xref: /freebsd/contrib/wpa/src/common/dpp.c (revision 28f4385e45a2681c14bd04b83fe1796eaefe8265)
1 /*
2  * DPP functionality shared between hostapd and wpa_supplicant
3  * Copyright (c) 2017, Qualcomm Atheros, Inc.
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/asn1.h>
13 #include <openssl/asn1t.h>
14 
15 #include "utils/common.h"
16 #include "utils/base64.h"
17 #include "utils/json.h"
18 #include "common/ieee802_11_common.h"
19 #include "common/ieee802_11_defs.h"
20 #include "common/wpa_ctrl.h"
21 #include "crypto/crypto.h"
22 #include "crypto/random.h"
23 #include "crypto/aes.h"
24 #include "crypto/aes_siv.h"
25 #include "crypto/sha384.h"
26 #include "crypto/sha512.h"
27 #include "drivers/driver.h"
28 #include "dpp.h"
29 
30 
31 #ifdef CONFIG_TESTING_OPTIONS
32 enum dpp_test_behavior dpp_test = DPP_TEST_DISABLED;
33 u8 dpp_pkex_own_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
34 u8 dpp_pkex_peer_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
35 u8 dpp_pkex_ephemeral_key_override[600];
36 size_t dpp_pkex_ephemeral_key_override_len = 0;
37 u8 dpp_protocol_key_override[600];
38 size_t dpp_protocol_key_override_len = 0;
39 u8 dpp_nonce_override[DPP_MAX_NONCE_LEN];
40 size_t dpp_nonce_override_len = 0;
41 
42 static int dpp_test_gen_invalid_key(struct wpabuf *msg,
43 				    const struct dpp_curve_params *curve);
44 #endif /* CONFIG_TESTING_OPTIONS */
45 
46 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
47 	(defined(LIBRESSL_VERSION_NUMBER) && \
48 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
49 /* Compatibility wrappers for older versions. */
50 
51 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
52 {
53 	sig->r = r;
54 	sig->s = s;
55 	return 1;
56 }
57 
58 
59 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
60 			   const BIGNUM **ps)
61 {
62 	if (pr)
63 		*pr = sig->r;
64 	if (ps)
65 		*ps = sig->s;
66 }
67 
68 #endif
69 
70 
71 static const struct dpp_curve_params dpp_curves[] = {
72 	/* The mandatory to support and the default NIST P-256 curve needs to
73 	 * be the first entry on this list. */
74 	{ "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
75 	{ "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
76 	{ "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
77 	{ "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
78 	{ "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
79 	{ "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
80 	{ NULL, 0, 0, 0, 0, NULL, 0, NULL }
81 };
82 
83 
84 /* Role-specific elements for PKEX */
85 
86 /* NIST P-256 */
87 static const u8 pkex_init_x_p256[32] = {
88 	0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b,
89 	0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54,
90 	0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07,
91 	0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25
92  };
93 static const u8 pkex_init_y_p256[32] = {
94 	0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b,
95 	0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc,
96 	0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45,
97 	0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4
98  };
99 static const u8 pkex_resp_x_p256[32] = {
100 	0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39,
101 	0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f,
102 	0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f,
103 	0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76
104 };
105 static const u8 pkex_resp_y_p256[32] = {
106 	0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19,
107 	0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1,
108 	0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a,
109 	0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67
110 };
111 
112 /* NIST P-384 */
113 static const u8 pkex_init_x_p384[48] = {
114 	0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa,
115 	0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68,
116 	0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53,
117 	0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac,
118 	0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12,
119 	0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3
120 };
121 static const u8 pkex_init_y_p384[48] = {
122 	0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29,
123 	0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56,
124 	0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7,
125 	0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6,
126 	0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94,
127 	0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18
128 };
129 static const u8 pkex_resp_x_p384[48] = {
130 	0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98,
131 	0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97,
132 	0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92,
133 	0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44,
134 	0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf,
135 	0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf
136 };
137 static const u8 pkex_resp_y_p384[48] = {
138 	0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c,
139 	0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c,
140 	0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3,
141 	0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1,
142 	0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63,
143 	0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06
144 };
145 
146 /* NIST P-521 */
147 static const u8 pkex_init_x_p521[66] = {
148 	0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23,
149 	0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0,
150 	0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76,
151 	0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5,
152 	0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38,
153 	0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01,
154 	0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e,
155 	0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d,
156 	0x97, 0x76
157 };
158 static const u8 pkex_init_y_p521[66] = {
159 	0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59,
160 	0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99,
161 	0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b,
162 	0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd,
163 	0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f,
164 	0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf,
165 	0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02,
166 	0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d,
167 	0x03, 0xa8
168 };
169 static const u8 pkex_resp_x_p521[66] = {
170 	0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a,
171 	0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44,
172 	0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f,
173 	0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb,
174 	0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48,
175 	0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e,
176 	0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a,
177 	0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97,
178 	0x84, 0xb4
179 };
180 static const u8 pkex_resp_y_p521[66] = {
181 	0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d,
182 	0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20,
183 	0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3,
184 	0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84,
185 	0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9,
186 	0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2,
187 	0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80,
188 	0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53,
189 	0xce, 0xe1
190 };
191 
192 /* Brainpool P-256r1 */
193 static const u8 pkex_init_x_bp_p256r1[32] = {
194 	0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10,
195 	0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca,
196 	0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75,
197 	0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8
198 };
199 static const u8 pkex_init_y_bp_p256r1[32] = {
200 	0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd,
201 	0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30,
202 	0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe,
203 	0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b
204 };
205 static const u8 pkex_resp_x_bp_p256r1[32] = {
206 	0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f,
207 	0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a,
208 	0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a,
209 	0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3
210 };
211 static const u8 pkex_resp_y_bp_p256r1[32] = {
212 	0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd,
213 	0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2,
214 	0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e,
215 	0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64
216 };
217 
218 /* Brainpool P-384r1 */
219 static const u8 pkex_init_x_bp_p384r1[48] = {
220 	0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd,
221 	0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19,
222 	0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06,
223 	0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62,
224 	0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30,
225 	0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe
226 };
227 static const u8 pkex_init_y_bp_p384r1[48] = {
228 	0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99,
229 	0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86,
230 	0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32,
231 	0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9,
232 	0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e,
233 	0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52
234 };
235 static const u8 pkex_resp_x_bp_p384r1[48] = {
236 	0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0,
237 	0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25,
238 	0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b,
239 	0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71,
240 	0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce,
241 	0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c
242 };
243 static const u8 pkex_resp_y_bp_p384r1[48] = {
244 	0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65,
245 	0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04,
246 	0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70,
247 	0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c,
248 	0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb,
249 	0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1
250 };
251 
252 /* Brainpool P-512r1 */
253 static const u8 pkex_init_x_bp_p512r1[64] = {
254 	0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c,
255 	0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51,
256 	0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc,
257 	0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95,
258 	0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d,
259 	0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff,
260 	0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc,
261 	0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f
262 };
263 static const u8 pkex_init_y_bp_p512r1[64] = {
264 	0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94,
265 	0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8,
266 	0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3,
267 	0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45,
268 	0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e,
269 	0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58,
270 	0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71,
271 	0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99
272 };
273 static const u8 pkex_resp_x_bp_p512r1[64] = {
274 	0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72,
275 	0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76,
276 	0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19,
277 	0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e,
278 	0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9,
279 	0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88,
280 	0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29,
281 	0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e
282 };
283 static const u8 pkex_resp_y_bp_p512r1[64] = {
284 	0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81,
285 	0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68,
286 	0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa,
287 	0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d,
288 	0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c,
289 	0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09,
290 	0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56,
291 	0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7
292 };
293 
294 
295 static void dpp_debug_print_point(const char *title, const EC_GROUP *group,
296 				  const EC_POINT *point)
297 {
298 	BIGNUM *x, *y;
299 	BN_CTX *ctx;
300 	char *x_str = NULL, *y_str = NULL;
301 
302 	if (!wpa_debug_show_keys)
303 		return;
304 
305 	ctx = BN_CTX_new();
306 	x = BN_new();
307 	y = BN_new();
308 	if (!ctx || !x || !y ||
309 	    EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) != 1)
310 		goto fail;
311 
312 	x_str = BN_bn2hex(x);
313 	y_str = BN_bn2hex(y);
314 	if (!x_str || !y_str)
315 		goto fail;
316 
317 	wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
318 
319 fail:
320 	OPENSSL_free(x_str);
321 	OPENSSL_free(y_str);
322 	BN_free(x);
323 	BN_free(y);
324 	BN_CTX_free(ctx);
325 }
326 
327 
328 static int dpp_hash_vector(const struct dpp_curve_params *curve,
329 			   size_t num_elem, const u8 *addr[], const size_t *len,
330 			   u8 *mac)
331 {
332 	if (curve->hash_len == 32)
333 		return sha256_vector(num_elem, addr, len, mac);
334 	if (curve->hash_len == 48)
335 		return sha384_vector(num_elem, addr, len, mac);
336 	if (curve->hash_len == 64)
337 		return sha512_vector(num_elem, addr, len, mac);
338 	return -1;
339 }
340 
341 
342 static int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
343 			   const char *label, u8 *out, size_t outlen)
344 {
345 	if (hash_len == 32)
346 		return hmac_sha256_kdf(secret, secret_len, NULL,
347 				       (const u8 *) label, os_strlen(label),
348 				       out, outlen);
349 	if (hash_len == 48)
350 		return hmac_sha384_kdf(secret, secret_len, NULL,
351 				       (const u8 *) label, os_strlen(label),
352 				       out, outlen);
353 	if (hash_len == 64)
354 		return hmac_sha512_kdf(secret, secret_len, NULL,
355 				       (const u8 *) label, os_strlen(label),
356 				       out, outlen);
357 	return -1;
358 }
359 
360 
361 static int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
362 			   size_t num_elem, const u8 *addr[],
363 			   const size_t *len, u8 *mac)
364 {
365 	if (hash_len == 32)
366 		return hmac_sha256_vector(key, key_len, num_elem, addr, len,
367 					  mac);
368 	if (hash_len == 48)
369 		return hmac_sha384_vector(key, key_len, num_elem, addr, len,
370 					  mac);
371 	if (hash_len == 64)
372 		return hmac_sha512_vector(key, key_len, num_elem, addr, len,
373 					  mac);
374 	return -1;
375 }
376 
377 
378 static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len,
379 		    const u8 *data, size_t data_len, u8 *mac)
380 {
381 	if (hash_len == 32)
382 		return hmac_sha256(key, key_len, data, data_len, mac);
383 	if (hash_len == 48)
384 		return hmac_sha384(key, key_len, data, data_len, mac);
385 	if (hash_len == 64)
386 		return hmac_sha512(key, key_len, data, data_len, mac);
387 	return -1;
388 }
389 
390 
391 static int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len)
392 {
393 	int num_bytes, offset;
394 
395 	num_bytes = BN_num_bytes(bn);
396 	if ((size_t) num_bytes > len)
397 		return -1;
398 	offset = len - num_bytes;
399 	os_memset(pos, 0, offset);
400 	BN_bn2bin(bn, pos + offset);
401 	return 0;
402 }
403 
404 
405 static struct wpabuf * dpp_get_pubkey_point(EVP_PKEY *pkey, int prefix)
406 {
407 	int len, res;
408 	EC_KEY *eckey;
409 	struct wpabuf *buf;
410 	unsigned char *pos;
411 
412 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
413 	if (!eckey)
414 		return NULL;
415 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
416 	len = i2o_ECPublicKey(eckey, NULL);
417 	if (len <= 0) {
418 		wpa_printf(MSG_ERROR,
419 			   "DDP: Failed to determine public key encoding length");
420 		EC_KEY_free(eckey);
421 		return NULL;
422 	}
423 
424 	buf = wpabuf_alloc(len);
425 	if (!buf) {
426 		EC_KEY_free(eckey);
427 		return NULL;
428 	}
429 
430 	pos = wpabuf_put(buf, len);
431 	res = i2o_ECPublicKey(eckey, &pos);
432 	EC_KEY_free(eckey);
433 	if (res != len) {
434 		wpa_printf(MSG_ERROR,
435 			   "DDP: Failed to encode public key (res=%d/%d)",
436 			   res, len);
437 		wpabuf_free(buf);
438 		return NULL;
439 	}
440 
441 	if (!prefix) {
442 		/* Remove 0x04 prefix to match DPP definition */
443 		pos = wpabuf_mhead(buf);
444 		os_memmove(pos, pos + 1, len - 1);
445 		buf->used--;
446 	}
447 
448 	return buf;
449 }
450 
451 
452 static EVP_PKEY * dpp_set_pubkey_point_group(const EC_GROUP *group,
453 					     const u8 *buf_x, const u8 *buf_y,
454 					     size_t len)
455 {
456 	EC_KEY *eckey = NULL;
457 	BN_CTX *ctx;
458 	EC_POINT *point = NULL;
459 	BIGNUM *x = NULL, *y = NULL;
460 	EVP_PKEY *pkey = NULL;
461 
462 	ctx = BN_CTX_new();
463 	if (!ctx) {
464 		wpa_printf(MSG_ERROR, "DPP: Out of memory");
465 		return NULL;
466 	}
467 
468 	point = EC_POINT_new(group);
469 	x = BN_bin2bn(buf_x, len, NULL);
470 	y = BN_bin2bn(buf_y, len, NULL);
471 	if (!point || !x || !y) {
472 		wpa_printf(MSG_ERROR, "DPP: Out of memory");
473 		goto fail;
474 	}
475 
476 	if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
477 		wpa_printf(MSG_ERROR,
478 			   "DPP: OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
479 			   ERR_error_string(ERR_get_error(), NULL));
480 		goto fail;
481 	}
482 
483 	if (!EC_POINT_is_on_curve(group, point, ctx) ||
484 	    EC_POINT_is_at_infinity(group, point)) {
485 		wpa_printf(MSG_ERROR, "DPP: Invalid point");
486 		goto fail;
487 	}
488 	dpp_debug_print_point("DPP: dpp_set_pubkey_point_group", group, point);
489 
490 	eckey = EC_KEY_new();
491 	if (!eckey ||
492 	    EC_KEY_set_group(eckey, group) != 1 ||
493 	    EC_KEY_set_public_key(eckey, point) != 1) {
494 		wpa_printf(MSG_ERROR,
495 			   "DPP: Failed to set EC_KEY: %s",
496 			   ERR_error_string(ERR_get_error(), NULL));
497 		goto fail;
498 	}
499 	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
500 
501 	pkey = EVP_PKEY_new();
502 	if (!pkey || EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) {
503 		wpa_printf(MSG_ERROR, "DPP: Could not create EVP_PKEY");
504 		goto fail;
505 	}
506 
507 out:
508 	BN_free(x);
509 	BN_free(y);
510 	EC_KEY_free(eckey);
511 	EC_POINT_free(point);
512 	BN_CTX_free(ctx);
513 	return pkey;
514 fail:
515 	EVP_PKEY_free(pkey);
516 	pkey = NULL;
517 	goto out;
518 }
519 
520 
521 static EVP_PKEY * dpp_set_pubkey_point(EVP_PKEY *group_key,
522 				       const u8 *buf, size_t len)
523 {
524 	EC_KEY *eckey;
525 	const EC_GROUP *group;
526 	EVP_PKEY *pkey = NULL;
527 
528 	if (len & 1)
529 		return NULL;
530 
531 	eckey = EVP_PKEY_get1_EC_KEY(group_key);
532 	if (!eckey) {
533 		wpa_printf(MSG_ERROR,
534 			   "DPP: Could not get EC_KEY from group_key");
535 		return NULL;
536 	}
537 
538 	group = EC_KEY_get0_group(eckey);
539 	if (group)
540 		pkey = dpp_set_pubkey_point_group(group, buf, buf + len / 2,
541 						  len / 2);
542 	else
543 		wpa_printf(MSG_ERROR, "DPP: Could not get EC group");
544 
545 	EC_KEY_free(eckey);
546 	return pkey;
547 }
548 
549 
550 static void dpp_auth_fail(struct dpp_authentication *auth, const char *txt)
551 {
552 	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
553 }
554 
555 
556 struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type,
557 			      size_t len)
558 {
559 	struct wpabuf *msg;
560 
561 	msg = wpabuf_alloc(8 + len);
562 	if (!msg)
563 		return NULL;
564 	wpabuf_put_u8(msg, WLAN_ACTION_PUBLIC);
565 	wpabuf_put_u8(msg, WLAN_PA_VENDOR_SPECIFIC);
566 	wpabuf_put_be24(msg, OUI_WFA);
567 	wpabuf_put_u8(msg, DPP_OUI_TYPE);
568 	wpabuf_put_u8(msg, 1); /* Crypto Suite */
569 	wpabuf_put_u8(msg, type);
570 	return msg;
571 }
572 
573 
574 const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len)
575 {
576 	u16 id, alen;
577 	const u8 *pos = buf, *end = buf + len;
578 
579 	while (end - pos >= 4) {
580 		id = WPA_GET_LE16(pos);
581 		pos += 2;
582 		alen = WPA_GET_LE16(pos);
583 		pos += 2;
584 		if (alen > end - pos)
585 			return NULL;
586 		if (id == req_id) {
587 			*ret_len = alen;
588 			return pos;
589 		}
590 		pos += alen;
591 	}
592 
593 	return NULL;
594 }
595 
596 
597 int dpp_check_attrs(const u8 *buf, size_t len)
598 {
599 	const u8 *pos, *end;
600 	int wrapped_data = 0;
601 
602 	pos = buf;
603 	end = buf + len;
604 	while (end - pos >= 4) {
605 		u16 id, alen;
606 
607 		id = WPA_GET_LE16(pos);
608 		pos += 2;
609 		alen = WPA_GET_LE16(pos);
610 		pos += 2;
611 		wpa_printf(MSG_MSGDUMP, "DPP: Attribute ID %04x len %u",
612 			   id, alen);
613 		if (alen > end - pos) {
614 			wpa_printf(MSG_DEBUG,
615 				   "DPP: Truncated message - not enough room for the attribute - dropped");
616 			return -1;
617 		}
618 		if (wrapped_data) {
619 			wpa_printf(MSG_DEBUG,
620 				   "DPP: An unexpected attribute included after the Wrapped Data attribute");
621 			return -1;
622 		}
623 		if (id == DPP_ATTR_WRAPPED_DATA)
624 			wrapped_data = 1;
625 		pos += alen;
626 	}
627 
628 	if (end != pos) {
629 		wpa_printf(MSG_DEBUG,
630 			   "DPP: Unexpected octets (%d) after the last attribute",
631 			   (int) (end - pos));
632 		return -1;
633 	}
634 
635 	return 0;
636 }
637 
638 
639 void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info)
640 {
641 	if (!info)
642 		return;
643 	os_free(info->uri);
644 	os_free(info->info);
645 	EVP_PKEY_free(info->pubkey);
646 	os_free(info);
647 }
648 
649 
650 const char * dpp_bootstrap_type_txt(enum dpp_bootstrap_type type)
651 {
652 	switch (type) {
653 	case DPP_BOOTSTRAP_QR_CODE:
654 		return "QRCODE";
655 	case DPP_BOOTSTRAP_PKEX:
656 		return "PKEX";
657 	}
658 	return "??";
659 }
660 
661 
662 static int dpp_uri_valid_info(const char *info)
663 {
664 	while (*info) {
665 		unsigned char val = *info++;
666 
667 		if (val < 0x20 || val > 0x7e || val == 0x3b)
668 			return 0;
669 	}
670 
671 	return 1;
672 }
673 
674 
675 static int dpp_clone_uri(struct dpp_bootstrap_info *bi, const char *uri)
676 {
677 	bi->uri = os_strdup(uri);
678 	return bi->uri ? 0 : -1;
679 }
680 
681 
682 int dpp_parse_uri_chan_list(struct dpp_bootstrap_info *bi,
683 			    const char *chan_list)
684 {
685 	const char *pos = chan_list;
686 	int opclass, channel, freq;
687 
688 	while (pos && *pos && *pos != ';') {
689 		opclass = atoi(pos);
690 		if (opclass <= 0)
691 			goto fail;
692 		pos = os_strchr(pos, '/');
693 		if (!pos)
694 			goto fail;
695 		pos++;
696 		channel = atoi(pos);
697 		if (channel <= 0)
698 			goto fail;
699 		while (*pos >= '0' && *pos <= '9')
700 			pos++;
701 		freq = ieee80211_chan_to_freq(NULL, opclass, channel);
702 		wpa_printf(MSG_DEBUG,
703 			   "DPP: URI channel-list: opclass=%d channel=%d ==> freq=%d",
704 			   opclass, channel, freq);
705 		if (freq < 0) {
706 			wpa_printf(MSG_DEBUG,
707 				   "DPP: Ignore unknown URI channel-list channel (opclass=%d channel=%d)",
708 				   opclass, channel);
709 		} else if (bi->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
710 			wpa_printf(MSG_DEBUG,
711 				   "DPP: Too many channels in URI channel-list - ignore list");
712 			bi->num_freq = 0;
713 			break;
714 		} else {
715 			bi->freq[bi->num_freq++] = freq;
716 		}
717 
718 		if (*pos == ';' || *pos == '\0')
719 			break;
720 		if (*pos != ',')
721 			goto fail;
722 		pos++;
723 	}
724 
725 	return 0;
726 fail:
727 	wpa_printf(MSG_DEBUG, "DPP: Invalid URI channel-list");
728 	return -1;
729 }
730 
731 
732 int dpp_parse_uri_mac(struct dpp_bootstrap_info *bi, const char *mac)
733 {
734 	if (!mac)
735 		return 0;
736 
737 	if (hwaddr_aton2(mac, bi->mac_addr) < 0) {
738 		wpa_printf(MSG_DEBUG, "DPP: Invalid URI mac");
739 		return -1;
740 	}
741 
742 	wpa_printf(MSG_DEBUG, "DPP: URI mac: " MACSTR, MAC2STR(bi->mac_addr));
743 
744 	return 0;
745 }
746 
747 
748 int dpp_parse_uri_info(struct dpp_bootstrap_info *bi, const char *info)
749 {
750 	const char *end;
751 
752 	if (!info)
753 		return 0;
754 
755 	end = os_strchr(info, ';');
756 	if (!end)
757 		end = info + os_strlen(info);
758 	bi->info = os_malloc(end - info + 1);
759 	if (!bi->info)
760 		return -1;
761 	os_memcpy(bi->info, info, end - info);
762 	bi->info[end - info] = '\0';
763 	wpa_printf(MSG_DEBUG, "DPP: URI(information): %s", bi->info);
764 	if (!dpp_uri_valid_info(bi->info)) {
765 		wpa_printf(MSG_DEBUG, "DPP: Invalid URI information payload");
766 		return -1;
767 	}
768 
769 	return 0;
770 }
771 
772 
773 static const struct dpp_curve_params *
774 dpp_get_curve_oid(const ASN1_OBJECT *poid)
775 {
776 	ASN1_OBJECT *oid;
777 	int i;
778 
779 	for (i = 0; dpp_curves[i].name; i++) {
780 		oid = OBJ_txt2obj(dpp_curves[i].name, 0);
781 		if (oid && OBJ_cmp(poid, oid) == 0)
782 			return &dpp_curves[i];
783 	}
784 	return NULL;
785 }
786 
787 
788 static const struct dpp_curve_params * dpp_get_curve_nid(int nid)
789 {
790 	int i, tmp;
791 
792 	if (!nid)
793 		return NULL;
794 	for (i = 0; dpp_curves[i].name; i++) {
795 		tmp = OBJ_txt2nid(dpp_curves[i].name);
796 		if (tmp == nid)
797 			return &dpp_curves[i];
798 	}
799 	return NULL;
800 }
801 
802 
803 static int dpp_parse_uri_pk(struct dpp_bootstrap_info *bi, const char *info)
804 {
805 	const char *end;
806 	u8 *data;
807 	size_t data_len;
808 	EVP_PKEY *pkey;
809 	const unsigned char *p;
810 	int res;
811 	X509_PUBKEY *pub = NULL;
812 	ASN1_OBJECT *ppkalg;
813 	const unsigned char *pk;
814 	int ppklen;
815 	X509_ALGOR *pa;
816 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
817 	ASN1_OBJECT *pa_oid;
818 #else
819 	const ASN1_OBJECT *pa_oid;
820 #endif
821 	const void *pval;
822 	int ptype;
823 	const ASN1_OBJECT *poid;
824 	char buf[100];
825 
826 	end = os_strchr(info, ';');
827 	if (!end)
828 		return -1;
829 
830 	data = base64_decode((const unsigned char *) info, end - info,
831 			     &data_len);
832 	if (!data) {
833 		wpa_printf(MSG_DEBUG,
834 			   "DPP: Invalid base64 encoding on URI public-key");
835 		return -1;
836 	}
837 	wpa_hexdump(MSG_DEBUG, "DPP: Base64 decoded URI public-key",
838 		    data, data_len);
839 
840 	if (sha256_vector(1, (const u8 **) &data, &data_len,
841 			  bi->pubkey_hash) < 0) {
842 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
843 		os_free(data);
844 		return -1;
845 	}
846 	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash",
847 		    bi->pubkey_hash, SHA256_MAC_LEN);
848 
849 	/* DER encoded ASN.1 SubjectPublicKeyInfo
850 	 *
851 	 * SubjectPublicKeyInfo  ::=  SEQUENCE  {
852 	 *      algorithm            AlgorithmIdentifier,
853 	 *      subjectPublicKey     BIT STRING  }
854 	 *
855 	 * AlgorithmIdentifier  ::=  SEQUENCE  {
856 	 *      algorithm               OBJECT IDENTIFIER,
857 	 *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
858 	 *
859 	 * subjectPublicKey = compressed format public key per ANSI X9.63
860 	 * algorithm = ecPublicKey (1.2.840.10045.2.1)
861 	 * parameters = shall be present and shall be OBJECT IDENTIFIER; e.g.,
862 	 *       prime256v1 (1.2.840.10045.3.1.7)
863 	 */
864 
865 	p = data;
866 	pkey = d2i_PUBKEY(NULL, &p, data_len);
867 	os_free(data);
868 
869 	if (!pkey) {
870 		wpa_printf(MSG_DEBUG,
871 			   "DPP: Could not parse URI public-key SubjectPublicKeyInfo");
872 		return -1;
873 	}
874 
875 	if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
876 		wpa_printf(MSG_DEBUG,
877 			   "DPP: SubjectPublicKeyInfo does not describe an EC key");
878 		EVP_PKEY_free(pkey);
879 		return -1;
880 	}
881 
882 	res = X509_PUBKEY_set(&pub, pkey);
883 	if (res != 1) {
884 		wpa_printf(MSG_DEBUG, "DPP: Could not set pubkey");
885 		goto fail;
886 	}
887 
888 	res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
889 	if (res != 1) {
890 		wpa_printf(MSG_DEBUG,
891 			   "DPP: Could not extract SubjectPublicKeyInfo parameters");
892 		goto fail;
893 	}
894 	res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
895 	if (res < 0 || (size_t) res >= sizeof(buf)) {
896 		wpa_printf(MSG_DEBUG,
897 			   "DPP: Could not extract SubjectPublicKeyInfo algorithm");
898 		goto fail;
899 	}
900 	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey algorithm: %s", buf);
901 	if (os_strcmp(buf, "id-ecPublicKey") != 0) {
902 		wpa_printf(MSG_DEBUG,
903 			   "DPP: Unsupported SubjectPublicKeyInfo algorithm");
904 		goto fail;
905 	}
906 
907 	X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
908 	if (ptype != V_ASN1_OBJECT) {
909 		wpa_printf(MSG_DEBUG,
910 			   "DPP: SubjectPublicKeyInfo parameters did not contain an OID");
911 		goto fail;
912 	}
913 	poid = pval;
914 	res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
915 	if (res < 0 || (size_t) res >= sizeof(buf)) {
916 		wpa_printf(MSG_DEBUG,
917 			   "DPP: Could not extract SubjectPublicKeyInfo parameters OID");
918 		goto fail;
919 	}
920 	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey parameters: %s", buf);
921 	bi->curve = dpp_get_curve_oid(poid);
922 	if (!bi->curve) {
923 		wpa_printf(MSG_DEBUG,
924 			   "DPP: Unsupported SubjectPublicKeyInfo curve: %s",
925 			   buf);
926 		goto fail;
927 	}
928 
929 	wpa_hexdump(MSG_DEBUG, "DPP: URI subjectPublicKey", pk, ppklen);
930 
931 	X509_PUBKEY_free(pub);
932 	bi->pubkey = pkey;
933 	return 0;
934 fail:
935 	X509_PUBKEY_free(pub);
936 	EVP_PKEY_free(pkey);
937 	return -1;
938 }
939 
940 
941 static struct dpp_bootstrap_info * dpp_parse_uri(const char *uri)
942 {
943 	const char *pos = uri;
944 	const char *end;
945 	const char *chan_list = NULL, *mac = NULL, *info = NULL, *pk = NULL;
946 	struct dpp_bootstrap_info *bi;
947 
948 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: URI", uri, os_strlen(uri));
949 
950 	if (os_strncmp(pos, "DPP:", 4) != 0) {
951 		wpa_printf(MSG_INFO, "DPP: Not a DPP URI");
952 		return NULL;
953 	}
954 	pos += 4;
955 
956 	for (;;) {
957 		end = os_strchr(pos, ';');
958 		if (!end)
959 			break;
960 
961 		if (end == pos) {
962 			/* Handle terminating ";;" and ignore unexpected ";"
963 			 * for parsing robustness. */
964 			pos++;
965 			continue;
966 		}
967 
968 		if (pos[0] == 'C' && pos[1] == ':' && !chan_list)
969 			chan_list = pos + 2;
970 		else if (pos[0] == 'M' && pos[1] == ':' && !mac)
971 			mac = pos + 2;
972 		else if (pos[0] == 'I' && pos[1] == ':' && !info)
973 			info = pos + 2;
974 		else if (pos[0] == 'K' && pos[1] == ':' && !pk)
975 			pk = pos + 2;
976 		else
977 			wpa_hexdump_ascii(MSG_DEBUG,
978 					  "DPP: Ignore unrecognized URI parameter",
979 					  pos, end - pos);
980 		pos = end + 1;
981 	}
982 
983 	if (!pk) {
984 		wpa_printf(MSG_INFO, "DPP: URI missing public-key");
985 		return NULL;
986 	}
987 
988 	bi = os_zalloc(sizeof(*bi));
989 	if (!bi)
990 		return NULL;
991 
992 	if (dpp_clone_uri(bi, uri) < 0 ||
993 	    dpp_parse_uri_chan_list(bi, chan_list) < 0 ||
994 	    dpp_parse_uri_mac(bi, mac) < 0 ||
995 	    dpp_parse_uri_info(bi, info) < 0 ||
996 	    dpp_parse_uri_pk(bi, pk) < 0) {
997 		dpp_bootstrap_info_free(bi);
998 		bi = NULL;
999 	}
1000 
1001 	return bi;
1002 }
1003 
1004 
1005 struct dpp_bootstrap_info * dpp_parse_qr_code(const char *uri)
1006 {
1007 	struct dpp_bootstrap_info *bi;
1008 
1009 	bi = dpp_parse_uri(uri);
1010 	if (bi)
1011 		bi->type = DPP_BOOTSTRAP_QR_CODE;
1012 	return bi;
1013 }
1014 
1015 
1016 static void dpp_debug_print_key(const char *title, EVP_PKEY *key)
1017 {
1018 	EC_KEY *eckey;
1019 	BIO *out;
1020 	size_t rlen;
1021 	char *txt;
1022 	int res;
1023 	unsigned char *der = NULL;
1024 	int der_len;
1025 	const EC_GROUP *group;
1026 	const EC_POINT *point;
1027 
1028 	out = BIO_new(BIO_s_mem());
1029 	if (!out)
1030 		return;
1031 
1032 	EVP_PKEY_print_private(out, key, 0, NULL);
1033 	rlen = BIO_ctrl_pending(out);
1034 	txt = os_malloc(rlen + 1);
1035 	if (txt) {
1036 		res = BIO_read(out, txt, rlen);
1037 		if (res > 0) {
1038 			txt[res] = '\0';
1039 			wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
1040 		}
1041 		os_free(txt);
1042 	}
1043 	BIO_free(out);
1044 
1045 	eckey = EVP_PKEY_get1_EC_KEY(key);
1046 	if (!eckey)
1047 		return;
1048 
1049 	group = EC_KEY_get0_group(eckey);
1050 	point = EC_KEY_get0_public_key(eckey);
1051 	if (group && point)
1052 		dpp_debug_print_point(title, group, point);
1053 
1054 	der_len = i2d_ECPrivateKey(eckey, &der);
1055 	if (der_len > 0)
1056 		wpa_hexdump_key(MSG_DEBUG, "DPP: ECPrivateKey", der, der_len);
1057 	OPENSSL_free(der);
1058 	if (der_len <= 0) {
1059 		der = NULL;
1060 		der_len = i2d_EC_PUBKEY(eckey, &der);
1061 		if (der_len > 0)
1062 			wpa_hexdump(MSG_DEBUG, "DPP: EC_PUBKEY", der, der_len);
1063 		OPENSSL_free(der);
1064 	}
1065 
1066 	EC_KEY_free(eckey);
1067 }
1068 
1069 
1070 static EVP_PKEY * dpp_gen_keypair(const struct dpp_curve_params *curve)
1071 {
1072 	EVP_PKEY_CTX *kctx = NULL;
1073 	EC_KEY *ec_params;
1074 	EVP_PKEY *params = NULL, *key = NULL;
1075 	int nid;
1076 
1077 	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
1078 
1079 	nid = OBJ_txt2nid(curve->name);
1080 	if (nid == NID_undef) {
1081 		wpa_printf(MSG_INFO, "DPP: Unsupported curve %s", curve->name);
1082 		return NULL;
1083 	}
1084 
1085 	ec_params = EC_KEY_new_by_curve_name(nid);
1086 	if (!ec_params) {
1087 		wpa_printf(MSG_ERROR,
1088 			   "DPP: Failed to generate EC_KEY parameters");
1089 		goto fail;
1090 	}
1091 	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
1092 	params = EVP_PKEY_new();
1093 	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
1094 		wpa_printf(MSG_ERROR,
1095 			   "DPP: Failed to generate EVP_PKEY parameters");
1096 		goto fail;
1097 	}
1098 
1099 	kctx = EVP_PKEY_CTX_new(params, NULL);
1100 	if (!kctx ||
1101 	    EVP_PKEY_keygen_init(kctx) != 1 ||
1102 	    EVP_PKEY_keygen(kctx, &key) != 1) {
1103 		wpa_printf(MSG_ERROR, "DPP: Failed to generate EC key");
1104 		goto fail;
1105 	}
1106 
1107 	if (wpa_debug_show_keys)
1108 		dpp_debug_print_key("Own generated key", key);
1109 
1110 	EVP_PKEY_free(params);
1111 	EVP_PKEY_CTX_free(kctx);
1112 	return key;
1113 fail:
1114 	EVP_PKEY_CTX_free(kctx);
1115 	EVP_PKEY_free(params);
1116 	return NULL;
1117 }
1118 
1119 
1120 static const struct dpp_curve_params *
1121 dpp_get_curve_name(const char *name)
1122 {
1123 	int i;
1124 
1125 	for (i = 0; dpp_curves[i].name; i++) {
1126 		if (os_strcmp(name, dpp_curves[i].name) == 0 ||
1127 		    (dpp_curves[i].jwk_crv &&
1128 		     os_strcmp(name, dpp_curves[i].jwk_crv) == 0))
1129 			return &dpp_curves[i];
1130 	}
1131 	return NULL;
1132 }
1133 
1134 
1135 static const struct dpp_curve_params *
1136 dpp_get_curve_jwk_crv(const char *name)
1137 {
1138 	int i;
1139 
1140 	for (i = 0; dpp_curves[i].name; i++) {
1141 		if (dpp_curves[i].jwk_crv &&
1142 		    os_strcmp(name, dpp_curves[i].jwk_crv) == 0)
1143 			return &dpp_curves[i];
1144 	}
1145 	return NULL;
1146 }
1147 
1148 
1149 static EVP_PKEY * dpp_set_keypair(const struct dpp_curve_params **curve,
1150 				  const u8 *privkey, size_t privkey_len)
1151 {
1152 	EVP_PKEY *pkey;
1153 	EC_KEY *eckey;
1154 	const EC_GROUP *group;
1155 	int nid;
1156 
1157 	pkey = EVP_PKEY_new();
1158 	if (!pkey)
1159 		return NULL;
1160 	eckey = d2i_ECPrivateKey(NULL, &privkey, privkey_len);
1161 	if (!eckey) {
1162 		wpa_printf(MSG_INFO,
1163 			   "DPP: OpenSSL: d2i_ECPrivateKey() failed: %s",
1164 			   ERR_error_string(ERR_get_error(), NULL));
1165 		EVP_PKEY_free(pkey);
1166 		return NULL;
1167 	}
1168 	group = EC_KEY_get0_group(eckey);
1169 	if (!group) {
1170 		EC_KEY_free(eckey);
1171 		EVP_PKEY_free(pkey);
1172 		return NULL;
1173 	}
1174 	nid = EC_GROUP_get_curve_name(group);
1175 	*curve = dpp_get_curve_nid(nid);
1176 	if (!*curve) {
1177 		wpa_printf(MSG_INFO,
1178 			   "DPP: Unsupported curve (nid=%d) in pre-assigned key",
1179 			   nid);
1180 		EC_KEY_free(eckey);
1181 		EVP_PKEY_free(pkey);
1182 		return NULL;
1183 	}
1184 
1185 	if (EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
1186 		EC_KEY_free(eckey);
1187 		EVP_PKEY_free(pkey);
1188 		return NULL;
1189 	}
1190 	return pkey;
1191 }
1192 
1193 
1194 typedef struct {
1195 	/* AlgorithmIdentifier ecPublicKey with optional parameters present
1196 	 * as an OID identifying the curve */
1197 	X509_ALGOR *alg;
1198 	/* Compressed format public key per ANSI X9.63 */
1199 	ASN1_BIT_STRING *pub_key;
1200 } DPP_BOOTSTRAPPING_KEY;
1201 
1202 ASN1_SEQUENCE(DPP_BOOTSTRAPPING_KEY) = {
1203 	ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, alg, X509_ALGOR),
1204 	ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, pub_key, ASN1_BIT_STRING)
1205 } ASN1_SEQUENCE_END(DPP_BOOTSTRAPPING_KEY);
1206 
1207 IMPLEMENT_ASN1_FUNCTIONS(DPP_BOOTSTRAPPING_KEY);
1208 
1209 
1210 static struct wpabuf * dpp_bootstrap_key_der(EVP_PKEY *key)
1211 {
1212 	unsigned char *der = NULL;
1213 	int der_len;
1214 	EC_KEY *eckey;
1215 	struct wpabuf *ret = NULL;
1216 	size_t len;
1217 	const EC_GROUP *group;
1218 	const EC_POINT *point;
1219 	BN_CTX *ctx;
1220 	DPP_BOOTSTRAPPING_KEY *bootstrap = NULL;
1221 	int nid;
1222 
1223 	ctx = BN_CTX_new();
1224 	eckey = EVP_PKEY_get1_EC_KEY(key);
1225 	if (!ctx || !eckey)
1226 		goto fail;
1227 
1228 	group = EC_KEY_get0_group(eckey);
1229 	point = EC_KEY_get0_public_key(eckey);
1230 	if (!group || !point)
1231 		goto fail;
1232 	dpp_debug_print_point("DPP: bootstrap public key", group, point);
1233 	nid = EC_GROUP_get_curve_name(group);
1234 
1235 	bootstrap = DPP_BOOTSTRAPPING_KEY_new();
1236 	if (!bootstrap ||
1237 	    X509_ALGOR_set0(bootstrap->alg, OBJ_nid2obj(EVP_PKEY_EC),
1238 			    V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
1239 		goto fail;
1240 
1241 	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
1242 				 NULL, 0, ctx);
1243 	if (len == 0)
1244 		goto fail;
1245 
1246 	der = OPENSSL_malloc(len);
1247 	if (!der)
1248 		goto fail;
1249 	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
1250 				 der, len, ctx);
1251 
1252 	OPENSSL_free(bootstrap->pub_key->data);
1253 	bootstrap->pub_key->data = der;
1254 	der = NULL;
1255 	bootstrap->pub_key->length = len;
1256 	/* No unused bits */
1257 	bootstrap->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
1258 	bootstrap->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1259 
1260 	der_len = i2d_DPP_BOOTSTRAPPING_KEY(bootstrap, &der);
1261 	if (der_len <= 0) {
1262 		wpa_printf(MSG_ERROR,
1263 			   "DDP: Failed to build DER encoded public key");
1264 		goto fail;
1265 	}
1266 
1267 	ret = wpabuf_alloc_copy(der, der_len);
1268 fail:
1269 	DPP_BOOTSTRAPPING_KEY_free(bootstrap);
1270 	OPENSSL_free(der);
1271 	EC_KEY_free(eckey);
1272 	BN_CTX_free(ctx);
1273 	return ret;
1274 }
1275 
1276 
1277 int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi)
1278 {
1279 	struct wpabuf *der;
1280 	int res;
1281 	const u8 *addr[1];
1282 	size_t len[1];
1283 
1284 	der = dpp_bootstrap_key_der(bi->pubkey);
1285 	if (!der)
1286 		return -1;
1287 	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
1288 			der);
1289 
1290 	addr[0] = wpabuf_head(der);
1291 	len[0] = wpabuf_len(der);
1292 	res = sha256_vector(1, addr, len, bi->pubkey_hash);
1293 	if (res < 0)
1294 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
1295 	else
1296 		wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
1297 			    SHA256_MAC_LEN);
1298 	wpabuf_free(der);
1299 	return res;
1300 }
1301 
1302 
1303 char * dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve,
1304 		  const u8 *privkey, size_t privkey_len)
1305 {
1306 	unsigned char *base64 = NULL;
1307 	char *pos, *end;
1308 	size_t len;
1309 	struct wpabuf *der = NULL;
1310 	const u8 *addr[1];
1311 	int res;
1312 
1313 	if (!curve) {
1314 		bi->curve = &dpp_curves[0];
1315 	} else {
1316 		bi->curve = dpp_get_curve_name(curve);
1317 		if (!bi->curve) {
1318 			wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
1319 				   curve);
1320 			return NULL;
1321 		}
1322 	}
1323 	if (privkey)
1324 		bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len);
1325 	else
1326 		bi->pubkey = dpp_gen_keypair(bi->curve);
1327 	if (!bi->pubkey)
1328 		goto fail;
1329 	bi->own = 1;
1330 
1331 	der = dpp_bootstrap_key_der(bi->pubkey);
1332 	if (!der)
1333 		goto fail;
1334 	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
1335 			der);
1336 
1337 	addr[0] = wpabuf_head(der);
1338 	len = wpabuf_len(der);
1339 	res = sha256_vector(1, addr, &len, bi->pubkey_hash);
1340 	if (res < 0) {
1341 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
1342 		goto fail;
1343 	}
1344 	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
1345 		    SHA256_MAC_LEN);
1346 
1347 	base64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &len);
1348 	wpabuf_free(der);
1349 	der = NULL;
1350 	if (!base64)
1351 		goto fail;
1352 	pos = (char *) base64;
1353 	end = pos + len;
1354 	for (;;) {
1355 		pos = os_strchr(pos, '\n');
1356 		if (!pos)
1357 			break;
1358 		os_memmove(pos, pos + 1, end - pos);
1359 	}
1360 	return (char *) base64;
1361 fail:
1362 	os_free(base64);
1363 	wpabuf_free(der);
1364 	return NULL;
1365 }
1366 
1367 
1368 static int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1,
1369 			 unsigned int hash_len)
1370 {
1371 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1372 	const char *info = "first intermediate key";
1373 	int res;
1374 
1375 	/* k1 = HKDF(<>, "first intermediate key", M.x) */
1376 
1377 	/* HKDF-Extract(<>, M.x) */
1378 	os_memset(salt, 0, hash_len);
1379 	if (dpp_hmac(hash_len, salt, hash_len, Mx, Mx_len, prk) < 0)
1380 		return -1;
1381 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)",
1382 			prk, hash_len);
1383 
1384 	/* HKDF-Expand(PRK, info, L) */
1385 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len);
1386 	os_memset(prk, 0, hash_len);
1387 	if (res < 0)
1388 		return -1;
1389 
1390 	wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)",
1391 			k1, hash_len);
1392 	return 0;
1393 }
1394 
1395 
1396 static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2,
1397 			 unsigned int hash_len)
1398 {
1399 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1400 	const char *info = "second intermediate key";
1401 	int res;
1402 
1403 	/* k2 = HKDF(<>, "second intermediate key", N.x) */
1404 
1405 	/* HKDF-Extract(<>, N.x) */
1406 	os_memset(salt, 0, hash_len);
1407 	res = dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk);
1408 	if (res < 0)
1409 		return -1;
1410 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
1411 			prk, hash_len);
1412 
1413 	/* HKDF-Expand(PRK, info, L) */
1414 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len);
1415 	os_memset(prk, 0, hash_len);
1416 	if (res < 0)
1417 		return -1;
1418 
1419 	wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)",
1420 			k2, hash_len);
1421 	return 0;
1422 }
1423 
1424 
1425 static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
1426 			 unsigned int hash_len)
1427 {
1428 	size_t nonce_len;
1429 	u8 nonces[2 * DPP_MAX_NONCE_LEN];
1430 	const char *info_ke = "DPP Key";
1431 	u8 prk[DPP_MAX_HASH_LEN];
1432 	int res;
1433 	const u8 *addr[3];
1434 	size_t len[3];
1435 	size_t num_elem = 0;
1436 
1437 	if (!auth->Mx_len || !auth->Nx_len) {
1438 		wpa_printf(MSG_DEBUG,
1439 			   "DPP: Mx/Nx not available - cannot derive ke");
1440 		return -1;
1441 	}
1442 
1443 	/* ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]) */
1444 
1445 	/* HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
1446 	nonce_len = auth->curve->nonce_len;
1447 	os_memcpy(nonces, auth->i_nonce, nonce_len);
1448 	os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
1449 	addr[num_elem] = auth->Mx;
1450 	len[num_elem] = auth->Mx_len;
1451 	num_elem++;
1452 	addr[num_elem] = auth->Nx;
1453 	len[num_elem] = auth->Nx_len;
1454 	num_elem++;
1455 	if (auth->peer_bi && auth->own_bi) {
1456 		if (!auth->Lx_len) {
1457 			wpa_printf(MSG_DEBUG,
1458 				   "DPP: Lx not available - cannot derive ke");
1459 			return -1;
1460 		}
1461 		addr[num_elem] = auth->Lx;
1462 		len[num_elem] = auth->secret_len;
1463 		num_elem++;
1464 	}
1465 	res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
1466 			      num_elem, addr, len, prk);
1467 	if (res < 0)
1468 		return -1;
1469 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
1470 			prk, hash_len);
1471 
1472 	/* HKDF-Expand(PRK, info, L) */
1473 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len);
1474 	os_memset(prk, 0, hash_len);
1475 	if (res < 0)
1476 		return -1;
1477 
1478 	wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)",
1479 			ke, hash_len);
1480 	return 0;
1481 }
1482 
1483 
1484 static void dpp_build_attr_status(struct wpabuf *msg,
1485 				  enum dpp_status_error status)
1486 {
1487 	wpa_printf(MSG_DEBUG, "DPP: Status %d", status);
1488 	wpabuf_put_le16(msg, DPP_ATTR_STATUS);
1489 	wpabuf_put_le16(msg, 1);
1490 	wpabuf_put_u8(msg, status);
1491 }
1492 
1493 
1494 static void dpp_build_attr_r_bootstrap_key_hash(struct wpabuf *msg,
1495 						const u8 *hash)
1496 {
1497 	if (hash) {
1498 		wpa_printf(MSG_DEBUG, "DPP: R-Bootstrap Key Hash");
1499 		wpabuf_put_le16(msg, DPP_ATTR_R_BOOTSTRAP_KEY_HASH);
1500 		wpabuf_put_le16(msg, SHA256_MAC_LEN);
1501 		wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
1502 	}
1503 }
1504 
1505 
1506 static void dpp_build_attr_i_bootstrap_key_hash(struct wpabuf *msg,
1507 						const u8 *hash)
1508 {
1509 	if (hash) {
1510 		wpa_printf(MSG_DEBUG, "DPP: I-Bootstrap Key Hash");
1511 		wpabuf_put_le16(msg, DPP_ATTR_I_BOOTSTRAP_KEY_HASH);
1512 		wpabuf_put_le16(msg, SHA256_MAC_LEN);
1513 		wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
1514 	}
1515 }
1516 
1517 
1518 static struct wpabuf * dpp_auth_build_req(struct dpp_authentication *auth,
1519 					  const struct wpabuf *pi,
1520 					  size_t nonce_len,
1521 					  const u8 *r_pubkey_hash,
1522 					  const u8 *i_pubkey_hash,
1523 					  unsigned int neg_freq)
1524 {
1525 	struct wpabuf *msg;
1526 	u8 clear[4 + DPP_MAX_NONCE_LEN + 4 + 1];
1527 	u8 wrapped_data[4 + DPP_MAX_NONCE_LEN + 4 + 1 + AES_BLOCK_SIZE];
1528 	u8 *pos;
1529 	const u8 *addr[2];
1530 	size_t len[2], siv_len, attr_len;
1531 	u8 *attr_start, *attr_end;
1532 
1533 	/* Build DPP Authentication Request frame attributes */
1534 	attr_len = 2 * (4 + SHA256_MAC_LEN) + 4 + (pi ? wpabuf_len(pi) : 0) +
1535 		4 + sizeof(wrapped_data);
1536 	if (neg_freq > 0)
1537 		attr_len += 4 + 2;
1538 #ifdef CONFIG_TESTING_OPTIONS
1539 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ)
1540 		attr_len += 5;
1541 #endif /* CONFIG_TESTING_OPTIONS */
1542 	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_REQ, attr_len);
1543 	if (!msg)
1544 		return NULL;
1545 
1546 	attr_start = wpabuf_put(msg, 0);
1547 
1548 	/* Responder Bootstrapping Key Hash */
1549 	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
1550 
1551 	/* Initiator Bootstrapping Key Hash */
1552 	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
1553 
1554 	/* Initiator Protocol Key */
1555 	if (pi) {
1556 		wpabuf_put_le16(msg, DPP_ATTR_I_PROTOCOL_KEY);
1557 		wpabuf_put_le16(msg, wpabuf_len(pi));
1558 		wpabuf_put_buf(msg, pi);
1559 	}
1560 
1561 	/* Channel */
1562 	if (neg_freq > 0) {
1563 		u8 op_class, channel;
1564 
1565 		if (ieee80211_freq_to_channel_ext(neg_freq, 0, 0, &op_class,
1566 						  &channel) ==
1567 		    NUM_HOSTAPD_MODES) {
1568 			wpa_printf(MSG_INFO,
1569 				   "DPP: Unsupported negotiation frequency request: %d",
1570 				   neg_freq);
1571 			wpabuf_free(msg);
1572 			return NULL;
1573 		}
1574 		wpabuf_put_le16(msg, DPP_ATTR_CHANNEL);
1575 		wpabuf_put_le16(msg, 2);
1576 		wpabuf_put_u8(msg, op_class);
1577 		wpabuf_put_u8(msg, channel);
1578 	}
1579 
1580 #ifdef CONFIG_TESTING_OPTIONS
1581 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_REQ) {
1582 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
1583 		goto skip_wrapped_data;
1584 	}
1585 #endif /* CONFIG_TESTING_OPTIONS */
1586 
1587 	/* Wrapped data ({I-nonce, I-capabilities}k1) */
1588 	pos = clear;
1589 
1590 #ifdef CONFIG_TESTING_OPTIONS
1591 	if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_REQ) {
1592 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
1593 		goto skip_i_nonce;
1594 	}
1595 	if (dpp_test == DPP_TEST_INVALID_I_NONCE_AUTH_REQ) {
1596 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-nonce");
1597 		WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1598 		pos += 2;
1599 		WPA_PUT_LE16(pos, nonce_len - 1);
1600 		pos += 2;
1601 		os_memcpy(pos, auth->i_nonce, nonce_len - 1);
1602 		pos += nonce_len - 1;
1603 		goto skip_i_nonce;
1604 	}
1605 #endif /* CONFIG_TESTING_OPTIONS */
1606 
1607 	/* I-nonce */
1608 	WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1609 	pos += 2;
1610 	WPA_PUT_LE16(pos, nonce_len);
1611 	pos += 2;
1612 	os_memcpy(pos, auth->i_nonce, nonce_len);
1613 	pos += nonce_len;
1614 
1615 #ifdef CONFIG_TESTING_OPTIONS
1616 skip_i_nonce:
1617 	if (dpp_test == DPP_TEST_NO_I_CAPAB_AUTH_REQ) {
1618 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-capab");
1619 		goto skip_i_capab;
1620 	}
1621 #endif /* CONFIG_TESTING_OPTIONS */
1622 
1623 	/* I-capabilities */
1624 	WPA_PUT_LE16(pos, DPP_ATTR_I_CAPABILITIES);
1625 	pos += 2;
1626 	WPA_PUT_LE16(pos, 1);
1627 	pos += 2;
1628 	auth->i_capab = auth->allowed_roles;
1629 	*pos++ = auth->i_capab;
1630 #ifdef CONFIG_TESTING_OPTIONS
1631 	if (dpp_test == DPP_TEST_ZERO_I_CAPAB) {
1632 		wpa_printf(MSG_INFO, "DPP: TESTING - zero I-capabilities");
1633 		pos[-1] = 0;
1634 	}
1635 skip_i_capab:
1636 #endif /* CONFIG_TESTING_OPTIONS */
1637 
1638 	attr_end = wpabuf_put(msg, 0);
1639 
1640 	/* OUI, OUI type, Crypto Suite, DPP frame type */
1641 	addr[0] = wpabuf_head_u8(msg) + 2;
1642 	len[0] = 3 + 1 + 1 + 1;
1643 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1644 
1645 	/* Attributes before Wrapped Data */
1646 	addr[1] = attr_start;
1647 	len[1] = attr_end - attr_start;
1648 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1649 
1650 	siv_len = pos - clear;
1651 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
1652 	if (aes_siv_encrypt(auth->k1, auth->curve->hash_len, clear, siv_len,
1653 			    2, addr, len, wrapped_data) < 0) {
1654 		wpabuf_free(msg);
1655 		return NULL;
1656 	}
1657 	siv_len += AES_BLOCK_SIZE;
1658 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1659 		    wrapped_data, siv_len);
1660 
1661 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1662 	wpabuf_put_le16(msg, siv_len);
1663 	wpabuf_put_data(msg, wrapped_data, siv_len);
1664 
1665 #ifdef CONFIG_TESTING_OPTIONS
1666 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) {
1667 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
1668 		dpp_build_attr_status(msg, DPP_STATUS_OK);
1669 	}
1670 skip_wrapped_data:
1671 #endif /* CONFIG_TESTING_OPTIONS */
1672 
1673 	wpa_hexdump_buf(MSG_DEBUG,
1674 			"DPP: Authentication Request frame attributes", msg);
1675 
1676 	return msg;
1677 }
1678 
1679 
1680 static struct wpabuf * dpp_auth_build_resp(struct dpp_authentication *auth,
1681 					   enum dpp_status_error status,
1682 					   const struct wpabuf *pr,
1683 					   size_t nonce_len,
1684 					   const u8 *r_pubkey_hash,
1685 					   const u8 *i_pubkey_hash,
1686 					   const u8 *r_nonce, const u8 *i_nonce,
1687 					   const u8 *wrapped_r_auth,
1688 					   size_t wrapped_r_auth_len,
1689 					   const u8 *siv_key)
1690 {
1691 	struct wpabuf *msg;
1692 #define DPP_AUTH_RESP_CLEAR_LEN 2 * (4 + DPP_MAX_NONCE_LEN) + 4 + 1 + \
1693 		4 + 4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE
1694 	u8 clear[DPP_AUTH_RESP_CLEAR_LEN];
1695 	u8 wrapped_data[DPP_AUTH_RESP_CLEAR_LEN + AES_BLOCK_SIZE];
1696 	const u8 *addr[2];
1697 	size_t len[2], siv_len, attr_len;
1698 	u8 *attr_start, *attr_end, *pos;
1699 
1700 	auth->waiting_auth_conf = 1;
1701 	auth->auth_resp_tries = 0;
1702 
1703 	/* Build DPP Authentication Response frame attributes */
1704 	attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
1705 		4 + (pr ? wpabuf_len(pr) : 0) + 4 + sizeof(wrapped_data);
1706 #ifdef CONFIG_TESTING_OPTIONS
1707 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP)
1708 		attr_len += 5;
1709 #endif /* CONFIG_TESTING_OPTIONS */
1710 	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_RESP, attr_len);
1711 	if (!msg)
1712 		return NULL;
1713 
1714 	attr_start = wpabuf_put(msg, 0);
1715 
1716 	/* DPP Status */
1717 	if (status != 255)
1718 		dpp_build_attr_status(msg, status);
1719 
1720 	/* Responder Bootstrapping Key Hash */
1721 	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
1722 
1723 	/* Initiator Bootstrapping Key Hash (mutual authentication) */
1724 	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
1725 
1726 	/* Responder Protocol Key */
1727 	if (pr) {
1728 		wpabuf_put_le16(msg, DPP_ATTR_R_PROTOCOL_KEY);
1729 		wpabuf_put_le16(msg, wpabuf_len(pr));
1730 		wpabuf_put_buf(msg, pr);
1731 	}
1732 
1733 	attr_end = wpabuf_put(msg, 0);
1734 
1735 #ifdef CONFIG_TESTING_OPTIONS
1736 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_RESP) {
1737 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
1738 		goto skip_wrapped_data;
1739 	}
1740 #endif /* CONFIG_TESTING_OPTIONS */
1741 
1742 	/* Wrapped data ({R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2) */
1743 	pos = clear;
1744 
1745 	if (r_nonce) {
1746 		/* R-nonce */
1747 		WPA_PUT_LE16(pos, DPP_ATTR_R_NONCE);
1748 		pos += 2;
1749 		WPA_PUT_LE16(pos, nonce_len);
1750 		pos += 2;
1751 		os_memcpy(pos, r_nonce, nonce_len);
1752 		pos += nonce_len;
1753 	}
1754 
1755 	if (i_nonce) {
1756 		/* I-nonce */
1757 		WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1758 		pos += 2;
1759 		WPA_PUT_LE16(pos, nonce_len);
1760 		pos += 2;
1761 		os_memcpy(pos, i_nonce, nonce_len);
1762 #ifdef CONFIG_TESTING_OPTIONS
1763 		if (dpp_test == DPP_TEST_I_NONCE_MISMATCH_AUTH_RESP) {
1764 			wpa_printf(MSG_INFO, "DPP: TESTING - I-nonce mismatch");
1765 			pos[nonce_len / 2] ^= 0x01;
1766 		}
1767 #endif /* CONFIG_TESTING_OPTIONS */
1768 		pos += nonce_len;
1769 	}
1770 
1771 #ifdef CONFIG_TESTING_OPTIONS
1772 	if (dpp_test == DPP_TEST_NO_R_CAPAB_AUTH_RESP) {
1773 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-capab");
1774 		goto skip_r_capab;
1775 	}
1776 #endif /* CONFIG_TESTING_OPTIONS */
1777 
1778 	/* R-capabilities */
1779 	WPA_PUT_LE16(pos, DPP_ATTR_R_CAPABILITIES);
1780 	pos += 2;
1781 	WPA_PUT_LE16(pos, 1);
1782 	pos += 2;
1783 	auth->r_capab = auth->configurator ? DPP_CAPAB_CONFIGURATOR :
1784 		DPP_CAPAB_ENROLLEE;
1785 	*pos++ = auth->r_capab;
1786 #ifdef CONFIG_TESTING_OPTIONS
1787 	if (dpp_test == DPP_TEST_ZERO_R_CAPAB) {
1788 		wpa_printf(MSG_INFO, "DPP: TESTING - zero R-capabilities");
1789 		pos[-1] = 0;
1790 	} else if (dpp_test == DPP_TEST_INCOMPATIBLE_R_CAPAB_AUTH_RESP) {
1791 		wpa_printf(MSG_INFO,
1792 			   "DPP: TESTING - incompatible R-capabilities");
1793 		if ((auth->i_capab & DPP_CAPAB_ROLE_MASK) ==
1794 		    (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE))
1795 			pos[-1] = 0;
1796 		else
1797 			pos[-1] = auth->configurator ? DPP_CAPAB_ENROLLEE :
1798 				DPP_CAPAB_CONFIGURATOR;
1799 	}
1800 skip_r_capab:
1801 #endif /* CONFIG_TESTING_OPTIONS */
1802 
1803 	if (wrapped_r_auth) {
1804 		/* {R-auth}ke */
1805 		WPA_PUT_LE16(pos, DPP_ATTR_WRAPPED_DATA);
1806 		pos += 2;
1807 		WPA_PUT_LE16(pos, wrapped_r_auth_len);
1808 		pos += 2;
1809 		os_memcpy(pos, wrapped_r_auth, wrapped_r_auth_len);
1810 		pos += wrapped_r_auth_len;
1811 	}
1812 
1813 	/* OUI, OUI type, Crypto Suite, DPP frame type */
1814 	addr[0] = wpabuf_head_u8(msg) + 2;
1815 	len[0] = 3 + 1 + 1 + 1;
1816 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1817 
1818 	/* Attributes before Wrapped Data */
1819 	addr[1] = attr_start;
1820 	len[1] = attr_end - attr_start;
1821 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1822 
1823 	siv_len = pos - clear;
1824 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
1825 	if (aes_siv_encrypt(siv_key, auth->curve->hash_len, clear, siv_len,
1826 			    2, addr, len, wrapped_data) < 0) {
1827 		wpabuf_free(msg);
1828 		return NULL;
1829 	}
1830 	siv_len += AES_BLOCK_SIZE;
1831 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1832 		    wrapped_data, siv_len);
1833 
1834 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1835 	wpabuf_put_le16(msg, siv_len);
1836 	wpabuf_put_data(msg, wrapped_data, siv_len);
1837 
1838 #ifdef CONFIG_TESTING_OPTIONS
1839 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) {
1840 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
1841 		dpp_build_attr_status(msg, DPP_STATUS_OK);
1842 	}
1843 skip_wrapped_data:
1844 #endif /* CONFIG_TESTING_OPTIONS */
1845 
1846 	wpa_hexdump_buf(MSG_DEBUG,
1847 			"DPP: Authentication Response frame attributes", msg);
1848 	return msg;
1849 }
1850 
1851 
1852 static int dpp_channel_ok_init(struct hostapd_hw_modes *own_modes,
1853 			       u16 num_modes, unsigned int freq)
1854 {
1855 	u16 m;
1856 	int c, flag;
1857 
1858 	if (!own_modes || !num_modes)
1859 		return 1;
1860 
1861 	for (m = 0; m < num_modes; m++) {
1862 		for (c = 0; c < own_modes[m].num_channels; c++) {
1863 			if ((unsigned int) own_modes[m].channels[c].freq !=
1864 			    freq)
1865 				continue;
1866 			flag = own_modes[m].channels[c].flag;
1867 			if (!(flag & (HOSTAPD_CHAN_DISABLED |
1868 				      HOSTAPD_CHAN_NO_IR |
1869 				      HOSTAPD_CHAN_RADAR)))
1870 				return 1;
1871 		}
1872 	}
1873 
1874 	wpa_printf(MSG_DEBUG, "DPP: Peer channel %u MHz not supported", freq);
1875 	return 0;
1876 }
1877 
1878 
1879 static int freq_included(const unsigned int freqs[], unsigned int num,
1880 			 unsigned int freq)
1881 {
1882 	while (num > 0) {
1883 		if (freqs[--num] == freq)
1884 			return 1;
1885 	}
1886 	return 0;
1887 }
1888 
1889 
1890 static void freq_to_start(unsigned int freqs[], unsigned int num,
1891 			  unsigned int freq)
1892 {
1893 	unsigned int i;
1894 
1895 	for (i = 0; i < num; i++) {
1896 		if (freqs[i] == freq)
1897 			break;
1898 	}
1899 	if (i == 0 || i >= num)
1900 		return;
1901 	os_memmove(&freqs[1], &freqs[0], i * sizeof(freqs[0]));
1902 	freqs[0] = freq;
1903 }
1904 
1905 
1906 static int dpp_channel_intersect(struct dpp_authentication *auth,
1907 				 struct hostapd_hw_modes *own_modes,
1908 				 u16 num_modes)
1909 {
1910 	struct dpp_bootstrap_info *peer_bi = auth->peer_bi;
1911 	unsigned int i, freq;
1912 
1913 	for (i = 0; i < peer_bi->num_freq; i++) {
1914 		freq = peer_bi->freq[i];
1915 		if (freq_included(auth->freq, auth->num_freq, freq))
1916 			continue;
1917 		if (dpp_channel_ok_init(own_modes, num_modes, freq))
1918 			auth->freq[auth->num_freq++] = freq;
1919 	}
1920 	if (!auth->num_freq) {
1921 		wpa_printf(MSG_INFO,
1922 			   "DPP: No available channels for initiating DPP Authentication");
1923 		return -1;
1924 	}
1925 	auth->curr_freq = auth->freq[0];
1926 	return 0;
1927 }
1928 
1929 
1930 static int dpp_channel_local_list(struct dpp_authentication *auth,
1931 				  struct hostapd_hw_modes *own_modes,
1932 				  u16 num_modes)
1933 {
1934 	u16 m;
1935 	int c, flag;
1936 	unsigned int freq;
1937 
1938 	auth->num_freq = 0;
1939 
1940 	if (!own_modes || !num_modes) {
1941 		auth->freq[0] = 2412;
1942 		auth->freq[1] = 2437;
1943 		auth->freq[2] = 2462;
1944 		auth->num_freq = 3;
1945 		return 0;
1946 	}
1947 
1948 	for (m = 0; m < num_modes; m++) {
1949 		for (c = 0; c < own_modes[m].num_channels; c++) {
1950 			freq = own_modes[m].channels[c].freq;
1951 			flag = own_modes[m].channels[c].flag;
1952 			if (flag & (HOSTAPD_CHAN_DISABLED |
1953 				    HOSTAPD_CHAN_NO_IR |
1954 				    HOSTAPD_CHAN_RADAR))
1955 				continue;
1956 			if (freq_included(auth->freq, auth->num_freq, freq))
1957 				continue;
1958 			auth->freq[auth->num_freq++] = freq;
1959 			if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
1960 				m = num_modes;
1961 				break;
1962 			}
1963 		}
1964 	}
1965 
1966 	return auth->num_freq == 0 ? -1 : 0;
1967 }
1968 
1969 
1970 static int dpp_prepare_channel_list(struct dpp_authentication *auth,
1971 				    struct hostapd_hw_modes *own_modes,
1972 				    u16 num_modes)
1973 {
1974 	int res;
1975 	char freqs[DPP_BOOTSTRAP_MAX_FREQ * 6 + 10], *pos, *end;
1976 	unsigned int i;
1977 
1978 	if (auth->peer_bi->num_freq > 0)
1979 		res = dpp_channel_intersect(auth, own_modes, num_modes);
1980 	else
1981 		res = dpp_channel_local_list(auth, own_modes, num_modes);
1982 	if (res < 0)
1983 		return res;
1984 
1985 	/* Prioritize 2.4 GHz channels 6, 1, 11 (in this order) to hit the most
1986 	 * likely channels first. */
1987 	freq_to_start(auth->freq, auth->num_freq, 2462);
1988 	freq_to_start(auth->freq, auth->num_freq, 2412);
1989 	freq_to_start(auth->freq, auth->num_freq, 2437);
1990 
1991 	auth->freq_idx = 0;
1992 	auth->curr_freq = auth->freq[0];
1993 
1994 	pos = freqs;
1995 	end = pos + sizeof(freqs);
1996 	for (i = 0; i < auth->num_freq; i++) {
1997 		res = os_snprintf(pos, end - pos, " %u", auth->freq[i]);
1998 		if (os_snprintf_error(end - pos, res))
1999 			break;
2000 		pos += res;
2001 	}
2002 	*pos = '\0';
2003 	wpa_printf(MSG_DEBUG, "DPP: Possible frequencies for initiating:%s",
2004 		   freqs);
2005 
2006 	return 0;
2007 }
2008 
2009 
2010 static int dpp_autogen_bootstrap_key(struct dpp_authentication *auth)
2011 {
2012 	struct dpp_bootstrap_info *bi;
2013 	char *pk = NULL;
2014 	size_t len;
2015 
2016 	if (auth->own_bi)
2017 		return 0; /* already generated */
2018 
2019 	bi = os_zalloc(sizeof(*bi));
2020 	if (!bi)
2021 		return -1;
2022 	bi->type = DPP_BOOTSTRAP_QR_CODE;
2023 	pk = dpp_keygen(bi, auth->peer_bi->curve->name, NULL, 0);
2024 	if (!pk)
2025 		goto fail;
2026 
2027 	len = 4; /* "DPP:" */
2028 	len += 4 + os_strlen(pk);
2029 	bi->uri = os_malloc(len + 1);
2030 	if (!bi->uri)
2031 		goto fail;
2032 	os_snprintf(bi->uri, len + 1, "DPP:K:%s;;", pk);
2033 	wpa_printf(MSG_DEBUG,
2034 		   "DPP: Auto-generated own bootstrapping key info: URI %s",
2035 		   bi->uri);
2036 
2037 	auth->tmp_own_bi = auth->own_bi = bi;
2038 
2039 	os_free(pk);
2040 
2041 	return 0;
2042 fail:
2043 	os_free(pk);
2044 	dpp_bootstrap_info_free(bi);
2045 	return -1;
2046 }
2047 
2048 
2049 struct dpp_authentication * dpp_auth_init(void *msg_ctx,
2050 					  struct dpp_bootstrap_info *peer_bi,
2051 					  struct dpp_bootstrap_info *own_bi,
2052 					  u8 dpp_allowed_roles,
2053 					  unsigned int neg_freq,
2054 					  struct hostapd_hw_modes *own_modes,
2055 					  u16 num_modes)
2056 {
2057 	struct dpp_authentication *auth;
2058 	size_t nonce_len;
2059 	EVP_PKEY_CTX *ctx = NULL;
2060 	size_t secret_len;
2061 	struct wpabuf *pi = NULL;
2062 	const u8 *r_pubkey_hash, *i_pubkey_hash;
2063 #ifdef CONFIG_TESTING_OPTIONS
2064 	u8 test_hash[SHA256_MAC_LEN];
2065 #endif /* CONFIG_TESTING_OPTIONS */
2066 
2067 	auth = os_zalloc(sizeof(*auth));
2068 	if (!auth)
2069 		return NULL;
2070 	auth->msg_ctx = msg_ctx;
2071 	auth->initiator = 1;
2072 	auth->waiting_auth_resp = 1;
2073 	auth->allowed_roles = dpp_allowed_roles;
2074 	auth->configurator = !!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR);
2075 	auth->peer_bi = peer_bi;
2076 	auth->own_bi = own_bi;
2077 	auth->curve = peer_bi->curve;
2078 
2079 	if (dpp_autogen_bootstrap_key(auth) < 0 ||
2080 	    dpp_prepare_channel_list(auth, own_modes, num_modes) < 0)
2081 		goto fail;
2082 
2083 #ifdef CONFIG_TESTING_OPTIONS
2084 	if (dpp_nonce_override_len > 0) {
2085 		wpa_printf(MSG_INFO, "DPP: TESTING - override I-nonce");
2086 		nonce_len = dpp_nonce_override_len;
2087 		os_memcpy(auth->i_nonce, dpp_nonce_override, nonce_len);
2088 	} else {
2089 		nonce_len = auth->curve->nonce_len;
2090 		if (random_get_bytes(auth->i_nonce, nonce_len)) {
2091 			wpa_printf(MSG_ERROR,
2092 				   "DPP: Failed to generate I-nonce");
2093 			goto fail;
2094 		}
2095 	}
2096 #else /* CONFIG_TESTING_OPTIONS */
2097 	nonce_len = auth->curve->nonce_len;
2098 	if (random_get_bytes(auth->i_nonce, nonce_len)) {
2099 		wpa_printf(MSG_ERROR, "DPP: Failed to generate I-nonce");
2100 		goto fail;
2101 	}
2102 #endif /* CONFIG_TESTING_OPTIONS */
2103 	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", auth->i_nonce, nonce_len);
2104 
2105 #ifdef CONFIG_TESTING_OPTIONS
2106 	if (dpp_protocol_key_override_len) {
2107 		const struct dpp_curve_params *tmp_curve;
2108 
2109 		wpa_printf(MSG_INFO,
2110 			   "DPP: TESTING - override protocol key");
2111 		auth->own_protocol_key = dpp_set_keypair(
2112 			&tmp_curve, dpp_protocol_key_override,
2113 			dpp_protocol_key_override_len);
2114 	} else {
2115 		auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2116 	}
2117 #else /* CONFIG_TESTING_OPTIONS */
2118 	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2119 #endif /* CONFIG_TESTING_OPTIONS */
2120 	if (!auth->own_protocol_key)
2121 		goto fail;
2122 
2123 	pi = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2124 	if (!pi)
2125 		goto fail;
2126 
2127 	/* ECDH: M = pI * BR */
2128 	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
2129 	if (!ctx ||
2130 	    EVP_PKEY_derive_init(ctx) != 1 ||
2131 	    EVP_PKEY_derive_set_peer(ctx, auth->peer_bi->pubkey) != 1 ||
2132 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
2133 	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
2134 	    EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
2135 		wpa_printf(MSG_ERROR,
2136 			   "DPP: Failed to derive ECDH shared secret: %s",
2137 			   ERR_error_string(ERR_get_error(), NULL));
2138 		goto fail;
2139 	}
2140 	auth->secret_len = secret_len;
2141 	EVP_PKEY_CTX_free(ctx);
2142 	ctx = NULL;
2143 
2144 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
2145 			auth->Mx, auth->secret_len);
2146 	auth->Mx_len = auth->secret_len;
2147 
2148 	if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
2149 			  auth->curve->hash_len) < 0)
2150 		goto fail;
2151 
2152 	r_pubkey_hash = auth->peer_bi->pubkey_hash;
2153 	i_pubkey_hash = auth->own_bi->pubkey_hash;
2154 
2155 #ifdef CONFIG_TESTING_OPTIONS
2156 	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2157 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2158 		r_pubkey_hash = NULL;
2159 	} else if (dpp_test == DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2160 		wpa_printf(MSG_INFO,
2161 			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
2162 		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2163 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2164 		r_pubkey_hash = test_hash;
2165 	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2166 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2167 		i_pubkey_hash = NULL;
2168 	} else if (dpp_test == DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2169 		wpa_printf(MSG_INFO,
2170 			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
2171 		os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2172 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2173 		i_pubkey_hash = test_hash;
2174 	} else if (dpp_test == DPP_TEST_NO_I_PROTO_KEY_AUTH_REQ) {
2175 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Proto Key");
2176 		wpabuf_free(pi);
2177 		pi = NULL;
2178 	} else if (dpp_test == DPP_TEST_INVALID_I_PROTO_KEY_AUTH_REQ) {
2179 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-Proto Key");
2180 		wpabuf_free(pi);
2181 		pi = wpabuf_alloc(2 * auth->curve->prime_len);
2182 		if (!pi || dpp_test_gen_invalid_key(pi, auth->curve) < 0)
2183 			goto fail;
2184 	}
2185 #endif /* CONFIG_TESTING_OPTIONS */
2186 
2187 	auth->req_msg = dpp_auth_build_req(auth, pi, nonce_len, r_pubkey_hash,
2188 					   i_pubkey_hash, neg_freq);
2189 	if (!auth->req_msg)
2190 		goto fail;
2191 
2192 out:
2193 	wpabuf_free(pi);
2194 	EVP_PKEY_CTX_free(ctx);
2195 	return auth;
2196 fail:
2197 	dpp_auth_deinit(auth);
2198 	auth = NULL;
2199 	goto out;
2200 }
2201 
2202 
2203 struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth,
2204 				   const char *json)
2205 {
2206 	size_t nonce_len;
2207 	size_t json_len, clear_len;
2208 	struct wpabuf *clear = NULL, *msg = NULL;
2209 	u8 *wrapped;
2210 	size_t attr_len;
2211 
2212 	wpa_printf(MSG_DEBUG, "DPP: Build configuration request");
2213 
2214 	nonce_len = auth->curve->nonce_len;
2215 	if (random_get_bytes(auth->e_nonce, nonce_len)) {
2216 		wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
2217 		goto fail;
2218 	}
2219 	wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len);
2220 	json_len = os_strlen(json);
2221 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: configAttr JSON", json, json_len);
2222 
2223 	/* { E-nonce, configAttrib }ke */
2224 	clear_len = 4 + nonce_len + 4 + json_len;
2225 	clear = wpabuf_alloc(clear_len);
2226 	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
2227 #ifdef CONFIG_TESTING_OPTIONS
2228 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ)
2229 		attr_len += 5;
2230 #endif /* CONFIG_TESTING_OPTIONS */
2231 	msg = wpabuf_alloc(attr_len);
2232 	if (!clear || !msg)
2233 		goto fail;
2234 
2235 #ifdef CONFIG_TESTING_OPTIONS
2236 	if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_REQ) {
2237 		wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
2238 		goto skip_e_nonce;
2239 	}
2240 	if (dpp_test == DPP_TEST_INVALID_E_NONCE_CONF_REQ) {
2241 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid E-nonce");
2242 		wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
2243 		wpabuf_put_le16(clear, nonce_len - 1);
2244 		wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1);
2245 		goto skip_e_nonce;
2246 	}
2247 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_REQ) {
2248 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
2249 		goto skip_wrapped_data;
2250 	}
2251 #endif /* CONFIG_TESTING_OPTIONS */
2252 
2253 	/* E-nonce */
2254 	wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
2255 	wpabuf_put_le16(clear, nonce_len);
2256 	wpabuf_put_data(clear, auth->e_nonce, nonce_len);
2257 
2258 #ifdef CONFIG_TESTING_OPTIONS
2259 skip_e_nonce:
2260 	if (dpp_test == DPP_TEST_NO_CONFIG_ATTR_OBJ_CONF_REQ) {
2261 		wpa_printf(MSG_INFO, "DPP: TESTING - no configAttrib");
2262 		goto skip_conf_attr_obj;
2263 	}
2264 #endif /* CONFIG_TESTING_OPTIONS */
2265 
2266 	/* configAttrib */
2267 	wpabuf_put_le16(clear, DPP_ATTR_CONFIG_ATTR_OBJ);
2268 	wpabuf_put_le16(clear, json_len);
2269 	wpabuf_put_data(clear, json, json_len);
2270 
2271 #ifdef CONFIG_TESTING_OPTIONS
2272 skip_conf_attr_obj:
2273 #endif /* CONFIG_TESTING_OPTIONS */
2274 
2275 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
2276 	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
2277 	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
2278 
2279 	/* No AES-SIV AD */
2280 	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
2281 	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
2282 			    wpabuf_head(clear), wpabuf_len(clear),
2283 			    0, NULL, NULL, wrapped) < 0)
2284 		goto fail;
2285 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
2286 		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
2287 
2288 #ifdef CONFIG_TESTING_OPTIONS
2289 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ) {
2290 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
2291 		dpp_build_attr_status(msg, DPP_STATUS_OK);
2292 	}
2293 skip_wrapped_data:
2294 #endif /* CONFIG_TESTING_OPTIONS */
2295 
2296 	wpa_hexdump_buf(MSG_DEBUG,
2297 			"DPP: Configuration Request frame attributes", msg);
2298 	wpabuf_free(clear);
2299 	return msg;
2300 
2301 fail:
2302 	wpabuf_free(clear);
2303 	wpabuf_free(msg);
2304 	return NULL;
2305 }
2306 
2307 
2308 static void dpp_auth_success(struct dpp_authentication *auth)
2309 {
2310 	wpa_printf(MSG_DEBUG,
2311 		   "DPP: Authentication success - clear temporary keys");
2312 	os_memset(auth->Mx, 0, sizeof(auth->Mx));
2313 	auth->Mx_len = 0;
2314 	os_memset(auth->Nx, 0, sizeof(auth->Nx));
2315 	auth->Nx_len = 0;
2316 	os_memset(auth->Lx, 0, sizeof(auth->Lx));
2317 	auth->Lx_len = 0;
2318 	os_memset(auth->k1, 0, sizeof(auth->k1));
2319 	os_memset(auth->k2, 0, sizeof(auth->k2));
2320 
2321 	auth->auth_success = 1;
2322 }
2323 
2324 
2325 static int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth)
2326 {
2327 	struct wpabuf *pix, *prx, *bix, *brx;
2328 	const u8 *addr[7];
2329 	size_t len[7];
2330 	size_t i, num_elem = 0;
2331 	size_t nonce_len;
2332 	u8 zero = 0;
2333 	int res = -1;
2334 
2335 	/* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
2336 	nonce_len = auth->curve->nonce_len;
2337 
2338 	if (auth->initiator) {
2339 		pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2340 		prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2341 		if (auth->own_bi)
2342 			bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2343 		else
2344 			bix = NULL;
2345 		brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2346 	} else {
2347 		pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2348 		prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2349 		if (auth->peer_bi)
2350 			bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2351 		else
2352 			bix = NULL;
2353 		brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2354 	}
2355 	if (!pix || !prx || !brx)
2356 		goto fail;
2357 
2358 	addr[num_elem] = auth->i_nonce;
2359 	len[num_elem] = nonce_len;
2360 	num_elem++;
2361 
2362 	addr[num_elem] = auth->r_nonce;
2363 	len[num_elem] = nonce_len;
2364 	num_elem++;
2365 
2366 	addr[num_elem] = wpabuf_head(pix);
2367 	len[num_elem] = wpabuf_len(pix) / 2;
2368 	num_elem++;
2369 
2370 	addr[num_elem] = wpabuf_head(prx);
2371 	len[num_elem] = wpabuf_len(prx) / 2;
2372 	num_elem++;
2373 
2374 	if (bix) {
2375 		addr[num_elem] = wpabuf_head(bix);
2376 		len[num_elem] = wpabuf_len(bix) / 2;
2377 		num_elem++;
2378 	}
2379 
2380 	addr[num_elem] = wpabuf_head(brx);
2381 	len[num_elem] = wpabuf_len(brx) / 2;
2382 	num_elem++;
2383 
2384 	addr[num_elem] = &zero;
2385 	len[num_elem] = 1;
2386 	num_elem++;
2387 
2388 	wpa_printf(MSG_DEBUG, "DPP: R-auth hash components");
2389 	for (i = 0; i < num_elem; i++)
2390 		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
2391 	res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth);
2392 	if (res == 0)
2393 		wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth,
2394 			    auth->curve->hash_len);
2395 fail:
2396 	wpabuf_free(pix);
2397 	wpabuf_free(prx);
2398 	wpabuf_free(bix);
2399 	wpabuf_free(brx);
2400 	return res;
2401 }
2402 
2403 
2404 static int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth)
2405 {
2406 	struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
2407 	const u8 *addr[7];
2408 	size_t len[7];
2409 	size_t i, num_elem = 0;
2410 	size_t nonce_len;
2411 	u8 one = 1;
2412 	int res = -1;
2413 
2414 	/* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
2415 	nonce_len = auth->curve->nonce_len;
2416 
2417 	if (auth->initiator) {
2418 		pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2419 		prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2420 		if (auth->own_bi)
2421 			bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2422 		else
2423 			bix = NULL;
2424 		if (!auth->peer_bi)
2425 			goto fail;
2426 		brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2427 	} else {
2428 		pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2429 		prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2430 		if (auth->peer_bi)
2431 			bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2432 		else
2433 			bix = NULL;
2434 		if (!auth->own_bi)
2435 			goto fail;
2436 		brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2437 	}
2438 	if (!pix || !prx || !brx)
2439 		goto fail;
2440 
2441 	addr[num_elem] = auth->r_nonce;
2442 	len[num_elem] = nonce_len;
2443 	num_elem++;
2444 
2445 	addr[num_elem] = auth->i_nonce;
2446 	len[num_elem] = nonce_len;
2447 	num_elem++;
2448 
2449 	addr[num_elem] = wpabuf_head(prx);
2450 	len[num_elem] = wpabuf_len(prx) / 2;
2451 	num_elem++;
2452 
2453 	addr[num_elem] = wpabuf_head(pix);
2454 	len[num_elem] = wpabuf_len(pix) / 2;
2455 	num_elem++;
2456 
2457 	addr[num_elem] = wpabuf_head(brx);
2458 	len[num_elem] = wpabuf_len(brx) / 2;
2459 	num_elem++;
2460 
2461 	if (bix) {
2462 		addr[num_elem] = wpabuf_head(bix);
2463 		len[num_elem] = wpabuf_len(bix) / 2;
2464 		num_elem++;
2465 	}
2466 
2467 	addr[num_elem] = &one;
2468 	len[num_elem] = 1;
2469 	num_elem++;
2470 
2471 	wpa_printf(MSG_DEBUG, "DPP: I-auth hash components");
2472 	for (i = 0; i < num_elem; i++)
2473 		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
2474 	res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth);
2475 	if (res == 0)
2476 		wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth,
2477 			    auth->curve->hash_len);
2478 fail:
2479 	wpabuf_free(pix);
2480 	wpabuf_free(prx);
2481 	wpabuf_free(bix);
2482 	wpabuf_free(brx);
2483 	return res;
2484 }
2485 
2486 
2487 static int dpp_auth_derive_l_responder(struct dpp_authentication *auth)
2488 {
2489 	const EC_GROUP *group;
2490 	EC_POINT *l = NULL;
2491 	EC_KEY *BI = NULL, *bR = NULL, *pR = NULL;
2492 	const EC_POINT *BI_point;
2493 	BN_CTX *bnctx;
2494 	BIGNUM *lx, *sum, *q;
2495 	const BIGNUM *bR_bn, *pR_bn;
2496 	int ret = -1;
2497 
2498 	/* L = ((bR + pR) modulo q) * BI */
2499 
2500 	bnctx = BN_CTX_new();
2501 	sum = BN_new();
2502 	q = BN_new();
2503 	lx = BN_new();
2504 	if (!bnctx || !sum || !q || !lx)
2505 		goto fail;
2506 	BI = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
2507 	if (!BI)
2508 		goto fail;
2509 	BI_point = EC_KEY_get0_public_key(BI);
2510 	group = EC_KEY_get0_group(BI);
2511 	if (!group)
2512 		goto fail;
2513 
2514 	bR = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
2515 	pR = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
2516 	if (!bR || !pR)
2517 		goto fail;
2518 	bR_bn = EC_KEY_get0_private_key(bR);
2519 	pR_bn = EC_KEY_get0_private_key(pR);
2520 	if (!bR_bn || !pR_bn)
2521 		goto fail;
2522 	if (EC_GROUP_get_order(group, q, bnctx) != 1 ||
2523 	    BN_mod_add(sum, bR_bn, pR_bn, q, bnctx) != 1)
2524 		goto fail;
2525 	l = EC_POINT_new(group);
2526 	if (!l ||
2527 	    EC_POINT_mul(group, l, NULL, BI_point, sum, bnctx) != 1 ||
2528 	    EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
2529 						bnctx) != 1) {
2530 		wpa_printf(MSG_ERROR,
2531 			   "OpenSSL: failed: %s",
2532 			   ERR_error_string(ERR_get_error(), NULL));
2533 		goto fail;
2534 	}
2535 
2536 	if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
2537 		goto fail;
2538 	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
2539 	auth->Lx_len = auth->secret_len;
2540 	ret = 0;
2541 fail:
2542 	EC_POINT_clear_free(l);
2543 	EC_KEY_free(BI);
2544 	EC_KEY_free(bR);
2545 	EC_KEY_free(pR);
2546 	BN_clear_free(lx);
2547 	BN_clear_free(sum);
2548 	BN_free(q);
2549 	BN_CTX_free(bnctx);
2550 	return ret;
2551 }
2552 
2553 
2554 static int dpp_auth_derive_l_initiator(struct dpp_authentication *auth)
2555 {
2556 	const EC_GROUP *group;
2557 	EC_POINT *l = NULL, *sum = NULL;
2558 	EC_KEY *bI = NULL, *BR = NULL, *PR = NULL;
2559 	const EC_POINT *BR_point, *PR_point;
2560 	BN_CTX *bnctx;
2561 	BIGNUM *lx;
2562 	const BIGNUM *bI_bn;
2563 	int ret = -1;
2564 
2565 	/* L = bI * (BR + PR) */
2566 
2567 	bnctx = BN_CTX_new();
2568 	lx = BN_new();
2569 	if (!bnctx || !lx)
2570 		goto fail;
2571 	BR = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
2572 	PR = EVP_PKEY_get1_EC_KEY(auth->peer_protocol_key);
2573 	if (!BR || !PR)
2574 		goto fail;
2575 	BR_point = EC_KEY_get0_public_key(BR);
2576 	PR_point = EC_KEY_get0_public_key(PR);
2577 
2578 	bI = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
2579 	if (!bI)
2580 		goto fail;
2581 	group = EC_KEY_get0_group(bI);
2582 	bI_bn = EC_KEY_get0_private_key(bI);
2583 	if (!group || !bI_bn)
2584 		goto fail;
2585 	sum = EC_POINT_new(group);
2586 	l = EC_POINT_new(group);
2587 	if (!sum || !l ||
2588 	    EC_POINT_add(group, sum, BR_point, PR_point, bnctx) != 1 ||
2589 	    EC_POINT_mul(group, l, NULL, sum, bI_bn, bnctx) != 1 ||
2590 	    EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
2591 						bnctx) != 1) {
2592 		wpa_printf(MSG_ERROR,
2593 			   "OpenSSL: failed: %s",
2594 			   ERR_error_string(ERR_get_error(), NULL));
2595 		goto fail;
2596 	}
2597 
2598 	if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
2599 		goto fail;
2600 	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
2601 	auth->Lx_len = auth->secret_len;
2602 	ret = 0;
2603 fail:
2604 	EC_POINT_clear_free(l);
2605 	EC_POINT_clear_free(sum);
2606 	EC_KEY_free(bI);
2607 	EC_KEY_free(BR);
2608 	EC_KEY_free(PR);
2609 	BN_clear_free(lx);
2610 	BN_CTX_free(bnctx);
2611 	return ret;
2612 }
2613 
2614 
2615 static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
2616 {
2617 	size_t nonce_len;
2618 	EVP_PKEY_CTX *ctx = NULL;
2619 	size_t secret_len;
2620 	struct wpabuf *msg, *pr = NULL;
2621 	u8 r_auth[4 + DPP_MAX_HASH_LEN];
2622 	u8 wrapped_r_auth[4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE], *w_r_auth;
2623 	size_t wrapped_r_auth_len;
2624 	int ret = -1;
2625 	const u8 *r_pubkey_hash, *i_pubkey_hash, *r_nonce, *i_nonce;
2626 	enum dpp_status_error status = DPP_STATUS_OK;
2627 #ifdef CONFIG_TESTING_OPTIONS
2628 	u8 test_hash[SHA256_MAC_LEN];
2629 #endif /* CONFIG_TESTING_OPTIONS */
2630 
2631 	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
2632 	if (!auth->own_bi)
2633 		return -1;
2634 
2635 #ifdef CONFIG_TESTING_OPTIONS
2636 	if (dpp_nonce_override_len > 0) {
2637 		wpa_printf(MSG_INFO, "DPP: TESTING - override R-nonce");
2638 		nonce_len = dpp_nonce_override_len;
2639 		os_memcpy(auth->r_nonce, dpp_nonce_override, nonce_len);
2640 	} else {
2641 		nonce_len = auth->curve->nonce_len;
2642 		if (random_get_bytes(auth->r_nonce, nonce_len)) {
2643 			wpa_printf(MSG_ERROR,
2644 				   "DPP: Failed to generate R-nonce");
2645 			goto fail;
2646 		}
2647 	}
2648 #else /* CONFIG_TESTING_OPTIONS */
2649 	nonce_len = auth->curve->nonce_len;
2650 	if (random_get_bytes(auth->r_nonce, nonce_len)) {
2651 		wpa_printf(MSG_ERROR, "DPP: Failed to generate R-nonce");
2652 		goto fail;
2653 	}
2654 #endif /* CONFIG_TESTING_OPTIONS */
2655 	wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", auth->r_nonce, nonce_len);
2656 
2657 #ifdef CONFIG_TESTING_OPTIONS
2658 	if (dpp_protocol_key_override_len) {
2659 		const struct dpp_curve_params *tmp_curve;
2660 
2661 		wpa_printf(MSG_INFO,
2662 			   "DPP: TESTING - override protocol key");
2663 		auth->own_protocol_key = dpp_set_keypair(
2664 			&tmp_curve, dpp_protocol_key_override,
2665 			dpp_protocol_key_override_len);
2666 	} else {
2667 		auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2668 	}
2669 #else /* CONFIG_TESTING_OPTIONS */
2670 	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2671 #endif /* CONFIG_TESTING_OPTIONS */
2672 	if (!auth->own_protocol_key)
2673 		goto fail;
2674 
2675 	pr = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2676 	if (!pr)
2677 		goto fail;
2678 
2679 	/* ECDH: N = pR * PI */
2680 	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
2681 	if (!ctx ||
2682 	    EVP_PKEY_derive_init(ctx) != 1 ||
2683 	    EVP_PKEY_derive_set_peer(ctx, auth->peer_protocol_key) != 1 ||
2684 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
2685 	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
2686 	    EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
2687 		wpa_printf(MSG_ERROR,
2688 			   "DPP: Failed to derive ECDH shared secret: %s",
2689 			   ERR_error_string(ERR_get_error(), NULL));
2690 		goto fail;
2691 	}
2692 	EVP_PKEY_CTX_free(ctx);
2693 	ctx = NULL;
2694 
2695 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
2696 			auth->Nx, auth->secret_len);
2697 	auth->Nx_len = auth->secret_len;
2698 
2699 	if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
2700 			  auth->curve->hash_len) < 0)
2701 		goto fail;
2702 
2703 	if (auth->own_bi && auth->peer_bi) {
2704 		/* Mutual authentication */
2705 		if (dpp_auth_derive_l_responder(auth) < 0)
2706 			goto fail;
2707 	}
2708 
2709 	if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
2710 		goto fail;
2711 
2712 	/* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
2713 	WPA_PUT_LE16(r_auth, DPP_ATTR_R_AUTH_TAG);
2714 	WPA_PUT_LE16(&r_auth[2], auth->curve->hash_len);
2715 	if (dpp_gen_r_auth(auth, r_auth + 4) < 0)
2716 		goto fail;
2717 #ifdef CONFIG_TESTING_OPTIONS
2718 	if (dpp_test == DPP_TEST_R_AUTH_MISMATCH_AUTH_RESP) {
2719 		wpa_printf(MSG_INFO, "DPP: TESTING - R-auth mismatch");
2720 		r_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
2721 	}
2722 #endif /* CONFIG_TESTING_OPTIONS */
2723 	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
2724 			    r_auth, 4 + auth->curve->hash_len,
2725 			    0, NULL, NULL, wrapped_r_auth) < 0)
2726 		goto fail;
2727 	wrapped_r_auth_len = 4 + auth->curve->hash_len + AES_BLOCK_SIZE;
2728 	wpa_hexdump(MSG_DEBUG, "DPP: {R-auth}ke",
2729 		    wrapped_r_auth, wrapped_r_auth_len);
2730 	w_r_auth = wrapped_r_auth;
2731 
2732 	r_pubkey_hash = auth->own_bi->pubkey_hash;
2733 	if (auth->peer_bi)
2734 		i_pubkey_hash = auth->peer_bi->pubkey_hash;
2735 	else
2736 		i_pubkey_hash = NULL;
2737 
2738 	i_nonce = auth->i_nonce;
2739 	r_nonce = auth->r_nonce;
2740 
2741 #ifdef CONFIG_TESTING_OPTIONS
2742 	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2743 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2744 		r_pubkey_hash = NULL;
2745 	} else if (dpp_test ==
2746 		   DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2747 		wpa_printf(MSG_INFO,
2748 			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
2749 		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2750 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2751 		r_pubkey_hash = test_hash;
2752 	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2753 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2754 		i_pubkey_hash = NULL;
2755 	} else if (dpp_test ==
2756 		   DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2757 		wpa_printf(MSG_INFO,
2758 			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
2759 		if (i_pubkey_hash)
2760 			os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2761 		else
2762 			os_memset(test_hash, 0, SHA256_MAC_LEN);
2763 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2764 		i_pubkey_hash = test_hash;
2765 	} else if (dpp_test == DPP_TEST_NO_R_PROTO_KEY_AUTH_RESP) {
2766 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Proto Key");
2767 		wpabuf_free(pr);
2768 		pr = NULL;
2769 	} else if (dpp_test == DPP_TEST_INVALID_R_PROTO_KEY_AUTH_RESP) {
2770 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid R-Proto Key");
2771 		wpabuf_free(pr);
2772 		pr = wpabuf_alloc(2 * auth->curve->prime_len);
2773 		if (!pr || dpp_test_gen_invalid_key(pr, auth->curve) < 0)
2774 			goto fail;
2775 	} else if (dpp_test == DPP_TEST_NO_R_AUTH_AUTH_RESP) {
2776 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth");
2777 		w_r_auth = NULL;
2778 		wrapped_r_auth_len = 0;
2779 	} else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
2780 		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
2781 		status = 255;
2782 	} else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_RESP) {
2783 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
2784 		status = 254;
2785 	} else if (dpp_test == DPP_TEST_NO_R_NONCE_AUTH_RESP) {
2786 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-nonce");
2787 		r_nonce = NULL;
2788 	} else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
2789 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
2790 		i_nonce = NULL;
2791 	}
2792 #endif /* CONFIG_TESTING_OPTIONS */
2793 
2794 	msg = dpp_auth_build_resp(auth, status, pr, nonce_len,
2795 				  r_pubkey_hash, i_pubkey_hash,
2796 				  r_nonce, i_nonce,
2797 				  w_r_auth, wrapped_r_auth_len,
2798 				  auth->k2);
2799 	if (!msg)
2800 		goto fail;
2801 	wpabuf_free(auth->resp_msg);
2802 	auth->resp_msg = msg;
2803 	ret = 0;
2804 fail:
2805 	wpabuf_free(pr);
2806 	return ret;
2807 }
2808 
2809 
2810 static int dpp_auth_build_resp_status(struct dpp_authentication *auth,
2811 				      enum dpp_status_error status)
2812 {
2813 	struct wpabuf *msg;
2814 	const u8 *r_pubkey_hash, *i_pubkey_hash, *i_nonce;
2815 #ifdef CONFIG_TESTING_OPTIONS
2816 	u8 test_hash[SHA256_MAC_LEN];
2817 #endif /* CONFIG_TESTING_OPTIONS */
2818 
2819 	if (!auth->own_bi)
2820 		return -1;
2821 	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
2822 
2823 	r_pubkey_hash = auth->own_bi->pubkey_hash;
2824 	if (auth->peer_bi)
2825 		i_pubkey_hash = auth->peer_bi->pubkey_hash;
2826 	else
2827 		i_pubkey_hash = NULL;
2828 
2829 	i_nonce = auth->i_nonce;
2830 
2831 #ifdef CONFIG_TESTING_OPTIONS
2832 	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2833 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2834 		r_pubkey_hash = NULL;
2835 	} else if (dpp_test ==
2836 		   DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2837 		wpa_printf(MSG_INFO,
2838 			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
2839 		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2840 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2841 		r_pubkey_hash = test_hash;
2842 	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2843 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2844 		i_pubkey_hash = NULL;
2845 	} else if (dpp_test ==
2846 		   DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2847 		wpa_printf(MSG_INFO,
2848 			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
2849 		if (i_pubkey_hash)
2850 			os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2851 		else
2852 			os_memset(test_hash, 0, SHA256_MAC_LEN);
2853 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2854 		i_pubkey_hash = test_hash;
2855 	} else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
2856 		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
2857 		status = 255;
2858 	} else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
2859 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
2860 		i_nonce = NULL;
2861 	}
2862 #endif /* CONFIG_TESTING_OPTIONS */
2863 
2864 	msg = dpp_auth_build_resp(auth, status, NULL, auth->curve->nonce_len,
2865 				  r_pubkey_hash, i_pubkey_hash,
2866 				  NULL, i_nonce, NULL, 0, auth->k1);
2867 	if (!msg)
2868 		return -1;
2869 	wpabuf_free(auth->resp_msg);
2870 	auth->resp_msg = msg;
2871 	return 0;
2872 }
2873 
2874 
2875 struct dpp_authentication *
2876 dpp_auth_req_rx(void *msg_ctx, u8 dpp_allowed_roles, int qr_mutual,
2877 		struct dpp_bootstrap_info *peer_bi,
2878 		struct dpp_bootstrap_info *own_bi,
2879 		unsigned int freq, const u8 *hdr, const u8 *attr_start,
2880 		size_t attr_len)
2881 {
2882 	EVP_PKEY *pi = NULL;
2883 	EVP_PKEY_CTX *ctx = NULL;
2884 	size_t secret_len;
2885 	const u8 *addr[2];
2886 	size_t len[2];
2887 	u8 *unwrapped = NULL;
2888 	size_t unwrapped_len = 0;
2889 	const u8 *wrapped_data, *i_proto, *i_nonce, *i_capab, *i_bootstrap,
2890 		*channel;
2891 	u16 wrapped_data_len, i_proto_len, i_nonce_len, i_capab_len,
2892 		i_bootstrap_len, channel_len;
2893 	struct dpp_authentication *auth = NULL;
2894 
2895 #ifdef CONFIG_TESTING_OPTIONS
2896 	if (dpp_test == DPP_TEST_STOP_AT_AUTH_REQ) {
2897 		wpa_printf(MSG_INFO,
2898 			   "DPP: TESTING - stop at Authentication Request");
2899 		return NULL;
2900 	}
2901 #endif /* CONFIG_TESTING_OPTIONS */
2902 
2903 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
2904 				    &wrapped_data_len);
2905 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
2906 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
2907 			"Missing or invalid required Wrapped Data attribute");
2908 		return NULL;
2909 	}
2910 	wpa_hexdump(MSG_MSGDUMP, "DPP: Wrapped Data",
2911 		    wrapped_data, wrapped_data_len);
2912 	attr_len = wrapped_data - 4 - attr_start;
2913 
2914 	auth = os_zalloc(sizeof(*auth));
2915 	if (!auth)
2916 		goto fail;
2917 	auth->msg_ctx = msg_ctx;
2918 	auth->peer_bi = peer_bi;
2919 	auth->own_bi = own_bi;
2920 	auth->curve = own_bi->curve;
2921 	auth->curr_freq = freq;
2922 
2923 	channel = dpp_get_attr(attr_start, attr_len, DPP_ATTR_CHANNEL,
2924 			       &channel_len);
2925 	if (channel) {
2926 		int neg_freq;
2927 
2928 		if (channel_len < 2) {
2929 			dpp_auth_fail(auth, "Too short Channel attribute");
2930 			goto fail;
2931 		}
2932 
2933 		neg_freq = ieee80211_chan_to_freq(NULL, channel[0], channel[1]);
2934 		wpa_printf(MSG_DEBUG,
2935 			   "DPP: Initiator requested different channel for negotiation: op_class=%u channel=%u --> freq=%d",
2936 			   channel[0], channel[1], neg_freq);
2937 		if (neg_freq < 0) {
2938 			dpp_auth_fail(auth,
2939 				      "Unsupported Channel attribute value");
2940 			goto fail;
2941 		}
2942 
2943 		if (auth->curr_freq != (unsigned int) neg_freq) {
2944 			wpa_printf(MSG_DEBUG,
2945 				   "DPP: Changing negotiation channel from %u MHz to %u MHz",
2946 				   freq, neg_freq);
2947 			auth->curr_freq = neg_freq;
2948 		}
2949 	}
2950 
2951 	i_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_I_PROTOCOL_KEY,
2952 			       &i_proto_len);
2953 	if (!i_proto) {
2954 		dpp_auth_fail(auth,
2955 			      "Missing required Initiator Protocol Key attribute");
2956 		goto fail;
2957 	}
2958 	wpa_hexdump(MSG_MSGDUMP, "DPP: Initiator Protocol Key",
2959 		    i_proto, i_proto_len);
2960 
2961 	/* M = bR * PI */
2962 	pi = dpp_set_pubkey_point(own_bi->pubkey, i_proto, i_proto_len);
2963 	if (!pi) {
2964 		dpp_auth_fail(auth, "Invalid Initiator Protocol Key");
2965 		goto fail;
2966 	}
2967 	dpp_debug_print_key("Peer (Initiator) Protocol Key", pi);
2968 
2969 	ctx = EVP_PKEY_CTX_new(own_bi->pubkey, NULL);
2970 	if (!ctx ||
2971 	    EVP_PKEY_derive_init(ctx) != 1 ||
2972 	    EVP_PKEY_derive_set_peer(ctx, pi) != 1 ||
2973 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
2974 	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
2975 	    EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
2976 		wpa_printf(MSG_ERROR,
2977 			   "DPP: Failed to derive ECDH shared secret: %s",
2978 			   ERR_error_string(ERR_get_error(), NULL));
2979 		dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
2980 		goto fail;
2981 	}
2982 	auth->secret_len = secret_len;
2983 	EVP_PKEY_CTX_free(ctx);
2984 	ctx = NULL;
2985 
2986 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
2987 			auth->Mx, auth->secret_len);
2988 	auth->Mx_len = auth->secret_len;
2989 
2990 	if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
2991 			  auth->curve->hash_len) < 0)
2992 		goto fail;
2993 
2994 	addr[0] = hdr;
2995 	len[0] = DPP_HDR_LEN;
2996 	addr[1] = attr_start;
2997 	len[1] = attr_len;
2998 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
2999 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3000 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3001 		    wrapped_data, wrapped_data_len);
3002 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3003 	unwrapped = os_malloc(unwrapped_len);
3004 	if (!unwrapped)
3005 		goto fail;
3006 	if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
3007 			    wrapped_data, wrapped_data_len,
3008 			    2, addr, len, unwrapped) < 0) {
3009 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3010 		goto fail;
3011 	}
3012 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3013 		    unwrapped, unwrapped_len);
3014 
3015 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3016 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3017 		goto fail;
3018 	}
3019 
3020 	i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3021 			       &i_nonce_len);
3022 	if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3023 		dpp_auth_fail(auth, "Missing or invalid I-nonce");
3024 		goto fail;
3025 	}
3026 	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3027 	os_memcpy(auth->i_nonce, i_nonce, i_nonce_len);
3028 
3029 	i_capab = dpp_get_attr(unwrapped, unwrapped_len,
3030 			       DPP_ATTR_I_CAPABILITIES,
3031 			       &i_capab_len);
3032 	if (!i_capab || i_capab_len < 1) {
3033 		dpp_auth_fail(auth, "Missing or invalid I-capabilities");
3034 		goto fail;
3035 	}
3036 	auth->i_capab = i_capab[0];
3037 	wpa_printf(MSG_DEBUG, "DPP: I-capabilities: 0x%02x", auth->i_capab);
3038 
3039 	bin_clear_free(unwrapped, unwrapped_len);
3040 	unwrapped = NULL;
3041 
3042 	switch (auth->i_capab & DPP_CAPAB_ROLE_MASK) {
3043 	case DPP_CAPAB_ENROLLEE:
3044 		if (!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)) {
3045 			wpa_printf(MSG_DEBUG,
3046 				   "DPP: Local policy does not allow Configurator role");
3047 			goto not_compatible;
3048 		}
3049 		wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3050 		auth->configurator = 1;
3051 		break;
3052 	case DPP_CAPAB_CONFIGURATOR:
3053 		if (!(dpp_allowed_roles & DPP_CAPAB_ENROLLEE)) {
3054 			wpa_printf(MSG_DEBUG,
3055 				   "DPP: Local policy does not allow Enrollee role");
3056 			goto not_compatible;
3057 		}
3058 		wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3059 		auth->configurator = 0;
3060 		break;
3061 	case DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE:
3062 		if (dpp_allowed_roles & DPP_CAPAB_ENROLLEE) {
3063 			wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3064 			auth->configurator = 0;
3065 		} else if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) {
3066 			wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3067 			auth->configurator = 1;
3068 		} else {
3069 			wpa_printf(MSG_DEBUG,
3070 				   "DPP: Local policy does not allow Configurator/Enrollee role");
3071 			goto not_compatible;
3072 		}
3073 		break;
3074 	default:
3075 		wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities");
3076 		wpa_msg(auth->msg_ctx, MSG_INFO,
3077 			DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x",
3078 			auth->i_capab & DPP_CAPAB_ROLE_MASK);
3079 		goto fail;
3080 	}
3081 
3082 	auth->peer_protocol_key = pi;
3083 	pi = NULL;
3084 	if (qr_mutual && !peer_bi && own_bi->type == DPP_BOOTSTRAP_QR_CODE) {
3085 		char hex[SHA256_MAC_LEN * 2 + 1];
3086 
3087 		wpa_printf(MSG_DEBUG,
3088 			   "DPP: Mutual authentication required with QR Codes, but peer info is not yet available - request more time");
3089 		if (dpp_auth_build_resp_status(auth,
3090 					       DPP_STATUS_RESPONSE_PENDING) < 0)
3091 			goto fail;
3092 		i_bootstrap = dpp_get_attr(attr_start, attr_len,
3093 					   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3094 					   &i_bootstrap_len);
3095 		if (i_bootstrap && i_bootstrap_len == SHA256_MAC_LEN) {
3096 			auth->response_pending = 1;
3097 			os_memcpy(auth->waiting_pubkey_hash,
3098 				  i_bootstrap, i_bootstrap_len);
3099 			wpa_snprintf_hex(hex, sizeof(hex), i_bootstrap,
3100 					 i_bootstrap_len);
3101 		} else {
3102 			hex[0] = '\0';
3103 		}
3104 
3105 		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_SCAN_PEER_QR_CODE
3106 			"%s", hex);
3107 		return auth;
3108 	}
3109 	if (dpp_auth_build_resp_ok(auth) < 0)
3110 		goto fail;
3111 
3112 	return auth;
3113 
3114 not_compatible:
3115 	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
3116 		"i-capab=0x%02x", auth->i_capab);
3117 	if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)
3118 		auth->configurator = 1;
3119 	else
3120 		auth->configurator = 0;
3121 	auth->peer_protocol_key = pi;
3122 	pi = NULL;
3123 	if (dpp_auth_build_resp_status(auth, DPP_STATUS_NOT_COMPATIBLE) < 0)
3124 		goto fail;
3125 
3126 	auth->remove_on_tx_status = 1;
3127 	return auth;
3128 fail:
3129 	bin_clear_free(unwrapped, unwrapped_len);
3130 	EVP_PKEY_free(pi);
3131 	EVP_PKEY_CTX_free(ctx);
3132 	dpp_auth_deinit(auth);
3133 	return NULL;
3134 }
3135 
3136 
3137 int dpp_notify_new_qr_code(struct dpp_authentication *auth,
3138 			   struct dpp_bootstrap_info *peer_bi)
3139 {
3140 	if (!auth || !auth->response_pending ||
3141 	    os_memcmp(auth->waiting_pubkey_hash, peer_bi->pubkey_hash,
3142 		      SHA256_MAC_LEN) != 0)
3143 		return 0;
3144 
3145 	wpa_printf(MSG_DEBUG,
3146 		   "DPP: New scanned QR Code has matching public key that was needed to continue DPP Authentication exchange with "
3147 		   MACSTR, MAC2STR(auth->peer_mac_addr));
3148 	auth->peer_bi = peer_bi;
3149 
3150 	if (dpp_auth_build_resp_ok(auth) < 0)
3151 		return -1;
3152 
3153 	return 1;
3154 }
3155 
3156 
3157 static struct wpabuf * dpp_auth_build_conf(struct dpp_authentication *auth,
3158 					   enum dpp_status_error status)
3159 {
3160 	struct wpabuf *msg;
3161 	u8 i_auth[4 + DPP_MAX_HASH_LEN];
3162 	size_t i_auth_len;
3163 	u8 r_nonce[4 + DPP_MAX_NONCE_LEN];
3164 	size_t r_nonce_len;
3165 	const u8 *addr[2];
3166 	size_t len[2], attr_len;
3167 	u8 *wrapped_i_auth;
3168 	u8 *wrapped_r_nonce;
3169 	u8 *attr_start, *attr_end;
3170 	const u8 *r_pubkey_hash, *i_pubkey_hash;
3171 #ifdef CONFIG_TESTING_OPTIONS
3172 	u8 test_hash[SHA256_MAC_LEN];
3173 #endif /* CONFIG_TESTING_OPTIONS */
3174 
3175 	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Confirmation");
3176 
3177 	i_auth_len = 4 + auth->curve->hash_len;
3178 	r_nonce_len = 4 + auth->curve->nonce_len;
3179 	/* Build DPP Authentication Confirmation frame attributes */
3180 	attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
3181 		4 + i_auth_len + r_nonce_len + AES_BLOCK_SIZE;
3182 #ifdef CONFIG_TESTING_OPTIONS
3183 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF)
3184 		attr_len += 5;
3185 #endif /* CONFIG_TESTING_OPTIONS */
3186 	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_CONF, attr_len);
3187 	if (!msg)
3188 		goto fail;
3189 
3190 	attr_start = wpabuf_put(msg, 0);
3191 
3192 	r_pubkey_hash = auth->peer_bi->pubkey_hash;
3193 	if (auth->own_bi)
3194 		i_pubkey_hash = auth->own_bi->pubkey_hash;
3195 	else
3196 		i_pubkey_hash = NULL;
3197 
3198 #ifdef CONFIG_TESTING_OPTIONS
3199 	if (dpp_test == DPP_TEST_NO_STATUS_AUTH_CONF) {
3200 		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
3201 		goto skip_status;
3202 	} else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_CONF) {
3203 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
3204 		status = 254;
3205 	}
3206 #endif /* CONFIG_TESTING_OPTIONS */
3207 
3208 	/* DPP Status */
3209 	dpp_build_attr_status(msg, status);
3210 
3211 #ifdef CONFIG_TESTING_OPTIONS
3212 skip_status:
3213 	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3214 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
3215 		r_pubkey_hash = NULL;
3216 	} else if (dpp_test ==
3217 		   DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3218 		wpa_printf(MSG_INFO,
3219 			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
3220 		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
3221 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
3222 		r_pubkey_hash = test_hash;
3223 	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3224 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
3225 		i_pubkey_hash = NULL;
3226 	} else if (dpp_test ==
3227 		   DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3228 		wpa_printf(MSG_INFO,
3229 			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
3230 		if (i_pubkey_hash)
3231 			os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
3232 		else
3233 			os_memset(test_hash, 0, SHA256_MAC_LEN);
3234 		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
3235 		i_pubkey_hash = test_hash;
3236 	}
3237 #endif /* CONFIG_TESTING_OPTIONS */
3238 
3239 	/* Responder Bootstrapping Key Hash */
3240 	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
3241 
3242 	/* Initiator Bootstrapping Key Hash (mutual authentication) */
3243 	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
3244 
3245 #ifdef CONFIG_TESTING_OPTIONS
3246 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_CONF)
3247 		goto skip_wrapped_data;
3248 	if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
3249 		i_auth_len = 0;
3250 #endif /* CONFIG_TESTING_OPTIONS */
3251 
3252 	attr_end = wpabuf_put(msg, 0);
3253 
3254 	/* OUI, OUI type, Crypto Suite, DPP frame type */
3255 	addr[0] = wpabuf_head_u8(msg) + 2;
3256 	len[0] = 3 + 1 + 1 + 1;
3257 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3258 
3259 	/* Attributes before Wrapped Data */
3260 	addr[1] = attr_start;
3261 	len[1] = attr_end - attr_start;
3262 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3263 
3264 	if (status == DPP_STATUS_OK) {
3265 		/* I-auth wrapped with ke */
3266 		wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
3267 		wpabuf_put_le16(msg, i_auth_len + AES_BLOCK_SIZE);
3268 		wrapped_i_auth = wpabuf_put(msg, i_auth_len + AES_BLOCK_SIZE);
3269 
3270 #ifdef CONFIG_TESTING_OPTIONS
3271 		if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
3272 			goto skip_i_auth;
3273 #endif /* CONFIG_TESTING_OPTIONS */
3274 
3275 		/* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |]
3276 		 *	      1) */
3277 		WPA_PUT_LE16(i_auth, DPP_ATTR_I_AUTH_TAG);
3278 		WPA_PUT_LE16(&i_auth[2], auth->curve->hash_len);
3279 		if (dpp_gen_i_auth(auth, i_auth + 4) < 0)
3280 			goto fail;
3281 
3282 #ifdef CONFIG_TESTING_OPTIONS
3283 		if (dpp_test == DPP_TEST_I_AUTH_MISMATCH_AUTH_CONF) {
3284 			wpa_printf(MSG_INFO, "DPP: TESTING - I-auth mismatch");
3285 			i_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
3286 		}
3287 skip_i_auth:
3288 #endif /* CONFIG_TESTING_OPTIONS */
3289 		if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
3290 				    i_auth, i_auth_len,
3291 				    2, addr, len, wrapped_i_auth) < 0)
3292 			goto fail;
3293 		wpa_hexdump(MSG_DEBUG, "DPP: {I-auth}ke",
3294 			    wrapped_i_auth, i_auth_len + AES_BLOCK_SIZE);
3295 	} else {
3296 		/* R-nonce wrapped with k2 */
3297 		wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
3298 		wpabuf_put_le16(msg, r_nonce_len + AES_BLOCK_SIZE);
3299 		wrapped_r_nonce = wpabuf_put(msg, r_nonce_len + AES_BLOCK_SIZE);
3300 
3301 		WPA_PUT_LE16(r_nonce, DPP_ATTR_R_NONCE);
3302 		WPA_PUT_LE16(&r_nonce[2], auth->curve->nonce_len);
3303 		os_memcpy(r_nonce + 4, auth->r_nonce, auth->curve->nonce_len);
3304 
3305 		if (aes_siv_encrypt(auth->k2, auth->curve->hash_len,
3306 				    r_nonce, r_nonce_len,
3307 				    2, addr, len, wrapped_r_nonce) < 0)
3308 			goto fail;
3309 		wpa_hexdump(MSG_DEBUG, "DPP: {R-nonce}k2",
3310 			    wrapped_r_nonce, r_nonce_len + AES_BLOCK_SIZE);
3311 	}
3312 
3313 #ifdef CONFIG_TESTING_OPTIONS
3314 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) {
3315 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
3316 		dpp_build_attr_status(msg, DPP_STATUS_OK);
3317 	}
3318 skip_wrapped_data:
3319 #endif /* CONFIG_TESTING_OPTIONS */
3320 
3321 	wpa_hexdump_buf(MSG_DEBUG,
3322 			"DPP: Authentication Confirmation frame attributes",
3323 			msg);
3324 	if (status == DPP_STATUS_OK)
3325 		dpp_auth_success(auth);
3326 
3327 	return msg;
3328 
3329 fail:
3330 	wpabuf_free(msg);
3331 	return NULL;
3332 }
3333 
3334 
3335 static void
3336 dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr,
3337 			const u8 *attr_start, size_t attr_len,
3338 			const u8 *wrapped_data, u16 wrapped_data_len,
3339 			enum dpp_status_error status)
3340 {
3341 	const u8 *addr[2];
3342 	size_t len[2];
3343 	u8 *unwrapped = NULL;
3344 	size_t unwrapped_len = 0;
3345 	const u8 *i_nonce, *r_capab;
3346 	u16 i_nonce_len, r_capab_len;
3347 
3348 	if (status == DPP_STATUS_NOT_COMPATIBLE) {
3349 		wpa_printf(MSG_DEBUG,
3350 			   "DPP: Responder reported incompatible roles");
3351 	} else if (status == DPP_STATUS_RESPONSE_PENDING) {
3352 		wpa_printf(MSG_DEBUG,
3353 			   "DPP: Responder reported more time needed");
3354 	} else {
3355 		wpa_printf(MSG_DEBUG,
3356 			   "DPP: Responder reported failure (status %d)",
3357 			   status);
3358 		dpp_auth_fail(auth, "Responder reported failure");
3359 		return;
3360 	}
3361 
3362 	addr[0] = hdr;
3363 	len[0] = DPP_HDR_LEN;
3364 	addr[1] = attr_start;
3365 	len[1] = attr_len;
3366 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3367 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3368 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3369 		    wrapped_data, wrapped_data_len);
3370 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3371 	unwrapped = os_malloc(unwrapped_len);
3372 	if (!unwrapped)
3373 		goto fail;
3374 	if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
3375 			    wrapped_data, wrapped_data_len,
3376 			    2, addr, len, unwrapped) < 0) {
3377 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3378 		goto fail;
3379 	}
3380 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3381 		    unwrapped, unwrapped_len);
3382 
3383 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3384 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3385 		goto fail;
3386 	}
3387 
3388 	i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3389 			       &i_nonce_len);
3390 	if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3391 		dpp_auth_fail(auth, "Missing or invalid I-nonce");
3392 		goto fail;
3393 	}
3394 	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3395 	if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
3396 		dpp_auth_fail(auth, "I-nonce mismatch");
3397 		goto fail;
3398 	}
3399 
3400 	r_capab = dpp_get_attr(unwrapped, unwrapped_len,
3401 			       DPP_ATTR_R_CAPABILITIES,
3402 			       &r_capab_len);
3403 	if (!r_capab || r_capab_len < 1) {
3404 		dpp_auth_fail(auth, "Missing or invalid R-capabilities");
3405 		goto fail;
3406 	}
3407 	auth->r_capab = r_capab[0];
3408 	wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
3409 	if (status == DPP_STATUS_NOT_COMPATIBLE) {
3410 		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
3411 			"r-capab=0x%02x", auth->r_capab);
3412 	} else if (status == DPP_STATUS_RESPONSE_PENDING) {
3413 		u8 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
3414 
3415 		if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
3416 		    (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
3417 			wpa_msg(auth->msg_ctx, MSG_INFO,
3418 				DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x",
3419 				role);
3420 		} else {
3421 			wpa_printf(MSG_DEBUG,
3422 				   "DPP: Continue waiting for full DPP Authentication Response");
3423 			wpa_msg(auth->msg_ctx, MSG_INFO,
3424 				DPP_EVENT_RESPONSE_PENDING "%s",
3425 				auth->tmp_own_bi ? auth->tmp_own_bi->uri : "");
3426 		}
3427 	}
3428 fail:
3429 	bin_clear_free(unwrapped, unwrapped_len);
3430 }
3431 
3432 
3433 struct wpabuf *
3434 dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
3435 		 const u8 *attr_start, size_t attr_len)
3436 {
3437 	EVP_PKEY *pr;
3438 	EVP_PKEY_CTX *ctx = NULL;
3439 	size_t secret_len;
3440 	const u8 *addr[2];
3441 	size_t len[2];
3442 	u8 *unwrapped = NULL, *unwrapped2 = NULL;
3443 	size_t unwrapped_len = 0, unwrapped2_len = 0;
3444 	const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *r_proto,
3445 		*r_nonce, *i_nonce, *r_capab, *wrapped2, *r_auth;
3446 	u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
3447 		r_proto_len, r_nonce_len, i_nonce_len, r_capab_len,
3448 		wrapped2_len, r_auth_len;
3449 	u8 r_auth2[DPP_MAX_HASH_LEN];
3450 	u8 role;
3451 
3452 #ifdef CONFIG_TESTING_OPTIONS
3453 	if (dpp_test == DPP_TEST_STOP_AT_AUTH_RESP) {
3454 		wpa_printf(MSG_INFO,
3455 			   "DPP: TESTING - stop at Authentication Response");
3456 		return NULL;
3457 	}
3458 #endif /* CONFIG_TESTING_OPTIONS */
3459 
3460 	if (!auth->initiator || !auth->peer_bi) {
3461 		dpp_auth_fail(auth, "Unexpected Authentication Response");
3462 		return NULL;
3463 	}
3464 
3465 	auth->waiting_auth_resp = 0;
3466 
3467 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
3468 				    &wrapped_data_len);
3469 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
3470 		dpp_auth_fail(auth,
3471 			      "Missing or invalid required Wrapped Data attribute");
3472 		return NULL;
3473 	}
3474 	wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
3475 		    wrapped_data, wrapped_data_len);
3476 
3477 	attr_len = wrapped_data - 4 - attr_start;
3478 
3479 	r_bootstrap = dpp_get_attr(attr_start, attr_len,
3480 				   DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
3481 				   &r_bootstrap_len);
3482 	if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
3483 		dpp_auth_fail(auth,
3484 			      "Missing or invalid required Responder Bootstrapping Key Hash attribute");
3485 		return NULL;
3486 	}
3487 	wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
3488 		    r_bootstrap, r_bootstrap_len);
3489 	if (os_memcmp(r_bootstrap, auth->peer_bi->pubkey_hash,
3490 		      SHA256_MAC_LEN) != 0) {
3491 		dpp_auth_fail(auth,
3492 			      "Unexpected Responder Bootstrapping Key Hash value");
3493 		wpa_hexdump(MSG_DEBUG,
3494 			    "DPP: Expected Responder Bootstrapping Key Hash",
3495 			    auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
3496 		return NULL;
3497 	}
3498 
3499 	i_bootstrap = dpp_get_attr(attr_start, attr_len,
3500 				   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3501 				   &i_bootstrap_len);
3502 	if (i_bootstrap) {
3503 		if (i_bootstrap_len != SHA256_MAC_LEN) {
3504 			dpp_auth_fail(auth,
3505 				      "Invalid Initiator Bootstrapping Key Hash attribute");
3506 			return NULL;
3507 		}
3508 		wpa_hexdump(MSG_MSGDUMP,
3509 			    "DPP: Initiator Bootstrapping Key Hash",
3510 			    i_bootstrap, i_bootstrap_len);
3511 		if (!auth->own_bi ||
3512 		    os_memcmp(i_bootstrap, auth->own_bi->pubkey_hash,
3513 			      SHA256_MAC_LEN) != 0) {
3514 			dpp_auth_fail(auth,
3515 				      "Initiator Bootstrapping Key Hash attribute did not match");
3516 			return NULL;
3517 		}
3518 	} else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
3519 		/* PKEX bootstrapping mandates use of mutual authentication */
3520 		dpp_auth_fail(auth,
3521 			      "Missing Initiator Bootstrapping Key Hash attribute");
3522 		return NULL;
3523 	}
3524 
3525 	status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
3526 			      &status_len);
3527 	if (!status || status_len < 1) {
3528 		dpp_auth_fail(auth,
3529 			      "Missing or invalid required DPP Status attribute");
3530 		return NULL;
3531 	}
3532 	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
3533 	auth->auth_resp_status = status[0];
3534 	if (status[0] != DPP_STATUS_OK) {
3535 		dpp_auth_resp_rx_status(auth, hdr, attr_start,
3536 					attr_len, wrapped_data,
3537 					wrapped_data_len, status[0]);
3538 		return NULL;
3539 	}
3540 
3541 	if (!i_bootstrap && auth->own_bi) {
3542 		wpa_printf(MSG_DEBUG,
3543 			   "DPP: Responder decided not to use mutual authentication");
3544 		auth->own_bi = NULL;
3545 	}
3546 
3547 	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_DIRECTION "mutual=%d",
3548 		auth->own_bi != NULL);
3549 
3550 	r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
3551 			       &r_proto_len);
3552 	if (!r_proto) {
3553 		dpp_auth_fail(auth,
3554 			      "Missing required Responder Protocol Key attribute");
3555 		return NULL;
3556 	}
3557 	wpa_hexdump(MSG_MSGDUMP, "DPP: Responder Protocol Key",
3558 		    r_proto, r_proto_len);
3559 
3560 	/* N = pI * PR */
3561 	pr = dpp_set_pubkey_point(auth->own_protocol_key, r_proto, r_proto_len);
3562 	if (!pr) {
3563 		dpp_auth_fail(auth, "Invalid Responder Protocol Key");
3564 		return NULL;
3565 	}
3566 	dpp_debug_print_key("Peer (Responder) Protocol Key", pr);
3567 
3568 	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
3569 	if (!ctx ||
3570 	    EVP_PKEY_derive_init(ctx) != 1 ||
3571 	    EVP_PKEY_derive_set_peer(ctx, pr) != 1 ||
3572 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
3573 	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
3574 	    EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
3575 		wpa_printf(MSG_ERROR,
3576 			   "DPP: Failed to derive ECDH shared secret: %s",
3577 			   ERR_error_string(ERR_get_error(), NULL));
3578 		dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
3579 		goto fail;
3580 	}
3581 	EVP_PKEY_CTX_free(ctx);
3582 	ctx = NULL;
3583 	auth->peer_protocol_key = pr;
3584 	pr = NULL;
3585 
3586 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
3587 			auth->Nx, auth->secret_len);
3588 	auth->Nx_len = auth->secret_len;
3589 
3590 	if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
3591 			  auth->curve->hash_len) < 0)
3592 		goto fail;
3593 
3594 	addr[0] = hdr;
3595 	len[0] = DPP_HDR_LEN;
3596 	addr[1] = attr_start;
3597 	len[1] = attr_len;
3598 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3599 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3600 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3601 		    wrapped_data, wrapped_data_len);
3602 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3603 	unwrapped = os_malloc(unwrapped_len);
3604 	if (!unwrapped)
3605 		goto fail;
3606 	if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
3607 			    wrapped_data, wrapped_data_len,
3608 			    2, addr, len, unwrapped) < 0) {
3609 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3610 		goto fail;
3611 	}
3612 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3613 		    unwrapped, unwrapped_len);
3614 
3615 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3616 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3617 		goto fail;
3618 	}
3619 
3620 	r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
3621 			       &r_nonce_len);
3622 	if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
3623 		dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
3624 		goto fail;
3625 	}
3626 	wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", r_nonce, r_nonce_len);
3627 	os_memcpy(auth->r_nonce, r_nonce, r_nonce_len);
3628 
3629 	i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3630 			       &i_nonce_len);
3631 	if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3632 		dpp_auth_fail(auth, "Missing or invalid I-nonce");
3633 		goto fail;
3634 	}
3635 	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3636 	if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
3637 		dpp_auth_fail(auth, "I-nonce mismatch");
3638 		goto fail;
3639 	}
3640 
3641 	if (auth->own_bi) {
3642 		/* Mutual authentication */
3643 		if (dpp_auth_derive_l_initiator(auth) < 0)
3644 			goto fail;
3645 	}
3646 
3647 	r_capab = dpp_get_attr(unwrapped, unwrapped_len,
3648 			       DPP_ATTR_R_CAPABILITIES,
3649 			       &r_capab_len);
3650 	if (!r_capab || r_capab_len < 1) {
3651 		dpp_auth_fail(auth, "Missing or invalid R-capabilities");
3652 		goto fail;
3653 	}
3654 	auth->r_capab = r_capab[0];
3655 	wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
3656 	role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
3657 	if ((auth->allowed_roles ==
3658 	     (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) &&
3659 	    (role == DPP_CAPAB_CONFIGURATOR || role == DPP_CAPAB_ENROLLEE)) {
3660 		/* Peer selected its role, so move from "either role" to the
3661 		 * role that is compatible with peer's selection. */
3662 		auth->configurator = role == DPP_CAPAB_ENROLLEE;
3663 		wpa_printf(MSG_DEBUG, "DPP: Acting as %s",
3664 			   auth->configurator ? "Configurator" : "Enrollee");
3665 	} else if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
3666 		   (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
3667 		wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection");
3668 		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
3669 			"Unexpected role in R-capabilities 0x%02x",
3670 			role);
3671 		if (role != DPP_CAPAB_ENROLLEE &&
3672 		    role != DPP_CAPAB_CONFIGURATOR)
3673 			goto fail;
3674 		bin_clear_free(unwrapped, unwrapped_len);
3675 		auth->remove_on_tx_status = 1;
3676 		return dpp_auth_build_conf(auth, DPP_STATUS_NOT_COMPATIBLE);
3677 	}
3678 
3679 	wrapped2 = dpp_get_attr(unwrapped, unwrapped_len,
3680 				DPP_ATTR_WRAPPED_DATA, &wrapped2_len);
3681 	if (!wrapped2 || wrapped2_len < AES_BLOCK_SIZE) {
3682 		dpp_auth_fail(auth,
3683 			      "Missing or invalid Secondary Wrapped Data");
3684 		goto fail;
3685 	}
3686 
3687 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3688 		    wrapped2, wrapped2_len);
3689 
3690 	if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
3691 		goto fail;
3692 
3693 	unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
3694 	unwrapped2 = os_malloc(unwrapped2_len);
3695 	if (!unwrapped2)
3696 		goto fail;
3697 	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
3698 			    wrapped2, wrapped2_len,
3699 			    0, NULL, NULL, unwrapped2) < 0) {
3700 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3701 		goto fail;
3702 	}
3703 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3704 		    unwrapped2, unwrapped2_len);
3705 
3706 	if (dpp_check_attrs(unwrapped2, unwrapped2_len) < 0) {
3707 		dpp_auth_fail(auth,
3708 			      "Invalid attribute in secondary unwrapped data");
3709 		goto fail;
3710 	}
3711 
3712 	r_auth = dpp_get_attr(unwrapped2, unwrapped2_len, DPP_ATTR_R_AUTH_TAG,
3713 			       &r_auth_len);
3714 	if (!r_auth || r_auth_len != auth->curve->hash_len) {
3715 		dpp_auth_fail(auth,
3716 			      "Missing or invalid Responder Authenticating Tag");
3717 		goto fail;
3718 	}
3719 	wpa_hexdump(MSG_DEBUG, "DPP: Received Responder Authenticating Tag",
3720 		    r_auth, r_auth_len);
3721 	/* R-auth' = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
3722 	if (dpp_gen_r_auth(auth, r_auth2) < 0)
3723 		goto fail;
3724 	wpa_hexdump(MSG_DEBUG, "DPP: Calculated Responder Authenticating Tag",
3725 		    r_auth2, r_auth_len);
3726 	if (os_memcmp(r_auth, r_auth2, r_auth_len) != 0) {
3727 		dpp_auth_fail(auth, "Mismatching Responder Authenticating Tag");
3728 		bin_clear_free(unwrapped, unwrapped_len);
3729 		bin_clear_free(unwrapped2, unwrapped2_len);
3730 		auth->remove_on_tx_status = 1;
3731 		return dpp_auth_build_conf(auth, DPP_STATUS_AUTH_FAILURE);
3732 	}
3733 
3734 	bin_clear_free(unwrapped, unwrapped_len);
3735 	bin_clear_free(unwrapped2, unwrapped2_len);
3736 
3737 #ifdef CONFIG_TESTING_OPTIONS
3738 	if (dpp_test == DPP_TEST_AUTH_RESP_IN_PLACE_OF_CONF) {
3739 		wpa_printf(MSG_INFO,
3740 			   "DPP: TESTING - Authentication Response in place of Confirm");
3741 		if (dpp_auth_build_resp_ok(auth) < 0)
3742 			return NULL;
3743 		return wpabuf_dup(auth->resp_msg);
3744 	}
3745 #endif /* CONFIG_TESTING_OPTIONS */
3746 
3747 	return dpp_auth_build_conf(auth, DPP_STATUS_OK);
3748 
3749 fail:
3750 	bin_clear_free(unwrapped, unwrapped_len);
3751 	bin_clear_free(unwrapped2, unwrapped2_len);
3752 	EVP_PKEY_free(pr);
3753 	EVP_PKEY_CTX_free(ctx);
3754 	return NULL;
3755 }
3756 
3757 
3758 static int dpp_auth_conf_rx_failure(struct dpp_authentication *auth,
3759 				    const u8 *hdr,
3760 				    const u8 *attr_start, size_t attr_len,
3761 				    const u8 *wrapped_data,
3762 				    u16 wrapped_data_len,
3763 				    enum dpp_status_error status)
3764 {
3765 	const u8 *addr[2];
3766 	size_t len[2];
3767 	u8 *unwrapped = NULL;
3768 	size_t unwrapped_len = 0;
3769 	const u8 *r_nonce;
3770 	u16 r_nonce_len;
3771 
3772 	/* Authentication Confirm failure cases are expected to include
3773 	 * {R-nonce}k2 in the Wrapped Data attribute. */
3774 
3775 	addr[0] = hdr;
3776 	len[0] = DPP_HDR_LEN;
3777 	addr[1] = attr_start;
3778 	len[1] = attr_len;
3779 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3780 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3781 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3782 		    wrapped_data, wrapped_data_len);
3783 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3784 	unwrapped = os_malloc(unwrapped_len);
3785 	if (!unwrapped) {
3786 		dpp_auth_fail(auth, "Authentication failed");
3787 		goto fail;
3788 	}
3789 	if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
3790 			    wrapped_data, wrapped_data_len,
3791 			    2, addr, len, unwrapped) < 0) {
3792 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3793 		goto fail;
3794 	}
3795 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3796 		    unwrapped, unwrapped_len);
3797 
3798 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3799 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3800 		goto fail;
3801 	}
3802 
3803 	r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
3804 			       &r_nonce_len);
3805 	if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
3806 		dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
3807 		goto fail;
3808 	}
3809 	if (os_memcmp(r_nonce, auth->r_nonce, r_nonce_len) != 0) {
3810 		wpa_hexdump(MSG_DEBUG, "DPP: Received R-nonce",
3811 			    r_nonce, r_nonce_len);
3812 		wpa_hexdump(MSG_DEBUG, "DPP: Expected R-nonce",
3813 			    auth->r_nonce, r_nonce_len);
3814 		dpp_auth_fail(auth, "R-nonce mismatch");
3815 		goto fail;
3816 	}
3817 
3818 	if (status == DPP_STATUS_NOT_COMPATIBLE)
3819 		dpp_auth_fail(auth, "Peer reported incompatible R-capab role");
3820 	else if (status == DPP_STATUS_AUTH_FAILURE)
3821 		dpp_auth_fail(auth, "Peer reported authentication failure)");
3822 
3823 fail:
3824 	bin_clear_free(unwrapped, unwrapped_len);
3825 	return -1;
3826 }
3827 
3828 
3829 int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
3830 		     const u8 *attr_start, size_t attr_len)
3831 {
3832 	const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *i_auth;
3833 	u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
3834 		i_auth_len;
3835 	const u8 *addr[2];
3836 	size_t len[2];
3837 	u8 *unwrapped = NULL;
3838 	size_t unwrapped_len = 0;
3839 	u8 i_auth2[DPP_MAX_HASH_LEN];
3840 
3841 #ifdef CONFIG_TESTING_OPTIONS
3842 	if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) {
3843 		wpa_printf(MSG_INFO,
3844 			   "DPP: TESTING - stop at Authentication Confirm");
3845 		return -1;
3846 	}
3847 #endif /* CONFIG_TESTING_OPTIONS */
3848 
3849 	if (auth->initiator || !auth->own_bi) {
3850 		dpp_auth_fail(auth, "Unexpected Authentication Confirm");
3851 		return -1;
3852 	}
3853 
3854 	auth->waiting_auth_conf = 0;
3855 
3856 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
3857 				    &wrapped_data_len);
3858 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
3859 		dpp_auth_fail(auth,
3860 			      "Missing or invalid required Wrapped Data attribute");
3861 		return -1;
3862 	}
3863 	wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
3864 		    wrapped_data, wrapped_data_len);
3865 
3866 	attr_len = wrapped_data - 4 - attr_start;
3867 
3868 	r_bootstrap = dpp_get_attr(attr_start, attr_len,
3869 				   DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
3870 				   &r_bootstrap_len);
3871 	if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
3872 		dpp_auth_fail(auth,
3873 			      "Missing or invalid required Responder Bootstrapping Key Hash attribute");
3874 		return -1;
3875 	}
3876 	wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
3877 		    r_bootstrap, r_bootstrap_len);
3878 	if (os_memcmp(r_bootstrap, auth->own_bi->pubkey_hash,
3879 		      SHA256_MAC_LEN) != 0) {
3880 		wpa_hexdump(MSG_DEBUG,
3881 			    "DPP: Expected Responder Bootstrapping Key Hash",
3882 			    auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
3883 		dpp_auth_fail(auth,
3884 			      "Responder Bootstrapping Key Hash mismatch");
3885 		return -1;
3886 	}
3887 
3888 	i_bootstrap = dpp_get_attr(attr_start, attr_len,
3889 				   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3890 				   &i_bootstrap_len);
3891 	if (i_bootstrap) {
3892 		if (i_bootstrap_len != SHA256_MAC_LEN) {
3893 			dpp_auth_fail(auth,
3894 				      "Invalid Initiator Bootstrapping Key Hash attribute");
3895 			return -1;
3896 		}
3897 		wpa_hexdump(MSG_MSGDUMP,
3898 			    "DPP: Initiator Bootstrapping Key Hash",
3899 			    i_bootstrap, i_bootstrap_len);
3900 		if (!auth->peer_bi ||
3901 		    os_memcmp(i_bootstrap, auth->peer_bi->pubkey_hash,
3902 			      SHA256_MAC_LEN) != 0) {
3903 			dpp_auth_fail(auth,
3904 				      "Initiator Bootstrapping Key Hash mismatch");
3905 			return -1;
3906 		}
3907 	} else if (auth->peer_bi) {
3908 		/* Mutual authentication and peer did not include its
3909 		 * Bootstrapping Key Hash attribute. */
3910 		dpp_auth_fail(auth,
3911 			      "Missing Initiator Bootstrapping Key Hash attribute");
3912 		return -1;
3913 	}
3914 
3915 	status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
3916 			      &status_len);
3917 	if (!status || status_len < 1) {
3918 		dpp_auth_fail(auth,
3919 			      "Missing or invalid required DPP Status attribute");
3920 		return -1;
3921 	}
3922 	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
3923 	if (status[0] == DPP_STATUS_NOT_COMPATIBLE ||
3924 	    status[0] == DPP_STATUS_AUTH_FAILURE)
3925 		return dpp_auth_conf_rx_failure(auth, hdr, attr_start,
3926 						attr_len, wrapped_data,
3927 						wrapped_data_len, status[0]);
3928 
3929 	if (status[0] != DPP_STATUS_OK) {
3930 		dpp_auth_fail(auth, "Authentication failed");
3931 		return -1;
3932 	}
3933 
3934 	addr[0] = hdr;
3935 	len[0] = DPP_HDR_LEN;
3936 	addr[1] = attr_start;
3937 	len[1] = attr_len;
3938 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3939 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3940 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3941 		    wrapped_data, wrapped_data_len);
3942 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3943 	unwrapped = os_malloc(unwrapped_len);
3944 	if (!unwrapped)
3945 		return -1;
3946 	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
3947 			    wrapped_data, wrapped_data_len,
3948 			    2, addr, len, unwrapped) < 0) {
3949 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3950 		goto fail;
3951 	}
3952 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3953 		    unwrapped, unwrapped_len);
3954 
3955 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3956 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3957 		goto fail;
3958 	}
3959 
3960 	i_auth = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
3961 			      &i_auth_len);
3962 	if (!i_auth || i_auth_len != auth->curve->hash_len) {
3963 		dpp_auth_fail(auth,
3964 			      "Missing or invalid Initiator Authenticating Tag");
3965 		goto fail;
3966 	}
3967 	wpa_hexdump(MSG_DEBUG, "DPP: Received Initiator Authenticating Tag",
3968 		    i_auth, i_auth_len);
3969 	/* I-auth' = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
3970 	if (dpp_gen_i_auth(auth, i_auth2) < 0)
3971 		goto fail;
3972 	wpa_hexdump(MSG_DEBUG, "DPP: Calculated Initiator Authenticating Tag",
3973 		    i_auth2, i_auth_len);
3974 	if (os_memcmp(i_auth, i_auth2, i_auth_len) != 0) {
3975 		dpp_auth_fail(auth, "Mismatching Initiator Authenticating Tag");
3976 		goto fail;
3977 	}
3978 
3979 	bin_clear_free(unwrapped, unwrapped_len);
3980 	dpp_auth_success(auth);
3981 	return 0;
3982 fail:
3983 	bin_clear_free(unwrapped, unwrapped_len);
3984 	return -1;
3985 }
3986 
3987 
3988 void dpp_configuration_free(struct dpp_configuration *conf)
3989 {
3990 	if (!conf)
3991 		return;
3992 	str_clear_free(conf->passphrase);
3993 	os_free(conf->group_id);
3994 	bin_clear_free(conf, sizeof(*conf));
3995 }
3996 
3997 
3998 void dpp_auth_deinit(struct dpp_authentication *auth)
3999 {
4000 	if (!auth)
4001 		return;
4002 	dpp_configuration_free(auth->conf_ap);
4003 	dpp_configuration_free(auth->conf_sta);
4004 	EVP_PKEY_free(auth->own_protocol_key);
4005 	EVP_PKEY_free(auth->peer_protocol_key);
4006 	wpabuf_free(auth->req_msg);
4007 	wpabuf_free(auth->resp_msg);
4008 	wpabuf_free(auth->conf_req);
4009 	os_free(auth->connector);
4010 	wpabuf_free(auth->net_access_key);
4011 	wpabuf_free(auth->c_sign_key);
4012 	dpp_bootstrap_info_free(auth->tmp_own_bi);
4013 #ifdef CONFIG_TESTING_OPTIONS
4014 	os_free(auth->config_obj_override);
4015 	os_free(auth->discovery_override);
4016 	os_free(auth->groups_override);
4017 #endif /* CONFIG_TESTING_OPTIONS */
4018 	bin_clear_free(auth, sizeof(*auth));
4019 }
4020 
4021 
4022 static struct wpabuf *
4023 dpp_build_conf_start(struct dpp_authentication *auth,
4024 		     struct dpp_configuration *conf, size_t tailroom)
4025 {
4026 	struct wpabuf *buf;
4027 	char ssid[6 * sizeof(conf->ssid) + 1];
4028 
4029 #ifdef CONFIG_TESTING_OPTIONS
4030 	if (auth->discovery_override)
4031 		tailroom += os_strlen(auth->discovery_override);
4032 #endif /* CONFIG_TESTING_OPTIONS */
4033 
4034 	buf = wpabuf_alloc(200 + tailroom);
4035 	if (!buf)
4036 		return NULL;
4037 	wpabuf_put_str(buf, "{\"wi-fi_tech\":\"infra\",\"discovery\":");
4038 #ifdef CONFIG_TESTING_OPTIONS
4039 	if (auth->discovery_override) {
4040 		wpa_printf(MSG_DEBUG, "DPP: TESTING - discovery override: '%s'",
4041 			   auth->discovery_override);
4042 		wpabuf_put_str(buf, auth->discovery_override);
4043 		wpabuf_put_u8(buf, ',');
4044 		return buf;
4045 	}
4046 #endif /* CONFIG_TESTING_OPTIONS */
4047 	wpabuf_put_str(buf, "{\"ssid\":\"");
4048 	json_escape_string(ssid, sizeof(ssid),
4049 			   (const char *) conf->ssid, conf->ssid_len);
4050 	wpabuf_put_str(buf, ssid);
4051 	wpabuf_put_str(buf, "\"},");
4052 
4053 	return buf;
4054 }
4055 
4056 
4057 static int dpp_build_jwk(struct wpabuf *buf, const char *name, EVP_PKEY *key,
4058 			 const char *kid, const struct dpp_curve_params *curve)
4059 {
4060 	struct wpabuf *pub;
4061 	const u8 *pos;
4062 	char *x = NULL, *y = NULL;
4063 	int ret = -1;
4064 
4065 	pub = dpp_get_pubkey_point(key, 0);
4066 	if (!pub)
4067 		goto fail;
4068 	pos = wpabuf_head(pub);
4069 	x = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
4070 	pos += curve->prime_len;
4071 	y = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
4072 	if (!x || !y)
4073 		goto fail;
4074 
4075 	wpabuf_put_str(buf, "\"");
4076 	wpabuf_put_str(buf, name);
4077 	wpabuf_put_str(buf, "\":{\"kty\":\"EC\",\"crv\":\"");
4078 	wpabuf_put_str(buf, curve->jwk_crv);
4079 	wpabuf_put_str(buf, "\",\"x\":\"");
4080 	wpabuf_put_str(buf, x);
4081 	wpabuf_put_str(buf, "\",\"y\":\"");
4082 	wpabuf_put_str(buf, y);
4083 	if (kid) {
4084 		wpabuf_put_str(buf, "\",\"kid\":\"");
4085 		wpabuf_put_str(buf, kid);
4086 	}
4087 	wpabuf_put_str(buf, "\"}");
4088 	ret = 0;
4089 fail:
4090 	wpabuf_free(pub);
4091 	os_free(x);
4092 	os_free(y);
4093 	return ret;
4094 }
4095 
4096 
4097 static struct wpabuf *
4098 dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
4099 		       struct dpp_configuration *conf)
4100 {
4101 	struct wpabuf *buf = NULL;
4102 	char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL;
4103 	size_t tailroom;
4104 	const struct dpp_curve_params *curve;
4105 	char jws_prot_hdr[100];
4106 	size_t signed1_len, signed2_len, signed3_len;
4107 	struct wpabuf *dppcon = NULL;
4108 	unsigned char *signature = NULL;
4109 	const unsigned char *p;
4110 	size_t signature_len;
4111 	EVP_MD_CTX *md_ctx = NULL;
4112 	ECDSA_SIG *sig = NULL;
4113 	char *dot = ".";
4114 	const EVP_MD *sign_md;
4115 	const BIGNUM *r, *s;
4116 	size_t extra_len = 1000;
4117 
4118 	if (!auth->conf) {
4119 		wpa_printf(MSG_INFO,
4120 			   "DPP: No configurator specified - cannot generate DPP config object");
4121 		goto fail;
4122 	}
4123 	curve = auth->conf->curve;
4124 	if (curve->hash_len == SHA256_MAC_LEN) {
4125 		sign_md = EVP_sha256();
4126 	} else if (curve->hash_len == SHA384_MAC_LEN) {
4127 		sign_md = EVP_sha384();
4128 	} else if (curve->hash_len == SHA512_MAC_LEN) {
4129 		sign_md = EVP_sha512();
4130 	} else {
4131 		wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
4132 		goto fail;
4133 	}
4134 
4135 #ifdef CONFIG_TESTING_OPTIONS
4136 	if (auth->groups_override)
4137 		extra_len += os_strlen(auth->groups_override);
4138 #endif /* CONFIG_TESTING_OPTIONS */
4139 
4140 	if (conf->group_id)
4141 		extra_len += os_strlen(conf->group_id);
4142 
4143 	/* Connector (JSON dppCon object) */
4144 	dppcon = wpabuf_alloc(extra_len + 2 * auth->curve->prime_len * 4 / 3);
4145 	if (!dppcon)
4146 		goto fail;
4147 #ifdef CONFIG_TESTING_OPTIONS
4148 	if (auth->groups_override) {
4149 		wpabuf_put_u8(dppcon, '{');
4150 		if (auth->groups_override) {
4151 			wpa_printf(MSG_DEBUG,
4152 				   "DPP: TESTING - groups override: '%s'",
4153 				   auth->groups_override);
4154 			wpabuf_put_str(dppcon, "\"groups\":");
4155 			wpabuf_put_str(dppcon, auth->groups_override);
4156 			wpabuf_put_u8(dppcon, ',');
4157 		}
4158 		goto skip_groups;
4159 	}
4160 #endif /* CONFIG_TESTING_OPTIONS */
4161 	wpabuf_printf(dppcon, "{\"groups\":[{\"groupId\":\"%s\",",
4162 		      conf->group_id ? conf->group_id : "*");
4163 	wpabuf_printf(dppcon, "\"netRole\":\"%s\"}],", ap ? "ap" : "sta");
4164 #ifdef CONFIG_TESTING_OPTIONS
4165 skip_groups:
4166 #endif /* CONFIG_TESTING_OPTIONS */
4167 	if (dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL,
4168 			  auth->curve) < 0) {
4169 		wpa_printf(MSG_DEBUG, "DPP: Failed to build netAccessKey JWK");
4170 		goto fail;
4171 	}
4172 	if (conf->netaccesskey_expiry) {
4173 		struct os_tm tm;
4174 
4175 		if (os_gmtime(conf->netaccesskey_expiry, &tm) < 0) {
4176 			wpa_printf(MSG_DEBUG,
4177 				   "DPP: Failed to generate expiry string");
4178 			goto fail;
4179 		}
4180 		wpabuf_printf(dppcon,
4181 			      ",\"expiry\":\"%04u-%02u-%02uT%02u:%02u:%02uZ\"",
4182 			      tm.year, tm.month, tm.day,
4183 			      tm.hour, tm.min, tm.sec);
4184 	}
4185 	wpabuf_put_u8(dppcon, '}');
4186 	wpa_printf(MSG_DEBUG, "DPP: dppCon: %s",
4187 		   (const char *) wpabuf_head(dppcon));
4188 
4189 	os_snprintf(jws_prot_hdr, sizeof(jws_prot_hdr),
4190 		    "{\"typ\":\"dppCon\",\"kid\":\"%s\",\"alg\":\"%s\"}",
4191 		    auth->conf->kid, curve->jws_alg);
4192 	signed1 = (char *) base64_url_encode((unsigned char *) jws_prot_hdr,
4193 					     os_strlen(jws_prot_hdr),
4194 					     &signed1_len, 0);
4195 	signed2 = (char *) base64_url_encode(wpabuf_head(dppcon),
4196 					     wpabuf_len(dppcon),
4197 					     &signed2_len, 0);
4198 	if (!signed1 || !signed2)
4199 		goto fail;
4200 
4201 	md_ctx = EVP_MD_CTX_create();
4202 	if (!md_ctx)
4203 		goto fail;
4204 
4205 	ERR_clear_error();
4206 	if (EVP_DigestSignInit(md_ctx, NULL, sign_md, NULL,
4207 			       auth->conf->csign) != 1) {
4208 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignInit failed: %s",
4209 			   ERR_error_string(ERR_get_error(), NULL));
4210 		goto fail;
4211 	}
4212 	if (EVP_DigestSignUpdate(md_ctx, signed1, signed1_len) != 1 ||
4213 	    EVP_DigestSignUpdate(md_ctx, dot, 1) != 1 ||
4214 	    EVP_DigestSignUpdate(md_ctx, signed2, signed2_len) != 1) {
4215 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignUpdate failed: %s",
4216 			   ERR_error_string(ERR_get_error(), NULL));
4217 		goto fail;
4218 	}
4219 	if (EVP_DigestSignFinal(md_ctx, NULL, &signature_len) != 1) {
4220 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
4221 			   ERR_error_string(ERR_get_error(), NULL));
4222 		goto fail;
4223 	}
4224 	signature = os_malloc(signature_len);
4225 	if (!signature)
4226 		goto fail;
4227 	if (EVP_DigestSignFinal(md_ctx, signature, &signature_len) != 1) {
4228 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
4229 			   ERR_error_string(ERR_get_error(), NULL));
4230 		goto fail;
4231 	}
4232 	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (DER)",
4233 		    signature, signature_len);
4234 	/* Convert to raw coordinates r,s */
4235 	p = signature;
4236 	sig = d2i_ECDSA_SIG(NULL, &p, signature_len);
4237 	if (!sig)
4238 		goto fail;
4239 	ECDSA_SIG_get0(sig, &r, &s);
4240 	if (dpp_bn2bin_pad(r, signature, curve->prime_len) < 0 ||
4241 	    dpp_bn2bin_pad(s, signature + curve->prime_len,
4242 			   curve->prime_len) < 0)
4243 		goto fail;
4244 	signature_len = 2 * curve->prime_len;
4245 	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)",
4246 		    signature, signature_len);
4247 	signed3 = (char *) base64_url_encode(signature, signature_len,
4248 					     &signed3_len, 0);
4249 	if (!signed3)
4250 		goto fail;
4251 
4252 	tailroom = 1000;
4253 	tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid);
4254 	tailroom += signed1_len + signed2_len + signed3_len;
4255 	buf = dpp_build_conf_start(auth, conf, tailroom);
4256 	if (!buf)
4257 		goto fail;
4258 
4259 	wpabuf_put_str(buf, "\"cred\":{\"akm\":\"dpp\",\"signedConnector\":\"");
4260 	wpabuf_put_str(buf, signed1);
4261 	wpabuf_put_u8(buf, '.');
4262 	wpabuf_put_str(buf, signed2);
4263 	wpabuf_put_u8(buf, '.');
4264 	wpabuf_put_str(buf, signed3);
4265 	wpabuf_put_str(buf, "\",");
4266 	if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid,
4267 			  curve) < 0) {
4268 		wpa_printf(MSG_DEBUG, "DPP: Failed to build csign JWK");
4269 		goto fail;
4270 	}
4271 
4272 	wpabuf_put_str(buf, "}}");
4273 
4274 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object",
4275 			      wpabuf_head(buf), wpabuf_len(buf));
4276 
4277 out:
4278 	EVP_MD_CTX_destroy(md_ctx);
4279 	ECDSA_SIG_free(sig);
4280 	os_free(signed1);
4281 	os_free(signed2);
4282 	os_free(signed3);
4283 	os_free(signature);
4284 	wpabuf_free(dppcon);
4285 	return buf;
4286 fail:
4287 	wpa_printf(MSG_DEBUG, "DPP: Failed to build configuration object");
4288 	wpabuf_free(buf);
4289 	buf = NULL;
4290 	goto out;
4291 }
4292 
4293 
4294 static struct wpabuf *
4295 dpp_build_conf_obj_legacy(struct dpp_authentication *auth, int ap,
4296 			  struct dpp_configuration *conf)
4297 {
4298 	struct wpabuf *buf;
4299 
4300 	buf = dpp_build_conf_start(auth, conf, 1000);
4301 	if (!buf)
4302 		return NULL;
4303 
4304 	wpabuf_printf(buf, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(conf->akm));
4305 	if (conf->passphrase) {
4306 		char pass[63 * 6 + 1];
4307 
4308 		if (os_strlen(conf->passphrase) > 63) {
4309 			wpabuf_free(buf);
4310 			return NULL;
4311 		}
4312 
4313 		json_escape_string(pass, sizeof(pass), conf->passphrase,
4314 				   os_strlen(conf->passphrase));
4315 		wpabuf_put_str(buf, "\"pass\":\"");
4316 		wpabuf_put_str(buf, pass);
4317 		wpabuf_put_str(buf, "\"");
4318 	} else {
4319 		char psk[2 * sizeof(conf->psk) + 1];
4320 
4321 		wpa_snprintf_hex(psk, sizeof(psk),
4322 				 conf->psk, sizeof(conf->psk));
4323 		wpabuf_put_str(buf, "\"psk_hex\":\"");
4324 		wpabuf_put_str(buf, psk);
4325 		wpabuf_put_str(buf, "\"");
4326 	}
4327 	wpabuf_put_str(buf, "}}");
4328 
4329 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object (legacy)",
4330 			      wpabuf_head(buf), wpabuf_len(buf));
4331 
4332 	return buf;
4333 }
4334 
4335 
4336 static struct wpabuf *
4337 dpp_build_conf_obj(struct dpp_authentication *auth, int ap)
4338 {
4339 	struct dpp_configuration *conf;
4340 
4341 #ifdef CONFIG_TESTING_OPTIONS
4342 	if (auth->config_obj_override) {
4343 		wpa_printf(MSG_DEBUG, "DPP: Testing - Config Object override");
4344 		return wpabuf_alloc_copy(auth->config_obj_override,
4345 					 os_strlen(auth->config_obj_override));
4346 	}
4347 #endif /* CONFIG_TESTING_OPTIONS */
4348 
4349 	conf = ap ? auth->conf_ap : auth->conf_sta;
4350 	if (!conf) {
4351 		wpa_printf(MSG_DEBUG,
4352 			   "DPP: No configuration available for Enrollee(%s) - reject configuration request",
4353 			   ap ? "ap" : "sta");
4354 		return NULL;
4355 	}
4356 
4357 	if (conf->akm == DPP_AKM_DPP)
4358 		return dpp_build_conf_obj_dpp(auth, ap, conf);
4359 	return dpp_build_conf_obj_legacy(auth, ap, conf);
4360 }
4361 
4362 
4363 static struct wpabuf *
4364 dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce,
4365 		    u16 e_nonce_len, int ap)
4366 {
4367 	struct wpabuf *conf;
4368 	size_t clear_len, attr_len;
4369 	struct wpabuf *clear = NULL, *msg = NULL;
4370 	u8 *wrapped;
4371 	const u8 *addr[1];
4372 	size_t len[1];
4373 	enum dpp_status_error status;
4374 
4375 	conf = dpp_build_conf_obj(auth, ap);
4376 	if (conf) {
4377 		wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
4378 				  wpabuf_head(conf), wpabuf_len(conf));
4379 	}
4380 	status = conf ? DPP_STATUS_OK : DPP_STATUS_CONFIGURE_FAILURE;
4381 
4382 	/* { E-nonce, configurationObject}ke */
4383 	clear_len = 4 + e_nonce_len;
4384 	if (conf)
4385 		clear_len += 4 + wpabuf_len(conf);
4386 	clear = wpabuf_alloc(clear_len);
4387 	attr_len = 4 + 1 + 4 + clear_len + AES_BLOCK_SIZE;
4388 #ifdef CONFIG_TESTING_OPTIONS
4389 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP)
4390 		attr_len += 5;
4391 #endif /* CONFIG_TESTING_OPTIONS */
4392 	msg = wpabuf_alloc(attr_len);
4393 	if (!clear || !msg)
4394 		goto fail;
4395 
4396 #ifdef CONFIG_TESTING_OPTIONS
4397 	if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_RESP) {
4398 		wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
4399 		goto skip_e_nonce;
4400 	}
4401 	if (dpp_test == DPP_TEST_E_NONCE_MISMATCH_CONF_RESP) {
4402 		wpa_printf(MSG_INFO, "DPP: TESTING - E-nonce mismatch");
4403 		wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
4404 		wpabuf_put_le16(clear, e_nonce_len);
4405 		wpabuf_put_data(clear, e_nonce, e_nonce_len - 1);
4406 		wpabuf_put_u8(clear, e_nonce[e_nonce_len - 1] ^ 0x01);
4407 		goto skip_e_nonce;
4408 	}
4409 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_RESP) {
4410 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
4411 		goto skip_wrapped_data;
4412 	}
4413 #endif /* CONFIG_TESTING_OPTIONS */
4414 
4415 	/* E-nonce */
4416 	wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
4417 	wpabuf_put_le16(clear, e_nonce_len);
4418 	wpabuf_put_data(clear, e_nonce, e_nonce_len);
4419 
4420 #ifdef CONFIG_TESTING_OPTIONS
4421 skip_e_nonce:
4422 	if (dpp_test == DPP_TEST_NO_CONFIG_OBJ_CONF_RESP) {
4423 		wpa_printf(MSG_INFO, "DPP: TESTING - Config Object");
4424 		goto skip_config_obj;
4425 	}
4426 #endif /* CONFIG_TESTING_OPTIONS */
4427 
4428 	if (conf) {
4429 		wpabuf_put_le16(clear, DPP_ATTR_CONFIG_OBJ);
4430 		wpabuf_put_le16(clear, wpabuf_len(conf));
4431 		wpabuf_put_buf(clear, conf);
4432 	}
4433 
4434 #ifdef CONFIG_TESTING_OPTIONS
4435 skip_config_obj:
4436 	if (dpp_test == DPP_TEST_NO_STATUS_CONF_RESP) {
4437 		wpa_printf(MSG_INFO, "DPP: TESTING - Status");
4438 		goto skip_status;
4439 	}
4440 	if (dpp_test == DPP_TEST_INVALID_STATUS_CONF_RESP) {
4441 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
4442 		status = 255;
4443 	}
4444 #endif /* CONFIG_TESTING_OPTIONS */
4445 
4446 	/* DPP Status */
4447 	dpp_build_attr_status(msg, status);
4448 
4449 #ifdef CONFIG_TESTING_OPTIONS
4450 skip_status:
4451 #endif /* CONFIG_TESTING_OPTIONS */
4452 
4453 	addr[0] = wpabuf_head(msg);
4454 	len[0] = wpabuf_len(msg);
4455 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);
4456 
4457 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
4458 	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
4459 	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
4460 
4461 	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
4462 	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
4463 			    wpabuf_head(clear), wpabuf_len(clear),
4464 			    1, addr, len, wrapped) < 0)
4465 		goto fail;
4466 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
4467 		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
4468 
4469 #ifdef CONFIG_TESTING_OPTIONS
4470 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP) {
4471 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
4472 		dpp_build_attr_status(msg, DPP_STATUS_OK);
4473 	}
4474 skip_wrapped_data:
4475 #endif /* CONFIG_TESTING_OPTIONS */
4476 
4477 	wpa_hexdump_buf(MSG_DEBUG,
4478 			"DPP: Configuration Response attributes", msg);
4479 out:
4480 	wpabuf_free(conf);
4481 	wpabuf_free(clear);
4482 
4483 	return msg;
4484 fail:
4485 	wpabuf_free(msg);
4486 	msg = NULL;
4487 	goto out;
4488 }
4489 
4490 
4491 struct wpabuf *
4492 dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
4493 		size_t attr_len)
4494 {
4495 	const u8 *wrapped_data, *e_nonce, *config_attr;
4496 	u16 wrapped_data_len, e_nonce_len, config_attr_len;
4497 	u8 *unwrapped = NULL;
4498 	size_t unwrapped_len = 0;
4499 	struct wpabuf *resp = NULL;
4500 	struct json_token *root = NULL, *token;
4501 	int ap;
4502 
4503 #ifdef CONFIG_TESTING_OPTIONS
4504 	if (dpp_test == DPP_TEST_STOP_AT_CONF_REQ) {
4505 		wpa_printf(MSG_INFO,
4506 			   "DPP: TESTING - stop at Config Request");
4507 		return NULL;
4508 	}
4509 #endif /* CONFIG_TESTING_OPTIONS */
4510 
4511 	if (dpp_check_attrs(attr_start, attr_len) < 0) {
4512 		dpp_auth_fail(auth, "Invalid attribute in config request");
4513 		return NULL;
4514 	}
4515 
4516 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
4517 				    &wrapped_data_len);
4518 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
4519 		dpp_auth_fail(auth,
4520 			      "Missing or invalid required Wrapped Data attribute");
4521 		return NULL;
4522 	}
4523 
4524 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
4525 		    wrapped_data, wrapped_data_len);
4526 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
4527 	unwrapped = os_malloc(unwrapped_len);
4528 	if (!unwrapped)
4529 		return NULL;
4530 	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
4531 			    wrapped_data, wrapped_data_len,
4532 			    0, NULL, NULL, unwrapped) < 0) {
4533 		dpp_auth_fail(auth, "AES-SIV decryption failed");
4534 		goto fail;
4535 	}
4536 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
4537 		    unwrapped, unwrapped_len);
4538 
4539 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
4540 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
4541 		goto fail;
4542 	}
4543 
4544 	e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
4545 			       DPP_ATTR_ENROLLEE_NONCE,
4546 			       &e_nonce_len);
4547 	if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
4548 		dpp_auth_fail(auth,
4549 			      "Missing or invalid Enrollee Nonce attribute");
4550 		goto fail;
4551 	}
4552 	wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
4553 
4554 	config_attr = dpp_get_attr(unwrapped, unwrapped_len,
4555 				   DPP_ATTR_CONFIG_ATTR_OBJ,
4556 				   &config_attr_len);
4557 	if (!config_attr) {
4558 		dpp_auth_fail(auth,
4559 			      "Missing or invalid Config Attributes attribute");
4560 		goto fail;
4561 	}
4562 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: Config Attributes",
4563 			  config_attr, config_attr_len);
4564 
4565 	root = json_parse((const char *) config_attr, config_attr_len);
4566 	if (!root) {
4567 		dpp_auth_fail(auth, "Could not parse Config Attributes");
4568 		goto fail;
4569 	}
4570 
4571 	token = json_get_member(root, "name");
4572 	if (!token || token->type != JSON_STRING) {
4573 		dpp_auth_fail(auth, "No Config Attributes - name");
4574 		goto fail;
4575 	}
4576 	wpa_printf(MSG_DEBUG, "DPP: Enrollee name = '%s'", token->string);
4577 
4578 	token = json_get_member(root, "wi-fi_tech");
4579 	if (!token || token->type != JSON_STRING) {
4580 		dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech");
4581 		goto fail;
4582 	}
4583 	wpa_printf(MSG_DEBUG, "DPP: wi-fi_tech = '%s'", token->string);
4584 	if (os_strcmp(token->string, "infra") != 0) {
4585 		wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech '%s'",
4586 			   token->string);
4587 		dpp_auth_fail(auth, "Unsupported wi-fi_tech");
4588 		goto fail;
4589 	}
4590 
4591 	token = json_get_member(root, "netRole");
4592 	if (!token || token->type != JSON_STRING) {
4593 		dpp_auth_fail(auth, "No Config Attributes - netRole");
4594 		goto fail;
4595 	}
4596 	wpa_printf(MSG_DEBUG, "DPP: netRole = '%s'", token->string);
4597 	if (os_strcmp(token->string, "sta") == 0) {
4598 		ap = 0;
4599 	} else if (os_strcmp(token->string, "ap") == 0) {
4600 		ap = 1;
4601 	} else {
4602 		wpa_printf(MSG_DEBUG, "DPP: Unsupported netRole '%s'",
4603 			   token->string);
4604 		dpp_auth_fail(auth, "Unsupported netRole");
4605 		goto fail;
4606 	}
4607 
4608 	resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, ap);
4609 
4610 fail:
4611 	json_free(root);
4612 	os_free(unwrapped);
4613 	return resp;
4614 }
4615 
4616 
4617 static struct wpabuf *
4618 dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve,
4619 		       const u8 *prot_hdr, u16 prot_hdr_len,
4620 		       const EVP_MD **ret_md)
4621 {
4622 	struct json_token *root, *token;
4623 	struct wpabuf *kid = NULL;
4624 
4625 	root = json_parse((const char *) prot_hdr, prot_hdr_len);
4626 	if (!root) {
4627 		wpa_printf(MSG_DEBUG,
4628 			   "DPP: JSON parsing failed for JWS Protected Header");
4629 		goto fail;
4630 	}
4631 
4632 	if (root->type != JSON_OBJECT) {
4633 		wpa_printf(MSG_DEBUG,
4634 			   "DPP: JWS Protected Header root is not an object");
4635 		goto fail;
4636 	}
4637 
4638 	token = json_get_member(root, "typ");
4639 	if (!token || token->type != JSON_STRING) {
4640 		wpa_printf(MSG_DEBUG, "DPP: No typ string value found");
4641 		goto fail;
4642 	}
4643 	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s",
4644 		   token->string);
4645 	if (os_strcmp(token->string, "dppCon") != 0) {
4646 		wpa_printf(MSG_DEBUG,
4647 			   "DPP: Unsupported JWS Protected Header typ=%s",
4648 			   token->string);
4649 		goto fail;
4650 	}
4651 
4652 	token = json_get_member(root, "alg");
4653 	if (!token || token->type != JSON_STRING) {
4654 		wpa_printf(MSG_DEBUG, "DPP: No alg string value found");
4655 		goto fail;
4656 	}
4657 	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s",
4658 		   token->string);
4659 	if (os_strcmp(token->string, curve->jws_alg) != 0) {
4660 		wpa_printf(MSG_DEBUG,
4661 			   "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)",
4662 			   token->string, curve->jws_alg);
4663 		goto fail;
4664 	}
4665 	if (os_strcmp(token->string, "ES256") == 0 ||
4666 	    os_strcmp(token->string, "BS256") == 0)
4667 		*ret_md = EVP_sha256();
4668 	else if (os_strcmp(token->string, "ES384") == 0 ||
4669 		 os_strcmp(token->string, "BS384") == 0)
4670 		*ret_md = EVP_sha384();
4671 	else if (os_strcmp(token->string, "ES512") == 0 ||
4672 		 os_strcmp(token->string, "BS512") == 0)
4673 		*ret_md = EVP_sha512();
4674 	else
4675 		*ret_md = NULL;
4676 	if (!*ret_md) {
4677 		wpa_printf(MSG_DEBUG,
4678 			   "DPP: Unsupported JWS Protected Header alg=%s",
4679 			   token->string);
4680 		goto fail;
4681 	}
4682 
4683 	kid = json_get_member_base64url(root, "kid");
4684 	if (!kid) {
4685 		wpa_printf(MSG_DEBUG, "DPP: No kid string value found");
4686 		goto fail;
4687 	}
4688 	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)",
4689 			kid);
4690 
4691 fail:
4692 	json_free(root);
4693 	return kid;
4694 }
4695 
4696 
4697 static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
4698 				 struct json_token *cred)
4699 {
4700 	struct json_token *pass, *psk_hex;
4701 
4702 	wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential");
4703 
4704 	pass = json_get_member(cred, "pass");
4705 	psk_hex = json_get_member(cred, "psk_hex");
4706 
4707 	if (pass && pass->type == JSON_STRING) {
4708 		size_t len = os_strlen(pass->string);
4709 
4710 		wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Legacy passphrase",
4711 				      pass->string, len);
4712 		if (len < 8 || len > 63)
4713 			return -1;
4714 		os_strlcpy(auth->passphrase, pass->string,
4715 			   sizeof(auth->passphrase));
4716 	} else if (psk_hex && psk_hex->type == JSON_STRING) {
4717 		if (auth->akm == DPP_AKM_SAE) {
4718 			wpa_printf(MSG_DEBUG,
4719 				   "DPP: Unexpected psk_hex with akm=sae");
4720 			return -1;
4721 		}
4722 		if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
4723 		    hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
4724 			wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
4725 			return -1;
4726 		}
4727 		wpa_hexdump_key(MSG_DEBUG, "DPP: Legacy PSK",
4728 				auth->psk, PMK_LEN);
4729 		auth->psk_set = 1;
4730 	} else {
4731 		wpa_printf(MSG_DEBUG, "DPP: No pass or psk_hex strings found");
4732 		return -1;
4733 	}
4734 
4735 	if ((auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE) &&
4736 	    !auth->passphrase[0]) {
4737 		wpa_printf(MSG_DEBUG, "DPP: No pass for sae found");
4738 		return -1;
4739 	}
4740 
4741 	return 0;
4742 }
4743 
4744 
4745 static EVP_PKEY * dpp_parse_jwk(struct json_token *jwk,
4746 				const struct dpp_curve_params **key_curve)
4747 {
4748 	struct json_token *token;
4749 	const struct dpp_curve_params *curve;
4750 	struct wpabuf *x = NULL, *y = NULL;
4751 	EC_GROUP *group;
4752 	EVP_PKEY *pkey = NULL;
4753 
4754 	token = json_get_member(jwk, "kty");
4755 	if (!token || token->type != JSON_STRING) {
4756 		wpa_printf(MSG_DEBUG, "DPP: No kty in JWK");
4757 		goto fail;
4758 	}
4759 	if (os_strcmp(token->string, "EC") != 0) {
4760 		wpa_printf(MSG_DEBUG, "DPP: Unexpected JWK kty '%s'",
4761 			   token->string);
4762 		goto fail;
4763 	}
4764 
4765 	token = json_get_member(jwk, "crv");
4766 	if (!token || token->type != JSON_STRING) {
4767 		wpa_printf(MSG_DEBUG, "DPP: No crv in JWK");
4768 		goto fail;
4769 	}
4770 	curve = dpp_get_curve_jwk_crv(token->string);
4771 	if (!curve) {
4772 		wpa_printf(MSG_DEBUG, "DPP: Unsupported JWK crv '%s'",
4773 			   token->string);
4774 		goto fail;
4775 	}
4776 
4777 	x = json_get_member_base64url(jwk, "x");
4778 	if (!x) {
4779 		wpa_printf(MSG_DEBUG, "DPP: No x in JWK");
4780 		goto fail;
4781 	}
4782 	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK x", x);
4783 	if (wpabuf_len(x) != curve->prime_len) {
4784 		wpa_printf(MSG_DEBUG,
4785 			   "DPP: Unexpected JWK x length %u (expected %u for curve %s)",
4786 			   (unsigned int) wpabuf_len(x),
4787 			   (unsigned int) curve->prime_len, curve->name);
4788 		goto fail;
4789 	}
4790 
4791 	y = json_get_member_base64url(jwk, "y");
4792 	if (!y) {
4793 		wpa_printf(MSG_DEBUG, "DPP: No y in JWK");
4794 		goto fail;
4795 	}
4796 	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK y", y);
4797 	if (wpabuf_len(y) != curve->prime_len) {
4798 		wpa_printf(MSG_DEBUG,
4799 			   "DPP: Unexpected JWK y length %u (expected %u for curve %s)",
4800 			   (unsigned int) wpabuf_len(y),
4801 			   (unsigned int) curve->prime_len, curve->name);
4802 		goto fail;
4803 	}
4804 
4805 	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
4806 	if (!group) {
4807 		wpa_printf(MSG_DEBUG, "DPP: Could not prepare group for JWK");
4808 		goto fail;
4809 	}
4810 
4811 	pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y),
4812 					  wpabuf_len(x));
4813 	*key_curve = curve;
4814 
4815 fail:
4816 	wpabuf_free(x);
4817 	wpabuf_free(y);
4818 
4819 	return pkey;
4820 }
4821 
4822 
4823 int dpp_key_expired(const char *timestamp, os_time_t *expiry)
4824 {
4825 	struct os_time now;
4826 	unsigned int year, month, day, hour, min, sec;
4827 	os_time_t utime;
4828 	const char *pos;
4829 
4830 	/* ISO 8601 date and time:
4831 	 * <date>T<time>
4832 	 * YYYY-MM-DDTHH:MM:SSZ
4833 	 * YYYY-MM-DDTHH:MM:SS+03:00
4834 	 */
4835 	if (os_strlen(timestamp) < 19) {
4836 		wpa_printf(MSG_DEBUG,
4837 			   "DPP: Too short timestamp - assume expired key");
4838 		return 1;
4839 	}
4840 	if (sscanf(timestamp, "%04u-%02u-%02uT%02u:%02u:%02u",
4841 		   &year, &month, &day, &hour, &min, &sec) != 6) {
4842 		wpa_printf(MSG_DEBUG,
4843 			   "DPP: Failed to parse expiration day - assume expired key");
4844 		return 1;
4845 	}
4846 
4847 	if (os_mktime(year, month, day, hour, min, sec, &utime) < 0) {
4848 		wpa_printf(MSG_DEBUG,
4849 			   "DPP: Invalid date/time information - assume expired key");
4850 		return 1;
4851 	}
4852 
4853 	pos = timestamp + 19;
4854 	if (*pos == 'Z' || *pos == '\0') {
4855 		/* In UTC - no need to adjust */
4856 	} else if (*pos == '-' || *pos == '+') {
4857 		int items;
4858 
4859 		/* Adjust local time to UTC */
4860 		items = sscanf(pos + 1, "%02u:%02u", &hour, &min);
4861 		if (items < 1) {
4862 			wpa_printf(MSG_DEBUG,
4863 				   "DPP: Invalid time zone designator (%s) - assume expired key",
4864 				   pos);
4865 			return 1;
4866 		}
4867 		if (*pos == '-')
4868 			utime += 3600 * hour;
4869 		if (*pos == '+')
4870 			utime -= 3600 * hour;
4871 		if (items > 1) {
4872 			if (*pos == '-')
4873 				utime += 60 * min;
4874 			if (*pos == '+')
4875 				utime -= 60 * min;
4876 		}
4877 	} else {
4878 		wpa_printf(MSG_DEBUG,
4879 			   "DPP: Invalid time zone designator (%s) - assume expired key",
4880 			   pos);
4881 		return 1;
4882 	}
4883 	if (expiry)
4884 		*expiry = utime;
4885 
4886 	if (os_get_time(&now) < 0) {
4887 		wpa_printf(MSG_DEBUG,
4888 			   "DPP: Cannot get current time - assume expired key");
4889 		return 1;
4890 	}
4891 
4892 	if (now.sec > utime) {
4893 		wpa_printf(MSG_DEBUG, "DPP: Key has expired (%lu < %lu)",
4894 			   utime, now.sec);
4895 		return 1;
4896 	}
4897 
4898 	return 0;
4899 }
4900 
4901 
4902 static int dpp_parse_connector(struct dpp_authentication *auth,
4903 			       const unsigned char *payload,
4904 			       u16 payload_len)
4905 {
4906 	struct json_token *root, *groups, *netkey, *token;
4907 	int ret = -1;
4908 	EVP_PKEY *key = NULL;
4909 	const struct dpp_curve_params *curve;
4910 	unsigned int rules = 0;
4911 
4912 	root = json_parse((const char *) payload, payload_len);
4913 	if (!root) {
4914 		wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
4915 		goto fail;
4916 	}
4917 
4918 	groups = json_get_member(root, "groups");
4919 	if (!groups || groups->type != JSON_ARRAY) {
4920 		wpa_printf(MSG_DEBUG, "DPP: No groups array found");
4921 		goto skip_groups;
4922 	}
4923 	for (token = groups->child; token; token = token->sibling) {
4924 		struct json_token *id, *role;
4925 
4926 		id = json_get_member(token, "groupId");
4927 		if (!id || id->type != JSON_STRING) {
4928 			wpa_printf(MSG_DEBUG, "DPP: Missing groupId string");
4929 			goto fail;
4930 		}
4931 
4932 		role = json_get_member(token, "netRole");
4933 		if (!role || role->type != JSON_STRING) {
4934 			wpa_printf(MSG_DEBUG, "DPP: Missing netRole string");
4935 			goto fail;
4936 		}
4937 		wpa_printf(MSG_DEBUG,
4938 			   "DPP: connector group: groupId='%s' netRole='%s'",
4939 			   id->string, role->string);
4940 		rules++;
4941 	}
4942 skip_groups:
4943 
4944 	if (!rules) {
4945 		wpa_printf(MSG_DEBUG,
4946 			   "DPP: Connector includes no groups");
4947 		goto fail;
4948 	}
4949 
4950 	token = json_get_member(root, "expiry");
4951 	if (!token || token->type != JSON_STRING) {
4952 		wpa_printf(MSG_DEBUG,
4953 			   "DPP: No expiry string found - connector does not expire");
4954 	} else {
4955 		wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
4956 		if (dpp_key_expired(token->string,
4957 				    &auth->net_access_key_expiry)) {
4958 			wpa_printf(MSG_DEBUG,
4959 				   "DPP: Connector (netAccessKey) has expired");
4960 			goto fail;
4961 		}
4962 	}
4963 
4964 	netkey = json_get_member(root, "netAccessKey");
4965 	if (!netkey || netkey->type != JSON_OBJECT) {
4966 		wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
4967 		goto fail;
4968 	}
4969 
4970 	key = dpp_parse_jwk(netkey, &curve);
4971 	if (!key)
4972 		goto fail;
4973 	dpp_debug_print_key("DPP: Received netAccessKey", key);
4974 
4975 	if (EVP_PKEY_cmp(key, auth->own_protocol_key) != 1) {
4976 		wpa_printf(MSG_DEBUG,
4977 			   "DPP: netAccessKey in connector does not match own protocol key");
4978 #ifdef CONFIG_TESTING_OPTIONS
4979 		if (auth->ignore_netaccesskey_mismatch) {
4980 			wpa_printf(MSG_DEBUG,
4981 				   "DPP: TESTING - skip netAccessKey mismatch");
4982 		} else {
4983 			goto fail;
4984 		}
4985 #else /* CONFIG_TESTING_OPTIONS */
4986 		goto fail;
4987 #endif /* CONFIG_TESTING_OPTIONS */
4988 	}
4989 
4990 	ret = 0;
4991 fail:
4992 	EVP_PKEY_free(key);
4993 	json_free(root);
4994 	return ret;
4995 }
4996 
4997 
4998 static int dpp_check_pubkey_match(EVP_PKEY *pub, struct wpabuf *r_hash)
4999 {
5000 	struct wpabuf *uncomp;
5001 	int res;
5002 	u8 hash[SHA256_MAC_LEN];
5003 	const u8 *addr[1];
5004 	size_t len[1];
5005 
5006 	if (wpabuf_len(r_hash) != SHA256_MAC_LEN)
5007 		return -1;
5008 	uncomp = dpp_get_pubkey_point(pub, 1);
5009 	if (!uncomp)
5010 		return -1;
5011 	addr[0] = wpabuf_head(uncomp);
5012 	len[0] = wpabuf_len(uncomp);
5013 	wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key",
5014 		    addr[0], len[0]);
5015 	res = sha256_vector(1, addr, len, hash);
5016 	wpabuf_free(uncomp);
5017 	if (res < 0)
5018 		return -1;
5019 	if (os_memcmp(hash, wpabuf_head(r_hash), SHA256_MAC_LEN) != 0) {
5020 		wpa_printf(MSG_DEBUG,
5021 			   "DPP: Received hash value does not match calculated public key hash value");
5022 		wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash",
5023 			    hash, SHA256_MAC_LEN);
5024 		return -1;
5025 	}
5026 	return 0;
5027 }
5028 
5029 
5030 static void dpp_copy_csign(struct dpp_authentication *auth, EVP_PKEY *csign)
5031 {
5032 	unsigned char *der = NULL;
5033 	int der_len;
5034 
5035 	der_len = i2d_PUBKEY(csign, &der);
5036 	if (der_len <= 0)
5037 		return;
5038 	wpabuf_free(auth->c_sign_key);
5039 	auth->c_sign_key = wpabuf_alloc_copy(der, der_len);
5040 	OPENSSL_free(der);
5041 }
5042 
5043 
5044 static void dpp_copy_netaccesskey(struct dpp_authentication *auth)
5045 {
5046 	unsigned char *der = NULL;
5047 	int der_len;
5048 	EC_KEY *eckey;
5049 
5050 	eckey = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
5051 	if (!eckey)
5052 		return;
5053 
5054 	der_len = i2d_ECPrivateKey(eckey, &der);
5055 	if (der_len <= 0) {
5056 		EC_KEY_free(eckey);
5057 		return;
5058 	}
5059 	wpabuf_free(auth->net_access_key);
5060 	auth->net_access_key = wpabuf_alloc_copy(der, der_len);
5061 	OPENSSL_free(der);
5062 	EC_KEY_free(eckey);
5063 }
5064 
5065 
5066 struct dpp_signed_connector_info {
5067 	unsigned char *payload;
5068 	size_t payload_len;
5069 };
5070 
5071 static enum dpp_status_error
5072 dpp_process_signed_connector(struct dpp_signed_connector_info *info,
5073 			     EVP_PKEY *csign_pub, const char *connector)
5074 {
5075 	enum dpp_status_error ret = 255;
5076 	const char *pos, *end, *signed_start, *signed_end;
5077 	struct wpabuf *kid = NULL;
5078 	unsigned char *prot_hdr = NULL, *signature = NULL;
5079 	size_t prot_hdr_len = 0, signature_len = 0;
5080 	const EVP_MD *sign_md = NULL;
5081 	unsigned char *der = NULL;
5082 	int der_len;
5083 	int res;
5084 	EVP_MD_CTX *md_ctx = NULL;
5085 	ECDSA_SIG *sig = NULL;
5086 	BIGNUM *r = NULL, *s = NULL;
5087 	const struct dpp_curve_params *curve;
5088 	EC_KEY *eckey;
5089 	const EC_GROUP *group;
5090 	int nid;
5091 
5092 	eckey = EVP_PKEY_get1_EC_KEY(csign_pub);
5093 	if (!eckey)
5094 		goto fail;
5095 	group = EC_KEY_get0_group(eckey);
5096 	if (!group)
5097 		goto fail;
5098 	nid = EC_GROUP_get_curve_name(group);
5099 	curve = dpp_get_curve_nid(nid);
5100 	if (!curve)
5101 		goto fail;
5102 	wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv);
5103 	os_memset(info, 0, sizeof(*info));
5104 
5105 	signed_start = pos = connector;
5106 	end = os_strchr(pos, '.');
5107 	if (!end) {
5108 		wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector");
5109 		ret = DPP_STATUS_INVALID_CONNECTOR;
5110 		goto fail;
5111 	}
5112 	prot_hdr = base64_url_decode((const unsigned char *) pos,
5113 				     end - pos, &prot_hdr_len);
5114 	if (!prot_hdr) {
5115 		wpa_printf(MSG_DEBUG,
5116 			   "DPP: Failed to base64url decode signedConnector JWS Protected Header");
5117 		ret = DPP_STATUS_INVALID_CONNECTOR;
5118 		goto fail;
5119 	}
5120 	wpa_hexdump_ascii(MSG_DEBUG,
5121 			  "DPP: signedConnector - JWS Protected Header",
5122 			  prot_hdr, prot_hdr_len);
5123 	kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &sign_md);
5124 	if (!kid) {
5125 		ret = DPP_STATUS_INVALID_CONNECTOR;
5126 		goto fail;
5127 	}
5128 	if (wpabuf_len(kid) != SHA256_MAC_LEN) {
5129 		wpa_printf(MSG_DEBUG,
5130 			   "DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)",
5131 			   (unsigned int) wpabuf_len(kid), SHA256_MAC_LEN);
5132 		ret = DPP_STATUS_INVALID_CONNECTOR;
5133 		goto fail;
5134 	}
5135 
5136 	pos = end + 1;
5137 	end = os_strchr(pos, '.');
5138 	if (!end) {
5139 		wpa_printf(MSG_DEBUG,
5140 			   "DPP: Missing dot(2) in signedConnector");
5141 		ret = DPP_STATUS_INVALID_CONNECTOR;
5142 		goto fail;
5143 	}
5144 	signed_end = end - 1;
5145 	info->payload = base64_url_decode((const unsigned char *) pos,
5146 					  end - pos, &info->payload_len);
5147 	if (!info->payload) {
5148 		wpa_printf(MSG_DEBUG,
5149 			   "DPP: Failed to base64url decode signedConnector JWS Payload");
5150 		ret = DPP_STATUS_INVALID_CONNECTOR;
5151 		goto fail;
5152 	}
5153 	wpa_hexdump_ascii(MSG_DEBUG,
5154 			  "DPP: signedConnector - JWS Payload",
5155 			  info->payload, info->payload_len);
5156 	pos = end + 1;
5157 	signature = base64_url_decode((const unsigned char *) pos,
5158 				      os_strlen(pos), &signature_len);
5159 	if (!signature) {
5160 		wpa_printf(MSG_DEBUG,
5161 			   "DPP: Failed to base64url decode signedConnector signature");
5162 		ret = DPP_STATUS_INVALID_CONNECTOR;
5163 		goto fail;
5164 		}
5165 	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature",
5166 		    signature, signature_len);
5167 
5168 	if (dpp_check_pubkey_match(csign_pub, kid) < 0) {
5169 		ret = DPP_STATUS_NO_MATCH;
5170 		goto fail;
5171 	}
5172 
5173 	if (signature_len & 0x01) {
5174 		wpa_printf(MSG_DEBUG,
5175 			   "DPP: Unexpected signedConnector signature length (%d)",
5176 			   (int) signature_len);
5177 		ret = DPP_STATUS_INVALID_CONNECTOR;
5178 		goto fail;
5179 	}
5180 
5181 	/* JWS Signature encodes the signature (r,s) as two octet strings. Need
5182 	 * to convert that to DER encoded ECDSA_SIG for OpenSSL EVP routines. */
5183 	r = BN_bin2bn(signature, signature_len / 2, NULL);
5184 	s = BN_bin2bn(signature + signature_len / 2, signature_len / 2, NULL);
5185 	sig = ECDSA_SIG_new();
5186 	if (!r || !s || !sig || ECDSA_SIG_set0(sig, r, s) != 1)
5187 		goto fail;
5188 	r = NULL;
5189 	s = NULL;
5190 
5191 	der_len = i2d_ECDSA_SIG(sig, &der);
5192 	if (der_len <= 0) {
5193 		wpa_printf(MSG_DEBUG, "DPP: Could not DER encode signature");
5194 		goto fail;
5195 	}
5196 	wpa_hexdump(MSG_DEBUG, "DPP: DER encoded signature", der, der_len);
5197 	md_ctx = EVP_MD_CTX_create();
5198 	if (!md_ctx)
5199 		goto fail;
5200 
5201 	ERR_clear_error();
5202 	if (EVP_DigestVerifyInit(md_ctx, NULL, sign_md, NULL, csign_pub) != 1) {
5203 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyInit failed: %s",
5204 			   ERR_error_string(ERR_get_error(), NULL));
5205 		goto fail;
5206 	}
5207 	if (EVP_DigestVerifyUpdate(md_ctx, signed_start,
5208 				   signed_end - signed_start + 1) != 1) {
5209 		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyUpdate failed: %s",
5210 			   ERR_error_string(ERR_get_error(), NULL));
5211 		goto fail;
5212 	}
5213 	res = EVP_DigestVerifyFinal(md_ctx, der, der_len);
5214 	if (res != 1) {
5215 		wpa_printf(MSG_DEBUG,
5216 			   "DPP: EVP_DigestVerifyFinal failed (res=%d): %s",
5217 			   res, ERR_error_string(ERR_get_error(), NULL));
5218 		ret = DPP_STATUS_INVALID_CONNECTOR;
5219 		goto fail;
5220 	}
5221 
5222 	ret = DPP_STATUS_OK;
5223 fail:
5224 	EC_KEY_free(eckey);
5225 	EVP_MD_CTX_destroy(md_ctx);
5226 	os_free(prot_hdr);
5227 	wpabuf_free(kid);
5228 	os_free(signature);
5229 	ECDSA_SIG_free(sig);
5230 	BN_free(r);
5231 	BN_free(s);
5232 	OPENSSL_free(der);
5233 	return ret;
5234 }
5235 
5236 
5237 static int dpp_parse_cred_dpp(struct dpp_authentication *auth,
5238 			      struct json_token *cred)
5239 {
5240 	struct dpp_signed_connector_info info;
5241 	struct json_token *token, *csign;
5242 	int ret = -1;
5243 	EVP_PKEY *csign_pub = NULL;
5244 	const struct dpp_curve_params *key_curve = NULL;
5245 	const char *signed_connector;
5246 
5247 	os_memset(&info, 0, sizeof(info));
5248 
5249 	wpa_printf(MSG_DEBUG, "DPP: Connector credential");
5250 
5251 	csign = json_get_member(cred, "csign");
5252 	if (!csign || csign->type != JSON_OBJECT) {
5253 		wpa_printf(MSG_DEBUG, "DPP: No csign JWK in JSON");
5254 		goto fail;
5255 	}
5256 
5257 	csign_pub = dpp_parse_jwk(csign, &key_curve);
5258 	if (!csign_pub) {
5259 		wpa_printf(MSG_DEBUG, "DPP: Failed to parse csign JWK");
5260 		goto fail;
5261 	}
5262 	dpp_debug_print_key("DPP: Received C-sign-key", csign_pub);
5263 
5264 	token = json_get_member(cred, "signedConnector");
5265 	if (!token || token->type != JSON_STRING) {
5266 		wpa_printf(MSG_DEBUG, "DPP: No signedConnector string found");
5267 		goto fail;
5268 	}
5269 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: signedConnector",
5270 			  token->string, os_strlen(token->string));
5271 	signed_connector = token->string;
5272 
5273 	if (os_strchr(signed_connector, '"') ||
5274 	    os_strchr(signed_connector, '\n')) {
5275 		wpa_printf(MSG_DEBUG,
5276 			   "DPP: Unexpected character in signedConnector");
5277 		goto fail;
5278 	}
5279 
5280 	if (dpp_process_signed_connector(&info, csign_pub,
5281 					 signed_connector) != DPP_STATUS_OK)
5282 		goto fail;
5283 
5284 	if (dpp_parse_connector(auth, info.payload, info.payload_len) < 0) {
5285 		wpa_printf(MSG_DEBUG, "DPP: Failed to parse connector");
5286 		goto fail;
5287 	}
5288 
5289 	os_free(auth->connector);
5290 	auth->connector = os_strdup(signed_connector);
5291 
5292 	dpp_copy_csign(auth, csign_pub);
5293 	dpp_copy_netaccesskey(auth);
5294 
5295 	ret = 0;
5296 fail:
5297 	EVP_PKEY_free(csign_pub);
5298 	os_free(info.payload);
5299 	return ret;
5300 }
5301 
5302 
5303 const char * dpp_akm_str(enum dpp_akm akm)
5304 {
5305 	switch (akm) {
5306 	case DPP_AKM_DPP:
5307 		return "dpp";
5308 	case DPP_AKM_PSK:
5309 		return "psk";
5310 	case DPP_AKM_SAE:
5311 		return "sae";
5312 	case DPP_AKM_PSK_SAE:
5313 		return "psk+sae";
5314 	default:
5315 		return "??";
5316 	}
5317 }
5318 
5319 
5320 static enum dpp_akm dpp_akm_from_str(const char *akm)
5321 {
5322 	if (os_strcmp(akm, "psk") == 0)
5323 		return DPP_AKM_PSK;
5324 	if (os_strcmp(akm, "sae") == 0)
5325 		return DPP_AKM_SAE;
5326 	if (os_strcmp(akm, "psk+sae") == 0)
5327 		return DPP_AKM_PSK_SAE;
5328 	if (os_strcmp(akm, "dpp") == 0)
5329 		return DPP_AKM_DPP;
5330 	return DPP_AKM_UNKNOWN;
5331 }
5332 
5333 
5334 static int dpp_parse_conf_obj(struct dpp_authentication *auth,
5335 			      const u8 *conf_obj, u16 conf_obj_len)
5336 {
5337 	int ret = -1;
5338 	struct json_token *root, *token, *discovery, *cred;
5339 
5340 	root = json_parse((const char *) conf_obj, conf_obj_len);
5341 	if (!root)
5342 		return -1;
5343 	if (root->type != JSON_OBJECT) {
5344 		dpp_auth_fail(auth, "JSON root is not an object");
5345 		goto fail;
5346 	}
5347 
5348 	token = json_get_member(root, "wi-fi_tech");
5349 	if (!token || token->type != JSON_STRING) {
5350 		dpp_auth_fail(auth, "No wi-fi_tech string value found");
5351 		goto fail;
5352 	}
5353 	if (os_strcmp(token->string, "infra") != 0) {
5354 		wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech value: '%s'",
5355 			   token->string);
5356 		dpp_auth_fail(auth, "Unsupported wi-fi_tech value");
5357 		goto fail;
5358 	}
5359 
5360 	discovery = json_get_member(root, "discovery");
5361 	if (!discovery || discovery->type != JSON_OBJECT) {
5362 		dpp_auth_fail(auth, "No discovery object in JSON");
5363 		goto fail;
5364 	}
5365 
5366 	token = json_get_member(discovery, "ssid");
5367 	if (!token || token->type != JSON_STRING) {
5368 		dpp_auth_fail(auth, "No discovery::ssid string value found");
5369 		goto fail;
5370 	}
5371 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: discovery::ssid",
5372 			  token->string, os_strlen(token->string));
5373 	if (os_strlen(token->string) > SSID_MAX_LEN) {
5374 		dpp_auth_fail(auth, "Too long discovery::ssid string value");
5375 		goto fail;
5376 	}
5377 	auth->ssid_len = os_strlen(token->string);
5378 	os_memcpy(auth->ssid, token->string, auth->ssid_len);
5379 
5380 	cred = json_get_member(root, "cred");
5381 	if (!cred || cred->type != JSON_OBJECT) {
5382 		dpp_auth_fail(auth, "No cred object in JSON");
5383 		goto fail;
5384 	}
5385 
5386 	token = json_get_member(cred, "akm");
5387 	if (!token || token->type != JSON_STRING) {
5388 		dpp_auth_fail(auth, "No cred::akm string value found");
5389 		goto fail;
5390 	}
5391 	auth->akm = dpp_akm_from_str(token->string);
5392 
5393 	if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_SAE ||
5394 	    auth->akm == DPP_AKM_PSK_SAE) {
5395 		if (dpp_parse_cred_legacy(auth, cred) < 0)
5396 			goto fail;
5397 	} else if (auth->akm == DPP_AKM_DPP) {
5398 		if (dpp_parse_cred_dpp(auth, cred) < 0)
5399 			goto fail;
5400 	} else {
5401 		wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s",
5402 			   token->string);
5403 		dpp_auth_fail(auth, "Unsupported akm");
5404 		goto fail;
5405 	}
5406 
5407 	wpa_printf(MSG_DEBUG, "DPP: JSON parsing completed successfully");
5408 	ret = 0;
5409 fail:
5410 	json_free(root);
5411 	return ret;
5412 }
5413 
5414 
5415 int dpp_conf_resp_rx(struct dpp_authentication *auth,
5416 		     const struct wpabuf *resp)
5417 {
5418 	const u8 *wrapped_data, *e_nonce, *status, *conf_obj;
5419 	u16 wrapped_data_len, e_nonce_len, status_len, conf_obj_len;
5420 	const u8 *addr[1];
5421 	size_t len[1];
5422 	u8 *unwrapped = NULL;
5423 	size_t unwrapped_len = 0;
5424 	int ret = -1;
5425 
5426 	if (dpp_check_attrs(wpabuf_head(resp), wpabuf_len(resp)) < 0) {
5427 		dpp_auth_fail(auth, "Invalid attribute in config response");
5428 		return -1;
5429 	}
5430 
5431 	wrapped_data = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp),
5432 				    DPP_ATTR_WRAPPED_DATA,
5433 				    &wrapped_data_len);
5434 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
5435 		dpp_auth_fail(auth,
5436 			      "Missing or invalid required Wrapped Data attribute");
5437 		return -1;
5438 	}
5439 
5440 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
5441 		    wrapped_data, wrapped_data_len);
5442 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
5443 	unwrapped = os_malloc(unwrapped_len);
5444 	if (!unwrapped)
5445 		return -1;
5446 
5447 	addr[0] = wpabuf_head(resp);
5448 	len[0] = wrapped_data - 4 - (const u8 *) wpabuf_head(resp);
5449 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);
5450 
5451 	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
5452 			    wrapped_data, wrapped_data_len,
5453 			    1, addr, len, unwrapped) < 0) {
5454 		dpp_auth_fail(auth, "AES-SIV decryption failed");
5455 		goto fail;
5456 	}
5457 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
5458 		    unwrapped, unwrapped_len);
5459 
5460 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
5461 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
5462 		goto fail;
5463 	}
5464 
5465 	e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
5466 			       DPP_ATTR_ENROLLEE_NONCE,
5467 			       &e_nonce_len);
5468 	if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
5469 		dpp_auth_fail(auth,
5470 			      "Missing or invalid Enrollee Nonce attribute");
5471 		goto fail;
5472 	}
5473 	wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
5474 	if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
5475 		dpp_auth_fail(auth, "Enrollee Nonce mismatch");
5476 		goto fail;
5477 	}
5478 
5479 	status = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp),
5480 			      DPP_ATTR_STATUS, &status_len);
5481 	if (!status || status_len < 1) {
5482 		dpp_auth_fail(auth,
5483 			      "Missing or invalid required DPP Status attribute");
5484 		goto fail;
5485 	}
5486 	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
5487 	if (status[0] != DPP_STATUS_OK) {
5488 		dpp_auth_fail(auth, "Configurator rejected configuration");
5489 		goto fail;
5490 	}
5491 
5492 	conf_obj = dpp_get_attr(unwrapped, unwrapped_len,
5493 				DPP_ATTR_CONFIG_OBJ, &conf_obj_len);
5494 	if (!conf_obj) {
5495 		dpp_auth_fail(auth,
5496 			      "Missing required Configuration Object attribute");
5497 		goto fail;
5498 	}
5499 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
5500 			  conf_obj, conf_obj_len);
5501 	if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0)
5502 		goto fail;
5503 
5504 	ret = 0;
5505 
5506 fail:
5507 	os_free(unwrapped);
5508 	return ret;
5509 }
5510 
5511 
5512 void dpp_configurator_free(struct dpp_configurator *conf)
5513 {
5514 	if (!conf)
5515 		return;
5516 	EVP_PKEY_free(conf->csign);
5517 	os_free(conf->kid);
5518 	os_free(conf);
5519 }
5520 
5521 
5522 int dpp_configurator_get_key(const struct dpp_configurator *conf, char *buf,
5523 			     size_t buflen)
5524 {
5525 	EC_KEY *eckey;
5526 	int key_len, ret = -1;
5527 	unsigned char *key = NULL;
5528 
5529 	if (!conf->csign)
5530 		return -1;
5531 
5532 	eckey = EVP_PKEY_get1_EC_KEY(conf->csign);
5533 	if (!eckey)
5534 		return -1;
5535 
5536 	key_len = i2d_ECPrivateKey(eckey, &key);
5537 	if (key_len > 0)
5538 		ret = wpa_snprintf_hex(buf, buflen, key, key_len);
5539 
5540 	EC_KEY_free(eckey);
5541 	OPENSSL_free(key);
5542 	return ret;
5543 }
5544 
5545 
5546 struct dpp_configurator *
5547 dpp_keygen_configurator(const char *curve, const u8 *privkey,
5548 			size_t privkey_len)
5549 {
5550 	struct dpp_configurator *conf;
5551 	struct wpabuf *csign_pub = NULL;
5552 	u8 kid_hash[SHA256_MAC_LEN];
5553 	const u8 *addr[1];
5554 	size_t len[1];
5555 
5556 	conf = os_zalloc(sizeof(*conf));
5557 	if (!conf)
5558 		return NULL;
5559 
5560 	if (!curve) {
5561 		conf->curve = &dpp_curves[0];
5562 	} else {
5563 		conf->curve = dpp_get_curve_name(curve);
5564 		if (!conf->curve) {
5565 			wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
5566 				   curve);
5567 			os_free(conf);
5568 			return NULL;
5569 		}
5570 	}
5571 	if (privkey)
5572 		conf->csign = dpp_set_keypair(&conf->curve, privkey,
5573 					      privkey_len);
5574 	else
5575 		conf->csign = dpp_gen_keypair(conf->curve);
5576 	if (!conf->csign)
5577 		goto fail;
5578 	conf->own = 1;
5579 
5580 	csign_pub = dpp_get_pubkey_point(conf->csign, 1);
5581 	if (!csign_pub) {
5582 		wpa_printf(MSG_INFO, "DPP: Failed to extract C-sign-key");
5583 		goto fail;
5584 	}
5585 
5586 	/* kid = SHA256(ANSI X9.63 uncompressed C-sign-key) */
5587 	addr[0] = wpabuf_head(csign_pub);
5588 	len[0] = wpabuf_len(csign_pub);
5589 	if (sha256_vector(1, addr, len, kid_hash) < 0) {
5590 		wpa_printf(MSG_DEBUG,
5591 			   "DPP: Failed to derive kid for C-sign-key");
5592 		goto fail;
5593 	}
5594 
5595 	conf->kid = (char *) base64_url_encode(kid_hash, sizeof(kid_hash),
5596 					       NULL, 0);
5597 	if (!conf->kid)
5598 		goto fail;
5599 out:
5600 	wpabuf_free(csign_pub);
5601 	return conf;
5602 fail:
5603 	dpp_configurator_free(conf);
5604 	conf = NULL;
5605 	goto out;
5606 }
5607 
5608 
5609 int dpp_configurator_own_config(struct dpp_authentication *auth,
5610 				const char *curve, int ap)
5611 {
5612 	struct wpabuf *conf_obj;
5613 	int ret = -1;
5614 
5615 	if (!auth->conf) {
5616 		wpa_printf(MSG_DEBUG, "DPP: No configurator specified");
5617 		return -1;
5618 	}
5619 
5620 	if (!curve) {
5621 		auth->curve = &dpp_curves[0];
5622 	} else {
5623 		auth->curve = dpp_get_curve_name(curve);
5624 		if (!auth->curve) {
5625 			wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
5626 				   curve);
5627 			return -1;
5628 		}
5629 	}
5630 	wpa_printf(MSG_DEBUG,
5631 		   "DPP: Building own configuration/connector with curve %s",
5632 		   auth->curve->name);
5633 
5634 	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
5635 	if (!auth->own_protocol_key)
5636 		return -1;
5637 	dpp_copy_netaccesskey(auth);
5638 	auth->peer_protocol_key = auth->own_protocol_key;
5639 	dpp_copy_csign(auth, auth->conf->csign);
5640 
5641 	conf_obj = dpp_build_conf_obj(auth, ap);
5642 	if (!conf_obj)
5643 		goto fail;
5644 	ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj),
5645 				 wpabuf_len(conf_obj));
5646 fail:
5647 	wpabuf_free(conf_obj);
5648 	auth->peer_protocol_key = NULL;
5649 	return ret;
5650 }
5651 
5652 
5653 static int dpp_compatible_netrole(const char *role1, const char *role2)
5654 {
5655 	return (os_strcmp(role1, "sta") == 0 && os_strcmp(role2, "ap") == 0) ||
5656 		(os_strcmp(role1, "ap") == 0 && os_strcmp(role2, "sta") == 0);
5657 }
5658 
5659 
5660 static int dpp_connector_compatible_group(struct json_token *root,
5661 					  const char *group_id,
5662 					  const char *net_role)
5663 {
5664 	struct json_token *groups, *token;
5665 
5666 	groups = json_get_member(root, "groups");
5667 	if (!groups || groups->type != JSON_ARRAY)
5668 		return 0;
5669 
5670 	for (token = groups->child; token; token = token->sibling) {
5671 		struct json_token *id, *role;
5672 
5673 		id = json_get_member(token, "groupId");
5674 		if (!id || id->type != JSON_STRING)
5675 			continue;
5676 
5677 		role = json_get_member(token, "netRole");
5678 		if (!role || role->type != JSON_STRING)
5679 			continue;
5680 
5681 		if (os_strcmp(id->string, "*") != 0 &&
5682 		    os_strcmp(group_id, "*") != 0 &&
5683 		    os_strcmp(id->string, group_id) != 0)
5684 			continue;
5685 
5686 		if (dpp_compatible_netrole(role->string, net_role))
5687 			return 1;
5688 	}
5689 
5690 	return 0;
5691 }
5692 
5693 
5694 static int dpp_connector_match_groups(struct json_token *own_root,
5695 				      struct json_token *peer_root)
5696 {
5697 	struct json_token *groups, *token;
5698 
5699 	groups = json_get_member(peer_root, "groups");
5700 	if (!groups || groups->type != JSON_ARRAY) {
5701 		wpa_printf(MSG_DEBUG, "DPP: No peer groups array found");
5702 		return 0;
5703 	}
5704 
5705 	for (token = groups->child; token; token = token->sibling) {
5706 		struct json_token *id, *role;
5707 
5708 		id = json_get_member(token, "groupId");
5709 		if (!id || id->type != JSON_STRING) {
5710 			wpa_printf(MSG_DEBUG,
5711 				   "DPP: Missing peer groupId string");
5712 			continue;
5713 		}
5714 
5715 		role = json_get_member(token, "netRole");
5716 		if (!role || role->type != JSON_STRING) {
5717 			wpa_printf(MSG_DEBUG,
5718 				   "DPP: Missing peer groups::netRole string");
5719 			continue;
5720 		}
5721 		wpa_printf(MSG_DEBUG,
5722 			   "DPP: peer connector group: groupId='%s' netRole='%s'",
5723 			   id->string, role->string);
5724 		if (dpp_connector_compatible_group(own_root, id->string,
5725 						   role->string)) {
5726 			wpa_printf(MSG_DEBUG,
5727 				   "DPP: Compatible group/netRole in own connector");
5728 			return 1;
5729 		}
5730 	}
5731 
5732 	return 0;
5733 }
5734 
5735 
5736 static int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk,
5737 			  unsigned int hash_len)
5738 {
5739 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
5740 	const char *info = "DPP PMK";
5741 	int res;
5742 
5743 	/* PMK = HKDF(<>, "DPP PMK", N.x) */
5744 
5745 	/* HKDF-Extract(<>, N.x) */
5746 	os_memset(salt, 0, hash_len);
5747 	if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0)
5748 		return -1;
5749 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
5750 			prk, hash_len);
5751 
5752 	/* HKDF-Expand(PRK, info, L) */
5753 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, pmk, hash_len);
5754 	os_memset(prk, 0, hash_len);
5755 	if (res < 0)
5756 		return -1;
5757 
5758 	wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)",
5759 			pmk, hash_len);
5760 	return 0;
5761 }
5762 
5763 
5764 static int dpp_derive_pmkid(const struct dpp_curve_params *curve,
5765 			    EVP_PKEY *own_key, EVP_PKEY *peer_key, u8 *pmkid)
5766 {
5767 	struct wpabuf *nkx, *pkx;
5768 	int ret = -1, res;
5769 	const u8 *addr[2];
5770 	size_t len[2];
5771 	u8 hash[SHA256_MAC_LEN];
5772 
5773 	/* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
5774 	nkx = dpp_get_pubkey_point(own_key, 0);
5775 	pkx = dpp_get_pubkey_point(peer_key, 0);
5776 	if (!nkx || !pkx)
5777 		goto fail;
5778 	addr[0] = wpabuf_head(nkx);
5779 	len[0] = wpabuf_len(nkx) / 2;
5780 	addr[1] = wpabuf_head(pkx);
5781 	len[1] = wpabuf_len(pkx) / 2;
5782 	if (len[0] != len[1])
5783 		goto fail;
5784 	if (os_memcmp(addr[0], addr[1], len[0]) > 0) {
5785 		addr[0] = wpabuf_head(pkx);
5786 		addr[1] = wpabuf_head(nkx);
5787 	}
5788 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]);
5789 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]);
5790 	res = sha256_vector(2, addr, len, hash);
5791 	if (res < 0)
5792 		goto fail;
5793 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN);
5794 	os_memcpy(pmkid, hash, PMKID_LEN);
5795 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN);
5796 	ret = 0;
5797 fail:
5798 	wpabuf_free(nkx);
5799 	wpabuf_free(pkx);
5800 	return ret;
5801 }
5802 
5803 
5804 enum dpp_status_error
5805 dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
5806 	       const u8 *net_access_key, size_t net_access_key_len,
5807 	       const u8 *csign_key, size_t csign_key_len,
5808 	       const u8 *peer_connector, size_t peer_connector_len,
5809 	       os_time_t *expiry)
5810 {
5811 	struct json_token *root = NULL, *netkey, *token;
5812 	struct json_token *own_root = NULL;
5813 	enum dpp_status_error ret = 255, res;
5814 	EVP_PKEY *own_key = NULL, *peer_key = NULL;
5815 	struct wpabuf *own_key_pub = NULL;
5816 	const struct dpp_curve_params *curve, *own_curve;
5817 	struct dpp_signed_connector_info info;
5818 	const unsigned char *p;
5819 	EVP_PKEY *csign = NULL;
5820 	char *signed_connector = NULL;
5821 	const char *pos, *end;
5822 	unsigned char *own_conn = NULL;
5823 	size_t own_conn_len;
5824 	EVP_PKEY_CTX *ctx = NULL;
5825 	size_t Nx_len;
5826 	u8 Nx[DPP_MAX_SHARED_SECRET_LEN];
5827 
5828 	os_memset(intro, 0, sizeof(*intro));
5829 	os_memset(&info, 0, sizeof(info));
5830 	if (expiry)
5831 		*expiry = 0;
5832 
5833 	p = csign_key;
5834 	csign = d2i_PUBKEY(NULL, &p, csign_key_len);
5835 	if (!csign) {
5836 		wpa_printf(MSG_ERROR,
5837 			   "DPP: Failed to parse local C-sign-key information");
5838 		goto fail;
5839 	}
5840 
5841 	own_key = dpp_set_keypair(&own_curve, net_access_key,
5842 				  net_access_key_len);
5843 	if (!own_key) {
5844 		wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
5845 		goto fail;
5846 	}
5847 
5848 	pos = os_strchr(own_connector, '.');
5849 	if (!pos) {
5850 		wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the first dot (.)");
5851 		goto fail;
5852 	}
5853 	pos++;
5854 	end = os_strchr(pos, '.');
5855 	if (!end) {
5856 		wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the second dot (.)");
5857 		goto fail;
5858 	}
5859 	own_conn = base64_url_decode((const unsigned char *) pos,
5860 				     end - pos, &own_conn_len);
5861 	if (!own_conn) {
5862 		wpa_printf(MSG_DEBUG,
5863 			   "DPP: Failed to base64url decode own signedConnector JWS Payload");
5864 		goto fail;
5865 	}
5866 
5867 	own_root = json_parse((const char *) own_conn, own_conn_len);
5868 	if (!own_root) {
5869 		wpa_printf(MSG_DEBUG, "DPP: Failed to parse local connector");
5870 		goto fail;
5871 	}
5872 
5873 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector",
5874 			  peer_connector, peer_connector_len);
5875 	signed_connector = os_malloc(peer_connector_len + 1);
5876 	if (!signed_connector)
5877 		goto fail;
5878 	os_memcpy(signed_connector, peer_connector, peer_connector_len);
5879 	signed_connector[peer_connector_len] = '\0';
5880 
5881 	res = dpp_process_signed_connector(&info, csign, signed_connector);
5882 	if (res != DPP_STATUS_OK) {
5883 		ret = res;
5884 		goto fail;
5885 	}
5886 
5887 	root = json_parse((const char *) info.payload, info.payload_len);
5888 	if (!root) {
5889 		wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
5890 		ret = DPP_STATUS_INVALID_CONNECTOR;
5891 		goto fail;
5892 	}
5893 
5894 	if (!dpp_connector_match_groups(own_root, root)) {
5895 		wpa_printf(MSG_DEBUG,
5896 			   "DPP: Peer connector does not include compatible group netrole with own connector");
5897 		ret = DPP_STATUS_NO_MATCH;
5898 		goto fail;
5899 	}
5900 
5901 	token = json_get_member(root, "expiry");
5902 	if (!token || token->type != JSON_STRING) {
5903 		wpa_printf(MSG_DEBUG,
5904 			   "DPP: No expiry string found - connector does not expire");
5905 	} else {
5906 		wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
5907 		if (dpp_key_expired(token->string, expiry)) {
5908 			wpa_printf(MSG_DEBUG,
5909 				   "DPP: Connector (netAccessKey) has expired");
5910 			ret = DPP_STATUS_INVALID_CONNECTOR;
5911 			goto fail;
5912 		}
5913 	}
5914 
5915 	netkey = json_get_member(root, "netAccessKey");
5916 	if (!netkey || netkey->type != JSON_OBJECT) {
5917 		wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
5918 		ret = DPP_STATUS_INVALID_CONNECTOR;
5919 		goto fail;
5920 	}
5921 
5922 	peer_key = dpp_parse_jwk(netkey, &curve);
5923 	if (!peer_key) {
5924 		ret = DPP_STATUS_INVALID_CONNECTOR;
5925 		goto fail;
5926 	}
5927 	dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
5928 
5929 	if (own_curve != curve) {
5930 		wpa_printf(MSG_DEBUG,
5931 			   "DPP: Mismatching netAccessKey curves (%s != %s)",
5932 			   own_curve->name, curve->name);
5933 		ret = DPP_STATUS_INVALID_CONNECTOR;
5934 		goto fail;
5935 	}
5936 
5937 	/* ECDH: N = nk * PK */
5938 	ctx = EVP_PKEY_CTX_new(own_key, NULL);
5939 	if (!ctx ||
5940 	    EVP_PKEY_derive_init(ctx) != 1 ||
5941 	    EVP_PKEY_derive_set_peer(ctx, peer_key) != 1 ||
5942 	    EVP_PKEY_derive(ctx, NULL, &Nx_len) != 1 ||
5943 	    Nx_len > DPP_MAX_SHARED_SECRET_LEN ||
5944 	    EVP_PKEY_derive(ctx, Nx, &Nx_len) != 1) {
5945 		wpa_printf(MSG_ERROR,
5946 			   "DPP: Failed to derive ECDH shared secret: %s",
5947 			   ERR_error_string(ERR_get_error(), NULL));
5948 		goto fail;
5949 	}
5950 
5951 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
5952 			Nx, Nx_len);
5953 
5954 	/* PMK = HKDF(<>, "DPP PMK", N.x) */
5955 	if (dpp_derive_pmk(Nx, Nx_len, intro->pmk, curve->hash_len) < 0) {
5956 		wpa_printf(MSG_ERROR, "DPP: Failed to derive PMK");
5957 		goto fail;
5958 	}
5959 	intro->pmk_len = curve->hash_len;
5960 
5961 	/* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
5962 	if (dpp_derive_pmkid(curve, own_key, peer_key, intro->pmkid) < 0) {
5963 		wpa_printf(MSG_ERROR, "DPP: Failed to derive PMKID");
5964 		goto fail;
5965 	}
5966 
5967 	ret = DPP_STATUS_OK;
5968 fail:
5969 	if (ret != DPP_STATUS_OK)
5970 		os_memset(intro, 0, sizeof(*intro));
5971 	os_memset(Nx, 0, sizeof(Nx));
5972 	EVP_PKEY_CTX_free(ctx);
5973 	os_free(own_conn);
5974 	os_free(signed_connector);
5975 	os_free(info.payload);
5976 	EVP_PKEY_free(own_key);
5977 	wpabuf_free(own_key_pub);
5978 	EVP_PKEY_free(peer_key);
5979 	EVP_PKEY_free(csign);
5980 	json_free(root);
5981 	json_free(own_root);
5982 	return ret;
5983 }
5984 
5985 
5986 static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
5987 					 int init)
5988 {
5989 	EC_GROUP *group;
5990 	size_t len = curve->prime_len;
5991 	const u8 *x, *y;
5992 
5993 	switch (curve->ike_group) {
5994 	case 19:
5995 		x = init ? pkex_init_x_p256 : pkex_resp_x_p256;
5996 		y = init ? pkex_init_y_p256 : pkex_resp_y_p256;
5997 		break;
5998 	case 20:
5999 		x = init ? pkex_init_x_p384 : pkex_resp_x_p384;
6000 		y = init ? pkex_init_y_p384 : pkex_resp_y_p384;
6001 		break;
6002 	case 21:
6003 		x = init ? pkex_init_x_p521 : pkex_resp_x_p521;
6004 		y = init ? pkex_init_y_p521 : pkex_resp_y_p521;
6005 		break;
6006 	case 28:
6007 		x = init ? pkex_init_x_bp_p256r1 : pkex_resp_x_bp_p256r1;
6008 		y = init ? pkex_init_y_bp_p256r1 : pkex_resp_y_bp_p256r1;
6009 		break;
6010 	case 29:
6011 		x = init ? pkex_init_x_bp_p384r1 : pkex_resp_x_bp_p384r1;
6012 		y = init ? pkex_init_y_bp_p384r1 : pkex_resp_y_bp_p384r1;
6013 		break;
6014 	case 30:
6015 		x = init ? pkex_init_x_bp_p512r1 : pkex_resp_x_bp_p512r1;
6016 		y = init ? pkex_init_y_bp_p512r1 : pkex_resp_y_bp_p512r1;
6017 		break;
6018 	default:
6019 		return NULL;
6020 	}
6021 
6022 	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
6023 	if (!group)
6024 		return NULL;
6025 	return dpp_set_pubkey_point_group(group, x, y, len);
6026 }
6027 
6028 
6029 static EC_POINT * dpp_pkex_derive_Qi(const struct dpp_curve_params *curve,
6030 				     const u8 *mac_init, const char *code,
6031 				     const char *identifier, BN_CTX *bnctx,
6032 				     const EC_GROUP **ret_group)
6033 {
6034 	u8 hash[DPP_MAX_HASH_LEN];
6035 	const u8 *addr[3];
6036 	size_t len[3];
6037 	unsigned int num_elem = 0;
6038 	EC_POINT *Qi = NULL;
6039 	EVP_PKEY *Pi = NULL;
6040 	EC_KEY *Pi_ec = NULL;
6041 	const EC_POINT *Pi_point;
6042 	BIGNUM *hash_bn = NULL;
6043 	const EC_GROUP *group = NULL;
6044 	EC_GROUP *group2 = NULL;
6045 
6046 	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
6047 
6048 	wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR, MAC2STR(mac_init));
6049 	addr[num_elem] = mac_init;
6050 	len[num_elem] = ETH_ALEN;
6051 	num_elem++;
6052 	if (identifier) {
6053 		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
6054 			   identifier);
6055 		addr[num_elem] = (const u8 *) identifier;
6056 		len[num_elem] = os_strlen(identifier);
6057 		num_elem++;
6058 	}
6059 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
6060 	addr[num_elem] = (const u8 *) code;
6061 	len[num_elem] = os_strlen(code);
6062 	num_elem++;
6063 	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
6064 		goto fail;
6065 	wpa_hexdump_key(MSG_DEBUG,
6066 			"DPP: H(MAC-Initiator | [identifier |] code)",
6067 			hash, curve->hash_len);
6068 	Pi = dpp_pkex_get_role_elem(curve, 1);
6069 	if (!Pi)
6070 		goto fail;
6071 	dpp_debug_print_key("DPP: Pi", Pi);
6072 	Pi_ec = EVP_PKEY_get1_EC_KEY(Pi);
6073 	if (!Pi_ec)
6074 		goto fail;
6075 	Pi_point = EC_KEY_get0_public_key(Pi_ec);
6076 
6077 	group = EC_KEY_get0_group(Pi_ec);
6078 	if (!group)
6079 		goto fail;
6080 	group2 = EC_GROUP_dup(group);
6081 	if (!group2)
6082 		goto fail;
6083 	Qi = EC_POINT_new(group2);
6084 	if (!Qi) {
6085 		EC_GROUP_free(group2);
6086 		goto fail;
6087 	}
6088 	hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
6089 	if (!hash_bn ||
6090 	    EC_POINT_mul(group2, Qi, NULL, Pi_point, hash_bn, bnctx) != 1)
6091 		goto fail;
6092 	if (EC_POINT_is_at_infinity(group, Qi)) {
6093 		wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity");
6094 		goto fail;
6095 	}
6096 	dpp_debug_print_point("DPP: Qi", group, Qi);
6097 out:
6098 	EC_KEY_free(Pi_ec);
6099 	EVP_PKEY_free(Pi);
6100 	BN_clear_free(hash_bn);
6101 	if (ret_group)
6102 		*ret_group = group2;
6103 	return Qi;
6104 fail:
6105 	EC_POINT_free(Qi);
6106 	Qi = NULL;
6107 	goto out;
6108 }
6109 
6110 
6111 static EC_POINT * dpp_pkex_derive_Qr(const struct dpp_curve_params *curve,
6112 				     const u8 *mac_resp, const char *code,
6113 				     const char *identifier, BN_CTX *bnctx,
6114 				     const EC_GROUP **ret_group)
6115 {
6116 	u8 hash[DPP_MAX_HASH_LEN];
6117 	const u8 *addr[3];
6118 	size_t len[3];
6119 	unsigned int num_elem = 0;
6120 	EC_POINT *Qr = NULL;
6121 	EVP_PKEY *Pr = NULL;
6122 	EC_KEY *Pr_ec = NULL;
6123 	const EC_POINT *Pr_point;
6124 	BIGNUM *hash_bn = NULL;
6125 	const EC_GROUP *group = NULL;
6126 	EC_GROUP *group2 = NULL;
6127 
6128 	/* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */
6129 
6130 	wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR, MAC2STR(mac_resp));
6131 	addr[num_elem] = mac_resp;
6132 	len[num_elem] = ETH_ALEN;
6133 	num_elem++;
6134 	if (identifier) {
6135 		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
6136 			   identifier);
6137 		addr[num_elem] = (const u8 *) identifier;
6138 		len[num_elem] = os_strlen(identifier);
6139 		num_elem++;
6140 	}
6141 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
6142 	addr[num_elem] = (const u8 *) code;
6143 	len[num_elem] = os_strlen(code);
6144 	num_elem++;
6145 	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
6146 		goto fail;
6147 	wpa_hexdump_key(MSG_DEBUG,
6148 			"DPP: H(MAC-Responder | [identifier |] code)",
6149 			hash, curve->hash_len);
6150 	Pr = dpp_pkex_get_role_elem(curve, 0);
6151 	if (!Pr)
6152 		goto fail;
6153 	dpp_debug_print_key("DPP: Pr", Pr);
6154 	Pr_ec = EVP_PKEY_get1_EC_KEY(Pr);
6155 	if (!Pr_ec)
6156 		goto fail;
6157 	Pr_point = EC_KEY_get0_public_key(Pr_ec);
6158 
6159 	group = EC_KEY_get0_group(Pr_ec);
6160 	if (!group)
6161 		goto fail;
6162 	group2 = EC_GROUP_dup(group);
6163 	if (!group2)
6164 		goto fail;
6165 	Qr = EC_POINT_new(group2);
6166 	if (!Qr) {
6167 		EC_GROUP_free(group2);
6168 		goto fail;
6169 	}
6170 	hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
6171 	if (!hash_bn ||
6172 	    EC_POINT_mul(group2, Qr, NULL, Pr_point, hash_bn, bnctx) != 1)
6173 		goto fail;
6174 	if (EC_POINT_is_at_infinity(group, Qr)) {
6175 		wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity");
6176 		goto fail;
6177 	}
6178 	dpp_debug_print_point("DPP: Qr", group, Qr);
6179 out:
6180 	EC_KEY_free(Pr_ec);
6181 	EVP_PKEY_free(Pr);
6182 	BN_clear_free(hash_bn);
6183 	if (ret_group)
6184 		*ret_group = group2;
6185 	return Qr;
6186 fail:
6187 	EC_POINT_free(Qr);
6188 	Qr = NULL;
6189 	goto out;
6190 }
6191 
6192 
6193 #ifdef CONFIG_TESTING_OPTIONS
6194 static int dpp_test_gen_invalid_key(struct wpabuf *msg,
6195 				    const struct dpp_curve_params *curve)
6196 {
6197 	BN_CTX *ctx;
6198 	BIGNUM *x, *y;
6199 	int ret = -1;
6200 	EC_GROUP *group;
6201 	EC_POINT *point;
6202 
6203 	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
6204 	if (!group)
6205 		return -1;
6206 
6207 	ctx = BN_CTX_new();
6208 	point = EC_POINT_new(group);
6209 	x = BN_new();
6210 	y = BN_new();
6211 	if (!ctx || !point || !x || !y)
6212 		goto fail;
6213 
6214 	if (BN_rand(x, curve->prime_len * 8, 0, 0) != 1)
6215 		goto fail;
6216 
6217 	/* Generate a random y coordinate that results in a point that is not
6218 	 * on the curve. */
6219 	for (;;) {
6220 		if (BN_rand(y, curve->prime_len * 8, 0, 0) != 1)
6221 			goto fail;
6222 
6223 		if (EC_POINT_set_affine_coordinates_GFp(group, point, x, y,
6224 							ctx) != 1) {
6225 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
6226 		/* Unlike older OpenSSL versions, OpenSSL 1.1.1 and BoringSSL
6227 		 * return an error from EC_POINT_set_affine_coordinates_GFp()
6228 		 * when the point is not on the curve. */
6229 			break;
6230 #else /* >=1.1.0 or OPENSSL_IS_BORINGSSL */
6231 			goto fail;
6232 #endif /* >= 1.1.0 or OPENSSL_IS_BORINGSSL */
6233 		}
6234 
6235 		if (!EC_POINT_is_on_curve(group, point, ctx))
6236 			break;
6237 	}
6238 
6239 	if (dpp_bn2bin_pad(x, wpabuf_put(msg, curve->prime_len),
6240 			   curve->prime_len) < 0 ||
6241 	    dpp_bn2bin_pad(y, wpabuf_put(msg, curve->prime_len),
6242 			   curve->prime_len) < 0)
6243 		goto fail;
6244 
6245 	ret = 0;
6246 fail:
6247 	if (ret < 0)
6248 		wpa_printf(MSG_INFO, "DPP: Failed to generate invalid key");
6249 	BN_free(x);
6250 	BN_free(y);
6251 	EC_POINT_free(point);
6252 	BN_CTX_free(ctx);
6253 
6254 	return ret;
6255 }
6256 #endif /* CONFIG_TESTING_OPTIONS */
6257 
6258 
6259 static struct wpabuf * dpp_pkex_build_exchange_req(struct dpp_pkex *pkex)
6260 {
6261 	EC_KEY *X_ec = NULL;
6262 	const EC_POINT *X_point;
6263 	BN_CTX *bnctx = NULL;
6264 	const EC_GROUP *group;
6265 	EC_POINT *Qi = NULL, *M = NULL;
6266 	struct wpabuf *M_buf = NULL;
6267 	BIGNUM *Mx = NULL, *My = NULL;
6268 	struct wpabuf *msg = NULL;
6269 	size_t attr_len;
6270 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
6271 
6272 	wpa_printf(MSG_DEBUG, "DPP: Build PKEX Exchange Request");
6273 
6274 	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
6275 	bnctx = BN_CTX_new();
6276 	if (!bnctx)
6277 		goto fail;
6278 	Qi = dpp_pkex_derive_Qi(curve, pkex->own_mac, pkex->code,
6279 				pkex->identifier, bnctx, &group);
6280 	if (!Qi)
6281 		goto fail;
6282 
6283 	/* Generate a random ephemeral keypair x/X */
6284 #ifdef CONFIG_TESTING_OPTIONS
6285 	if (dpp_pkex_ephemeral_key_override_len) {
6286 		const struct dpp_curve_params *tmp_curve;
6287 
6288 		wpa_printf(MSG_INFO,
6289 			   "DPP: TESTING - override ephemeral key x/X");
6290 		pkex->x = dpp_set_keypair(&tmp_curve,
6291 					  dpp_pkex_ephemeral_key_override,
6292 					  dpp_pkex_ephemeral_key_override_len);
6293 	} else {
6294 		pkex->x = dpp_gen_keypair(curve);
6295 	}
6296 #else /* CONFIG_TESTING_OPTIONS */
6297 	pkex->x = dpp_gen_keypair(curve);
6298 #endif /* CONFIG_TESTING_OPTIONS */
6299 	if (!pkex->x)
6300 		goto fail;
6301 
6302 	/* M = X + Qi */
6303 	X_ec = EVP_PKEY_get1_EC_KEY(pkex->x);
6304 	if (!X_ec)
6305 		goto fail;
6306 	X_point = EC_KEY_get0_public_key(X_ec);
6307 	if (!X_point)
6308 		goto fail;
6309 	dpp_debug_print_point("DPP: X", group, X_point);
6310 	M = EC_POINT_new(group);
6311 	Mx = BN_new();
6312 	My = BN_new();
6313 	if (!M || !Mx || !My ||
6314 	    EC_POINT_add(group, M, X_point, Qi, bnctx) != 1 ||
6315 	    EC_POINT_get_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1)
6316 		goto fail;
6317 	dpp_debug_print_point("DPP: M", group, M);
6318 
6319 	/* Initiator -> Responder: group, [identifier,] M */
6320 	attr_len = 4 + 2;
6321 	if (pkex->identifier)
6322 		attr_len += 4 + os_strlen(pkex->identifier);
6323 	attr_len += 4 + 2 * curve->prime_len;
6324 	msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_REQ, attr_len);
6325 	if (!msg)
6326 		goto fail;
6327 
6328 #ifdef CONFIG_TESTING_OPTIONS
6329 	if (dpp_test == DPP_TEST_NO_FINITE_CYCLIC_GROUP_PKEX_EXCHANGE_REQ) {
6330 		wpa_printf(MSG_INFO, "DPP: TESTING - no Finite Cyclic Group");
6331 		goto skip_finite_cyclic_group;
6332 	}
6333 #endif /* CONFIG_TESTING_OPTIONS */
6334 
6335 	/* Finite Cyclic Group attribute */
6336 	wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
6337 	wpabuf_put_le16(msg, 2);
6338 	wpabuf_put_le16(msg, curve->ike_group);
6339 
6340 #ifdef CONFIG_TESTING_OPTIONS
6341 skip_finite_cyclic_group:
6342 #endif /* CONFIG_TESTING_OPTIONS */
6343 
6344 	/* Code Identifier attribute */
6345 	if (pkex->identifier) {
6346 		wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
6347 		wpabuf_put_le16(msg, os_strlen(pkex->identifier));
6348 		wpabuf_put_str(msg, pkex->identifier);
6349 	}
6350 
6351 #ifdef CONFIG_TESTING_OPTIONS
6352 	if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
6353 		wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
6354 		goto out;
6355 	}
6356 #endif /* CONFIG_TESTING_OPTIONS */
6357 
6358 	/* M in Encrypted Key attribute */
6359 	wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
6360 	wpabuf_put_le16(msg, 2 * curve->prime_len);
6361 
6362 #ifdef CONFIG_TESTING_OPTIONS
6363 	if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
6364 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
6365 		if (dpp_test_gen_invalid_key(msg, curve) < 0)
6366 			goto fail;
6367 		goto out;
6368 	}
6369 #endif /* CONFIG_TESTING_OPTIONS */
6370 
6371 	if (dpp_bn2bin_pad(Mx, wpabuf_put(msg, curve->prime_len),
6372 			   curve->prime_len) < 0 ||
6373 	    dpp_bn2bin_pad(Mx, pkex->Mx, curve->prime_len) < 0 ||
6374 	    dpp_bn2bin_pad(My, wpabuf_put(msg, curve->prime_len),
6375 			   curve->prime_len) < 0)
6376 		goto fail;
6377 
6378 out:
6379 	wpabuf_free(M_buf);
6380 	EC_KEY_free(X_ec);
6381 	EC_POINT_free(M);
6382 	EC_POINT_free(Qi);
6383 	BN_clear_free(Mx);
6384 	BN_clear_free(My);
6385 	BN_CTX_free(bnctx);
6386 	return msg;
6387 fail:
6388 	wpa_printf(MSG_INFO, "DPP: Failed to build PKEX Exchange Request");
6389 	wpabuf_free(msg);
6390 	msg = NULL;
6391 	goto out;
6392 }
6393 
6394 
6395 static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
6396 {
6397 	wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
6398 }
6399 
6400 
6401 struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
6402 				const u8 *own_mac,
6403 				const char *identifier,
6404 				const char *code)
6405 {
6406 	struct dpp_pkex *pkex;
6407 
6408 #ifdef CONFIG_TESTING_OPTIONS
6409 	if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
6410 		wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
6411 			   MAC2STR(dpp_pkex_own_mac_override));
6412 		own_mac = dpp_pkex_own_mac_override;
6413 	}
6414 #endif /* CONFIG_TESTING_OPTIONS */
6415 
6416 	pkex = os_zalloc(sizeof(*pkex));
6417 	if (!pkex)
6418 		return NULL;
6419 	pkex->msg_ctx = msg_ctx;
6420 	pkex->initiator = 1;
6421 	pkex->own_bi = bi;
6422 	os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
6423 	if (identifier) {
6424 		pkex->identifier = os_strdup(identifier);
6425 		if (!pkex->identifier)
6426 			goto fail;
6427 	}
6428 	pkex->code = os_strdup(code);
6429 	if (!pkex->code)
6430 		goto fail;
6431 	pkex->exchange_req = dpp_pkex_build_exchange_req(pkex);
6432 	if (!pkex->exchange_req)
6433 		goto fail;
6434 	return pkex;
6435 fail:
6436 	dpp_pkex_free(pkex);
6437 	return NULL;
6438 }
6439 
6440 
6441 static struct wpabuf *
6442 dpp_pkex_build_exchange_resp(struct dpp_pkex *pkex,
6443 			     enum dpp_status_error status,
6444 			     const BIGNUM *Nx, const BIGNUM *Ny)
6445 {
6446 	struct wpabuf *msg = NULL;
6447 	size_t attr_len;
6448 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
6449 
6450 	/* Initiator -> Responder: DPP Status, [identifier,] N */
6451 	attr_len = 4 + 1;
6452 	if (pkex->identifier)
6453 		attr_len += 4 + os_strlen(pkex->identifier);
6454 	attr_len += 4 + 2 * curve->prime_len;
6455 	msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_RESP, attr_len);
6456 	if (!msg)
6457 		goto fail;
6458 
6459 #ifdef CONFIG_TESTING_OPTIONS
6460 	if (dpp_test == DPP_TEST_NO_STATUS_PKEX_EXCHANGE_RESP) {
6461 		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
6462 		goto skip_status;
6463 	}
6464 
6465 	if (dpp_test == DPP_TEST_INVALID_STATUS_PKEX_EXCHANGE_RESP) {
6466 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
6467 		status = 255;
6468 	}
6469 #endif /* CONFIG_TESTING_OPTIONS */
6470 
6471 	/* DPP Status */
6472 	dpp_build_attr_status(msg, status);
6473 
6474 #ifdef CONFIG_TESTING_OPTIONS
6475 skip_status:
6476 #endif /* CONFIG_TESTING_OPTIONS */
6477 
6478 	/* Code Identifier attribute */
6479 	if (pkex->identifier) {
6480 		wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
6481 		wpabuf_put_le16(msg, os_strlen(pkex->identifier));
6482 		wpabuf_put_str(msg, pkex->identifier);
6483 	}
6484 
6485 	if (status != DPP_STATUS_OK)
6486 		goto skip_encrypted_key;
6487 
6488 #ifdef CONFIG_TESTING_OPTIONS
6489 	if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
6490 		wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
6491 		goto skip_encrypted_key;
6492 	}
6493 #endif /* CONFIG_TESTING_OPTIONS */
6494 
6495 	/* N in Encrypted Key attribute */
6496 	wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
6497 	wpabuf_put_le16(msg, 2 * curve->prime_len);
6498 
6499 #ifdef CONFIG_TESTING_OPTIONS
6500 	if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
6501 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
6502 		if (dpp_test_gen_invalid_key(msg, curve) < 0)
6503 			goto fail;
6504 		goto skip_encrypted_key;
6505 	}
6506 #endif /* CONFIG_TESTING_OPTIONS */
6507 
6508 	if (dpp_bn2bin_pad(Nx, wpabuf_put(msg, curve->prime_len),
6509 			   curve->prime_len) < 0 ||
6510 	    dpp_bn2bin_pad(Nx, pkex->Nx, curve->prime_len) < 0 ||
6511 	    dpp_bn2bin_pad(Ny, wpabuf_put(msg, curve->prime_len),
6512 			   curve->prime_len) < 0)
6513 		goto fail;
6514 
6515 skip_encrypted_key:
6516 	if (status == DPP_STATUS_BAD_GROUP) {
6517 		/* Finite Cyclic Group attribute */
6518 		wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
6519 		wpabuf_put_le16(msg, 2);
6520 		wpabuf_put_le16(msg, curve->ike_group);
6521 	}
6522 
6523 	return msg;
6524 fail:
6525 	wpabuf_free(msg);
6526 	return NULL;
6527 }
6528 
6529 
6530 static int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp,
6531 			     const u8 *Mx, size_t Mx_len,
6532 			     const u8 *Nx, size_t Nx_len,
6533 			     const char *code,
6534 			     const u8 *Kx, size_t Kx_len,
6535 			     u8 *z, unsigned int hash_len)
6536 {
6537 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
6538 	int res;
6539 	u8 *info, *pos;
6540 	size_t info_len;
6541 
6542 	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
6543 	 */
6544 
6545 	/* HKDF-Extract(<>, IKM=K.x) */
6546 	os_memset(salt, 0, hash_len);
6547 	if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0)
6548 		return -1;
6549 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
6550 			prk, hash_len);
6551 	info_len = 2 * ETH_ALEN + Mx_len + Nx_len + os_strlen(code);
6552 	info = os_malloc(info_len);
6553 	if (!info)
6554 		return -1;
6555 	pos = info;
6556 	os_memcpy(pos, mac_init, ETH_ALEN);
6557 	pos += ETH_ALEN;
6558 	os_memcpy(pos, mac_resp, ETH_ALEN);
6559 	pos += ETH_ALEN;
6560 	os_memcpy(pos, Mx, Mx_len);
6561 	pos += Mx_len;
6562 	os_memcpy(pos, Nx, Nx_len);
6563 	pos += Nx_len;
6564 	os_memcpy(pos, code, os_strlen(code));
6565 
6566 	/* HKDF-Expand(PRK, info, L) */
6567 	if (hash_len == 32)
6568 		res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len,
6569 				      z, hash_len);
6570 	else if (hash_len == 48)
6571 		res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len,
6572 				      z, hash_len);
6573 	else if (hash_len == 64)
6574 		res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len,
6575 				      z, hash_len);
6576 	else
6577 		res = -1;
6578 	os_free(info);
6579 	os_memset(prk, 0, hash_len);
6580 	if (res < 0)
6581 		return -1;
6582 
6583 	wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)",
6584 			z, hash_len);
6585 	return 0;
6586 }
6587 
6588 
6589 static int dpp_pkex_identifier_match(const u8 *attr_id, u16 attr_id_len,
6590 				     const char *identifier)
6591 {
6592 	if (!attr_id && identifier) {
6593 		wpa_printf(MSG_DEBUG,
6594 			   "DPP: No PKEX code identifier received, but expected one");
6595 		return 0;
6596 	}
6597 
6598 	if (attr_id && !identifier) {
6599 		wpa_printf(MSG_DEBUG,
6600 			   "DPP: PKEX code identifier received, but not expecting one");
6601 		return 0;
6602 	}
6603 
6604 	if (attr_id && identifier &&
6605 	    (os_strlen(identifier) != attr_id_len ||
6606 	     os_memcmp(identifier, attr_id, attr_id_len) != 0)) {
6607 		wpa_printf(MSG_DEBUG, "DPP: PKEX code identifier mismatch");
6608 		return 0;
6609 	}
6610 
6611 	return 1;
6612 }
6613 
6614 
6615 struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
6616 					   struct dpp_bootstrap_info *bi,
6617 					   const u8 *own_mac,
6618 					   const u8 *peer_mac,
6619 					   const char *identifier,
6620 					   const char *code,
6621 					   const u8 *buf, size_t len)
6622 {
6623 	const u8 *attr_group, *attr_id, *attr_key;
6624 	u16 attr_group_len, attr_id_len, attr_key_len;
6625 	const struct dpp_curve_params *curve = bi->curve;
6626 	u16 ike_group;
6627 	struct dpp_pkex *pkex = NULL;
6628 	EC_POINT *Qi = NULL, *Qr = NULL, *M = NULL, *X = NULL, *N = NULL;
6629 	BN_CTX *bnctx = NULL;
6630 	const EC_GROUP *group;
6631 	BIGNUM *Mx = NULL, *My = NULL;
6632 	EC_KEY *Y_ec = NULL, *X_ec = NULL;;
6633 	const EC_POINT *Y_point;
6634 	BIGNUM *Nx = NULL, *Ny = NULL;
6635 	u8 Kx[DPP_MAX_SHARED_SECRET_LEN];
6636 	size_t Kx_len;
6637 	int res;
6638 	EVP_PKEY_CTX *ctx = NULL;
6639 
6640 	if (bi->pkex_t >= PKEX_COUNTER_T_LIMIT) {
6641 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
6642 			"PKEX counter t limit reached - ignore message");
6643 		return NULL;
6644 	}
6645 
6646 #ifdef CONFIG_TESTING_OPTIONS
6647 	if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
6648 		wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
6649 			   MAC2STR(dpp_pkex_peer_mac_override));
6650 		peer_mac = dpp_pkex_peer_mac_override;
6651 	}
6652 	if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
6653 		wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
6654 			   MAC2STR(dpp_pkex_own_mac_override));
6655 		own_mac = dpp_pkex_own_mac_override;
6656 	}
6657 #endif /* CONFIG_TESTING_OPTIONS */
6658 
6659 	attr_id_len = 0;
6660 	attr_id = dpp_get_attr(buf, len, DPP_ATTR_CODE_IDENTIFIER,
6661 			       &attr_id_len);
6662 	if (!dpp_pkex_identifier_match(attr_id, attr_id_len, identifier))
6663 		return NULL;
6664 
6665 	attr_group = dpp_get_attr(buf, len, DPP_ATTR_FINITE_CYCLIC_GROUP,
6666 				  &attr_group_len);
6667 	if (!attr_group || attr_group_len != 2) {
6668 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
6669 			"Missing or invalid Finite Cyclic Group attribute");
6670 		return NULL;
6671 	}
6672 	ike_group = WPA_GET_LE16(attr_group);
6673 	if (ike_group != curve->ike_group) {
6674 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
6675 			"Mismatching PKEX curve: peer=%u own=%u",
6676 			ike_group, curve->ike_group);
6677 		pkex = os_zalloc(sizeof(*pkex));
6678 		if (!pkex)
6679 			goto fail;
6680 		pkex->own_bi = bi;
6681 		pkex->failed = 1;
6682 		pkex->exchange_resp = dpp_pkex_build_exchange_resp(
6683 			pkex, DPP_STATUS_BAD_GROUP, NULL, NULL);
6684 		if (!pkex->exchange_resp)
6685 			goto fail;
6686 		return pkex;
6687 	}
6688 
6689 	/* M in Encrypted Key attribute */
6690 	attr_key = dpp_get_attr(buf, len, DPP_ATTR_ENCRYPTED_KEY,
6691 				&attr_key_len);
6692 	if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2 ||
6693 	    attr_key_len / 2 > DPP_MAX_SHARED_SECRET_LEN) {
6694 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
6695 			"Missing Encrypted Key attribute");
6696 		return NULL;
6697 	}
6698 
6699 	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
6700 	bnctx = BN_CTX_new();
6701 	if (!bnctx)
6702 		goto fail;
6703 	Qi = dpp_pkex_derive_Qi(curve, peer_mac, code, identifier, bnctx,
6704 				&group);
6705 	if (!Qi)
6706 		goto fail;
6707 
6708 	/* X' = M - Qi */
6709 	X = EC_POINT_new(group);
6710 	M = EC_POINT_new(group);
6711 	Mx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
6712 	My = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
6713 	if (!X || !M || !Mx || !My ||
6714 	    EC_POINT_set_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1 ||
6715 	    EC_POINT_is_at_infinity(group, M) ||
6716 	    !EC_POINT_is_on_curve(group, M, bnctx) ||
6717 	    EC_POINT_invert(group, Qi, bnctx) != 1 ||
6718 	    EC_POINT_add(group, X, M, Qi, bnctx) != 1 ||
6719 	    EC_POINT_is_at_infinity(group, X) ||
6720 	    !EC_POINT_is_on_curve(group, X, bnctx)) {
6721 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
6722 			"Invalid Encrypted Key value");
6723 		bi->pkex_t++;
6724 		goto fail;
6725 	}
6726 	dpp_debug_print_point("DPP: M", group, M);
6727 	dpp_debug_print_point("DPP: X'", group, X);
6728 
6729 	pkex = os_zalloc(sizeof(*pkex));
6730 	if (!pkex)
6731 		goto fail;
6732 	pkex->t = bi->pkex_t;
6733 	pkex->msg_ctx = msg_ctx;
6734 	pkex->own_bi = bi;
6735 	os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
6736 	os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
6737 	if (identifier) {
6738 		pkex->identifier = os_strdup(identifier);
6739 		if (!pkex->identifier)
6740 			goto fail;
6741 	}
6742 	pkex->code = os_strdup(code);
6743 	if (!pkex->code)
6744 		goto fail;
6745 
6746 	os_memcpy(pkex->Mx, attr_key, attr_key_len / 2);
6747 
6748 	X_ec = EC_KEY_new();
6749 	if (!X_ec ||
6750 	    EC_KEY_set_group(X_ec, group) != 1 ||
6751 	    EC_KEY_set_public_key(X_ec, X) != 1)
6752 		goto fail;
6753 	pkex->x = EVP_PKEY_new();
6754 	if (!pkex->x ||
6755 	    EVP_PKEY_set1_EC_KEY(pkex->x, X_ec) != 1)
6756 		goto fail;
6757 
6758 	/* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */
6759 	Qr = dpp_pkex_derive_Qr(curve, own_mac, code, identifier, bnctx, NULL);
6760 	if (!Qr)
6761 		goto fail;
6762 
6763 	/* Generate a random ephemeral keypair y/Y */
6764 #ifdef CONFIG_TESTING_OPTIONS
6765 	if (dpp_pkex_ephemeral_key_override_len) {
6766 		const struct dpp_curve_params *tmp_curve;
6767 
6768 		wpa_printf(MSG_INFO,
6769 			   "DPP: TESTING - override ephemeral key y/Y");
6770 		pkex->y = dpp_set_keypair(&tmp_curve,
6771 					  dpp_pkex_ephemeral_key_override,
6772 					  dpp_pkex_ephemeral_key_override_len);
6773 	} else {
6774 		pkex->y = dpp_gen_keypair(curve);
6775 	}
6776 #else /* CONFIG_TESTING_OPTIONS */
6777 	pkex->y = dpp_gen_keypair(curve);
6778 #endif /* CONFIG_TESTING_OPTIONS */
6779 	if (!pkex->y)
6780 		goto fail;
6781 
6782 	/* N = Y + Qr */
6783 	Y_ec = EVP_PKEY_get1_EC_KEY(pkex->y);
6784 	if (!Y_ec)
6785 		goto fail;
6786 	Y_point = EC_KEY_get0_public_key(Y_ec);
6787 	if (!Y_point)
6788 		goto fail;
6789 	dpp_debug_print_point("DPP: Y", group, Y_point);
6790 	N = EC_POINT_new(group);
6791 	Nx = BN_new();
6792 	Ny = BN_new();
6793 	if (!N || !Nx || !Ny ||
6794 	    EC_POINT_add(group, N, Y_point, Qr, bnctx) != 1 ||
6795 	    EC_POINT_get_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1)
6796 		goto fail;
6797 	dpp_debug_print_point("DPP: N", group, N);
6798 
6799 	pkex->exchange_resp = dpp_pkex_build_exchange_resp(pkex, DPP_STATUS_OK,
6800 							   Nx, Ny);
6801 	if (!pkex->exchange_resp)
6802 		goto fail;
6803 
6804 	/* K = y * X' */
6805 	ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
6806 	if (!ctx ||
6807 	    EVP_PKEY_derive_init(ctx) != 1 ||
6808 	    EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
6809 	    EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
6810 	    Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
6811 	    EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
6812 		wpa_printf(MSG_ERROR,
6813 			   "DPP: Failed to derive ECDH shared secret: %s",
6814 			   ERR_error_string(ERR_get_error(), NULL));
6815 		goto fail;
6816 	}
6817 
6818 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
6819 			Kx, Kx_len);
6820 
6821 	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
6822 	 */
6823 	res = dpp_pkex_derive_z(pkex->peer_mac, pkex->own_mac,
6824 				pkex->Mx, curve->prime_len,
6825 				pkex->Nx, curve->prime_len, pkex->code,
6826 				Kx, Kx_len, pkex->z, curve->hash_len);
6827 	os_memset(Kx, 0, Kx_len);
6828 	if (res < 0)
6829 		goto fail;
6830 
6831 	pkex->exchange_done = 1;
6832 
6833 out:
6834 	EVP_PKEY_CTX_free(ctx);
6835 	BN_CTX_free(bnctx);
6836 	EC_POINT_free(Qi);
6837 	EC_POINT_free(Qr);
6838 	BN_free(Mx);
6839 	BN_free(My);
6840 	BN_free(Nx);
6841 	BN_free(Ny);
6842 	EC_POINT_free(M);
6843 	EC_POINT_free(N);
6844 	EC_POINT_free(X);
6845 	EC_KEY_free(X_ec);
6846 	EC_KEY_free(Y_ec);
6847 	return pkex;
6848 fail:
6849 	wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request processing failed");
6850 	dpp_pkex_free(pkex);
6851 	pkex = NULL;
6852 	goto out;
6853 }
6854 
6855 
6856 static struct wpabuf *
6857 dpp_pkex_build_commit_reveal_req(struct dpp_pkex *pkex,
6858 				 const struct wpabuf *A_pub, const u8 *u)
6859 {
6860 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
6861 	struct wpabuf *msg = NULL;
6862 	size_t clear_len, attr_len;
6863 	struct wpabuf *clear = NULL;
6864 	u8 *wrapped;
6865 	u8 octet;
6866 	const u8 *addr[2];
6867 	size_t len[2];
6868 
6869 	/* {A, u, [bootstrapping info]}z */
6870 	clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
6871 	clear = wpabuf_alloc(clear_len);
6872 	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
6873 #ifdef CONFIG_TESTING_OPTIONS
6874 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ)
6875 		attr_len += 5;
6876 #endif /* CONFIG_TESTING_OPTIONS */
6877 	msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_REQ, attr_len);
6878 	if (!clear || !msg)
6879 		goto fail;
6880 
6881 #ifdef CONFIG_TESTING_OPTIONS
6882 	if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_REQ) {
6883 		wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
6884 		goto skip_bootstrap_key;
6885 	}
6886 	if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_REQ) {
6887 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
6888 		wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
6889 		wpabuf_put_le16(clear, 2 * curve->prime_len);
6890 		if (dpp_test_gen_invalid_key(clear, curve) < 0)
6891 			goto fail;
6892 		goto skip_bootstrap_key;
6893 	}
6894 #endif /* CONFIG_TESTING_OPTIONS */
6895 
6896 	/* A in Bootstrap Key attribute */
6897 	wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
6898 	wpabuf_put_le16(clear, wpabuf_len(A_pub));
6899 	wpabuf_put_buf(clear, A_pub);
6900 
6901 #ifdef CONFIG_TESTING_OPTIONS
6902 skip_bootstrap_key:
6903 	if (dpp_test == DPP_TEST_NO_I_AUTH_TAG_PKEX_CR_REQ) {
6904 		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Auth tag");
6905 		goto skip_i_auth_tag;
6906 	}
6907 	if (dpp_test == DPP_TEST_I_AUTH_TAG_MISMATCH_PKEX_CR_REQ) {
6908 		wpa_printf(MSG_INFO, "DPP: TESTING - I-Auth tag mismatch");
6909 		wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
6910 		wpabuf_put_le16(clear, curve->hash_len);
6911 		wpabuf_put_data(clear, u, curve->hash_len - 1);
6912 		wpabuf_put_u8(clear, u[curve->hash_len - 1] ^ 0x01);
6913 		goto skip_i_auth_tag;
6914 	}
6915 #endif /* CONFIG_TESTING_OPTIONS */
6916 
6917 	/* u in I-Auth tag attribute */
6918 	wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
6919 	wpabuf_put_le16(clear, curve->hash_len);
6920 	wpabuf_put_data(clear, u, curve->hash_len);
6921 
6922 #ifdef CONFIG_TESTING_OPTIONS
6923 skip_i_auth_tag:
6924 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_REQ) {
6925 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
6926 		goto skip_wrapped_data;
6927 	}
6928 #endif /* CONFIG_TESTING_OPTIONS */
6929 
6930 	addr[0] = wpabuf_head_u8(msg) + 2;
6931 	len[0] = DPP_HDR_LEN;
6932 	octet = 0;
6933 	addr[1] = &octet;
6934 	len[1] = sizeof(octet);
6935 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
6936 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
6937 
6938 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
6939 	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
6940 	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
6941 
6942 	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
6943 	if (aes_siv_encrypt(pkex->z, curve->hash_len,
6944 			    wpabuf_head(clear), wpabuf_len(clear),
6945 			    2, addr, len, wrapped) < 0)
6946 		goto fail;
6947 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
6948 		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
6949 
6950 #ifdef CONFIG_TESTING_OPTIONS
6951 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ) {
6952 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
6953 		dpp_build_attr_status(msg, DPP_STATUS_OK);
6954 	}
6955 skip_wrapped_data:
6956 #endif /* CONFIG_TESTING_OPTIONS */
6957 
6958 out:
6959 	wpabuf_free(clear);
6960 	return msg;
6961 
6962 fail:
6963 	wpabuf_free(msg);
6964 	msg = NULL;
6965 	goto out;
6966 }
6967 
6968 
6969 struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
6970 					  const u8 *peer_mac,
6971 					  const u8 *buf, size_t buflen)
6972 {
6973 	const u8 *attr_status, *attr_id, *attr_key, *attr_group;
6974 	u16 attr_status_len, attr_id_len, attr_key_len, attr_group_len;
6975 	const EC_GROUP *group;
6976 	BN_CTX *bnctx = NULL;
6977 	struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
6978 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
6979 	EC_POINT *Qr = NULL, *Y = NULL, *N = NULL;
6980 	BIGNUM *Nx = NULL, *Ny = NULL;
6981 	EVP_PKEY_CTX *ctx = NULL;
6982 	EC_KEY *Y_ec = NULL;
6983 	size_t Jx_len, Kx_len;
6984 	u8 Jx[DPP_MAX_SHARED_SECRET_LEN], Kx[DPP_MAX_SHARED_SECRET_LEN];
6985 	const u8 *addr[4];
6986 	size_t len[4];
6987 	u8 u[DPP_MAX_HASH_LEN];
6988 	int res;
6989 
6990 	if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
6991 		return NULL;
6992 
6993 #ifdef CONFIG_TESTING_OPTIONS
6994 	if (dpp_test == DPP_TEST_STOP_AT_PKEX_EXCHANGE_RESP) {
6995 		wpa_printf(MSG_INFO,
6996 			   "DPP: TESTING - stop at PKEX Exchange Response");
6997 		pkex->failed = 1;
6998 		return NULL;
6999 	}
7000 
7001 	if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
7002 		wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
7003 			   MAC2STR(dpp_pkex_peer_mac_override));
7004 		peer_mac = dpp_pkex_peer_mac_override;
7005 	}
7006 #endif /* CONFIG_TESTING_OPTIONS */
7007 
7008 	os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
7009 
7010 	attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
7011 				   &attr_status_len);
7012 	if (!attr_status || attr_status_len != 1) {
7013 		dpp_pkex_fail(pkex, "No DPP Status attribute");
7014 		return NULL;
7015 	}
7016 	wpa_printf(MSG_DEBUG, "DPP: Status %u", attr_status[0]);
7017 
7018 	if (attr_status[0] == DPP_STATUS_BAD_GROUP) {
7019 		attr_group = dpp_get_attr(buf, buflen,
7020 					  DPP_ATTR_FINITE_CYCLIC_GROUP,
7021 					  &attr_group_len);
7022 		if (attr_group && attr_group_len == 2) {
7023 			wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7024 				"Peer indicated mismatching PKEX group - proposed %u",
7025 				WPA_GET_LE16(attr_group));
7026 			return NULL;
7027 		}
7028 	}
7029 
7030 	if (attr_status[0] != DPP_STATUS_OK) {
7031 		dpp_pkex_fail(pkex, "PKEX failed (peer indicated failure)");
7032 		return NULL;
7033 	}
7034 
7035 	attr_id_len = 0;
7036 	attr_id = dpp_get_attr(buf, buflen, DPP_ATTR_CODE_IDENTIFIER,
7037 			       &attr_id_len);
7038 	if (!dpp_pkex_identifier_match(attr_id, attr_id_len,
7039 				       pkex->identifier)) {
7040 		dpp_pkex_fail(pkex, "PKEX code identifier mismatch");
7041 		return NULL;
7042 	}
7043 
7044 	/* N in Encrypted Key attribute */
7045 	attr_key = dpp_get_attr(buf, buflen, DPP_ATTR_ENCRYPTED_KEY,
7046 				&attr_key_len);
7047 	if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2) {
7048 		dpp_pkex_fail(pkex, "Missing Encrypted Key attribute");
7049 		return NULL;
7050 	}
7051 
7052 	/* Qr = H(MAC-Responder | [identifier |] code) * Pr */
7053 	bnctx = BN_CTX_new();
7054 	if (!bnctx)
7055 		goto fail;
7056 	Qr = dpp_pkex_derive_Qr(curve, pkex->peer_mac, pkex->code,
7057 				pkex->identifier, bnctx, &group);
7058 	if (!Qr)
7059 		goto fail;
7060 
7061 	/* Y' = N - Qr */
7062 	Y = EC_POINT_new(group);
7063 	N = EC_POINT_new(group);
7064 	Nx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
7065 	Ny = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
7066 	if (!Y || !N || !Nx || !Ny ||
7067 	    EC_POINT_set_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1 ||
7068 	    EC_POINT_is_at_infinity(group, N) ||
7069 	    !EC_POINT_is_on_curve(group, N, bnctx) ||
7070 	    EC_POINT_invert(group, Qr, bnctx) != 1 ||
7071 	    EC_POINT_add(group, Y, N, Qr, bnctx) != 1 ||
7072 	    EC_POINT_is_at_infinity(group, Y) ||
7073 	    !EC_POINT_is_on_curve(group, Y, bnctx)) {
7074 		dpp_pkex_fail(pkex, "Invalid Encrypted Key value");
7075 		pkex->t++;
7076 		goto fail;
7077 	}
7078 	dpp_debug_print_point("DPP: N", group, N);
7079 	dpp_debug_print_point("DPP: Y'", group, Y);
7080 
7081 	pkex->exchange_done = 1;
7082 
7083 	/* ECDH: J = a * Y’ */
7084 	Y_ec = EC_KEY_new();
7085 	if (!Y_ec ||
7086 	    EC_KEY_set_group(Y_ec, group) != 1 ||
7087 	    EC_KEY_set_public_key(Y_ec, Y) != 1)
7088 		goto fail;
7089 	pkex->y = EVP_PKEY_new();
7090 	if (!pkex->y ||
7091 	    EVP_PKEY_set1_EC_KEY(pkex->y, Y_ec) != 1)
7092 		goto fail;
7093 	ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
7094 	if (!ctx ||
7095 	    EVP_PKEY_derive_init(ctx) != 1 ||
7096 	    EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
7097 	    EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
7098 	    Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
7099 	    EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
7100 		wpa_printf(MSG_ERROR,
7101 			   "DPP: Failed to derive ECDH shared secret: %s",
7102 			   ERR_error_string(ERR_get_error(), NULL));
7103 		goto fail;
7104 	}
7105 
7106 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
7107 			Jx, Jx_len);
7108 
7109 	/* u = HMAC(J.x,  MAC-Initiator | A.x | Y’.x | X.x ) */
7110 	A_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
7111 	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7112 	X_pub = dpp_get_pubkey_point(pkex->x, 0);
7113 	if (!A_pub || !Y_pub || !X_pub)
7114 		goto fail;
7115 	addr[0] = pkex->own_mac;
7116 	len[0] = ETH_ALEN;
7117 	addr[1] = wpabuf_head(A_pub);
7118 	len[1] = wpabuf_len(A_pub) / 2;
7119 	addr[2] = wpabuf_head(Y_pub);
7120 	len[2] = wpabuf_len(Y_pub) / 2;
7121 	addr[3] = wpabuf_head(X_pub);
7122 	len[3] = wpabuf_len(X_pub) / 2;
7123 	if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
7124 		goto fail;
7125 	wpa_hexdump(MSG_DEBUG, "DPP: u", u, curve->hash_len);
7126 
7127 	/* K = x * Y’ */
7128 	EVP_PKEY_CTX_free(ctx);
7129 	ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
7130 	if (!ctx ||
7131 	    EVP_PKEY_derive_init(ctx) != 1 ||
7132 	    EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
7133 	    EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
7134 	    Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
7135 	    EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
7136 		wpa_printf(MSG_ERROR,
7137 			   "DPP: Failed to derive ECDH shared secret: %s",
7138 			   ERR_error_string(ERR_get_error(), NULL));
7139 		goto fail;
7140 	}
7141 
7142 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
7143 			Kx, Kx_len);
7144 
7145 	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
7146 	 */
7147 	res = dpp_pkex_derive_z(pkex->own_mac, pkex->peer_mac,
7148 				pkex->Mx, curve->prime_len,
7149 				attr_key /* N.x */, attr_key_len / 2,
7150 				pkex->code, Kx, Kx_len,
7151 				pkex->z, curve->hash_len);
7152 	os_memset(Kx, 0, Kx_len);
7153 	if (res < 0)
7154 		goto fail;
7155 
7156 	msg = dpp_pkex_build_commit_reveal_req(pkex, A_pub, u);
7157 	if (!msg)
7158 		goto fail;
7159 
7160 out:
7161 	wpabuf_free(A_pub);
7162 	wpabuf_free(X_pub);
7163 	wpabuf_free(Y_pub);
7164 	EC_POINT_free(Qr);
7165 	EC_POINT_free(Y);
7166 	EC_POINT_free(N);
7167 	BN_free(Nx);
7168 	BN_free(Ny);
7169 	EC_KEY_free(Y_ec);
7170 	EVP_PKEY_CTX_free(ctx);
7171 	BN_CTX_free(bnctx);
7172 	return msg;
7173 fail:
7174 	wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response processing failed");
7175 	goto out;
7176 }
7177 
7178 
7179 static struct wpabuf *
7180 dpp_pkex_build_commit_reveal_resp(struct dpp_pkex *pkex,
7181 				  const struct wpabuf *B_pub, const u8 *v)
7182 {
7183 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
7184 	struct wpabuf *msg = NULL;
7185 	const u8 *addr[2];
7186 	size_t len[2];
7187 	u8 octet;
7188 	u8 *wrapped;
7189 	struct wpabuf *clear = NULL;
7190 	size_t clear_len, attr_len;
7191 
7192 	/* {B, v [bootstrapping info]}z */
7193 	clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
7194 	clear = wpabuf_alloc(clear_len);
7195 	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
7196 #ifdef CONFIG_TESTING_OPTIONS
7197 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP)
7198 		attr_len += 5;
7199 #endif /* CONFIG_TESTING_OPTIONS */
7200 	msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_RESP, attr_len);
7201 	if (!clear || !msg)
7202 		goto fail;
7203 
7204 #ifdef CONFIG_TESTING_OPTIONS
7205 	if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_RESP) {
7206 		wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
7207 		goto skip_bootstrap_key;
7208 	}
7209 	if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_RESP) {
7210 		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
7211 		wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7212 		wpabuf_put_le16(clear, 2 * curve->prime_len);
7213 		if (dpp_test_gen_invalid_key(clear, curve) < 0)
7214 			goto fail;
7215 		goto skip_bootstrap_key;
7216 	}
7217 #endif /* CONFIG_TESTING_OPTIONS */
7218 
7219 	/* B in Bootstrap Key attribute */
7220 	wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7221 	wpabuf_put_le16(clear, wpabuf_len(B_pub));
7222 	wpabuf_put_buf(clear, B_pub);
7223 
7224 #ifdef CONFIG_TESTING_OPTIONS
7225 skip_bootstrap_key:
7226 	if (dpp_test == DPP_TEST_NO_R_AUTH_TAG_PKEX_CR_RESP) {
7227 		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth tag");
7228 		goto skip_r_auth_tag;
7229 	}
7230 	if (dpp_test == DPP_TEST_R_AUTH_TAG_MISMATCH_PKEX_CR_RESP) {
7231 		wpa_printf(MSG_INFO, "DPP: TESTING - R-Auth tag mismatch");
7232 		wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
7233 		wpabuf_put_le16(clear, curve->hash_len);
7234 		wpabuf_put_data(clear, v, curve->hash_len - 1);
7235 		wpabuf_put_u8(clear, v[curve->hash_len - 1] ^ 0x01);
7236 		goto skip_r_auth_tag;
7237 	}
7238 #endif /* CONFIG_TESTING_OPTIONS */
7239 
7240 	/* v in R-Auth tag attribute */
7241 	wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
7242 	wpabuf_put_le16(clear, curve->hash_len);
7243 	wpabuf_put_data(clear, v, curve->hash_len);
7244 
7245 #ifdef CONFIG_TESTING_OPTIONS
7246 skip_r_auth_tag:
7247 	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_RESP) {
7248 		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
7249 		goto skip_wrapped_data;
7250 	}
7251 #endif /* CONFIG_TESTING_OPTIONS */
7252 
7253 	addr[0] = wpabuf_head_u8(msg) + 2;
7254 	len[0] = DPP_HDR_LEN;
7255 	octet = 1;
7256 	addr[1] = &octet;
7257 	len[1] = sizeof(octet);
7258 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7259 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7260 
7261 	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
7262 	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7263 	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7264 
7265 	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
7266 	if (aes_siv_encrypt(pkex->z, curve->hash_len,
7267 			    wpabuf_head(clear), wpabuf_len(clear),
7268 			    2, addr, len, wrapped) < 0)
7269 		goto fail;
7270 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7271 		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
7272 
7273 #ifdef CONFIG_TESTING_OPTIONS
7274 	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP) {
7275 		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
7276 		dpp_build_attr_status(msg, DPP_STATUS_OK);
7277 	}
7278 skip_wrapped_data:
7279 #endif /* CONFIG_TESTING_OPTIONS */
7280 
7281 out:
7282 	wpabuf_free(clear);
7283 	return msg;
7284 
7285 fail:
7286 	wpabuf_free(msg);
7287 	msg = NULL;
7288 	goto out;
7289 }
7290 
7291 
7292 struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
7293 					      const u8 *hdr,
7294 					      const u8 *buf, size_t buflen)
7295 {
7296 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
7297 	EVP_PKEY_CTX *ctx = NULL;
7298 	size_t Jx_len, Lx_len;
7299 	u8 Jx[DPP_MAX_SHARED_SECRET_LEN];
7300 	u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
7301 	const u8 *wrapped_data, *b_key, *peer_u;
7302 	u16 wrapped_data_len, b_key_len, peer_u_len = 0;
7303 	const u8 *addr[4];
7304 	size_t len[4];
7305 	u8 octet;
7306 	u8 *unwrapped = NULL;
7307 	size_t unwrapped_len = 0;
7308 	struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
7309 	struct wpabuf *B_pub = NULL;
7310 	u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
7311 
7312 #ifdef CONFIG_TESTING_OPTIONS
7313 	if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_REQ) {
7314 		wpa_printf(MSG_INFO,
7315 			   "DPP: TESTING - stop at PKEX CR Request");
7316 		pkex->failed = 1;
7317 		return NULL;
7318 	}
7319 #endif /* CONFIG_TESTING_OPTIONS */
7320 
7321 	if (!pkex->exchange_done || pkex->failed ||
7322 	    pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
7323 		goto fail;
7324 
7325 	wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
7326 				    &wrapped_data_len);
7327 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
7328 		dpp_pkex_fail(pkex,
7329 			      "Missing or invalid required Wrapped Data attribute");
7330 		goto fail;
7331 	}
7332 
7333 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7334 		    wrapped_data, wrapped_data_len);
7335 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
7336 	unwrapped = os_malloc(unwrapped_len);
7337 	if (!unwrapped)
7338 		goto fail;
7339 
7340 	addr[0] = hdr;
7341 	len[0] = DPP_HDR_LEN;
7342 	octet = 0;
7343 	addr[1] = &octet;
7344 	len[1] = sizeof(octet);
7345 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7346 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7347 
7348 	if (aes_siv_decrypt(pkex->z, curve->hash_len,
7349 			    wrapped_data, wrapped_data_len,
7350 			    2, addr, len, unwrapped) < 0) {
7351 		dpp_pkex_fail(pkex,
7352 			      "AES-SIV decryption failed - possible PKEX code mismatch");
7353 		pkex->failed = 1;
7354 		pkex->t++;
7355 		goto fail;
7356 	}
7357 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
7358 		    unwrapped, unwrapped_len);
7359 
7360 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
7361 		dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
7362 		goto fail;
7363 	}
7364 
7365 	b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
7366 			     &b_key_len);
7367 	if (!b_key || b_key_len != 2 * curve->prime_len) {
7368 		dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
7369 		goto fail;
7370 	}
7371 	pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
7372 							b_key_len);
7373 	if (!pkex->peer_bootstrap_key) {
7374 		dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
7375 		goto fail;
7376 	}
7377 	dpp_debug_print_key("DPP: Peer bootstrap public key",
7378 			    pkex->peer_bootstrap_key);
7379 
7380 	/* ECDH: J' = y * A' */
7381 	ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
7382 	if (!ctx ||
7383 	    EVP_PKEY_derive_init(ctx) != 1 ||
7384 	    EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
7385 	    EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
7386 	    Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
7387 	    EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
7388 		wpa_printf(MSG_ERROR,
7389 			   "DPP: Failed to derive ECDH shared secret: %s",
7390 			   ERR_error_string(ERR_get_error(), NULL));
7391 		goto fail;
7392 	}
7393 
7394 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
7395 			Jx, Jx_len);
7396 
7397 	/* u' = HMAC(J'.x, MAC-Initiator | A'.x | Y.x | X'.x) */
7398 	A_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
7399 	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7400 	X_pub = dpp_get_pubkey_point(pkex->x, 0);
7401 	if (!A_pub || !Y_pub || !X_pub)
7402 		goto fail;
7403 	addr[0] = pkex->peer_mac;
7404 	len[0] = ETH_ALEN;
7405 	addr[1] = wpabuf_head(A_pub);
7406 	len[1] = wpabuf_len(A_pub) / 2;
7407 	addr[2] = wpabuf_head(Y_pub);
7408 	len[2] = wpabuf_len(Y_pub) / 2;
7409 	addr[3] = wpabuf_head(X_pub);
7410 	len[3] = wpabuf_len(X_pub) / 2;
7411 	if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
7412 		goto fail;
7413 
7414 	peer_u = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
7415 			      &peer_u_len);
7416 	if (!peer_u || peer_u_len != curve->hash_len ||
7417 	    os_memcmp(peer_u, u, curve->hash_len) != 0) {
7418 		dpp_pkex_fail(pkex, "No valid u (I-Auth tag) found");
7419 		wpa_hexdump(MSG_DEBUG, "DPP: Calculated u'",
7420 			    u, curve->hash_len);
7421 		wpa_hexdump(MSG_DEBUG, "DPP: Received u", peer_u, peer_u_len);
7422 		pkex->t++;
7423 		goto fail;
7424 	}
7425 	wpa_printf(MSG_DEBUG, "DPP: Valid u (I-Auth tag) received");
7426 
7427 	/* ECDH: L = b * X' */
7428 	EVP_PKEY_CTX_free(ctx);
7429 	ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
7430 	if (!ctx ||
7431 	    EVP_PKEY_derive_init(ctx) != 1 ||
7432 	    EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
7433 	    EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
7434 	    Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
7435 	    EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
7436 		wpa_printf(MSG_ERROR,
7437 			   "DPP: Failed to derive ECDH shared secret: %s",
7438 			   ERR_error_string(ERR_get_error(), NULL));
7439 		goto fail;
7440 	}
7441 
7442 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
7443 			Lx, Lx_len);
7444 
7445 	/* v = HMAC(L.x, MAC-Responder | B.x | X'.x | Y.x) */
7446 	B_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
7447 	if (!B_pub)
7448 		goto fail;
7449 	addr[0] = pkex->own_mac;
7450 	len[0] = ETH_ALEN;
7451 	addr[1] = wpabuf_head(B_pub);
7452 	len[1] = wpabuf_len(B_pub) / 2;
7453 	addr[2] = wpabuf_head(X_pub);
7454 	len[2] = wpabuf_len(X_pub) / 2;
7455 	addr[3] = wpabuf_head(Y_pub);
7456 	len[3] = wpabuf_len(Y_pub) / 2;
7457 	if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
7458 		goto fail;
7459 	wpa_hexdump(MSG_DEBUG, "DPP: v", v, curve->hash_len);
7460 
7461 	msg = dpp_pkex_build_commit_reveal_resp(pkex, B_pub, v);
7462 	if (!msg)
7463 		goto fail;
7464 
7465 out:
7466 	EVP_PKEY_CTX_free(ctx);
7467 	os_free(unwrapped);
7468 	wpabuf_free(A_pub);
7469 	wpabuf_free(B_pub);
7470 	wpabuf_free(X_pub);
7471 	wpabuf_free(Y_pub);
7472 	return msg;
7473 fail:
7474 	wpa_printf(MSG_DEBUG,
7475 		   "DPP: PKEX Commit-Reveal Request processing failed");
7476 	goto out;
7477 }
7478 
7479 
7480 int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
7481 				   const u8 *buf, size_t buflen)
7482 {
7483 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
7484 	const u8 *wrapped_data, *b_key, *peer_v;
7485 	u16 wrapped_data_len, b_key_len, peer_v_len = 0;
7486 	const u8 *addr[4];
7487 	size_t len[4];
7488 	u8 octet;
7489 	u8 *unwrapped = NULL;
7490 	size_t unwrapped_len = 0;
7491 	int ret = -1;
7492 	u8 v[DPP_MAX_HASH_LEN];
7493 	size_t Lx_len;
7494 	u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
7495 	EVP_PKEY_CTX *ctx = NULL;
7496 	struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
7497 
7498 #ifdef CONFIG_TESTING_OPTIONS
7499 	if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_RESP) {
7500 		wpa_printf(MSG_INFO,
7501 			   "DPP: TESTING - stop at PKEX CR Response");
7502 		pkex->failed = 1;
7503 		goto fail;
7504 	}
7505 #endif /* CONFIG_TESTING_OPTIONS */
7506 
7507 	if (!pkex->exchange_done || pkex->failed ||
7508 	    pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
7509 		goto fail;
7510 
7511 	wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
7512 				    &wrapped_data_len);
7513 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
7514 		dpp_pkex_fail(pkex,
7515 			      "Missing or invalid required Wrapped Data attribute");
7516 		goto fail;
7517 	}
7518 
7519 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7520 		    wrapped_data, wrapped_data_len);
7521 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
7522 	unwrapped = os_malloc(unwrapped_len);
7523 	if (!unwrapped)
7524 		goto fail;
7525 
7526 	addr[0] = hdr;
7527 	len[0] = DPP_HDR_LEN;
7528 	octet = 1;
7529 	addr[1] = &octet;
7530 	len[1] = sizeof(octet);
7531 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7532 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7533 
7534 	if (aes_siv_decrypt(pkex->z, curve->hash_len,
7535 			    wrapped_data, wrapped_data_len,
7536 			    2, addr, len, unwrapped) < 0) {
7537 		dpp_pkex_fail(pkex,
7538 			      "AES-SIV decryption failed - possible PKEX code mismatch");
7539 		pkex->t++;
7540 		goto fail;
7541 	}
7542 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
7543 		    unwrapped, unwrapped_len);
7544 
7545 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
7546 		dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
7547 		goto fail;
7548 	}
7549 
7550 	b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
7551 			     &b_key_len);
7552 	if (!b_key || b_key_len != 2 * curve->prime_len) {
7553 		dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
7554 		goto fail;
7555 	}
7556 	pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
7557 							b_key_len);
7558 	if (!pkex->peer_bootstrap_key) {
7559 		dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
7560 		goto fail;
7561 	}
7562 	dpp_debug_print_key("DPP: Peer bootstrap public key",
7563 			    pkex->peer_bootstrap_key);
7564 
7565 	/* ECDH: L' = x * B' */
7566 	ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
7567 	if (!ctx ||
7568 	    EVP_PKEY_derive_init(ctx) != 1 ||
7569 	    EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
7570 	    EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
7571 	    Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
7572 	    EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
7573 		wpa_printf(MSG_ERROR,
7574 			   "DPP: Failed to derive ECDH shared secret: %s",
7575 			   ERR_error_string(ERR_get_error(), NULL));
7576 		goto fail;
7577 	}
7578 
7579 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
7580 			Lx, Lx_len);
7581 
7582 	/* v' = HMAC(L.x, MAC-Responder | B'.x | X.x | Y'.x) */
7583 	B_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
7584 	X_pub = dpp_get_pubkey_point(pkex->x, 0);
7585 	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7586 	if (!B_pub || !X_pub || !Y_pub)
7587 		goto fail;
7588 	addr[0] = pkex->peer_mac;
7589 	len[0] = ETH_ALEN;
7590 	addr[1] = wpabuf_head(B_pub);
7591 	len[1] = wpabuf_len(B_pub) / 2;
7592 	addr[2] = wpabuf_head(X_pub);
7593 	len[2] = wpabuf_len(X_pub) / 2;
7594 	addr[3] = wpabuf_head(Y_pub);
7595 	len[3] = wpabuf_len(Y_pub) / 2;
7596 	if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
7597 		goto fail;
7598 
7599 	peer_v = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_AUTH_TAG,
7600 			      &peer_v_len);
7601 	if (!peer_v || peer_v_len != curve->hash_len ||
7602 	    os_memcmp(peer_v, v, curve->hash_len) != 0) {
7603 		dpp_pkex_fail(pkex, "No valid v (R-Auth tag) found");
7604 		wpa_hexdump(MSG_DEBUG, "DPP: Calculated v'",
7605 			    v, curve->hash_len);
7606 		wpa_hexdump(MSG_DEBUG, "DPP: Received v", peer_v, peer_v_len);
7607 		pkex->t++;
7608 		goto fail;
7609 	}
7610 	wpa_printf(MSG_DEBUG, "DPP: Valid v (R-Auth tag) received");
7611 
7612 	ret = 0;
7613 out:
7614 	wpabuf_free(B_pub);
7615 	wpabuf_free(X_pub);
7616 	wpabuf_free(Y_pub);
7617 	EVP_PKEY_CTX_free(ctx);
7618 	os_free(unwrapped);
7619 	return ret;
7620 fail:
7621 	goto out;
7622 }
7623 
7624 
7625 void dpp_pkex_free(struct dpp_pkex *pkex)
7626 {
7627 	if (!pkex)
7628 		return;
7629 
7630 	os_free(pkex->identifier);
7631 	os_free(pkex->code);
7632 	EVP_PKEY_free(pkex->x);
7633 	EVP_PKEY_free(pkex->y);
7634 	EVP_PKEY_free(pkex->peer_bootstrap_key);
7635 	wpabuf_free(pkex->exchange_req);
7636 	wpabuf_free(pkex->exchange_resp);
7637 	os_free(pkex);
7638 }
7639 
7640 
7641 #ifdef CONFIG_TESTING_OPTIONS
7642 char * dpp_corrupt_connector_signature(const char *connector)
7643 {
7644 	char *tmp, *pos, *signed3 = NULL;
7645 	unsigned char *signature = NULL;
7646 	size_t signature_len = 0, signed3_len;
7647 
7648 	tmp = os_zalloc(os_strlen(connector) + 5);
7649 	if (!tmp)
7650 		goto fail;
7651 	os_memcpy(tmp, connector, os_strlen(connector));
7652 
7653 	pos = os_strchr(tmp, '.');
7654 	if (!pos)
7655 		goto fail;
7656 
7657 	pos = os_strchr(pos + 1, '.');
7658 	if (!pos)
7659 		goto fail;
7660 	pos++;
7661 
7662 	wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
7663 		   pos);
7664 	signature = base64_url_decode((const unsigned char *) pos,
7665 				      os_strlen(pos), &signature_len);
7666 	if (!signature || signature_len == 0)
7667 		goto fail;
7668 	wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
7669 		    signature, signature_len);
7670 	signature[signature_len - 1] ^= 0x01;
7671 	wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
7672 		    signature, signature_len);
7673 	signed3 = (char *) base64_url_encode(signature, signature_len,
7674 					     &signed3_len, 0);
7675 	if (!signed3)
7676 		goto fail;
7677 	os_memcpy(pos, signed3, signed3_len);
7678 	pos[signed3_len] = '\0';
7679 	wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
7680 		   pos);
7681 
7682 out:
7683 	os_free(signature);
7684 	os_free(signed3);
7685 	return tmp;
7686 fail:
7687 	os_free(tmp);
7688 	tmp = NULL;
7689 	goto out;
7690 }
7691 #endif /* CONFIG_TESTING_OPTIONS */
7692