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */ in dpp_reconfig_derive_ke_initiator()
1843 /* HKDF-Extract(C-nonce | E-nonce, M.x) */ in dpp_reconfig_derive_ke_initiator()
1844 os_memcpy(nonces, auth->c_nonce, curve->nonce_len); in dpp_reconfig_derive_ke_initiator()
1845 os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len); in dpp_reconfig_derive_ke_initiator()
1846 if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len, in dpp_reconfig_derive_ke_initiator()
1847 Mx, curve->prime_len, prk) < 0) in dpp_reconfig_derive_ke_initiator()
1849 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len); in dpp_reconfig_derive_ke_initiator()
1851 /* HKDF-Expand(PRK, "dpp reconfig key", L) */ in dpp_reconfig_derive_ke_initiator()
1852 if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len, in dpp_reconfig_derive_ke_initiator()
1853 "dpp reconfig key", auth->ke, curve->hash_len) < 0) in dpp_reconfig_derive_ke_initiator()
1856 "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)", in dpp_reconfig_derive_ke_initiator()
1857 auth->ke, curve->hash_len); in dpp_reconfig_derive_ke_initiator()
1887 json_add_string(jws_prot_hdr, "kid", conf->kid); in dpp_build_jws_prot_hdr()
1889 json_add_string(jws_prot_hdr, "alg", conf->curve->jws_alg); in dpp_build_jws_prot_hdr()
1916 vector[2] = (const u8 *) signed2; in dpp_build_conn_signature()
1919 vector_len[2] = signed2_len; in dpp_build_conn_signature()
1921 curve = conf->curve; in dpp_build_conn_signature()
1922 hash = os_malloc(curve->hash_len); in dpp_build_conn_signature()
1925 if (curve->hash_len == SHA256_MAC_LEN) { in dpp_build_conn_signature()
1927 } else if (curve->hash_len == SHA384_MAC_LEN) { in dpp_build_conn_signature()
1929 } else if (curve->hash_len == SHA512_MAC_LEN) { in dpp_build_conn_signature()
1940 hash, curve->hash_len); in dpp_build_conn_signature()
1942 sig = crypto_ec_key_sign_r_s(conf->csign, hash, curve->hash_len); in dpp_build_conn_signature()
2012 own_key = dpp_set_keypair(&pfs->curve, net_access_key, in dpp_pfs_init()
2020 pfs->ecdh = crypto_ecdh_init(pfs->curve->ike_group); in dpp_pfs_init()
2021 if (!pfs->ecdh) in dpp_pfs_init()
2024 pub = crypto_ecdh_get_pubkey(pfs->ecdh, 0); in dpp_pfs_init()
2025 pub = wpabuf_zeropad(pub, pfs->curve->prime_len); in dpp_pfs_init()
2029 pfs->ie = wpabuf_alloc(5 + wpabuf_len(pub)); in dpp_pfs_init()
2030 if (!pfs->ie) in dpp_pfs_init()
2032 wpabuf_put_u8(pfs->ie, WLAN_EID_EXTENSION); in dpp_pfs_init()
2033 wpabuf_put_u8(pfs->ie, 1 + 2 + wpabuf_len(pub)); in dpp_pfs_init()
2034 wpabuf_put_u8(pfs->ie, WLAN_EID_EXT_OWE_DH_PARAM); in dpp_pfs_init()
2035 wpabuf_put_le16(pfs->ie, pfs->curve->ike_group); in dpp_pfs_init()
2036 wpabuf_put_buf(pfs->ie, pub); in dpp_pfs_init()
2038 wpa_hexdump_buf(MSG_DEBUG, "DPP: Diffie-Hellman Parameter element", in dpp_pfs_init()
2039 pfs->ie); in dpp_pfs_init()
2051 if (peer_ie_len < 2) in dpp_pfs_process()
2052 return -1; in dpp_pfs_process()
2053 if (WPA_GET_LE16(peer_ie) != pfs->curve->ike_group) { in dpp_pfs_process()
2055 return -1; in dpp_pfs_process()
2058 pfs->secret = crypto_ecdh_set_peerkey(pfs->ecdh, 0, peer_ie + 2, in dpp_pfs_process()
2059 peer_ie_len - 2); in dpp_pfs_process()
2060 pfs->secret = wpabuf_zeropad(pfs->secret, pfs->curve->prime_len); in dpp_pfs_process()
2061 if (!pfs->secret) { in dpp_pfs_process()
2063 return -1; in dpp_pfs_process()
2065 wpa_hexdump_buf_key(MSG_DEBUG, "DPP: DH shared secret", pfs->secret); in dpp_pfs_process()
2074 crypto_ecdh_deinit(pfs->ecdh); in dpp_pfs_free()
2075 wpabuf_free(pfs->ie); in dpp_pfs_free()
2076 wpabuf_clear_free(pfs->secret); in dpp_pfs_free()
2083 struct crypto_csr *csr = NULL; in dpp_build_csr() local
2086 unsigned int hash_len = auth->curve->hash_len; in dpp_build_csr()
2093 /* TODO: use auth->csrattrs */ in dpp_build_csr()
2097 key = auth->own_protocol_key; in dpp_build_csr()
2102 wpabuf_free(auth->priv_key); in dpp_build_csr()
2103 auth->priv_key = priv_key; in dpp_build_csr()
2105 csr = crypto_csr_init(); in dpp_build_csr()
2106 if (!csr || crypto_csr_set_ec_public_key(csr, key)) in dpp_build_csr()
2109 if (name && crypto_csr_set_name(csr, CSR_NAME_CN, name)) in dpp_build_csr()
2112 /* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */ in dpp_build_csr()
2113 if (dpp_hkdf_expand(hash_len, auth->bk, hash_len, in dpp_build_csr()
2114 "CSR challengePassword", cp, DPP_CP_LEN) < 0) in dpp_build_csr()
2117 "DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)", in dpp_build_csr()
2122 crypto_csr_set_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD, in dpp_build_csr()
2139 buf = crypto_csr_sign(csr, key, hash_sign_algo); in dpp_build_csr()
2142 wpa_hexdump_buf(MSG_DEBUG, "DPP: CSR", buf); in dpp_build_csr()
2146 crypto_csr_deinit(csr); in dpp_build_csr()
2154 struct crypto_csr *csr; in dpp_validate_csr() local
2161 unsigned int hash_len = auth->curve->hash_len; in dpp_validate_csr()
2162 int ret = -1; in dpp_validate_csr()
2164 csr = crypto_csr_verify(csrbuf); in dpp_validate_csr()
2165 if (!csr) { in dpp_validate_csr()
2167 "DPP: CSR invalid or invalid signature"); in dpp_validate_csr()
2171 attr = crypto_csr_get_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD, in dpp_validate_csr()
2175 "DPP: CSR does not include challengePassword"); in dpp_validate_csr()
2197 "DPP: Unexpected cp length (%zu) in CSR challengePassword", in dpp_validate_csr()
2201 wpa_hexdump_key(MSG_DEBUG, "DPP: cp from CSR challengePassword", in dpp_validate_csr()
2204 /* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */ in dpp_validate_csr()
2205 if (dpp_hkdf_expand(hash_len, auth->bk, hash_len, in dpp_validate_csr()
2206 "CSR challengePassword", exp_cp, DPP_CP_LEN) < 0) in dpp_validate_csr()
2209 "DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)", in dpp_validate_csr()
2213 "DPP: CSR challengePassword does not match calculated cp"); in dpp_validate_csr()
2220 crypto_csr_deinit(csr); in dpp_validate_csr()
2262 "DPP: Generated random point E-id"); in dpp_gen_reconfig_id()
2268 id->ec = ec; in dpp_gen_reconfig_id()
2270 id->e_id = e_id; in dpp_gen_reconfig_id()
2272 id->csign = csign; in dpp_gen_reconfig_id()
2274 id->pp_key = ppkey; in dpp_gen_reconfig_id()
2292 int ret = -1; in dpp_update_reconfig_id()
2294 pp = crypto_ec_key_get_public_key(id->pp_key); in dpp_update_reconfig_id()
2295 e_prime_id = crypto_ec_point_init(id->ec); in dpp_update_reconfig_id()
2296 a_nonce = crypto_ec_point_init(id->ec); in dpp_update_reconfig_id()
2298 q = crypto_ec_get_order(id->ec); in dpp_update_reconfig_id()
2299 generator = crypto_ec_get_generator(id->ec); in dpp_update_reconfig_id()
2301 /* Generate random 0 <= a-nonce < q in dpp_update_reconfig_id()
2302 * A-NONCE = a-nonce * G in dpp_update_reconfig_id()
2303 * E'-id = E-id + a-nonce * P_pk */ in dpp_update_reconfig_id()
2305 crypto_bignum_rand(bn, q) || /* bn = a-nonce */ in dpp_update_reconfig_id()
2306 crypto_ec_point_mul(id->ec, generator, bn, a_nonce) || in dpp_update_reconfig_id()
2307 crypto_ec_point_mul(id->ec, pp, bn, e_prime_id) || in dpp_update_reconfig_id()
2308 crypto_ec_point_add(id->ec, id->e_id, e_prime_id, e_prime_id)) in dpp_update_reconfig_id()
2311 crypto_ec_point_debug_print(id->ec, a_nonce, in dpp_update_reconfig_id()
2312 "DPP: Generated A-NONCE"); in dpp_update_reconfig_id()
2313 crypto_ec_point_debug_print(id->ec, e_prime_id, in dpp_update_reconfig_id()
2314 "DPP: Encrypted E-id to E'-id"); in dpp_update_reconfig_id()
2316 crypto_ec_key_deinit(id->a_nonce); in dpp_update_reconfig_id()
2317 crypto_ec_key_deinit(id->e_prime_id); in dpp_update_reconfig_id()
2318 id->a_nonce = crypto_ec_key_set_pub_point(id->ec, a_nonce); in dpp_update_reconfig_id()
2319 id->e_prime_id = crypto_ec_key_set_pub_point(id->ec, e_prime_id); in dpp_update_reconfig_id()
2320 if (!id->a_nonce || !id->e_prime_id) in dpp_update_reconfig_id()
2337 crypto_ec_point_deinit(id->e_id, 1); in dpp_free_reconfig_id()
2338 crypto_ec_key_deinit(id->csign); in dpp_free_reconfig_id()
2339 crypto_ec_key_deinit(id->a_nonce); in dpp_free_reconfig_id()
2340 crypto_ec_key_deinit(id->e_prime_id); in dpp_free_reconfig_id()
2341 crypto_ec_key_deinit(id->pp_key); in dpp_free_reconfig_id()
2342 crypto_ec_deinit(id->ec); in dpp_free_reconfig_id()
2360 /* E-id = E'-id - s_C * A-NONCE */ in dpp_decrypt_e_id()
2377 crypto_ec_point_debug_print(ec, e_id, "DPP: Decrypted E-id"); in dpp_decrypt_e_id()
2394 int ret = -1, res; in dpp_derive_auth_i()
2404 hash_len = auth->curve->hash_len; in dpp_derive_auth_i()
2410 * = HKDF-Expand(HKDF-Extract(bk, S.X), "New DPP Protocol Key", in dpp_derive_auth_i()
2411 * len(new-curve-hash-out)) in dpp_derive_auth_i()
2412 * Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) in dpp_derive_auth_i()
2414 * auth->own_protocol_key and auth->peer_protocol_key have already been in dpp_derive_auth_i()
2421 if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key, in dpp_derive_auth_i()
2427 /* tmp = HKDF-Extract(bk, S.x) */ in dpp_derive_auth_i()
2430 res = dpp_hmac_vector(hash_len, auth->bk, hash_len, 1, addr, len, tmp); in dpp_derive_auth_i()
2433 wpa_hexdump_key(MSG_DEBUG, "DPP: HKDF-Extract(bk, S.x)", in dpp_derive_auth_i()
2435 /* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(hash-output)) in dpp_derive_auth_i()
2439 return -1; in dpp_derive_auth_i()
2442 "DPP: k = HKDF-Expand(\"New DPP Protocol Key\")", in dpp_derive_auth_i()
2445 /* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) */ in dpp_derive_auth_i()
2446 addr[0] = auth->e_nonce; in dpp_derive_auth_i()
2447 len[0] = auth->curve->nonce_len; in dpp_derive_auth_i()
2449 if (auth->configurator) { in dpp_derive_auth_i()
2450 pcx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_derive_auth_i()
2451 pex = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_derive_auth_i()
2454 pcx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key, in dpp_derive_auth_i()
2456 pex = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_derive_auth_i()
2461 len[1] = wpabuf_len(pcx) / 2; in dpp_derive_auth_i()
2462 addr[2] = wpabuf_head(pex); in dpp_derive_auth_i()
2463 len[2] = wpabuf_len(pex) / 2; in dpp_derive_auth_i()
2468 "DPP: Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)", in dpp_derive_auth_i()
2517 return -1; in dpp_hpke_suite()
2532 int ret = -1; in dpp_test_gen_invalid_key()
2534 ec = crypto_ec_init(curve->ike_group); in dpp_test_gen_invalid_key()
2535 x = wpabuf_put(msg, curve->prime_len); in dpp_test_gen_invalid_key()
2536 y = wpabuf_put(msg, curve->prime_len); in dpp_test_gen_invalid_key()
2542 key = crypto_ec_key_gen(curve->ike_group); in dpp_test_gen_invalid_key()
2552 y[curve->prime_len - 1] ^= 0x01; in dpp_test_gen_invalid_key()
2597 signature[signature_len - 1] ^= 0x01; in dpp_corrupt_connector_signature()