1 /*
2  * DPP functionality shared between hostapd and wpa_supplicant
3  * Copyright (c) 2017, Qualcomm Atheros, Inc.
4  * Copyright (c) 2018-2019, The Linux Foundation
5  *
6  * This software may be distributed under the terms of the BSD license.
7  * See README for more details.
8  */
9 
#include "utils/includes.h"
#include <limits.h>
#include <openssl/opensslv.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>

#include "utils/common.h"
#include "utils/base64.h"
#include "utils/json.h"
#include "common/ieee802_11_common.h"
#include "common/ieee802_11_defs.h"
#include "common/wpa_ctrl.h"
#include "common/gas.h"
#include "crypto/crypto.h"
#include "crypto/random.h"
#include "crypto/aes.h"
#include "crypto/aes_siv.h"
#include "crypto/sha384.h"
#include "crypto/sha512.h"
#include "drivers/driver.h"
#include "dpp.h"
31 
32 
#ifdef CONFIG_TESTING_OPTIONS
/* Test-only hooks. They exist solely in builds with CONFIG_TESTING_OPTIONS
 * and let a test harness force protocol misbehavior and substitute fixed key
 * and nonce material for the values the protocol would otherwise derive.
 * None of this must be reachable in a production build. */
enum dpp_test_behavior dpp_test = DPP_TEST_DISABLED;
/* Forced own/peer MAC addresses for PKEX; presumably all-zero means "no
 * override" - confirm against the code that consumes them. */
u8 dpp_pkex_own_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
u8 dpp_pkex_peer_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
/* Replacement PKEX ephemeral key and DPP protocol key; each buffer is paired
 * with a length, and a zero length presumably disables the override. */
u8 dpp_pkex_ephemeral_key_override[600];
size_t dpp_pkex_ephemeral_key_override_len = 0;
u8 dpp_protocol_key_override[600];
size_t dpp_protocol_key_override_len = 0;
/* Replacement nonce, same length convention as above. */
u8 dpp_nonce_override[DPP_MAX_NONCE_LEN];
size_t dpp_nonce_override_len = 0;

/* Forward declaration: helper that deliberately emits an invalid key into
 * msg for negative testing (defined later in this file). */
static int dpp_test_gen_invalid_key(struct wpabuf *msg,
				    const struct dpp_curve_params *curve);
#endif /* CONFIG_TESTING_OPTIONS */
47 
48 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
49 	(defined(LIBRESSL_VERSION_NUMBER) && \
50 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
51 /* Compatibility wrappers for older versions. */
52 
/* Compatibility shim for OpenSSL < 1.1.0 / LibreSSL < 2.7.0, where the
 * ECDSA_SIG members are directly accessible. Mirrors the newer API: the
 * signature object stores r and s and the call always reports success. */
static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
{
	sig->r = r;
	sig->s = s;

	return 1;
}
59 
60 
/* Compatibility shim for OpenSSL < 1.1.0 / LibreSSL < 2.7.0: hand out the
 * r and s components of sig. Either output pointer may be NULL when the
 * caller is not interested in that component. */
static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
			   const BIGNUM **ps)
{
	if (pr != NULL)
		*pr = sig->r;
	if (ps != NULL)
		*ps = sig->s;
}
69 
70 #endif
71 
72 
/* Per-process DPP state shared by hostapd and wpa_supplicant: the lists of
 * known bootstrapping entries and of configurator instances. */
struct dpp_global {
	struct dl_list bootstrap; /* struct dpp_bootstrap_info */
	struct dl_list configurator; /* struct dpp_configurator */
};
77 
/* Supported elliptic curves. Per row: the OpenSSL curve name (looked up with
 * OBJ_txt2nid()/OBJ_txt2obj() elsewhere in this file), the hash output length
 * in octets (32/48/64 selects SHA-256/SHA-384/SHA-512 in dpp_hash_vector()),
 * further per-curve sizes, and what appear to be the JWK "crv" name, the IANA
 * IKE group number and the JWS "alg" name. Check the struct dpp_curve_params
 * definition for the exact field meaning before adding an entry. The table is
 * NULL-name terminated. */
static const struct dpp_curve_params dpp_curves[] = {
	/* The mandatory to support and the default NIST P-256 curve needs to
	 * be the first entry on this list. */
	{ "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
	{ "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
	{ "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
	{ "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
	{ "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
	{ "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
	{ NULL, 0, 0, 0, 0, NULL, 0, NULL }
};
89 
90 
/* Role-specific elements for PKEX
 *
 * Fixed, publicly specified affine (x, y) coordinates of one Initiator point
 * and one Responder point per supported curve, stored big-endian and sized to
 * the curve's prime length (66 octets for P-521). These are protocol
 * constants, not secrets: the PKEX design relies on nobody knowing the
 * discrete logarithm of these points with respect to the curve generator, so
 * they must not be replaced with locally generated points. */

/* NIST P-256 */
static const u8 pkex_init_x_p256[32] = {
	0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b,
	0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54,
	0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07,
	0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25
 };
static const u8 pkex_init_y_p256[32] = {
	0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b,
	0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc,
	0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45,
	0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4
 };
static const u8 pkex_resp_x_p256[32] = {
	0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39,
	0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f,
	0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f,
	0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76
};
static const u8 pkex_resp_y_p256[32] = {
	0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19,
	0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1,
	0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a,
	0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67
};

/* NIST P-384 */
static const u8 pkex_init_x_p384[48] = {
	0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa,
	0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68,
	0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53,
	0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac,
	0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12,
	0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3
};
static const u8 pkex_init_y_p384[48] = {
	0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29,
	0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56,
	0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7,
	0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6,
	0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94,
	0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18
};
static const u8 pkex_resp_x_p384[48] = {
	0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98,
	0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97,
	0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92,
	0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44,
	0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf,
	0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf
};
static const u8 pkex_resp_y_p384[48] = {
	0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c,
	0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c,
	0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3,
	0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1,
	0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63,
	0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06
};

/* NIST P-521 */
static const u8 pkex_init_x_p521[66] = {
	0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23,
	0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0,
	0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76,
	0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5,
	0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38,
	0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01,
	0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e,
	0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d,
	0x97, 0x76
};
static const u8 pkex_init_y_p521[66] = {
	0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59,
	0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99,
	0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b,
	0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd,
	0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f,
	0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf,
	0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02,
	0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d,
	0x03, 0xa8
};
static const u8 pkex_resp_x_p521[66] = {
	0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a,
	0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44,
	0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f,
	0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb,
	0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48,
	0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e,
	0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a,
	0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97,
	0x84, 0xb4
};
static const u8 pkex_resp_y_p521[66] = {
	0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d,
	0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20,
	0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3,
	0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84,
	0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9,
	0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2,
	0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80,
	0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53,
	0xce, 0xe1
};

/* Brainpool P-256r1 */
static const u8 pkex_init_x_bp_p256r1[32] = {
	0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10,
	0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca,
	0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75,
	0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8
};
static const u8 pkex_init_y_bp_p256r1[32] = {
	0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd,
	0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30,
	0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe,
	0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b
};
static const u8 pkex_resp_x_bp_p256r1[32] = {
	0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f,
	0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a,
	0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a,
	0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3
};
static const u8 pkex_resp_y_bp_p256r1[32] = {
	0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd,
	0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2,
	0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e,
	0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64
};

/* Brainpool P-384r1 */
static const u8 pkex_init_x_bp_p384r1[48] = {
	0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd,
	0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19,
	0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06,
	0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62,
	0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30,
	0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe
};
static const u8 pkex_init_y_bp_p384r1[48] = {
	0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99,
	0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86,
	0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32,
	0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9,
	0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e,
	0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52
};
static const u8 pkex_resp_x_bp_p384r1[48] = {
	0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0,
	0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25,
	0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b,
	0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71,
	0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce,
	0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c
};
static const u8 pkex_resp_y_bp_p384r1[48] = {
	0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65,
	0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04,
	0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70,
	0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c,
	0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb,
	0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1
};

/* Brainpool P-512r1 */
static const u8 pkex_init_x_bp_p512r1[64] = {
	0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c,
	0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51,
	0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc,
	0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95,
	0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d,
	0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff,
	0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc,
	0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f
};
static const u8 pkex_init_y_bp_p512r1[64] = {
	0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94,
	0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8,
	0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3,
	0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45,
	0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e,
	0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58,
	0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71,
	0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99
};
static const u8 pkex_resp_x_bp_p512r1[64] = {
	0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72,
	0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76,
	0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19,
	0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e,
	0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9,
	0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88,
	0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29,
	0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e
};
static const u8 pkex_resp_y_bp_p512r1[64] = {
	0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81,
	0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68,
	0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa,
	0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d,
	0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c,
	0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09,
	0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56,
	0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7
};
300 
301 
/* Log the affine coordinates of an EC point as hex. The coordinates of a
 * point can be key material, so nothing is printed unless the global
 * wpa_debug_show_keys switch is set. Any allocation or conversion failure is
 * silently skipped; this is a debug aid only. */
static void dpp_debug_print_point(const char *title, const EC_GROUP *group,
				  const EC_POINT *point)
{
	BIGNUM *bx, *by;
	BN_CTX *bnctx;
	char *hex_x = NULL, *hex_y = NULL;

	if (!wpa_debug_show_keys)
		return;

	bnctx = BN_CTX_new();
	bx = BN_new();
	by = BN_new();
	if (bnctx && bx && by &&
	    EC_POINT_get_affine_coordinates_GFp(group, point, bx, by,
						bnctx) == 1) {
		hex_x = BN_bn2hex(bx);
		hex_y = BN_bn2hex(by);
		if (hex_x && hex_y)
			wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, hex_x,
				   hex_y);
	}

	/* All of these accept NULL, so a partially failed setup is fine. */
	OPENSSL_free(hex_x);
	OPENSSL_free(hex_y);
	BN_free(bx);
	BN_free(by);
	BN_CTX_free(bnctx);
}
333 
334 
/* Hash a scatter/gather list with the digest matched to the curve: the
 * curve's hash_len selects SHA-256 (32), SHA-384 (48) or SHA-512 (64).
 * Returns the underlying *_vector() result, or -1 for an unsupported
 * hash length. */
static int dpp_hash_vector(const struct dpp_curve_params *curve,
			   size_t num_elem, const u8 *addr[], const size_t *len,
			   u8 *mac)
{
	switch (curve->hash_len) {
	case 32:
		return sha256_vector(num_elem, addr, len, mac);
	case 48:
		return sha384_vector(num_elem, addr, len, mac);
	case 64:
		return sha512_vector(num_elem, addr, len, mac);
	default:
		return -1;
	}
}
347 
348 
/* HKDF-Expand with the HMAC matched to hash_len (32/48/64 octets), using
 * the NUL-terminated label as the info string and no salt. Returns the
 * underlying KDF result, or -1 if hash_len is not supported. */
static int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
			   const char *label, u8 *out, size_t outlen)
{
	const u8 *info = (const u8 *) label;
	size_t info_len;

	if (hash_len != 32 && hash_len != 48 && hash_len != 64)
		return -1;

	info_len = os_strlen(label);
	switch (hash_len) {
	case 32:
		return hmac_sha256_kdf(secret, secret_len, NULL, info,
				       info_len, out, outlen);
	case 48:
		return hmac_sha384_kdf(secret, secret_len, NULL, info,
				       info_len, out, outlen);
	default:
		return hmac_sha512_kdf(secret, secret_len, NULL, info,
				       info_len, out, outlen);
	}
}
366 
367 
/* HMAC over a scatter/gather list, with the hash chosen by hash_len
 * (32 = SHA-256, 48 = SHA-384, 64 = SHA-512). Returns the underlying
 * hmac_*_vector() result, or -1 for an unsupported hash length. */
static int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
			   size_t num_elem, const u8 *addr[],
			   const size_t *len, u8 *mac)
{
	switch (hash_len) {
	case 32:
		return hmac_sha256_vector(key, key_len, num_elem, addr, len,
					  mac);
	case 48:
		return hmac_sha384_vector(key, key_len, num_elem, addr, len,
					  mac);
	case 64:
		return hmac_sha512_vector(key, key_len, num_elem, addr, len,
					  mac);
	default:
		return -1;
	}
}
383 
384 
/* Single-buffer HMAC with the hash chosen by hash_len (32/48/64 octets).
 * Returns the underlying hmac_*() result, or -1 for an unsupported length. */
static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len,
		    const u8 *data, size_t data_len, u8 *mac)
{
	switch (hash_len) {
	case 32:
		return hmac_sha256(key, key_len, data, data_len, mac);
	case 48:
		return hmac_sha384(key, key_len, data, data_len, mac);
	case 64:
		return hmac_sha512(key, key_len, data, data_len, mac);
	default:
		return -1;
	}
}
396 
397 
/* Serialize bn as a fixed-width big-endian octet string of exactly len
 * octets, zero-padding on the left. Returns -1 (and writes nothing) if the
 * number needs more than len octets, 0 otherwise. */
static int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len)
{
	size_t needed = (size_t) BN_num_bytes(bn);
	size_t pad;

	if (needed > len)
		return -1;

	pad = len - needed;
	os_memset(pos, 0, pad);
	BN_bn2bin(bn, pos + pad);

	return 0;
}
410 
411 
/* Encode the EC public key of pkey as an uncompressed point. With prefix
 * set the result is the X9.63 form 0x04 || X || Y; without it the leading
 * 0x04 octet is stripped, leaving the X || Y form DPP uses. Returns a newly
 * allocated wpabuf owned by the caller, or NULL on failure. */
static struct wpabuf * dpp_get_pubkey_point(EVP_PKEY *pkey, int prefix)
{
	EC_KEY *ec;
	struct wpabuf *out = NULL;
	unsigned char *wp;
	int enc_len, written;

	ec = EVP_PKEY_get1_EC_KEY(pkey);
	if (!ec)
		return NULL;
	EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);

	/* First call with NULL only sizes the encoding. */
	enc_len = i2o_ECPublicKey(ec, NULL);
	if (enc_len <= 0) {
		wpa_printf(MSG_ERROR,
			   "DDP: Failed to determine public key encoding length");
		goto done;
	}

	out = wpabuf_alloc(enc_len);
	if (!out)
		goto done;

	wp = wpabuf_put(out, enc_len);
	written = i2o_ECPublicKey(ec, &wp);
	if (written != enc_len) {
		wpa_printf(MSG_ERROR,
			   "DDP: Failed to encode public key (res=%d/%d)",
			   written, enc_len);
		wpabuf_free(out);
		out = NULL;
		goto done;
	}

	if (!prefix) {
		/* Remove 0x04 prefix to match DPP definition */
		wp = wpabuf_mhead(out);
		os_memmove(wp, wp + 1, enc_len - 1);
		out->used--;
	}

done:
	EC_KEY_free(ec);
	return out;
}
457 
458 
/* Build an EVP_PKEY holding the public point (buf_x, buf_y) on group. Both
 * coordinates are len-octet big-endian integers. The point is only accepted
 * if it lies on the curve and is not the point at infinity, so an attacker-
 * chosen off-curve point never becomes a key the rest of the protocol
 * trusts. Returns a new key owned by the caller, or NULL on failure. */
static EVP_PKEY * dpp_set_pubkey_point_group(const EC_GROUP *group,
					     const u8 *buf_x, const u8 *buf_y,
					     size_t len)
{
	BN_CTX *bnctx;
	EC_POINT *pt = NULL;
	BIGNUM *bx = NULL, *by = NULL;
	EC_KEY *ec = NULL;
	EVP_PKEY *result = NULL;

	bnctx = BN_CTX_new();
	if (!bnctx) {
		wpa_printf(MSG_ERROR, "DPP: Out of memory");
		return NULL;
	}

	pt = EC_POINT_new(group);
	bx = BN_bin2bn(buf_x, len, NULL);
	by = BN_bin2bn(buf_y, len, NULL);
	if (!pt || !bx || !by) {
		wpa_printf(MSG_ERROR, "DPP: Out of memory");
		goto fail;
	}

	if (!EC_POINT_set_affine_coordinates_GFp(group, pt, bx, by, bnctx)) {
		wpa_printf(MSG_ERROR,
			   "DPP: OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* Explicit point validation: reject coordinates that do not satisfy
	 * the curve equation or that encode the identity element. */
	if (!EC_POINT_is_on_curve(group, pt, bnctx) ||
	    EC_POINT_is_at_infinity(group, pt)) {
		wpa_printf(MSG_ERROR, "DPP: Invalid point");
		goto fail;
	}
	dpp_debug_print_point("DPP: dpp_set_pubkey_point_group", group, pt);

	ec = EC_KEY_new();
	if (!ec ||
	    EC_KEY_set_group(ec, group) != 1 ||
	    EC_KEY_set_public_key(ec, pt) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to set EC_KEY: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);

	result = EVP_PKEY_new();
	if (result && EVP_PKEY_set1_EC_KEY(result, ec) == 1)
		goto done;

	wpa_printf(MSG_ERROR, "DPP: Could not create EVP_PKEY");
fail:
	EVP_PKEY_free(result);
	result = NULL;
done:
	/* result holds its own reference to ec (set1), so ec is freed here
	 * on both paths. */
	BN_free(bx);
	BN_free(by);
	EC_KEY_free(ec);
	EC_POINT_free(pt);
	BN_CTX_free(bnctx);
	return result;
}
526 
527 
/* Decode a DPP-style public key (X || Y, no 0x04 prefix) on the same curve
 * as group_key. len must be even since it covers two equal-size coordinates.
 * Returns a new EVP_PKEY owned by the caller, or NULL on failure. */
static EVP_PKEY * dpp_set_pubkey_point(EVP_PKEY *group_key,
				       const u8 *buf, size_t len)
{
	EC_KEY *ec;
	const EC_GROUP *grp;
	EVP_PKEY *result = NULL;
	size_t coord_len = len / 2;

	if (len % 2 != 0)
		return NULL;

	ec = EVP_PKEY_get1_EC_KEY(group_key);
	if (!ec) {
		wpa_printf(MSG_ERROR,
			   "DPP: Could not get EC_KEY from group_key");
		return NULL;
	}

	grp = EC_KEY_get0_group(ec);
	if (!grp)
		wpa_printf(MSG_ERROR, "DPP: Could not get EC group");
	else
		result = dpp_set_pubkey_point_group(grp, buf, buf + coord_len,
						    coord_len);

	EC_KEY_free(ec);
	return result;
}
555 
556 
/* Report a DPP authentication failure on the control interface of auth's
 * message context as a DPP_EVENT_FAIL event carrying txt. */
static void dpp_auth_fail(struct dpp_authentication *auth, const char *txt)
{
	void *msg_ctx = auth->msg_ctx;

	wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
}
561 
562 
/* Allocate a DPP Public Action frame body with room for len octets of
 * payload after the fixed header. The header is Category (1) + Public
 * Action (1) + WFA OUI (3) + OUI type (1) + Crypto Suite (1) + DPP frame
 * type (1) = 8 octets. Returns the buffer, or NULL on allocation failure. */
struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type,
			      size_t len)
{
	const size_t hdr_len = 8;
	struct wpabuf *frame;

	frame = wpabuf_alloc(hdr_len + len);
	if (frame == NULL)
		return NULL;

	wpabuf_put_u8(frame, WLAN_ACTION_PUBLIC);
	wpabuf_put_u8(frame, WLAN_PA_VENDOR_SPECIFIC);
	wpabuf_put_be24(frame, OUI_WFA);
	wpabuf_put_u8(frame, DPP_OUI_TYPE);
	wpabuf_put_u8(frame, 1); /* Crypto Suite */
	wpabuf_put_u8(frame, type);

	return frame;
}
579 
580 
/* Find attribute req_id in a DPP attribute list. Each attribute is a
 * little-endian ID (2) + Length (2) header followed by Length octets. On
 * success the pointer to the attribute payload is returned and *ret_len is
 * set to its length; NULL is returned when the ID is not present or a Length
 * field would run past the end of buf (so the result never points outside
 * [buf, buf + len)). */
const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len)
{
	const u8 *p = buf;
	const u8 *end = buf + len;

	for (;;) {
		u16 attr_id, attr_len;

		if (end - p < 4)
			return NULL;

		attr_id = WPA_GET_LE16(p);
		attr_len = WPA_GET_LE16(p + 2);
		p += 4;
		if (attr_len > end - p)
			return NULL;

		if (attr_id == req_id) {
			*ret_len = attr_len;
			return p;
		}
		p += attr_len;
	}
}
602 
603 
/* Validate the framing of a DPP attribute list before any lookup is made:
 * every Length must fit in the buffer, the buffer must end exactly at the
 * last attribute, and nothing may follow the Wrapped Data attribute
 * (presumably so that no unprotected attribute can trail the AES-SIV-
 * protected one). Returns 0 if the list is well formed, -1 otherwise. */
int dpp_check_attrs(const u8 *buf, size_t len)
{
	const u8 *p = buf, *end = buf + len;
	int seen_wrapped = 0;

	while (end - p >= 4) {
		u16 attr_id = WPA_GET_LE16(p);
		u16 attr_len = WPA_GET_LE16(p + 2);

		p += 4;
		wpa_printf(MSG_MSGDUMP, "DPP: Attribute ID %04x len %u",
			   attr_id, attr_len);
		if (attr_len > end - p) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Truncated message - not enough room for the attribute - dropped");
			return -1;
		}
		if (seen_wrapped) {
			wpa_printf(MSG_DEBUG,
				   "DPP: An unexpected attribute included after the Wrapped Data attribute");
			return -1;
		}
		if (attr_id == DPP_ATTR_WRAPPED_DATA)
			seen_wrapped = 1;
		p += attr_len;
	}

	if (p != end) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected octets (%d) after the last attribute",
			   (int) (end - p));
		return -1;
	}

	return 0;
}
644 
645 
/* Release a bootstrapping entry and everything it owns (URI copy, info
 * string, public key). NULL is accepted and ignored. */
void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info)
{
	if (info == NULL)
		return;

	os_free(info->uri);
	os_free(info->info);
	EVP_PKEY_free(info->pubkey);
	os_free(info);
}
655 
656 
/* Human-readable name of a bootstrapping method, for control interface and
 * debug output. Unknown values map to "??". The switch deliberately has no
 * default so the compiler can flag an enum value added without a name. */
const char * dpp_bootstrap_type_txt(enum dpp_bootstrap_type type)
{
	switch (type) {
	case DPP_BOOTSTRAP_QR_CODE:
		return "QRCODE";
	case DPP_BOOTSTRAP_PKEX:
		return "PKEX";
	}
	return "??";
}
667 
668 
/* Check that a URI "I:" information string contains only printable ASCII
 * (0x20..0x7e) and no ';' (0x3b), which is the URI parameter separator.
 * Returns 1 if the string is acceptable (the empty string is), 0 otherwise. */
static int dpp_uri_valid_info(const char *info)
{
	const char *p;

	for (p = info; *p != '\0'; p++) {
		unsigned char c = (unsigned char) *p;

		if (c < 0x20 || c > 0x7e || c == ';')
			return 0;
	}

	return 1;
}
680 
681 
/* Store a private copy of the bootstrapping URI in bi->uri. Returns 0 on
 * success, -1 if the copy could not be allocated (bi->uri is then NULL). */
static int dpp_clone_uri(struct dpp_bootstrap_info *bi, const char *uri)
{
	char *copy = os_strdup(uri);

	bi->uri = copy;
	if (copy == NULL)
		return -1;
	return 0;
}
687 
688 
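/*
 * dpp_uri_parse_int - Parse a decimal number from untrusted URI text
 * @pos: Start of the number; leading whitespace and an optional sign are
 *	accepted exactly as atoi() accepts them
 * Returns: The parsed value, or -1 if there were no digits, the value was
 * negative, or it does not fit in an int
 *
 * strtol() is used instead of atoi() because the URI typically arrives from
 * an untrusted source (e.g., a scanned QR code) and atoi() has undefined
 * behavior when the digits overflow an int. Callers treat any value <= 0 as
 * invalid, matching the previous atoi()-based behavior for valid input.
 */
static int dpp_uri_parse_int(const char *pos)
{
	char *end;
	long val;

	val = strtol(pos, &end, 10);
	if (end == pos || val < 0 || val > INT_MAX)
		return -1;
	return (int) val;
}


/*
 * dpp_parse_uri_chan_list - Parse the "C:" channel list of a DPP URI
 * @bi: Bootstrapping entry to fill in (bi->freq / bi->num_freq)
 * @chan_list: Start of the "<opclass>/<channel>[,<opclass>/<channel>...]"
 *	text, or NULL if the URI had no channel list
 * Returns: 0 on success, -1 if the list is malformed
 *
 * Entries that map to an unknown frequency are skipped. If more than
 * DPP_BOOTSTRAP_MAX_FREQ usable entries are present the whole list is
 * discarded (num_freq reset to 0) and the function still returns 0.
 */
int dpp_parse_uri_chan_list(struct dpp_bootstrap_info *bi,
			    const char *chan_list)
{
	const char *pos = chan_list;
	int opclass, channel, freq;

	while (pos && *pos && *pos != ';') {
		opclass = dpp_uri_parse_int(pos);
		if (opclass <= 0)
			goto fail;
		pos = os_strchr(pos, '/');
		if (!pos)
			goto fail;
		pos++;
		channel = dpp_uri_parse_int(pos);
		if (channel <= 0)
			goto fail;
		/* Skip the digits just parsed; anything other than a plain
		 * digit run (e.g., a sign or whitespace) is then rejected by
		 * the separator check below. */
		while (*pos >= '0' && *pos <= '9')
			pos++;
		freq = ieee80211_chan_to_freq(NULL, opclass, channel);
		wpa_printf(MSG_DEBUG,
			   "DPP: URI channel-list: opclass=%d channel=%d ==> freq=%d",
			   opclass, channel, freq);
		if (freq < 0) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Ignore unknown URI channel-list channel (opclass=%d channel=%d)",
				   opclass, channel);
		} else if (bi->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Too many channels in URI channel-list - ignore list");
			bi->num_freq = 0;
			break;
		} else {
			bi->freq[bi->num_freq++] = freq;
		}

		if (*pos == ';' || *pos == '\0')
			break;
		if (*pos != ',')
			goto fail;
		pos++;
	}

	return 0;
fail:
	wpa_printf(MSG_DEBUG, "DPP: Invalid URI channel-list");
	return -1;
}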
737 
738 
/* Parse the optional "M:" MAC address parameter of a DPP URI into
 * bi->mac_addr. A NULL mac (parameter absent) is not an error. Returns 0 on
 * success, -1 if the text is not a valid MAC address. */
int dpp_parse_uri_mac(struct dpp_bootstrap_info *bi, const char *mac)
{
	if (mac == NULL)
		return 0;

	if (hwaddr_aton2(mac, bi->mac_addr) >= 0) {
		wpa_printf(MSG_DEBUG, "DPP: URI mac: " MACSTR,
			   MAC2STR(bi->mac_addr));
		return 0;
	}

	wpa_printf(MSG_DEBUG, "DPP: Invalid URI mac");
	return -1;
}
753 
754 
/* Parse the optional "I:" information parameter of a DPP URI: copy the text
 * up to the next ';' (or end of string) into bi->info and validate that it
 * is printable ASCII without ';'. A NULL info is not an error. Returns 0 on
 * success, -1 on allocation failure or invalid content (bi->info is left
 * allocated in the latter case for the owner to free). */
int dpp_parse_uri_info(struct dpp_bootstrap_info *bi, const char *info)
{
	const char *term;
	size_t n;

	if (info == NULL)
		return 0;

	term = os_strchr(info, ';');
	n = term ? (size_t) (term - info) : os_strlen(info);

	bi->info = os_malloc(n + 1);
	if (!bi->info)
		return -1;
	os_memcpy(bi->info, info, n);
	bi->info[n] = '\0';

	wpa_printf(MSG_DEBUG, "DPP: URI(information): %s", bi->info);
	if (dpp_uri_valid_info(bi->info))
		return 0;

	wpa_printf(MSG_DEBUG, "DPP: Invalid URI information payload");
	return -1;
}
778 
779 
/* Look up the supported curve whose OpenSSL name resolves to the given
 * ASN.1 OID. Returns NULL when the OID matches none of dpp_curves. The
 * curve names in the table are built-in OpenSSL names, so OBJ_txt2obj() is
 * expected to return OpenSSL's internal object rather than a fresh
 * allocation - revisit if a name without a built-in NID is ever added. */
static const struct dpp_curve_params *
dpp_get_curve_oid(const ASN1_OBJECT *poid)
{
	const struct dpp_curve_params *c;

	for (c = dpp_curves; c->name; c++) {
		ASN1_OBJECT *known = OBJ_txt2obj(c->name, 0);

		if (known && OBJ_cmp(poid, known) == 0)
			return c;
	}

	return NULL;
}
793 
794 
/* Look up the supported curve with the given OpenSSL NID. NID 0 (NID_undef)
 * and any NID outside dpp_curves yield NULL. */
static const struct dpp_curve_params * dpp_get_curve_nid(int nid)
{
	const struct dpp_curve_params *c;

	if (nid == 0)
		return NULL;

	for (c = dpp_curves; c->name; c++) {
		if (OBJ_txt2nid(c->name) == nid)
			return c;
	}

	return NULL;
}
808 
809 
/* Parse the mandatory "K:" public key parameter of a DPP URI: base64 text
 * (terminated by ';') holding a DER SubjectPublicKeyInfo. On success
 * bi->pubkey holds the parsed EVP_PKEY (owned by bi), bi->pubkey_hash the
 * SHA-256 of the DER bytes, and bi->curve the matching dpp_curves entry.
 * Returns 0 on success, -1 on any parse, allocation or validation failure;
 * nothing is stored in bi->pubkey on failure. */
static int dpp_parse_uri_pk(struct dpp_bootstrap_info *bi, const char *info)
{
	const char *end;
	u8 *data;
	size_t data_len;
	EVP_PKEY *pkey;
	const unsigned char *p;
	int res;
	X509_PUBKEY *pub = NULL;
	ASN1_OBJECT *ppkalg;
	const unsigned char *pk;
	int ppklen;
	X509_ALGOR *pa;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
	(defined(LIBRESSL_VERSION_NUMBER) && \
	 LIBRESSL_VERSION_NUMBER < 0x20800000L)
	ASN1_OBJECT *pa_oid;
#else
	const ASN1_OBJECT *pa_oid;
#endif
	const void *pval;
	int ptype;
	const ASN1_OBJECT *poid;
	char buf[100];

	/* The key parameter must be ';'-terminated; an unterminated value is
	 * rejected rather than parsed to end of string. */
	end = os_strchr(info, ';');
	if (!end)
		return -1;

	data = base64_decode((const unsigned char *) info, end - info,
			     &data_len);
	if (!data) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Invalid base64 encoding on URI public-key");
		return -1;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Base64 decoded URI public-key",
		    data, data_len);

	/* The bootstrapping key hash is taken over the exact DER bytes as
	 * received, not over a re-encoding, so it must be computed before
	 * the key is parsed and the buffer released. */
	if (sha256_vector(1, (const u8 **) &data, &data_len,
			  bi->pubkey_hash) < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
		os_free(data);
		return -1;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash",
		    bi->pubkey_hash, SHA256_MAC_LEN);

	/* DER encoded ASN.1 SubjectPublicKeyInfo
	 *
	 * SubjectPublicKeyInfo  ::=  SEQUENCE  {
	 *      algorithm            AlgorithmIdentifier,
	 *      subjectPublicKey     BIT STRING  }
	 *
	 * AlgorithmIdentifier  ::=  SEQUENCE  {
	 *      algorithm               OBJECT IDENTIFIER,
	 *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
	 *
	 * subjectPublicKey = compressed format public key per ANSI X9.63
	 * algorithm = ecPublicKey (1.2.840.10045.2.1)
	 * parameters = shall be present and shall be OBJECT IDENTIFIER; e.g.,
	 *       prime256v1 (1.2.840.10045.3.1.7)
	 *
	 * NOTE(review): the checks below verify the algorithm OID, that the
	 * parameters are a named-curve OID and that the curve is supported;
	 * the point encoding form (compressed vs. uncompressed) is not
	 * checked here.
	 */

	p = data;
	pkey = d2i_PUBKEY(NULL, &p, data_len);
	os_free(data);

	if (!pkey) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Could not parse URI public-key SubjectPublicKeyInfo");
		return -1;
	}

	if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
		wpa_printf(MSG_DEBUG,
			   "DPP: SubjectPublicKeyInfo does not describe an EC key");
		EVP_PKEY_free(pkey);
		return -1;
	}

	/* Re-wrap the key as X509_PUBKEY to get at the AlgorithmIdentifier
	 * components; pub is freed on every exit path below. */
	res = X509_PUBKEY_set(&pub, pkey);
	if (res != 1) {
		wpa_printf(MSG_DEBUG, "DPP: Could not set pubkey");
		goto fail;
	}

	/* get0: ppkalg, pk and pa are borrowed from pub, not owned here. */
	res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
	if (res != 1) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Could not extract SubjectPublicKeyInfo parameters");
		goto fail;
	}
	res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
	if (res < 0 || (size_t) res >= sizeof(buf)) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Could not extract SubjectPublicKeyInfo algorithm");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey algorithm: %s", buf);
	if (os_strcmp(buf, "id-ecPublicKey") != 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unsupported SubjectPublicKeyInfo algorithm");
		goto fail;
	}

	/* Only named curves are accepted: explicit (non-OID) curve
	 * parameters are rejected. */
	X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
	if (ptype != V_ASN1_OBJECT) {
		wpa_printf(MSG_DEBUG,
			   "DPP: SubjectPublicKeyInfo parameters did not contain an OID");
		goto fail;
	}
	poid = pval;
	res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
	if (res < 0 || (size_t) res >= sizeof(buf)) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Could not extract SubjectPublicKeyInfo parameters OID");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey parameters: %s", buf);
	bi->curve = dpp_get_curve_oid(poid);
	if (!bi->curve) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unsupported SubjectPublicKeyInfo curve: %s",
			   buf);
		goto fail;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: URI subjectPublicKey", pk, ppklen);

	X509_PUBKEY_free(pub);
	bi->pubkey = pkey;
	return 0;
fail:
	X509_PUBKEY_free(pub);
	EVP_PKEY_free(pkey);
	return -1;
}
948 
949 
/* Parse a "DPP:" bootstrapping URI into a new dpp_bootstrap_info. The body
 * is a sequence of ';'-separated "<letter>:<value>" parameters: C (channel
 * list), M (MAC address), I (information) and K (public key, mandatory).
 * The first occurrence of each letter wins; unknown parameters are logged
 * and ignored. Only pointers into uri are collected here - each value is
 * validated by its own dpp_parse_uri_*() helper. Returns the entry (owned
 * by the caller) or NULL if the URI is not a DPP URI, lacks a key, or any
 * parameter fails to parse. */
static struct dpp_bootstrap_info * dpp_parse_uri(const char *uri)
{
	const char *p = uri;
	const char *sep;
	const char *chan_list = NULL, *mac = NULL, *info = NULL, *pk = NULL;
	struct dpp_bootstrap_info *bi;

	wpa_hexdump_ascii(MSG_DEBUG, "DPP: URI", uri, os_strlen(uri));

	if (os_strncmp(p, "DPP:", 4) != 0) {
		wpa_printf(MSG_INFO, "DPP: Not a DPP URI");
		return NULL;
	}
	p += 4;

	while ((sep = os_strchr(p, ';')) != NULL) {
		const char **slot = NULL;

		if (sep == p) {
			/* Handle terminating ";;" and ignore unexpected ";"
			 * for parsing robustness. */
			p++;
			continue;
		}

		/* p[0] is not ';' here, so p[1] is readable (at worst it is
		 * the ';' at sep). */
		if (p[1] == ':') {
			switch (p[0]) {
			case 'C':
				slot = &chan_list;
				break;
			case 'M':
				slot = &mac;
				break;
			case 'I':
				slot = &info;
				break;
			case 'K':
				slot = &pk;
				break;
			default:
				break;
			}
		}

		if (slot && !*slot)
			*slot = p + 2;
		else
			wpa_hexdump_ascii(MSG_DEBUG,
					  "DPP: Ignore unrecognized URI parameter",
					  p, sep - p);
		p = sep + 1;
	}

	if (pk == NULL) {
		wpa_printf(MSG_INFO, "DPP: URI missing public-key");
		return NULL;
	}

	bi = os_zalloc(sizeof(*bi));
	if (bi == NULL)
		return NULL;

	if (dpp_clone_uri(bi, uri) < 0 ||
	    dpp_parse_uri_chan_list(bi, chan_list) < 0 ||
	    dpp_parse_uri_mac(bi, mac) < 0 ||
	    dpp_parse_uri_info(bi, info) < 0 ||
	    dpp_parse_uri_pk(bi, pk) < 0) {
		dpp_bootstrap_info_free(bi);
		return NULL;
	}

	return bi;
}
1012 
1013 
/* Parse a URI obtained from a QR code and tag the resulting bootstrapping
 * entry as DPP_BOOTSTRAP_QR_CODE. Returns the entry (owned by the caller)
 * or NULL if the URI could not be parsed. */
struct dpp_bootstrap_info * dpp_parse_qr_code(const char *uri)
{
	struct dpp_bootstrap_info *bi = dpp_parse_uri(uri);

	if (bi == NULL)
		return NULL;

	bi->type = DPP_BOOTSTRAP_QR_CODE;
	return bi;
}
1023 
1024 
/* Debug dump of an EC key: OpenSSL's textual rendering, the public point,
 * and the DER private key (or, if no private part is present, the DER
 * public key). This prints private key material and is only called by
 * dpp_gen_keypair() behind the wpa_debug_show_keys switch; any failure is
 * skipped silently since nothing functional depends on it. */
static void dpp_debug_print_key(const char *title, EVP_PKEY *key)
{
	EC_KEY *eckey;
	BIO *out;
	size_t rlen;
	char *txt;
	int res;
	unsigned char *der = NULL;
	int der_len;
	const EC_GROUP *group;
	const EC_POINT *point;

	out = BIO_new(BIO_s_mem());
	if (!out)
		return;

	/* Print result is ignored: an empty BIO simply yields no output. */
	EVP_PKEY_print_private(out, key, 0, NULL);
	rlen = BIO_ctrl_pending(out);
	txt = os_malloc(rlen + 1);
	if (txt) {
		res = BIO_read(out, txt, rlen);
		if (res > 0) {
			txt[res] = '\0';
			wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
		}
		os_free(txt);
	}
	BIO_free(out);

	/* get1: this reference is released at the end of the function. */
	eckey = EVP_PKEY_get1_EC_KEY(key);
	if (!eckey)
		return;

	group = EC_KEY_get0_group(eckey);
	point = EC_KEY_get0_public_key(eckey);
	if (group && point)
		dpp_debug_print_point(title, group, point);

	/* i2d with *der == NULL allocates the output; hexdump as key material
	 * so it is only shown when key logging is enabled. */
	der_len = i2d_ECPrivateKey(eckey, &der);
	if (der_len > 0)
		wpa_hexdump_key(MSG_DEBUG, "DPP: ECPrivateKey", der, der_len);
	OPENSSL_free(der);
	if (der_len <= 0) {
		/* No private key available (e.g., a peer's key): fall back
		 * to the public SubjectPublicKeyInfo encoding. */
		der = NULL;
		der_len = i2d_EC_PUBKEY(eckey, &der);
		if (der_len > 0)
			wpa_hexdump(MSG_DEBUG, "DPP: EC_PUBKEY", der, der_len);
		OPENSSL_free(der);
	}

	EC_KEY_free(eckey);
}
1077 
1078 
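/**
 * dpp_gen_keypair - Generate a fresh EC key pair on the given DPP curve
 * @curve: Curve parameters; only curve->name (an OpenSSL curve name) is used
 * Returns: Newly allocated key pair (caller frees with EVP_PKEY_free()) or
 * %NULL on error
 *
 * The curve is marked as a named curve (OPENSSL_EC_NAMED_CURVE) so that any
 * later DER encoding carries the curve OID rather than explicit parameters.
 * The generated key is dumped with dpp_debug_print_key() only when
 * wpa_debug_show_keys is enabled, since that dump includes the private key.
 */
static EVP_PKEY * dpp_gen_keypair(const struct dpp_curve_params *curve)
{
	EVP_PKEY_CTX *kctx = NULL;
	EC_KEY *ec_params = NULL;
	EVP_PKEY *params = NULL, *key = NULL;
	int nid;

	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");

	nid = OBJ_txt2nid(curve->name);
	if (nid == NID_undef) {
		wpa_printf(MSG_INFO, "DPP: Unsupported curve %s", curve->name);
		return NULL;
	}

	ec_params = EC_KEY_new_by_curve_name(nid);
	if (!ec_params) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to generate EC_KEY parameters");
		goto fail;
	}
	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
	params = EVP_PKEY_new();
	/* EVP_PKEY_set1_EC_KEY() takes its own reference, so ec_params
	 * remains owned here and must be released on every path below
	 * (previously it was never freed and leaked on each call). */
	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to generate EVP_PKEY parameters");
		goto fail;
	}

	kctx = EVP_PKEY_CTX_new(params, NULL);
	if (!kctx ||
	    EVP_PKEY_keygen_init(kctx) != 1 ||
	    EVP_PKEY_keygen(kctx, &key) != 1) {
		wpa_printf(MSG_ERROR, "DPP: Failed to generate EC key");
		goto fail;
	}

	if (wpa_debug_show_keys)
		dpp_debug_print_key("Own generated key", key);

	EVP_PKEY_CTX_free(kctx);
	EVP_PKEY_free(params);
	EC_KEY_free(ec_params);
	return key;
fail:
	/* key is normally NULL here; freeing it is a no-op in that case and
	 * avoids a leak should keygen have left a partially built key. */
	EVP_PKEY_free(key);
	EVP_PKEY_CTX_free(kctx);
	EVP_PKEY_free(params);
	EC_KEY_free(ec_params);
	return NULL;
}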
1127 
1128 
/**
 * dpp_get_curve_name - Look up a DPP curve by OpenSSL name or JWK "crv" name
 * @name: Curve name to match against either dpp_curves[].name or
 *	dpp_curves[].jwk_crv (the latter only when set)
 * Returns: Matching curve entry or %NULL if not found
 */
static const struct dpp_curve_params *
dpp_get_curve_name(const char *name)
{
	const struct dpp_curve_params *c;

	/* dpp_curves is terminated by an entry with a NULL name */
	for (c = dpp_curves; c->name; c++) {
		if (os_strcmp(name, c->name) == 0)
			return c;
		if (c->jwk_crv && os_strcmp(name, c->jwk_crv) == 0)
			return c;
	}

	return NULL;
}
1142 
1143 
/**
 * dpp_get_curve_jwk_crv - Look up a DPP curve by its JWK "crv" name only
 * @name: JWK curve name (e.g., as found in a JSON Web Key)
 * Returns: Matching curve entry or %NULL if no entry has that jwk_crv
 *
 * Unlike dpp_get_curve_name(), the OpenSSL curve name is not consulted.
 */
static const struct dpp_curve_params *
dpp_get_curve_jwk_crv(const char *name)
{
	const struct dpp_curve_params *c;

	for (c = dpp_curves; c->name; c++) {
		if (!c->jwk_crv)
			continue;
		if (os_strcmp(name, c->jwk_crv) == 0)
			return c;
	}

	return NULL;
}
1156 
1157 
/**
 * dpp_set_keypair - Load a pre-assigned EC private key (DER ECPrivateKey)
 * @curve: On success, set to the DPP curve entry matching the key's curve
 * @privkey: DER-encoded ECPrivateKey
 * @privkey_len: Length of @privkey in octets
 * Returns: Newly allocated EVP_PKEY wrapping the key (caller frees with
 * EVP_PKEY_free()) or %NULL on parse failure, unsupported curve, or OOM
 *
 * NOTE(review): d2i_ECPrivateKey() does not check that a public key embedded
 * in the encoding matches the private scalar, and no EC_KEY_check_key() is
 * done here; that is fine for operator-supplied configuration but should be
 * revisited if this input can ever come from an untrusted source.
 */
static EVP_PKEY * dpp_set_keypair(const struct dpp_curve_params **curve,
				  const u8 *privkey, size_t privkey_len)
{
	EVP_PKEY *pkey;
	EC_KEY *eckey = NULL;
	const EC_GROUP *group;
	int nid;

	pkey = EVP_PKEY_new();
	if (!pkey)
		return NULL;

	/* d2i advances the local copy of the pointer; the caller's is
	 * untouched */
	eckey = d2i_ECPrivateKey(NULL, &privkey, privkey_len);
	if (!eckey) {
		wpa_printf(MSG_INFO,
			   "DPP: OpenSSL: d2i_ECPrivateKey() failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	group = EC_KEY_get0_group(eckey);
	if (!group)
		goto fail;

	/* The key dictates the curve; reject keys on curves DPP does not
	 * support */
	nid = EC_GROUP_get_curve_name(group);
	*curve = dpp_get_curve_nid(nid);
	if (!*curve) {
		wpa_printf(MSG_INFO,
			   "DPP: Unsupported curve (nid=%d) in pre-assigned key",
			   nid);
		goto fail;
	}

	/* assign (set0) transfers ownership of eckey to pkey on success */
	if (EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1)
		goto fail;

	return pkey;

fail:
	EC_KEY_free(eckey);
	EVP_PKEY_free(pkey);
	return NULL;
}
1201 
1202 
/*
 * ASN.1 structure of the DPP bootstrapping public key. It has the shape of a
 * SubjectPublicKeyInfo (AlgorithmIdentifier followed by a BIT STRING), with
 * the BIT STRING always holding the compressed point encoding. Its DER form
 * is what dpp_bootstrap_key_der() produces, dpp_bootstrap_key_hash() hashes,
 * and dpp_keygen() base64-encodes into the bootstrapping URI.
 */
typedef struct {
	/* AlgorithmIdentifier ecPublicKey with optional parameters present
	 * as an OID identifying the curve */
	X509_ALGOR *alg;
	/* Compressed format public key per ANSI X9.63 */
	ASN1_BIT_STRING *pub_key;
} DPP_BOOTSTRAPPING_KEY;

/* OpenSSL ASN.1 template; IMPLEMENT_ASN1_FUNCTIONS generates the
 * DPP_BOOTSTRAPPING_KEY_new()/_free() and i2d_/d2i_ helpers used below. */
ASN1_SEQUENCE(DPP_BOOTSTRAPPING_KEY) = {
	ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, alg, X509_ALGOR),
	ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, pub_key, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(DPP_BOOTSTRAPPING_KEY);

IMPLEMENT_ASN1_FUNCTIONS(DPP_BOOTSTRAPPING_KEY);
1217 
1218 
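/**
 * dpp_bootstrap_key_der - DER-encode a bootstrapping public key
 * @key: EC key (private or public); only the public point is used
 * Returns: Newly allocated buffer with the DER-encoded DPP_BOOTSTRAPPING_KEY
 * (caller frees with wpabuf_free()) or %NULL on error
 *
 * The AlgorithmIdentifier is id-ecPublicKey with the curve OID as the
 * parameter, and the BIT STRING holds the compressed (X9.63) point encoding.
 * This encoding is the input to the bootstrapping key hash.
 */
static struct wpabuf * dpp_bootstrap_key_der(EVP_PKEY *key)
{
	unsigned char *der = NULL;
	int der_len;
	EC_KEY *eckey;
	struct wpabuf *ret = NULL;
	size_t len;
	const EC_GROUP *group;
	const EC_POINT *point;
	BN_CTX *ctx;
	DPP_BOOTSTRAPPING_KEY *bootstrap = NULL;
	int nid;

	ctx = BN_CTX_new();
	eckey = EVP_PKEY_get1_EC_KEY(key);
	if (!ctx || !eckey)
		goto fail;

	group = EC_KEY_get0_group(eckey);
	point = EC_KEY_get0_public_key(eckey);
	if (!group || !point)
		goto fail;
	dpp_debug_print_point("DPP: bootstrap public key", group, point);
	nid = EC_GROUP_get_curve_name(group);

	/* OBJ_nid2obj() returns OpenSSL's internal (static) objects for
	 * built-in NIDs; X509_ALGOR_set0() accepts them without ownership
	 * problems. */
	bootstrap = DPP_BOOTSTRAPPING_KEY_new();
	if (!bootstrap ||
	    X509_ALGOR_set0(bootstrap->alg, OBJ_nid2obj(EVP_PKEY_EC),
			    V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
		goto fail;

	/* First call sizes the compressed encoding, second call writes it;
	 * the second call can also fail (returning 0), which previously went
	 * unchecked and would have encoded an uninitialized buffer. */
	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
				 NULL, 0, ctx);
	if (len == 0)
		goto fail;

	der = OPENSSL_malloc(len);
	if (!der)
		goto fail;
	if (EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
			       der, len, ctx) != len) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to encode bootstrap public key point");
		goto fail;
	}

	/* Hand the point octets to the BIT STRING (freed with bootstrap) */
	OPENSSL_free(bootstrap->pub_key->data);
	bootstrap->pub_key->data = der;
	der = NULL;
	bootstrap->pub_key->length = len;
	/* No unused bits: clear any stale unused-bit count and set the flag
	 * so OpenSSL encodes exactly len octets with unused bits = 0 instead
	 * of deriving the count itself. */
	bootstrap->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
	bootstrap->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;

	der_len = i2d_DPP_BOOTSTRAPPING_KEY(bootstrap, &der);
	if (der_len <= 0) {
		wpa_printf(MSG_ERROR,
			   "DDP: Failed to build DER encoded public key");
		goto fail;
	}

	ret = wpabuf_alloc_copy(der, der_len);
fail:
	DPP_BOOTSTRAPPING_KEY_free(bootstrap);
	OPENSSL_free(der);
	EC_KEY_free(eckey);
	BN_CTX_free(ctx);
	return ret;
}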
1284 
1285 
/**
 * dpp_bootstrap_key_hash - Compute SHA-256 of the DER-encoded bootstrap key
 * @bi: Bootstrapping info; bi->pubkey is read and bi->pubkey_hash written
 * Returns: 0 on success, -1 if the key could not be encoded or hashed
 *
 * The hash is taken over the output of dpp_bootstrap_key_der() and is the
 * value carried in the Bootstrapping Key Hash attributes.
 */
int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi)
{
	struct wpabuf *der = dpp_bootstrap_key_der(bi->pubkey);
	const u8 *part[1];
	size_t part_len[1];
	int res;

	if (!der)
		return -1;
	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
			der);

	part[0] = wpabuf_head(der);
	part_len[0] = wpabuf_len(der);
	res = sha256_vector(1, part, part_len, bi->pubkey_hash);
	wpabuf_free(der);

	if (res < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
		return res;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
		    SHA256_MAC_LEN);
	return res;
}
1310 
1311 
/**
 * dpp_keygen - Create or load an own bootstrapping key and its URI encoding
 * @bi: Bootstrapping info to fill in (curve, pubkey, pubkey_hash, own)
 * @curve: Curve name (OpenSSL or JWK "crv" form) or %NULL for dpp_curves[0]
 * @privkey: Optional DER ECPrivateKey to use instead of generating a new key
 * @privkey_len: Length of @privkey in octets
 * Returns: Newly allocated base64 string of the DER-encoded public key, with
 * line breaks removed, suitable for the URI "K:" parameter (caller frees
 * with os_free()); %NULL on error
 *
 * NOTE(review): when @privkey is given, dpp_set_keypair() replaces bi->curve
 * with the key's actual curve, so a @curve that disagrees with the key is
 * silently overridden rather than rejected.
 */
char * dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve,
		  const u8 *privkey, size_t privkey_len)
{
	struct wpabuf *der;
	unsigned char *b64;
	size_t b64_len, der_len;
	const u8 *part[1];
	char *rd, *wr, *lim;

	/* Resolve the curve; default to the first supported one */
	if (curve) {
		bi->curve = dpp_get_curve_name(curve);
		if (!bi->curve) {
			wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
				   curve);
			return NULL;
		}
	} else {
		bi->curve = &dpp_curves[0];
	}

	if (privkey)
		bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len);
	else
		bi->pubkey = dpp_gen_keypair(bi->curve);
	if (!bi->pubkey)
		return NULL;
	bi->own = 1;

	der = dpp_bootstrap_key_der(bi->pubkey);
	if (!der)
		return NULL;
	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
			der);

	/* Hash of the DER encoding, as carried in the key hash attributes */
	part[0] = wpabuf_head(der);
	der_len = wpabuf_len(der);
	if (sha256_vector(1, part, &der_len, bi->pubkey_hash) < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
		wpabuf_free(der);
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
		    SHA256_MAC_LEN);

	b64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &b64_len);
	wpabuf_free(der);
	if (!b64)
		return NULL;

	/* Compact in place: drop any line breaks base64_encode() inserted so
	 * the result is a single line. The buffer is nul-terminated at
	 * b64_len. */
	rd = wr = (char *) b64;
	lim = rd + b64_len;
	while (rd < lim) {
		if (*rd != '\n')
			*wr++ = *rd;
		rd++;
	}
	*wr = '\0';

	return (char *) b64;
}
1375 
1376 
/**
 * dpp_derive_k1 - Derive the first intermediate key k1 from M.x
 * @Mx: x-coordinate of the ECDH shared secret M
 * @Mx_len: Length of @Mx in octets
 * @k1: Buffer for the derived key (hash_len octets)
 * @hash_len: Output length of the curve's hash function
 * Returns: 0 on success, -1 on failure
 *
 * k1 = HKDF(<>, "first intermediate key", M.x). The empty salt is
 * represented by hash_len zero octets for HKDF-Extract.
 */
static int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1,
			 unsigned int hash_len)
{
	const char *info = "first intermediate key";
	u8 zero_salt[DPP_MAX_HASH_LEN];
	u8 prk[DPP_MAX_HASH_LEN];
	int ret = -1;

	/* HKDF-Extract(<>, M.x) */
	os_memset(zero_salt, 0, hash_len);
	if (dpp_hmac(hash_len, zero_salt, hash_len, Mx, Mx_len, prk) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)",
			prk, hash_len);

	/* HKDF-Expand(PRK, info, L) */
	if (dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len) >= 0) {
		wpa_hexdump_key(MSG_DEBUG,
				"DPP: k1 = HKDF-Expand(PRK, info, L)",
				k1, hash_len);
		ret = 0;
	}

	/* Scrub the intermediate PRK on every path. NOTE(review): a plain
	 * os_memset() before return may be elided by the compiler; use the
	 * tree's forced-zeroing helper here if one is available. */
	os_memset(prk, 0, hash_len);
	return ret;
}
1403 
1404 
/**
 * dpp_derive_k2 - Derive the second intermediate key k2 from N.x
 * @Nx: x-coordinate of the ECDH shared secret N
 * @Nx_len: Length of @Nx in octets
 * @k2: Buffer for the derived key (hash_len octets)
 * @hash_len: Output length of the curve's hash function
 * Returns: 0 on success, -1 on failure
 *
 * k2 = HKDF(<>, "second intermediate key", N.x); same construction as
 * dpp_derive_k1() with a different info string and IKM.
 */
static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2,
			 unsigned int hash_len)
{
	const char *info = "second intermediate key";
	u8 zero_salt[DPP_MAX_HASH_LEN];
	u8 prk[DPP_MAX_HASH_LEN];
	int ret = -1;

	/* HKDF-Extract(<>, N.x) with an all-zero salt of hash_len octets */
	os_memset(zero_salt, 0, hash_len);
	if (dpp_hmac(hash_len, zero_salt, hash_len, Nx, Nx_len, prk) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
			prk, hash_len);

	/* HKDF-Expand(PRK, info, L) */
	if (dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len) >= 0) {
		wpa_hexdump_key(MSG_DEBUG,
				"DPP: k2 = HKDF-Expand(PRK, info, L)",
				k2, hash_len);
		ret = 0;
	}

	/* Scrub the intermediate PRK on every path. NOTE(review): a plain
	 * os_memset() before return may be elided by the compiler; use the
	 * tree's forced-zeroing helper here if one is available. */
	os_memset(prk, 0, hash_len);
	return ret;
}
1433 
/**
 * dpp_derive_ke - Derive the DPP session key ke
 * @auth: Authentication session; reads curve, i_nonce, r_nonce, Mx/Mx_len,
 *	Nx/Nx_len and, for mutual authentication, Lx and secret_len
 * @ke: Buffer for the derived key (hash_len octets)
 * @hash_len: Output length of the curve's hash function
 * Returns: 0 on success, -1 if a required secret is not yet available or
 * the KDF fails
 *
 * ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]); L.x is included
 * only when both bootstrapping keys are known (auth->peer_bi && auth->own_bi).
 */
static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
			 unsigned int hash_len)
{
	const char *info_ke = "DPP Key";
	u8 salt[2 * DPP_MAX_NONCE_LEN];
	u8 prk[DPP_MAX_HASH_LEN];
	const u8 *ikm[3];
	size_t ikm_len[3];
	size_t n = 0, nonce_len;
	int res;

	if (!auth->Mx_len || !auth->Nx_len) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Mx/Nx not available - cannot derive ke");
		return -1;
	}

	/* Salt = I-nonce | R-nonce */
	nonce_len = auth->curve->nonce_len;
	os_memcpy(salt, auth->i_nonce, nonce_len);
	os_memcpy(salt + nonce_len, auth->r_nonce, nonce_len);

	/* IKM = M.x | N.x [| L.x] */
	ikm[n] = auth->Mx;
	ikm_len[n] = auth->Mx_len;
	n++;
	ikm[n] = auth->Nx;
	ikm_len[n] = auth->Nx_len;
	n++;
	if (auth->peer_bi && auth->own_bi) {
		if (!auth->Lx_len) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Lx not available - cannot derive ke");
			return -1;
		}
		ikm[n] = auth->Lx;
		/* NOTE(review): M.x and N.x use their own *_len fields but
		 * L.x uses auth->secret_len; this is only correct if
		 * secret_len always equals Lx_len - confirm where Lx is set. */
		ikm_len[n] = auth->secret_len;
		n++;
	}

	/* HKDF-Extract(salt, IKM) */
	res = dpp_hmac_vector(hash_len, salt, 2 * nonce_len, n, ikm, ikm_len,
			      prk);
	if (res < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
			prk, hash_len);

	/* HKDF-Expand(PRK, info, L) */
	res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len);
	os_memset(prk, 0, hash_len);
	if (res < 0)
		return -1;

	wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)",
			ke, hash_len);
	return 0;
}
1492 
/**
 * dpp_build_attr_status - Append a DPP Status attribute to a frame
 * @msg: Frame buffer being built (must have room for 5 octets)
 * @status: Status code to carry (encoded as a single octet)
 */
static void dpp_build_attr_status(struct wpabuf *msg,
				  enum dpp_status_error status)
{
	const u8 value = status;

	wpa_printf(MSG_DEBUG, "DPP: Status %d", status);
	/* Attribute ID, attribute length, then the one-octet body */
	wpabuf_put_le16(msg, DPP_ATTR_STATUS);
	wpabuf_put_le16(msg, sizeof(value));
	wpabuf_put_u8(msg, value);
}
1501 
1502 
/**
 * dpp_build_attr_r_bootstrap_key_hash - Append R-Bootstrap Key Hash attribute
 * @msg: Frame buffer being built
 * @hash: SHA256_MAC_LEN octet hash, or %NULL to append nothing
 */
static void dpp_build_attr_r_bootstrap_key_hash(struct wpabuf *msg,
						const u8 *hash)
{
	if (!hash)
		return;

	wpa_printf(MSG_DEBUG, "DPP: R-Bootstrap Key Hash");
	wpabuf_put_le16(msg, DPP_ATTR_R_BOOTSTRAP_KEY_HASH);
	wpabuf_put_le16(msg, SHA256_MAC_LEN);
	wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
}
1513 
1514 
/**
 * dpp_build_attr_i_bootstrap_key_hash - Append I-Bootstrap Key Hash attribute
 * @msg: Frame buffer being built
 * @hash: SHA256_MAC_LEN octet hash, or %NULL to append nothing
 */
static void dpp_build_attr_i_bootstrap_key_hash(struct wpabuf *msg,
						const u8 *hash)
{
	if (!hash)
		return;

	wpa_printf(MSG_DEBUG, "DPP: I-Bootstrap Key Hash");
	wpabuf_put_le16(msg, DPP_ATTR_I_BOOTSTRAP_KEY_HASH);
	wpabuf_put_le16(msg, SHA256_MAC_LEN);
	wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
}
1525 
1526 
/**
 * dpp_auth_build_req - Build the DPP Authentication Request frame
 * @auth: Authentication session (initiator side); reads auth->i_nonce,
 *	auth->k1, auth->curve and auth->allowed_roles, writes auth->i_capab
 * @pi: Initiator protocol public key for the I-Protocol Key attribute, or
 *	%NULL to omit the attribute
 * @nonce_len: Length of auth->i_nonce in octets
 * @r_pubkey_hash: Responder bootstrapping key hash or %NULL to omit
 * @i_pubkey_hash: Initiator bootstrapping key hash or %NULL to omit
 * @neg_freq: Requested negotiation channel frequency in MHz, or 0 for no
 *	Channel attribute
 * Returns: Newly allocated frame (caller frees with wpabuf_free()) or %NULL
 * on allocation failure, unsupported @neg_freq, or AES-SIV failure
 *
 * The cleartext attributes are followed by a Wrapped Data attribute holding
 * {I-nonce, I-capabilities} encrypted with AES-SIV under k1. The frame
 * header fields (OUI, OUI type, Crypto Suite, DPP frame type) and every
 * attribute preceding Wrapped Data are bound in as associated data, so a
 * receiver must reject the frame if any of them are altered.
 * The CONFIG_TESTING_OPTIONS branches deliberately emit malformed frames.
 */
static struct wpabuf * dpp_auth_build_req(struct dpp_authentication *auth,
					  const struct wpabuf *pi,
					  size_t nonce_len,
					  const u8 *r_pubkey_hash,
					  const u8 *i_pubkey_hash,
					  unsigned int neg_freq)
{
	struct wpabuf *msg;
	/* Cleartext: I-nonce attribute + I-capabilities attribute */
	u8 clear[4 + DPP_MAX_NONCE_LEN + 4 + 1];
	/* AES-SIV output is cleartext plus one block of synthetic IV */
	u8 wrapped_data[4 + DPP_MAX_NONCE_LEN + 4 + 1 + AES_BLOCK_SIZE];
	u8 *pos;
	const u8 *addr[2];
	size_t len[2], siv_len, attr_len;
	u8 *attr_start, *attr_end;

	/* Build DPP Authentication Request frame attributes */
	/* Upper bound on the attribute payload: both key hashes, the protocol
	 * key, and a maximal Wrapped Data attribute */
	attr_len = 2 * (4 + SHA256_MAC_LEN) + 4 + (pi ? wpabuf_len(pi) : 0) +
		4 + sizeof(wrapped_data);
	if (neg_freq > 0)
		attr_len += 4 + 2;
#ifdef CONFIG_DPP2
	attr_len += 5;
#endif /* CONFIG_DPP2 */
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_REQ, attr_len);
	if (!msg)
		return NULL;

	/* Remember where the attributes start: everything from here up to
	 * the Wrapped Data attribute becomes AES-SIV associated data */
	attr_start = wpabuf_put(msg, 0);

	/* Responder Bootstrapping Key Hash */
	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);

	/* Initiator Bootstrapping Key Hash */
	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);

	/* Initiator Protocol Key */
	if (pi) {
		wpabuf_put_le16(msg, DPP_ATTR_I_PROTOCOL_KEY);
		wpabuf_put_le16(msg, wpabuf_len(pi));
		wpabuf_put_buf(msg, pi);
	}

	/* Channel */
	if (neg_freq > 0) {
		u8 op_class, channel;

		/* The frequency is sent as (operating class, channel); a
		 * frequency with no such mapping aborts the whole frame */
		if (ieee80211_freq_to_channel_ext(neg_freq, 0, 0, &op_class,
						  &channel) ==
		    NUM_HOSTAPD_MODES) {
			wpa_printf(MSG_INFO,
				   "DPP: Unsupported negotiation frequency request: %d",
				   neg_freq);
			wpabuf_free(msg);
			return NULL;
		}
		wpabuf_put_le16(msg, DPP_ATTR_CHANNEL);
		wpabuf_put_le16(msg, 2);
		wpabuf_put_u8(msg, op_class);
		wpabuf_put_u8(msg, channel);
	}

#ifdef CONFIG_DPP2
	/* Protocol Version */
	wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
	wpabuf_put_le16(msg, 1);
	wpabuf_put_u8(msg, 2);
#endif /* CONFIG_DPP2 */

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Wrapped data ({I-nonce, I-capabilities}k1) */
	pos = clear;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
		goto skip_i_nonce;
	}
	if (dpp_test == DPP_TEST_INVALID_I_NONCE_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-nonce");
		WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
		pos += 2;
		WPA_PUT_LE16(pos, nonce_len - 1);
		pos += 2;
		os_memcpy(pos, auth->i_nonce, nonce_len - 1);
		pos += nonce_len - 1;
		goto skip_i_nonce;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* I-nonce */
	WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
	pos += 2;
	WPA_PUT_LE16(pos, nonce_len);
	pos += 2;
	os_memcpy(pos, auth->i_nonce, nonce_len);
	pos += nonce_len;

#ifdef CONFIG_TESTING_OPTIONS
skip_i_nonce:
	if (dpp_test == DPP_TEST_NO_I_CAPAB_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-capab");
		goto skip_i_capab;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* I-capabilities */
	WPA_PUT_LE16(pos, DPP_ATTR_I_CAPABILITIES);
	pos += 2;
	WPA_PUT_LE16(pos, 1);
	pos += 2;
	/* The advertised capabilities are recorded on the session so the
	 * Response's R-capabilities can later be checked against them */
	auth->i_capab = auth->allowed_roles;
	*pos++ = auth->i_capab;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_ZERO_I_CAPAB) {
		wpa_printf(MSG_INFO, "DPP: TESTING - zero I-capabilities");
		pos[-1] = 0;
	}
skip_i_capab:
#endif /* CONFIG_TESTING_OPTIONS */

	attr_end = wpabuf_put(msg, 0);

	/* OUI, OUI type, Crypto Suite, DPP frame type */
	/* The first two octets of the frame (presumably the Public Action
	 * header written by dpp_alloc_msg()) are not covered by the AD */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = 3 + 1 + 1 + 1;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);

	/* Attributes before Wrapped Data */
	addr[1] = attr_start;
	len[1] = attr_end - attr_start;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	siv_len = pos - clear;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
	/* Key length for AES-SIV is tied to the curve's hash length (k1 is
	 * hash_len octets) */
	if (aes_siv_encrypt(auth->k1, auth->curve->hash_len, clear, siv_len,
			    2, addr, len, wrapped_data) < 0) {
		wpabuf_free(msg);
		return NULL;
	}
	siv_len += AES_BLOCK_SIZE;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, siv_len);

	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, siv_len);
	wpabuf_put_data(msg, wrapped_data, siv_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_hexdump_buf(MSG_DEBUG,
			"DPP: Authentication Request frame attributes", msg);

	return msg;
}
1697 
1698 
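/**
 * dpp_auth_build_resp - Build the DPP Authentication Response frame
 * @auth: Authentication session (responder side); reads auth->curve and
 *	auth->configurator, writes auth->r_capab and marks the session as
 *	waiting for Authentication Confirm (auth_resp_tries is reset)
 * @status: Status code for the DPP Status attribute; 255 means "omit the
 *	attribute entirely"
 * @pr: Responder protocol public key for the R-Protocol Key attribute, or
 *	%NULL to omit the attribute
 * @nonce_len: Length of @r_nonce and @i_nonce in octets
 * @r_pubkey_hash: Responder bootstrapping key hash or %NULL to omit
 * @i_pubkey_hash: Initiator bootstrapping key hash (mutual authentication)
 *	or %NULL to omit
 * @r_nonce: R-nonce to wrap, or %NULL to leave it out of the cleartext
 * @i_nonce: I-nonce to echo back wrapped, or %NULL to leave it out
 * @wrapped_r_auth: Pre-built {R-auth}ke blob (already AES-SIV wrapped under
 *	ke) to nest inside the outer Wrapped Data, or %NULL
 * @wrapped_r_auth_len: Length of @wrapped_r_auth; must fit the cleartext
 *	budget (4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE) reserved below -
 *	NOTE(review): not checked here, callers are trusted to respect it
 * @siv_key: AES-SIV key for the outer Wrapped Data (k2 per the DPP flow)
 * Returns: Newly allocated frame (caller frees with wpabuf_free()) or %NULL
 * on allocation or AES-SIV failure
 *
 * Outer Wrapped Data = {R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2.
 * The frame header fields (OUI, OUI type, Crypto Suite, DPP frame type) and
 * every attribute preceding Wrapped Data are bound in as associated data.
 * The CONFIG_TESTING_OPTIONS branches deliberately emit malformed frames.
 */
static struct wpabuf * dpp_auth_build_resp(struct dpp_authentication *auth,
					   enum dpp_status_error status,
					   const struct wpabuf *pr,
					   size_t nonce_len,
					   const u8 *r_pubkey_hash,
					   const u8 *i_pubkey_hash,
					   const u8 *r_nonce, const u8 *i_nonce,
					   const u8 *wrapped_r_auth,
					   size_t wrapped_r_auth_len,
					   const u8 *siv_key)
{
	struct wpabuf *msg;
	/* Cleartext budget: R-nonce + I-nonce attributes, R-capabilities,
	 * and a nested Wrapped Data attribute carrying {R-auth}ke.
	 * Parenthesized so the macro is safe in any arithmetic context. */
#define DPP_AUTH_RESP_CLEAR_LEN (2 * (4 + DPP_MAX_NONCE_LEN) + 4 + 1 + \
		4 + 4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE)
	u8 clear[DPP_AUTH_RESP_CLEAR_LEN];
	u8 wrapped_data[DPP_AUTH_RESP_CLEAR_LEN + AES_BLOCK_SIZE];
	const u8 *addr[2];
	size_t len[2], siv_len, attr_len;
	u8 *attr_start, *attr_end, *pos;

	/* Building the Response moves the state machine on: the next frame
	 * expected from the peer is Authentication Confirm */
	auth->waiting_auth_conf = 1;
	auth->auth_resp_tries = 0;

	/* Build DPP Authentication Response frame attributes */
	/* Upper bound on the attribute payload */
	attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
		4 + (pr ? wpabuf_len(pr) : 0) + 4 + sizeof(wrapped_data);
#ifdef CONFIG_DPP2
	attr_len += 5;
#endif /* CONFIG_DPP2 */
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_RESP, attr_len);
	if (!msg)
		return NULL;

	/* Everything from here to the Wrapped Data attribute becomes AES-SIV
	 * associated data */
	attr_start = wpabuf_put(msg, 0);

	/* DPP Status (255 is the caller's "no Status attribute" sentinel) */
	if (status != 255)
		dpp_build_attr_status(msg, status);

	/* Responder Bootstrapping Key Hash */
	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);

	/* Initiator Bootstrapping Key Hash (mutual authentication) */
	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);

	/* Responder Protocol Key */
	if (pr) {
		wpabuf_put_le16(msg, DPP_ATTR_R_PROTOCOL_KEY);
		wpabuf_put_le16(msg, wpabuf_len(pr));
		wpabuf_put_buf(msg, pr);
	}

#ifdef CONFIG_DPP2
	/* Protocol Version */
	wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
	wpabuf_put_le16(msg, 1);
	wpabuf_put_u8(msg, 2);
#endif /* CONFIG_DPP2 */

	attr_end = wpabuf_put(msg, 0);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Wrapped data ({R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2) */
	pos = clear;

	if (r_nonce) {
		/* R-nonce */
		WPA_PUT_LE16(pos, DPP_ATTR_R_NONCE);
		pos += 2;
		WPA_PUT_LE16(pos, nonce_len);
		pos += 2;
		os_memcpy(pos, r_nonce, nonce_len);
		pos += nonce_len;
	}

	if (i_nonce) {
		/* I-nonce */
		WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
		pos += 2;
		WPA_PUT_LE16(pos, nonce_len);
		pos += 2;
		os_memcpy(pos, i_nonce, nonce_len);
#ifdef CONFIG_TESTING_OPTIONS
		if (dpp_test == DPP_TEST_I_NONCE_MISMATCH_AUTH_RESP) {
			wpa_printf(MSG_INFO, "DPP: TESTING - I-nonce mismatch");
			pos[nonce_len / 2] ^= 0x01;
		}
#endif /* CONFIG_TESTING_OPTIONS */
		pos += nonce_len;
	}

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_R_CAPAB_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-capab");
		goto skip_r_capab;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* R-capabilities: exactly one role, derived from auth->configurator */
	WPA_PUT_LE16(pos, DPP_ATTR_R_CAPABILITIES);
	pos += 2;
	WPA_PUT_LE16(pos, 1);
	pos += 2;
	auth->r_capab = auth->configurator ? DPP_CAPAB_CONFIGURATOR :
		DPP_CAPAB_ENROLLEE;
	*pos++ = auth->r_capab;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_ZERO_R_CAPAB) {
		wpa_printf(MSG_INFO, "DPP: TESTING - zero R-capabilities");
		pos[-1] = 0;
	} else if (dpp_test == DPP_TEST_INCOMPATIBLE_R_CAPAB_AUTH_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - incompatible R-capabilities");
		if ((auth->i_capab & DPP_CAPAB_ROLE_MASK) ==
		    (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE))
			pos[-1] = 0;
		else
			pos[-1] = auth->configurator ? DPP_CAPAB_ENROLLEE :
				DPP_CAPAB_CONFIGURATOR;
	}
skip_r_capab:
#endif /* CONFIG_TESTING_OPTIONS */

	if (wrapped_r_auth) {
		/* {R-auth}ke, nested as an inner Wrapped Data attribute */
		WPA_PUT_LE16(pos, DPP_ATTR_WRAPPED_DATA);
		pos += 2;
		WPA_PUT_LE16(pos, wrapped_r_auth_len);
		pos += 2;
		os_memcpy(pos, wrapped_r_auth, wrapped_r_auth_len);
		pos += wrapped_r_auth_len;
	}

	/* OUI, OUI type, Crypto Suite, DPP frame type */
	/* The first two octets of the frame (presumably the Public Action
	 * header written by dpp_alloc_msg()) are not covered by the AD */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = 3 + 1 + 1 + 1;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);

	/* Attributes before Wrapped Data */
	addr[1] = attr_start;
	len[1] = attr_end - attr_start;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	siv_len = pos - clear;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
	/* AES-SIV key length follows the curve's hash length */
	if (aes_siv_encrypt(siv_key, auth->curve->hash_len, clear, siv_len,
			    2, addr, len, wrapped_data) < 0) {
		wpabuf_free(msg);
		return NULL;
	}
	siv_len += AES_BLOCK_SIZE;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, siv_len);

	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, siv_len);
	wpabuf_put_data(msg, wrapped_data, siv_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_hexdump_buf(MSG_DEBUG,
			"DPP: Authentication Response frame attributes", msg);
	return msg;
}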
1879 
1880 
/**
 * dpp_channel_ok_init - Check whether a frequency is usable for initiating
 * @own_modes: Driver-reported hardware modes, or %NULL if unknown
 * @num_modes: Number of entries in @own_modes
 * @freq: Frequency in MHz to check
 * Returns: 1 if @freq is listed in some mode without the DISABLED, NO_IR or
 * RADAR flag (or if no mode information is available at all), 0 otherwise
 */
static int dpp_channel_ok_init(struct hostapd_hw_modes *own_modes,
			       u16 num_modes, unsigned int freq)
{
	const int unusable = HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR |
		HOSTAPD_CHAN_RADAR;
	u16 m;

	/* Without driver capability information, optimistically allow it */
	if (!own_modes || !num_modes)
		return 1;

	for (m = 0; m < num_modes; m++) {
		int c;

		for (c = 0; c < own_modes[m].num_channels; c++) {
			if ((unsigned int) own_modes[m].channels[c].freq !=
			    freq)
				continue;
			if (own_modes[m].channels[c].flag & unusable)
				continue;
			return 1;
		}
	}

	wpa_printf(MSG_DEBUG, "DPP: Peer channel %u MHz not supported", freq);
	return 0;
}
1906 
1907 
/**
 * freq_included - Check whether a frequency is already in a list
 * @freqs: Frequency list (MHz)
 * @num: Number of valid entries in @freqs
 * @freq: Frequency to look for
 * Returns: 1 if present, 0 otherwise (including when @num is 0)
 */
static int freq_included(const unsigned int freqs[], unsigned int num,
			 unsigned int freq)
{
	unsigned int i;

	for (i = 0; i < num; i++) {
		if (freqs[i] == freq)
			return 1;
	}

	return 0;
}
1917 
1918 
/**
 * freq_to_start - Move a frequency to the front of a list, if present
 * @freqs: Frequency list (MHz), modified in place
 * @num: Number of valid entries in @freqs
 * @freq: Frequency to move to index 0
 *
 * Entries before the matching one are shifted right by one slot; relative
 * order of all other entries is preserved. The list is left untouched when
 * @freq is absent or already first.
 */
static void freq_to_start(unsigned int freqs[], unsigned int num,
			  unsigned int freq)
{
	unsigned int idx = 0, i;

	while (idx < num && freqs[idx] != freq)
		idx++;

	/* Not found, or nothing to do because it is already in front */
	if (idx >= num || idx == 0)
		return;

	for (i = idx; i > 0; i--)
		freqs[i] = freqs[i - 1];
	freqs[0] = freq;
}
1933 
1934 
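/**
 * dpp_channel_intersect - Build the initiation channel list from the peer's
 * @auth: Authentication session; appends to auth->freq/auth->num_freq and
 *	sets auth->curr_freq
 * @own_modes: Driver-reported hardware modes, or %NULL if unknown
 * @num_modes: Number of entries in @own_modes
 * Returns: 0 on success, -1 if no peer channel is usable locally
 *
 * Each frequency advertised in the peer's bootstrapping info is kept if it
 * is not already listed and dpp_channel_ok_init() accepts it. Unlike
 * dpp_channel_local_list(), auth->num_freq is not reset here; callers are
 * expected to start from a zeroed session (dpp_auth_init() does).
 */
static int dpp_channel_intersect(struct dpp_authentication *auth,
				 struct hostapd_hw_modes *own_modes,
				 u16 num_modes)
{
	struct dpp_bootstrap_info *peer_bi = auth->peer_bi;
	unsigned int i, freq;

	for (i = 0; i < peer_bi->num_freq; i++) {
		freq = peer_bi->freq[i];
		if (freq_included(auth->freq, auth->num_freq, freq))
			continue;
		if (!dpp_channel_ok_init(own_modes, num_modes, freq))
			continue;
		/* Bound the write to auth->freq, matching the guard in
		 * dpp_channel_local_list(); the peer-supplied list is parsed
		 * input and should not be trusted to fit by itself. */
		if (auth->num_freq >= DPP_BOOTSTRAP_MAX_FREQ) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Too many candidate channels - ignoring the rest");
			break;
		}
		auth->freq[auth->num_freq++] = freq;
	}
	if (!auth->num_freq) {
		wpa_printf(MSG_INFO,
			   "DPP: No available channels for initiating DPP Authentication");
		return -1;
	}
	auth->curr_freq = auth->freq[0];
	return 0;
}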
1957 
1958 
/**
 * dpp_channel_local_list - Build the initiation channel list from own modes
 * @auth: Authentication session; auth->freq/auth->num_freq are overwritten
 * @own_modes: Driver-reported hardware modes, or %NULL if unknown
 * @num_modes: Number of entries in @own_modes
 * Returns: 0 on success, -1 if no usable channel was found
 *
 * Used when the peer's bootstrapping info lists no channels. Without mode
 * information the list falls back to 2.4 GHz channels 1, 6 and 11;
 * otherwise every enabled, IR-allowed, non-radar channel is added (without
 * duplicates) up to DPP_BOOTSTRAP_MAX_FREQ entries.
 */
static int dpp_channel_local_list(struct dpp_authentication *auth,
				  struct hostapd_hw_modes *own_modes,
				  u16 num_modes)
{
	const int unusable = HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR |
		HOSTAPD_CHAN_RADAR;
	u16 m;

	auth->num_freq = 0;

	if (!own_modes || !num_modes) {
		auth->freq[auth->num_freq++] = 2412;
		auth->freq[auth->num_freq++] = 2437;
		auth->freq[auth->num_freq++] = 2462;
		return 0;
	}

	for (m = 0; m < num_modes; m++) {
		int c;

		for (c = 0; c < own_modes[m].num_channels; c++) {
			unsigned int freq = own_modes[m].channels[c].freq;

			if (own_modes[m].channels[c].flag & unusable)
				continue;
			if (freq_included(auth->freq, auth->num_freq, freq))
				continue;
			auth->freq[auth->num_freq++] = freq;
			/* Array is full: stop scanning remaining modes too */
			if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ)
				goto done;
		}
	}

done:
	return auth->num_freq ? 0 : -1;
}
1997 
1998 
/**
 * dpp_prepare_channel_list - Decide which channels to try for initiation
 * @auth: Authentication session; fills auth->freq/num_freq, resets
 *	auth->freq_idx to 0 and sets auth->curr_freq to the first entry
 * @own_modes: Driver-reported hardware modes, or %NULL if unknown
 * @num_modes: Number of entries in @own_modes
 * Returns: 0 on success, -1 if no channel could be selected
 *
 * The peer's advertised channels are intersected with local capabilities
 * when available; otherwise the local channel list is used. The 2.4 GHz
 * channels 6, 1 and 11 are then pulled to the front, in that order.
 */
static int dpp_prepare_channel_list(struct dpp_authentication *auth,
				    struct hostapd_hw_modes *own_modes,
				    u16 num_modes)
{
	char list[DPP_BOOTSTRAP_MAX_FREQ * 6 + 10];
	char *wr = list, *lim = list + sizeof(list);
	unsigned int i;
	int res;

	if (auth->peer_bi->num_freq > 0)
		res = dpp_channel_intersect(auth, own_modes, num_modes);
	else
		res = dpp_channel_local_list(auth, own_modes, num_modes);
	if (res < 0)
		return res;

	/* Each call pushes its frequency to index 0, so the last call wins:
	 * the final order is 2437 (ch 6), 2412 (ch 1), 2462 (ch 11) - the
	 * most likely channels first. */
	freq_to_start(auth->freq, auth->num_freq, 2462);
	freq_to_start(auth->freq, auth->num_freq, 2412);
	freq_to_start(auth->freq, auth->num_freq, 2437);

	auth->freq_idx = 0;
	auth->curr_freq = auth->freq[0];

	/* Debug listing; truncation just cuts the log line short */
	for (i = 0; i < auth->num_freq; i++) {
		int n = os_snprintf(wr, lim - wr, " %u", auth->freq[i]);

		if (os_snprintf_error(lim - wr, n))
			break;
		wr += n;
	}
	*wr = '\0';
	wpa_printf(MSG_DEBUG, "DPP: Possible frequencies for initiating:%s",
		   list);

	return 0;
}
2037 
2038 
/**
 * dpp_autogen_bootstrap_key - Create an own bootstrapping key if none exists
 * @auth: Authentication session; on success auth->own_bi and
 *	auth->tmp_own_bi both point at the new (session-owned) info
 * Returns: 0 on success or if auth->own_bi was already set, -1 on failure
 *
 * The key is generated on the peer's curve (auth->peer_bi->curve) and
 * exposed as a minimal "DPP:K:<key>;;" URI, tagged as a QR Code type.
 */
static int dpp_autogen_bootstrap_key(struct dpp_authentication *auth)
{
	struct dpp_bootstrap_info *bi;
	char *pk;
	size_t uri_len;

	if (auth->own_bi)
		return 0; /* already generated */

	bi = os_zalloc(sizeof(*bi));
	if (!bi)
		return -1;
	bi->type = DPP_BOOTSTRAP_QR_CODE;

	pk = dpp_keygen(bi, auth->peer_bi->curve->name, NULL, 0);
	if (!pk) {
		dpp_bootstrap_info_free(bi);
		return -1;
	}

	/* "DPP:K:" (6) + key + ";;" (2), plus the terminating nul */
	uri_len = 6 + os_strlen(pk) + 2;
	bi->uri = os_malloc(uri_len + 1);
	if (bi->uri)
		os_snprintf(bi->uri, uri_len + 1, "DPP:K:%s;;", pk);
	os_free(pk);
	if (!bi->uri) {
		dpp_bootstrap_info_free(bi);
		return -1;
	}

	wpa_printf(MSG_DEBUG,
		   "DPP: Auto-generated own bootstrapping key info: URI %s",
		   bi->uri);

	auth->tmp_own_bi = auth->own_bi = bi;
	return 0;
}
2076 
2077 
/**
 * dpp_auth_init - Start a DPP Authentication exchange as the Initiator
 * @msg_ctx: Context pointer stored in the session for event messages
 * @peer_bi: Responder (peer) bootstrapping info; dereferenced here, so it
 *	must not be %NULL. Its curve becomes the curve of the whole exchange.
 * @own_bi: Own bootstrapping info; may be filled in by
 *	dpp_autogen_bootstrap_key() (its tail above assigns auth->own_bi)
 * @dpp_allowed_roles: Bitmap of DPP_CAPAB_* roles offered by this device
 * @neg_freq: Negotiation channel frequency handed to the request builder
 * @own_modes: Supported hardware modes used for the channel list
 * @num_modes: Number of entries in @own_modes
 * Returns: New session with auth->req_msg built, or %NULL on failure
 *
 * Generates the I-nonce and the Initiator protocol key pair, derives the
 * ECDH shared secret M = pI * BR and k1 from it, and builds the
 * Authentication Request. On any failure the partially initialized session
 * is released with dpp_auth_deinit() and %NULL is returned.
 *
 * NOTE(review): own_bi (when provided) is assumed to use the same curve as
 * peer_bi; this function does not check that.
 */
struct dpp_authentication * dpp_auth_init(void *msg_ctx,
					  struct dpp_bootstrap_info *peer_bi,
					  struct dpp_bootstrap_info *own_bi,
					  u8 dpp_allowed_roles,
					  unsigned int neg_freq,
					  struct hostapd_hw_modes *own_modes,
					  u16 num_modes)
{
	struct dpp_authentication *auth;
	size_t nonce_len;
	EVP_PKEY_CTX *ctx = NULL;
	size_t secret_len;
	struct wpabuf *pi = NULL; /* PI: own protocol public key point */
	const u8 *r_pubkey_hash, *i_pubkey_hash;
#ifdef CONFIG_TESTING_OPTIONS
	u8 test_hash[SHA256_MAC_LEN];
#endif /* CONFIG_TESTING_OPTIONS */

	auth = os_zalloc(sizeof(*auth));
	if (!auth)
		return NULL;
	auth->msg_ctx = msg_ctx;
	auth->initiator = 1;
	auth->waiting_auth_resp = 1;
	auth->allowed_roles = dpp_allowed_roles;
	auth->configurator = !!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR);
	auth->peer_bi = peer_bi;
	auth->own_bi = own_bi;
	/* The peer's bootstrapping curve selects the curve for the exchange */
	auth->curve = peer_bi->curve;

	if (dpp_autogen_bootstrap_key(auth) < 0 ||
	    dpp_prepare_channel_list(auth, own_modes, num_modes) < 0)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	/* Test override may use a nonce length that differs from the curve's */
	if (dpp_nonce_override_len > 0) {
		wpa_printf(MSG_INFO, "DPP: TESTING - override I-nonce");
		nonce_len = dpp_nonce_override_len;
		os_memcpy(auth->i_nonce, dpp_nonce_override, nonce_len);
	} else {
		nonce_len = auth->curve->nonce_len;
		if (random_get_bytes(auth->i_nonce, nonce_len)) {
			wpa_printf(MSG_ERROR,
				   "DPP: Failed to generate I-nonce");
			goto fail;
		}
	}
#else /* CONFIG_TESTING_OPTIONS */
	nonce_len = auth->curve->nonce_len;
	if (random_get_bytes(auth->i_nonce, nonce_len)) {
		wpa_printf(MSG_ERROR, "DPP: Failed to generate I-nonce");
		goto fail;
	}
#endif /* CONFIG_TESTING_OPTIONS */
	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", auth->i_nonce, nonce_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_protocol_key_override_len) {
		/* tmp_curve only receives the override key's curve; auth->curve
		 * is deliberately left as selected from peer_bi above */
		const struct dpp_curve_params *tmp_curve;

		wpa_printf(MSG_INFO,
			   "DPP: TESTING - override protocol key");
		auth->own_protocol_key = dpp_set_keypair(
			&tmp_curve, dpp_protocol_key_override,
			dpp_protocol_key_override_len);
	} else {
		auth->own_protocol_key = dpp_gen_keypair(auth->curve);
	}
#else /* CONFIG_TESTING_OPTIONS */
	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
#endif /* CONFIG_TESTING_OPTIONS */
	if (!auth->own_protocol_key)
		goto fail;

	pi = dpp_get_pubkey_point(auth->own_protocol_key, 0);
	if (!pi)
		goto fail;

	/* ECDH: M = pI * BR */
	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
	/* The NULL-output derive reports the secret length first; it is
	 * bounded against DPP_MAX_SHARED_SECRET_LEN before writing auth->Mx */
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, auth->peer_bi->pubkey) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	auth->secret_len = secret_len;
	EVP_PKEY_CTX_free(ctx);
	ctx = NULL;

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
			auth->Mx, auth->secret_len);
	auth->Mx_len = auth->secret_len;

	/* k1 protects the wrapped part of the Authentication Request */
	if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
			  auth->curve->hash_len) < 0)
		goto fail;

	/* auth->own_bi must be set by now (either passed in or auto-generated) */
	r_pubkey_hash = auth->peer_bi->pubkey_hash;
	i_pubkey_hash = auth->own_bi->pubkey_hash;

#ifdef CONFIG_TESTING_OPTIONS
	/* Negative-test hooks: drop or corrupt individual request attributes */
	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
		r_pubkey_hash = NULL;
	} else if (dpp_test == DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		r_pubkey_hash = test_hash;
	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
		i_pubkey_hash = NULL;
	} else if (dpp_test == DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
		os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		i_pubkey_hash = test_hash;
	} else if (dpp_test == DPP_TEST_NO_I_PROTO_KEY_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Proto Key");
		wpabuf_free(pi);
		pi = NULL;
	} else if (dpp_test == DPP_TEST_INVALID_I_PROTO_KEY_AUTH_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-Proto Key");
		wpabuf_free(pi);
		pi = wpabuf_alloc(2 * auth->curve->prime_len);
		if (!pi || dpp_test_gen_invalid_key(pi, auth->curve) < 0)
			goto fail;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	auth->req_msg = dpp_auth_build_req(auth, pi, nonce_len, r_pubkey_hash,
					   i_pubkey_hash, neg_freq);
	if (!auth->req_msg)
		goto fail;

out:
	/* Shared exit: pi and ctx are local temporaries on both paths */
	wpabuf_free(pi);
	EVP_PKEY_CTX_free(ctx);
	return auth;
fail:
	dpp_auth_deinit(auth);
	auth = NULL;
	goto out;
}
2230 
2231 
/**
 * dpp_build_conf_req_attr - Build the wrapped attributes of a Config Request
 * @auth: Authentication session; auth->ke must already be derived and
 *	auth->e_nonce is (re)generated here
 * @json: NUL-terminated configAttrib JSON object (not checked for %NULL;
 *	os_strlen() is called on it directly)
 * Returns: Newly allocated buffer holding a single Wrapped Data attribute,
 *	or %NULL on failure. The caller owns and frees the buffer.
 *
 * The cleartext is { E-nonce, configAttrib } and is AES-SIV encrypted with
 * ke. Unlike the Authentication frames, no associated data is bound into
 * the SIV computation here.
 */
static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth,
					       const char *json)
{
	size_t nonce_len;
	size_t json_len, clear_len;
	struct wpabuf *clear = NULL, *msg = NULL;
	u8 *wrapped;
	size_t attr_len;

	wpa_printf(MSG_DEBUG, "DPP: Build configuration request");

	nonce_len = auth->curve->nonce_len;
	if (random_get_bytes(auth->e_nonce, nonce_len)) {
		wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len);
	json_len = os_strlen(json);
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: configAttr JSON", json, json_len);

	/* { E-nonce, configAttrib }ke */
	/* Each attribute is a 4-octet header (ID + length) plus its value;
	 * the wrapped attribute adds its own header and the SIV tag block */
	clear_len = 4 + nonce_len + 4 + json_len;
	clear = wpabuf_alloc(clear_len);
	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
#ifdef CONFIG_TESTING_OPTIONS
	/* Room for the extra Status attribute appended after Wrapped Data */
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = wpabuf_alloc(attr_len);
	if (!clear || !msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	/* Negative-test hooks: omit or truncate individual attributes */
	if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
		goto skip_e_nonce;
	}
	if (dpp_test == DPP_TEST_INVALID_E_NONCE_CONF_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid E-nonce");
		wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
		wpabuf_put_le16(clear, nonce_len - 1);
		wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1);
		goto skip_e_nonce;
	}
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* E-nonce */
	wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
	wpabuf_put_le16(clear, nonce_len);
	wpabuf_put_data(clear, auth->e_nonce, nonce_len);

#ifdef CONFIG_TESTING_OPTIONS
skip_e_nonce:
	if (dpp_test == DPP_TEST_NO_CONFIG_ATTR_OBJ_CONF_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no configAttrib");
		goto skip_conf_attr_obj;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* configAttrib */
	wpabuf_put_le16(clear, DPP_ATTR_CONFIG_ATTR_OBJ);
	wpabuf_put_le16(clear, json_len);
	wpabuf_put_data(clear, json, json_len);

#ifdef CONFIG_TESTING_OPTIONS
skip_conf_attr_obj:
#endif /* CONFIG_TESTING_OPTIONS */

	/* Wrapped Data attribute: ciphertext is cleartext length + SIV block */
	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);

	/* No AES-SIV AD */
	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
			    wpabuf_head(clear), wpabuf_len(clear),
			    0, NULL, NULL, wrapped) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_hexdump_buf(MSG_DEBUG,
			"DPP: Configuration Request frame attributes", msg);
	wpabuf_free(clear);
	return msg;

fail:
	wpabuf_free(clear);
	wpabuf_free(msg);
	return NULL;
}
2335 
2336 
/*
 * Append the Advertisement Protocol element that identifies DPP (vendor
 * specific, WFA OUI, DPP OUI type) as the GAS advertisement protocol.
 * Writes exactly 10 octets.
 */
static void dpp_write_adv_proto(struct wpabuf *buf)
{
	/* Element ID, Length (8), Query Response Info octet, then the
	 * vendor-specific Advertisement Protocol ID header */
	const u8 ie_head[] = { WLAN_EID_ADV_PROTO, 8, 0x7f,
			       WLAN_EID_VENDOR_SPECIFIC, 5 };
	/* OUI type and a one-octet version/subtype following the OUI */
	const u8 ie_tail[] = { DPP_OUI_TYPE, 0x01 };

	wpabuf_put_data(buf, ie_head, sizeof(ie_head));
	wpabuf_put_be24(buf, OUI_WFA);
	wpabuf_put_data(buf, ie_tail, sizeof(ie_tail));
}
2349 
2350 
/*
 * Append the GAS Query Request field: a little-endian 16-bit length
 * followed by the query payload.
 */
static void dpp_write_gas_query(struct wpabuf *buf, struct wpabuf *query)
{
	size_t query_len = wpabuf_len(query);

	wpabuf_put_le16(buf, query_len);
	wpabuf_put_data(buf, wpabuf_head(query), query_len);
}
2357 
2358 
/**
 * dpp_build_conf_req - Build a complete GAS Initial Request carrying a
 *	DPP Configuration Request
 * @auth: Authentication session (ke must already be available)
 * @json: configAttrib JSON object to send
 * Returns: Newly allocated frame buffer, or %NULL on failure; caller frees
 */
struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth,
				   const char *json)
{
	struct wpabuf *attrs, *frame = NULL;

	attrs = dpp_build_conf_req_attr(auth, json);
	if (!attrs) {
		wpa_printf(MSG_DEBUG,
			   "DPP: No configuration request data available");
		return NULL;
	}

	/* Payload: 10-octet Advertisement Protocol IE + 2-octet query length
	 * + the wrapped attributes */
	frame = gas_build_initial_req(0, 10 + 2 + wpabuf_len(attrs));
	if (frame) {
		dpp_write_adv_proto(frame);
		dpp_write_gas_query(frame, attrs);
		wpa_hexdump_buf(MSG_MSGDUMP, "DPP: GAS Config Request", frame);
	}
	wpabuf_free(attrs);

	return frame;
}
2384 
2385 
/*
 * Mark the Authentication exchange as completed and wipe the intermediate
 * ECDH secrets (M.x, N.x, L.x) and the per-message keys k1/k2 from the
 * session. The session key ke is left in place; it is needed to protect
 * the later Configuration exchange.
 */
static void dpp_auth_success(struct dpp_authentication *auth)
{
	wpa_printf(MSG_DEBUG,
		   "DPP: Authentication success - clear temporary keys");

	auth->Mx_len = 0;
	os_memset(auth->Mx, 0, sizeof(auth->Mx));
	auth->Nx_len = 0;
	os_memset(auth->Nx, 0, sizeof(auth->Nx));
	auth->Lx_len = 0;
	os_memset(auth->Lx, 0, sizeof(auth->Lx));

	os_memset(auth->k1, 0, sizeof(auth->k1));
	os_memset(auth->k2, 0, sizeof(auth->k2));

	auth->auth_success = 1;
}
2401 
2402 
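/**
 * dpp_gen_r_auth - Compute the R-auth authenticating tag
 * @auth: Session with both protocol keys and the nonces available
 * @r_auth: Output buffer for auth->curve->hash_len octets
 * Returns: 0 on success, -1 on failure
 *
 * R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0)
 *
 * Both sides compute the same value; auth->initiator decides which local
 * keys take the I and R roles. BI.x is included only when the Initiator's
 * bootstrapping key is known. BR (the Responder's bootstrapping key) is
 * required: a session without it now fails cleanly instead of
 * dereferencing a NULL bootstrapping info, mirroring the guard already
 * present in dpp_gen_i_auth().
 */
static int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth)
{
	struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
	struct dpp_bootstrap_info *bi_info, *br_info;
	const u8 *addr[7];
	size_t len[7];
	size_t i, num_elem;
	size_t nonce_len;
	u8 zero = 0;
	int res = -1;

	nonce_len = auth->curve->nonce_len;

	/* Map own/peer keys onto the Initiator (I) and Responder (R) roles */
	if (auth->initiator) {
		pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
		prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
		bi_info = auth->own_bi;
		br_info = auth->peer_bi;
	} else {
		pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
		prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
		bi_info = auth->peer_bi;
		br_info = auth->own_bi;
	}
	if (bi_info)
		bix = dpp_get_pubkey_point(bi_info->pubkey, 0);
	if (!br_info)
		goto fail;
	brx = dpp_get_pubkey_point(br_info->pubkey, 0);
	if (!pix || !prx || !brx)
		goto fail;

	/* Hash input in the order of the definition above; the point
	 * buffers hold x || y, so half of their length selects the .x part */
	addr[0] = auth->i_nonce;
	len[0] = nonce_len;
	addr[1] = auth->r_nonce;
	len[1] = nonce_len;
	addr[2] = wpabuf_head(pix);
	len[2] = wpabuf_len(pix) / 2;
	addr[3] = wpabuf_head(prx);
	len[3] = wpabuf_len(prx) / 2;
	num_elem = 4;
	if (bix) {
		addr[num_elem] = wpabuf_head(bix);
		len[num_elem] = wpabuf_len(bix) / 2;
		num_elem++;
	}
	addr[num_elem] = wpabuf_head(brx);
	len[num_elem] = wpabuf_len(brx) / 2;
	num_elem++;
	/* Trailing single octet 0 distinguishes R-auth from I-auth */
	addr[num_elem] = &zero;
	len[num_elem] = 1;
	num_elem++;

	wpa_printf(MSG_DEBUG, "DPP: R-auth hash components");
	for (i = 0; i < num_elem; i++)
		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
	res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth);
	if (res == 0)
		wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth,
			    auth->curve->hash_len);
fail:
	wpabuf_free(pix);
	wpabuf_free(prx);
	wpabuf_free(bix);
	wpabuf_free(brx);
	return res;
}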
2480 
2481 
/**
 * dpp_gen_i_auth - Compute the I-auth authenticating tag
 * @auth: Session with both protocol keys and the nonces available
 * @i_auth: Output buffer for auth->curve->hash_len octets
 * Returns: 0 on success, -1 on failure
 *
 * I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1)
 *
 * Both sides compute the same value; auth->initiator decides which local
 * keys take the I and R roles. BI.x is included only when the Initiator's
 * bootstrapping key is known; BR is required.
 */
static int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth)
{
	struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
	struct dpp_bootstrap_info *bi_info, *br_info;
	const u8 *addr[7];
	size_t len[7];
	size_t idx, num_elem;
	size_t nonce_len = auth->curve->nonce_len;
	u8 one = 1;
	int res = -1;

	/* Map own/peer keys onto the Initiator (I) and Responder (R) roles */
	if (auth->initiator) {
		pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
		prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
		bi_info = auth->own_bi;
		br_info = auth->peer_bi;
	} else {
		pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
		prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
		bi_info = auth->peer_bi;
		br_info = auth->own_bi;
	}
	if (bi_info)
		bix = dpp_get_pubkey_point(bi_info->pubkey, 0);
	if (!br_info)
		goto fail;
	brx = dpp_get_pubkey_point(br_info->pubkey, 0);
	if (!pix || !prx || !brx)
		goto fail;

	/* Hash input in the order of the definition above; the point
	 * buffers hold x || y, so half of their length selects the .x part */
	addr[0] = auth->r_nonce;
	len[0] = nonce_len;
	addr[1] = auth->i_nonce;
	len[1] = nonce_len;
	addr[2] = wpabuf_head(prx);
	len[2] = wpabuf_len(prx) / 2;
	addr[3] = wpabuf_head(pix);
	len[3] = wpabuf_len(pix) / 2;
	addr[4] = wpabuf_head(brx);
	len[4] = wpabuf_len(brx) / 2;
	num_elem = 5;
	if (bix) {
		addr[num_elem] = wpabuf_head(bix);
		len[num_elem] = wpabuf_len(bix) / 2;
		num_elem++;
	}
	/* Trailing single octet 1 distinguishes I-auth from R-auth */
	addr[num_elem] = &one;
	len[num_elem] = 1;
	num_elem++;

	wpa_printf(MSG_DEBUG, "DPP: I-auth hash components");
	for (idx = 0; idx < num_elem; idx++)
		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[idx],
			    len[idx]);
	res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth);
	if (res == 0)
		wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth,
			    auth->curve->hash_len);
fail:
	wpabuf_free(pix);
	wpabuf_free(prx);
	wpabuf_free(bix);
	wpabuf_free(brx);
	return res;
}
2563 
2564 
/**
 * dpp_auth_derive_l_responder - Derive L.x on the Responder side
 * @auth: Session; needs peer_bi->pubkey (BI, public), own_bi->pubkey and
 *	own_protocol_key (both must carry private keys bR and pR), and
 *	auth->secret_len for the fixed-length encoding of the result
 * Returns: 0 on success, -1 on failure
 *
 * L = ((bR + pR) modulo q) * BI, where q is the group order. The affine
 * x-coordinate is written zero-padded to auth->secret_len into auth->Lx
 * and auth->Lx_len is set. This is the mutual-authentication contribution;
 * NOTE(review): presumably consumed by dpp_derive_ke() via @auth.
 */
static int dpp_auth_derive_l_responder(struct dpp_authentication *auth)
{
	const EC_GROUP *group;
	EC_POINT *l = NULL;
	EC_KEY *BI = NULL, *bR = NULL, *pR = NULL;
	const EC_POINT *BI_point;
	BN_CTX *bnctx;
	BIGNUM *lx, *sum, *q;
	const BIGNUM *bR_bn, *pR_bn;
	int ret = -1;

	/* L = ((bR + pR) modulo q) * BI */

	/* All four are assigned before the first goto fail, so the cleanup
	 * below may free them unconditionally */
	bnctx = BN_CTX_new();
	sum = BN_new();
	q = BN_new();
	lx = BN_new();
	if (!bnctx || !sum || !q || !lx)
		goto fail;
	BI = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
	if (!BI)
		goto fail;
	BI_point = EC_KEY_get0_public_key(BI);
	group = EC_KEY_get0_group(BI);
	if (!group)
		goto fail;

	/* Own bootstrapping and protocol keys supply the private scalars */
	bR = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
	pR = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
	if (!bR || !pR)
		goto fail;
	bR_bn = EC_KEY_get0_private_key(bR);
	pR_bn = EC_KEY_get0_private_key(pR);
	if (!bR_bn || !pR_bn)
		goto fail;
	/* sum = (bR + pR) mod q */
	if (EC_GROUP_get_order(group, q, bnctx) != 1 ||
	    BN_mod_add(sum, bR_bn, pR_bn, q, bnctx) != 1)
		goto fail;
	l = EC_POINT_new(group);
	if (!l ||
	    EC_POINT_mul(group, l, NULL, BI_point, sum, bnctx) != 1 ||
	    EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
						bnctx) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* Fixed-length encoding: pad to the shared-secret length */
	if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
		goto fail;
	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
	auth->Lx_len = auth->secret_len;
	ret = 0;
fail:
	/* Secret intermediates (l, lx, sum) are cleared before release;
	 * q is the public group order and only needs a plain free */
	EC_POINT_clear_free(l);
	EC_KEY_free(BI);
	EC_KEY_free(bR);
	EC_KEY_free(pR);
	BN_clear_free(lx);
	BN_clear_free(sum);
	BN_free(q);
	BN_CTX_free(bnctx);
	return ret;
}
2630 
2631 
/**
 * dpp_auth_derive_l_initiator - Derive L.x on the Initiator side
 * @auth: Session; needs peer_bi->pubkey (BR) and peer_protocol_key (PR)
 *	as public points, own_bi->pubkey carrying the private key bI, and
 *	auth->secret_len for the fixed-length encoding of the result
 * Returns: 0 on success, -1 on failure
 *
 * L = bI * (BR + PR). The affine x-coordinate is written zero-padded to
 * auth->secret_len into auth->Lx and auth->Lx_len is set. This is the
 * Initiator's counterpart of dpp_auth_derive_l_responder() and yields the
 * same point for a consistent key set.
 */
static int dpp_auth_derive_l_initiator(struct dpp_authentication *auth)
{
	const EC_GROUP *group;
	EC_POINT *l = NULL, *sum = NULL;
	EC_KEY *bI = NULL, *BR = NULL, *PR = NULL;
	const EC_POINT *BR_point, *PR_point;
	BN_CTX *bnctx;
	BIGNUM *lx;
	const BIGNUM *bI_bn;
	int ret = -1;

	/* L = bI * (BR + PR) */

	/* Both are assigned before the first goto fail, so the cleanup
	 * below may free them unconditionally */
	bnctx = BN_CTX_new();
	lx = BN_new();
	if (!bnctx || !lx)
		goto fail;
	/* Peer's bootstrapping and protocol public points */
	BR = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
	PR = EVP_PKEY_get1_EC_KEY(auth->peer_protocol_key);
	if (!BR || !PR)
		goto fail;
	BR_point = EC_KEY_get0_public_key(BR);
	PR_point = EC_KEY_get0_public_key(PR);

	/* Own bootstrapping key supplies the private scalar and the group */
	bI = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
	if (!bI)
		goto fail;
	group = EC_KEY_get0_group(bI);
	bI_bn = EC_KEY_get0_private_key(bI);
	if (!group || !bI_bn)
		goto fail;
	sum = EC_POINT_new(group);
	l = EC_POINT_new(group);
	if (!sum || !l ||
	    EC_POINT_add(group, sum, BR_point, PR_point, bnctx) != 1 ||
	    EC_POINT_mul(group, l, NULL, sum, bI_bn, bnctx) != 1 ||
	    EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
						bnctx) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* Fixed-length encoding: pad to the shared-secret length */
	if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
		goto fail;
	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
	auth->Lx_len = auth->secret_len;
	ret = 0;
fail:
	/* Points and the x-coordinate are cleared before release */
	EC_POINT_clear_free(l);
	EC_POINT_clear_free(sum);
	EC_KEY_free(bI);
	EC_KEY_free(BR);
	EC_KEY_free(PR);
	BN_clear_free(lx);
	BN_CTX_free(bnctx);
	return ret;
}
2691 
2692 
/**
 * dpp_auth_build_resp_ok - Build a successful (STATUS_OK) Auth Response
 * @auth: Responder session; requires auth->own_bi, auth->peer_protocol_key
 *	(PI) and auth->i_nonce from the received Authentication Request
 * Returns: 0 on success with auth->resp_msg replaced, -1 on failure
 *
 * Generates the R-nonce and the Responder protocol key pair, derives the
 * ECDH secret N = pR * PI and k2 from it, derives L when both
 * bootstrapping keys are known (mutual authentication), then ke. The
 * R-auth attribute is computed and AES-SIV wrapped with ke before the
 * whole response is handed to dpp_auth_build_resp() together with k2.
 */
static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
{
	size_t nonce_len;
	EVP_PKEY_CTX *ctx = NULL;
	size_t secret_len;
	struct wpabuf *msg, *pr = NULL; /* PR: own protocol public key point */
	/* R-auth attribute: 4-octet header + hash; wrapped form adds SIV */
	u8 r_auth[4 + DPP_MAX_HASH_LEN];
	u8 wrapped_r_auth[4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE], *w_r_auth;
	size_t wrapped_r_auth_len;
	int ret = -1;
	const u8 *r_pubkey_hash, *i_pubkey_hash, *r_nonce, *i_nonce;
	enum dpp_status_error status = DPP_STATUS_OK;
#ifdef CONFIG_TESTING_OPTIONS
	u8 test_hash[SHA256_MAC_LEN];
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
	/* Our bootstrapping key is required for the response and for L */
	if (!auth->own_bi)
		return -1;

#ifdef CONFIG_TESTING_OPTIONS
	/* Test override may use a nonce length that differs from the curve's */
	if (dpp_nonce_override_len > 0) {
		wpa_printf(MSG_INFO, "DPP: TESTING - override R-nonce");
		nonce_len = dpp_nonce_override_len;
		os_memcpy(auth->r_nonce, dpp_nonce_override, nonce_len);
	} else {
		nonce_len = auth->curve->nonce_len;
		if (random_get_bytes(auth->r_nonce, nonce_len)) {
			wpa_printf(MSG_ERROR,
				   "DPP: Failed to generate R-nonce");
			goto fail;
		}
	}
#else /* CONFIG_TESTING_OPTIONS */
	nonce_len = auth->curve->nonce_len;
	if (random_get_bytes(auth->r_nonce, nonce_len)) {
		wpa_printf(MSG_ERROR, "DPP: Failed to generate R-nonce");
		goto fail;
	}
#endif /* CONFIG_TESTING_OPTIONS */
	wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", auth->r_nonce, nonce_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_protocol_key_override_len) {
		/* tmp_curve receives the override key's curve; auth->curve is
		 * deliberately left unchanged */
		const struct dpp_curve_params *tmp_curve;

		wpa_printf(MSG_INFO,
			   "DPP: TESTING - override protocol key");
		auth->own_protocol_key = dpp_set_keypair(
			&tmp_curve, dpp_protocol_key_override,
			dpp_protocol_key_override_len);
	} else {
		auth->own_protocol_key = dpp_gen_keypair(auth->curve);
	}
#else /* CONFIG_TESTING_OPTIONS */
	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
#endif /* CONFIG_TESTING_OPTIONS */
	if (!auth->own_protocol_key)
		goto fail;

	pr = dpp_get_pubkey_point(auth->own_protocol_key, 0);
	if (!pr)
		goto fail;

	/* ECDH: N = pR * PI */
	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
	/* The NULL-output derive reports the secret length first; it is
	 * bounded against DPP_MAX_SHARED_SECRET_LEN before writing auth->Nx */
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, auth->peer_protocol_key) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	EVP_PKEY_CTX_free(ctx);
	ctx = NULL;

	/* NOTE(review): auth->secret_len (recorded when M was derived) is
	 * used here rather than the local secret_len; the two are expected
	 * to match since both derivations use the same curve */
	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
			auth->Nx, auth->secret_len);
	auth->Nx_len = auth->secret_len;

	if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
			  auth->curve->hash_len) < 0)
		goto fail;

	/* own_bi is already known to be set; peer_bi decides mutual auth */
	if (auth->own_bi && auth->peer_bi) {
		/* Mutual authentication */
		if (dpp_auth_derive_l_responder(auth) < 0)
			goto fail;
	}

	if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
		goto fail;

	/* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
	/* Build the R-auth attribute in cleartext (ID, length, hash) ... */
	WPA_PUT_LE16(r_auth, DPP_ATTR_R_AUTH_TAG);
	WPA_PUT_LE16(&r_auth[2], auth->curve->hash_len);
	if (dpp_gen_r_auth(auth, r_auth + 4) < 0)
		goto fail;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_R_AUTH_MISMATCH_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - R-auth mismatch");
		r_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
	}
#endif /* CONFIG_TESTING_OPTIONS */
	/* ... and wrap it with ke (no associated data) */
	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
			    r_auth, 4 + auth->curve->hash_len,
			    0, NULL, NULL, wrapped_r_auth) < 0)
		goto fail;
	wrapped_r_auth_len = 4 + auth->curve->hash_len + AES_BLOCK_SIZE;
	wpa_hexdump(MSG_DEBUG, "DPP: {R-auth}ke",
		    wrapped_r_auth, wrapped_r_auth_len);
	w_r_auth = wrapped_r_auth;

	/* I-Bootstrap Key Hash is only present for mutual authentication */
	r_pubkey_hash = auth->own_bi->pubkey_hash;
	if (auth->peer_bi)
		i_pubkey_hash = auth->peer_bi->pubkey_hash;
	else
		i_pubkey_hash = NULL;

	i_nonce = auth->i_nonce;
	r_nonce = auth->r_nonce;

#ifdef CONFIG_TESTING_OPTIONS
	/* Negative-test hooks: drop or corrupt individual response fields */
	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
		r_pubkey_hash = NULL;
	} else if (dpp_test ==
		   DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		r_pubkey_hash = test_hash;
	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
		i_pubkey_hash = NULL;
	} else if (dpp_test ==
		   DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
		if (i_pubkey_hash)
			os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
		else
			os_memset(test_hash, 0, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		i_pubkey_hash = test_hash;
	} else if (dpp_test == DPP_TEST_NO_R_PROTO_KEY_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Proto Key");
		wpabuf_free(pr);
		pr = NULL;
	} else if (dpp_test == DPP_TEST_INVALID_R_PROTO_KEY_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid R-Proto Key");
		wpabuf_free(pr);
		pr = wpabuf_alloc(2 * auth->curve->prime_len);
		if (!pr || dpp_test_gen_invalid_key(pr, auth->curve) < 0)
			goto fail;
	} else if (dpp_test == DPP_TEST_NO_R_AUTH_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth");
		w_r_auth = NULL;
		wrapped_r_auth_len = 0;
	} else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
		status = 255;
	} else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
		status = 254;
	} else if (dpp_test == DPP_TEST_NO_R_NONCE_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-nonce");
		r_nonce = NULL;
	} else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
		i_nonce = NULL;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	msg = dpp_auth_build_resp(auth, status, pr, nonce_len,
				  r_pubkey_hash, i_pubkey_hash,
				  r_nonce, i_nonce,
				  w_r_auth, wrapped_r_auth_len,
				  auth->k2);
	if (!msg)
		goto fail;
	/* Replace any previously built response */
	wpabuf_free(auth->resp_msg);
	auth->resp_msg = msg;
	ret = 0;
fail:
	wpabuf_free(pr);
	return ret;
}
2886 
2887 
/**
 * dpp_auth_build_resp_status - Build an Authentication Response carrying
 *	only a status, the bootstrapping key hashes and the I-nonce
 * @auth: Responder session; requires auth->own_bi and auth->i_nonce
 * @status: DPP status value to report
 * Returns: 0 on success with auth->resp_msg replaced, -1 on failure
 *
 * No protocol key, R-nonce or R-auth is included; k1 is handed to
 * dpp_auth_build_resp() as the wrapping key.
 */
static int dpp_auth_build_resp_status(struct dpp_authentication *auth,
				      enum dpp_status_error status)
{
	struct wpabuf *resp;
	const u8 *r_hash, *i_hash = NULL, *i_nonce;
#ifdef CONFIG_TESTING_OPTIONS
	u8 test_hash[SHA256_MAC_LEN];
#endif /* CONFIG_TESTING_OPTIONS */

	if (!auth->own_bi)
		return -1;
	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");

	/* I-Bootstrap Key Hash is only present when the Initiator's
	 * bootstrapping key is known */
	r_hash = auth->own_bi->pubkey_hash;
	if (auth->peer_bi)
		i_hash = auth->peer_bi->pubkey_hash;
	i_nonce = auth->i_nonce;

#ifdef CONFIG_TESTING_OPTIONS
	/* Negative-test hooks: drop or corrupt individual response fields */
	switch (dpp_test) {
	case DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP:
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
		r_hash = NULL;
		break;
	case DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP:
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
		os_memcpy(test_hash, r_hash, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		r_hash = test_hash;
		break;
	case DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP:
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
		i_hash = NULL;
		break;
	case DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP:
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
		if (i_hash)
			os_memcpy(test_hash, i_hash, SHA256_MAC_LEN);
		else
			os_memset(test_hash, 0, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		i_hash = test_hash;
		break;
	case DPP_TEST_NO_STATUS_AUTH_RESP:
		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
		status = 255;
		break;
	case DPP_TEST_NO_I_NONCE_AUTH_RESP:
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
		i_nonce = NULL;
		break;
	default:
		break;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	resp = dpp_auth_build_resp(auth, status, NULL, auth->curve->nonce_len,
				   r_hash, i_hash, NULL, i_nonce, NULL, 0,
				   auth->k1);
	if (!resp)
		return -1;
	/* Replace any previously built response */
	wpabuf_free(auth->resp_msg);
	auth->resp_msg = resp;
	return 0;
}
2951 
2952 
2953 struct dpp_authentication *
2954 dpp_auth_req_rx(void *msg_ctx, u8 dpp_allowed_roles, int qr_mutual,
2955 		struct dpp_bootstrap_info *peer_bi,
2956 		struct dpp_bootstrap_info *own_bi,
2957 		unsigned int freq, const u8 *hdr, const u8 *attr_start,
2958 		size_t attr_len)
2959 {
2960 	EVP_PKEY *pi = NULL;
2961 	EVP_PKEY_CTX *ctx = NULL;
2962 	size_t secret_len;
2963 	const u8 *addr[2];
2964 	size_t len[2];
2965 	u8 *unwrapped = NULL;
2966 	size_t unwrapped_len = 0;
2967 	const u8 *wrapped_data, *i_proto, *i_nonce, *i_capab, *i_bootstrap,
2968 		*channel;
2969 	u16 wrapped_data_len, i_proto_len, i_nonce_len, i_capab_len,
2970 		i_bootstrap_len, channel_len;
2971 	struct dpp_authentication *auth = NULL;
2972 #ifdef CONFIG_DPP2
2973 	const u8 *version;
2974 	u16 version_len;
2975 #endif /* CONFIG_DPP2 */
2976 
2977 #ifdef CONFIG_TESTING_OPTIONS
2978 	if (dpp_test == DPP_TEST_STOP_AT_AUTH_REQ) {
2979 		wpa_printf(MSG_INFO,
2980 			   "DPP: TESTING - stop at Authentication Request");
2981 		return NULL;
2982 	}
2983 #endif /* CONFIG_TESTING_OPTIONS */
2984 
2985 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
2986 				    &wrapped_data_len);
2987 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
2988 		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
2989 			"Missing or invalid required Wrapped Data attribute");
2990 		return NULL;
2991 	}
2992 	wpa_hexdump(MSG_MSGDUMP, "DPP: Wrapped Data",
2993 		    wrapped_data, wrapped_data_len);
2994 	attr_len = wrapped_data - 4 - attr_start;
2995 
2996 	auth = os_zalloc(sizeof(*auth));
2997 	if (!auth)
2998 		goto fail;
2999 	auth->msg_ctx = msg_ctx;
3000 	auth->peer_bi = peer_bi;
3001 	auth->own_bi = own_bi;
3002 	auth->curve = own_bi->curve;
3003 	auth->curr_freq = freq;
3004 
3005 	auth->peer_version = 1; /* default to the first version */
3006 #ifdef CONFIG_DPP2
3007 	version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
3008 			       &version_len);
3009 	if (version) {
3010 		if (version_len < 1 || version[0] == 0) {
3011 			dpp_auth_fail(auth,
3012 				      "Invalid Protocol Version attribute");
3013 			goto fail;
3014 		}
3015 		auth->peer_version = version[0];
3016 		wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
3017 			   auth->peer_version);
3018 	}
3019 #endif /* CONFIG_DPP2 */
3020 
3021 	channel = dpp_get_attr(attr_start, attr_len, DPP_ATTR_CHANNEL,
3022 			       &channel_len);
3023 	if (channel) {
3024 		int neg_freq;
3025 
3026 		if (channel_len < 2) {
3027 			dpp_auth_fail(auth, "Too short Channel attribute");
3028 			goto fail;
3029 		}
3030 
3031 		neg_freq = ieee80211_chan_to_freq(NULL, channel[0], channel[1]);
3032 		wpa_printf(MSG_DEBUG,
3033 			   "DPP: Initiator requested different channel for negotiation: op_class=%u channel=%u --> freq=%d",
3034 			   channel[0], channel[1], neg_freq);
3035 		if (neg_freq < 0) {
3036 			dpp_auth_fail(auth,
3037 				      "Unsupported Channel attribute value");
3038 			goto fail;
3039 		}
3040 
3041 		if (auth->curr_freq != (unsigned int) neg_freq) {
3042 			wpa_printf(MSG_DEBUG,
3043 				   "DPP: Changing negotiation channel from %u MHz to %u MHz",
3044 				   freq, neg_freq);
3045 			auth->curr_freq = neg_freq;
3046 		}
3047 	}
3048 
3049 	i_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_I_PROTOCOL_KEY,
3050 			       &i_proto_len);
3051 	if (!i_proto) {
3052 		dpp_auth_fail(auth,
3053 			      "Missing required Initiator Protocol Key attribute");
3054 		goto fail;
3055 	}
3056 	wpa_hexdump(MSG_MSGDUMP, "DPP: Initiator Protocol Key",
3057 		    i_proto, i_proto_len);
3058 
3059 	/* M = bR * PI */
3060 	pi = dpp_set_pubkey_point(own_bi->pubkey, i_proto, i_proto_len);
3061 	if (!pi) {
3062 		dpp_auth_fail(auth, "Invalid Initiator Protocol Key");
3063 		goto fail;
3064 	}
3065 	dpp_debug_print_key("Peer (Initiator) Protocol Key", pi);
3066 
3067 	ctx = EVP_PKEY_CTX_new(own_bi->pubkey, NULL);
3068 	if (!ctx ||
3069 	    EVP_PKEY_derive_init(ctx) != 1 ||
3070 	    EVP_PKEY_derive_set_peer(ctx, pi) != 1 ||
3071 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
3072 	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
3073 	    EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
3074 		wpa_printf(MSG_ERROR,
3075 			   "DPP: Failed to derive ECDH shared secret: %s",
3076 			   ERR_error_string(ERR_get_error(), NULL));
3077 		dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
3078 		goto fail;
3079 	}
3080 	auth->secret_len = secret_len;
3081 	EVP_PKEY_CTX_free(ctx);
3082 	ctx = NULL;
3083 
3084 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
3085 			auth->Mx, auth->secret_len);
3086 	auth->Mx_len = auth->secret_len;
3087 
3088 	if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
3089 			  auth->curve->hash_len) < 0)
3090 		goto fail;
3091 
3092 	addr[0] = hdr;
3093 	len[0] = DPP_HDR_LEN;
3094 	addr[1] = attr_start;
3095 	len[1] = attr_len;
3096 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3097 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3098 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3099 		    wrapped_data, wrapped_data_len);
3100 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3101 	unwrapped = os_malloc(unwrapped_len);
3102 	if (!unwrapped)
3103 		goto fail;
3104 	if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
3105 			    wrapped_data, wrapped_data_len,
3106 			    2, addr, len, unwrapped) < 0) {
3107 		dpp_auth_fail(auth, "AES-SIV decryption failed");
3108 		goto fail;
3109 	}
3110 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3111 		    unwrapped, unwrapped_len);
3112 
3113 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3114 		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3115 		goto fail;
3116 	}
3117 
3118 	i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3119 			       &i_nonce_len);
3120 	if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3121 		dpp_auth_fail(auth, "Missing or invalid I-nonce");
3122 		goto fail;
3123 	}
3124 	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3125 	os_memcpy(auth->i_nonce, i_nonce, i_nonce_len);
3126 
3127 	i_capab = dpp_get_attr(unwrapped, unwrapped_len,
3128 			       DPP_ATTR_I_CAPABILITIES,
3129 			       &i_capab_len);
3130 	if (!i_capab || i_capab_len < 1) {
3131 		dpp_auth_fail(auth, "Missing or invalid I-capabilities");
3132 		goto fail;
3133 	}
3134 	auth->i_capab = i_capab[0];
3135 	wpa_printf(MSG_DEBUG, "DPP: I-capabilities: 0x%02x", auth->i_capab);
3136 
3137 	bin_clear_free(unwrapped, unwrapped_len);
3138 	unwrapped = NULL;
3139 
3140 	switch (auth->i_capab & DPP_CAPAB_ROLE_MASK) {
3141 	case DPP_CAPAB_ENROLLEE:
3142 		if (!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)) {
3143 			wpa_printf(MSG_DEBUG,
3144 				   "DPP: Local policy does not allow Configurator role");
3145 			goto not_compatible;
3146 		}
3147 		wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3148 		auth->configurator = 1;
3149 		break;
3150 	case DPP_CAPAB_CONFIGURATOR:
3151 		if (!(dpp_allowed_roles & DPP_CAPAB_ENROLLEE)) {
3152 			wpa_printf(MSG_DEBUG,
3153 				   "DPP: Local policy does not allow Enrollee role");
3154 			goto not_compatible;
3155 		}
3156 		wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3157 		auth->configurator = 0;
3158 		break;
3159 	case DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE:
3160 		if (dpp_allowed_roles & DPP_CAPAB_ENROLLEE) {
3161 			wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3162 			auth->configurator = 0;
3163 		} else if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) {
3164 			wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3165 			auth->configurator = 1;
3166 		} else {
3167 			wpa_printf(MSG_DEBUG,
3168 				   "DPP: Local policy does not allow Configurator/Enrollee role");
3169 			goto not_compatible;
3170 		}
3171 		break;
3172 	default:
3173 		wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities");
3174 		wpa_msg(auth->msg_ctx, MSG_INFO,
3175 			DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x",
3176 			auth->i_capab & DPP_CAPAB_ROLE_MASK);
3177 		goto fail;
3178 	}
3179 
3180 	auth->peer_protocol_key = pi;
3181 	pi = NULL;
3182 	if (qr_mutual && !peer_bi && own_bi->type == DPP_BOOTSTRAP_QR_CODE) {
3183 		char hex[SHA256_MAC_LEN * 2 + 1];
3184 
3185 		wpa_printf(MSG_DEBUG,
3186 			   "DPP: Mutual authentication required with QR Codes, but peer info is not yet available - request more time");
3187 		if (dpp_auth_build_resp_status(auth,
3188 					       DPP_STATUS_RESPONSE_PENDING) < 0)
3189 			goto fail;
3190 		i_bootstrap = dpp_get_attr(attr_start, attr_len,
3191 					   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3192 					   &i_bootstrap_len);
3193 		if (i_bootstrap && i_bootstrap_len == SHA256_MAC_LEN) {
3194 			auth->response_pending = 1;
3195 			os_memcpy(auth->waiting_pubkey_hash,
3196 				  i_bootstrap, i_bootstrap_len);
3197 			wpa_snprintf_hex(hex, sizeof(hex), i_bootstrap,
3198 					 i_bootstrap_len);
3199 		} else {
3200 			hex[0] = '\0';
3201 		}
3202 
3203 		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_SCAN_PEER_QR_CODE
3204 			"%s", hex);
3205 		return auth;
3206 	}
3207 	if (dpp_auth_build_resp_ok(auth) < 0)
3208 		goto fail;
3209 
3210 	return auth;
3211 
3212 not_compatible:
3213 	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
3214 		"i-capab=0x%02x", auth->i_capab);
3215 	if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)
3216 		auth->configurator = 1;
3217 	else
3218 		auth->configurator = 0;
3219 	auth->peer_protocol_key = pi;
3220 	pi = NULL;
3221 	if (dpp_auth_build_resp_status(auth, DPP_STATUS_NOT_COMPATIBLE) < 0)
3222 		goto fail;
3223 
3224 	auth->remove_on_tx_status = 1;
3225 	return auth;
3226 fail:
3227 	bin_clear_free(unwrapped, unwrapped_len);
3228 	EVP_PKEY_free(pi);
3229 	EVP_PKEY_CTX_free(ctx);
3230 	dpp_auth_deinit(auth);
3231 	return NULL;
3232 }
3233 
3234 
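/**
 * dpp_notify_new_qr_code - Resume a pending Authentication exchange after a
 * new QR Code has been scanned (Responder side)
 * @auth: Authentication session state (may be NULL)
 * @peer_bi: Bootstrapping info parsed from the newly scanned QR Code (may be
 *	NULL; then nothing is done)
 * Returns: 1 if the scanned key was the one this session was waiting for and
 * the full Authentication Response was built, 0 if there is no waiting
 * session or the key does not match, -1 if building the response failed
 *
 * Only a session that answered the Authentication Request with
 * DPP_STATUS_RESPONSE_PENDING (auth->response_pending set, the Initiator's
 * I-Bootstrap Key Hash saved in auth->waiting_pubkey_hash) is affected. The
 * SHA-256 hash of the scanned bootstrapping key must equal that saved hash;
 * any other QR Code is ignored for this session.
 *
 * NOTE(review): auth->response_pending is left set here; presumably it is
 * cleared by dpp_auth_build_resp_ok() or the caller - confirm.
 */
int dpp_notify_new_qr_code(struct dpp_authentication *auth,
			   struct dpp_bootstrap_info *peer_bi)
{
	/* Guard peer_bi as well as auth so a caller without a parsed
	 * bootstrapping entry cannot make this dereference NULL. */
	if (!auth || !peer_bi || !auth->response_pending)
		return 0;

	/* Only the key the Initiator advertised can continue this session */
	if (os_memcmp(auth->waiting_pubkey_hash, peer_bi->pubkey_hash,
		      SHA256_MAC_LEN) != 0)
		return 0;

	wpa_printf(MSG_DEBUG,
		   "DPP: New scanned QR Code has matching public key that was needed to continue DPP Authentication exchange with "
		   MACSTR, MAC2STR(auth->peer_mac_addr));
	auth->peer_bi = peer_bi;

	/* Mutual authentication is now possible: build the real response */
	if (dpp_auth_build_resp_ok(auth) < 0)
		return -1;

	return 1;
}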
3253 
3254 
/**
 * dpp_auth_build_conf - Build a DPP Authentication Confirm frame (Initiator)
 * @auth: Authentication session state; auth->peer_bi must be set, and
 *	auth->own_bi is non-NULL only when mutual authentication is in use
 * @status: DPP Status to report. DPP_STATUS_OK wraps {I-auth}ke; any other
 *	value wraps {R-nonce}k2 so the Responder can verify the failure came
 *	from the same Initiator
 * Returns: Newly allocated frame, or NULL on allocation/crypto failure
 *
 * Attribute order: DPP Status, R-Bootstrap Key Hash, I-Bootstrap Key Hash
 * (presumably omitted by the helper when the hash pointer is NULL - not
 * visible here), Wrapped Data. The AES-SIV associated data is the six octets
 * following the first two of the frame (OUI, OUI type, Crypto Suite, DPP
 * frame type; the two skipped octets are presumably Category/Action) plus
 * every attribute preceding Wrapped Data. When status is DPP_STATUS_OK the
 * session is marked successful via dpp_auth_success() before returning.
 * The CONFIG_TESTING_OPTIONS branches deliberately omit or corrupt fields to
 * exercise the peer's error handling and must never be enabled in production.
 */
static struct wpabuf * dpp_auth_build_conf(struct dpp_authentication *auth,
					   enum dpp_status_error status)
{
	struct wpabuf *msg;
	/* 4 = attribute header (2-octet ID + 2-octet length) */
	u8 i_auth[4 + DPP_MAX_HASH_LEN];
	size_t i_auth_len;
	u8 r_nonce[4 + DPP_MAX_NONCE_LEN];
	size_t r_nonce_len;
	const u8 *addr[2];
	size_t len[2], attr_len;
	u8 *wrapped_i_auth;
	u8 *wrapped_r_nonce;
	u8 *attr_start, *attr_end;
	const u8 *r_pubkey_hash, *i_pubkey_hash;
#ifdef CONFIG_TESTING_OPTIONS
	u8 test_hash[SHA256_MAC_LEN];
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_printf(MSG_DEBUG, "DPP: Build Authentication Confirmation");

	i_auth_len = 4 + auth->curve->hash_len;
	r_nonce_len = 4 + auth->curve->nonce_len;
	/* Build DPP Authentication Confirmation frame attributes */
	/* Upper bound: Status + both key hashes + Wrapped Data header and
	 * SIV tag; only one of i_auth/r_nonce is actually wrapped, so this
	 * over-allocates slightly (harmless). */
	attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
		4 + i_auth_len + r_nonce_len + AES_BLOCK_SIZE;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_CONF, attr_len);
	if (!msg)
		goto fail;

	/* Remember where the attributes begin; everything written from here
	 * up to Wrapped Data becomes AES-SIV AD[1]. */
	attr_start = wpabuf_put(msg, 0);

	r_pubkey_hash = auth->peer_bi->pubkey_hash;
	if (auth->own_bi)
		i_pubkey_hash = auth->own_bi->pubkey_hash;
	else
		i_pubkey_hash = NULL;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_STATUS_AUTH_CONF) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
		goto skip_status;
	} else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_CONF) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
		status = 254;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* DPP Status */
	dpp_build_attr_status(msg, status);

#ifdef CONFIG_TESTING_OPTIONS
skip_status:
	if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
		r_pubkey_hash = NULL;
	} else if (dpp_test ==
		   DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid R-Bootstrap Key Hash");
		os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		r_pubkey_hash = test_hash;
	} else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
		i_pubkey_hash = NULL;
	} else if (dpp_test ==
		   DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - invalid I-Bootstrap Key Hash");
		/* i_pubkey_hash is NULL without mutual authentication */
		if (i_pubkey_hash)
			os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
		else
			os_memset(test_hash, 0, SHA256_MAC_LEN);
		test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
		i_pubkey_hash = test_hash;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Responder Bootstrapping Key Hash */
	dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);

	/* Initiator Bootstrapping Key Hash (mutual authentication) */
	dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_CONF)
		goto skip_wrapped_data;
	if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
		i_auth_len = 0;
#endif /* CONFIG_TESTING_OPTIONS */

	attr_end = wpabuf_put(msg, 0);

	/* OUI, OUI type, Crypto Suite, DPP frame type */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = 3 + 1 + 1 + 1;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);

	/* Attributes before Wrapped Data */
	addr[1] = attr_start;
	len[1] = attr_end - attr_start;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	if (status == DPP_STATUS_OK) {
		/* I-auth wrapped with ke */
		/* Reserve the Wrapped Data attribute first; the ciphertext
		 * is written in place once the plaintext is ready. */
		wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
		wpabuf_put_le16(msg, i_auth_len + AES_BLOCK_SIZE);
		wrapped_i_auth = wpabuf_put(msg, i_auth_len + AES_BLOCK_SIZE);

#ifdef CONFIG_TESTING_OPTIONS
		if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
			goto skip_i_auth;
#endif /* CONFIG_TESTING_OPTIONS */

		/* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |]
		 *	      1) */
		/* The plaintext is itself a TLV: I-Auth Tag attribute */
		WPA_PUT_LE16(i_auth, DPP_ATTR_I_AUTH_TAG);
		WPA_PUT_LE16(&i_auth[2], auth->curve->hash_len);
		if (dpp_gen_i_auth(auth, i_auth + 4) < 0)
			goto fail;

#ifdef CONFIG_TESTING_OPTIONS
		if (dpp_test == DPP_TEST_I_AUTH_MISMATCH_AUTH_CONF) {
			wpa_printf(MSG_INFO, "DPP: TESTING - I-auth mismatch");
			i_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
		}
skip_i_auth:
#endif /* CONFIG_TESTING_OPTIONS */
		if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
				    i_auth, i_auth_len,
				    2, addr, len, wrapped_i_auth) < 0)
			goto fail;
		wpa_hexdump(MSG_DEBUG, "DPP: {I-auth}ke",
			    wrapped_i_auth, i_auth_len + AES_BLOCK_SIZE);
	} else {
		/* R-nonce wrapped with k2 */
		/* Failure confirms carry the Responder's own nonce under k2
		 * so the Responder can tell a genuine failure from a forgery */
		wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
		wpabuf_put_le16(msg, r_nonce_len + AES_BLOCK_SIZE);
		wrapped_r_nonce = wpabuf_put(msg, r_nonce_len + AES_BLOCK_SIZE);

		WPA_PUT_LE16(r_nonce, DPP_ATTR_R_NONCE);
		WPA_PUT_LE16(&r_nonce[2], auth->curve->nonce_len);
		os_memcpy(r_nonce + 4, auth->r_nonce, auth->curve->nonce_len);

		if (aes_siv_encrypt(auth->k2, auth->curve->hash_len,
				    r_nonce, r_nonce_len,
				    2, addr, len, wrapped_r_nonce) < 0)
			goto fail;
		wpa_hexdump(MSG_DEBUG, "DPP: {R-nonce}k2",
			    wrapped_r_nonce, r_nonce_len + AES_BLOCK_SIZE);
	}

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_hexdump_buf(MSG_DEBUG,
			"DPP: Authentication Confirmation frame attributes",
			msg);
	/* The Initiator considers authentication complete once it has
	 * verified R-auth and built a successful Confirm. */
	if (status == DPP_STATUS_OK)
		dpp_auth_success(auth);

	return msg;

fail:
	wpabuf_free(msg);
	return NULL;
}
3431 
3432 
/*
 * Initiator-side handling of a DPP Authentication Response whose DPP Status
 * is not OK. For DPP_STATUS_NOT_COMPATIBLE and DPP_STATUS_RESPONSE_PENDING
 * the Wrapped Data is {I-nonce, R-capab}k1 and is decoded so the Responder's
 * role selection can be reported; every other status fails the exchange
 * outright without touching the Wrapped Data. hdr (DPP_HDR_LEN octets) and
 * the attributes in attr_start/attr_len form the AES-SIV associated data.
 * The caller guarantees wrapped_data_len >= AES_BLOCK_SIZE. Errors are
 * signalled through dpp_auth_fail()/wpa_msg(); nothing is returned.
 */
static void
dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr,
			const u8 *attr_start, size_t attr_len,
			const u8 *wrapped_data, u16 wrapped_data_len,
			enum dpp_status_error status)
{
	const u8 *aad[2];
	size_t aad_len[2];
	u8 *plain = NULL;
	size_t plain_len = 0;
	const u8 *nonce, *caps;
	u16 nonce_len, caps_len;
	u8 role;

	switch (status) {
	case DPP_STATUS_NOT_COMPATIBLE:
		wpa_printf(MSG_DEBUG,
			   "DPP: Responder reported incompatible roles");
		break;
	case DPP_STATUS_RESPONSE_PENDING:
		wpa_printf(MSG_DEBUG,
			   "DPP: Responder reported more time needed");
		break;
	default:
		/* Any other status ends the exchange right here */
		wpa_printf(MSG_DEBUG,
			   "DPP: Responder reported failure (status %d)",
			   status);
		dpp_auth_fail(auth, "Responder reported failure");
		return;
	}

	/* AD[0] = frame header, AD[1] = attributes preceding Wrapped Data */
	aad[0] = hdr;
	aad_len[0] = DPP_HDR_LEN;
	aad[1] = attr_start;
	aad_len[1] = attr_len;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", aad[0], aad_len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", aad[1], aad_len[1]);
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);

	/* Plaintext is the ciphertext minus the AES-SIV synthetic IV */
	plain_len = wrapped_data_len - AES_BLOCK_SIZE;
	plain = os_malloc(plain_len);
	if (!plain)
		goto out;
	if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, aad, aad_len, plain) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto out;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", plain, plain_len);

	if (dpp_check_attrs(plain, plain_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto out;
	}

	/* The echoed I-nonce binds this response to our Request */
	nonce = dpp_get_attr(plain, plain_len, DPP_ATTR_I_NONCE, &nonce_len);
	if (!nonce || nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth, "Missing or invalid I-nonce");
		goto out;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", nonce, nonce_len);
	if (os_memcmp(auth->i_nonce, nonce, nonce_len) != 0) {
		dpp_auth_fail(auth, "I-nonce mismatch");
		goto out;
	}

	caps = dpp_get_attr(plain, plain_len, DPP_ATTR_R_CAPABILITIES,
			    &caps_len);
	if (!caps || caps_len < 1) {
		dpp_auth_fail(auth, "Missing or invalid R-capabilities");
		goto out;
	}
	auth->r_capab = caps[0];
	wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);

	if (status == DPP_STATUS_NOT_COMPATIBLE) {
		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
			"r-capab=0x%02x", auth->r_capab);
		goto out;
	}

	/* DPP_STATUS_RESPONSE_PENDING: the Responder's chosen role has to be
	 * the complement of ours before we keep waiting */
	role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
	if (auth->configurator ? role != DPP_CAPAB_ENROLLEE :
	    role != DPP_CAPAB_CONFIGURATOR) {
		wpa_msg(auth->msg_ctx, MSG_INFO,
			DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x",
			role);
		goto out;
	}
	wpa_printf(MSG_DEBUG,
		   "DPP: Continue waiting for full DPP Authentication Response");
	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_RESPONSE_PENDING "%s",
		auth->tmp_own_bi ? auth->tmp_own_bi->uri : "");

out:
	bin_clear_free(plain, plain_len);
}
3529 
3530 
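/**
 * dpp_auth_resp_rx - Process a received DPP Authentication Response (Initiator)
 * @auth: Authentication session state; must have been created as the
 *	Initiator (auth->initiator) with the peer's bootstrapping info
 *	(auth->peer_bi) and our protocol key (auth->own_protocol_key)
 * @hdr: Start of the DPP frame header (DPP_HDR_LEN octets), used as AES-SIV
 *	associated data AD[0]
 * @attr_start: Start of the frame's attribute area
 * @attr_len: Length of the attribute area
 * Returns: Authentication Confirm frame to transmit (status OK,
 * NOT_COMPATIBLE or AUTH_FAILURE), or NULL when the response was rejected,
 * when a non-OK status was fully handled by dpp_auth_resp_rx_status(), or on
 * an internal error. Rejections are reported through dpp_auth_fail().
 *
 * Processing order: the Responder Bootstrapping Key Hash must match
 * auth->peer_bi; the optional Initiator Bootstrapping Key Hash decides whether
 * mutual authentication is used (mandatory after PKEX bootstrapping); the DPP
 * Status is examined; N = pI * PR and k2 are derived; the outer Wrapped Data
 * {R-nonce, I-nonce, R-capab, {R-auth}ke}k2 is unwrapped and validated; ke is
 * derived and R-auth is recomputed and compared with the received tag.
 *
 * Only attributes preceding Wrapped Data are consulted after the Wrapped Data
 * lookup, because only those are covered by the AES-SIV associated data.
 */
struct wpabuf *
dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
		 const u8 *attr_start, size_t attr_len)
{
	/* Initialized so the fail label can always free it safely, no matter
	 * which check jumps there. */
	EVP_PKEY *pr = NULL;
	EVP_PKEY_CTX *ctx = NULL;
	size_t secret_len;
	const u8 *addr[2];
	size_t len[2];
	u8 *unwrapped = NULL, *unwrapped2 = NULL;
	size_t unwrapped_len = 0, unwrapped2_len = 0;
	const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *r_proto,
		*r_nonce, *i_nonce, *r_capab, *wrapped2, *r_auth;
	u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
		r_proto_len, r_nonce_len, i_nonce_len, r_capab_len,
		wrapped2_len, r_auth_len;
	u8 r_auth2[DPP_MAX_HASH_LEN];
	u8 role;
#ifdef CONFIG_DPP2
	const u8 *version;
	u16 version_len;
#endif /* CONFIG_DPP2 */

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_STOP_AT_AUTH_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - stop at Authentication Response");
		return NULL;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Only an Initiator that knows the peer's bootstrapping key can
	 * validate a response. */
	if (!auth->initiator || !auth->peer_bi) {
		dpp_auth_fail(auth, "Unexpected Authentication Response");
		return NULL;
	}

	auth->waiting_auth_resp = 0;

	/* Wrapped Data must at least hold the AES-SIV synthetic IV */
	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Wrapped Data attribute");
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
		    wrapped_data, wrapped_data_len);

	/* Restrict all following lookups to the attributes that precede
	 * Wrapped Data (and its 4-octet attribute header): these are the
	 * AES-SIV AD[1], so anything appended after Wrapped Data is
	 * unauthenticated and must be ignored. */
	attr_len = wrapped_data - 4 - attr_start;

	r_bootstrap = dpp_get_attr(attr_start, attr_len,
				   DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
				   &r_bootstrap_len);
	if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Responder Bootstrapping Key Hash attribute");
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
		    r_bootstrap, r_bootstrap_len);
	if (os_memcmp(r_bootstrap, auth->peer_bi->pubkey_hash,
		      SHA256_MAC_LEN) != 0) {
		dpp_auth_fail(auth,
			      "Unexpected Responder Bootstrapping Key Hash value");
		wpa_hexdump(MSG_DEBUG,
			    "DPP: Expected Responder Bootstrapping Key Hash",
			    auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
		return NULL;
	}

	/* Presence of the Initiator hash means the Responder opted for
	 * mutual authentication; it must then match our own bootstrapping
	 * key. */
	i_bootstrap = dpp_get_attr(attr_start, attr_len,
				   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
				   &i_bootstrap_len);
	if (i_bootstrap) {
		if (i_bootstrap_len != SHA256_MAC_LEN) {
			dpp_auth_fail(auth,
				      "Invalid Initiator Bootstrapping Key Hash attribute");
			return NULL;
		}
		wpa_hexdump(MSG_MSGDUMP,
			    "DPP: Initiator Bootstrapping Key Hash",
			    i_bootstrap, i_bootstrap_len);
		if (!auth->own_bi ||
		    os_memcmp(i_bootstrap, auth->own_bi->pubkey_hash,
			      SHA256_MAC_LEN) != 0) {
			dpp_auth_fail(auth,
				      "Initiator Bootstrapping Key Hash attribute did not match");
			return NULL;
		}
	} else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
		/* PKEX bootstrapping mandates use of mutual authentication */
		dpp_auth_fail(auth,
			      "Missing Initiator Bootstrapping Key Hash attribute");
		return NULL;
	}

	auth->peer_version = 1; /* default to the first version */
#ifdef CONFIG_DPP2
	version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
			       &version_len);
	if (version) {
		if (version_len < 1 || version[0] == 0) {
			dpp_auth_fail(auth,
				      "Invalid Protocol Version attribute");
			return NULL;
		}
		auth->peer_version = version[0];
		wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
			   auth->peer_version);
	}
#endif /* CONFIG_DPP2 */

	status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
			      &status_len);
	if (!status || status_len < 1) {
		dpp_auth_fail(auth,
			      "Missing or invalid required DPP Status attribute");
		return NULL;
	}
	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
	auth->auth_resp_status = status[0];
	/* Non-OK responses carry {I-nonce, R-capab}k1 rather than a protocol
	 * key; they are handled separately and never produce a Confirm. */
	if (status[0] != DPP_STATUS_OK) {
		dpp_auth_resp_rx_status(auth, hdr, attr_start,
					attr_len, wrapped_data,
					wrapped_data_len, status[0]);
		return NULL;
	}

	/* A QR-Code Initiator may have offered mutual authentication that the
	 * Responder declined; drop own_bi so the tags are computed without
	 * BI.x. */
	if (!i_bootstrap && auth->own_bi) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Responder decided not to use mutual authentication");
		auth->own_bi = NULL;
	}

	wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_DIRECTION "mutual=%d",
		auth->own_bi != NULL);

	r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
			       &r_proto_len);
	if (!r_proto) {
		dpp_auth_fail(auth,
			      "Missing required Responder Protocol Key attribute");
		return NULL;
	}
	wpa_hexdump(MSG_MSGDUMP, "DPP: Responder Protocol Key",
		    r_proto, r_proto_len);

	/* N = pI * PR */
	/* The point is validated against our own key's curve by
	 * dpp_set_pubkey_point() (rejects an off-curve/malformed PR). */
	pr = dpp_set_pubkey_point(auth->own_protocol_key, r_proto, r_proto_len);
	if (!pr) {
		dpp_auth_fail(auth, "Invalid Responder Protocol Key");
		return NULL;
	}
	dpp_debug_print_key("Peer (Responder) Protocol Key", pr);

	/* Two-pass derive: query the length first and bound it before
	 * writing into the fixed-size auth->Nx buffer. */
	ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, pr) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
	    secret_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
		goto fail;
	}
	EVP_PKEY_CTX_free(ctx);
	ctx = NULL;
	auth->peer_protocol_key = pr;
	pr = NULL;

	/* NOTE(review): auth->secret_len (set earlier when M.x was derived,
	 * not visible here) is reused for N.x instead of this derivation's
	 * secret_len; both come from the same curve, so the lengths are
	 * presumed equal - confirm. */
	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
			auth->Nx, auth->secret_len);
	auth->Nx_len = auth->secret_len;

	if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
			  auth->curve->hash_len) < 0)
		goto fail;

	/* AD[0] = frame header, AD[1] = attributes preceding Wrapped Data */
	addr[0] = hdr;
	len[0] = DPP_HDR_LEN;
	addr[1] = attr_start;
	len[1] = attr_len;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		goto fail;
	if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, addr, len, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
			       &r_nonce_len);
	if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", r_nonce, r_nonce_len);
	os_memcpy(auth->r_nonce, r_nonce, r_nonce_len);

	/* The echoed I-nonce binds this response to our Request */
	i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
			       &i_nonce_len);
	if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth, "Missing or invalid I-nonce");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
	if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
		dpp_auth_fail(auth, "I-nonce mismatch");
		goto fail;
	}

	if (auth->own_bi) {
		/* Mutual authentication */
		if (dpp_auth_derive_l_initiator(auth) < 0)
			goto fail;
	}

	r_capab = dpp_get_attr(unwrapped, unwrapped_len,
			       DPP_ATTR_R_CAPABILITIES,
			       &r_capab_len);
	if (!r_capab || r_capab_len < 1) {
		dpp_auth_fail(auth, "Missing or invalid R-capabilities");
		goto fail;
	}
	auth->r_capab = r_capab[0];
	wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
	role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
	if ((auth->allowed_roles ==
	     (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) &&
	    (role == DPP_CAPAB_CONFIGURATOR || role == DPP_CAPAB_ENROLLEE)) {
		/* Peer selected its role, so move from "either role" to the
		 * role that is compatible with peer's selection. */
		auth->configurator = role == DPP_CAPAB_ENROLLEE;
		wpa_printf(MSG_DEBUG, "DPP: Acting as %s",
			   auth->configurator ? "Configurator" : "Enrollee");
	} else if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
		   (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
		wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection");
		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"Unexpected role in R-capabilities 0x%02x",
			role);
		/* A well-formed but incompatible role gets a NOT_COMPATIBLE
		 * Confirm ({R-nonce}k2); a garbage role value is just a
		 * protocol error. */
		if (role != DPP_CAPAB_ENROLLEE &&
		    role != DPP_CAPAB_CONFIGURATOR)
			goto fail;
		bin_clear_free(unwrapped, unwrapped_len);
		auth->remove_on_tx_status = 1;
		return dpp_auth_build_conf(auth, DPP_STATUS_NOT_COMPATIBLE);
	}

	/* Secondary Wrapped Data: {R-auth}ke, nested inside the k2 payload
	 * and encrypted without associated data. */
	wrapped2 = dpp_get_attr(unwrapped, unwrapped_len,
				DPP_ATTR_WRAPPED_DATA, &wrapped2_len);
	if (!wrapped2 || wrapped2_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid Secondary Wrapped Data");
		goto fail;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped2, wrapped2_len);

	/* ke needs both nonces (and L for mutual authentication), which are
	 * only available now. */
	if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
		goto fail;

	unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
	unwrapped2 = os_malloc(unwrapped2_len);
	if (!unwrapped2)
		goto fail;
	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
			    wrapped2, wrapped2_len,
			    0, NULL, NULL, unwrapped2) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped2, unwrapped2_len);

	if (dpp_check_attrs(unwrapped2, unwrapped2_len) < 0) {
		dpp_auth_fail(auth,
			      "Invalid attribute in secondary unwrapped data");
		goto fail;
	}

	r_auth = dpp_get_attr(unwrapped2, unwrapped2_len, DPP_ATTR_R_AUTH_TAG,
			       &r_auth_len);
	if (!r_auth || r_auth_len != auth->curve->hash_len) {
		dpp_auth_fail(auth,
			      "Missing or invalid Responder Authenticating Tag");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Received Responder Authenticating Tag",
		    r_auth, r_auth_len);
	/* R-auth' = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
	if (dpp_gen_r_auth(auth, r_auth2) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: Calculated Responder Authenticating Tag",
		    r_auth2, r_auth_len);
	/* NOTE(review): os_memcmp() is not constant-time. The exchange is
	 * torn down on the first mismatch (remove_on_tx_status) and every
	 * session uses fresh nonces, so a timing oracle gets one guess per
	 * session; a constant-time compare would still be the conservative
	 * choice for an authentication tag. */
	if (os_memcmp(r_auth, r_auth2, r_auth_len) != 0) {
		dpp_auth_fail(auth, "Mismatching Responder Authenticating Tag");
		bin_clear_free(unwrapped, unwrapped_len);
		bin_clear_free(unwrapped2, unwrapped2_len);
		auth->remove_on_tx_status = 1;
		/* Tell the peer with {R-nonce}k2 so it can distinguish a
		 * genuine failure from a forged one. */
		return dpp_auth_build_conf(auth, DPP_STATUS_AUTH_FAILURE);
	}

	bin_clear_free(unwrapped, unwrapped_len);
	bin_clear_free(unwrapped2, unwrapped2_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AUTH_RESP_IN_PLACE_OF_CONF) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - Authentication Response in place of Confirm");
		if (dpp_auth_build_resp_ok(auth) < 0)
			return NULL;
		return wpabuf_dup(auth->resp_msg);
	}
#endif /* CONFIG_TESTING_OPTIONS */

	return dpp_auth_build_conf(auth, DPP_STATUS_OK);

fail:
	/* Decrypted material is wiped, not just freed */
	bin_clear_free(unwrapped, unwrapped_len);
	bin_clear_free(unwrapped2, unwrapped2_len);
	EVP_PKEY_free(pr);
	EVP_PKEY_CTX_free(ctx);
	return NULL;
}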
3874 
3875 
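/**
 * dpp_auth_conf_rx_failure - Handle a DPP Authentication Confirm whose
 * DPP Status reports a failure (Responder)
 * @auth: Authentication session state (auth->k2 and auth->r_nonce must have
 *	been set while building the Authentication Response)
 * @hdr: Start of the DPP frame header (DPP_HDR_LEN octets), AES-SIV AD[0]
 * @attr_start: Attributes preceding Wrapped Data, AES-SIV AD[1]
 * @attr_len: Length of those attributes
 * @wrapped_data: Wrapped Data attribute value (caller guarantees at least
 *	AES_BLOCK_SIZE octets)
 * @wrapped_data_len: Length of wrapped_data
 * @status: The non-OK DPP Status carried by the frame
 * Returns: -1 always; a failure status ends the exchange either way
 *
 * The Initiator wraps the Responder's own R-nonce under k2 in these frames
 * ({R-nonce}k2, see dpp_auth_build_conf()). Decrypting it and comparing with
 * auth->r_nonce ties the failure report to the Initiator that derived k2.
 * Note that a frame failing AES-SIV verification is still reported via
 * dpp_auth_fail() rather than silently ignored; whether that tears the
 * session down is up to dpp_auth_fail()'s handling, which is not visible
 * here.
 */
static int dpp_auth_conf_rx_failure(struct dpp_authentication *auth,
				    const u8 *hdr,
				    const u8 *attr_start, size_t attr_len,
				    const u8 *wrapped_data,
				    u16 wrapped_data_len,
				    enum dpp_status_error status)
{
	const u8 *addr[2];
	size_t len[2];
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	const u8 *r_nonce;
	u16 r_nonce_len;

	/* Authentication Confirm failure cases are expected to include
	 * {R-nonce}k2 in the Wrapped Data attribute. */

	addr[0] = hdr;
	len[0] = DPP_HDR_LEN;
	addr[1] = attr_start;
	len[1] = attr_len;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	/* Plaintext is the ciphertext minus the AES-SIV synthetic IV */
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped) {
		dpp_auth_fail(auth, "Authentication failed");
		goto fail;
	}
	if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, addr, len, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	/* The returned R-nonce must be the one we sent in our Response */
	r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
			       &r_nonce_len);
	if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
		goto fail;
	}
	if (os_memcmp(r_nonce, auth->r_nonce, r_nonce_len) != 0) {
		wpa_hexdump(MSG_DEBUG, "DPP: Received R-nonce",
			    r_nonce, r_nonce_len);
		wpa_hexdump(MSG_DEBUG, "DPP: Expected R-nonce",
			    auth->r_nonce, r_nonce_len);
		dpp_auth_fail(auth, "R-nonce mismatch");
		goto fail;
	}

	/* Report the peer's stated reason; other status values fall through
	 * without an event (the caller decides what to do with -1).
	 * Fixed: the AUTH_FAILURE message used to carry a stray ')'. */
	if (status == DPP_STATUS_NOT_COMPATIBLE)
		dpp_auth_fail(auth, "Peer reported incompatible R-capab role");
	else if (status == DPP_STATUS_AUTH_FAILURE)
		dpp_auth_fail(auth, "Peer reported authentication failure");

fail:
	/* Decrypted material is wiped, not just freed */
	bin_clear_free(unwrapped, unwrapped_len);
	return -1;
}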
3945 
3946 
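/**
 * dpp_auth_conf_rx - Process a received DPP Authentication Confirm
 * @auth: Authentication session state; must be the Responder side
 *	(auth->initiator == 0 and auth->own_bi set), otherwise the frame is
 *	rejected
 * @hdr: DPP header of the frame; its first DPP_HDR_LEN octets are AES-SIV AD[0]
 * @attr_start: Start of the frame attributes
 * @attr_len: Length of the attributes in octets
 * Returns: 0 on successful authentication (dpp_auth_success() has been
 * called), -1 on failure
 *
 * The Wrapped Data attribute is unwrapped with AES-SIV under auth->ke and is
 * expected to carry the Initiator Authenticating Tag, which is compared with
 * the locally computed I-auth'. A non-OK Status attribute is handed to
 * dpp_auth_conf_rx_failure(). Failures are reported through dpp_auth_fail()
 * except for memory allocation failure and a dpp_gen_i_auth() error, which
 * return -1 without a report.
 */
int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
		     const u8 *attr_start, size_t attr_len)
{
	const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *i_auth;
	u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
		i_auth_len;
	const u8 *addr[2];
	size_t len[2];
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	u8 i_auth2[DPP_MAX_HASH_LEN];

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - stop at Authentication Confirm");
		return -1;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	if (auth->initiator || !auth->own_bi) {
		dpp_auth_fail(auth, "Unexpected Authentication Confirm");
		return -1;
	}

	auth->waiting_auth_conf = 0;

	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Wrapped Data attribute");
		return -1;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
		    wrapped_data, wrapped_data_len);

	/* Only the attributes preceding the Wrapped Data attribute (up to its
	 * 4-octet header) are authenticated as AD[1]; the remaining lookups
	 * are restricted to that same range. */
	attr_len = wrapped_data - 4 - attr_start;

	r_bootstrap = dpp_get_attr(attr_start, attr_len,
				   DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
				   &r_bootstrap_len);
	if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Responder Bootstrapping Key Hash attribute");
		return -1;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
		    r_bootstrap, r_bootstrap_len);
	if (os_memcmp(r_bootstrap, auth->own_bi->pubkey_hash,
		      SHA256_MAC_LEN) != 0) {
		/* Dump the value the comparison actually used (own_bi).
		 * auth->peer_bi is optional on this path and must not be
		 * dereferenced here. */
		wpa_hexdump(MSG_DEBUG,
			    "DPP: Expected Responder Bootstrapping Key Hash",
			    auth->own_bi->pubkey_hash, SHA256_MAC_LEN);
		dpp_auth_fail(auth,
			      "Responder Bootstrapping Key Hash mismatch");
		return -1;
	}

	i_bootstrap = dpp_get_attr(attr_start, attr_len,
				   DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
				   &i_bootstrap_len);
	if (i_bootstrap) {
		if (i_bootstrap_len != SHA256_MAC_LEN) {
			dpp_auth_fail(auth,
				      "Invalid Initiator Bootstrapping Key Hash attribute");
			return -1;
		}
		wpa_hexdump(MSG_MSGDUMP,
			    "DPP: Initiator Bootstrapping Key Hash",
			    i_bootstrap, i_bootstrap_len);
		if (!auth->peer_bi ||
		    os_memcmp(i_bootstrap, auth->peer_bi->pubkey_hash,
			      SHA256_MAC_LEN) != 0) {
			dpp_auth_fail(auth,
				      "Initiator Bootstrapping Key Hash mismatch");
			return -1;
		}
	} else if (auth->peer_bi) {
		/* Mutual authentication and peer did not include its
		 * Bootstrapping Key Hash attribute. */
		dpp_auth_fail(auth,
			      "Missing Initiator Bootstrapping Key Hash attribute");
		return -1;
	}

	status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
			      &status_len);
	if (!status || status_len < 1) {
		dpp_auth_fail(auth,
			      "Missing or invalid required DPP Status attribute");
		return -1;
	}
	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
	/* The peer's failure report is wrapped under k2 rather than ke and is
	 * handled by a dedicated routine. */
	if (status[0] == DPP_STATUS_NOT_COMPATIBLE ||
	    status[0] == DPP_STATUS_AUTH_FAILURE)
		return dpp_auth_conf_rx_failure(auth, hdr, attr_start,
						attr_len, wrapped_data,
						wrapped_data_len, status[0]);

	if (status[0] != DPP_STATUS_OK) {
		dpp_auth_fail(auth, "Authentication failed");
		return -1;
	}

	addr[0] = hdr;
	len[0] = DPP_HDR_LEN;
	addr[1] = attr_start;
	len[1] = attr_len;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	/* AES-SIV output is AES_BLOCK_SIZE octets shorter than the input
	 * (the synthetic IV is stripped). */
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		return -1;
	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, addr, len, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	i_auth = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
			      &i_auth_len);
	if (!i_auth || i_auth_len != auth->curve->hash_len) {
		dpp_auth_fail(auth,
			      "Missing or invalid Initiator Authenticating Tag");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Received Initiator Authenticating Tag",
		    i_auth, i_auth_len);
	/* I-auth' = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
	if (dpp_gen_i_auth(auth, i_auth2) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: Calculated Initiator Authenticating Tag",
		    i_auth2, i_auth_len);
	if (os_memcmp(i_auth, i_auth2, i_auth_len) != 0) {
		dpp_auth_fail(auth, "Mismatching Initiator Authenticating Tag");
		goto fail;
	}

	bin_clear_free(unwrapped, unwrapped_len);
	dpp_auth_success(auth);
	return 0;
fail:
	bin_clear_free(unwrapped, unwrapped_len);
	return -1;
}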
4104 
4105 
/* Compare the non-NUL-terminated byte range (val, len) with the C string
 * cmp. Returns nonzero only when both the length and the contents match. */
static int bin_str_eq(const char *val, size_t len, const char *cmp)
{
	if (os_strlen(cmp) != len)
		return 0;
	return os_memcmp(val, cmp, len) == 0;
}
4110 
4111 
/**
 * dpp_configuration_alloc - Allocate a configuration from an AKM type name
 * @type: AKM name ("psk", "sae", "psk-sae"/"psk+sae", "sae-dpp"/"dpp+sae",
 *	"psk-sae-dpp"/"dpp+psk+sae" or "dpp"); only the text before the first
 *	space character is considered
 * Returns: Newly allocated configuration with conf->akm set, or NULL on
 * allocation failure or an unknown type. Free with dpp_configuration_free().
 */
struct dpp_configuration * dpp_configuration_alloc(const char *type)
{
	static const struct {
		const char *name;
		enum dpp_akm akm;
	} akm_names[] = {
		{ "psk", DPP_AKM_PSK },
		{ "sae", DPP_AKM_SAE },
		{ "psk-sae", DPP_AKM_PSK_SAE },
		{ "psk+sae", DPP_AKM_PSK_SAE },
		{ "sae-dpp", DPP_AKM_SAE_DPP },
		{ "dpp+sae", DPP_AKM_SAE_DPP },
		{ "psk-sae-dpp", DPP_AKM_PSK_SAE_DPP },
		{ "dpp+psk+sae", DPP_AKM_PSK_SAE_DPP },
		{ "dpp", DPP_AKM_DPP },
	};
	struct dpp_configuration *conf;
	const char *space;
	size_t type_len;
	size_t i;

	conf = os_zalloc(sizeof(*conf));
	if (!conf)
		return NULL;

	/* Only the first space-delimited token names the AKM */
	space = os_strchr(type, ' ');
	type_len = space ? (size_t) (space - type) : os_strlen(type);

	for (i = 0; i < sizeof(akm_names) / sizeof(akm_names[0]); i++) {
		if (bin_str_eq(type, type_len, akm_names[i].name)) {
			conf->akm = akm_names[i].akm;
			return conf;
		}
	}

	/* Unknown AKM type */
	dpp_configuration_free(conf);
	return NULL;
}
4151 
4152 
/* Return 1 when the AKM includes a PSK component, 0 otherwise */
int dpp_akm_psk(enum dpp_akm akm)
{
	switch (akm) {
	case DPP_AKM_PSK:
	case DPP_AKM_PSK_SAE:
	case DPP_AKM_PSK_SAE_DPP:
		return 1;
	default:
		return 0;
	}
}
4158 
4159 
/* Return 1 when the AKM includes an SAE component, 0 otherwise */
int dpp_akm_sae(enum dpp_akm akm)
{
	switch (akm) {
	case DPP_AKM_SAE:
	case DPP_AKM_PSK_SAE:
	case DPP_AKM_SAE_DPP:
	case DPP_AKM_PSK_SAE_DPP:
		return 1;
	default:
		return 0;
	}
}
4165 
4166 
/* Return 1 for the pure legacy (non-DPP) AKMs: PSK, SAE and PSK+SAE */
int dpp_akm_legacy(enum dpp_akm akm)
{
	switch (akm) {
	case DPP_AKM_PSK:
	case DPP_AKM_PSK_SAE:
	case DPP_AKM_SAE:
		return 1;
	default:
		return 0;
	}
}
4172 
4173 
/* Return 1 when the AKM includes the DPP (Connector-based) component */
int dpp_akm_dpp(enum dpp_akm akm)
{
	switch (akm) {
	case DPP_AKM_DPP:
	case DPP_AKM_SAE_DPP:
	case DPP_AKM_PSK_SAE_DPP:
		return 1;
	default:
		return 0;
	}
}
4179 
4180 
/* Return 1 for the combined DPP+legacy AKMs that require a version 2 peer */
int dpp_akm_ver2(enum dpp_akm akm)
{
	switch (akm) {
	case DPP_AKM_SAE_DPP:
	case DPP_AKM_PSK_SAE_DPP:
		return 1;
	default:
		return 0;
	}
}
4185 
4186 
/**
 * dpp_configuration_valid - Check that a configuration can be provisioned
 * @conf: Configuration to check
 * Returns: 1 if valid, 0 otherwise
 *
 * An SSID is always required. SAE-capable AKMs need a passphrase; PSK-capable
 * AKMs accept either a passphrase or a raw PSK.
 */
int dpp_configuration_valid(const struct dpp_configuration *conf)
{
	int have_passphrase;

	if (conf->ssid_len == 0)
		return 0;

	have_passphrase = conf->passphrase != NULL;
	if (dpp_akm_sae(conf->akm) && !have_passphrase)
		return 0;
	if (dpp_akm_psk(conf->akm) && !have_passphrase && !conf->psk_set)
		return 0;

	return 1;
}
4197 
4198 
/**
 * dpp_configuration_free - Free a configuration and clear its secrets
 * @conf: Configuration to free; NULL is accepted and ignored
 */
void dpp_configuration_free(struct dpp_configuration *conf)
{
	if (conf) {
		/* The passphrase and the PSK inside the struct are secrets,
		 * so both are cleared before release. */
		str_clear_free(conf->passphrase);
		os_free(conf->group_id);
		bin_clear_free(conf, sizeof(*conf));
	}
}
4207 
4208 
/**
 * dpp_configuration_parse - Parse Configurator parameters from a command
 * @auth: Authentication session that receives the parsed configuration(s)
 * @cmd: Command text containing space-prefixed "conf=sta-<akm>" and/or
 *	"conf=ap-<akm>" and the optional "ssid=<hex>", "pass=<hex>",
 *	"psk=<hex>", "group_id=<text>" and "expiry=<number>" parameters
 * Returns: 0 on success (also when no conf= parameter is present), -1 on
 * failure
 *
 * On success ownership of the allocated configurations moves to
 * auth->conf_sta and auth->conf_ap; on failure both are freed here.
 */
static int dpp_configuration_parse(struct dpp_authentication *auth,
				   const char *cmd)
{
	const char *pos, *end;
	struct dpp_configuration *conf_sta = NULL, *conf_ap = NULL;
	/* The configuration that receives the parameters parsed below:
	 * conf_ap when " conf=ap-" is present, otherwise conf_sta.
	 * NOTE(review): when both are given, only conf_ap is filled in and
	 * validated; conf_sta is stored with just its AKM set. */
	struct dpp_configuration *conf = NULL;

	/* pos + 10 skips the " conf=sta-" prefix */
	pos = os_strstr(cmd, " conf=sta-");
	if (pos) {
		conf_sta = dpp_configuration_alloc(pos + 10);
		if (!conf_sta)
			goto fail;
		conf = conf_sta;
	}

	/* pos + 9 skips the " conf=ap-" prefix */
	pos = os_strstr(cmd, " conf=ap-");
	if (pos) {
		conf_ap = dpp_configuration_alloc(pos + 9);
		if (!conf_ap)
			goto fail;
		conf = conf_ap;
	}

	if (!conf)
		return 0;

	/* SSID is hex encoded: half the text length is the octet count */
	pos = os_strstr(cmd, " ssid=");
	if (pos) {
		pos += 6;
		end = os_strchr(pos, ' ');
		conf->ssid_len = end ? (size_t) (end - pos) : os_strlen(pos);
		conf->ssid_len /= 2;
		if (conf->ssid_len > sizeof(conf->ssid) ||
		    hexstr2bin(pos, conf->ssid, conf->ssid_len) < 0)
			goto fail;
	} else {
#ifdef CONFIG_TESTING_OPTIONS
		/* use a default SSID for legacy testing reasons */
		os_memcpy(conf->ssid, "test", 4);
		conf->ssid_len = 4;
#else /* CONFIG_TESTING_OPTIONS */
		goto fail;
#endif /* CONFIG_TESTING_OPTIONS */
	}

	/* Passphrase is hex encoded; the decoded length must be 8..63 octets
	 * and the allocation leaves room for a NUL terminator. */
	pos = os_strstr(cmd, " pass=");
	if (pos) {
		size_t pass_len;

		pos += 6;
		end = os_strchr(pos, ' ');
		pass_len = end ? (size_t) (end - pos) : os_strlen(pos);
		pass_len /= 2;
		if (pass_len > 63 || pass_len < 8)
			goto fail;
		conf->passphrase = os_zalloc(pass_len + 1);
		if (!conf->passphrase ||
		    hexstr2bin(pos, (u8 *) conf->passphrase, pass_len) < 0)
			goto fail;
	}

	/* Raw PSK: exactly PMK_LEN octets of hex are decoded */
	pos = os_strstr(cmd, " psk=");
	if (pos) {
		pos += 5;
		if (hexstr2bin(pos, conf->psk, PMK_LEN) < 0)
			goto fail;
		conf->psk_set = 1;
	}

	/* group_id is copied verbatim up to the next space (no length cap) */
	pos = os_strstr(cmd, " group_id=");
	if (pos) {
		size_t group_id_len;

		pos += 10;
		end = os_strchr(pos, ' ');
		group_id_len = end ? (size_t) (end - pos) : os_strlen(pos);
		conf->group_id = os_malloc(group_id_len + 1);
		if (!conf->group_id)
			goto fail;
		os_memcpy(conf->group_id, pos, group_id_len);
		conf->group_id[group_id_len] = '\0';
	}

	/* expiry: strtol() with base 0 accepts decimal, 0x-prefixed hex and
	 * leading-0 octal. NOTE(review): only val <= 0 is rejected; a parse
	 * with no digits or an out-of-range value is not otherwise detected. */
	pos = os_strstr(cmd, " expiry=");
	if (pos) {
		long int val;

		pos += 8;
		val = strtol(pos, NULL, 0);
		if (val <= 0)
			goto fail;
		conf->netaccesskey_expiry = val;
	}

	if (!dpp_configuration_valid(conf))
		goto fail;

	auth->conf_sta = conf_sta;
	auth->conf_ap = conf_ap;
	return 0;

fail:
	dpp_configuration_free(conf_sta);
	dpp_configuration_free(conf_ap);
	return -1;
}
4315 
4316 
/**
 * dpp_configurator_get_id - Look up a configurator by its numeric id
 * @dpp: Global DPP context; NULL yields NULL
 * @id: Configurator id to find
 * Returns: Matching configurator, or NULL if not found
 */
static struct dpp_configurator *
dpp_configurator_get_id(struct dpp_global *dpp, unsigned int id)
{
	struct dpp_configurator *entry, *match = NULL;

	if (!dpp)
		return NULL;

	dl_list_for_each(entry, &dpp->configurator,
			 struct dpp_configurator, list) {
		if (entry->id != id)
			continue;
		match = entry;
		break;
	}

	return match;
}
4332 
4333 
/**
 * dpp_set_configurator - Select a configurator and parse its parameters
 * @dpp: Global DPP context used to resolve the " configurator=<id>" value
 * @msg_ctx: Context for wpa_msg() reporting
 * @auth: Authentication session to update
 * @cmd: Command text; NULL means nothing to do
 * Returns: 0 on success, -1 if the configurator is unknown or the
 * configuration parameters cannot be parsed
 */
int dpp_set_configurator(struct dpp_global *dpp, void *msg_ctx,
			 struct dpp_authentication *auth,
			 const char *cmd)
{
	const char *id_str;

	if (!cmd)
		return 0;

	wpa_printf(MSG_DEBUG, "DPP: Set configurator parameters: %s", cmd);

	id_str = os_strstr(cmd, " configurator=");
	if (id_str) {
		/* id_str + 14 skips the " configurator=" prefix */
		auth->conf = dpp_configurator_get_id(dpp, atoi(id_str + 14));
		if (!auth->conf) {
			wpa_printf(MSG_INFO,
				   "DPP: Could not find the specified configurator");
			return -1;
		}
	}

	if (dpp_configuration_parse(auth, cmd) < 0) {
		wpa_msg(msg_ctx, MSG_INFO,
			"DPP: Failed to set configurator parameters");
		return -1;
	}

	return 0;
}
4363 
4364 
/**
 * dpp_auth_deinit - Free an authentication session and everything it owns
 * @auth: Session to free; NULL is accepted and ignored
 *
 * The session struct holds derived keys (e.g., ke, k2), so it is cleared
 * before being released.
 */
void dpp_auth_deinit(struct dpp_authentication *auth)
{
	if (!auth)
		return;

	/* Enrollee configurations and protocol keys */
	dpp_configuration_free(auth->conf_ap);
	dpp_configuration_free(auth->conf_sta);
	EVP_PKEY_free(auth->own_protocol_key);
	EVP_PKEY_free(auth->peer_protocol_key);

	/* Retained protocol messages */
	wpabuf_free(auth->req_msg);
	wpabuf_free(auth->resp_msg);
	wpabuf_free(auth->conf_req);

	/* Provisioned credentials and temporary bootstrapping info */
	os_free(auth->connector);
	wpabuf_free(auth->net_access_key);
	wpabuf_free(auth->c_sign_key);
	dpp_bootstrap_info_free(auth->tmp_own_bi);

#ifdef CONFIG_TESTING_OPTIONS
	os_free(auth->config_obj_override);
	os_free(auth->discovery_override);
	os_free(auth->groups_override);
#endif /* CONFIG_TESTING_OPTIONS */

	bin_clear_free(auth, sizeof(*auth));
}
4387 
4388 
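/**
 * dpp_build_conf_start - Start a DPP Configuration Object JSON buffer
 * @auth: Authentication session (only used for testing overrides)
 * @conf: Configuration supplying the SSID for the "discovery" object
 * @tailroom: Extra octets the caller will append after the returned prefix
 * Returns: Buffer holding '{"wi-fi_tech":"infra","discovery":{"ssid":"..."},'
 * or NULL on allocation failure
 */
static struct wpabuf *
dpp_build_conf_start(struct dpp_authentication *auth,
		     struct dpp_configuration *conf, size_t tailroom)
{
	struct wpabuf *buf;
	/* json_escape_string() may expand each SSID octet to up to six
	 * characters (\uXXXX), plus the terminating NUL. */
	char ssid[6 * sizeof(conf->ssid) + 1];

#ifdef CONFIG_TESTING_OPTIONS
	if (auth->discovery_override)
		tailroom += os_strlen(auth->discovery_override);
#endif /* CONFIG_TESTING_OPTIONS */

	/* Size for the fixed JSON text plus the worst-case escaped SSID on
	 * top of the caller's tailroom; a fixed 200 octets alone does not
	 * cover the largest escaped SSID and was only sufficient because
	 * callers pass generous tailroom. */
	buf = wpabuf_alloc(200 + sizeof(ssid) + tailroom);
	if (!buf)
		return NULL;
	wpabuf_put_str(buf, "{\"wi-fi_tech\":\"infra\",\"discovery\":");
#ifdef CONFIG_TESTING_OPTIONS
	if (auth->discovery_override) {
		wpa_printf(MSG_DEBUG, "DPP: TESTING - discovery override: '%s'",
			   auth->discovery_override);
		wpabuf_put_str(buf, auth->discovery_override);
		wpabuf_put_u8(buf, ',');
		return buf;
	}
#endif /* CONFIG_TESTING_OPTIONS */
	wpabuf_put_str(buf, "{\"ssid\":\"");
	json_escape_string(ssid, sizeof(ssid),
			   (const char *) conf->ssid, conf->ssid_len);
	wpabuf_put_str(buf, ssid);
	wpabuf_put_str(buf, "\"},");

	return buf;
}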
4422 
4423 
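/**
 * dpp_build_jwk - Append an EC public key as a JSON Web Key member
 * @buf: Destination buffer; receives
 *	"<name>":{"kty":"EC","crv":"<crv>","x":"<b64url>","y":"<b64url>"[,"kid":"<kid>"]}
 * @name: JSON member name for the key object
 * @key: EC key whose public point is encoded
 * @kid: Optional key identifier; the "kid" member is omitted when NULL
 * @curve: Curve parameters providing the JWK "crv" name and the coordinate
 *	length (prime_len)
 * Returns: 0 on success, -1 on failure
 */
static int dpp_build_jwk(struct wpabuf *buf, const char *name, EVP_PKEY *key,
			 const char *kid, const struct dpp_curve_params *curve)
{
	struct wpabuf *pub;
	const u8 *pos;
	char *x = NULL, *y = NULL;
	int ret = -1;

	pub = dpp_get_pubkey_point(key, 0);
	if (!pub)
		goto fail;
	/* x and y are read as two consecutive prime_len runs, so the point
	 * buffer must be at least that long; reject a key/curve mismatch
	 * instead of reading past the buffer. */
	if (wpabuf_len(pub) < 2 * curve->prime_len)
		goto fail;
	pos = wpabuf_head(pub);
	x = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
	pos += curve->prime_len;
	y = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
	if (!x || !y)
		goto fail;

	wpabuf_put_str(buf, "\"");
	wpabuf_put_str(buf, name);
	wpabuf_put_str(buf, "\":{\"kty\":\"EC\",\"crv\":\"");
	wpabuf_put_str(buf, curve->jwk_crv);
	wpabuf_put_str(buf, "\",\"x\":\"");
	wpabuf_put_str(buf, x);
	wpabuf_put_str(buf, "\",\"y\":\"");
	wpabuf_put_str(buf, y);
	if (kid) {
		wpabuf_put_str(buf, "\",\"kid\":\"");
		wpabuf_put_str(buf, kid);
	}
	wpabuf_put_str(buf, "\"}");
	ret = 0;
fail:
	wpabuf_free(pub);
	os_free(x);
	os_free(y);
	return ret;
}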
4462 
4463 
/* Append the legacy credential member to a "cred" JSON object: "pass" (the
 * JSON-escaped passphrase) when a passphrase shorter than 64 characters is
 * set, otherwise "psk_hex" when a raw PSK is set. Nothing is written when
 * neither secret is available. */
static void dpp_build_legacy_cred_params(struct wpabuf *buf,
					 struct dpp_configuration *conf)
{
	const char *passphrase = conf->passphrase;

	if (passphrase && os_strlen(passphrase) < 64) {
		char escaped[63 * 6 + 1];

		json_escape_string(escaped, sizeof(escaped), passphrase,
				   os_strlen(passphrase));
		wpabuf_put_str(buf, "\"pass\":\"");
		wpabuf_put_str(buf, escaped);
		wpabuf_put_str(buf, "\"");
		/* NOTE(review): a plain memset of a stack buffer about to go
		 * out of scope may be elided by the compiler; a forced-zeroing
		 * helper would be more robust for this secret. */
		os_memset(escaped, 0, sizeof(escaped));
		return;
	}

	if (conf->psk_set) {
		char psk_hex[2 * sizeof(conf->psk) + 1];

		wpa_snprintf_hex(psk_hex, sizeof(psk_hex),
				 conf->psk, sizeof(conf->psk));
		wpabuf_put_str(buf, "\"psk_hex\":\"");
		wpabuf_put_str(buf, psk_hex);
		wpabuf_put_str(buf, "\"");
		os_memset(psk_hex, 0, sizeof(psk_hex));
	}
}
4487 
4488 
/**
 * dpp_build_conf_obj_dpp - Build a DPP Configuration Object with a Connector
 * @auth: Authentication session; auth->conf (the Configurator) must be set
 *	and auth->peer_protocol_key is the Enrollee key placed in the Connector
 * @ap: 1 for an AP Enrollee ("netRole":"ap"), 0 for a STA
 * @conf: Configuration (AKM, SSID, optional group_id/expiry, legacy secrets)
 * Returns: Buffer with the complete JSON object, or NULL on failure
 *
 * The Connector is a compact JWS: base64url(protected header) "."
 * base64url(dppCon) "." base64url(signature), where the signature is an
 * ECDSA signature by the Configurator signing key converted from DER to raw
 * r|s (2 * prime_len octets).
 */
static struct wpabuf *
dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
		       struct dpp_configuration *conf)
{
	struct wpabuf *buf = NULL;
	char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL;
	size_t tailroom;
	const struct dpp_curve_params *curve;
	char jws_prot_hdr[100];
	size_t signed1_len, signed2_len, signed3_len;
	struct wpabuf *dppcon = NULL;
	unsigned char *signature = NULL;
	const unsigned char *p;
	size_t signature_len;
	EVP_MD_CTX *md_ctx = NULL;
	ECDSA_SIG *sig = NULL;
	char *dot = ".";
	const EVP_MD *sign_md;
	const BIGNUM *r, *s;
	size_t extra_len = 1000;
	int incl_legacy;
	enum dpp_akm akm;

	if (!auth->conf) {
		wpa_printf(MSG_INFO,
			   "DPP: No configurator specified - cannot generate DPP config object");
		goto fail;
	}
	/* The signing hash follows the Configurator curve's hash length */
	curve = auth->conf->curve;
	if (curve->hash_len == SHA256_MAC_LEN) {
		sign_md = EVP_sha256();
	} else if (curve->hash_len == SHA384_MAC_LEN) {
		sign_md = EVP_sha384();
	} else if (curve->hash_len == SHA512_MAC_LEN) {
		sign_md = EVP_sha512();
	} else {
		wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
		goto fail;
	}

	/* Combined DPP+legacy AKMs need a version 2 peer; fall back to
	 * DPP-only for older peers. */
	akm = conf->akm;
	if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Convert DPP+legacy credential to DPP-only for peer that does not support version 2");
		akm = DPP_AKM_DPP;
	}

#ifdef CONFIG_TESTING_OPTIONS
	if (auth->groups_override)
		extra_len += os_strlen(auth->groups_override);
#endif /* CONFIG_TESTING_OPTIONS */

	if (conf->group_id)
		extra_len += os_strlen(conf->group_id);

	/* Connector (JSON dppCon object) */
	/* 2 * prime_len * 4 / 3 estimates the base64url-encoded x|y of the
	 * netAccessKey JWK; extra_len covers the remaining JSON text. */
	dppcon = wpabuf_alloc(extra_len + 2 * auth->curve->prime_len * 4 / 3);
	if (!dppcon)
		goto fail;
#ifdef CONFIG_TESTING_OPTIONS
	if (auth->groups_override) {
		wpabuf_put_u8(dppcon, '{');
		if (auth->groups_override) {
			wpa_printf(MSG_DEBUG,
				   "DPP: TESTING - groups override: '%s'",
				   auth->groups_override);
			wpabuf_put_str(dppcon, "\"groups\":");
			wpabuf_put_str(dppcon, auth->groups_override);
			wpabuf_put_u8(dppcon, ',');
		}
		goto skip_groups;
	}
#endif /* CONFIG_TESTING_OPTIONS */
	/* NOTE(review): group_id is inserted without JSON escaping, so it is
	 * assumed to contain no quote/backslash/control characters (it comes
	 * from the local configuration command). "*" is the wildcard group. */
	wpabuf_printf(dppcon, "{\"groups\":[{\"groupId\":\"%s\",",
		      conf->group_id ? conf->group_id : "*");
	wpabuf_printf(dppcon, "\"netRole\":\"%s\"}],", ap ? "ap" : "sta");
#ifdef CONFIG_TESTING_OPTIONS
skip_groups:
#endif /* CONFIG_TESTING_OPTIONS */
	/* netAccessKey is the Enrollee's protocol key, without a kid */
	if (dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL,
			  auth->curve) < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to build netAccessKey JWK");
		goto fail;
	}
	if (conf->netaccesskey_expiry) {
		struct os_tm tm;

		/* ISO 8601 UTC timestamp, e.g. "2020-01-31T23:59:59Z" */
		if (os_gmtime(conf->netaccesskey_expiry, &tm) < 0) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Failed to generate expiry string");
			goto fail;
		}
		wpabuf_printf(dppcon,
			      ",\"expiry\":\"%04u-%02u-%02uT%02u:%02u:%02uZ\"",
			      tm.year, tm.month, tm.day,
			      tm.hour, tm.min, tm.sec);
	}
	wpabuf_put_u8(dppcon, '}');
	/* NOTE(review): printing the buffer with %s relies on the unused tail
	 * of the wpabuf being zero so the JSON is NUL-terminated - confirm
	 * against wpabuf_alloc(). */
	wpa_printf(MSG_DEBUG, "DPP: dppCon: %s",
		   (const char *) wpabuf_head(dppcon));

	/* JWS protected header: type, Configurator key id and JWS algorithm */
	os_snprintf(jws_prot_hdr, sizeof(jws_prot_hdr),
		    "{\"typ\":\"dppCon\",\"kid\":\"%s\",\"alg\":\"%s\"}",
		    auth->conf->kid, curve->jws_alg);
	signed1 = (char *) base64_url_encode((unsigned char *) jws_prot_hdr,
					     os_strlen(jws_prot_hdr),
					     &signed1_len, 0);
	signed2 = (char *) base64_url_encode(wpabuf_head(dppcon),
					     wpabuf_len(dppcon),
					     &signed2_len, 0);
	if (!signed1 || !signed2)
		goto fail;

	md_ctx = EVP_MD_CTX_create();
	if (!md_ctx)
		goto fail;

	/* Sign the JWS signing input: base64url(header) "." base64url(dppCon)
	 * with the Configurator signing key (csign). */
	ERR_clear_error();
	if (EVP_DigestSignInit(md_ctx, NULL, sign_md, NULL,
			       auth->conf->csign) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignInit failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	if (EVP_DigestSignUpdate(md_ctx, signed1, signed1_len) != 1 ||
	    EVP_DigestSignUpdate(md_ctx, dot, 1) != 1 ||
	    EVP_DigestSignUpdate(md_ctx, signed2, signed2_len) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignUpdate failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	/* First call with NULL output queries the maximum signature size */
	if (EVP_DigestSignFinal(md_ctx, NULL, &signature_len) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	signature = os_malloc(signature_len);
	if (!signature)
		goto fail;
	if (EVP_DigestSignFinal(md_ctx, signature, &signature_len) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (DER)",
		    signature, signature_len);
	/* Convert to raw coordinates r,s */
	/* The DER signature is decoded and the same buffer is reused for the
	 * fixed-size r|s encoding (each padded to prime_len). */
	p = signature;
	sig = d2i_ECDSA_SIG(NULL, &p, signature_len);
	if (!sig)
		goto fail;
	ECDSA_SIG_get0(sig, &r, &s);
	if (dpp_bn2bin_pad(r, signature, curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(s, signature + curve->prime_len,
			   curve->prime_len) < 0)
		goto fail;
	signature_len = 2 * curve->prime_len;
	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)",
		    signature, signature_len);
	signed3 = (char *) base64_url_encode(signature, signature_len,
					     &signed3_len, 0);
	if (!signed3)
		goto fail;

	/* Size the final object: base JSON, the csign JWK, the three JWS
	 * parts and, when legacy credentials are included, room for them. */
	incl_legacy = dpp_akm_psk(akm) || dpp_akm_sae(akm);
	tailroom = 1000;
	tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid);
	tailroom += signed1_len + signed2_len + signed3_len;
	if (incl_legacy)
		tailroom += 1000;
	buf = dpp_build_conf_start(auth, conf, tailroom);
	if (!buf)
		goto fail;

	wpabuf_printf(buf, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(akm));
	if (incl_legacy) {
		dpp_build_legacy_cred_params(buf, conf);
		wpabuf_put_str(buf, ",");
	}
	wpabuf_put_str(buf, "\"signedConnector\":\"");
	wpabuf_put_str(buf, signed1);
	wpabuf_put_u8(buf, '.');
	wpabuf_put_str(buf, signed2);
	wpabuf_put_u8(buf, '.');
	wpabuf_put_str(buf, signed3);
	wpabuf_put_str(buf, "\",");
	/* csign is the Configurator's public signing key, tagged with its kid */
	if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid,
			  curve) < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to build csign JWK");
		goto fail;
	}

	wpabuf_put_str(buf, "}}");

	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object",
			      wpabuf_head(buf), wpabuf_len(buf));

out:
	/* Common cleanup; buf is the return value (NULL on the fail path) */
	EVP_MD_CTX_destroy(md_ctx);
	ECDSA_SIG_free(sig);
	os_free(signed1);
	os_free(signed2);
	os_free(signed3);
	os_free(signature);
	wpabuf_free(dppcon);
	return buf;
fail:
	wpa_printf(MSG_DEBUG, "DPP: Failed to build configuration object");
	wpabuf_free(buf);
	buf = NULL;
	goto out;
}
4701 
4702 
/**
 * dpp_build_conf_obj_legacy - Build a legacy (PSK/SAE) Configuration Object
 * @auth: Authentication session
 * @ap: Enrollee role; not used for legacy credentials
 * @conf: Configuration providing the AKM and the passphrase or PSK
 * Returns: Buffer with the complete JSON object, or NULL on allocation
 * failure
 */
static struct wpabuf *
dpp_build_conf_obj_legacy(struct dpp_authentication *auth, int ap,
			  struct dpp_configuration *conf)
{
	struct wpabuf *obj = dpp_build_conf_start(auth, conf, 1000);

	if (!obj)
		return NULL;

	wpabuf_printf(obj, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(conf->akm));
	dpp_build_legacy_cred_params(obj, conf);
	wpabuf_put_str(obj, "}}");

	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object (legacy)",
			      wpabuf_head(obj), wpabuf_len(obj));

	return obj;
}
4722 
4723 
/**
 * dpp_build_conf_obj - Build the Configuration Object for an Enrollee role
 * @auth: Authentication session holding the per-role configurations
 * @ap: 1 to use auth->conf_ap, 0 to use auth->conf_sta
 * Returns: Buffer with the JSON object, or NULL if no configuration exists
 * for the role or building it fails
 */
static struct wpabuf *
dpp_build_conf_obj(struct dpp_authentication *auth, int ap)
{
	struct dpp_configuration *conf;

#ifdef CONFIG_TESTING_OPTIONS
	if (auth->config_obj_override) {
		wpa_printf(MSG_DEBUG, "DPP: Testing - Config Object override");
		return wpabuf_alloc_copy(auth->config_obj_override,
					 os_strlen(auth->config_obj_override));
	}
#endif /* CONFIG_TESTING_OPTIONS */

	conf = ap ? auth->conf_ap : auth->conf_sta;
	if (!conf) {
		wpa_printf(MSG_DEBUG,
			   "DPP: No configuration available for Enrollee(%s) - reject configuration request",
			   ap ? "ap" : "sta");
		return NULL;
	}

	/* Connector-based AKMs get a signed Connector; others only legacy
	 * credentials. */
	if (!dpp_akm_dpp(conf->akm))
		return dpp_build_conf_obj_legacy(auth, ap, conf);
	return dpp_build_conf_obj_dpp(auth, ap, conf);
}
4749 
4750 
/**
 * dpp_build_conf_resp - Build the DPP Configuration Response attributes
 * @auth: Authentication session (ke is used to wrap the payload)
 * @e_nonce: Enrollee nonce received in the Configuration Request
 * @e_nonce_len: Length of e_nonce in octets
 * @ap: Enrollee role used to select the configuration
 * Returns: Buffer with the Status attribute followed by Wrapped Data
 * ({ E-nonce, configurationObject }ke), or NULL on failure
 *
 * Status is DPP_STATUS_OK when a Configuration Object could be built and
 * DPP_STATUS_CONFIGURE_FAILURE otherwise; the chosen status is also recorded
 * in auth->conf_resp_status.
 */
static struct wpabuf *
dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce,
		    u16 e_nonce_len, int ap)
{
	struct wpabuf *conf;
	size_t clear_len, attr_len;
	struct wpabuf *clear = NULL, *msg = NULL;
	u8 *wrapped;
	const u8 *addr[1];
	size_t len[1];
	enum dpp_status_error status;

	conf = dpp_build_conf_obj(auth, ap);
	if (conf) {
		wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
				  wpabuf_head(conf), wpabuf_len(conf));
	}
	status = conf ? DPP_STATUS_OK : DPP_STATUS_CONFIGURE_FAILURE;
	auth->conf_resp_status = status;

	/* { E-nonce, configurationObject}ke */
	/* Cleartext: E-nonce attribute (4-octet header + nonce) and, when
	 * available, the Config Object attribute (4-octet header + JSON). */
	clear_len = 4 + e_nonce_len;
	if (conf)
		clear_len += 4 + wpabuf_len(conf);
	clear = wpabuf_alloc(clear_len);
	/* Frame: Status attribute (4 + 1) + Wrapped Data header (4) +
	 * cleartext + AES-SIV synthetic IV (AES_BLOCK_SIZE). */
	attr_len = 4 + 1 + 4 + clear_len + AES_BLOCK_SIZE;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = wpabuf_alloc(attr_len);
	if (!clear || !msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
		goto skip_e_nonce;
	}
	if (dpp_test == DPP_TEST_E_NONCE_MISMATCH_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - E-nonce mismatch");
		wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
		wpabuf_put_le16(clear, e_nonce_len);
		wpabuf_put_data(clear, e_nonce, e_nonce_len - 1);
		wpabuf_put_u8(clear, e_nonce[e_nonce_len - 1] ^ 0x01);
		goto skip_e_nonce;
	}
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* E-nonce */
	wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
	wpabuf_put_le16(clear, e_nonce_len);
	wpabuf_put_data(clear, e_nonce, e_nonce_len);

#ifdef CONFIG_TESTING_OPTIONS
skip_e_nonce:
	if (dpp_test == DPP_TEST_NO_CONFIG_OBJ_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - Config Object");
		goto skip_config_obj;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	if (conf) {
		wpabuf_put_le16(clear, DPP_ATTR_CONFIG_OBJ);
		wpabuf_put_le16(clear, wpabuf_len(conf));
		wpabuf_put_buf(clear, conf);
	}

#ifdef CONFIG_TESTING_OPTIONS
skip_config_obj:
	if (dpp_test == DPP_TEST_NO_STATUS_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - Status");
		goto skip_status;
	}
	if (dpp_test == DPP_TEST_INVALID_STATUS_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
		status = 255;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* DPP Status */
	dpp_build_attr_status(msg, status);

#ifdef CONFIG_TESTING_OPTIONS
skip_status:
#endif /* CONFIG_TESTING_OPTIONS */

	/* Everything already in msg (the Status attribute) is authenticated
	 * as AES-SIV associated data. */
	addr[0] = wpabuf_head(msg);
	len[0] = wpabuf_len(msg);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);

	/* Wrapped Data attribute; the ciphertext is written in place */
	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);

	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
			    wpabuf_head(clear), wpabuf_len(clear),
			    1, addr, len, wrapped) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

	wpa_hexdump_buf(MSG_DEBUG,
			"DPP: Configuration Response attributes", msg);
out:
	/* conf and clear are temporaries; msg is the return value */
	wpabuf_free(conf);
	wpabuf_free(clear);

	return msg;
fail:
	wpabuf_free(msg);
	msg = NULL;
	goto out;
}
4878 
4879 
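/**
 * dpp_conf_req_rx - Process a DPP Configuration Request and build the response
 * @auth: Authentication session (ke is used to unwrap and wrap)
 * @attr_start: Start of the request attributes
 * @attr_len: Length of the attributes in octets
 * Returns: Configuration Response attributes from dpp_build_conf_resp(), or
 * NULL on failure (the reason is reported through dpp_auth_fail(), except
 * for memory allocation failure)
 *
 * The Wrapped Data attribute (no associated data) is expected to contain the
 * Enrollee Nonce, which is stored in auth->e_nonce, and the Config Attributes
 * JSON object; only "wi-fi_tech":"infra" and a "netRole" of "sta" or "ap"
 * are accepted.
 */
struct wpabuf *
dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
		size_t attr_len)
{
	const u8 *wrapped_data, *e_nonce, *config_attr;
	u16 wrapped_data_len, e_nonce_len, config_attr_len;
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	struct wpabuf *resp = NULL;
	struct json_token *root = NULL, *token;
	int ap;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_STOP_AT_CONF_REQ) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - stop at Config Request");
		return NULL;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	if (dpp_check_attrs(attr_start, attr_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in config request");
		return NULL;
	}

	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Wrapped Data attribute");
		return NULL;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	/* AES-SIV output is AES_BLOCK_SIZE octets shorter than the input */
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		return NULL;
	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    0, NULL, NULL, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
			       DPP_ATTR_ENROLLEE_NONCE,
			       &e_nonce_len);
	if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth,
			      "Missing or invalid Enrollee Nonce attribute");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
	os_memcpy(auth->e_nonce, e_nonce, e_nonce_len);

	config_attr = dpp_get_attr(unwrapped, unwrapped_len,
				   DPP_ATTR_CONFIG_ATTR_OBJ,
				   &config_attr_len);
	if (!config_attr) {
		dpp_auth_fail(auth,
			      "Missing or invalid Config Attributes attribute");
		goto fail;
	}
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: Config Attributes",
			  config_attr, config_attr_len);

	/* The attribute value is not NUL-terminated; json_parse() takes the
	 * explicit length. */
	root = json_parse((const char *) config_attr, config_attr_len);
	if (!root) {
		dpp_auth_fail(auth, "Could not parse Config Attributes");
		goto fail;
	}

	token = json_get_member(root, "name");
	if (!token || token->type != JSON_STRING) {
		dpp_auth_fail(auth, "No Config Attributes - name");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: Enrollee name = '%s'", token->string);

	token = json_get_member(root, "wi-fi_tech");
	if (!token || token->type != JSON_STRING) {
		dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: wi-fi_tech = '%s'", token->string);
	if (os_strcmp(token->string, "infra") != 0) {
		wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech '%s'",
			   token->string);
		dpp_auth_fail(auth, "Unsupported wi-fi_tech");
		goto fail;
	}

	token = json_get_member(root, "netRole");
	if (!token || token->type != JSON_STRING) {
		dpp_auth_fail(auth, "No Config Attributes - netRole");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: netRole = '%s'", token->string);
	if (os_strcmp(token->string, "sta") == 0) {
		ap = 0;
	} else if (os_strcmp(token->string, "ap") == 0) {
		ap = 1;
	} else {
		wpa_printf(MSG_DEBUG, "DPP: Unsupported netRole '%s'",
			   token->string);
		dpp_auth_fail(auth, "Unsupported netRole");
		goto fail;
	}

	resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, ap);

fail:
	json_free(root);
	/* Clear the unwrapped plaintext before freeing, consistent with the
	 * other receive handlers in this file (it carries the nonce and the
	 * Enrollee's attributes). */
	bin_clear_free(unwrapped, unwrapped_len);
	return resp;
}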
5005 
5006 
/**
 * dpp_parse_jws_prot_hdr - Validate the JWS Protected Header of a signedConnector
 * @curve: Curve of the C-sign-key; its jws_alg is the only accepted "alg"
 * @prot_hdr: base64url-decoded JSON text of the header
 * @prot_hdr_len: Length of @prot_hdr in octets
 * @ret_md: On success, set to the EVP digest implied by "alg"
 * Returns: Decoded "kid" (caller frees with wpabuf_free()) or NULL on any
 * parse or policy failure
 *
 * "alg" has to equal the value expected for the C-sign-key curve before it is
 * mapped to a digest, so the header cannot select the hash used for signature
 * verification on its own.
 */
static struct wpabuf *
dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve,
		       const u8 *prot_hdr, u16 prot_hdr_len,
		       const EVP_MD **ret_md)
{
	/* JWS "alg" names accepted by DPP and the digest each one implies */
	static const struct {
		const char *es;
		const char *bs;
		const EVP_MD * (*md)(void);
	} algs[] = {
		{ "ES256", "BS256", EVP_sha256 },
		{ "ES384", "BS384", EVP_sha384 },
		{ "ES512", "BS512", EVP_sha512 },
	};
	struct json_token *hdr, *typ, *alg;
	struct wpabuf *kid = NULL;
	size_t i;

	hdr = json_parse((const char *) prot_hdr, prot_hdr_len);
	if (!hdr) {
		wpa_printf(MSG_DEBUG,
			   "DPP: JSON parsing failed for JWS Protected Header");
		goto fail;
	}
	if (hdr->type != JSON_OBJECT) {
		wpa_printf(MSG_DEBUG,
			   "DPP: JWS Protected Header root is not an object");
		goto fail;
	}

	typ = json_get_member(hdr, "typ");
	if (!typ || typ->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: No typ string value found");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s",
		   typ->string);
	if (os_strcmp(typ->string, "dppCon") != 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unsupported JWS Protected Header typ=%s",
			   typ->string);
		goto fail;
	}

	alg = json_get_member(hdr, "alg");
	if (!alg || alg->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: No alg string value found");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s",
		   alg->string);
	/* The digest is dictated by the C-sign-key curve, not by the header */
	if (os_strcmp(alg->string, curve->jws_alg) != 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)",
			   alg->string, curve->jws_alg);
		goto fail;
	}

	*ret_md = NULL;
	for (i = 0; i < sizeof(algs) / sizeof(algs[0]); i++) {
		if (os_strcmp(alg->string, algs[i].es) == 0 ||
		    os_strcmp(alg->string, algs[i].bs) == 0) {
			*ret_md = algs[i].md();
			break;
		}
	}
	if (!*ret_md) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unsupported JWS Protected Header alg=%s",
			   alg->string);
		goto fail;
	}

	kid = json_get_member_base64url(hdr, "kid");
	if (!kid) {
		wpa_printf(MSG_DEBUG, "DPP: No kid string value found");
		goto fail;
	}
	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)",
			kid);

fail:
	json_free(hdr);
	return kid;
}
5085 
5086 
/**
 * dpp_parse_cred_legacy - Parse a legacy (psk/sae) credential object
 * @auth: Authentication session in which the credential is stored
 * @cred: JSON "cred" object from the configurationObject
 * Returns: 0 on success, -1 if neither a usable "pass" nor "psk_hex" is found
 * or the value is out of range for the akm
 *
 * "pass" takes precedence over "psk_hex" when both are present. A passphrase
 * has to be 8..63 characters and psk_hex exactly PMK_LEN octets of hex. With an
 * akm that includes SAE, a passphrase is mandatory; a raw PSK is not enough.
 */
static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
				 struct json_token *cred)
{
	struct json_token *pass, *psk_hex;
	int have_pass, have_psk;

	wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential");

	pass = json_get_member(cred, "pass");
	psk_hex = json_get_member(cred, "psk_hex");
	have_pass = pass && pass->type == JSON_STRING;
	have_psk = psk_hex && psk_hex->type == JSON_STRING;

	if (!have_pass && !have_psk) {
		wpa_printf(MSG_DEBUG, "DPP: No pass or psk_hex strings found");
		return -1;
	}

	if (have_pass) {
		size_t pass_len = os_strlen(pass->string);

		wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Legacy passphrase",
				      pass->string, pass_len);
		/* WPA-Personal passphrase limits: 8..63 characters */
		if (pass_len < 8 || pass_len > 63)
			return -1;
		os_strlcpy(auth->passphrase, pass->string,
			   sizeof(auth->passphrase));
	} else {
		/* psk_hex alone cannot serve an SAE-only akm */
		if (dpp_akm_sae(auth->akm) && !dpp_akm_psk(auth->akm)) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Unexpected psk_hex with akm=sae");
			return -1;
		}
		if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
		    hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
			wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
			return -1;
		}
		wpa_hexdump_key(MSG_DEBUG, "DPP: Legacy PSK",
				auth->psk, PMK_LEN);
		auth->psk_set = 1;
	}

	/* SAE derives from the passphrase itself, so one has to be present */
	if (dpp_akm_sae(auth->akm) && !auth->passphrase[0]) {
		wpa_printf(MSG_DEBUG, "DPP: No pass for sae found");
		return -1;
	}

	return 0;
}
5132 
5133 
/**
 * dpp_parse_jwk - Build an EVP_PKEY from a JWK object (RFC 7517 "EC" key)
 * @jwk: JSON object with "kty", "crv", "x" and "y" members
 * @key_curve: Set to the DPP curve parameters matching "crv" once the
 *	coordinates have been decoded (set even if the key itself cannot be
 *	constructed)
 * Returns: New public key (caller frees with EVP_PKEY_free()) or NULL on
 * failure
 *
 * Only kty "EC" with a DPP-supported crv is accepted, and both affine
 * coordinates have to be exactly prime_len octets once base64url decoded.
 * NOTE(review): nothing here checks that (x, y) is actually on the curve;
 * that is left to dpp_set_pubkey_point_group(), which is not visible in this
 * part of the file - confirm it validates the point.
 */
static EVP_PKEY * dpp_parse_jwk(struct json_token *jwk,
				const struct dpp_curve_params **key_curve)
{
	struct json_token *kty, *crv;
	const struct dpp_curve_params *curve;
	struct wpabuf *x = NULL, *y = NULL;
	EC_GROUP *group;
	EVP_PKEY *pkey = NULL;

	kty = json_get_member(jwk, "kty");
	if (!kty || kty->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: No kty in JWK");
		goto fail;
	}
	if (os_strcmp(kty->string, "EC") != 0) {
		wpa_printf(MSG_DEBUG, "DPP: Unexpected JWK kty '%s'",
			   kty->string);
		goto fail;
	}

	crv = json_get_member(jwk, "crv");
	if (!crv || crv->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: No crv in JWK");
		goto fail;
	}
	curve = dpp_get_curve_jwk_crv(crv->string);
	if (!curve) {
		wpa_printf(MSG_DEBUG, "DPP: Unsupported JWK crv '%s'",
			   crv->string);
		goto fail;
	}

	/* Both coordinates have to be full-width for the selected curve */
	x = json_get_member_base64url(jwk, "x");
	if (!x) {
		wpa_printf(MSG_DEBUG, "DPP: No x in JWK");
		goto fail;
	}
	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK x", x);
	if (wpabuf_len(x) != curve->prime_len) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected JWK x length %u (expected %u for curve %s)",
			   (unsigned int) wpabuf_len(x),
			   (unsigned int) curve->prime_len, curve->name);
		goto fail;
	}

	y = json_get_member_base64url(jwk, "y");
	if (!y) {
		wpa_printf(MSG_DEBUG, "DPP: No y in JWK");
		goto fail;
	}
	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK y", y);
	if (wpabuf_len(y) != curve->prime_len) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected JWK y length %u (expected %u for curve %s)",
			   (unsigned int) wpabuf_len(y),
			   (unsigned int) curve->prime_len, curve->name);
		goto fail;
	}

	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
	if (!group) {
		wpa_printf(MSG_DEBUG, "DPP: Could not prepare group for JWK");
		goto fail;
	}

	/* NOTE(review): group is never freed in this function; unless
	 * dpp_set_pubkey_point_group() takes ownership of it, every call
	 * leaks an EC_GROUP - verify against that helper. */
	pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y),
					  wpabuf_len(x));
	*key_curve = curve;

fail:
	wpabuf_free(x);
	wpabuf_free(y);

	return pkey;
}
5210 
5211 
/**
 * dpp_key_expired - Check an ISO 8601 expiry timestamp against the current time
 * @timestamp: "YYYY-MM-DDTHH:MM:SS" followed by "Z", end of string, or a
 *	"+HH[:MM]" / "-HH[:MM]" offset from UTC
 * @expiry: Optional; receives the parsed expiry as UTC seconds
 * Returns: 1 if the key has expired or the timestamp cannot be interpreted
 * (the function fails closed), 0 if the key is still valid
 */
int dpp_key_expired(const char *timestamp, os_time_t *expiry)
{
	struct os_time now;
	unsigned int year, month, day, hour, min, sec;
	os_time_t utime;
	const char *tz;

	/* Any unparseable value is treated as expired, never as valid */
	if (os_strlen(timestamp) < 19) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Too short timestamp - assume expired key");
		return 1;
	}
	if (sscanf(timestamp, "%04u-%02u-%02uT%02u:%02u:%02u",
		   &year, &month, &day, &hour, &min, &sec) != 6) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to parse expiration day - assume expired key");
		return 1;
	}
	if (os_mktime(year, month, day, hour, min, sec, &utime) < 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Invalid date/time information - assume expired key");
		return 1;
	}

	/* The time zone designator starts right after the 19-char prefix */
	tz = timestamp + 19;
	switch (*tz) {
	case 'Z':
	case '\0':
		/* Already UTC */
		break;
	case '+':
	case '-': {
		os_time_t offset;
		int items;

		/* Convert local time to UTC: "-HH:MM" means the local clock
		 * is behind UTC, so the offset is added back. */
		items = sscanf(tz + 1, "%02u:%02u", &hour, &min);
		if (items < 1) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Invalid time zone designator (%s) - assume expired key",
				   tz);
			return 1;
		}
		offset = 3600 * hour;
		if (items > 1)
			offset += 60 * min;
		if (*tz == '-')
			utime += offset;
		else
			utime -= offset;
		break;
	}
	default:
		wpa_printf(MSG_DEBUG,
			   "DPP: Invalid time zone designator (%s) - assume expired key",
			   tz);
		return 1;
	}
	if (expiry)
		*expiry = utime;

	if (os_get_time(&now) < 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Cannot get current time - assume expired key");
		return 1;
	}

	if (now.sec > utime) {
		wpa_printf(MSG_DEBUG, "DPP: Key has expired (%lu < %lu)",
			   utime, now.sec);
		return 1;
	}

	return 0;
}
5289 
5290 
/**
 * dpp_parse_connector - Validate a decoded (already signature-verified)
 *	connector payload against this session
 * @auth: Authentication session; own_protocol_key is the expected netAccessKey
 * @payload: JSON text of the connector
 * @payload_len: Length of @payload in octets
 * Returns: 0 if the connector is acceptable, -1 otherwise
 *
 * The connector is rejected if it lists no groups, if its "expiry" (when
 * present) has passed, if "netAccessKey" is missing or not a valid JWK, or if
 * that key differs from the protocol key this Enrollee used during
 * authentication. auth->net_access_key_expiry is updated from "expiry".
 */
static int dpp_parse_connector(struct dpp_authentication *auth,
			       const unsigned char *payload,
			       u16 payload_len)
{
	struct json_token *root, *groups, *netkey, *expiry, *entry;
	const struct dpp_curve_params *curve;
	EVP_PKEY *key = NULL;
	unsigned int num_groups = 0;
	int ret = -1;

	root = json_parse((const char *) payload, payload_len);
	if (!root) {
		wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
		goto fail;
	}

	groups = json_get_member(root, "groups");
	if (groups && groups->type == JSON_ARRAY) {
		for (entry = groups->child; entry; entry = entry->sibling) {
			struct json_token *id, *role;

			id = json_get_member(entry, "groupId");
			if (!id || id->type != JSON_STRING) {
				wpa_printf(MSG_DEBUG,
					   "DPP: Missing groupId string");
				goto fail;
			}
			role = json_get_member(entry, "netRole");
			if (!role || role->type != JSON_STRING) {
				wpa_printf(MSG_DEBUG,
					   "DPP: Missing netRole string");
				goto fail;
			}
			wpa_printf(MSG_DEBUG,
				   "DPP: connector group: groupId='%s' netRole='%s'",
				   id->string, role->string);
			num_groups++;
		}
	} else {
		wpa_printf(MSG_DEBUG, "DPP: No groups array found");
	}
	if (!num_groups) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Connector includes no groups");
		goto fail;
	}

	/* A missing expiry means the connector never expires; an unparseable
	 * one counts as expired since dpp_key_expired() fails closed */
	expiry = json_get_member(root, "expiry");
	if (expiry && expiry->type == JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: expiry = %s", expiry->string);
		if (dpp_key_expired(expiry->string,
				    &auth->net_access_key_expiry)) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Connector (netAccessKey) has expired");
			goto fail;
		}
	} else {
		wpa_printf(MSG_DEBUG,
			   "DPP: No expiry string found - connector does not expire");
	}

	netkey = json_get_member(root, "netAccessKey");
	if (!netkey || netkey->type != JSON_OBJECT) {
		wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
		goto fail;
	}
	key = dpp_parse_jwk(netkey, &curve);
	if (!key)
		goto fail;
	dpp_debug_print_key("DPP: Received netAccessKey", key);

	/* The connector has to be issued for our own protocol key; any result
	 * other than 1 from EVP_PKEY_cmp() (0 = different key, negative =
	 * comparison error) is treated as a mismatch */
	if (EVP_PKEY_cmp(key, auth->own_protocol_key) != 1) {
		wpa_printf(MSG_DEBUG,
			   "DPP: netAccessKey in connector does not match own protocol key");
#ifdef CONFIG_TESTING_OPTIONS
		if (!auth->ignore_netaccesskey_mismatch)
			goto fail;
		wpa_printf(MSG_DEBUG,
			   "DPP: TESTING - skip netAccessKey mismatch");
#else /* CONFIG_TESTING_OPTIONS */
		goto fail;
#endif /* CONFIG_TESTING_OPTIONS */
	}

	ret = 0;
fail:
	EVP_PKEY_free(key);
	json_free(root);
	return ret;
}
5385 
5386 
/**
 * dpp_check_pubkey_match - Verify that a JWS kid identifies the given key
 * @pub: Public key (C-sign-key) the connector claims to be signed with
 * @r_hash: Received kid, expected to be SHA-256 of the uncompressed point
 * Returns: 0 on match, -1 on length mismatch, hash failure or mismatch
 *
 * The compared values are derived from public data only, so a plain
 * os_memcmp() is sufficient here.
 */
static int dpp_check_pubkey_match(EVP_PKEY *pub, struct wpabuf *r_hash)
{
	struct wpabuf *point;
	u8 digest[SHA256_MAC_LEN];
	const u8 *addr[1];
	size_t len[1];
	int res;

	if (wpabuf_len(r_hash) != SHA256_MAC_LEN)
		return -1;

	/* kid is computed over the uncompressed point encoding */
	point = dpp_get_pubkey_point(pub, 1);
	if (!point)
		return -1;
	addr[0] = wpabuf_head(point);
	len[0] = wpabuf_len(point);
	wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key",
		    addr[0], len[0]);
	res = sha256_vector(1, addr, len, digest);
	wpabuf_free(point);
	if (res < 0)
		return -1;

	if (os_memcmp(digest, wpabuf_head(r_hash), SHA256_MAC_LEN) == 0)
		return 0;

	wpa_printf(MSG_DEBUG,
		   "DPP: Received hash value does not match calculated public key hash value");
	wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash",
		    digest, SHA256_MAC_LEN);
	return -1;
}
5417 
5418 
/**
 * dpp_copy_csign - Store the DER (SubjectPublicKeyInfo) form of the C-sign-key
 * @auth: Authentication session; auth->c_sign_key is replaced
 * @csign: Public key to encode
 *
 * Nothing is changed if encoding fails. If the copy cannot be allocated,
 * auth->c_sign_key is presumably left NULL rather than keeping the old value.
 */
static void dpp_copy_csign(struct dpp_authentication *auth, EVP_PKEY *csign)
{
	unsigned char *der = NULL;
	int der_len = i2d_PUBKEY(csign, &der);

	if (der_len <= 0)
		return;

	/* Drop any previously stored C-sign-key before taking the new copy */
	wpabuf_free(auth->c_sign_key);
	auth->c_sign_key = wpabuf_alloc_copy(der, der_len);
	OPENSSL_free(der);
}
5431 
5432 
/**
 * dpp_copy_netaccesskey - Store the DER (ECPrivateKey) form of own protocol key
 * @auth: Authentication session; own_protocol_key is the source and
 *	auth->net_access_key the destination
 *
 * The encoded buffer holds a private key. NOTE(review): it is released with
 * OPENSSL_free() without being cleared; OPENSSL_clear_free() would be the
 * better fit where the project's OpenSSL baseline provides it.
 */
static void dpp_copy_netaccesskey(struct dpp_authentication *auth)
{
	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
	unsigned char *der = NULL;
	int der_len;

	if (!eckey)
		return;

	der_len = i2d_ECPrivateKey(eckey, &der);
	if (der_len > 0) {
		/* Replace any previously stored copy */
		wpabuf_free(auth->net_access_key);
		auth->net_access_key = wpabuf_alloc_copy(der, der_len);
		OPENSSL_free(der);
	}
	EC_KEY_free(eckey);
}
5453 
5454 
/* Decoded JWS payload of a signedConnector. payload is allocated by
 * dpp_process_signed_connector() and owned by its caller, which releases it
 * with os_free(). */
struct dpp_signed_connector_info {
	unsigned char *payload; /* base64url-decoded JWS payload (JSON text) */
	size_t payload_len; /* Length of payload in octets */
};
5459 
/**
 * dpp_process_signed_connector - Verify a signedConnector (compact JWS)
 * @info: Receives the decoded JWS payload; caller frees info->payload with
 *	os_free(). Cleared here only once the C-sign-key curve is known, so
 *	earlier failures leave it untouched (the caller in this file zeroes it
 *	beforehand).
 * @csign_pub: C-sign-key public key the signature has to verify against
 * @connector: "header.payload.signature" base64url text
 * Returns: DPP_STATUS_OK on success; DPP_STATUS_INVALID_CONNECTOR on a
 * malformed connector or failed signature; DPP_STATUS_NO_MATCH when the
 * header kid does not identify @csign_pub; 255 for internal (e.g.,
 * allocation or OpenSSL) errors
 *
 * Order of checks: the digest is derived from the header "alg" only after
 * dpp_parse_jws_prot_hdr() has confirmed it matches the C-sign-key curve,
 * the kid is bound to @csign_pub before any signature math, and the signed
 * input is the original ASCII "header.payload" text, not the decoded bytes.
 */
static enum dpp_status_error
dpp_process_signed_connector(struct dpp_signed_connector_info *info,
			     EVP_PKEY *csign_pub, const char *connector)
{
	enum dpp_status_error ret = 255;
	const char *pos, *end, *signed_start, *signed_end;
	struct wpabuf *kid = NULL;
	unsigned char *prot_hdr = NULL, *signature = NULL;
	size_t prot_hdr_len = 0, signature_len = 0;
	const EVP_MD *sign_md = NULL;
	unsigned char *der = NULL;
	int der_len;
	int res;
	EVP_MD_CTX *md_ctx = NULL;
	ECDSA_SIG *sig = NULL;
	BIGNUM *r = NULL, *s = NULL;
	const struct dpp_curve_params *curve;
	EC_KEY *eckey;
	const EC_GROUP *group;
	int nid;

	/* The C-sign-key curve decides which JWS "alg" is acceptable */
	eckey = EVP_PKEY_get1_EC_KEY(csign_pub);
	if (!eckey)
		goto fail;
	group = EC_KEY_get0_group(eckey);
	if (!group)
		goto fail;
	nid = EC_GROUP_get_curve_name(group);
	curve = dpp_get_curve_nid(nid);
	if (!curve)
		goto fail;
	wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv);
	os_memset(info, 0, sizeof(*info));

	/* Part 1: JWS Protected Header (up to the first '.') */
	signed_start = pos = connector;
	end = os_strchr(pos, '.');
	if (!end) {
		wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	prot_hdr = base64_url_decode((const unsigned char *) pos,
				     end - pos, &prot_hdr_len);
	if (!prot_hdr) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to base64url decode signedConnector JWS Protected Header");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	wpa_hexdump_ascii(MSG_DEBUG,
			  "DPP: signedConnector - JWS Protected Header",
			  prot_hdr, prot_hdr_len);
	kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &sign_md);
	if (!kid) {
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	/* kid is expected to be a SHA-256 digest (see dpp_check_pubkey_match) */
	if (wpabuf_len(kid) != SHA256_MAC_LEN) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)",
			   (unsigned int) wpabuf_len(kid), SHA256_MAC_LEN);
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	/* Part 2: JWS Payload (between the first and second '.') */
	pos = end + 1;
	end = os_strchr(pos, '.');
	if (!end) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Missing dot(2) in signedConnector");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	/* Signing input ends with the last payload character, i.e., the
	 * character before the second '.' */
	signed_end = end - 1;
	info->payload = base64_url_decode((const unsigned char *) pos,
					  end - pos, &info->payload_len);
	if (!info->payload) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to base64url decode signedConnector JWS Payload");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	wpa_hexdump_ascii(MSG_DEBUG,
			  "DPP: signedConnector - JWS Payload",
			  info->payload, info->payload_len);
	/* Part 3: JWS Signature (rest of the string) */
	pos = end + 1;
	signature = base64_url_decode((const unsigned char *) pos,
				      os_strlen(pos), &signature_len);
	if (!signature) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to base64url decode signedConnector signature");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
		}
	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature",
		    signature, signature_len);

	/* Bind the header to the key we are about to verify with; a kid for
	 * some other key is a NO_MATCH rather than an invalid connector */
	if (dpp_check_pubkey_match(csign_pub, kid) < 0) {
		ret = DPP_STATUS_NO_MATCH;
		goto fail;
	}

	/* JWS ECDSA signatures are r || s with both halves the same size */
	if (signature_len & 0x01) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected signedConnector signature length (%d)",
			   (int) signature_len);
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	/* JWS Signature encodes the signature (r,s) as two octet strings. Need
	 * to convert that to DER encoded ECDSA_SIG for OpenSSL EVP routines. */
	r = BN_bin2bn(signature, signature_len / 2, NULL);
	s = BN_bin2bn(signature + signature_len / 2, signature_len / 2, NULL);
	sig = ECDSA_SIG_new();
	if (!r || !s || !sig || ECDSA_SIG_set0(sig, r, s) != 1)
		goto fail;
	/* Ownership of r and s moved into sig; avoid a double free at fail */
	r = NULL;
	s = NULL;

	der_len = i2d_ECDSA_SIG(sig, &der);
	if (der_len <= 0) {
		wpa_printf(MSG_DEBUG, "DPP: Could not DER encode signature");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: DER encoded signature", der, der_len);
	md_ctx = EVP_MD_CTX_create();
	if (!md_ctx)
		goto fail;

	/* Clear the error queue so a stale entry is not reported below */
	ERR_clear_error();
	if (EVP_DigestVerifyInit(md_ctx, NULL, sign_md, NULL, csign_pub) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyInit failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	/* Verify over the ASCII "header.payload" text, per JWS */
	if (EVP_DigestVerifyUpdate(md_ctx, signed_start,
				   signed_end - signed_start + 1) != 1) {
		wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyUpdate failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	/* Only 1 means a valid signature; 0 and negative values are both
	 * rejected as an invalid connector */
	res = EVP_DigestVerifyFinal(md_ctx, der, der_len);
	if (res != 1) {
		wpa_printf(MSG_DEBUG,
			   "DPP: EVP_DigestVerifyFinal failed (res=%d): %s",
			   res, ERR_error_string(ERR_get_error(), NULL));
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	ret = DPP_STATUS_OK;
fail:
	/* info->payload is intentionally kept for the caller on all paths */
	EC_KEY_free(eckey);
	EVP_MD_CTX_destroy(md_ctx);
	os_free(prot_hdr);
	wpabuf_free(kid);
	os_free(signature);
	ECDSA_SIG_free(sig);
	BN_free(r);
	BN_free(s);
	OPENSSL_free(der);
	return ret;
}
5624 
5625 
/**
 * dpp_parse_cred_dpp - Parse a Connector ("dpp" akm) credential object
 * @auth: Authentication session receiving connector, C-sign-key and
 *	netAccessKey
 * @cred: JSON "cred" object from the configurationObject
 * Returns: 0 on success, -1 on failure
 *
 * For combined akms (dpp+psk, dpp+sae) the legacy part is parsed first and has
 * to be valid. The signedConnector is accepted only after its signature
 * verifies with the csign JWK and its payload is bound to this session by
 * dpp_parse_connector().
 */
static int dpp_parse_cred_dpp(struct dpp_authentication *auth,
			      struct json_token *cred)
{
	struct dpp_signed_connector_info conn;
	struct json_token *csign, *sc;
	EVP_PKEY *csign_pub = NULL;
	const struct dpp_curve_params *key_curve = NULL;
	const char *signed_connector;
	int ret = -1;

	os_memset(&conn, 0, sizeof(conn));

	if (dpp_akm_psk(auth->akm) || dpp_akm_sae(auth->akm)) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Legacy credential included in Connector credential");
		if (dpp_parse_cred_legacy(auth, cred) < 0)
			return -1;
	}

	wpa_printf(MSG_DEBUG, "DPP: Connector credential");

	csign = json_get_member(cred, "csign");
	if (!csign || csign->type != JSON_OBJECT) {
		wpa_printf(MSG_DEBUG, "DPP: No csign JWK in JSON");
		goto fail;
	}
	csign_pub = dpp_parse_jwk(csign, &key_curve);
	if (!csign_pub) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to parse csign JWK");
		goto fail;
	}
	dpp_debug_print_key("DPP: Received C-sign-key", csign_pub);

	sc = json_get_member(cred, "signedConnector");
	if (!sc || sc->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG, "DPP: No signedConnector string found");
		goto fail;
	}
	signed_connector = sc->string;
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: signedConnector",
			  signed_connector, os_strlen(signed_connector));

	/* The string is kept verbatim in auth->connector (and presumably
	 * emitted as-is elsewhere), so characters that could break that
	 * representation are rejected up front */
	if (os_strchr(signed_connector, '"') ||
	    os_strchr(signed_connector, '\n')) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Unexpected character in signedConnector");
		goto fail;
	}

	/* Signature and kid binding first, then session binding of the
	 * payload (netAccessKey must be our own protocol key) */
	if (dpp_process_signed_connector(&conn, csign_pub,
					 signed_connector) != DPP_STATUS_OK)
		goto fail;
	if (dpp_parse_connector(auth, conn.payload, conn.payload_len) < 0) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to parse connector");
		goto fail;
	}

	os_free(auth->connector);
	auth->connector = os_strdup(signed_connector);
	dpp_copy_csign(auth, csign_pub);
	dpp_copy_netaccesskey(auth);
	ret = 0;

fail:
	EVP_PKEY_free(csign_pub);
	os_free(conn.payload);
	return ret;
}
5697 
5698 
/**
 * dpp_akm_str - Map a DPP akm enum value to its configurationObject string
 * @akm: akm value
 * Returns: Static string such as "dpp" or "psk+sae"; "??" for unknown values
 */
const char * dpp_akm_str(enum dpp_akm akm)
{
	static const struct {
		enum dpp_akm akm;
		const char *name;
	} names[] = {
		{ DPP_AKM_DPP, "dpp" },
		{ DPP_AKM_PSK, "psk" },
		{ DPP_AKM_SAE, "sae" },
		{ DPP_AKM_PSK_SAE, "psk+sae" },
		{ DPP_AKM_SAE_DPP, "dpp+sae" },
		{ DPP_AKM_PSK_SAE_DPP, "dpp+psk+sae" },
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (names[i].akm == akm)
			return names[i].name;
	}
	return "??";
}
5718 
5719 
/**
 * dpp_akm_from_str - Map a configurationObject akm string to the enum value
 * @akm: akm string from the "cred" object (exact, case-sensitive match)
 * Returns: Matching enum value or DPP_AKM_UNKNOWN
 */
static enum dpp_akm dpp_akm_from_str(const char *akm)
{
	static const struct {
		const char *name;
		enum dpp_akm akm;
	} names[] = {
		{ "psk", DPP_AKM_PSK },
		{ "sae", DPP_AKM_SAE },
		{ "psk+sae", DPP_AKM_PSK_SAE },
		{ "dpp", DPP_AKM_DPP },
		{ "dpp+sae", DPP_AKM_SAE_DPP },
		{ "dpp+psk+sae", DPP_AKM_PSK_SAE_DPP },
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (os_strcmp(akm, names[i].name) == 0)
			return names[i].akm;
	}
	return DPP_AKM_UNKNOWN;
}
5736 
5737 
/**
 * dpp_parse_conf_obj - Parse the decrypted DPP configurationObject
 * @auth: Authentication session receiving ssid, akm and credentials
 * @conf_obj: JSON text of the configurationObject
 * @conf_obj_len: Length of @conf_obj in octets
 * Returns: 0 on success, -1 on failure (dpp_auth_fail() records the reason
 * for everything except a JSON parse error)
 *
 * Only wi-fi_tech "infra" is supported. The credential parser is chosen by
 * cred::akm: legacy (psk/sae) or connector (any akm including dpp).
 */
static int dpp_parse_conf_obj(struct dpp_authentication *auth,
			      const u8 *conf_obj, u16 conf_obj_len)
{
	struct json_token *root, *tech, *discovery, *ssid, *cred, *akm;
	size_t ssid_len;
	int ret = -1;

	root = json_parse((const char *) conf_obj, conf_obj_len);
	if (!root)
		return -1;
	if (root->type != JSON_OBJECT) {
		dpp_auth_fail(auth, "JSON root is not an object");
		goto fail;
	}

	tech = json_get_member(root, "wi-fi_tech");
	if (!tech || tech->type != JSON_STRING) {
		dpp_auth_fail(auth, "No wi-fi_tech string value found");
		goto fail;
	}
	if (os_strcmp(tech->string, "infra") != 0) {
		wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech value: '%s'",
			   tech->string);
		dpp_auth_fail(auth, "Unsupported wi-fi_tech value");
		goto fail;
	}

	discovery = json_get_member(root, "discovery");
	if (!discovery || discovery->type != JSON_OBJECT) {
		dpp_auth_fail(auth, "No discovery object in JSON");
		goto fail;
	}

	ssid = json_get_member(discovery, "ssid");
	if (!ssid || ssid->type != JSON_STRING) {
		dpp_auth_fail(auth, "No discovery::ssid string value found");
		goto fail;
	}
	ssid_len = os_strlen(ssid->string);
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: discovery::ssid",
			  ssid->string, ssid_len);
	/* auth->ssid is a fixed-size buffer; bound the copy */
	if (ssid_len > SSID_MAX_LEN) {
		dpp_auth_fail(auth, "Too long discovery::ssid string value");
		goto fail;
	}
	auth->ssid_len = ssid_len;
	os_memcpy(auth->ssid, ssid->string, ssid_len);

	cred = json_get_member(root, "cred");
	if (!cred || cred->type != JSON_OBJECT) {
		dpp_auth_fail(auth, "No cred object in JSON");
		goto fail;
	}

	akm = json_get_member(cred, "akm");
	if (!akm || akm->type != JSON_STRING) {
		dpp_auth_fail(auth, "No cred::akm string value found");
		goto fail;
	}
	auth->akm = dpp_akm_from_str(akm->string);

	if (dpp_akm_legacy(auth->akm)) {
		if (dpp_parse_cred_legacy(auth, cred) < 0)
			goto fail;
	} else if (dpp_akm_dpp(auth->akm)) {
		if (dpp_parse_cred_dpp(auth, cred) < 0)
			goto fail;
	} else {
		wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s",
			   akm->string);
		dpp_auth_fail(auth, "Unsupported akm");
		goto fail;
	}

	wpa_printf(MSG_DEBUG, "DPP: JSON parsing completed successfully");
	ret = 0;
fail:
	json_free(root);
	return ret;
}
5816 
5817 
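/**
 * dpp_conf_resp_rx - Process a received DPP Configuration Response
 * @auth: Authentication session (Enrollee side); ke and e_nonce must be set
 * @resp: GAS response body holding the DPP attributes
 * Returns: 0 on success, -1 on failure (dpp_auth_fail() records the reason)
 *
 * Sets auth->conf_resp_status to the received DPP Status (255 until one is
 * read) and, when it is DPP_STATUS_OK, parses the wrapped configurationObject
 * into auth via dpp_parse_conf_obj().
 *
 * Change from the previous version: the decrypted buffer is released with
 * bin_clear_free() instead of os_free(), matching dpp_conf_result_rx(),
 * since it carries the configurationObject and thus the network credentials.
 */
int dpp_conf_resp_rx(struct dpp_authentication *auth,
		     const struct wpabuf *resp)
{
	const u8 *resp_head = wpabuf_head(resp);
	size_t resp_len = wpabuf_len(resp);
	const u8 *wrapped_data, *e_nonce, *status, *conf_obj;
	u16 wrapped_data_len, e_nonce_len, status_len, conf_obj_len;
	const u8 *addr[1];
	size_t len[1];
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	int ret = -1;

	auth->conf_resp_status = 255;

	if (dpp_check_attrs(resp_head, resp_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in config response");
		return -1;
	}

	wrapped_data = dpp_get_attr(resp_head, resp_len, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Wrapped Data attribute");
		return -1;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	/* AES-SIV output is one block of SIV followed by the ciphertext */
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		return -1;

	/* Everything preceding the Wrapped Data attribute header (4 octets of
	 * ID + length) is authenticated as associated data, so cleartext
	 * attributes placed before it - including DPP Status, if it is there -
	 * cannot be modified without the decryption failing. */
	addr[0] = resp_head;
	len[0] = wrapped_data - 4 - resp_head;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);

	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    1, addr, len, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	/* The wrapped E-nonce has to echo the one this session sent in the
	 * request, tying the response to that request */
	e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
			       DPP_ATTR_ENROLLEE_NONCE,
			       &e_nonce_len);
	if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth,
			      "Missing or invalid Enrollee Nonce attribute");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
	if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
		dpp_auth_fail(auth, "Enrollee Nonce mismatch");
		goto fail;
	}

	/* DPP Status is carried in the clear (outside Wrapped Data) */
	status = dpp_get_attr(resp_head, resp_len,
			      DPP_ATTR_STATUS, &status_len);
	if (!status || status_len < 1) {
		dpp_auth_fail(auth,
			      "Missing or invalid required DPP Status attribute");
		goto fail;
	}
	auth->conf_resp_status = status[0];
	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
	if (status[0] != DPP_STATUS_OK) {
		dpp_auth_fail(auth, "Configurator rejected configuration");
		goto fail;
	}

	conf_obj = dpp_get_attr(unwrapped, unwrapped_len,
				DPP_ATTR_CONFIG_OBJ, &conf_obj_len);
	if (!conf_obj) {
		dpp_auth_fail(auth,
			      "Missing required Configuration Object attribute");
		goto fail;
	}
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
			  conf_obj, conf_obj_len);
	if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0)
		goto fail;

	ret = 0;

fail:
	/* The cleartext holds the configurationObject (credentials); wipe it
	 * before releasing, as dpp_conf_result_rx() already does */
	bin_clear_free(unwrapped, unwrapped_len);
	return ret;
}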
5916 
5917 
5918 #ifdef CONFIG_DPP2
/**
 * dpp_conf_result_rx - Process a received DPP Configuration Result (DPP R2)
 * @auth: Authentication session (Configurator side); ke and e_nonce must be set
 * @hdr: DPP Public Action frame header (DPP_HDR_LEN octets) for the AD
 * @attr_start: Start of the DPP attributes
 * @attr_len: Length of the attributes in octets
 * Returns: The DPP Status value the Enrollee reported, or 256 if the frame
 * could not be decrypted or validated (dpp_auth_fail() records the reason)
 *
 * The E-nonce inside the wrapped data has to match the one stored in this
 * session; a mismatch is reported with the expected value in the debug log.
 */
enum dpp_status_error dpp_conf_result_rx(struct dpp_authentication *auth,
					 const u8 *hdr,
					 const u8 *attr_start, size_t attr_len)
{
	const u8 *wrapped_data, *status, *e_nonce;
	u16 wrapped_data_len, status_len, e_nonce_len;
	const u8 *addr[2];
	size_t len[2];
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	enum dpp_status_error ret = 256;

	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_auth_fail(auth,
			      "Missing or invalid required Wrapped Data attribute");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
		    wrapped_data, wrapped_data_len);

	/* AD = frame header || cleartext attributes preceding the Wrapped
	 * Data attribute header (4 octets of ID + length) */
	addr[0] = hdr;
	len[0] = DPP_HDR_LEN;
	addr[1] = attr_start;
	len[1] = wrapped_data - 4 - attr_start;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);

	/* AES-SIV output is one block of SIV followed by the ciphertext */
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		goto fail;
	if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, addr, len, unwrapped) < 0) {
		dpp_auth_fail(auth, "AES-SIV decryption failed");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);
	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
		goto fail;
	}

	e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
			       DPP_ATTR_ENROLLEE_NONCE,
			       &e_nonce_len);
	if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
		dpp_auth_fail(auth,
			      "Missing or invalid Enrollee Nonce attribute");
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
	if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
		dpp_auth_fail(auth, "Enrollee Nonce mismatch");
		wpa_hexdump(MSG_DEBUG, "DPP: Expected Enrollee Nonce",
			    auth->e_nonce, e_nonce_len);
		goto fail;
	}

	/* Unlike the Configuration Response, the Status here is wrapped */
	status = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_STATUS,
			      &status_len);
	if (!status || status_len < 1) {
		dpp_auth_fail(auth,
			      "Missing or invalid required DPP Status attribute");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
	ret = status[0];

fail:
	bin_clear_free(unwrapped, unwrapped_len);
	return ret;
}
5999 #endif /* CONFIG_DPP2 */
6000 
6001 
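/*
 * dpp_build_conf_result - Build a DPP Configuration Result frame
 * @auth: Authentication session providing ke (AES-SIV key), curve->nonce_len
 *	and the Enrollee nonce e_nonce that is echoed back to the Configurator
 * @status: DPP Status value to carry inside the wrapped payload
 * Returns: Newly allocated frame (caller owns and frees it), or NULL on
 * allocation or AES-SIV failure
 *
 * The only top-level attribute is Wrapped Data; its cleartext holds DPP Status
 * followed by E-nonce. AES-SIV AD[0] covers the six bytes after the two-byte
 * Public Action header (OUI, OUI type, Crypto Suite, DPP frame type) and AD[1]
 * is the (empty) run of attributes preceding Wrapped Data.
 */
struct wpabuf * dpp_build_conf_result(struct dpp_authentication *auth,
				      enum dpp_status_error status)
{
	struct wpabuf *msg = NULL, *clear = NULL;
	size_t nonce_len, clear_len, attr_len;
	const u8 *addr[2];
	size_t len[2];
	u8 *wrapped;

	nonce_len = auth->curve->nonce_len;
	/* Cleartext: DPP Status (4 + 1) followed by E-nonce (4 + nonce_len) */
	clear_len = 5 + 4 + nonce_len;
	/* Frame body: Wrapped Data header, cleartext and the AES-SIV tag */
	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
	clear = wpabuf_alloc(clear_len);
	msg = dpp_alloc_msg(DPP_PA_CONFIGURATION_RESULT, attr_len);
	/* Release whichever of the two allocations succeeded instead of
	 * leaking it on a bare return */
	if (!clear || !msg)
		goto fail;

	/* DPP Status */
	dpp_build_attr_status(clear, status);

	/* E-nonce */
	wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
	wpabuf_put_le16(clear, nonce_len);
	wpabuf_put_data(clear, auth->e_nonce, nonce_len);

	/* OUI, OUI type, Crypto Suite, DPP frame type */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = 3 + 1 + 1 + 1;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);

	/* Attributes before Wrapped Data (none) */
	addr[1] = wpabuf_put(msg, 0);
	len[1] = 0;
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	/* Wrapped Data */
	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);

	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
	if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
			    wpabuf_head(clear), wpabuf_len(clear),
			    2, addr, len, wrapped) < 0)
		goto fail;

	wpa_hexdump_buf(MSG_DEBUG, "DPP: Configuration Result attributes", msg);
	wpabuf_free(clear);
	return msg;
fail:
	/* wpabuf_free() tolerates NULL, so both may be released unconditionally */
	wpabuf_free(clear);
	wpabuf_free(msg);
	return NULL;
}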
6056 
6057 
/*
 * dpp_configurator_free - Release a configurator and the objects it owns
 * @conf: Configurator to free; NULL is accepted and ignored
 *
 * Frees the C-sign-key (EVP_PKEY), the kid string and the struct itself.
 */
void dpp_configurator_free(struct dpp_configurator *conf)
{
	if (conf) {
		EVP_PKEY_free(conf->csign);
		os_free(conf->kid);
		os_free(conf);
	}
}
6066 
6067 
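/*
 * dpp_configurator_get_key - Export the C-sign-key as a hex string
 * @conf: Configurator whose csign private key is exported
 * @buf: Output buffer for the hex-encoded DER ECPrivateKey
 * @buflen: Size of @buf in bytes
 * Returns: The value of wpa_snprintf_hex(), or -1 if there is no C-sign-key,
 * it cannot be converted to an EC_KEY, or DER encoding fails
 *
 * The DER encoding produced by i2d_ECPrivateKey() contains the private
 * scalar, so the temporary OpenSSL-owned buffer is wiped before it is
 * released. The caller is responsible for clearing @buf once done with it.
 */
int dpp_configurator_get_key(const struct dpp_configurator *conf, char *buf,
			     size_t buflen)
{
	EC_KEY *eckey;
	int key_len, ret = -1;
	unsigned char *key = NULL;

	if (!conf->csign)
		return -1;

	eckey = EVP_PKEY_get1_EC_KEY(conf->csign);
	if (!eckey)
		return -1;

	/* With *key == NULL, i2d_ECPrivateKey() allocates the output buffer */
	key_len = i2d_ECPrivateKey(eckey, &key);
	if (key_len > 0)
		ret = wpa_snprintf_hex(buf, buflen, key, key_len);

	EC_KEY_free(eckey);
	/* Do not leave a copy of the private key behind in freed heap memory */
	if (key_len > 0)
		OPENSSL_cleanse(key, (size_t) key_len);
	OPENSSL_free(key);
	return ret;
}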
6090 
6091 
/*
 * dpp_keygen_configurator - Create a Configurator with a C-sign-key
 * @curve: Curve name, or NULL to use the first entry of dpp_curves
 * @privkey: Optional existing private key; when NULL a fresh keypair is
 *	generated on the selected curve
 * @privkey_len: Length of @privkey
 * Returns: Newly allocated configurator (own = 1, kid set), or NULL on
 * unsupported curve, key generation/import failure, or allocation failure
 *
 * kid is the base64url encoding of SHA256 over the ANSI X9.63 uncompressed
 * C-sign-key public point. dpp_set_keypair() receives &conf->curve, so it
 * may presumably update the curve to match the imported key - confirm.
 */
struct dpp_configurator *
dpp_keygen_configurator(const char *curve, const u8 *privkey,
			size_t privkey_len)
{
	struct dpp_configurator *conf;
	struct wpabuf *csign_pub;
	u8 kid_hash[SHA256_MAC_LEN];
	const u8 *addr[1];
	size_t len[1];

	conf = os_zalloc(sizeof(*conf));
	if (!conf)
		return NULL;

	conf->curve = curve ? dpp_get_curve_name(curve) : &dpp_curves[0];
	if (!conf->curve) {
		wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", curve);
		os_free(conf);
		return NULL;
	}

	conf->csign = privkey ?
		dpp_set_keypair(&conf->curve, privkey, privkey_len) :
		dpp_gen_keypair(conf->curve);
	if (!conf->csign)
		goto fail;
	conf->own = 1;

	csign_pub = dpp_get_pubkey_point(conf->csign, 1);
	if (!csign_pub) {
		wpa_printf(MSG_INFO, "DPP: Failed to extract C-sign-key");
		goto fail;
	}

	/* kid = SHA256(ANSI X9.63 uncompressed C-sign-key) */
	addr[0] = wpabuf_head(csign_pub);
	len[0] = wpabuf_len(csign_pub);
	if (sha256_vector(1, addr, len, kid_hash) < 0) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to derive kid for C-sign-key");
		wpabuf_free(csign_pub);
		goto fail;
	}
	wpabuf_free(csign_pub);

	conf->kid = (char *) base64_url_encode(kid_hash, sizeof(kid_hash),
					       NULL, 0);
	if (!conf->kid)
		goto fail;

	return conf;

fail:
	/* Releases csign and kid along with the struct */
	dpp_configurator_free(conf);
	return NULL;
}
6153 
6154 
/*
 * dpp_configurator_own_config - Configure the Configurator itself
 * @auth: Authentication session; auth->conf must be set. On success the
 *	session holds a fresh own_protocol_key, the copied netAccessKey and
 *	C-sign-key, and the parsed configuration object.
 * @curve: Curve name, or NULL for the first entry of dpp_curves
 * @ap: Non-zero to build an AP configuration, zero for a station
 * Returns: 0 on success, -1 on failure
 *
 * peer_protocol_key is aliased to own_protocol_key only while the
 * configuration object is built and parsed, and is reset to NULL before
 * returning (presumably so the same key is not released twice).
 */
int dpp_configurator_own_config(struct dpp_authentication *auth,
				const char *curve, int ap)
{
	struct wpabuf *conf_obj;
	int ret = -1;

	if (!auth->conf) {
		wpa_printf(MSG_DEBUG, "DPP: No configurator specified");
		return -1;
	}

	auth->curve = curve ? dpp_get_curve_name(curve) : &dpp_curves[0];
	if (!auth->curve) {
		wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", curve);
		return -1;
	}
	wpa_printf(MSG_DEBUG,
		   "DPP: Building own configuration/connector with curve %s",
		   auth->curve->name);

	auth->own_protocol_key = dpp_gen_keypair(auth->curve);
	if (!auth->own_protocol_key)
		return -1;
	dpp_copy_netaccesskey(auth);
	auth->peer_protocol_key = auth->own_protocol_key;
	dpp_copy_csign(auth, auth->conf->csign);

	conf_obj = dpp_build_conf_obj(auth, ap);
	if (conf_obj) {
		ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj),
					 wpabuf_len(conf_obj));
		wpabuf_free(conf_obj);
	}
	auth->peer_protocol_key = NULL;
	return ret;
}
6197 
6198 
/*
 * dpp_compatible_netrole - Check whether two netRole strings can pair up
 * @role1: First netRole string
 * @role2: Second netRole string
 * Returns: 1 when one side is "sta" and the other is "ap", 0 otherwise
 * (including when both are the same role or either is an unknown value)
 */
static int dpp_compatible_netrole(const char *role1, const char *role2)
{
	if (os_strcmp(role1, "sta") == 0)
		return os_strcmp(role2, "ap") == 0;
	if (os_strcmp(role1, "ap") == 0)
		return os_strcmp(role2, "sta") == 0;
	return 0;
}
6204 
6205 
/*
 * dpp_connector_compatible_group - Find a matching group in own connector
 * @root: Parsed JSON of own connector payload
 * @group_id: Peer's groupId ("*" matches any group)
 * @net_role: Peer's netRole
 * Returns: 1 if some entry of the "groups" array has a groupId equal to
 * @group_id (or either side is the wildcard "*") and a netRole that pairs
 * with @net_role according to dpp_compatible_netrole(), 0 otherwise.
 * Entries lacking a string groupId or netRole are skipped.
 */
static int dpp_connector_compatible_group(struct json_token *root,
					  const char *group_id,
					  const char *net_role)
{
	struct json_token *groups = json_get_member(root, "groups");
	struct json_token *entry;

	if (!groups || groups->type != JSON_ARRAY)
		return 0;

	for (entry = groups->child; entry; entry = entry->sibling) {
		struct json_token *id = json_get_member(entry, "groupId");
		struct json_token *role;
		int id_matches;

		if (!id || id->type != JSON_STRING)
			continue;

		role = json_get_member(entry, "netRole");
		if (!role || role->type != JSON_STRING)
			continue;

		/* Wildcard "*" on either side matches any group */
		id_matches = os_strcmp(id->string, "*") == 0 ||
			os_strcmp(group_id, "*") == 0 ||
			os_strcmp(id->string, group_id) == 0;
		if (id_matches &&
		    dpp_compatible_netrole(role->string, net_role))
			return 1;
	}

	return 0;
}
6238 
6239 
/*
 * dpp_connector_match_groups - Match peer groups against own connector
 * @own_root: Parsed JSON of own connector payload
 * @peer_root: Parsed JSON of the peer connector payload
 * Returns: 1 as soon as one peer group (groupId, netRole) is compatible with
 * a group in own connector, 0 if the peer has no "groups" array or no entry
 * matches. Peer entries without a string groupId or netRole are skipped with
 * a debug message.
 */
static int dpp_connector_match_groups(struct json_token *own_root,
				      struct json_token *peer_root)
{
	struct json_token *groups = json_get_member(peer_root, "groups");
	struct json_token *entry;

	if (!groups || groups->type != JSON_ARRAY) {
		wpa_printf(MSG_DEBUG, "DPP: No peer groups array found");
		return 0;
	}

	for (entry = groups->child; entry; entry = entry->sibling) {
		struct json_token *id = json_get_member(entry, "groupId");
		struct json_token *role;

		if (!id || id->type != JSON_STRING) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Missing peer groupId string");
			continue;
		}

		role = json_get_member(entry, "netRole");
		if (!role || role->type != JSON_STRING) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Missing peer groups::netRole string");
			continue;
		}
		wpa_printf(MSG_DEBUG,
			   "DPP: peer connector group: groupId='%s' netRole='%s'",
			   id->string, role->string);
		if (!dpp_connector_compatible_group(own_root, id->string,
						    role->string))
			continue;
		wpa_printf(MSG_DEBUG,
			   "DPP: Compatible group/netRole in own connector");
		return 1;
	}

	return 0;
}
6280 
6281 
/*
 * dpp_derive_pmk - Derive the DPP PMK from the ECDH shared secret
 * @Nx: Shared secret x coordinate N.x (HKDF input keying material)
 * @Nx_len: Length of @Nx
 * @pmk: Output buffer receiving hash_len bytes
 * @hash_len: Hash output length of the curve in use; also the salt and PRK
 *	length, so it must not exceed DPP_MAX_HASH_LEN (the stack buffer size)
 * Returns: 0 on success, -1 if either HKDF step fails
 *
 * PMK = HKDF(<>, "DPP PMK", N.x): HKDF-Extract with an all-zero salt of
 * hash_len bytes, then HKDF-Expand of the PRK with the fixed info string to
 * hash_len bytes. The intermediate PRK is wiped once Expand has run.
 */
static int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk,
			  unsigned int hash_len)
{
	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
	int ret = -1;

	/* HKDF-Extract(<>, N.x): the empty salt is hash_len zero bytes */
	os_memset(salt, 0, hash_len);
	if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
			prk, hash_len);

	/* HKDF-Expand(PRK, info, L) */
	if (dpp_hkdf_expand(hash_len, prk, hash_len, "DPP PMK", pmk,
			    hash_len) >= 0) {
		wpa_hexdump_key(MSG_DEBUG,
				"DPP: PMK = HKDF-Expand(PRK, info, L)",
				pmk, hash_len);
		ret = 0;
	}
	os_memset(prk, 0, hash_len);
	return ret;
}
6308 
6309 
/*
 * dpp_derive_pmkid - Derive the PMKID for a DPP network introduction
 * @curve: Unused in this function; kept for the call signature
 * @own_key: Own netAccessKey (NK)
 * @peer_key: Peer netAccessKey (PK)
 * @pmkid: Output buffer of PMKID_LEN bytes
 * Returns: 0 on success, -1 on failure (public point extraction failed, the
 * two coordinates differ in length, or SHA256 failed)
 *
 * PMKID = Truncate-128(SHA256(min(NK.x, PK.x) | max(NK.x, PK.x))). The x
 * coordinate is taken as the first half of the buffer dpp_get_pubkey_point()
 * returns (assumed to be x || y), and min/max is an unsigned byte-wise
 * comparison via os_memcmp().
 */
static int dpp_derive_pmkid(const struct dpp_curve_params *curve,
			    EVP_PKEY *own_key, EVP_PKEY *peer_key, u8 *pmkid)
{
	struct wpabuf *nkx, *pkx;
	const u8 *first, *second;
	const u8 *addr[2];
	size_t len[2];
	u8 hash[SHA256_MAC_LEN];
	int ret = -1;

	nkx = dpp_get_pubkey_point(own_key, 0);
	pkx = dpp_get_pubkey_point(peer_key, 0);
	if (!nkx || !pkx)
		goto fail;

	len[0] = wpabuf_len(nkx) / 2;
	len[1] = wpabuf_len(pkx) / 2;
	if (len[0] != len[1])
		goto fail;

	/* Order the two x coordinates so the smaller one is hashed first */
	first = wpabuf_head(nkx);
	second = wpabuf_head(pkx);
	if (os_memcmp(first, second, len[0]) > 0) {
		const u8 *tmp = first;

		first = second;
		second = tmp;
	}
	addr[0] = first;
	addr[1] = second;
	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]);
	if (sha256_vector(2, addr, len, hash) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN);
	/* Truncate-128: only the leading PMKID_LEN bytes of the digest */
	os_memcpy(pmkid, hash, PMKID_LEN);
	wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN);
	ret = 0;
fail:
	wpabuf_free(nkx);
	wpabuf_free(pkx);
	return ret;
}
6348 
6349 
/*
 * dpp_peer_intro - Validate a peer Connector and derive PMK/PMKID from it
 * @intro: Output; zeroed on entry and again on any failure, so pmk, pmk_len
 *	and pmkid are only valid when DPP_STATUS_OK is returned
 * @own_connector: Own signedConnector as a '.'-separated JWS string; only
 *	the middle (payload) part is base64url-decoded and parsed here
 * @net_access_key: Own netAccessKey in the form dpp_set_keypair() accepts
 * @net_access_key_len: Length of @net_access_key
 * @csign_key: Configurator C-sign-key public key, parsed with d2i_PUBKEY()
 * @csign_key_len: Length of @csign_key
 * @peer_connector: Peer's signedConnector (not NUL terminated)
 * @peer_connector_len: Length of @peer_connector
 * @expiry: Optional; set to 0 on entry and handed to dpp_key_expired() when
 *	the peer connector carries an "expiry" string
 * Returns: DPP_STATUS_OK on success. DPP_STATUS_INVALID_CONNECTOR,
 * DPP_STATUS_NO_MATCH, or the status from dpp_process_signed_connector()
 * when the peer connector is rejected; 255 for local errors (own material
 * fails to parse, allocation, ECDH or KDF failure).
 *
 * Order of checks: own C-sign-key and netAccessKey parse, own connector
 * payload parses, peer connector is accepted by dpp_process_signed_connector()
 * under the C-sign-key, peer/own groups and netRoles are compatible, peer
 * connector has not expired, peer netAccessKey is present and on the same
 * curve as own key. Only then is N = nk * PK derived and PMK/PMKID computed.
 */
enum dpp_status_error
dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
	       const u8 *net_access_key, size_t net_access_key_len,
	       const u8 *csign_key, size_t csign_key_len,
	       const u8 *peer_connector, size_t peer_connector_len,
	       os_time_t *expiry)
{
	struct json_token *root = NULL, *netkey, *token;
	struct json_token *own_root = NULL;
	/* 255 is the "local failure" value; protocol rejections overwrite it
	 * with a DPP_STATUS_* code below */
	enum dpp_status_error ret = 255, res;
	EVP_PKEY *own_key = NULL, *peer_key = NULL;
	/* Never assigned in this function; the wpabuf_free() at the end
	 * always sees NULL */
	struct wpabuf *own_key_pub = NULL;
	const struct dpp_curve_params *curve, *own_curve;
	struct dpp_signed_connector_info info;
	const unsigned char *p;
	EVP_PKEY *csign = NULL;
	char *signed_connector = NULL;
	const char *pos, *end;
	unsigned char *own_conn = NULL;
	size_t own_conn_len;
	EVP_PKEY_CTX *ctx = NULL;
	size_t Nx_len;
	u8 Nx[DPP_MAX_SHARED_SECRET_LEN];

	/* Start from a clean output so a failure never leaves partial keys */
	os_memset(intro, 0, sizeof(*intro));
	os_memset(&info, 0, sizeof(info));
	if (expiry)
		*expiry = 0;

	/* d2i_PUBKEY() advances its cursor, hence the local copy of the
	 * pointer */
	p = csign_key;
	csign = d2i_PUBKEY(NULL, &p, csign_key_len);
	if (!csign) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to parse local C-sign-key information");
		goto fail;
	}

	own_key = dpp_set_keypair(&own_curve, net_access_key,
				  net_access_key_len);
	if (!own_key) {
		wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
		goto fail;
	}

	/* Own connector is header.payload.signature; pos..end delimits the
	 * base64url payload between the first and second dot */
	pos = os_strchr(own_connector, '.');
	if (!pos) {
		wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the first dot (.)");
		goto fail;
	}
	pos++;
	end = os_strchr(pos, '.');
	if (!end) {
		wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the second dot (.)");
		goto fail;
	}
	own_conn = base64_url_decode((const unsigned char *) pos,
				     end - pos, &own_conn_len);
	if (!own_conn) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Failed to base64url decode own signedConnector JWS Payload");
		goto fail;
	}

	own_root = json_parse((const char *) own_conn, own_conn_len);
	if (!own_root) {
		wpa_printf(MSG_DEBUG, "DPP: Failed to parse local connector");
		goto fail;
	}

	/* The peer connector arrives as a length-delimited buffer while
	 * dpp_process_signed_connector() takes a C string, so make a
	 * NUL-terminated copy first */
	wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector",
			  peer_connector, peer_connector_len);
	signed_connector = os_malloc(peer_connector_len + 1);
	if (!signed_connector)
		goto fail;
	os_memcpy(signed_connector, peer_connector, peer_connector_len);
	signed_connector[peer_connector_len] = '\0';

	/* Any non-OK status from connector processing is passed through to
	 * the caller unchanged */
	res = dpp_process_signed_connector(&info, csign, signed_connector);
	if (res != DPP_STATUS_OK) {
		ret = res;
		goto fail;
	}

	root = json_parse((const char *) info.payload, info.payload_len);
	if (!root) {
		wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	if (!dpp_connector_match_groups(own_root, root)) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Peer connector does not include compatible group netrole with own connector");
		ret = DPP_STATUS_NO_MATCH;
		goto fail;
	}

	/* A missing expiry means the connector never expires */
	token = json_get_member(root, "expiry");
	if (!token || token->type != JSON_STRING) {
		wpa_printf(MSG_DEBUG,
			   "DPP: No expiry string found - connector does not expire");
	} else {
		wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
		if (dpp_key_expired(token->string, expiry)) {
			wpa_printf(MSG_DEBUG,
				   "DPP: Connector (netAccessKey) has expired");
			ret = DPP_STATUS_INVALID_CONNECTOR;
			goto fail;
		}
	}

	netkey = json_get_member(root, "netAccessKey");
	if (!netkey || netkey->type != JSON_OBJECT) {
		wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	peer_key = dpp_parse_jwk(netkey, &curve);
	if (!peer_key) {
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}
	dpp_debug_print_key("DPP: Received netAccessKey", peer_key);

	/* Pointer identity suffices here as both are expected to refer to
	 * entries of the same dpp_curves table - confirm against
	 * dpp_set_keypair()/dpp_parse_jwk() */
	if (own_curve != curve) {
		wpa_printf(MSG_DEBUG,
			   "DPP: Mismatching netAccessKey curves (%s != %s)",
			   own_curve->name, curve->name);
		ret = DPP_STATUS_INVALID_CONNECTOR;
		goto fail;
	}

	/* ECDH: N = nk * PK. The first EVP_PKEY_derive() only reports the
	 * output length, which is bounded against the stack buffer before
	 * the second call writes the secret into Nx */
	ctx = EVP_PKEY_CTX_new(own_key, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, peer_key) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &Nx_len) != 1 ||
	    Nx_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, Nx, &Nx_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
			Nx, Nx_len);

	/* PMK = HKDF(<>, "DPP PMK", N.x) */
	if (dpp_derive_pmk(Nx, Nx_len, intro->pmk, curve->hash_len) < 0) {
		wpa_printf(MSG_ERROR, "DPP: Failed to derive PMK");
		goto fail;
	}
	intro->pmk_len = curve->hash_len;

	/* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
	if (dpp_derive_pmkid(curve, own_key, peer_key, intro->pmkid) < 0) {
		wpa_printf(MSG_ERROR, "DPP: Failed to derive PMKID");
		goto fail;
	}

	ret = DPP_STATUS_OK;
fail:
	/* Never hand back partially derived key material */
	if (ret != DPP_STATUS_OK)
		os_memset(intro, 0, sizeof(*intro));
	/* The shared secret is wiped on every path, used or not */
	os_memset(Nx, 0, sizeof(Nx));
	EVP_PKEY_CTX_free(ctx);
	os_free(own_conn);
	os_free(signed_connector);
	os_free(info.payload);
	EVP_PKEY_free(own_key);
	wpabuf_free(own_key_pub);
	EVP_PKEY_free(peer_key);
	EVP_PKEY_free(csign);
	json_free(root);
	json_free(own_root);
	return ret;
}
6530 
6531 
/*
 * dpp_pkex_get_role_elem - Fixed PKEX role element (Pi or Pr) for a curve
 * @curve: Curve parameters; ike_group selects the constant table, prime_len
 *	the coordinate length, and name the OpenSSL group
 * @init: Non-zero for the Initiator element Pi, zero for the Responder's Pr
 * Returns: EVP_PKEY holding the public point, or NULL for an unsupported
 * group (ike_group other than 19/20/21/28/29/30) or an OpenSSL failure
 *
 * NOTE(review): the EC_GROUP created here is passed to
 * dpp_set_pubkey_point_group() and is not released in this function. Unless
 * that helper takes ownership of it, one group object leaks per call -
 * confirm against its definition.
 */
static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
					 int init)
{
	const u8 *init_x, *init_y, *resp_x, *resp_y;
	EC_GROUP *group;

	switch (curve->ike_group) {
	case 19:
		init_x = pkex_init_x_p256;
		init_y = pkex_init_y_p256;
		resp_x = pkex_resp_x_p256;
		resp_y = pkex_resp_y_p256;
		break;
	case 20:
		init_x = pkex_init_x_p384;
		init_y = pkex_init_y_p384;
		resp_x = pkex_resp_x_p384;
		resp_y = pkex_resp_y_p384;
		break;
	case 21:
		init_x = pkex_init_x_p521;
		init_y = pkex_init_y_p521;
		resp_x = pkex_resp_x_p521;
		resp_y = pkex_resp_y_p521;
		break;
	case 28:
		init_x = pkex_init_x_bp_p256r1;
		init_y = pkex_init_y_bp_p256r1;
		resp_x = pkex_resp_x_bp_p256r1;
		resp_y = pkex_resp_y_bp_p256r1;
		break;
	case 29:
		init_x = pkex_init_x_bp_p384r1;
		init_y = pkex_init_y_bp_p384r1;
		resp_x = pkex_resp_x_bp_p384r1;
		resp_y = pkex_resp_y_bp_p384r1;
		break;
	case 30:
		init_x = pkex_init_x_bp_p512r1;
		init_y = pkex_init_y_bp_p512r1;
		resp_x = pkex_resp_x_bp_p512r1;
		resp_y = pkex_resp_y_bp_p512r1;
		break;
	default:
		return NULL;
	}

	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
	if (!group)
		return NULL;
	return dpp_set_pubkey_point_group(group,
					  init ? init_x : resp_x,
					  init ? init_y : resp_y,
					  curve->prime_len);
}
6573 
6574 
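/*
 * dpp_pkex_derive_Qi - Derive the PKEX Initiator's masking point Qi
 * @curve: Curve parameters (hash_len is the scalar length)
 * @mac_init: Initiator MAC address (ETH_ALEN bytes), hashed into the scalar
 * @code: PKEX code (shared secret string)
 * @identifier: Optional code identifier, or NULL
 * @bnctx: BIGNUM context for EC_POINT_mul()
 * @ret_group: Optional output. On success it receives a duplicated EC_GROUP
 *	that Qi belongs to and that the caller owns (EC_GROUP_free()); on
 *	failure it is set to NULL and nothing is handed out.
 * Returns: Newly allocated Qi = H(MAC-Initiator | [identifier |] code) * Pi,
 * or NULL on failure (including Qi being the point at infinity)
 *
 * Pi is the curve-specific constant from dpp_pkex_get_role_elem(). The
 * EC_KEY it is read from is released before returning, which is why the
 * group is duplicated rather than handed out as a borrowed pointer. The
 * previous version returned the duplicated group through @ret_group even
 * when Qi was NULL, which leaked it (or, after an EC_POINT_new() failure,
 * exposed an already freed pointer); it is now freed on every failure path.
 */
static EC_POINT * dpp_pkex_derive_Qi(const struct dpp_curve_params *curve,
				     const u8 *mac_init, const char *code,
				     const char *identifier, BN_CTX *bnctx,
				     const EC_GROUP **ret_group)
{
	u8 hash[DPP_MAX_HASH_LEN];
	const u8 *addr[3];
	size_t len[3];
	unsigned int num_elem = 0;
	EC_POINT *Qi = NULL;
	EVP_PKEY *Pi = NULL;
	EC_KEY *Pi_ec = NULL;
	const EC_POINT *Pi_point;
	BIGNUM *hash_bn = NULL;
	const EC_GROUP *group = NULL;
	EC_GROUP *group2 = NULL;

	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */

	wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR, MAC2STR(mac_init));
	addr[num_elem] = mac_init;
	len[num_elem] = ETH_ALEN;
	num_elem++;
	if (identifier) {
		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
			   identifier);
		addr[num_elem] = (const u8 *) identifier;
		len[num_elem] = os_strlen(identifier);
		num_elem++;
	}
	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
	addr[num_elem] = (const u8 *) code;
	len[num_elem] = os_strlen(code);
	num_elem++;
	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
		goto fail;
	wpa_hexdump_key(MSG_DEBUG,
			"DPP: H(MAC-Initiator | [identifier |] code)",
			hash, curve->hash_len);
	Pi = dpp_pkex_get_role_elem(curve, 1);
	if (!Pi)
		goto fail;
	dpp_debug_print_key("DPP: Pi", Pi);
	Pi_ec = EVP_PKEY_get1_EC_KEY(Pi);
	if (!Pi_ec)
		goto fail;
	Pi_point = EC_KEY_get0_public_key(Pi_ec);

	group = EC_KEY_get0_group(Pi_ec);
	if (!group)
		goto fail;
	/* Duplicate the group so that Qi and the caller outlive Pi_ec */
	group2 = EC_GROUP_dup(group);
	if (!group2)
		goto fail;
	Qi = EC_POINT_new(group2);
	if (!Qi)
		goto fail;
	hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
	if (!hash_bn ||
	    EC_POINT_mul(group2, Qi, NULL, Pi_point, hash_bn, bnctx) != 1)
		goto fail;
	if (EC_POINT_is_at_infinity(group, Qi)) {
		wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity");
		goto fail;
	}
	dpp_debug_print_point("DPP: Qi", group, Qi);
out:
	EC_KEY_free(Pi_ec);
	EVP_PKEY_free(Pi);
	/* The scalar is derived from the code; clear both copies of it */
	BN_clear_free(hash_bn);
	os_memset(hash, 0, sizeof(hash));
	if (!Qi) {
		/* No point to return, so the duplicated group must not be
		 * handed out either */
		EC_GROUP_free(group2);
		group2 = NULL;
	}
	if (ret_group)
		*ret_group = group2;
	return Qi;
fail:
	EC_POINT_free(Qi);
	Qi = NULL;
	goto out;
}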
6655 
6656 
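/*
 * dpp_pkex_derive_Qr - Derive the PKEX Responder's masking point Qr
 * @curve: Curve parameters (hash_len is the scalar length)
 * @mac_resp: Responder MAC address (ETH_ALEN bytes), hashed into the scalar
 * @code: PKEX code (shared secret string)
 * @identifier: Optional code identifier, or NULL
 * @bnctx: BIGNUM context for EC_POINT_mul()
 * @ret_group: Optional output. On success it receives a duplicated EC_GROUP
 *	that Qr belongs to and that the caller owns (EC_GROUP_free()); on
 *	failure it is set to NULL and nothing is handed out.
 * Returns: Newly allocated Qr = H(MAC-Responder | [identifier |] code) * Pr,
 * or NULL on failure (including Qr being the point at infinity)
 *
 * Mirror image of dpp_pkex_derive_Qi() using the Responder constant Pr.
 * The previous version returned the duplicated group through @ret_group even
 * when Qr was NULL, which leaked it (or, after an EC_POINT_new() failure,
 * exposed an already freed pointer); it is now freed on every failure path.
 */
static EC_POINT * dpp_pkex_derive_Qr(const struct dpp_curve_params *curve,
				     const u8 *mac_resp, const char *code,
				     const char *identifier, BN_CTX *bnctx,
				     const EC_GROUP **ret_group)
{
	u8 hash[DPP_MAX_HASH_LEN];
	const u8 *addr[3];
	size_t len[3];
	unsigned int num_elem = 0;
	EC_POINT *Qr = NULL;
	EVP_PKEY *Pr = NULL;
	EC_KEY *Pr_ec = NULL;
	const EC_POINT *Pr_point;
	BIGNUM *hash_bn = NULL;
	const EC_GROUP *group = NULL;
	EC_GROUP *group2 = NULL;

	/* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */

	wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR, MAC2STR(mac_resp));
	addr[num_elem] = mac_resp;
	len[num_elem] = ETH_ALEN;
	num_elem++;
	if (identifier) {
		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
			   identifier);
		addr[num_elem] = (const u8 *) identifier;
		len[num_elem] = os_strlen(identifier);
		num_elem++;
	}
	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
	addr[num_elem] = (const u8 *) code;
	len[num_elem] = os_strlen(code);
	num_elem++;
	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
		goto fail;
	wpa_hexdump_key(MSG_DEBUG,
			"DPP: H(MAC-Responder | [identifier |] code)",
			hash, curve->hash_len);
	Pr = dpp_pkex_get_role_elem(curve, 0);
	if (!Pr)
		goto fail;
	dpp_debug_print_key("DPP: Pr", Pr);
	Pr_ec = EVP_PKEY_get1_EC_KEY(Pr);
	if (!Pr_ec)
		goto fail;
	Pr_point = EC_KEY_get0_public_key(Pr_ec);

	group = EC_KEY_get0_group(Pr_ec);
	if (!group)
		goto fail;
	/* Duplicate the group so that Qr and the caller outlive Pr_ec */
	group2 = EC_GROUP_dup(group);
	if (!group2)
		goto fail;
	Qr = EC_POINT_new(group2);
	if (!Qr)
		goto fail;
	hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
	if (!hash_bn ||
	    EC_POINT_mul(group2, Qr, NULL, Pr_point, hash_bn, bnctx) != 1)
		goto fail;
	if (EC_POINT_is_at_infinity(group, Qr)) {
		wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity");
		goto fail;
	}
	dpp_debug_print_point("DPP: Qr", group, Qr);
out:
	EC_KEY_free(Pr_ec);
	EVP_PKEY_free(Pr);
	/* The scalar is derived from the code; clear both copies of it */
	BN_clear_free(hash_bn);
	os_memset(hash, 0, sizeof(hash));
	if (!Qr) {
		/* No point to return, so the duplicated group must not be
		 * handed out either */
		EC_GROUP_free(group2);
		group2 = NULL;
	}
	if (ret_group)
		*ret_group = group2;
	return Qr;
fail:
	EC_POINT_free(Qr);
	Qr = NULL;
	goto out;
}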
6737 
6738 
6739 #ifdef CONFIG_TESTING_OPTIONS
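/*
 * dpp_test_gen_invalid_key - Append an off-curve point to a test frame
 * @msg: Frame buffer; receives 2 * prime_len bytes (x then y, zero-padded)
 * @curve: Curve whose group and prime length are used
 * Returns: 0 on success, -1 on failure
 *
 * Testing-only helper (CONFIG_TESTING_OPTIONS): x is random and y is
 * re-drawn until (x, y) is not on the curve, producing an Encrypted Key
 * value that exercises the peer's point validation. The EC_GROUP created
 * here is now released on every path; it was previously never freed.
 */
static int dpp_test_gen_invalid_key(struct wpabuf *msg,
				    const struct dpp_curve_params *curve)
{
	BN_CTX *ctx;
	BIGNUM *x, *y;
	int ret = -1;
	EC_GROUP *group;
	EC_POINT *point;

	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
	if (!group)
		return -1;

	ctx = BN_CTX_new();
	point = EC_POINT_new(group);
	x = BN_new();
	y = BN_new();
	if (!ctx || !point || !x || !y)
		goto fail;

	if (BN_rand(x, curve->prime_len * 8, 0, 0) != 1)
		goto fail;

	/* Generate a random y coordinate that results in a point that is not
	 * on the curve. */
	for (;;) {
		if (BN_rand(y, curve->prime_len * 8, 0, 0) != 1)
			goto fail;

		if (EC_POINT_set_affine_coordinates_GFp(group, point, x, y,
							ctx) != 1) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
		/* Unlike older OpenSSL versions, OpenSSL 1.1.1 and BoringSSL
		 * return an error from EC_POINT_set_affine_coordinates_GFp()
		 * when the point is not on the curve. */
			break;
#else /* >=1.1.0 or OPENSSL_IS_BORINGSSL */
			goto fail;
#endif /* >= 1.1.0 or OPENSSL_IS_BORINGSSL */
		}

		if (!EC_POINT_is_on_curve(group, point, ctx))
			break;
	}

	if (dpp_bn2bin_pad(x, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(y, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0)
		goto fail;

	ret = 0;
fail:
	if (ret < 0)
		wpa_printf(MSG_INFO, "DPP: Failed to generate invalid key");
	BN_free(x);
	BN_free(y);
	EC_POINT_free(point);
	BN_CTX_free(ctx);
	/* Nothing returned to the caller references the group */
	EC_GROUP_free(group);

	return ret;
}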
6802 #endif /* CONFIG_TESTING_OPTIONS */
6803 
6804 
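/*
 * dpp_pkex_build_exchange_req - Build the PKEX Exchange Request frame
 * @pkex: PKEX session (Initiator). On success pkex->x holds the fresh
 *	ephemeral keypair and pkex->Mx the x coordinate of M.
 * Returns: Newly allocated frame, or NULL on failure. pkex->x may already
 * have been set when a later step fails; it is presumably released by
 * dpp_pkex_free().
 *
 * Frame: Finite Cyclic Group, [Code Identifier,] Encrypted Key = M with
 * M = X + Qi, X being the ephemeral public key and Qi the code-derived mask
 * from dpp_pkex_derive_Qi(). Under CONFIG_TESTING_OPTIONS individual
 * attributes can be omitted or corrupted and the ephemeral key overridden.
 * The EC_GROUP that dpp_pkex_derive_Qi() duplicates for the caller is now
 * released here; the previous version dropped it on every call. The unused
 * M_buf local has been removed.
 */
static struct wpabuf * dpp_pkex_build_exchange_req(struct dpp_pkex *pkex)
{
	EC_KEY *X_ec = NULL;
	const EC_POINT *X_point;
	BN_CTX *bnctx = NULL;
	/* Owned copy of the curve group, handed over by dpp_pkex_derive_Qi()
	 * together with a non-NULL Qi; released at out */
	const EC_GROUP *group = NULL;
	EC_POINT *Qi = NULL, *M = NULL;
	BIGNUM *Mx = NULL, *My = NULL;
	struct wpabuf *msg = NULL;
	size_t attr_len;
	const struct dpp_curve_params *curve = pkex->own_bi->curve;

	wpa_printf(MSG_DEBUG, "DPP: Build PKEX Exchange Request");

	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
	bnctx = BN_CTX_new();
	if (!bnctx)
		goto fail;
	Qi = dpp_pkex_derive_Qi(curve, pkex->own_mac, pkex->code,
				pkex->identifier, bnctx, &group);
	if (!Qi)
		goto fail;

	/* Generate a random ephemeral keypair x/X */
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_pkex_ephemeral_key_override_len) {
		const struct dpp_curve_params *tmp_curve;

		wpa_printf(MSG_INFO,
			   "DPP: TESTING - override ephemeral key x/X");
		pkex->x = dpp_set_keypair(&tmp_curve,
					  dpp_pkex_ephemeral_key_override,
					  dpp_pkex_ephemeral_key_override_len);
	} else {
		pkex->x = dpp_gen_keypair(curve);
	}
#else /* CONFIG_TESTING_OPTIONS */
	pkex->x = dpp_gen_keypair(curve);
#endif /* CONFIG_TESTING_OPTIONS */
	if (!pkex->x)
		goto fail;

	/* M = X + Qi */
	X_ec = EVP_PKEY_get1_EC_KEY(pkex->x);
	if (!X_ec)
		goto fail;
	X_point = EC_KEY_get0_public_key(X_ec);
	if (!X_point)
		goto fail;
	dpp_debug_print_point("DPP: X", group, X_point);
	M = EC_POINT_new(group);
	Mx = BN_new();
	My = BN_new();
	if (!M || !Mx || !My ||
	    EC_POINT_add(group, M, X_point, Qi, bnctx) != 1 ||
	    EC_POINT_get_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1)
		goto fail;
	dpp_debug_print_point("DPP: M", group, M);

	/* Initiator -> Responder: group, [identifier,] M */
	attr_len = 4 + 2;
	if (pkex->identifier)
		attr_len += 4 + os_strlen(pkex->identifier);
	attr_len += 4 + 2 * curve->prime_len;
	msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_REQ, attr_len);
	if (!msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_FINITE_CYCLIC_GROUP_PKEX_EXCHANGE_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Finite Cyclic Group");
		goto skip_finite_cyclic_group;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Finite Cyclic Group attribute */
	wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
	wpabuf_put_le16(msg, 2);
	wpabuf_put_le16(msg, curve->ike_group);

#ifdef CONFIG_TESTING_OPTIONS
skip_finite_cyclic_group:
#endif /* CONFIG_TESTING_OPTIONS */

	/* Code Identifier attribute */
	if (pkex->identifier) {
		wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
		wpabuf_put_le16(msg, os_strlen(pkex->identifier));
		wpabuf_put_str(msg, pkex->identifier);
	}

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
		goto out;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* M in Encrypted Key attribute */
	wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
	wpabuf_put_le16(msg, 2 * curve->prime_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
		if (dpp_test_gen_invalid_key(msg, curve) < 0)
			goto fail;
		goto out;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* M.x is written to the frame and also kept in pkex->Mx for later use */
	if (dpp_bn2bin_pad(Mx, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(Mx, pkex->Mx, curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(My, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0)
		goto fail;

out:
	EC_KEY_free(X_ec);
	EC_POINT_free(M);
	if (Qi) {
		/* dpp_pkex_derive_Qi() only hands over its duplicated group
		 * alongside a non-NULL Qi, so both are released here and
		 * nothing is freed when Qi derivation failed */
		EC_POINT_free(Qi);
		EC_GROUP_free((EC_GROUP *) group);
	}
	BN_clear_free(Mx);
	BN_clear_free(My);
	BN_CTX_free(bnctx);
	return msg;
fail:
	wpa_printf(MSG_INFO, "DPP: Failed to build PKEX Exchange Request");
	wpabuf_free(msg);
	msg = NULL;
	goto out;
}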
6939 
6940 
/*
 * dpp_pkex_fail - Report a PKEX failure as a DPP-FAIL control event
 * @pkex: PKEX session providing the wpa_msg() context
 * @txt: Human-readable reason appended to DPP_EVENT_FAIL
 */
static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
{
	void *ctx = pkex->msg_ctx;

	wpa_msg(ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
}
6945 
6946 
/*
 * dpp_pkex_init - Start a PKEX exchange as the Initiator
 * @msg_ctx: Context for wpa_msg() events
 * @bi: Own bootstrapping info (its curve is used for the exchange)
 * @own_mac: Own MAC address (ETH_ALEN bytes); under CONFIG_TESTING_OPTIONS a
 *	non-zero dpp_pkex_own_mac_override replaces it
 * @identifier: Optional code identifier, or NULL
 * @code: PKEX code
 * Returns: New session with exchange_req already built, or NULL on failure
 * (allocation, or dpp_pkex_build_exchange_req() failing)
 *
 * The identifier and code strings are duplicated so the session owns them;
 * on any failure the partially built session is released with
 * dpp_pkex_free().
 */
struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
				const u8 *own_mac,
				const char *identifier,
				const char *code)
{
	struct dpp_pkex *pkex;
	const u8 *mac = own_mac;

#ifdef CONFIG_TESTING_OPTIONS
	if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
		wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
			   MAC2STR(dpp_pkex_own_mac_override));
		mac = dpp_pkex_own_mac_override;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	pkex = os_zalloc(sizeof(*pkex));
	if (!pkex)
		return NULL;
	pkex->msg_ctx = msg_ctx;
	pkex->initiator = 1;
	pkex->own_bi = bi;
	os_memcpy(pkex->own_mac, mac, ETH_ALEN);

	if (identifier) {
		pkex->identifier = os_strdup(identifier);
		if (!pkex->identifier)
			goto fail;
	}
	pkex->code = os_strdup(code);
	if (!pkex->code)
		goto fail;

	pkex->exchange_req = dpp_pkex_build_exchange_req(pkex);
	if (pkex->exchange_req)
		return pkex;

fail:
	dpp_pkex_free(pkex);
	return NULL;
}
6985 
6986 
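/*
 * dpp_pkex_build_exchange_resp - Build a PKEX Exchange Response frame
 * @pkex: Responder-side PKEX context; own_bi->curve selects the group
 * @status: DPP Status to report; N is included only for DPP_STATUS_OK
 * @Nx: x coordinate of N (only used with DPP_STATUS_OK, may be %NULL otherwise)
 * @Ny: y coordinate of N (only used with DPP_STATUS_OK, may be %NULL otherwise)
 * Returns: Allocated frame (caller frees with wpabuf_free()), or %NULL on
 * allocation or encoding failure
 *
 * Side effect: on the DPP_STATUS_OK path the padded N.x is also stored in
 * pkex->Nx for the later z derivation. With DPP_STATUS_BAD_GROUP the own
 * Finite Cyclic Group is advertised instead of the Encrypted Key.
 */
static struct wpabuf *
dpp_pkex_build_exchange_resp(struct dpp_pkex *pkex,
			     enum dpp_status_error status,
			     const BIGNUM *Nx, const BIGNUM *Ny)
{
	struct wpabuf *msg = NULL;
	size_t attr_len;
	const struct dpp_curve_params *curve = pkex->own_bi->curve;

	/* Responder -> Initiator: DPP Status, [identifier,] N |
	 * [Finite Cyclic Group] */
	attr_len = 4 + 1;
	if (pkex->identifier)
		attr_len += 4 + os_strlen(pkex->identifier);
	attr_len += 4 + 2 * curve->prime_len;
	/* Reserve room for the Finite Cyclic Group attribute explicitly instead
	 * of relying on the unused Encrypted Key space when reporting
	 * DPP_STATUS_BAD_GROUP. */
	if (status == DPP_STATUS_BAD_GROUP)
		attr_len += 4 + 2;
	msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_RESP, attr_len);
	if (!msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_STATUS_PKEX_EXCHANGE_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
		goto skip_status;
	}

	if (dpp_test == DPP_TEST_INVALID_STATUS_PKEX_EXCHANGE_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
		status = 255;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* DPP Status */
	dpp_build_attr_status(msg, status);

#ifdef CONFIG_TESTING_OPTIONS
skip_status:
#endif /* CONFIG_TESTING_OPTIONS */

	/* Code Identifier attribute */
	if (pkex->identifier) {
		wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
		wpabuf_put_le16(msg, os_strlen(pkex->identifier));
		wpabuf_put_str(msg, pkex->identifier);
	}

	/* N is only sent with a successful status */
	if (status != DPP_STATUS_OK)
		goto skip_encrypted_key;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
		goto skip_encrypted_key;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* N in Encrypted Key attribute */
	wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
	wpabuf_put_le16(msg, 2 * curve->prime_len);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
		if (dpp_test_gen_invalid_key(msg, curve) < 0)
			goto fail;
		goto skip_encrypted_key;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* N.x | N.y, each left-padded to prime_len octets; N.x is also kept
	 * in pkex->Nx for the z derivation. */
	if (dpp_bn2bin_pad(Nx, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(Nx, pkex->Nx, curve->prime_len) < 0 ||
	    dpp_bn2bin_pad(Ny, wpabuf_put(msg, curve->prime_len),
			   curve->prime_len) < 0)
		goto fail;

skip_encrypted_key:
	if (status == DPP_STATUS_BAD_GROUP) {
		/* Finite Cyclic Group attribute: advertise the own group */
		wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
		wpabuf_put_le16(msg, 2);
		wpabuf_put_le16(msg, curve->ike_group);
	}

	return msg;
fail:
	wpabuf_free(msg);
	return NULL;
}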
7074 
7075 
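/*
 * dpp_pkex_derive_z - Derive the PKEX key z with HKDF (extract + expand)
 * @mac_init: Initiator MAC address (ETH_ALEN octets)
 * @mac_resp: Responder MAC address (ETH_ALEN octets)
 * @Mx: M.x as carried on the wire
 * @Mx_len: Length of @Mx in octets
 * @Nx: N.x as carried on the wire
 * @Nx_len: Length of @Nx in octets
 * @code: NUL-terminated PKEX code; it becomes part of the HKDF info
 * @Kx: ECDH shared secret K.x (the HKDF input keying material)
 * @Kx_len: Length of @Kx in octets
 * @z: Output buffer for z, @hash_len octets
 * @hash_len: Hash output length selecting the HKDF hash: 32, 48 or 64
 * Returns: 0 on success, -1 on failure (unsupported @hash_len, HMAC failure
 * or memory allocation failure)
 *
 * z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x) with an
 * all-zero salt. The PRK and the info buffer (which carries the code) are
 * cleared before the function returns on every path after they are filled.
 */
static int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp,
			     const u8 *Mx, size_t Mx_len,
			     const u8 *Nx, size_t Nx_len,
			     const char *code,
			     const u8 *Kx, size_t Kx_len,
			     u8 *z, unsigned int hash_len)
{
	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
	int res;
	u8 *info, *pos;
	size_t info_len, code_len;

	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
	 */

	/* Validate the hash size before touching the fixed-size salt/prk
	 * buffers so an unexpected length cannot run past them. */
	if (hash_len != 32 && hash_len != 48 && hash_len != 64)
		return -1;

	/* HKDF-Extract(<>, IKM=K.x) */
	os_memset(salt, 0, hash_len);
	if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
			prk, hash_len);

	code_len = os_strlen(code);
	info_len = 2 * ETH_ALEN + Mx_len + Nx_len + code_len;
	info = os_malloc(info_len);
	if (!info) {
		/* Do not leave the PRK on the stack on the failure path */
		os_memset(prk, 0, hash_len);
		return -1;
	}
	pos = info;
	os_memcpy(pos, mac_init, ETH_ALEN);
	pos += ETH_ALEN;
	os_memcpy(pos, mac_resp, ETH_ALEN);
	pos += ETH_ALEN;
	os_memcpy(pos, Mx, Mx_len);
	pos += Mx_len;
	os_memcpy(pos, Nx, Nx_len);
	pos += Nx_len;
	os_memcpy(pos, code, code_len);

	/* HKDF-Expand(PRK, info, L) */
	switch (hash_len) {
	case 32:
		res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len,
				      z, hash_len);
		break;
	case 48:
		res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len,
				      z, hash_len);
		break;
	case 64:
		res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len,
				      z, hash_len);
		break;
	default:
		res = -1;
		break;
	}
	/* info carries the PKEX code (the shared password), so wipe it
	 * together with the PRK before releasing the buffers. */
	os_memset(info, 0, info_len);
	os_free(info);
	os_memset(prk, 0, hash_len);
	if (res < 0)
		return -1;

	wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)",
			z, hash_len);
	return 0;
}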
7133 
7134 
/*
 * dpp_pkex_identifier_match - Check a received Code Identifier against the
 *	locally configured one
 * @attr_id: Received Code Identifier attribute value, or %NULL if absent
 * @attr_id_len: Length of @attr_id in octets (ignored when @attr_id is %NULL)
 * @identifier: Locally expected identifier, or %NULL if none is expected
 * Returns: 1 when both sides agree (both absent, or present and equal),
 * 0 otherwise (the reason is logged at MSG_DEBUG)
 */
static int dpp_pkex_identifier_match(const u8 *attr_id, u16 attr_id_len,
				     const char *identifier)
{
	size_t expected_len;

	if (!attr_id) {
		/* Nothing received: that is only acceptable if nothing is
		 * expected either */
		if (!identifier)
			return 1;
		wpa_printf(MSG_DEBUG,
			   "DPP: No PKEX code identifier received, but expected one");
		return 0;
	}

	if (!identifier) {
		wpa_printf(MSG_DEBUG,
			   "DPP: PKEX code identifier received, but not expecting one");
		return 0;
	}

	/* Both present: lengths and contents must agree exactly */
	expected_len = os_strlen(identifier);
	if (expected_len != attr_id_len ||
	    os_memcmp(identifier, attr_id, attr_id_len) != 0) {
		wpa_printf(MSG_DEBUG, "DPP: PKEX code identifier mismatch");
		return 0;
	}

	return 1;
}
7159 
7160 
/*
 * dpp_pkex_rx_exchange_req - Process a received PKEX Exchange Request
 *	(Responder side)
 * @msg_ctx: Context pointer for wpa_msg() event reporting
 * @bi: Own bootstrapping info; bi->curve must match the peer's group and
 *	bi->pkex_t is the persistent failure counter consulted and bumped here
 * @own_mac: Own MAC address (ETH_ALEN octets)
 * @peer_mac: MAC address of the Initiator (ETH_ALEN octets)
 * @identifier: Expected PKEX code identifier, or %NULL if none is expected
 * @code: PKEX code shared with the peer
 * @buf: Attributes of the received frame
 * @len: Length of @buf in octets
 * Returns: New PKEX context with exchange_resp ready to send, or %NULL if the
 * frame is ignored or processing failed
 *
 * On a group mismatch a context with failed=1 and a DPP_STATUS_BAD_GROUP
 * response is returned (note: its msg_ctx is left unset). Otherwise the
 * function recovers X' = M - Qi, generates the ephemeral y/Y, builds
 * N = Y + Qr, derives K = y * X' and the PKEX key z, and marks exchange_done.
 */
struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
					   struct dpp_bootstrap_info *bi,
					   const u8 *own_mac,
					   const u8 *peer_mac,
					   const char *identifier,
					   const char *code,
					   const u8 *buf, size_t len)
{
	const u8 *attr_group, *attr_id, *attr_key;
	u16 attr_group_len, attr_id_len, attr_key_len;
	const struct dpp_curve_params *curve = bi->curve;
	u16 ike_group;
	struct dpp_pkex *pkex = NULL;
	EC_POINT *Qi = NULL, *Qr = NULL, *M = NULL, *X = NULL, *N = NULL;
	BN_CTX *bnctx = NULL;
	const EC_GROUP *group;
	BIGNUM *Mx = NULL, *My = NULL;
	EC_KEY *Y_ec = NULL, *X_ec = NULL;;
	const EC_POINT *Y_point;
	BIGNUM *Nx = NULL, *Ny = NULL;
	u8 Kx[DPP_MAX_SHARED_SECRET_LEN];
	size_t Kx_len;
	int res;
	EVP_PKEY_CTX *ctx = NULL;

	/* Stop serving exchanges once the failure counter t has reached its
	 * limit for this bootstrapping info. */
	if (bi->pkex_t >= PKEX_COUNTER_T_LIMIT) {
		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"PKEX counter t limit reached - ignore message");
		return NULL;
	}

#ifdef CONFIG_TESTING_OPTIONS
	if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
		wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
			   MAC2STR(dpp_pkex_peer_mac_override));
		peer_mac = dpp_pkex_peer_mac_override;
	}
	if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
		wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
			   MAC2STR(dpp_pkex_own_mac_override));
		own_mac = dpp_pkex_own_mac_override;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	attr_id_len = 0;
	attr_id = dpp_get_attr(buf, len, DPP_ATTR_CODE_IDENTIFIER,
			       &attr_id_len);
	if (!dpp_pkex_identifier_match(attr_id, attr_id_len, identifier))
		return NULL;

	attr_group = dpp_get_attr(buf, len, DPP_ATTR_FINITE_CYCLIC_GROUP,
				  &attr_group_len);
	if (!attr_group || attr_group_len != 2) {
		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"Missing or invalid Finite Cyclic Group attribute");
		return NULL;
	}
	ike_group = WPA_GET_LE16(attr_group);
	if (ike_group != curve->ike_group) {
		/* Answer with DPP_STATUS_BAD_GROUP and the own group; the
		 * returned context is marked failed and carries no msg_ctx. */
		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"Mismatching PKEX curve: peer=%u own=%u",
			ike_group, curve->ike_group);
		pkex = os_zalloc(sizeof(*pkex));
		if (!pkex)
			goto fail;
		pkex->own_bi = bi;
		pkex->failed = 1;
		pkex->exchange_resp = dpp_pkex_build_exchange_resp(
			pkex, DPP_STATUS_BAD_GROUP, NULL, NULL);
		if (!pkex->exchange_resp)
			goto fail;
		return pkex;
	}

	/* M in Encrypted Key attribute */
	/* M.x | M.y as two equal-length halves; the /2 bound keeps the
	 * os_memcpy() into pkex->Mx below in range (assumes pkex->Mx holds
	 * DPP_MAX_SHARED_SECRET_LEN octets - confirm against dpp.h). */
	attr_key = dpp_get_attr(buf, len, DPP_ATTR_ENCRYPTED_KEY,
				&attr_key_len);
	if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2 ||
	    attr_key_len / 2 > DPP_MAX_SHARED_SECRET_LEN) {
		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"Missing Encrypted Key attribute");
		return NULL;
	}

	/* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
	bnctx = BN_CTX_new();
	if (!bnctx)
		goto fail;
	Qi = dpp_pkex_derive_Qi(curve, peer_mac, code, identifier, bnctx,
				&group);
	if (!Qi)
		goto fail;

	/* X' = M - Qi */
	/* Reject M or X' that is the point at infinity or not on the curve;
	 * each rejected attempt counts against bi->pkex_t. */
	X = EC_POINT_new(group);
	M = EC_POINT_new(group);
	Mx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
	My = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
	if (!X || !M || !Mx || !My ||
	    EC_POINT_set_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1 ||
	    EC_POINT_is_at_infinity(group, M) ||
	    !EC_POINT_is_on_curve(group, M, bnctx) ||
	    EC_POINT_invert(group, Qi, bnctx) != 1 ||
	    EC_POINT_add(group, X, M, Qi, bnctx) != 1 ||
	    EC_POINT_is_at_infinity(group, X) ||
	    !EC_POINT_is_on_curve(group, X, bnctx)) {
		wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
			"Invalid Encrypted Key value");
		bi->pkex_t++;
		goto fail;
	}
	dpp_debug_print_point("DPP: M", group, M);
	dpp_debug_print_point("DPP: X'", group, X);

	pkex = os_zalloc(sizeof(*pkex));
	if (!pkex)
		goto fail;
	pkex->t = bi->pkex_t;
	pkex->msg_ctx = msg_ctx;
	pkex->own_bi = bi;
	os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
	os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
	if (identifier) {
		pkex->identifier = os_strdup(identifier);
		if (!pkex->identifier)
			goto fail;
	}
	pkex->code = os_strdup(code);
	if (!pkex->code)
		goto fail;

	/* Keep the received M.x bytes for the z derivation below */
	os_memcpy(pkex->Mx, attr_key, attr_key_len / 2);

	/* Wrap X' into an EVP_PKEY so it can act as the ECDH peer key */
	X_ec = EC_KEY_new();
	if (!X_ec ||
	    EC_KEY_set_group(X_ec, group) != 1 ||
	    EC_KEY_set_public_key(X_ec, X) != 1)
		goto fail;
	pkex->x = EVP_PKEY_new();
	if (!pkex->x ||
	    EVP_PKEY_set1_EC_KEY(pkex->x, X_ec) != 1)
		goto fail;

	/* Qr = H(MAC-Responder | [identifier |] code) * Pr */
	Qr = dpp_pkex_derive_Qr(curve, own_mac, code, identifier, bnctx, NULL);
	if (!Qr)
		goto fail;

	/* Generate a random ephemeral keypair y/Y */
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_pkex_ephemeral_key_override_len) {
		const struct dpp_curve_params *tmp_curve;

		wpa_printf(MSG_INFO,
			   "DPP: TESTING - override ephemeral key y/Y");
		pkex->y = dpp_set_keypair(&tmp_curve,
					  dpp_pkex_ephemeral_key_override,
					  dpp_pkex_ephemeral_key_override_len);
	} else {
		pkex->y = dpp_gen_keypair(curve);
	}
#else /* CONFIG_TESTING_OPTIONS */
	pkex->y = dpp_gen_keypair(curve);
#endif /* CONFIG_TESTING_OPTIONS */
	if (!pkex->y)
		goto fail;

	/* N = Y + Qr */
	Y_ec = EVP_PKEY_get1_EC_KEY(pkex->y);
	if (!Y_ec)
		goto fail;
	Y_point = EC_KEY_get0_public_key(Y_ec);
	if (!Y_point)
		goto fail;
	dpp_debug_print_point("DPP: Y", group, Y_point);
	N = EC_POINT_new(group);
	Nx = BN_new();
	Ny = BN_new();
	if (!N || !Nx || !Ny ||
	    EC_POINT_add(group, N, Y_point, Qr, bnctx) != 1 ||
	    EC_POINT_get_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1)
		goto fail;
	dpp_debug_print_point("DPP: N", group, N);

	/* Building the response also records the padded N.x in pkex->Nx */
	pkex->exchange_resp = dpp_pkex_build_exchange_resp(pkex, DPP_STATUS_OK,
							   Nx, Ny);
	if (!pkex->exchange_resp)
		goto fail;

	/* K = y * X' */
	/* Probe the secret length first so the fixed-size Kx is never
	 * overrun. */
	ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
	    Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
			Kx, Kx_len);

	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
	 */
	res = dpp_pkex_derive_z(pkex->peer_mac, pkex->own_mac,
				pkex->Mx, curve->prime_len,
				pkex->Nx, curve->prime_len, pkex->code,
				Kx, Kx_len, pkex->z, curve->hash_len);
	/* K.x is not needed once z has been derived */
	os_memset(Kx, 0, Kx_len);
	if (res < 0)
		goto fail;

	pkex->exchange_done = 1;

out:
	/* Shared cleanup; pkex is NULL here when arriving via fail */
	EVP_PKEY_CTX_free(ctx);
	BN_CTX_free(bnctx);
	EC_POINT_free(Qi);
	EC_POINT_free(Qr);
	BN_free(Mx);
	BN_free(My);
	BN_free(Nx);
	BN_free(Ny);
	EC_POINT_free(M);
	EC_POINT_free(N);
	EC_POINT_free(X);
	EC_KEY_free(X_ec);
	EC_KEY_free(Y_ec);
	return pkex;
fail:
	wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request processing failed");
	dpp_pkex_free(pkex);
	pkex = NULL;
	goto out;
}
7400 
7401 
/*
 * dpp_pkex_build_commit_reveal_req - Build a PKEX Commit-Reveal Request
 * @pkex: Initiator-side PKEX context; pkex->z is the AES-SIV key
 * @A_pub: Own bootstrapping public key point (Bootstrap Key attribute value)
 * @u: I-Auth tag, curve->hash_len octets
 * Returns: Allocated frame (caller frees with wpabuf_free()), or %NULL on
 * allocation or encryption failure
 *
 * The Bootstrap Key and I-Auth Tag attributes are assembled in a cleartext
 * buffer which is AES-SIV wrapped with z into the Wrapped Data attribute. The
 * associated data is the DPP header (DPP_HDR_LEN octets starting two octets
 * into the frame) followed by a single octet 0 (the Response uses 1).
 */
static struct wpabuf *
dpp_pkex_build_commit_reveal_req(struct dpp_pkex *pkex,
				 const struct wpabuf *A_pub, const u8 *u)
{
	const struct dpp_curve_params *curve = pkex->own_bi->curve;
	struct wpabuf *msg = NULL;
	size_t clear_len, attr_len;
	struct wpabuf *clear = NULL;
	u8 *wrapped;
	u8 octet;
	const u8 *addr[2];
	size_t len[2];

	/* {A, u, [bootstrapping info]}z */
	/* Cleartext: two 4-octet attribute headers, the 2*prime_len key and
	 * the hash_len tag; Wrapped Data adds its own header plus the
	 * AES_BLOCK_SIZE AES-SIV expansion. */
	clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
	clear = wpabuf_alloc(clear_len);
	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_REQ, attr_len);
	if (!clear || !msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
		goto skip_bootstrap_key;
	}
	if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
		wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
		wpabuf_put_le16(clear, 2 * curve->prime_len);
		if (dpp_test_gen_invalid_key(clear, curve) < 0)
			goto fail;
		goto skip_bootstrap_key;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* A in Bootstrap Key attribute */
	wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
	wpabuf_put_le16(clear, wpabuf_len(A_pub));
	wpabuf_put_buf(clear, A_pub);

#ifdef CONFIG_TESTING_OPTIONS
skip_bootstrap_key:
	if (dpp_test == DPP_TEST_NO_I_AUTH_TAG_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no I-Auth tag");
		goto skip_i_auth_tag;
	}
	if (dpp_test == DPP_TEST_I_AUTH_TAG_MISMATCH_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - I-Auth tag mismatch");
		wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
		wpabuf_put_le16(clear, curve->hash_len);
		wpabuf_put_data(clear, u, curve->hash_len - 1);
		wpabuf_put_u8(clear, u[curve->hash_len - 1] ^ 0x01);
		goto skip_i_auth_tag;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* u in I-Auth tag attribute */
	wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
	wpabuf_put_le16(clear, curve->hash_len);
	wpabuf_put_data(clear, u, curve->hash_len);

#ifdef CONFIG_TESTING_OPTIONS
skip_i_auth_tag:
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* AES-SIV associated data: the DPP header already in msg, then the
	 * single octet 0 distinguishing the Request from the Response */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = DPP_HDR_LEN;
	octet = 0;
	addr[1] = &octet;
	len[1] = sizeof(octet);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	/* Reserve the Wrapped Data payload in msg and encrypt straight into it */
	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);

	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
	if (aes_siv_encrypt(pkex->z, curve->hash_len,
			    wpabuf_head(clear), wpabuf_len(clear),
			    2, addr, len, wrapped) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

out:
	/* The cleartext buffer is released on both paths; msg is NULL after
	 * fail */
	wpabuf_free(clear);
	return msg;

fail:
	wpabuf_free(msg);
	msg = NULL;
	goto out;
}
7513 
7514 
/*
 * dpp_pkex_rx_exchange_resp - Process a PKEX Exchange Response (Initiator)
 * @pkex: Initiator-side PKEX context created by dpp_pkex_init()
 * @peer_mac: MAC address of the Responder (ETH_ALEN octets); stored in the
 *	context before the frame is parsed
 * @buf: Attributes of the received frame
 * @buflen: Length of @buf in octets
 * Returns: PKEX Commit-Reveal Request to send, or %NULL on failure or when the
 * frame is ignored (context already failed, t limit reached, not Initiator)
 *
 * Recovers Y' = N - Qr, derives J = a * Y' and the I-Auth tag u, then
 * K = x * Y' and the PKEX key z. Kx is cleared right after z is derived; Jx
 * and u remain in their stack buffers until the function returns.
 */
struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
					  const u8 *peer_mac,
					  const u8 *buf, size_t buflen)
{
	const u8 *attr_status, *attr_id, *attr_key, *attr_group;
	u16 attr_status_len, attr_id_len, attr_key_len, attr_group_len;
	const EC_GROUP *group;
	BN_CTX *bnctx = NULL;
	struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
	const struct dpp_curve_params *curve = pkex->own_bi->curve;
	EC_POINT *Qr = NULL, *Y = NULL, *N = NULL;
	BIGNUM *Nx = NULL, *Ny = NULL;
	EVP_PKEY_CTX *ctx = NULL;
	EC_KEY *Y_ec = NULL;
	size_t Jx_len, Kx_len;
	u8 Jx[DPP_MAX_SHARED_SECRET_LEN], Kx[DPP_MAX_SHARED_SECRET_LEN];
	const u8 *addr[4];
	size_t len[4];
	u8 u[DPP_MAX_HASH_LEN];
	int res;

	/* Only a live Initiator context may process this message */
	if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
		return NULL;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_STOP_AT_PKEX_EXCHANGE_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - stop at PKEX Exchange Response");
		pkex->failed = 1;
		return NULL;
	}

	if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
		wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
			   MAC2STR(dpp_pkex_peer_mac_override));
		peer_mac = dpp_pkex_peer_mac_override;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);

	attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
				   &attr_status_len);
	if (!attr_status || attr_status_len != 1) {
		dpp_pkex_fail(pkex, "No DPP Status attribute");
		return NULL;
	}
	wpa_printf(MSG_DEBUG, "DPP: Status %u", attr_status[0]);

	/* A BAD_GROUP status accompanied by a Finite Cyclic Group attribute is
	 * reported with the peer's proposed group; without the attribute it
	 * falls through to the generic non-OK failure below. */
	if (attr_status[0] == DPP_STATUS_BAD_GROUP) {
		attr_group = dpp_get_attr(buf, buflen,
					  DPP_ATTR_FINITE_CYCLIC_GROUP,
					  &attr_group_len);
		if (attr_group && attr_group_len == 2) {
			wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
				"Peer indicated mismatching PKEX group - proposed %u",
				WPA_GET_LE16(attr_group));
			return NULL;
		}
	}

	if (attr_status[0] != DPP_STATUS_OK) {
		dpp_pkex_fail(pkex, "PKEX failed (peer indicated failure)");
		return NULL;
	}

	attr_id_len = 0;
	attr_id = dpp_get_attr(buf, buflen, DPP_ATTR_CODE_IDENTIFIER,
			       &attr_id_len);
	if (!dpp_pkex_identifier_match(attr_id, attr_id_len,
				       pkex->identifier)) {
		dpp_pkex_fail(pkex, "PKEX code identifier mismatch");
		return NULL;
	}

	/* N in Encrypted Key attribute */
	/* N.x | N.y as two equal-length halves. No upper bound is applied
	 * here: the halves only feed BN_bin2bn() and the heap-sized info
	 * buffer in dpp_pkex_derive_z(), never a fixed-size buffer. */
	attr_key = dpp_get_attr(buf, buflen, DPP_ATTR_ENCRYPTED_KEY,
				&attr_key_len);
	if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2) {
		dpp_pkex_fail(pkex, "Missing Encrypted Key attribute");
		return NULL;
	}

	/* Qr = H(MAC-Responder | [identifier |] code) * Pr */
	bnctx = BN_CTX_new();
	if (!bnctx)
		goto fail;
	Qr = dpp_pkex_derive_Qr(curve, pkex->peer_mac, pkex->code,
				pkex->identifier, bnctx, &group);
	if (!Qr)
		goto fail;

	/* Y' = N - Qr */
	/* Reject N or Y' that is the point at infinity or not on the curve;
	 * each rejected attempt counts against pkex->t. */
	Y = EC_POINT_new(group);
	N = EC_POINT_new(group);
	Nx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
	Ny = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
	if (!Y || !N || !Nx || !Ny ||
	    EC_POINT_set_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1 ||
	    EC_POINT_is_at_infinity(group, N) ||
	    !EC_POINT_is_on_curve(group, N, bnctx) ||
	    EC_POINT_invert(group, Qr, bnctx) != 1 ||
	    EC_POINT_add(group, Y, N, Qr, bnctx) != 1 ||
	    EC_POINT_is_at_infinity(group, Y) ||
	    !EC_POINT_is_on_curve(group, Y, bnctx)) {
		dpp_pkex_fail(pkex, "Invalid Encrypted Key value");
		pkex->t++;
		goto fail;
	}
	dpp_debug_print_point("DPP: N", group, N);
	dpp_debug_print_point("DPP: Y'", group, Y);

	/* exchange_done is set before the key derivations below; a failure in
	 * them still leaves the flag set */
	pkex->exchange_done = 1;

	/* ECDH: J = a * Y’ */
	/* Wrap Y' into pkex->y so it can act as the ECDH peer key */
	Y_ec = EC_KEY_new();
	if (!Y_ec ||
	    EC_KEY_set_group(Y_ec, group) != 1 ||
	    EC_KEY_set_public_key(Y_ec, Y) != 1)
		goto fail;
	pkex->y = EVP_PKEY_new();
	if (!pkex->y ||
	    EVP_PKEY_set1_EC_KEY(pkex->y, Y_ec) != 1)
		goto fail;
	/* Probe the secret length first so the fixed-size Jx is never
	 * overrun. */
	ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
	    Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
			Jx, Jx_len);

	/* u = HMAC(J.x,  MAC-Initiator | A.x | Y’.x | X.x ) */
	/* Only the x coordinate (first half of each point encoding) is
	 * authenticated */
	A_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
	X_pub = dpp_get_pubkey_point(pkex->x, 0);
	if (!A_pub || !Y_pub || !X_pub)
		goto fail;
	addr[0] = pkex->own_mac;
	len[0] = ETH_ALEN;
	addr[1] = wpabuf_head(A_pub);
	len[1] = wpabuf_len(A_pub) / 2;
	addr[2] = wpabuf_head(Y_pub);
	len[2] = wpabuf_len(Y_pub) / 2;
	addr[3] = wpabuf_head(X_pub);
	len[3] = wpabuf_len(X_pub) / 2;
	if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: u", u, curve->hash_len);

	/* K = x * Y’ */
	/* Second ECDH with the ephemeral x as the own key; the earlier ctx is
	 * released before being replaced */
	EVP_PKEY_CTX_free(ctx);
	ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
	    Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
			Kx, Kx_len);

	/* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
	 */
	/* N.x is taken directly from the received attribute bytes here */
	res = dpp_pkex_derive_z(pkex->own_mac, pkex->peer_mac,
				pkex->Mx, curve->prime_len,
				attr_key /* N.x */, attr_key_len / 2,
				pkex->code, Kx, Kx_len,
				pkex->z, curve->hash_len);
	/* K.x is not needed once z has been derived */
	os_memset(Kx, 0, Kx_len);
	if (res < 0)
		goto fail;

	msg = dpp_pkex_build_commit_reveal_req(pkex, A_pub, u);
	if (!msg)
		goto fail;

out:
	/* Shared cleanup; msg is NULL when arriving via fail */
	wpabuf_free(A_pub);
	wpabuf_free(X_pub);
	wpabuf_free(Y_pub);
	EC_POINT_free(Qr);
	EC_POINT_free(Y);
	EC_POINT_free(N);
	BN_free(Nx);
	BN_free(Ny);
	EC_KEY_free(Y_ec);
	EVP_PKEY_CTX_free(ctx);
	BN_CTX_free(bnctx);
	return msg;
fail:
	wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response processing failed");
	goto out;
}
7723 
7724 
/*
 * dpp_pkex_build_commit_reveal_resp - Build a PKEX Commit-Reveal Response
 * @pkex: Responder-side PKEX context; pkex->z is the AES-SIV key
 * @B_pub: Own bootstrapping public key point (Bootstrap Key attribute value)
 * @v: R-Auth tag, curve->hash_len octets
 * Returns: Allocated frame (caller frees with wpabuf_free()), or %NULL on
 * allocation or encryption failure
 *
 * Mirrors dpp_pkex_build_commit_reveal_req(): the Bootstrap Key and R-Auth
 * Tag attributes are assembled in a cleartext buffer which is AES-SIV wrapped
 * with z into the Wrapped Data attribute. The associated data is the DPP
 * header (DPP_HDR_LEN octets starting two octets into the frame) followed by
 * a single octet 1 (the Request uses 0).
 */
static struct wpabuf *
dpp_pkex_build_commit_reveal_resp(struct dpp_pkex *pkex,
				  const struct wpabuf *B_pub, const u8 *v)
{
	const struct dpp_curve_params *curve = pkex->own_bi->curve;
	struct wpabuf *msg = NULL;
	const u8 *addr[2];
	size_t len[2];
	u8 octet;
	u8 *wrapped;
	struct wpabuf *clear = NULL;
	size_t clear_len, attr_len;

	/* {B, v [bootstrapping info]}z */
	/* Cleartext: two 4-octet attribute headers, the 2*prime_len key and
	 * the hash_len tag; Wrapped Data adds its own header plus the
	 * AES_BLOCK_SIZE AES-SIV expansion. */
	clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
	clear = wpabuf_alloc(clear_len);
	attr_len = 4 + clear_len + AES_BLOCK_SIZE;
#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP)
		attr_len += 5;
#endif /* CONFIG_TESTING_OPTIONS */
	msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_RESP, attr_len);
	if (!clear || !msg)
		goto fail;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
		goto skip_bootstrap_key;
	}
	if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
		wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
		wpabuf_put_le16(clear, 2 * curve->prime_len);
		if (dpp_test_gen_invalid_key(clear, curve) < 0)
			goto fail;
		goto skip_bootstrap_key;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* B in Bootstrap Key attribute */
	wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
	wpabuf_put_le16(clear, wpabuf_len(B_pub));
	wpabuf_put_buf(clear, B_pub);

#ifdef CONFIG_TESTING_OPTIONS
skip_bootstrap_key:
	if (dpp_test == DPP_TEST_NO_R_AUTH_TAG_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth tag");
		goto skip_r_auth_tag;
	}
	if (dpp_test == DPP_TEST_R_AUTH_TAG_MISMATCH_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - R-Auth tag mismatch");
		wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
		wpabuf_put_le16(clear, curve->hash_len);
		wpabuf_put_data(clear, v, curve->hash_len - 1);
		wpabuf_put_u8(clear, v[curve->hash_len - 1] ^ 0x01);
		goto skip_r_auth_tag;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* v in R-Auth tag attribute */
	wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
	wpabuf_put_le16(clear, curve->hash_len);
	wpabuf_put_data(clear, v, curve->hash_len);

#ifdef CONFIG_TESTING_OPTIONS
skip_r_auth_tag:
	if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
		goto skip_wrapped_data;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* AES-SIV associated data: the DPP header already in msg, then the
	 * single octet 1 distinguishing the Response from the Request */
	addr[0] = wpabuf_head_u8(msg) + 2;
	len[0] = DPP_HDR_LEN;
	octet = 1;
	addr[1] = &octet;
	len[1] = sizeof(octet);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	/* Reserve the Wrapped Data payload in msg and encrypt straight into it */
	wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
	wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
	wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);

	wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
	if (aes_siv_encrypt(pkex->z, curve->hash_len,
			    wpabuf_head(clear), wpabuf_len(clear),
			    2, addr, len, wrapped) < 0)
		goto fail;
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
		dpp_build_attr_status(msg, DPP_STATUS_OK);
	}
skip_wrapped_data:
#endif /* CONFIG_TESTING_OPTIONS */

out:
	/* The cleartext buffer is released on both paths; msg is NULL after
	 * fail */
	wpabuf_free(clear);
	return msg;

fail:
	wpabuf_free(msg);
	msg = NULL;
	goto out;
}
7836 
7837 
7838 struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
7839 					      const u8 *hdr,
7840 					      const u8 *buf, size_t buflen)
7841 {
7842 	const struct dpp_curve_params *curve = pkex->own_bi->curve;
7843 	EVP_PKEY_CTX *ctx = NULL;
7844 	size_t Jx_len, Lx_len;
7845 	u8 Jx[DPP_MAX_SHARED_SECRET_LEN];
7846 	u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
7847 	const u8 *wrapped_data, *b_key, *peer_u;
7848 	u16 wrapped_data_len, b_key_len, peer_u_len = 0;
7849 	const u8 *addr[4];
7850 	size_t len[4];
7851 	u8 octet;
7852 	u8 *unwrapped = NULL;
7853 	size_t unwrapped_len = 0;
7854 	struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
7855 	struct wpabuf *B_pub = NULL;
7856 	u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
7857 
7858 #ifdef CONFIG_TESTING_OPTIONS
7859 	if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_REQ) {
7860 		wpa_printf(MSG_INFO,
7861 			   "DPP: TESTING - stop at PKEX CR Request");
7862 		pkex->failed = 1;
7863 		return NULL;
7864 	}
7865 #endif /* CONFIG_TESTING_OPTIONS */
7866 
7867 	if (!pkex->exchange_done || pkex->failed ||
7868 	    pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
7869 		goto fail;
7870 
7871 	wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
7872 				    &wrapped_data_len);
7873 	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
7874 		dpp_pkex_fail(pkex,
7875 			      "Missing or invalid required Wrapped Data attribute");
7876 		goto fail;
7877 	}
7878 
7879 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7880 		    wrapped_data, wrapped_data_len);
7881 	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
7882 	unwrapped = os_malloc(unwrapped_len);
7883 	if (!unwrapped)
7884 		goto fail;
7885 
7886 	addr[0] = hdr;
7887 	len[0] = DPP_HDR_LEN;
7888 	octet = 0;
7889 	addr[1] = &octet;
7890 	len[1] = sizeof(octet);
7891 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7892 	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7893 
7894 	if (aes_siv_decrypt(pkex->z, curve->hash_len,
7895 			    wrapped_data, wrapped_data_len,
7896 			    2, addr, len, unwrapped) < 0) {
7897 		dpp_pkex_fail(pkex,
7898 			      "AES-SIV decryption failed - possible PKEX code mismatch");
7899 		pkex->failed = 1;
7900 		pkex->t++;
7901 		goto fail;
7902 	}
7903 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
7904 		    unwrapped, unwrapped_len);
7905 
7906 	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
7907 		dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
7908 		goto fail;
7909 	}
7910 
7911 	b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
7912 			     &b_key_len);
7913 	if (!b_key || b_key_len != 2 * curve->prime_len) {
7914 		dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
7915 		goto fail;
7916 	}
7917 	pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
7918 							b_key_len);
7919 	if (!pkex->peer_bootstrap_key) {
7920 		dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
7921 		goto fail;
7922 	}
7923 	dpp_debug_print_key("DPP: Peer bootstrap public key",
7924 			    pkex->peer_bootstrap_key);
7925 
7926 	/* ECDH: J' = y * A' */
7927 	ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
7928 	if (!ctx ||
7929 	    EVP_PKEY_derive_init(ctx) != 1 ||
7930 	    EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
7931 	    EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
7932 	    Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
7933 	    EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
7934 		wpa_printf(MSG_ERROR,
7935 			   "DPP: Failed to derive ECDH shared secret: %s",
7936 			   ERR_error_string(ERR_get_error(), NULL));
7937 		goto fail;
7938 	}
7939 
7940 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
7941 			Jx, Jx_len);
7942 
7943 	/* u' = HMAC(J'.x, MAC-Initiator | A'.x | Y.x | X'.x) */
7944 	A_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
7945 	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7946 	X_pub = dpp_get_pubkey_point(pkex->x, 0);
7947 	if (!A_pub || !Y_pub || !X_pub)
7948 		goto fail;
7949 	addr[0] = pkex->peer_mac;
7950 	len[0] = ETH_ALEN;
7951 	addr[1] = wpabuf_head(A_pub);
7952 	len[1] = wpabuf_len(A_pub) / 2;
7953 	addr[2] = wpabuf_head(Y_pub);
7954 	len[2] = wpabuf_len(Y_pub) / 2;
7955 	addr[3] = wpabuf_head(X_pub);
7956 	len[3] = wpabuf_len(X_pub) / 2;
7957 	if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
7958 		goto fail;
7959 
7960 	peer_u = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
7961 			      &peer_u_len);
7962 	if (!peer_u || peer_u_len != curve->hash_len ||
7963 	    os_memcmp(peer_u, u, curve->hash_len) != 0) {
7964 		dpp_pkex_fail(pkex, "No valid u (I-Auth tag) found");
7965 		wpa_hexdump(MSG_DEBUG, "DPP: Calculated u'",
7966 			    u, curve->hash_len);
7967 		wpa_hexdump(MSG_DEBUG, "DPP: Received u", peer_u, peer_u_len);
7968 		pkex->t++;
7969 		goto fail;
7970 	}
7971 	wpa_printf(MSG_DEBUG, "DPP: Valid u (I-Auth tag) received");
7972 
7973 	/* ECDH: L = b * X' */
7974 	EVP_PKEY_CTX_free(ctx);
7975 	ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
7976 	if (!ctx ||
7977 	    EVP_PKEY_derive_init(ctx) != 1 ||
7978 	    EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
7979 	    EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
7980 	    Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
7981 	    EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
7982 		wpa_printf(MSG_ERROR,
7983 			   "DPP: Failed to derive ECDH shared secret: %s",
7984 			   ERR_error_string(ERR_get_error(), NULL));
7985 		goto fail;
7986 	}
7987 
7988 	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
7989 			Lx, Lx_len);
7990 
7991 	/* v = HMAC(L.x, MAC-Responder | B.x | X'.x | Y.x) */
7992 	B_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
7993 	if (!B_pub)
7994 		goto fail;
7995 	addr[0] = pkex->own_mac;
7996 	len[0] = ETH_ALEN;
7997 	addr[1] = wpabuf_head(B_pub);
7998 	len[1] = wpabuf_len(B_pub) / 2;
7999 	addr[2] = wpabuf_head(X_pub);
8000 	len[2] = wpabuf_len(X_pub) / 2;
8001 	addr[3] = wpabuf_head(Y_pub);
8002 	len[3] = wpabuf_len(Y_pub) / 2;
8003 	if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
8004 		goto fail;
8005 	wpa_hexdump(MSG_DEBUG, "DPP: v", v, curve->hash_len);
8006 
8007 	msg = dpp_pkex_build_commit_reveal_resp(pkex, B_pub, v);
8008 	if (!msg)
8009 		goto fail;
8010 
8011 out:
8012 	EVP_PKEY_CTX_free(ctx);
8013 	os_free(unwrapped);
8014 	wpabuf_free(A_pub);
8015 	wpabuf_free(B_pub);
8016 	wpabuf_free(X_pub);
8017 	wpabuf_free(Y_pub);
8018 	return msg;
8019 fail:
8020 	wpa_printf(MSG_DEBUG,
8021 		   "DPP: PKEX Commit-Reveal Request processing failed");
8022 	goto out;
8023 }
8024 
8025 
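/**
 * dpp_pkex_rx_commit_reveal_resp - Process a received PKEX Commit-Reveal Response
 * @pkex: PKEX session state; must be the initiator with exchange_done set
 * @hdr: Start of the DPP header of the received frame (DPP_HDR_LEN octets are
 *	used as the first AES-SIV associated-data component)
 * @buf: Attribute payload following the header
 * @buflen: Length of @buf in octets
 * Returns: 0 when the response carried a valid peer bootstrapping key and a
 * matching R-Auth tag (v), -1 otherwise
 *
 * On success pkex->peer_bootstrap_key holds the peer's bootstrapping public
 * key taken from the unwrapped data. A decryption failure or an R-Auth tag
 * mismatch increments the pkex->t counter; PKEX_COUNTER_T_LIMIT is enforced
 * on entry so a session cannot be retried indefinitely.
 */
int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
				   const u8 *buf, size_t buflen)
{
	const struct dpp_curve_params *curve = pkex->own_bi->curve;
	const u8 *wrapped_data, *b_key, *peer_v;
	u16 wrapped_data_len, b_key_len, peer_v_len = 0;
	const u8 *addr[4];
	size_t len[4];
	u8 octet;
	u8 *unwrapped = NULL;
	size_t unwrapped_len = 0;
	int ret = -1;
	u8 v[DPP_MAX_HASH_LEN];
	size_t Lx_len;
	u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
	EVP_PKEY_CTX *ctx = NULL;
	struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;

#ifdef CONFIG_TESTING_OPTIONS
	if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_RESP) {
		wpa_printf(MSG_INFO,
			   "DPP: TESTING - stop at PKEX CR Response");
		pkex->failed = 1;
		goto fail;
	}
#endif /* CONFIG_TESTING_OPTIONS */

	/* Only an initiator that completed the Exchange phase and has not
	 * exhausted its retry budget may accept a Commit-Reveal Response. */
	if (!pkex->exchange_done || pkex->failed ||
	    pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
		goto fail;

	wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
				    &wrapped_data_len);
	/* AES-SIV output is always at least one block (the SIV) long */
	if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
		dpp_pkex_fail(pkex,
			      "Missing or invalid required Wrapped Data attribute");
		goto fail;
	}

	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
		    wrapped_data, wrapped_data_len);
	unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
	unwrapped = os_malloc(unwrapped_len);
	if (!unwrapped)
		goto fail;

	/* Associated data: DPP header followed by a single octet that is 1 for
	 * the Commit-Reveal Response (the Request side uses 0). */
	addr[0] = hdr;
	len[0] = DPP_HDR_LEN;
	octet = 1;
	addr[1] = &octet;
	len[1] = sizeof(octet);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
	wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);

	if (aes_siv_decrypt(pkex->z, curve->hash_len,
			    wrapped_data, wrapped_data_len,
			    2, addr, len, unwrapped) < 0) {
		dpp_pkex_fail(pkex,
			      "AES-SIV decryption failed - possible PKEX code mismatch");
		pkex->t++;
		goto fail;
	}
	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
		    unwrapped, unwrapped_len);

	if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
		dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
		goto fail;
	}

	/* The bootstrapping key is an uncompressed point: x || y */
	b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
			     &b_key_len);
	if (!b_key || b_key_len != 2 * curve->prime_len) {
		dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
		goto fail;
	}
	pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
							b_key_len);
	if (!pkex->peer_bootstrap_key) {
		dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
		goto fail;
	}
	dpp_debug_print_key("DPP: Peer bootstrap public key",
			    pkex->peer_bootstrap_key);

	/* ECDH: L' = x * B' */
	ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
	    Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
	    EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "DPP: Failed to derive ECDH shared secret: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
			Lx, Lx_len);

	/* v' = HMAC(L.x, MAC-Responder | B'.x | X.x | Y'.x) */
	B_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
	X_pub = dpp_get_pubkey_point(pkex->x, 0);
	Y_pub = dpp_get_pubkey_point(pkex->y, 0);
	if (!B_pub || !X_pub || !Y_pub)
		goto fail;
	/* Only the x-coordinate (first half of each point) enters the HMAC */
	addr[0] = pkex->peer_mac;
	len[0] = ETH_ALEN;
	addr[1] = wpabuf_head(B_pub);
	len[1] = wpabuf_len(B_pub) / 2;
	addr[2] = wpabuf_head(X_pub);
	len[2] = wpabuf_len(X_pub) / 2;
	addr[3] = wpabuf_head(Y_pub);
	len[3] = wpabuf_len(Y_pub) / 2;
	if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
		goto fail;

	peer_v = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_AUTH_TAG,
			      &peer_v_len);
	/* The tag comparison is the authentication step: use the constant-time
	 * compare so the timing does not reveal how many leading octets of the
	 * received tag were correct. */
	if (!peer_v || peer_v_len != curve->hash_len ||
	    os_memcmp_const(peer_v, v, curve->hash_len) != 0) {
		dpp_pkex_fail(pkex, "No valid v (R-Auth tag) found");
		wpa_hexdump(MSG_DEBUG, "DPP: Calculated v'",
			    v, curve->hash_len);
		wpa_hexdump(MSG_DEBUG, "DPP: Received v", peer_v, peer_v_len);
		pkex->t++;
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "DPP: Valid v (R-Auth tag) received");

	ret = 0;
out:
	wpabuf_free(B_pub);
	wpabuf_free(X_pub);
	wpabuf_free(Y_pub);
	EVP_PKEY_CTX_free(ctx);
	os_free(unwrapped);
	return ret;
fail:
	goto out;
}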
8169 
8170 
/**
 * dpp_pkex_free - Release a PKEX session and everything it owns
 * @pkex: Session to free; NULL is accepted and ignored
 *
 * Frees the identifier and code strings, the three EVP_PKEY objects
 * (x, y, peer_bootstrap_key), the buffered Exchange frames, and finally the
 * session structure itself.
 */
void dpp_pkex_free(struct dpp_pkex *pkex)
{
	if (pkex == NULL)
		return;

	/* Key objects, then buffered frames, then strings, then the struct */
	EVP_PKEY_free(pkex->peer_bootstrap_key);
	EVP_PKEY_free(pkex->y);
	EVP_PKEY_free(pkex->x);
	wpabuf_free(pkex->exchange_resp);
	wpabuf_free(pkex->exchange_req);
	os_free(pkex->code);
	os_free(pkex->identifier);
	os_free(pkex);
}
8185 
8186 
8187 #ifdef CONFIG_TESTING_OPTIONS
/**
 * dpp_corrupt_connector_signature - Testing helper: build a Connector with a broken signature
 * @connector: Connector in "<header>.<payload>.<signature>" form
 * Returns: Newly allocated copy of @connector whose signature component has its
 * last octet's low bit flipped, or NULL on failure; caller frees with os_free()
 *
 * Only available with CONFIG_TESTING_OPTIONS. The signature component is
 * base64url-decoded, modified, and re-encoded in place over the copy.
 */
char * dpp_corrupt_connector_signature(const char *connector)
{
	size_t conn_len = os_strlen(connector);
	char *copy, *dot, *sig_b64;
	unsigned char *sig_raw = NULL;
	size_t sig_raw_len = 0;
	char *new_b64 = NULL;
	size_t new_b64_len;
	int ok = 0;

	/* A few octets of slack for the terminating NUL of the re-encoded
	 * signature component. */
	copy = os_zalloc(conn_len + 5);
	if (copy == NULL)
		return NULL;
	os_memcpy(copy, connector, conn_len);

	/* Skip "<header>.<payload>." to reach the signature component */
	dot = os_strchr(copy, '.');
	if (dot != NULL)
		dot = os_strchr(dot + 1, '.');
	if (dot == NULL)
		goto done;
	sig_b64 = dot + 1;

	wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
		   sig_b64);
	sig_raw = base64_url_decode((const unsigned char *) sig_b64,
				    os_strlen(sig_b64), &sig_raw_len);
	if (sig_raw == NULL || sig_raw_len == 0)
		goto done;
	wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
		    sig_raw, sig_raw_len);

	/* Flip the least significant bit of the final signature octet */
	sig_raw[sig_raw_len - 1] ^= 0x01;
	wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
		    sig_raw, sig_raw_len);

	new_b64 = (char *) base64_url_encode(sig_raw, sig_raw_len,
					     &new_b64_len, 0);
	if (new_b64 == NULL)
		goto done;
	os_memcpy(sig_b64, new_b64, new_b64_len);
	sig_b64[new_b64_len] = '\0';
	wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
		   sig_b64);
	ok = 1;

done:
	os_free(sig_raw);
	os_free(new_b64);
	if (!ok) {
		os_free(copy);
		copy = NULL;
	}
	return copy;
}
8237 #endif /* CONFIG_TESTING_OPTIONS */
8238 
8239 
8240 #ifdef CONFIG_DPP2
8241 
/**
 * dpp_pfs_init - Prepare DPP PFS state and the local Diffie-Hellman Parameter element
 * @net_access_key: Own netAccessKey (used only to determine the curve)
 * @net_access_key_len: Length of @net_access_key in octets
 * Returns: Newly allocated PFS state with pfs->ie populated, or NULL on failure;
 * release with dpp_pfs_free()
 */
struct dpp_pfs * dpp_pfs_init(const u8 *net_access_key,
			      size_t net_access_key_len)
{
	struct dpp_pfs *pfs = os_zalloc(sizeof(*pfs));
	struct wpabuf *dh_pub = NULL;
	EVP_PKEY *parsed;

	if (pfs == NULL)
		return NULL;

	/* The key is parsed only so that pfs->curve gets filled in; the
	 * EVP_PKEY object itself is not retained. */
	parsed = dpp_set_keypair(&pfs->curve, net_access_key,
				 net_access_key_len);
	if (parsed == NULL) {
		wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
		goto fail;
	}
	EVP_PKEY_free(parsed);

	pfs->ecdh = crypto_ecdh_init(pfs->curve->ike_group);
	if (pfs->ecdh == NULL)
		goto fail;

	/* Left-pad the public value to the curve's full field size */
	dh_pub = crypto_ecdh_get_pubkey(pfs->ecdh, 0);
	dh_pub = wpabuf_zeropad(dh_pub, pfs->curve->prime_len);
	if (dh_pub == NULL)
		goto fail;

	/* Element layout: EID Extension | Length | EID ext (OWE DH Param) |
	 * group (LE16) | public value */
	pfs->ie = wpabuf_alloc(5 + wpabuf_len(dh_pub));
	if (pfs->ie == NULL)
		goto fail;
	wpabuf_put_u8(pfs->ie, WLAN_EID_EXTENSION);
	wpabuf_put_u8(pfs->ie, 1 + 2 + wpabuf_len(dh_pub));
	wpabuf_put_u8(pfs->ie, WLAN_EID_EXT_OWE_DH_PARAM);
	wpabuf_put_le16(pfs->ie, pfs->curve->ike_group);
	wpabuf_put_buf(pfs->ie, dh_pub);
	wpabuf_free(dh_pub);
	dh_pub = NULL;
	wpa_hexdump_buf(MSG_DEBUG, "DPP: Diffie-Hellman Parameter element",
			pfs->ie);

	return pfs;
fail:
	wpabuf_free(dh_pub);
	dpp_pfs_free(pfs);
	return NULL;
}
8288 
8289 
/**
 * dpp_pfs_process - Derive the PFS shared secret from the peer's DH Parameter element
 * @pfs: PFS state from dpp_pfs_init()
 * @peer_ie: Payload of the peer's element after the extension EID:
 *	group (LE16) followed by the peer's public value
 * @peer_ie_len: Length of @peer_ie in octets
 * Returns: 0 on success (pfs->secret set, zero-padded to the field size),
 * -1 if the element is too short, uses a different group, or holds an invalid key
 */
int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len)
{
	const u8 *peer_pub;
	size_t peer_pub_len;

	if (peer_ie_len < 2)
		return -1;
	if (WPA_GET_LE16(peer_ie) != pfs->curve->ike_group) {
		wpa_printf(MSG_DEBUG, "DPP: Peer used different group for PFS");
		return -1;
	}
	peer_pub = peer_ie + 2;
	peer_pub_len = peer_ie_len - 2;

	pfs->secret = crypto_ecdh_set_peerkey(pfs->ecdh, 0, peer_pub,
					      peer_pub_len);
	pfs->secret = wpabuf_zeropad(pfs->secret, pfs->curve->prime_len);
	if (pfs->secret == NULL) {
		wpa_printf(MSG_DEBUG, "DPP: Invalid peer DH public key");
		return -1;
	}
	wpa_hexdump_buf_key(MSG_DEBUG, "DPP: DH shared secret", pfs->secret);
	return 0;
}
8309 
8310 
/**
 * dpp_pfs_free - Release PFS state, clearing the shared secret
 * @pfs: State to free; NULL is accepted and ignored
 */
void dpp_pfs_free(struct dpp_pfs *pfs)
{
	if (pfs == NULL)
		return;
	/* The secret is key material, so it is wiped rather than just freed */
	wpabuf_clear_free(pfs->secret);
	wpabuf_free(pfs->ie);
	crypto_ecdh_deinit(pfs->ecdh);
	os_free(pfs);
}
8320 
8321 #endif /* CONFIG_DPP2 */
8322 
8323 
/**
 * dpp_next_id - Pick an unused identifier for a new bootstrapping entry
 * @dpp: Global DPP state
 * Returns: One more than the largest id currently in dpp->bootstrap (1 for an
 * empty list)
 */
static unsigned int dpp_next_id(struct dpp_global *dpp)
{
	unsigned int highest = 0;
	struct dpp_bootstrap_info *entry;

	dl_list_for_each(entry, &dpp->bootstrap, struct dpp_bootstrap_info,
			 list)
		highest = entry->id > highest ? entry->id : highest;

	return highest + 1;
}
8335 
8336 
/**
 * dpp_bootstrap_del - Remove bootstrapping entries by id
 * @dpp: Global DPP state (NULL is rejected)
 * @id: Entry to remove, or 0 to remove every entry
 * Returns: 0 on success, -1 if @dpp is NULL or a specific @id was not found
 */
static int dpp_bootstrap_del(struct dpp_global *dpp, unsigned int id)
{
	struct dpp_bootstrap_info *entry, *next;
	int rc = -1;

	if (dpp == NULL)
		return -1;

	/* _safe variant: the current node is unlinked and freed in the body */
	dl_list_for_each_safe(entry, next, &dpp->bootstrap,
			      struct dpp_bootstrap_info, list) {
		if (id == 0 || entry->id == id) {
			dl_list_del(&entry->list);
			dpp_bootstrap_info_free(entry);
			rc = 0;
		}
	}

	/* A flush (id == 0) succeeds even when the list was already empty */
	return id == 0 ? 0 : rc;
}
8358 
8359 
/**
 * dpp_add_qr_code - Parse a DPP bootstrapping URI and register it
 * @dpp: Global DPP state (NULL is rejected)
 * @uri: Bootstrapping URI as scanned from a QR code
 * Returns: The new entry (owned by dpp->bootstrap), or NULL if @dpp is NULL or
 * the URI does not parse
 */
struct dpp_bootstrap_info * dpp_add_qr_code(struct dpp_global *dpp,
					    const char *uri)
{
	struct dpp_bootstrap_info *entry;

	if (dpp == NULL)
		return NULL;

	entry = dpp_parse_qr_code(uri);
	if (entry == NULL)
		return NULL;

	/* Assign the id before linking so dpp_next_id() does not see it */
	entry->id = dpp_next_id(dpp);
	dl_list_add(&dpp->bootstrap, &entry->list);
	return entry;
}
8376 
8377 
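/**
 * dpp_bootstrap_gen - Generate a new local bootstrapping entry from a command string
 * @dpp: Global DPP state (NULL is rejected)
 * @cmd: Parameter string; "type=qrcode" or "type=pkex" is required and the
 *	optional " chan=", " mac=", " info=", " curve=", " key=" parameters are
 *	read with get_param()
 * Returns: The id of the new entry (> 0) on success, -1 on failure
 *
 * The key= value is a hex string of the private key; when absent a key is
 * generated. The resulting "DPP:...;K:<pk>;;" URI is stored in bi->uri.
 */
int dpp_bootstrap_gen(struct dpp_global *dpp, const char *cmd)
{
	char *chan = NULL, *mac = NULL, *info = NULL, *pk = NULL, *curve = NULL;
	char *key = NULL;
	u8 *privkey = NULL;
	size_t privkey_len = 0;
	size_t len;
	int ret = -1;
	struct dpp_bootstrap_info *bi;

	if (!dpp)
		return -1;

	bi = os_zalloc(sizeof(*bi));
	if (!bi)
		goto fail;

	if (os_strstr(cmd, "type=qrcode"))
		bi->type = DPP_BOOTSTRAP_QR_CODE;
	else if (os_strstr(cmd, "type=pkex"))
		bi->type = DPP_BOOTSTRAP_PKEX;
	else
		goto fail;

	chan = get_param(cmd, " chan=");
	mac = get_param(cmd, " mac=");
	info = get_param(cmd, " info=");
	curve = get_param(cmd, " curve=");
	key = get_param(cmd, " key=");

	if (key) {
		size_t key_len = os_strlen(key);

		/* Reject an odd number of hex digits: hexstr2bin() would
		 * otherwise silently ignore the trailing nibble and a
		 * mistyped key would be accepted as a different key. */
		if (key_len % 2)
			goto fail;
		privkey_len = key_len / 2;
		privkey = os_malloc(privkey_len);
		if (!privkey ||
		    hexstr2bin(key, privkey, privkey_len) < 0)
			goto fail;
	}

	pk = dpp_keygen(bi, curve, privkey, privkey_len);
	if (!pk)
		goto fail;

	/* Size the URI exactly: each optional field is "<tag>:<value>;" */
	len = 4; /* "DPP:" */
	if (chan) {
		if (dpp_parse_uri_chan_list(bi, chan) < 0)
			goto fail;
		len += 3 + os_strlen(chan); /* C:...; */
	}
	if (mac) {
		if (dpp_parse_uri_mac(bi, mac) < 0)
			goto fail;
		len += 3 + os_strlen(mac); /* M:...; */
	}
	if (info) {
		if (dpp_parse_uri_info(bi, info) < 0)
			goto fail;
		len += 3 + os_strlen(info); /* I:...; */
	}
	len += 4 + os_strlen(pk); /* K:...;; */
	bi->uri = os_malloc(len + 1);
	if (!bi->uri)
		goto fail;
	os_snprintf(bi->uri, len + 1, "DPP:%s%s%s%s%s%s%s%s%sK:%s;;",
		    chan ? "C:" : "", chan ? chan : "", chan ? ";" : "",
		    mac ? "M:" : "", mac ? mac : "", mac ? ";" : "",
		    info ? "I:" : "", info ? info : "", info ? ";" : "",
		    pk);
	bi->id = dpp_next_id(dpp);
	dl_list_add(&dpp->bootstrap, &bi->list);
	ret = bi->id;
	bi = NULL; /* ownership moved to the list; do not free below */
fail:
	os_free(curve);
	os_free(pk);
	os_free(chan);
	os_free(mac);
	os_free(info);
	/* key material is wiped, not just freed */
	str_clear_free(key);
	bin_clear_free(privkey, privkey_len);
	dpp_bootstrap_info_free(bi);
	return ret;
}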
8460 
8461 
/**
 * dpp_bootstrap_get_id - Look up a bootstrapping entry by id
 * @dpp: Global DPP state (NULL is rejected)
 * @id: Identifier assigned when the entry was added
 * Returns: The matching entry, or NULL if @dpp is NULL or no entry has @id
 */
struct dpp_bootstrap_info *
dpp_bootstrap_get_id(struct dpp_global *dpp, unsigned int id)
{
	struct dpp_bootstrap_info *entry, *match = NULL;

	if (dpp == NULL)
		return NULL;

	dl_list_for_each(entry, &dpp->bootstrap, struct dpp_bootstrap_info,
			 list) {
		if (entry->id != id)
			continue;
		match = entry;
		break;
	}
	return match;
}
8476 
8477 
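/**
 * dpp_bootstrap_remove - Remove a bootstrapping entry named by a command argument
 * @dpp: Global DPP state
 * @id: "*" to remove every entry, otherwise the decimal id of one entry
 * Returns: 0 on success, -1 if @id is not a valid positive decimal number or
 * the entry does not exist
 */
int dpp_bootstrap_remove(struct dpp_global *dpp, const char *id)
{
	unsigned long val;
	char *end;

	if (os_strcmp(id, "*") == 0)
		return dpp_bootstrap_del(dpp, 0); /* flush all entries */

	/* Strict parse: the whole argument must be a non-zero decimal number
	 * that fits an unsigned int. atoi() would have accepted trailing
	 * garbage ("5x") and signs. */
	if (*id < '0' || *id > '9')
		return -1;
	val = strtoul(id, &end, 10);
	if (end == id || *end != '\0' || val == 0 || val != (unsigned int) val)
		return -1;

	return dpp_bootstrap_del(dpp, (unsigned int) val);
}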
8492 
8493 
/**
 * dpp_pkex_finish - Turn a completed PKEX session into a peer bootstrapping entry
 * @dpp: Global DPP state
 * @pkex: Completed session; consumed (freed) on success, left intact on failure
 * @peer: Peer MAC address (ETH_ALEN octets)
 * @freq: Frequency on which the exchange took place
 * Returns: The new entry linked into dpp->bootstrap, or NULL on failure
 *
 * The peer bootstrapping key is moved out of @pkex into the new entry, so
 * pkex->peer_bootstrap_key is NULL after this call in both outcomes.
 */
struct dpp_bootstrap_info *
dpp_pkex_finish(struct dpp_global *dpp, struct dpp_pkex *pkex, const u8 *peer,
		unsigned int freq)
{
	struct dpp_bootstrap_info *entry = os_zalloc(sizeof(*entry));

	if (entry == NULL)
		return NULL;

	entry->type = DPP_BOOTSTRAP_PKEX;
	entry->id = dpp_next_id(dpp);
	entry->curve = pkex->own_bi->curve;
	entry->num_freq = 1;
	entry->freq[0] = freq;
	os_memcpy(entry->mac_addr, peer, ETH_ALEN);

	/* Transfer ownership of the peer's public key from the session */
	entry->pubkey = pkex->peer_bootstrap_key;
	pkex->peer_bootstrap_key = NULL;

	if (dpp_bootstrap_key_hash(entry) < 0) {
		dpp_bootstrap_info_free(entry);
		return NULL;
	}

	dpp_pkex_free(pkex);
	dl_list_add(&dpp->bootstrap, &entry->list);
	return entry;
}
8519 
8520 
/**
 * dpp_bootstrap_get_uri - Fetch the bootstrapping URI of an entry
 * @dpp: Global DPP state
 * @id: Entry identifier
 * Returns: The entry's URI (owned by the entry), or NULL if not found
 */
const char * dpp_bootstrap_get_uri(struct dpp_global *dpp, unsigned int id)
{
	struct dpp_bootstrap_info *entry = dpp_bootstrap_get_id(dpp, id);

	return entry ? entry->uri : NULL;
}
8530 
8531 
/**
 * dpp_bootstrap_info - Format a textual summary of a bootstrapping entry
 * @dpp: Global DPP state
 * @id: Entry identifier
 * @reply: Output buffer
 * @reply_size: Size of @reply in octets
 * Returns: -1 if the entry does not exist, otherwise the os_snprintf() result
 * (the caller is responsible for checking it against @reply_size)
 */
int dpp_bootstrap_info(struct dpp_global *dpp, int id,
		       char *reply, int reply_size)
{
	struct dpp_bootstrap_info *entry = dpp_bootstrap_get_id(dpp, id);
	const char *info_txt;

	if (entry == NULL)
		return -1;

	/* info is optional; print an empty field rather than "(null)" */
	info_txt = entry->info ? entry->info : "";
	return os_snprintf(reply, reply_size, "type=%s\n"
			   "mac_addr=" MACSTR "\n"
			   "info=%s\n"
			   "num_freq=%u\n"
			   "curve=%s\n",
			   dpp_bootstrap_type_txt(entry->type),
			   MAC2STR(entry->mac_addr),
			   info_txt,
			   entry->num_freq,
			   entry->curve->name);
}
8551 
8552 
/**
 * dpp_bootstrap_find_pair - Resolve the own/peer bootstrapping entries named in an Authentication Request
 * @dpp: Global DPP state (NULL leaves both outputs NULL)
 * @i_bootstrap: Initiator bootstrapping key hash (SHA256_MAC_LEN octets)
 * @r_bootstrap: Responder bootstrapping key hash (SHA256_MAC_LEN octets)
 * @own_bi: Set to the own entry whose pubkey_hash equals @r_bootstrap, else NULL
 * @peer_bi: Set to the peer entry whose pubkey_hash equals @i_bootstrap, else NULL
 *
 * The first match of each kind wins; the scan stops once both are found.
 */
void dpp_bootstrap_find_pair(struct dpp_global *dpp, const u8 *i_bootstrap,
			     const u8 *r_bootstrap,
			     struct dpp_bootstrap_info **own_bi,
			     struct dpp_bootstrap_info **peer_bi)
{
	struct dpp_bootstrap_info *entry;

	*own_bi = NULL;
	*peer_bi = NULL;
	if (dpp == NULL)
		return;

	dl_list_for_each(entry, &dpp->bootstrap, struct dpp_bootstrap_info,
			 list) {
		const u8 *want = entry->own ? r_bootstrap : i_bootstrap;
		struct dpp_bootstrap_info **slot = entry->own ? own_bi :
			peer_bi;

		if (*slot == NULL &&
		    os_memcmp(entry->pubkey_hash, want, SHA256_MAC_LEN) == 0) {
			wpa_printf(MSG_DEBUG, entry->own ?
				   "DPP: Found matching own bootstrapping information" :
				   "DPP: Found matching peer bootstrapping information");
			*slot = entry;
		}

		if (*own_bi && *peer_bi)
			break;
	}
}
8587 
8588 
/**
 * dpp_next_configurator_id - Pick an unused identifier for a new Configurator
 * @dpp: Global DPP state
 * Returns: One more than the largest id currently in dpp->configurator (1 for
 * an empty list)
 */
static unsigned int dpp_next_configurator_id(struct dpp_global *dpp)
{
	unsigned int highest = 0;
	struct dpp_configurator *entry;

	dl_list_for_each(entry, &dpp->configurator, struct dpp_configurator,
			 list)
		highest = entry->id > highest ? entry->id : highest;

	return highest + 1;
}
8601 
8602 
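/**
 * dpp_configurator_add - Create a Configurator from a command string
 * @dpp: Global DPP state (NULL is rejected)
 * @cmd: Parameter string; optional " curve=" and " key=" values are read with
 *	get_param()
 * Returns: The id of the new Configurator (> 0) on success, -1 on failure
 *
 * The key= value is a hex string of the Configurator's private key; when
 * absent a key is generated for the requested (or default) curve.
 */
int dpp_configurator_add(struct dpp_global *dpp, const char *cmd)
{
	char *curve = NULL;
	char *key = NULL;
	u8 *privkey = NULL;
	size_t privkey_len = 0;
	int ret = -1;
	struct dpp_configurator *conf = NULL;

	/* Same guard as dpp_bootstrap_gen(): dpp->configurator is used below */
	if (!dpp)
		return -1;

	curve = get_param(cmd, " curve=");
	key = get_param(cmd, " key=");

	if (key) {
		size_t key_len = os_strlen(key);

		/* Reject an odd number of hex digits: hexstr2bin() would
		 * otherwise silently ignore the trailing nibble and a
		 * mistyped key would be accepted as a different key. */
		if (key_len % 2)
			goto fail;
		privkey_len = key_len / 2;
		privkey = os_malloc(privkey_len);
		if (!privkey ||
		    hexstr2bin(key, privkey, privkey_len) < 0)
			goto fail;
	}

	conf = dpp_keygen_configurator(curve, privkey, privkey_len);
	if (!conf)
		goto fail;

	conf->id = dpp_next_configurator_id(dpp);
	dl_list_add(&dpp->configurator, &conf->list);
	ret = conf->id;
	conf = NULL; /* ownership moved to the list; do not free below */
fail:
	os_free(curve);
	/* key material is wiped, not just freed */
	str_clear_free(key);
	bin_clear_free(privkey, privkey_len);
	dpp_configurator_free(conf);
	return ret;
}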
8638 
8639 
/**
 * dpp_configurator_del - Remove Configurators by id
 * @dpp: Global DPP state (NULL is rejected)
 * @id: Configurator to remove, or 0 to remove every one
 * Returns: 0 on success, -1 if @dpp is NULL or a specific @id was not found
 */
static int dpp_configurator_del(struct dpp_global *dpp, unsigned int id)
{
	struct dpp_configurator *entry, *next;
	int rc = -1;

	if (dpp == NULL)
		return -1;

	/* _safe variant: the current node is unlinked and freed in the body */
	dl_list_for_each_safe(entry, next, &dpp->configurator,
			      struct dpp_configurator, list) {
		if (id == 0 || entry->id == id) {
			dl_list_del(&entry->list);
			dpp_configurator_free(entry);
			rc = 0;
		}
	}

	/* A flush (id == 0) succeeds even when the list was already empty */
	return id == 0 ? 0 : rc;
}
8661 
8662 
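/**
 * dpp_configurator_remove - Remove a Configurator named by a command argument
 * @dpp: Global DPP state
 * @id: "*" to remove every Configurator, otherwise the decimal id of one
 * Returns: 0 on success, -1 if @id is not a valid positive decimal number or
 * the Configurator does not exist
 */
int dpp_configurator_remove(struct dpp_global *dpp, const char *id)
{
	unsigned long val;
	char *end;

	if (os_strcmp(id, "*") == 0)
		return dpp_configurator_del(dpp, 0); /* flush all entries */

	/* Strict parse: the whole argument must be a non-zero decimal number
	 * that fits an unsigned int. atoi() would have accepted trailing
	 * garbage ("5x") and signs. */
	if (*id < '0' || *id > '9')
		return -1;
	val = strtoul(id, &end, 10);
	if (end == id || *end != '\0' || val == 0 || val != (unsigned int) val)
		return -1;

	return dpp_configurator_del(dpp, (unsigned int) val);
}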
8677 
8678 
/**
 * dpp_configurator_get_key_id - Export a Configurator's key by id
 * @dpp: Global DPP state
 * @id: Configurator identifier
 * @buf: Output buffer passed through to dpp_configurator_get_key()
 * @buflen: Size of @buf in octets
 * Returns: -1 if no Configurator has @id, otherwise the result of
 * dpp_configurator_get_key()
 */
int dpp_configurator_get_key_id(struct dpp_global *dpp, unsigned int id,
				char *buf, size_t buflen)
{
	struct dpp_configurator *entry = dpp_configurator_get_id(dpp, id);

	return entry ? dpp_configurator_get_key(entry, buf, buflen) : -1;
}
8690 
8691 
/**
 * dpp_global_init - Allocate the global DPP state with empty lists
 * Returns: Zeroed state with initialized bootstrap and configurator lists, or
 * NULL on allocation failure; release with dpp_global_deinit()
 */
struct dpp_global * dpp_global_init(void)
{
	struct dpp_global *state = os_zalloc(sizeof(*state));

	if (state != NULL) {
		dl_list_init(&state->bootstrap);
		dl_list_init(&state->configurator);
	}
	return state;
}
8705 
8706 
/**
 * dpp_global_clear - Drop every bootstrapping entry and Configurator
 * @dpp: Global DPP state; NULL is accepted and ignored
 *
 * The state structure itself is kept and remains usable.
 */
void dpp_global_clear(struct dpp_global *dpp)
{
	if (dpp != NULL) {
		/* id 0 means "flush all" for both helpers */
		dpp_bootstrap_del(dpp, 0);
		dpp_configurator_del(dpp, 0);
	}
}
8715 
8716 
/**
 * dpp_global_deinit - Clear and free the global DPP state
 * @dpp: State from dpp_global_init(); NULL is accepted and ignored
 */
void dpp_global_deinit(struct dpp_global *dpp)
{
	if (dpp == NULL)
		return;
	dpp_global_clear(dpp);
	os_free(dpp);
}
8722