1 /* 2 * DPP functionality shared between hostapd and wpa_supplicant 3 * Copyright (c) 2017, Qualcomm Atheros, Inc. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/asn1.h> 13 #include <openssl/asn1t.h> 14 15 #include "utils/common.h" 16 #include "utils/base64.h" 17 #include "utils/json.h" 18 #include "common/ieee802_11_common.h" 19 #include "common/ieee802_11_defs.h" 20 #include "common/wpa_ctrl.h" 21 #include "crypto/crypto.h" 22 #include "crypto/random.h" 23 #include "crypto/aes.h" 24 #include "crypto/aes_siv.h" 25 #include "crypto/sha384.h" 26 #include "crypto/sha512.h" 27 #include "drivers/driver.h" 28 #include "dpp.h" 29 30 31 #ifdef CONFIG_TESTING_OPTIONS 32 enum dpp_test_behavior dpp_test = DPP_TEST_DISABLED; 33 u8 dpp_pkex_own_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 }; 34 u8 dpp_pkex_peer_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 }; 35 u8 dpp_pkex_ephemeral_key_override[600]; 36 size_t dpp_pkex_ephemeral_key_override_len = 0; 37 u8 dpp_protocol_key_override[600]; 38 size_t dpp_protocol_key_override_len = 0; 39 u8 dpp_nonce_override[DPP_MAX_NONCE_LEN]; 40 size_t dpp_nonce_override_len = 0; 41 42 static int dpp_test_gen_invalid_key(struct wpabuf *msg, 43 const struct dpp_curve_params *curve); 44 #endif /* CONFIG_TESTING_OPTIONS */ 45 46 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 47 (defined(LIBRESSL_VERSION_NUMBER) && \ 48 LIBRESSL_VERSION_NUMBER < 0x20700000L) 49 /* Compatibility wrappers for older versions. */ 50 51 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) 52 { 53 sig->r = r; 54 sig->s = s; 55 return 1; 56 } 57 58 59 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, 60 const BIGNUM **ps) 61 { 62 if (pr) 63 *pr = sig->r; 64 if (ps) 65 *ps = sig->s; 66 } 67 68 #endif 69 70 71 static const struct dpp_curve_params dpp_curves[] = { 72 /* The mandatory to support and the default NIST P-256 curve needs to 73 * be the first entry on this list. */ 74 { "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" }, 75 { "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" }, 76 { "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" }, 77 { "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" }, 78 { "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" }, 79 { "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" }, 80 { NULL, 0, 0, 0, 0, NULL, 0, NULL } 81 }; 82 83 84 /* Role-specific elements for PKEX */ 85 86 /* NIST P-256 */ 87 static const u8 pkex_init_x_p256[32] = { 88 0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b, 89 0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54, 90 0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07, 91 0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25 92 }; 93 static const u8 pkex_init_y_p256[32] = { 94 0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b, 95 0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc, 96 0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45, 97 0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4 98 }; 99 static const u8 pkex_resp_x_p256[32] = { 100 0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39, 101 0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f, 102 0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f, 103 0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76 104 }; 105 static const u8 pkex_resp_y_p256[32] = { 106 0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19, 107 0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1, 108 0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a, 109 0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67 110 }; 111 112 /* NIST P-384 */ 113 static const u8 pkex_init_x_p384[48] = { 114 0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa, 115 0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68, 116 0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53, 117 0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac, 118 0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12, 119 0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3 120 }; 121 static const u8 pkex_init_y_p384[48] = { 122 0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29, 123 0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56, 124 0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7, 125 0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6, 126 0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94, 127 0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18 128 }; 129 static const u8 pkex_resp_x_p384[48] = { 130 0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98, 131 0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97, 132 0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92, 133 0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44, 134 0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf, 135 0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf 136 }; 137 static const u8 pkex_resp_y_p384[48] = { 138 0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c, 139 0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c, 140 0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3, 141 0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1, 142 0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63, 143 0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06 144 }; 145 146 /* NIST P-521 */ 147 static const u8 pkex_init_x_p521[66] = { 148 0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23, 149 0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0, 150 0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76, 151 0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5, 152 0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38, 153 0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01, 154 0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e, 155 0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d, 156 0x97, 0x76 157 }; 158 static const u8 pkex_init_y_p521[66] = { 159 0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59, 160 0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99, 161 0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b, 162 0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd, 163 0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f, 164 0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf, 165 0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02, 166 0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d, 167 0x03, 0xa8 168 }; 169 static const u8 pkex_resp_x_p521[66] = { 170 0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a, 171 0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44, 172 0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f, 173 0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb, 174 0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48, 175 0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e, 176 0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a, 177 0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97, 178 0x84, 0xb4 179 }; 180 static const u8 pkex_resp_y_p521[66] = { 181 0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d, 182 0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20, 183 0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3, 184 0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84, 185 0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9, 186 0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2, 187 0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80, 188 0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53, 189 0xce, 0xe1 190 }; 191 192 /* Brainpool P-256r1 */ 193 static const u8 pkex_init_x_bp_p256r1[32] = { 194 0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10, 195 0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca, 196 0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75, 197 0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8 198 }; 199 static const u8 pkex_init_y_bp_p256r1[32] = { 200 0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd, 201 0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30, 202 0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe, 203 0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b 204 }; 205 static const u8 pkex_resp_x_bp_p256r1[32] = { 206 0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f, 207 0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a, 208 0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a, 209 0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3 210 }; 211 static const u8 pkex_resp_y_bp_p256r1[32] = { 212 0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd, 213 0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2, 214 0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e, 215 0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64 216 }; 217 218 /* Brainpool P-384r1 */ 219 static const u8 pkex_init_x_bp_p384r1[48] = { 220 0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd, 221 0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19, 222 0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06, 223 0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62, 224 0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30, 225 0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe 226 }; 227 static const u8 pkex_init_y_bp_p384r1[48] = { 228 0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99, 229 0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86, 230 0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32, 231 0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9, 232 0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e, 233 0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52 234 }; 235 static const u8 pkex_resp_x_bp_p384r1[48] = { 236 0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0, 237 0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25, 238 0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b, 239 0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71, 240 0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce, 241 0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c 242 }; 243 static const u8 pkex_resp_y_bp_p384r1[48] = { 244 0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65, 245 0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04, 246 0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70, 247 0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c, 248 0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb, 249 0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1 250 }; 251 252 /* Brainpool P-512r1 */ 253 static const u8 pkex_init_x_bp_p512r1[64] = { 254 0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c, 255 0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51, 256 0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc, 257 0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95, 258 0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d, 259 0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff, 260 0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc, 261 0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f 262 }; 263 static const u8 pkex_init_y_bp_p512r1[64] = { 264 0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94, 265 0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8, 266 0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3, 267 0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45, 268 0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e, 269 0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58, 270 0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71, 271 0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99 272 }; 273 static const u8 pkex_resp_x_bp_p512r1[64] = { 274 0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72, 275 0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76, 276 0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19, 277 0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e, 278 0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9, 279 0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88, 280 0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29, 281 0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e 282 }; 283 static const u8 pkex_resp_y_bp_p512r1[64] = { 284 0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81, 285 0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68, 286 0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa, 287 0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d, 288 0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c, 289 0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09, 290 0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56, 291 0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7 292 }; 293 294 295 static void dpp_debug_print_point(const char *title, const EC_GROUP *group, 296 const EC_POINT *point) 297 { 298 BIGNUM *x, *y; 299 BN_CTX *ctx; 300 char *x_str = NULL, *y_str = NULL; 301 302 if (!wpa_debug_show_keys) 303 return; 304 305 ctx = BN_CTX_new(); 306 x = BN_new(); 307 y = BN_new(); 308 if (!ctx || !x || !y || 309 EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) != 1) 310 goto fail; 311 312 x_str = BN_bn2hex(x); 313 y_str = BN_bn2hex(y); 314 if (!x_str || !y_str) 315 goto fail; 316 317 wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str); 318 319 fail: 320 OPENSSL_free(x_str); 321 OPENSSL_free(y_str); 322 BN_free(x); 323 BN_free(y); 324 BN_CTX_free(ctx); 325 } 326 327 328 static int dpp_hash_vector(const struct dpp_curve_params *curve, 329 size_t num_elem, const u8 *addr[], const size_t *len, 330 u8 *mac) 331 { 332 if (curve->hash_len == 32) 333 return sha256_vector(num_elem, addr, len, mac); 334 if (curve->hash_len == 48) 335 return sha384_vector(num_elem, addr, len, mac); 336 if (curve->hash_len == 64) 337 return sha512_vector(num_elem, addr, len, mac); 338 return -1; 339 } 340 341 342 static int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len, 343 const char *label, u8 *out, size_t outlen) 344 { 345 if (hash_len == 32) 346 return hmac_sha256_kdf(secret, secret_len, NULL, 347 (const u8 *) label, os_strlen(label), 348 out, outlen); 349 if (hash_len == 48) 350 return hmac_sha384_kdf(secret, secret_len, NULL, 351 (const u8 *) label, os_strlen(label), 352 out, outlen); 353 if (hash_len == 64) 354 return hmac_sha512_kdf(secret, secret_len, NULL, 355 (const u8 *) label, os_strlen(label), 356 out, outlen); 357 return -1; 358 } 359 360 361 static int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len, 362 size_t num_elem, const u8 *addr[], 363 const size_t *len, u8 *mac) 364 { 365 if (hash_len == 32) 366 return hmac_sha256_vector(key, key_len, num_elem, addr, len, 367 mac); 368 if (hash_len == 48) 369 return hmac_sha384_vector(key, key_len, num_elem, addr, len, 370 mac); 371 if (hash_len == 64) 372 return hmac_sha512_vector(key, key_len, num_elem, addr, len, 373 mac); 374 return -1; 375 } 376 377 378 static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len, 379 const u8 *data, size_t data_len, u8 *mac) 380 { 381 if (hash_len == 32) 382 return hmac_sha256(key, key_len, data, data_len, mac); 383 if (hash_len == 48) 384 return hmac_sha384(key, key_len, data, data_len, mac); 385 if (hash_len == 64) 386 return hmac_sha512(key, key_len, data, data_len, mac); 387 return -1; 388 } 389 390 391 static int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len) 392 { 393 int num_bytes, offset; 394 395 num_bytes = BN_num_bytes(bn); 396 if ((size_t) num_bytes > len) 397 return -1; 398 offset = len - num_bytes; 399 os_memset(pos, 0, offset); 400 BN_bn2bin(bn, pos + offset); 401 return 0; 402 } 403 404 405 static struct wpabuf * dpp_get_pubkey_point(EVP_PKEY *pkey, int prefix) 406 { 407 int len, res; 408 EC_KEY *eckey; 409 struct wpabuf *buf; 410 unsigned char *pos; 411 412 eckey = EVP_PKEY_get1_EC_KEY(pkey); 413 if (!eckey) 414 return NULL; 415 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED); 416 len = i2o_ECPublicKey(eckey, NULL); 417 if (len <= 0) { 418 wpa_printf(MSG_ERROR, 419 "DDP: Failed to determine public key encoding length"); 420 EC_KEY_free(eckey); 421 return NULL; 422 } 423 424 buf = wpabuf_alloc(len); 425 if (!buf) { 426 EC_KEY_free(eckey); 427 return NULL; 428 } 429 430 pos = wpabuf_put(buf, len); 431 res = i2o_ECPublicKey(eckey, &pos); 432 EC_KEY_free(eckey); 433 if (res != len) { 434 wpa_printf(MSG_ERROR, 435 "DDP: Failed to encode public key (res=%d/%d)", 436 res, len); 437 wpabuf_free(buf); 438 return NULL; 439 } 440 441 if (!prefix) { 442 /* Remove 0x04 prefix to match DPP definition */ 443 pos = wpabuf_mhead(buf); 444 os_memmove(pos, pos + 1, len - 1); 445 buf->used--; 446 } 447 448 return buf; 449 } 450 451 452 static EVP_PKEY * dpp_set_pubkey_point_group(const EC_GROUP *group, 453 const u8 *buf_x, const u8 *buf_y, 454 size_t len) 455 { 456 EC_KEY *eckey = NULL; 457 BN_CTX *ctx; 458 EC_POINT *point = NULL; 459 BIGNUM *x = NULL, *y = NULL; 460 EVP_PKEY *pkey = NULL; 461 462 ctx = BN_CTX_new(); 463 if (!ctx) { 464 wpa_printf(MSG_ERROR, "DPP: Out of memory"); 465 return NULL; 466 } 467 468 point = EC_POINT_new(group); 469 x = BN_bin2bn(buf_x, len, NULL); 470 y = BN_bin2bn(buf_y, len, NULL); 471 if (!point || !x || !y) { 472 wpa_printf(MSG_ERROR, "DPP: Out of memory"); 473 goto fail; 474 } 475 476 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) { 477 wpa_printf(MSG_ERROR, 478 "DPP: OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s", 479 ERR_error_string(ERR_get_error(), NULL)); 480 goto fail; 481 } 482 483 if (!EC_POINT_is_on_curve(group, point, ctx) || 484 EC_POINT_is_at_infinity(group, point)) { 485 wpa_printf(MSG_ERROR, "DPP: Invalid point"); 486 goto fail; 487 } 488 dpp_debug_print_point("DPP: dpp_set_pubkey_point_group", group, point); 489 490 eckey = EC_KEY_new(); 491 if (!eckey || 492 EC_KEY_set_group(eckey, group) != 1 || 493 EC_KEY_set_public_key(eckey, point) != 1) { 494 wpa_printf(MSG_ERROR, 495 "DPP: Failed to set EC_KEY: %s", 496 ERR_error_string(ERR_get_error(), NULL)); 497 goto fail; 498 } 499 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); 500 501 pkey = EVP_PKEY_new(); 502 if (!pkey || EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) { 503 wpa_printf(MSG_ERROR, "DPP: Could not create EVP_PKEY"); 504 goto fail; 505 } 506 507 out: 508 BN_free(x); 509 BN_free(y); 510 EC_KEY_free(eckey); 511 EC_POINT_free(point); 512 BN_CTX_free(ctx); 513 return pkey; 514 fail: 515 EVP_PKEY_free(pkey); 516 pkey = NULL; 517 goto out; 518 } 519 520 521 static EVP_PKEY * dpp_set_pubkey_point(EVP_PKEY *group_key, 522 const u8 *buf, size_t len) 523 { 524 EC_KEY *eckey; 525 const EC_GROUP *group; 526 EVP_PKEY *pkey = NULL; 527 528 if (len & 1) 529 return NULL; 530 531 eckey = EVP_PKEY_get1_EC_KEY(group_key); 532 if (!eckey) { 533 wpa_printf(MSG_ERROR, 534 "DPP: Could not get EC_KEY from group_key"); 535 return NULL; 536 } 537 538 group = EC_KEY_get0_group(eckey); 539 if (group) 540 pkey = dpp_set_pubkey_point_group(group, buf, buf + len / 2, 541 len / 2); 542 else 543 wpa_printf(MSG_ERROR, "DPP: Could not get EC group"); 544 545 EC_KEY_free(eckey); 546 return pkey; 547 } 548 549 550 static void dpp_auth_fail(struct dpp_authentication *auth, const char *txt) 551 { 552 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt); 553 } 554 555 556 struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type, 557 size_t len) 558 { 559 struct wpabuf *msg; 560 561 msg = wpabuf_alloc(8 + len); 562 if (!msg) 563 return NULL; 564 wpabuf_put_u8(msg, WLAN_ACTION_PUBLIC); 565 wpabuf_put_u8(msg, WLAN_PA_VENDOR_SPECIFIC); 566 wpabuf_put_be24(msg, OUI_WFA); 567 wpabuf_put_u8(msg, DPP_OUI_TYPE); 568 wpabuf_put_u8(msg, 1); /* Crypto Suite */ 569 wpabuf_put_u8(msg, type); 570 return msg; 571 } 572 573 574 const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len) 575 { 576 u16 id, alen; 577 const u8 *pos = buf, *end = buf + len; 578 579 while (end - pos >= 4) { 580 id = WPA_GET_LE16(pos); 581 pos += 2; 582 alen = WPA_GET_LE16(pos); 583 pos += 2; 584 if (alen > end - pos) 585 return NULL; 586 if (id == req_id) { 587 *ret_len = alen; 588 return pos; 589 } 590 pos += alen; 591 } 592 593 return NULL; 594 } 595 596 597 int dpp_check_attrs(const u8 *buf, size_t len) 598 { 599 const u8 *pos, *end; 600 int wrapped_data = 0; 601 602 pos = buf; 603 end = buf + len; 604 while (end - pos >= 4) { 605 u16 id, alen; 606 607 id = WPA_GET_LE16(pos); 608 pos += 2; 609 alen = WPA_GET_LE16(pos); 610 pos += 2; 611 wpa_printf(MSG_MSGDUMP, "DPP: Attribute ID %04x len %u", 612 id, alen); 613 if (alen > end - pos) { 614 wpa_printf(MSG_DEBUG, 615 "DPP: Truncated message - not enough room for the attribute - dropped"); 616 return -1; 617 } 618 if (wrapped_data) { 619 wpa_printf(MSG_DEBUG, 620 "DPP: An unexpected attribute included after the Wrapped Data attribute"); 621 return -1; 622 } 623 if (id == DPP_ATTR_WRAPPED_DATA) 624 wrapped_data = 1; 625 pos += alen; 626 } 627 628 if (end != pos) { 629 wpa_printf(MSG_DEBUG, 630 "DPP: Unexpected octets (%d) after the last attribute", 631 (int) (end - pos)); 632 return -1; 633 } 634 635 return 0; 636 } 637 638 639 void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info) 640 { 641 if (!info) 642 return; 643 os_free(info->uri); 644 os_free(info->info); 645 EVP_PKEY_free(info->pubkey); 646 os_free(info); 647 } 648 649 650 const char * dpp_bootstrap_type_txt(enum dpp_bootstrap_type type) 651 { 652 switch (type) { 653 case DPP_BOOTSTRAP_QR_CODE: 654 return "QRCODE"; 655 case DPP_BOOTSTRAP_PKEX: 656 return "PKEX"; 657 } 658 return "??"; 659 } 660 661 662 static int dpp_uri_valid_info(const char *info) 663 { 664 while (*info) { 665 unsigned char val = *info++; 666 667 if (val < 0x20 || val > 0x7e || val == 0x3b) 668 return 0; 669 } 670 671 return 1; 672 } 673 674 675 static int dpp_clone_uri(struct dpp_bootstrap_info *bi, const char *uri) 676 { 677 bi->uri = os_strdup(uri); 678 return bi->uri ? 0 : -1; 679 } 680 681 682 int dpp_parse_uri_chan_list(struct dpp_bootstrap_info *bi, 683 const char *chan_list) 684 { 685 const char *pos = chan_list; 686 int opclass, channel, freq; 687 688 while (pos && *pos && *pos != ';') { 689 opclass = atoi(pos); 690 if (opclass <= 0) 691 goto fail; 692 pos = os_strchr(pos, '/'); 693 if (!pos) 694 goto fail; 695 pos++; 696 channel = atoi(pos); 697 if (channel <= 0) 698 goto fail; 699 while (*pos >= '0' && *pos <= '9') 700 pos++; 701 freq = ieee80211_chan_to_freq(NULL, opclass, channel); 702 wpa_printf(MSG_DEBUG, 703 "DPP: URI channel-list: opclass=%d channel=%d ==> freq=%d", 704 opclass, channel, freq); 705 if (freq < 0) { 706 wpa_printf(MSG_DEBUG, 707 "DPP: Ignore unknown URI channel-list channel (opclass=%d channel=%d)", 708 opclass, channel); 709 } else if (bi->num_freq == DPP_BOOTSTRAP_MAX_FREQ) { 710 wpa_printf(MSG_DEBUG, 711 "DPP: Too many channels in URI channel-list - ignore list"); 712 bi->num_freq = 0; 713 break; 714 } else { 715 bi->freq[bi->num_freq++] = freq; 716 } 717 718 if (*pos == ';' || *pos == '\0') 719 break; 720 if (*pos != ',') 721 goto fail; 722 pos++; 723 } 724 725 return 0; 726 fail: 727 wpa_printf(MSG_DEBUG, "DPP: Invalid URI channel-list"); 728 return -1; 729 } 730 731 732 int dpp_parse_uri_mac(struct dpp_bootstrap_info *bi, const char *mac) 733 { 734 if (!mac) 735 return 0; 736 737 if (hwaddr_aton2(mac, bi->mac_addr) < 0) { 738 wpa_printf(MSG_DEBUG, "DPP: Invalid URI mac"); 739 return -1; 740 } 741 742 wpa_printf(MSG_DEBUG, "DPP: URI mac: " MACSTR, MAC2STR(bi->mac_addr)); 743 744 return 0; 745 } 746 747 748 int dpp_parse_uri_info(struct dpp_bootstrap_info *bi, const char *info) 749 { 750 const char *end; 751 752 if (!info) 753 return 0; 754 755 end = os_strchr(info, ';'); 756 if (!end) 757 end = info + os_strlen(info); 758 bi->info = os_malloc(end - info + 1); 759 if (!bi->info) 760 return -1; 761 os_memcpy(bi->info, info, end - info); 762 bi->info[end - info] = '\0'; 763 wpa_printf(MSG_DEBUG, "DPP: URI(information): %s", bi->info); 764 if (!dpp_uri_valid_info(bi->info)) { 765 wpa_printf(MSG_DEBUG, "DPP: Invalid URI information payload"); 766 return -1; 767 } 768 769 return 0; 770 } 771 772 773 static const struct dpp_curve_params * 774 dpp_get_curve_oid(const ASN1_OBJECT *poid) 775 { 776 ASN1_OBJECT *oid; 777 int i; 778 779 for (i = 0; dpp_curves[i].name; i++) { 780 oid = OBJ_txt2obj(dpp_curves[i].name, 0); 781 if (oid && OBJ_cmp(poid, oid) == 0) 782 return &dpp_curves[i]; 783 } 784 return NULL; 785 } 786 787 788 static const struct dpp_curve_params * dpp_get_curve_nid(int nid) 789 { 790 int i, tmp; 791 792 if (!nid) 793 return NULL; 794 for (i = 0; dpp_curves[i].name; i++) { 795 tmp = OBJ_txt2nid(dpp_curves[i].name); 796 if (tmp == nid) 797 return &dpp_curves[i]; 798 } 799 return NULL; 800 } 801 802 803 static int dpp_parse_uri_pk(struct dpp_bootstrap_info *bi, const char *info) 804 { 805 const char *end; 806 u8 *data; 807 size_t data_len; 808 EVP_PKEY *pkey; 809 const unsigned char *p; 810 int res; 811 X509_PUBKEY *pub = NULL; 812 ASN1_OBJECT *ppkalg; 813 const unsigned char *pk; 814 int ppklen; 815 X509_ALGOR *pa; 816 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 817 ASN1_OBJECT *pa_oid; 818 #else 819 const ASN1_OBJECT *pa_oid; 820 #endif 821 const void *pval; 822 int ptype; 823 const ASN1_OBJECT *poid; 824 char buf[100]; 825 826 end = os_strchr(info, ';'); 827 if (!end) 828 return -1; 829 830 data = base64_decode((const unsigned char *) info, end - info, 831 &data_len); 832 if (!data) { 833 wpa_printf(MSG_DEBUG, 834 "DPP: Invalid base64 encoding on URI public-key"); 835 return -1; 836 } 837 wpa_hexdump(MSG_DEBUG, "DPP: Base64 decoded URI public-key", 838 data, data_len); 839 840 if (sha256_vector(1, (const u8 **) &data, &data_len, 841 bi->pubkey_hash) < 0) { 842 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key"); 843 os_free(data); 844 return -1; 845 } 846 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", 847 bi->pubkey_hash, SHA256_MAC_LEN); 848 849 /* DER encoded ASN.1 SubjectPublicKeyInfo 850 * 851 * SubjectPublicKeyInfo ::= SEQUENCE { 852 * algorithm AlgorithmIdentifier, 853 * subjectPublicKey BIT STRING } 854 * 855 * AlgorithmIdentifier ::= SEQUENCE { 856 * algorithm OBJECT IDENTIFIER, 857 * parameters ANY DEFINED BY algorithm OPTIONAL } 858 * 859 * subjectPublicKey = compressed format public key per ANSI X9.63 860 * algorithm = ecPublicKey (1.2.840.10045.2.1) 861 * parameters = shall be present and shall be OBJECT IDENTIFIER; e.g., 862 * prime256v1 (1.2.840.10045.3.1.7) 863 */ 864 865 p = data; 866 pkey = d2i_PUBKEY(NULL, &p, data_len); 867 os_free(data); 868 869 if (!pkey) { 870 wpa_printf(MSG_DEBUG, 871 "DPP: Could not parse URI public-key SubjectPublicKeyInfo"); 872 return -1; 873 } 874 875 if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) { 876 wpa_printf(MSG_DEBUG, 877 "DPP: SubjectPublicKeyInfo does not describe an EC key"); 878 EVP_PKEY_free(pkey); 879 return -1; 880 } 881 882 res = X509_PUBKEY_set(&pub, pkey); 883 if (res != 1) { 884 wpa_printf(MSG_DEBUG, "DPP: Could not set pubkey"); 885 goto fail; 886 } 887 888 res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub); 889 if (res != 1) { 890 wpa_printf(MSG_DEBUG, 891 "DPP: Could not extract SubjectPublicKeyInfo parameters"); 892 goto fail; 893 } 894 res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0); 895 if (res < 0 || (size_t) res >= sizeof(buf)) { 896 wpa_printf(MSG_DEBUG, 897 "DPP: Could not extract SubjectPublicKeyInfo algorithm"); 898 goto fail; 899 } 900 wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey algorithm: %s", buf); 901 if (os_strcmp(buf, "id-ecPublicKey") != 0) { 902 wpa_printf(MSG_DEBUG, 903 "DPP: Unsupported SubjectPublicKeyInfo algorithm"); 904 goto fail; 905 } 906 907 X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa); 908 if (ptype != V_ASN1_OBJECT) { 909 wpa_printf(MSG_DEBUG, 910 "DPP: SubjectPublicKeyInfo parameters did not contain an OID"); 911 goto fail; 912 } 913 poid = pval; 914 res = OBJ_obj2txt(buf, sizeof(buf), poid, 0); 915 if (res < 0 || (size_t) res >= sizeof(buf)) { 916 wpa_printf(MSG_DEBUG, 917 "DPP: Could not extract SubjectPublicKeyInfo parameters OID"); 918 goto fail; 919 } 920 wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey parameters: %s", buf); 921 bi->curve = dpp_get_curve_oid(poid); 922 if (!bi->curve) { 923 wpa_printf(MSG_DEBUG, 924 "DPP: Unsupported SubjectPublicKeyInfo curve: %s", 925 buf); 926 goto fail; 927 } 928 929 wpa_hexdump(MSG_DEBUG, "DPP: URI subjectPublicKey", pk, ppklen); 930 931 X509_PUBKEY_free(pub); 932 bi->pubkey = pkey; 933 return 0; 934 fail: 935 X509_PUBKEY_free(pub); 936 EVP_PKEY_free(pkey); 937 return -1; 938 } 939 940 941 static struct dpp_bootstrap_info * dpp_parse_uri(const char *uri) 942 { 943 const char *pos = uri; 944 const char *end; 945 const char *chan_list = NULL, *mac = NULL, *info = NULL, *pk = NULL; 946 struct dpp_bootstrap_info *bi; 947 948 wpa_hexdump_ascii(MSG_DEBUG, "DPP: URI", uri, os_strlen(uri)); 949 950 if (os_strncmp(pos, "DPP:", 4) != 0) { 951 wpa_printf(MSG_INFO, "DPP: Not a DPP URI"); 952 return NULL; 953 } 954 pos += 4; 955 956 for (;;) { 957 end = os_strchr(pos, ';'); 958 if (!end) 959 break; 960 961 if (end == pos) { 962 /* Handle terminating ";;" and ignore unexpected ";" 963 * for parsing robustness. */ 964 pos++; 965 continue; 966 } 967 968 if (pos[0] == 'C' && pos[1] == ':' && !chan_list) 969 chan_list = pos + 2; 970 else if (pos[0] == 'M' && pos[1] == ':' && !mac) 971 mac = pos + 2; 972 else if (pos[0] == 'I' && pos[1] == ':' && !info) 973 info = pos + 2; 974 else if (pos[0] == 'K' && pos[1] == ':' && !pk) 975 pk = pos + 2; 976 else 977 wpa_hexdump_ascii(MSG_DEBUG, 978 "DPP: Ignore unrecognized URI parameter", 979 pos, end - pos); 980 pos = end + 1; 981 } 982 983 if (!pk) { 984 wpa_printf(MSG_INFO, "DPP: URI missing public-key"); 985 return NULL; 986 } 987 988 bi = os_zalloc(sizeof(*bi)); 989 if (!bi) 990 return NULL; 991 992 if (dpp_clone_uri(bi, uri) < 0 || 993 dpp_parse_uri_chan_list(bi, chan_list) < 0 || 994 dpp_parse_uri_mac(bi, mac) < 0 || 995 dpp_parse_uri_info(bi, info) < 0 || 996 dpp_parse_uri_pk(bi, pk) < 0) { 997 dpp_bootstrap_info_free(bi); 998 bi = NULL; 999 } 1000 1001 return bi; 1002 } 1003 1004 1005 struct dpp_bootstrap_info * dpp_parse_qr_code(const char *uri) 1006 { 1007 struct dpp_bootstrap_info *bi; 1008 1009 bi = dpp_parse_uri(uri); 1010 if (bi) 1011 bi->type = DPP_BOOTSTRAP_QR_CODE; 1012 return bi; 1013 } 1014 1015 1016 static void dpp_debug_print_key(const char *title, EVP_PKEY *key) 1017 { 1018 EC_KEY *eckey; 1019 BIO *out; 1020 size_t rlen; 1021 char *txt; 1022 int res; 1023 unsigned char *der = NULL; 1024 int der_len; 1025 const EC_GROUP *group; 1026 const EC_POINT *point; 1027 1028 out = BIO_new(BIO_s_mem()); 1029 if (!out) 1030 return; 1031 1032 EVP_PKEY_print_private(out, key, 0, NULL); 1033 rlen = BIO_ctrl_pending(out); 1034 txt = os_malloc(rlen + 1); 1035 if (txt) { 1036 res = BIO_read(out, txt, rlen); 1037 if (res > 0) { 1038 txt[res] = '\0'; 1039 wpa_printf(MSG_DEBUG, "%s: %s", title, txt); 1040 } 1041 os_free(txt); 1042 } 1043 BIO_free(out); 1044 1045 eckey = EVP_PKEY_get1_EC_KEY(key); 1046 if (!eckey) 1047 return; 1048 1049 group = EC_KEY_get0_group(eckey); 1050 point = EC_KEY_get0_public_key(eckey); 1051 if (group && point) 1052 dpp_debug_print_point(title, group, point); 1053 1054 der_len = i2d_ECPrivateKey(eckey, &der); 1055 if (der_len > 0) 1056 wpa_hexdump_key(MSG_DEBUG, "DPP: ECPrivateKey", der, der_len); 1057 OPENSSL_free(der); 1058 if (der_len <= 0) { 1059 der = NULL; 1060 der_len = i2d_EC_PUBKEY(eckey, &der); 1061 if (der_len > 0) 1062 wpa_hexdump(MSG_DEBUG, "DPP: EC_PUBKEY", der, der_len); 1063 OPENSSL_free(der); 1064 } 1065 1066 EC_KEY_free(eckey); 1067 } 1068 1069 1070 static EVP_PKEY * dpp_gen_keypair(const struct dpp_curve_params *curve) 1071 { 1072 EVP_PKEY_CTX *kctx = NULL; 1073 EC_KEY *ec_params; 1074 EVP_PKEY *params = NULL, *key = NULL; 1075 int nid; 1076 1077 wpa_printf(MSG_DEBUG, "DPP: Generating a keypair"); 1078 1079 nid = OBJ_txt2nid(curve->name); 1080 if (nid == NID_undef) { 1081 wpa_printf(MSG_INFO, "DPP: Unsupported curve %s", curve->name); 1082 return NULL; 1083 } 1084 1085 ec_params = EC_KEY_new_by_curve_name(nid); 1086 if (!ec_params) { 1087 wpa_printf(MSG_ERROR, 1088 "DPP: Failed to generate EC_KEY parameters"); 1089 goto fail; 1090 } 1091 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE); 1092 params = EVP_PKEY_new(); 1093 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) { 1094 wpa_printf(MSG_ERROR, 1095 "DPP: Failed to generate EVP_PKEY parameters"); 1096 goto fail; 1097 } 1098 1099 kctx = EVP_PKEY_CTX_new(params, NULL); 1100 if (!kctx || 1101 EVP_PKEY_keygen_init(kctx) != 1 || 1102 EVP_PKEY_keygen(kctx, &key) != 1) { 1103 wpa_printf(MSG_ERROR, "DPP: Failed to generate EC key"); 1104 goto fail; 1105 } 1106 1107 if (wpa_debug_show_keys) 1108 dpp_debug_print_key("Own generated key", key); 1109 1110 EVP_PKEY_free(params); 1111 EVP_PKEY_CTX_free(kctx); 1112 return key; 1113 fail: 1114 EVP_PKEY_CTX_free(kctx); 1115 EVP_PKEY_free(params); 1116 return NULL; 1117 } 1118 1119 1120 static const struct dpp_curve_params * 1121 dpp_get_curve_name(const char *name) 1122 { 1123 int i; 1124 1125 for (i = 0; dpp_curves[i].name; i++) { 1126 if (os_strcmp(name, dpp_curves[i].name) == 0 || 1127 (dpp_curves[i].jwk_crv && 1128 os_strcmp(name, dpp_curves[i].jwk_crv) == 0)) 1129 return &dpp_curves[i]; 1130 } 1131 return NULL; 1132 } 1133 1134 1135 static const struct dpp_curve_params * 1136 dpp_get_curve_jwk_crv(const char *name) 1137 { 1138 int i; 1139 1140 for (i = 0; dpp_curves[i].name; i++) { 1141 if (dpp_curves[i].jwk_crv && 1142 os_strcmp(name, dpp_curves[i].jwk_crv) == 0) 1143 return &dpp_curves[i]; 1144 } 1145 return NULL; 1146 } 1147 1148 1149 static EVP_PKEY * dpp_set_keypair(const struct dpp_curve_params **curve, 1150 const u8 *privkey, size_t privkey_len) 1151 { 1152 EVP_PKEY *pkey; 1153 EC_KEY *eckey; 1154 const EC_GROUP *group; 1155 int nid; 1156 1157 pkey = EVP_PKEY_new(); 1158 if (!pkey) 1159 return NULL; 1160 eckey = d2i_ECPrivateKey(NULL, &privkey, privkey_len); 1161 if (!eckey) { 1162 wpa_printf(MSG_INFO, 1163 "DPP: OpenSSL: d2i_ECPrivateKey() failed: %s", 1164 ERR_error_string(ERR_get_error(), NULL)); 1165 EVP_PKEY_free(pkey); 1166 return NULL; 1167 } 1168 group = EC_KEY_get0_group(eckey); 1169 if (!group) { 1170 EC_KEY_free(eckey); 1171 EVP_PKEY_free(pkey); 1172 return NULL; 1173 } 1174 nid = EC_GROUP_get_curve_name(group); 1175 *curve = dpp_get_curve_nid(nid); 1176 if (!*curve) { 1177 wpa_printf(MSG_INFO, 1178 "DPP: Unsupported curve (nid=%d) in pre-assigned key", 1179 nid); 1180 EC_KEY_free(eckey); 1181 EVP_PKEY_free(pkey); 1182 return NULL; 1183 } 1184 1185 if (EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) { 1186 EC_KEY_free(eckey); 1187 EVP_PKEY_free(pkey); 1188 return NULL; 1189 } 1190 return pkey; 1191 } 1192 1193 1194 typedef struct { 1195 /* AlgorithmIdentifier ecPublicKey with optional parameters present 1196 * as an OID identifying the curve */ 1197 X509_ALGOR *alg; 1198 /* Compressed format public key per ANSI X9.63 */ 1199 ASN1_BIT_STRING *pub_key; 1200 } DPP_BOOTSTRAPPING_KEY; 1201 1202 ASN1_SEQUENCE(DPP_BOOTSTRAPPING_KEY) = { 1203 ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, alg, X509_ALGOR), 1204 ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, pub_key, ASN1_BIT_STRING) 1205 } ASN1_SEQUENCE_END(DPP_BOOTSTRAPPING_KEY); 1206 1207 IMPLEMENT_ASN1_FUNCTIONS(DPP_BOOTSTRAPPING_KEY); 1208 1209 1210 static struct wpabuf * dpp_bootstrap_key_der(EVP_PKEY *key) 1211 { 1212 unsigned char *der = NULL; 1213 int der_len; 1214 EC_KEY *eckey; 1215 struct wpabuf *ret = NULL; 1216 size_t len; 1217 const EC_GROUP *group; 1218 const EC_POINT *point; 1219 BN_CTX *ctx; 1220 DPP_BOOTSTRAPPING_KEY *bootstrap = NULL; 1221 int nid; 1222 1223 ctx = BN_CTX_new(); 1224 eckey = EVP_PKEY_get1_EC_KEY(key); 1225 if (!ctx || !eckey) 1226 goto fail; 1227 1228 group = EC_KEY_get0_group(eckey); 1229 point = EC_KEY_get0_public_key(eckey); 1230 if (!group || !point) 1231 goto fail; 1232 dpp_debug_print_point("DPP: bootstrap public key", group, point); 1233 nid = EC_GROUP_get_curve_name(group); 1234 1235 bootstrap = DPP_BOOTSTRAPPING_KEY_new(); 1236 if (!bootstrap || 1237 X509_ALGOR_set0(bootstrap->alg, OBJ_nid2obj(EVP_PKEY_EC), 1238 V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1) 1239 goto fail; 1240 1241 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, 1242 NULL, 0, ctx); 1243 if (len == 0) 1244 goto fail; 1245 1246 der = OPENSSL_malloc(len); 1247 if (!der) 1248 goto fail; 1249 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, 1250 der, len, ctx); 1251 1252 OPENSSL_free(bootstrap->pub_key->data); 1253 bootstrap->pub_key->data = der; 1254 der = NULL; 1255 bootstrap->pub_key->length = len; 1256 /* No unused bits */ 1257 bootstrap->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); 1258 bootstrap->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT; 1259 1260 der_len = i2d_DPP_BOOTSTRAPPING_KEY(bootstrap, &der); 1261 if (der_len <= 0) { 1262 wpa_printf(MSG_ERROR, 1263 "DDP: Failed to build DER encoded public key"); 1264 goto fail; 1265 } 1266 1267 ret = wpabuf_alloc_copy(der, der_len); 1268 fail: 1269 DPP_BOOTSTRAPPING_KEY_free(bootstrap); 1270 OPENSSL_free(der); 1271 EC_KEY_free(eckey); 1272 BN_CTX_free(ctx); 1273 return ret; 1274 } 1275 1276 1277 int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi) 1278 { 1279 struct wpabuf *der; 1280 int res; 1281 const u8 *addr[1]; 1282 size_t len[1]; 1283 1284 der = dpp_bootstrap_key_der(bi->pubkey); 1285 if (!der) 1286 return -1; 1287 wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)", 1288 der); 1289 1290 addr[0] = wpabuf_head(der); 1291 len[0] = wpabuf_len(der); 1292 res = sha256_vector(1, addr, len, bi->pubkey_hash); 1293 if (res < 0) 1294 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key"); 1295 else 1296 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash, 1297 SHA256_MAC_LEN); 1298 wpabuf_free(der); 1299 return res; 1300 } 1301 1302 1303 char * dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve, 1304 const u8 *privkey, size_t privkey_len) 1305 { 1306 unsigned char *base64 = NULL; 1307 char *pos, *end; 1308 size_t len; 1309 struct wpabuf *der = NULL; 1310 const u8 *addr[1]; 1311 int res; 1312 1313 if (!curve) { 1314 bi->curve = &dpp_curves[0]; 1315 } else { 1316 bi->curve = dpp_get_curve_name(curve); 1317 if (!bi->curve) { 1318 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", 1319 curve); 1320 return NULL; 1321 } 1322 } 1323 if (privkey) 1324 bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len); 1325 else 1326 bi->pubkey = dpp_gen_keypair(bi->curve); 1327 if (!bi->pubkey) 1328 goto fail; 1329 bi->own = 1; 1330 1331 der = dpp_bootstrap_key_der(bi->pubkey); 1332 if (!der) 1333 goto fail; 1334 wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)", 1335 der); 1336 1337 addr[0] = wpabuf_head(der); 1338 len = wpabuf_len(der); 1339 res = sha256_vector(1, addr, &len, bi->pubkey_hash); 1340 if (res < 0) { 1341 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key"); 1342 goto fail; 1343 } 1344 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash, 1345 SHA256_MAC_LEN); 1346 1347 base64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &len); 1348 wpabuf_free(der); 1349 der = NULL; 1350 if (!base64) 1351 goto fail; 1352 pos = (char *) base64; 1353 end = pos + len; 1354 for (;;) { 1355 pos = os_strchr(pos, '\n'); 1356 if (!pos) 1357 break; 1358 os_memmove(pos, pos + 1, end - pos); 1359 } 1360 return (char *) base64; 1361 fail: 1362 os_free(base64); 1363 wpabuf_free(der); 1364 return NULL; 1365 } 1366 1367 1368 static int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1, 1369 unsigned int hash_len) 1370 { 1371 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN]; 1372 const char *info = "first intermediate key"; 1373 int res; 1374 1375 /* k1 = HKDF(<>, "first intermediate key", M.x) */ 1376 1377 /* HKDF-Extract(<>, M.x) */ 1378 os_memset(salt, 0, hash_len); 1379 if (dpp_hmac(hash_len, salt, hash_len, Mx, Mx_len, prk) < 0) 1380 return -1; 1381 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)", 1382 prk, hash_len); 1383 1384 /* HKDF-Expand(PRK, info, L) */ 1385 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len); 1386 os_memset(prk, 0, hash_len); 1387 if (res < 0) 1388 return -1; 1389 1390 wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)", 1391 k1, hash_len); 1392 return 0; 1393 } 1394 1395 1396 static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2, 1397 unsigned int hash_len) 1398 { 1399 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN]; 1400 const char *info = "second intermediate key"; 1401 int res; 1402 1403 /* k2 = HKDF(<>, "second intermediate key", N.x) */ 1404 1405 /* HKDF-Extract(<>, N.x) */ 1406 os_memset(salt, 0, hash_len); 1407 res = dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk); 1408 if (res < 0) 1409 return -1; 1410 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)", 1411 prk, hash_len); 1412 1413 /* HKDF-Expand(PRK, info, L) */ 1414 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len); 1415 os_memset(prk, 0, hash_len); 1416 if (res < 0) 1417 return -1; 1418 1419 wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)", 1420 k2, hash_len); 1421 return 0; 1422 } 1423 1424 1425 static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke, 1426 unsigned int hash_len) 1427 { 1428 size_t nonce_len; 1429 u8 nonces[2 * DPP_MAX_NONCE_LEN]; 1430 const char *info_ke = "DPP Key"; 1431 u8 prk[DPP_MAX_HASH_LEN]; 1432 int res; 1433 const u8 *addr[3]; 1434 size_t len[3]; 1435 size_t num_elem = 0; 1436 1437 if (!auth->Mx_len || !auth->Nx_len) { 1438 wpa_printf(MSG_DEBUG, 1439 "DPP: Mx/Nx not available - cannot derive ke"); 1440 return -1; 1441 } 1442 1443 /* ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]) */ 1444 1445 /* HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */ 1446 nonce_len = auth->curve->nonce_len; 1447 os_memcpy(nonces, auth->i_nonce, nonce_len); 1448 os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len); 1449 addr[num_elem] = auth->Mx; 1450 len[num_elem] = auth->Mx_len; 1451 num_elem++; 1452 addr[num_elem] = auth->Nx; 1453 len[num_elem] = auth->Nx_len; 1454 num_elem++; 1455 if (auth->peer_bi && auth->own_bi) { 1456 if (!auth->Lx_len) { 1457 wpa_printf(MSG_DEBUG, 1458 "DPP: Lx not available - cannot derive ke"); 1459 return -1; 1460 } 1461 addr[num_elem] = auth->Lx; 1462 len[num_elem] = auth->secret_len; 1463 num_elem++; 1464 } 1465 res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len, 1466 num_elem, addr, len, prk); 1467 if (res < 0) 1468 return -1; 1469 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)", 1470 prk, hash_len); 1471 1472 /* HKDF-Expand(PRK, info, L) */ 1473 res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len); 1474 os_memset(prk, 0, hash_len); 1475 if (res < 0) 1476 return -1; 1477 1478 wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)", 1479 ke, hash_len); 1480 return 0; 1481 } 1482 1483 1484 static void dpp_build_attr_status(struct wpabuf *msg, 1485 enum dpp_status_error status) 1486 { 1487 wpa_printf(MSG_DEBUG, "DPP: Status %d", status); 1488 wpabuf_put_le16(msg, DPP_ATTR_STATUS); 1489 wpabuf_put_le16(msg, 1); 1490 wpabuf_put_u8(msg, status); 1491 } 1492 1493 1494 static void dpp_build_attr_r_bootstrap_key_hash(struct wpabuf *msg, 1495 const u8 *hash) 1496 { 1497 if (hash) { 1498 wpa_printf(MSG_DEBUG, "DPP: R-Bootstrap Key Hash"); 1499 wpabuf_put_le16(msg, DPP_ATTR_R_BOOTSTRAP_KEY_HASH); 1500 wpabuf_put_le16(msg, SHA256_MAC_LEN); 1501 wpabuf_put_data(msg, hash, SHA256_MAC_LEN); 1502 } 1503 } 1504 1505 1506 static void dpp_build_attr_i_bootstrap_key_hash(struct wpabuf *msg, 1507 const u8 *hash) 1508 { 1509 if (hash) { 1510 wpa_printf(MSG_DEBUG, "DPP: I-Bootstrap Key Hash"); 1511 wpabuf_put_le16(msg, DPP_ATTR_I_BOOTSTRAP_KEY_HASH); 1512 wpabuf_put_le16(msg, SHA256_MAC_LEN); 1513 wpabuf_put_data(msg, hash, SHA256_MAC_LEN); 1514 } 1515 } 1516 1517 1518 static struct wpabuf * dpp_auth_build_req(struct dpp_authentication *auth, 1519 const struct wpabuf *pi, 1520 size_t nonce_len, 1521 const u8 *r_pubkey_hash, 1522 const u8 *i_pubkey_hash, 1523 unsigned int neg_freq) 1524 { 1525 struct wpabuf *msg; 1526 u8 clear[4 + DPP_MAX_NONCE_LEN + 4 + 1]; 1527 u8 wrapped_data[4 + DPP_MAX_NONCE_LEN + 4 + 1 + AES_BLOCK_SIZE]; 1528 u8 *pos; 1529 const u8 *addr[2]; 1530 size_t len[2], siv_len, attr_len; 1531 u8 *attr_start, *attr_end; 1532 1533 /* Build DPP Authentication Request frame attributes */ 1534 attr_len = 2 * (4 + SHA256_MAC_LEN) + 4 + (pi ? wpabuf_len(pi) : 0) + 1535 4 + sizeof(wrapped_data); 1536 if (neg_freq > 0) 1537 attr_len += 4 + 2; 1538 #ifdef CONFIG_TESTING_OPTIONS 1539 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) 1540 attr_len += 5; 1541 #endif /* CONFIG_TESTING_OPTIONS */ 1542 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_REQ, attr_len); 1543 if (!msg) 1544 return NULL; 1545 1546 attr_start = wpabuf_put(msg, 0); 1547 1548 /* Responder Bootstrapping Key Hash */ 1549 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash); 1550 1551 /* Initiator Bootstrapping Key Hash */ 1552 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash); 1553 1554 /* Initiator Protocol Key */ 1555 if (pi) { 1556 wpabuf_put_le16(msg, DPP_ATTR_I_PROTOCOL_KEY); 1557 wpabuf_put_le16(msg, wpabuf_len(pi)); 1558 wpabuf_put_buf(msg, pi); 1559 } 1560 1561 /* Channel */ 1562 if (neg_freq > 0) { 1563 u8 op_class, channel; 1564 1565 if (ieee80211_freq_to_channel_ext(neg_freq, 0, 0, &op_class, 1566 &channel) == 1567 NUM_HOSTAPD_MODES) { 1568 wpa_printf(MSG_INFO, 1569 "DPP: Unsupported negotiation frequency request: %d", 1570 neg_freq); 1571 wpabuf_free(msg); 1572 return NULL; 1573 } 1574 wpabuf_put_le16(msg, DPP_ATTR_CHANNEL); 1575 wpabuf_put_le16(msg, 2); 1576 wpabuf_put_u8(msg, op_class); 1577 wpabuf_put_u8(msg, channel); 1578 } 1579 1580 #ifdef CONFIG_TESTING_OPTIONS 1581 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_REQ) { 1582 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 1583 goto skip_wrapped_data; 1584 } 1585 #endif /* CONFIG_TESTING_OPTIONS */ 1586 1587 /* Wrapped data ({I-nonce, I-capabilities}k1) */ 1588 pos = clear; 1589 1590 #ifdef CONFIG_TESTING_OPTIONS 1591 if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_REQ) { 1592 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce"); 1593 goto skip_i_nonce; 1594 } 1595 if (dpp_test == DPP_TEST_INVALID_I_NONCE_AUTH_REQ) { 1596 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-nonce"); 1597 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE); 1598 pos += 2; 1599 WPA_PUT_LE16(pos, nonce_len - 1); 1600 pos += 2; 1601 os_memcpy(pos, auth->i_nonce, nonce_len - 1); 1602 pos += nonce_len - 1; 1603 goto skip_i_nonce; 1604 } 1605 #endif /* CONFIG_TESTING_OPTIONS */ 1606 1607 /* I-nonce */ 1608 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE); 1609 pos += 2; 1610 WPA_PUT_LE16(pos, nonce_len); 1611 pos += 2; 1612 os_memcpy(pos, auth->i_nonce, nonce_len); 1613 pos += nonce_len; 1614 1615 #ifdef CONFIG_TESTING_OPTIONS 1616 skip_i_nonce: 1617 if (dpp_test == DPP_TEST_NO_I_CAPAB_AUTH_REQ) { 1618 wpa_printf(MSG_INFO, "DPP: TESTING - no I-capab"); 1619 goto skip_i_capab; 1620 } 1621 #endif /* CONFIG_TESTING_OPTIONS */ 1622 1623 /* I-capabilities */ 1624 WPA_PUT_LE16(pos, DPP_ATTR_I_CAPABILITIES); 1625 pos += 2; 1626 WPA_PUT_LE16(pos, 1); 1627 pos += 2; 1628 auth->i_capab = auth->allowed_roles; 1629 *pos++ = auth->i_capab; 1630 #ifdef CONFIG_TESTING_OPTIONS 1631 if (dpp_test == DPP_TEST_ZERO_I_CAPAB) { 1632 wpa_printf(MSG_INFO, "DPP: TESTING - zero I-capabilities"); 1633 pos[-1] = 0; 1634 } 1635 skip_i_capab: 1636 #endif /* CONFIG_TESTING_OPTIONS */ 1637 1638 attr_end = wpabuf_put(msg, 0); 1639 1640 /* OUI, OUI type, Crypto Suite, DPP frame type */ 1641 addr[0] = wpabuf_head_u8(msg) + 2; 1642 len[0] = 3 + 1 + 1 + 1; 1643 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 1644 1645 /* Attributes before Wrapped Data */ 1646 addr[1] = attr_start; 1647 len[1] = attr_end - attr_start; 1648 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 1649 1650 siv_len = pos - clear; 1651 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len); 1652 if (aes_siv_encrypt(auth->k1, auth->curve->hash_len, clear, siv_len, 1653 2, addr, len, wrapped_data) < 0) { 1654 wpabuf_free(msg); 1655 return NULL; 1656 } 1657 siv_len += AES_BLOCK_SIZE; 1658 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 1659 wrapped_data, siv_len); 1660 1661 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 1662 wpabuf_put_le16(msg, siv_len); 1663 wpabuf_put_data(msg, wrapped_data, siv_len); 1664 1665 #ifdef CONFIG_TESTING_OPTIONS 1666 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) { 1667 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 1668 dpp_build_attr_status(msg, DPP_STATUS_OK); 1669 } 1670 skip_wrapped_data: 1671 #endif /* CONFIG_TESTING_OPTIONS */ 1672 1673 wpa_hexdump_buf(MSG_DEBUG, 1674 "DPP: Authentication Request frame attributes", msg); 1675 1676 return msg; 1677 } 1678 1679 1680 static struct wpabuf * dpp_auth_build_resp(struct dpp_authentication *auth, 1681 enum dpp_status_error status, 1682 const struct wpabuf *pr, 1683 size_t nonce_len, 1684 const u8 *r_pubkey_hash, 1685 const u8 *i_pubkey_hash, 1686 const u8 *r_nonce, const u8 *i_nonce, 1687 const u8 *wrapped_r_auth, 1688 size_t wrapped_r_auth_len, 1689 const u8 *siv_key) 1690 { 1691 struct wpabuf *msg; 1692 #define DPP_AUTH_RESP_CLEAR_LEN 2 * (4 + DPP_MAX_NONCE_LEN) + 4 + 1 + \ 1693 4 + 4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE 1694 u8 clear[DPP_AUTH_RESP_CLEAR_LEN]; 1695 u8 wrapped_data[DPP_AUTH_RESP_CLEAR_LEN + AES_BLOCK_SIZE]; 1696 const u8 *addr[2]; 1697 size_t len[2], siv_len, attr_len; 1698 u8 *attr_start, *attr_end, *pos; 1699 1700 auth->waiting_auth_conf = 1; 1701 auth->auth_resp_tries = 0; 1702 1703 /* Build DPP Authentication Response frame attributes */ 1704 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) + 1705 4 + (pr ? wpabuf_len(pr) : 0) + 4 + sizeof(wrapped_data); 1706 #ifdef CONFIG_TESTING_OPTIONS 1707 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) 1708 attr_len += 5; 1709 #endif /* CONFIG_TESTING_OPTIONS */ 1710 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_RESP, attr_len); 1711 if (!msg) 1712 return NULL; 1713 1714 attr_start = wpabuf_put(msg, 0); 1715 1716 /* DPP Status */ 1717 if (status != 255) 1718 dpp_build_attr_status(msg, status); 1719 1720 /* Responder Bootstrapping Key Hash */ 1721 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash); 1722 1723 /* Initiator Bootstrapping Key Hash (mutual authentication) */ 1724 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash); 1725 1726 /* Responder Protocol Key */ 1727 if (pr) { 1728 wpabuf_put_le16(msg, DPP_ATTR_R_PROTOCOL_KEY); 1729 wpabuf_put_le16(msg, wpabuf_len(pr)); 1730 wpabuf_put_buf(msg, pr); 1731 } 1732 1733 attr_end = wpabuf_put(msg, 0); 1734 1735 #ifdef CONFIG_TESTING_OPTIONS 1736 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_RESP) { 1737 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 1738 goto skip_wrapped_data; 1739 } 1740 #endif /* CONFIG_TESTING_OPTIONS */ 1741 1742 /* Wrapped data ({R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2) */ 1743 pos = clear; 1744 1745 if (r_nonce) { 1746 /* R-nonce */ 1747 WPA_PUT_LE16(pos, DPP_ATTR_R_NONCE); 1748 pos += 2; 1749 WPA_PUT_LE16(pos, nonce_len); 1750 pos += 2; 1751 os_memcpy(pos, r_nonce, nonce_len); 1752 pos += nonce_len; 1753 } 1754 1755 if (i_nonce) { 1756 /* I-nonce */ 1757 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE); 1758 pos += 2; 1759 WPA_PUT_LE16(pos, nonce_len); 1760 pos += 2; 1761 os_memcpy(pos, i_nonce, nonce_len); 1762 #ifdef CONFIG_TESTING_OPTIONS 1763 if (dpp_test == DPP_TEST_I_NONCE_MISMATCH_AUTH_RESP) { 1764 wpa_printf(MSG_INFO, "DPP: TESTING - I-nonce mismatch"); 1765 pos[nonce_len / 2] ^= 0x01; 1766 } 1767 #endif /* CONFIG_TESTING_OPTIONS */ 1768 pos += nonce_len; 1769 } 1770 1771 #ifdef CONFIG_TESTING_OPTIONS 1772 if (dpp_test == DPP_TEST_NO_R_CAPAB_AUTH_RESP) { 1773 wpa_printf(MSG_INFO, "DPP: TESTING - no R-capab"); 1774 goto skip_r_capab; 1775 } 1776 #endif /* CONFIG_TESTING_OPTIONS */ 1777 1778 /* R-capabilities */ 1779 WPA_PUT_LE16(pos, DPP_ATTR_R_CAPABILITIES); 1780 pos += 2; 1781 WPA_PUT_LE16(pos, 1); 1782 pos += 2; 1783 auth->r_capab = auth->configurator ? DPP_CAPAB_CONFIGURATOR : 1784 DPP_CAPAB_ENROLLEE; 1785 *pos++ = auth->r_capab; 1786 #ifdef CONFIG_TESTING_OPTIONS 1787 if (dpp_test == DPP_TEST_ZERO_R_CAPAB) { 1788 wpa_printf(MSG_INFO, "DPP: TESTING - zero R-capabilities"); 1789 pos[-1] = 0; 1790 } else if (dpp_test == DPP_TEST_INCOMPATIBLE_R_CAPAB_AUTH_RESP) { 1791 wpa_printf(MSG_INFO, 1792 "DPP: TESTING - incompatible R-capabilities"); 1793 if ((auth->i_capab & DPP_CAPAB_ROLE_MASK) == 1794 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) 1795 pos[-1] = 0; 1796 else 1797 pos[-1] = auth->configurator ? DPP_CAPAB_ENROLLEE : 1798 DPP_CAPAB_CONFIGURATOR; 1799 } 1800 skip_r_capab: 1801 #endif /* CONFIG_TESTING_OPTIONS */ 1802 1803 if (wrapped_r_auth) { 1804 /* {R-auth}ke */ 1805 WPA_PUT_LE16(pos, DPP_ATTR_WRAPPED_DATA); 1806 pos += 2; 1807 WPA_PUT_LE16(pos, wrapped_r_auth_len); 1808 pos += 2; 1809 os_memcpy(pos, wrapped_r_auth, wrapped_r_auth_len); 1810 pos += wrapped_r_auth_len; 1811 } 1812 1813 /* OUI, OUI type, Crypto Suite, DPP frame type */ 1814 addr[0] = wpabuf_head_u8(msg) + 2; 1815 len[0] = 3 + 1 + 1 + 1; 1816 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 1817 1818 /* Attributes before Wrapped Data */ 1819 addr[1] = attr_start; 1820 len[1] = attr_end - attr_start; 1821 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 1822 1823 siv_len = pos - clear; 1824 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len); 1825 if (aes_siv_encrypt(siv_key, auth->curve->hash_len, clear, siv_len, 1826 2, addr, len, wrapped_data) < 0) { 1827 wpabuf_free(msg); 1828 return NULL; 1829 } 1830 siv_len += AES_BLOCK_SIZE; 1831 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 1832 wrapped_data, siv_len); 1833 1834 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 1835 wpabuf_put_le16(msg, siv_len); 1836 wpabuf_put_data(msg, wrapped_data, siv_len); 1837 1838 #ifdef CONFIG_TESTING_OPTIONS 1839 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) { 1840 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 1841 dpp_build_attr_status(msg, DPP_STATUS_OK); 1842 } 1843 skip_wrapped_data: 1844 #endif /* CONFIG_TESTING_OPTIONS */ 1845 1846 wpa_hexdump_buf(MSG_DEBUG, 1847 "DPP: Authentication Response frame attributes", msg); 1848 return msg; 1849 } 1850 1851 1852 static int dpp_channel_ok_init(struct hostapd_hw_modes *own_modes, 1853 u16 num_modes, unsigned int freq) 1854 { 1855 u16 m; 1856 int c, flag; 1857 1858 if (!own_modes || !num_modes) 1859 return 1; 1860 1861 for (m = 0; m < num_modes; m++) { 1862 for (c = 0; c < own_modes[m].num_channels; c++) { 1863 if ((unsigned int) own_modes[m].channels[c].freq != 1864 freq) 1865 continue; 1866 flag = own_modes[m].channels[c].flag; 1867 if (!(flag & (HOSTAPD_CHAN_DISABLED | 1868 HOSTAPD_CHAN_NO_IR | 1869 HOSTAPD_CHAN_RADAR))) 1870 return 1; 1871 } 1872 } 1873 1874 wpa_printf(MSG_DEBUG, "DPP: Peer channel %u MHz not supported", freq); 1875 return 0; 1876 } 1877 1878 1879 static int freq_included(const unsigned int freqs[], unsigned int num, 1880 unsigned int freq) 1881 { 1882 while (num > 0) { 1883 if (freqs[--num] == freq) 1884 return 1; 1885 } 1886 return 0; 1887 } 1888 1889 1890 static void freq_to_start(unsigned int freqs[], unsigned int num, 1891 unsigned int freq) 1892 { 1893 unsigned int i; 1894 1895 for (i = 0; i < num; i++) { 1896 if (freqs[i] == freq) 1897 break; 1898 } 1899 if (i == 0 || i >= num) 1900 return; 1901 os_memmove(&freqs[1], &freqs[0], i * sizeof(freqs[0])); 1902 freqs[0] = freq; 1903 } 1904 1905 1906 static int dpp_channel_intersect(struct dpp_authentication *auth, 1907 struct hostapd_hw_modes *own_modes, 1908 u16 num_modes) 1909 { 1910 struct dpp_bootstrap_info *peer_bi = auth->peer_bi; 1911 unsigned int i, freq; 1912 1913 for (i = 0; i < peer_bi->num_freq; i++) { 1914 freq = peer_bi->freq[i]; 1915 if (freq_included(auth->freq, auth->num_freq, freq)) 1916 continue; 1917 if (dpp_channel_ok_init(own_modes, num_modes, freq)) 1918 auth->freq[auth->num_freq++] = freq; 1919 } 1920 if (!auth->num_freq) { 1921 wpa_printf(MSG_INFO, 1922 "DPP: No available channels for initiating DPP Authentication"); 1923 return -1; 1924 } 1925 auth->curr_freq = auth->freq[0]; 1926 return 0; 1927 } 1928 1929 1930 static int dpp_channel_local_list(struct dpp_authentication *auth, 1931 struct hostapd_hw_modes *own_modes, 1932 u16 num_modes) 1933 { 1934 u16 m; 1935 int c, flag; 1936 unsigned int freq; 1937 1938 auth->num_freq = 0; 1939 1940 if (!own_modes || !num_modes) { 1941 auth->freq[0] = 2412; 1942 auth->freq[1] = 2437; 1943 auth->freq[2] = 2462; 1944 auth->num_freq = 3; 1945 return 0; 1946 } 1947 1948 for (m = 0; m < num_modes; m++) { 1949 for (c = 0; c < own_modes[m].num_channels; c++) { 1950 freq = own_modes[m].channels[c].freq; 1951 flag = own_modes[m].channels[c].flag; 1952 if (flag & (HOSTAPD_CHAN_DISABLED | 1953 HOSTAPD_CHAN_NO_IR | 1954 HOSTAPD_CHAN_RADAR)) 1955 continue; 1956 if (freq_included(auth->freq, auth->num_freq, freq)) 1957 continue; 1958 auth->freq[auth->num_freq++] = freq; 1959 if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ) { 1960 m = num_modes; 1961 break; 1962 } 1963 } 1964 } 1965 1966 return auth->num_freq == 0 ? -1 : 0; 1967 } 1968 1969 1970 static int dpp_prepare_channel_list(struct dpp_authentication *auth, 1971 struct hostapd_hw_modes *own_modes, 1972 u16 num_modes) 1973 { 1974 int res; 1975 char freqs[DPP_BOOTSTRAP_MAX_FREQ * 6 + 10], *pos, *end; 1976 unsigned int i; 1977 1978 if (auth->peer_bi->num_freq > 0) 1979 res = dpp_channel_intersect(auth, own_modes, num_modes); 1980 else 1981 res = dpp_channel_local_list(auth, own_modes, num_modes); 1982 if (res < 0) 1983 return res; 1984 1985 /* Prioritize 2.4 GHz channels 6, 1, 11 (in this order) to hit the most 1986 * likely channels first. */ 1987 freq_to_start(auth->freq, auth->num_freq, 2462); 1988 freq_to_start(auth->freq, auth->num_freq, 2412); 1989 freq_to_start(auth->freq, auth->num_freq, 2437); 1990 1991 auth->freq_idx = 0; 1992 auth->curr_freq = auth->freq[0]; 1993 1994 pos = freqs; 1995 end = pos + sizeof(freqs); 1996 for (i = 0; i < auth->num_freq; i++) { 1997 res = os_snprintf(pos, end - pos, " %u", auth->freq[i]); 1998 if (os_snprintf_error(end - pos, res)) 1999 break; 2000 pos += res; 2001 } 2002 *pos = '\0'; 2003 wpa_printf(MSG_DEBUG, "DPP: Possible frequencies for initiating:%s", 2004 freqs); 2005 2006 return 0; 2007 } 2008 2009 2010 static int dpp_autogen_bootstrap_key(struct dpp_authentication *auth) 2011 { 2012 struct dpp_bootstrap_info *bi; 2013 char *pk = NULL; 2014 size_t len; 2015 2016 if (auth->own_bi) 2017 return 0; /* already generated */ 2018 2019 bi = os_zalloc(sizeof(*bi)); 2020 if (!bi) 2021 return -1; 2022 bi->type = DPP_BOOTSTRAP_QR_CODE; 2023 pk = dpp_keygen(bi, auth->peer_bi->curve->name, NULL, 0); 2024 if (!pk) 2025 goto fail; 2026 2027 len = 4; /* "DPP:" */ 2028 len += 4 + os_strlen(pk); 2029 bi->uri = os_malloc(len + 1); 2030 if (!bi->uri) 2031 goto fail; 2032 os_snprintf(bi->uri, len + 1, "DPP:K:%s;;", pk); 2033 wpa_printf(MSG_DEBUG, 2034 "DPP: Auto-generated own bootstrapping key info: URI %s", 2035 bi->uri); 2036 2037 auth->tmp_own_bi = auth->own_bi = bi; 2038 2039 os_free(pk); 2040 2041 return 0; 2042 fail: 2043 os_free(pk); 2044 dpp_bootstrap_info_free(bi); 2045 return -1; 2046 } 2047 2048 2049 struct dpp_authentication * dpp_auth_init(void *msg_ctx, 2050 struct dpp_bootstrap_info *peer_bi, 2051 struct dpp_bootstrap_info *own_bi, 2052 u8 dpp_allowed_roles, 2053 unsigned int neg_freq, 2054 struct hostapd_hw_modes *own_modes, 2055 u16 num_modes) 2056 { 2057 struct dpp_authentication *auth; 2058 size_t nonce_len; 2059 EVP_PKEY_CTX *ctx = NULL; 2060 size_t secret_len; 2061 struct wpabuf *pi = NULL; 2062 const u8 *r_pubkey_hash, *i_pubkey_hash; 2063 #ifdef CONFIG_TESTING_OPTIONS 2064 u8 test_hash[SHA256_MAC_LEN]; 2065 #endif /* CONFIG_TESTING_OPTIONS */ 2066 2067 auth = os_zalloc(sizeof(*auth)); 2068 if (!auth) 2069 return NULL; 2070 auth->msg_ctx = msg_ctx; 2071 auth->initiator = 1; 2072 auth->waiting_auth_resp = 1; 2073 auth->allowed_roles = dpp_allowed_roles; 2074 auth->configurator = !!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR); 2075 auth->peer_bi = peer_bi; 2076 auth->own_bi = own_bi; 2077 auth->curve = peer_bi->curve; 2078 2079 if (dpp_autogen_bootstrap_key(auth) < 0 || 2080 dpp_prepare_channel_list(auth, own_modes, num_modes) < 0) 2081 goto fail; 2082 2083 #ifdef CONFIG_TESTING_OPTIONS 2084 if (dpp_nonce_override_len > 0) { 2085 wpa_printf(MSG_INFO, "DPP: TESTING - override I-nonce"); 2086 nonce_len = dpp_nonce_override_len; 2087 os_memcpy(auth->i_nonce, dpp_nonce_override, nonce_len); 2088 } else { 2089 nonce_len = auth->curve->nonce_len; 2090 if (random_get_bytes(auth->i_nonce, nonce_len)) { 2091 wpa_printf(MSG_ERROR, 2092 "DPP: Failed to generate I-nonce"); 2093 goto fail; 2094 } 2095 } 2096 #else /* CONFIG_TESTING_OPTIONS */ 2097 nonce_len = auth->curve->nonce_len; 2098 if (random_get_bytes(auth->i_nonce, nonce_len)) { 2099 wpa_printf(MSG_ERROR, "DPP: Failed to generate I-nonce"); 2100 goto fail; 2101 } 2102 #endif /* CONFIG_TESTING_OPTIONS */ 2103 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", auth->i_nonce, nonce_len); 2104 2105 #ifdef CONFIG_TESTING_OPTIONS 2106 if (dpp_protocol_key_override_len) { 2107 const struct dpp_curve_params *tmp_curve; 2108 2109 wpa_printf(MSG_INFO, 2110 "DPP: TESTING - override protocol key"); 2111 auth->own_protocol_key = dpp_set_keypair( 2112 &tmp_curve, dpp_protocol_key_override, 2113 dpp_protocol_key_override_len); 2114 } else { 2115 auth->own_protocol_key = dpp_gen_keypair(auth->curve); 2116 } 2117 #else /* CONFIG_TESTING_OPTIONS */ 2118 auth->own_protocol_key = dpp_gen_keypair(auth->curve); 2119 #endif /* CONFIG_TESTING_OPTIONS */ 2120 if (!auth->own_protocol_key) 2121 goto fail; 2122 2123 pi = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2124 if (!pi) 2125 goto fail; 2126 2127 /* ECDH: M = pI * BR */ 2128 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL); 2129 if (!ctx || 2130 EVP_PKEY_derive_init(ctx) != 1 || 2131 EVP_PKEY_derive_set_peer(ctx, auth->peer_bi->pubkey) != 1 || 2132 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 || 2133 secret_len > DPP_MAX_SHARED_SECRET_LEN || 2134 EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) { 2135 wpa_printf(MSG_ERROR, 2136 "DPP: Failed to derive ECDH shared secret: %s", 2137 ERR_error_string(ERR_get_error(), NULL)); 2138 goto fail; 2139 } 2140 auth->secret_len = secret_len; 2141 EVP_PKEY_CTX_free(ctx); 2142 ctx = NULL; 2143 2144 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)", 2145 auth->Mx, auth->secret_len); 2146 auth->Mx_len = auth->secret_len; 2147 2148 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1, 2149 auth->curve->hash_len) < 0) 2150 goto fail; 2151 2152 r_pubkey_hash = auth->peer_bi->pubkey_hash; 2153 i_pubkey_hash = auth->own_bi->pubkey_hash; 2154 2155 #ifdef CONFIG_TESTING_OPTIONS 2156 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) { 2157 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash"); 2158 r_pubkey_hash = NULL; 2159 } else if (dpp_test == DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) { 2160 wpa_printf(MSG_INFO, 2161 "DPP: TESTING - invalid R-Bootstrap Key Hash"); 2162 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN); 2163 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2164 r_pubkey_hash = test_hash; 2165 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) { 2166 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash"); 2167 i_pubkey_hash = NULL; 2168 } else if (dpp_test == DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) { 2169 wpa_printf(MSG_INFO, 2170 "DPP: TESTING - invalid I-Bootstrap Key Hash"); 2171 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN); 2172 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2173 i_pubkey_hash = test_hash; 2174 } else if (dpp_test == DPP_TEST_NO_I_PROTO_KEY_AUTH_REQ) { 2175 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Proto Key"); 2176 wpabuf_free(pi); 2177 pi = NULL; 2178 } else if (dpp_test == DPP_TEST_INVALID_I_PROTO_KEY_AUTH_REQ) { 2179 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-Proto Key"); 2180 wpabuf_free(pi); 2181 pi = wpabuf_alloc(2 * auth->curve->prime_len); 2182 if (!pi || dpp_test_gen_invalid_key(pi, auth->curve) < 0) 2183 goto fail; 2184 } 2185 #endif /* CONFIG_TESTING_OPTIONS */ 2186 2187 auth->req_msg = dpp_auth_build_req(auth, pi, nonce_len, r_pubkey_hash, 2188 i_pubkey_hash, neg_freq); 2189 if (!auth->req_msg) 2190 goto fail; 2191 2192 out: 2193 wpabuf_free(pi); 2194 EVP_PKEY_CTX_free(ctx); 2195 return auth; 2196 fail: 2197 dpp_auth_deinit(auth); 2198 auth = NULL; 2199 goto out; 2200 } 2201 2202 2203 struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth, 2204 const char *json) 2205 { 2206 size_t nonce_len; 2207 size_t json_len, clear_len; 2208 struct wpabuf *clear = NULL, *msg = NULL; 2209 u8 *wrapped; 2210 size_t attr_len; 2211 2212 wpa_printf(MSG_DEBUG, "DPP: Build configuration request"); 2213 2214 nonce_len = auth->curve->nonce_len; 2215 if (random_get_bytes(auth->e_nonce, nonce_len)) { 2216 wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce"); 2217 goto fail; 2218 } 2219 wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len); 2220 json_len = os_strlen(json); 2221 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configAttr JSON", json, json_len); 2222 2223 /* { E-nonce, configAttrib }ke */ 2224 clear_len = 4 + nonce_len + 4 + json_len; 2225 clear = wpabuf_alloc(clear_len); 2226 attr_len = 4 + clear_len + AES_BLOCK_SIZE; 2227 #ifdef CONFIG_TESTING_OPTIONS 2228 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ) 2229 attr_len += 5; 2230 #endif /* CONFIG_TESTING_OPTIONS */ 2231 msg = wpabuf_alloc(attr_len); 2232 if (!clear || !msg) 2233 goto fail; 2234 2235 #ifdef CONFIG_TESTING_OPTIONS 2236 if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_REQ) { 2237 wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce"); 2238 goto skip_e_nonce; 2239 } 2240 if (dpp_test == DPP_TEST_INVALID_E_NONCE_CONF_REQ) { 2241 wpa_printf(MSG_INFO, "DPP: TESTING - invalid E-nonce"); 2242 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE); 2243 wpabuf_put_le16(clear, nonce_len - 1); 2244 wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1); 2245 goto skip_e_nonce; 2246 } 2247 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_REQ) { 2248 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 2249 goto skip_wrapped_data; 2250 } 2251 #endif /* CONFIG_TESTING_OPTIONS */ 2252 2253 /* E-nonce */ 2254 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE); 2255 wpabuf_put_le16(clear, nonce_len); 2256 wpabuf_put_data(clear, auth->e_nonce, nonce_len); 2257 2258 #ifdef CONFIG_TESTING_OPTIONS 2259 skip_e_nonce: 2260 if (dpp_test == DPP_TEST_NO_CONFIG_ATTR_OBJ_CONF_REQ) { 2261 wpa_printf(MSG_INFO, "DPP: TESTING - no configAttrib"); 2262 goto skip_conf_attr_obj; 2263 } 2264 #endif /* CONFIG_TESTING_OPTIONS */ 2265 2266 /* configAttrib */ 2267 wpabuf_put_le16(clear, DPP_ATTR_CONFIG_ATTR_OBJ); 2268 wpabuf_put_le16(clear, json_len); 2269 wpabuf_put_data(clear, json, json_len); 2270 2271 #ifdef CONFIG_TESTING_OPTIONS 2272 skip_conf_attr_obj: 2273 #endif /* CONFIG_TESTING_OPTIONS */ 2274 2275 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 2276 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 2277 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 2278 2279 /* No AES-SIV AD */ 2280 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear); 2281 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, 2282 wpabuf_head(clear), wpabuf_len(clear), 2283 0, NULL, NULL, wrapped) < 0) 2284 goto fail; 2285 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 2286 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE); 2287 2288 #ifdef CONFIG_TESTING_OPTIONS 2289 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ) { 2290 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 2291 dpp_build_attr_status(msg, DPP_STATUS_OK); 2292 } 2293 skip_wrapped_data: 2294 #endif /* CONFIG_TESTING_OPTIONS */ 2295 2296 wpa_hexdump_buf(MSG_DEBUG, 2297 "DPP: Configuration Request frame attributes", msg); 2298 wpabuf_free(clear); 2299 return msg; 2300 2301 fail: 2302 wpabuf_free(clear); 2303 wpabuf_free(msg); 2304 return NULL; 2305 } 2306 2307 2308 static void dpp_auth_success(struct dpp_authentication *auth) 2309 { 2310 wpa_printf(MSG_DEBUG, 2311 "DPP: Authentication success - clear temporary keys"); 2312 os_memset(auth->Mx, 0, sizeof(auth->Mx)); 2313 auth->Mx_len = 0; 2314 os_memset(auth->Nx, 0, sizeof(auth->Nx)); 2315 auth->Nx_len = 0; 2316 os_memset(auth->Lx, 0, sizeof(auth->Lx)); 2317 auth->Lx_len = 0; 2318 os_memset(auth->k1, 0, sizeof(auth->k1)); 2319 os_memset(auth->k2, 0, sizeof(auth->k2)); 2320 2321 auth->auth_success = 1; 2322 } 2323 2324 2325 static int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth) 2326 { 2327 struct wpabuf *pix, *prx, *bix, *brx; 2328 const u8 *addr[7]; 2329 size_t len[7]; 2330 size_t i, num_elem = 0; 2331 size_t nonce_len; 2332 u8 zero = 0; 2333 int res = -1; 2334 2335 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */ 2336 nonce_len = auth->curve->nonce_len; 2337 2338 if (auth->initiator) { 2339 pix = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2340 prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0); 2341 if (auth->own_bi) 2342 bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0); 2343 else 2344 bix = NULL; 2345 brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0); 2346 } else { 2347 pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0); 2348 prx = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2349 if (auth->peer_bi) 2350 bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0); 2351 else 2352 bix = NULL; 2353 brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0); 2354 } 2355 if (!pix || !prx || !brx) 2356 goto fail; 2357 2358 addr[num_elem] = auth->i_nonce; 2359 len[num_elem] = nonce_len; 2360 num_elem++; 2361 2362 addr[num_elem] = auth->r_nonce; 2363 len[num_elem] = nonce_len; 2364 num_elem++; 2365 2366 addr[num_elem] = wpabuf_head(pix); 2367 len[num_elem] = wpabuf_len(pix) / 2; 2368 num_elem++; 2369 2370 addr[num_elem] = wpabuf_head(prx); 2371 len[num_elem] = wpabuf_len(prx) / 2; 2372 num_elem++; 2373 2374 if (bix) { 2375 addr[num_elem] = wpabuf_head(bix); 2376 len[num_elem] = wpabuf_len(bix) / 2; 2377 num_elem++; 2378 } 2379 2380 addr[num_elem] = wpabuf_head(brx); 2381 len[num_elem] = wpabuf_len(brx) / 2; 2382 num_elem++; 2383 2384 addr[num_elem] = &zero; 2385 len[num_elem] = 1; 2386 num_elem++; 2387 2388 wpa_printf(MSG_DEBUG, "DPP: R-auth hash components"); 2389 for (i = 0; i < num_elem; i++) 2390 wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]); 2391 res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth); 2392 if (res == 0) 2393 wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth, 2394 auth->curve->hash_len); 2395 fail: 2396 wpabuf_free(pix); 2397 wpabuf_free(prx); 2398 wpabuf_free(bix); 2399 wpabuf_free(brx); 2400 return res; 2401 } 2402 2403 2404 static int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth) 2405 { 2406 struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL; 2407 const u8 *addr[7]; 2408 size_t len[7]; 2409 size_t i, num_elem = 0; 2410 size_t nonce_len; 2411 u8 one = 1; 2412 int res = -1; 2413 2414 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */ 2415 nonce_len = auth->curve->nonce_len; 2416 2417 if (auth->initiator) { 2418 pix = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2419 prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0); 2420 if (auth->own_bi) 2421 bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0); 2422 else 2423 bix = NULL; 2424 if (!auth->peer_bi) 2425 goto fail; 2426 brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0); 2427 } else { 2428 pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0); 2429 prx = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2430 if (auth->peer_bi) 2431 bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0); 2432 else 2433 bix = NULL; 2434 if (!auth->own_bi) 2435 goto fail; 2436 brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0); 2437 } 2438 if (!pix || !prx || !brx) 2439 goto fail; 2440 2441 addr[num_elem] = auth->r_nonce; 2442 len[num_elem] = nonce_len; 2443 num_elem++; 2444 2445 addr[num_elem] = auth->i_nonce; 2446 len[num_elem] = nonce_len; 2447 num_elem++; 2448 2449 addr[num_elem] = wpabuf_head(prx); 2450 len[num_elem] = wpabuf_len(prx) / 2; 2451 num_elem++; 2452 2453 addr[num_elem] = wpabuf_head(pix); 2454 len[num_elem] = wpabuf_len(pix) / 2; 2455 num_elem++; 2456 2457 addr[num_elem] = wpabuf_head(brx); 2458 len[num_elem] = wpabuf_len(brx) / 2; 2459 num_elem++; 2460 2461 if (bix) { 2462 addr[num_elem] = wpabuf_head(bix); 2463 len[num_elem] = wpabuf_len(bix) / 2; 2464 num_elem++; 2465 } 2466 2467 addr[num_elem] = &one; 2468 len[num_elem] = 1; 2469 num_elem++; 2470 2471 wpa_printf(MSG_DEBUG, "DPP: I-auth hash components"); 2472 for (i = 0; i < num_elem; i++) 2473 wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]); 2474 res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth); 2475 if (res == 0) 2476 wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth, 2477 auth->curve->hash_len); 2478 fail: 2479 wpabuf_free(pix); 2480 wpabuf_free(prx); 2481 wpabuf_free(bix); 2482 wpabuf_free(brx); 2483 return res; 2484 } 2485 2486 2487 static int dpp_auth_derive_l_responder(struct dpp_authentication *auth) 2488 { 2489 const EC_GROUP *group; 2490 EC_POINT *l = NULL; 2491 EC_KEY *BI = NULL, *bR = NULL, *pR = NULL; 2492 const EC_POINT *BI_point; 2493 BN_CTX *bnctx; 2494 BIGNUM *lx, *sum, *q; 2495 const BIGNUM *bR_bn, *pR_bn; 2496 int ret = -1; 2497 2498 /* L = ((bR + pR) modulo q) * BI */ 2499 2500 bnctx = BN_CTX_new(); 2501 sum = BN_new(); 2502 q = BN_new(); 2503 lx = BN_new(); 2504 if (!bnctx || !sum || !q || !lx) 2505 goto fail; 2506 BI = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey); 2507 if (!BI) 2508 goto fail; 2509 BI_point = EC_KEY_get0_public_key(BI); 2510 group = EC_KEY_get0_group(BI); 2511 if (!group) 2512 goto fail; 2513 2514 bR = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey); 2515 pR = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key); 2516 if (!bR || !pR) 2517 goto fail; 2518 bR_bn = EC_KEY_get0_private_key(bR); 2519 pR_bn = EC_KEY_get0_private_key(pR); 2520 if (!bR_bn || !pR_bn) 2521 goto fail; 2522 if (EC_GROUP_get_order(group, q, bnctx) != 1 || 2523 BN_mod_add(sum, bR_bn, pR_bn, q, bnctx) != 1) 2524 goto fail; 2525 l = EC_POINT_new(group); 2526 if (!l || 2527 EC_POINT_mul(group, l, NULL, BI_point, sum, bnctx) != 1 || 2528 EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL, 2529 bnctx) != 1) { 2530 wpa_printf(MSG_ERROR, 2531 "OpenSSL: failed: %s", 2532 ERR_error_string(ERR_get_error(), NULL)); 2533 goto fail; 2534 } 2535 2536 if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0) 2537 goto fail; 2538 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len); 2539 auth->Lx_len = auth->secret_len; 2540 ret = 0; 2541 fail: 2542 EC_POINT_clear_free(l); 2543 EC_KEY_free(BI); 2544 EC_KEY_free(bR); 2545 EC_KEY_free(pR); 2546 BN_clear_free(lx); 2547 BN_clear_free(sum); 2548 BN_free(q); 2549 BN_CTX_free(bnctx); 2550 return ret; 2551 } 2552 2553 2554 static int dpp_auth_derive_l_initiator(struct dpp_authentication *auth) 2555 { 2556 const EC_GROUP *group; 2557 EC_POINT *l = NULL, *sum = NULL; 2558 EC_KEY *bI = NULL, *BR = NULL, *PR = NULL; 2559 const EC_POINT *BR_point, *PR_point; 2560 BN_CTX *bnctx; 2561 BIGNUM *lx; 2562 const BIGNUM *bI_bn; 2563 int ret = -1; 2564 2565 /* L = bI * (BR + PR) */ 2566 2567 bnctx = BN_CTX_new(); 2568 lx = BN_new(); 2569 if (!bnctx || !lx) 2570 goto fail; 2571 BR = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey); 2572 PR = EVP_PKEY_get1_EC_KEY(auth->peer_protocol_key); 2573 if (!BR || !PR) 2574 goto fail; 2575 BR_point = EC_KEY_get0_public_key(BR); 2576 PR_point = EC_KEY_get0_public_key(PR); 2577 2578 bI = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey); 2579 if (!bI) 2580 goto fail; 2581 group = EC_KEY_get0_group(bI); 2582 bI_bn = EC_KEY_get0_private_key(bI); 2583 if (!group || !bI_bn) 2584 goto fail; 2585 sum = EC_POINT_new(group); 2586 l = EC_POINT_new(group); 2587 if (!sum || !l || 2588 EC_POINT_add(group, sum, BR_point, PR_point, bnctx) != 1 || 2589 EC_POINT_mul(group, l, NULL, sum, bI_bn, bnctx) != 1 || 2590 EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL, 2591 bnctx) != 1) { 2592 wpa_printf(MSG_ERROR, 2593 "OpenSSL: failed: %s", 2594 ERR_error_string(ERR_get_error(), NULL)); 2595 goto fail; 2596 } 2597 2598 if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0) 2599 goto fail; 2600 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len); 2601 auth->Lx_len = auth->secret_len; 2602 ret = 0; 2603 fail: 2604 EC_POINT_clear_free(l); 2605 EC_POINT_clear_free(sum); 2606 EC_KEY_free(bI); 2607 EC_KEY_free(BR); 2608 EC_KEY_free(PR); 2609 BN_clear_free(lx); 2610 BN_CTX_free(bnctx); 2611 return ret; 2612 } 2613 2614 2615 static int dpp_auth_build_resp_ok(struct dpp_authentication *auth) 2616 { 2617 size_t nonce_len; 2618 EVP_PKEY_CTX *ctx = NULL; 2619 size_t secret_len; 2620 struct wpabuf *msg, *pr = NULL; 2621 u8 r_auth[4 + DPP_MAX_HASH_LEN]; 2622 u8 wrapped_r_auth[4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE], *w_r_auth; 2623 size_t wrapped_r_auth_len; 2624 int ret = -1; 2625 const u8 *r_pubkey_hash, *i_pubkey_hash, *r_nonce, *i_nonce; 2626 enum dpp_status_error status = DPP_STATUS_OK; 2627 #ifdef CONFIG_TESTING_OPTIONS 2628 u8 test_hash[SHA256_MAC_LEN]; 2629 #endif /* CONFIG_TESTING_OPTIONS */ 2630 2631 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response"); 2632 if (!auth->own_bi) 2633 return -1; 2634 2635 #ifdef CONFIG_TESTING_OPTIONS 2636 if (dpp_nonce_override_len > 0) { 2637 wpa_printf(MSG_INFO, "DPP: TESTING - override R-nonce"); 2638 nonce_len = dpp_nonce_override_len; 2639 os_memcpy(auth->r_nonce, dpp_nonce_override, nonce_len); 2640 } else { 2641 nonce_len = auth->curve->nonce_len; 2642 if (random_get_bytes(auth->r_nonce, nonce_len)) { 2643 wpa_printf(MSG_ERROR, 2644 "DPP: Failed to generate R-nonce"); 2645 goto fail; 2646 } 2647 } 2648 #else /* CONFIG_TESTING_OPTIONS */ 2649 nonce_len = auth->curve->nonce_len; 2650 if (random_get_bytes(auth->r_nonce, nonce_len)) { 2651 wpa_printf(MSG_ERROR, "DPP: Failed to generate R-nonce"); 2652 goto fail; 2653 } 2654 #endif /* CONFIG_TESTING_OPTIONS */ 2655 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", auth->r_nonce, nonce_len); 2656 2657 #ifdef CONFIG_TESTING_OPTIONS 2658 if (dpp_protocol_key_override_len) { 2659 const struct dpp_curve_params *tmp_curve; 2660 2661 wpa_printf(MSG_INFO, 2662 "DPP: TESTING - override protocol key"); 2663 auth->own_protocol_key = dpp_set_keypair( 2664 &tmp_curve, dpp_protocol_key_override, 2665 dpp_protocol_key_override_len); 2666 } else { 2667 auth->own_protocol_key = dpp_gen_keypair(auth->curve); 2668 } 2669 #else /* CONFIG_TESTING_OPTIONS */ 2670 auth->own_protocol_key = dpp_gen_keypair(auth->curve); 2671 #endif /* CONFIG_TESTING_OPTIONS */ 2672 if (!auth->own_protocol_key) 2673 goto fail; 2674 2675 pr = dpp_get_pubkey_point(auth->own_protocol_key, 0); 2676 if (!pr) 2677 goto fail; 2678 2679 /* ECDH: N = pR * PI */ 2680 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL); 2681 if (!ctx || 2682 EVP_PKEY_derive_init(ctx) != 1 || 2683 EVP_PKEY_derive_set_peer(ctx, auth->peer_protocol_key) != 1 || 2684 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 || 2685 secret_len > DPP_MAX_SHARED_SECRET_LEN || 2686 EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) { 2687 wpa_printf(MSG_ERROR, 2688 "DPP: Failed to derive ECDH shared secret: %s", 2689 ERR_error_string(ERR_get_error(), NULL)); 2690 goto fail; 2691 } 2692 EVP_PKEY_CTX_free(ctx); 2693 ctx = NULL; 2694 2695 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)", 2696 auth->Nx, auth->secret_len); 2697 auth->Nx_len = auth->secret_len; 2698 2699 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2, 2700 auth->curve->hash_len) < 0) 2701 goto fail; 2702 2703 if (auth->own_bi && auth->peer_bi) { 2704 /* Mutual authentication */ 2705 if (dpp_auth_derive_l_responder(auth) < 0) 2706 goto fail; 2707 } 2708 2709 if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0) 2710 goto fail; 2711 2712 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */ 2713 WPA_PUT_LE16(r_auth, DPP_ATTR_R_AUTH_TAG); 2714 WPA_PUT_LE16(&r_auth[2], auth->curve->hash_len); 2715 if (dpp_gen_r_auth(auth, r_auth + 4) < 0) 2716 goto fail; 2717 #ifdef CONFIG_TESTING_OPTIONS 2718 if (dpp_test == DPP_TEST_R_AUTH_MISMATCH_AUTH_RESP) { 2719 wpa_printf(MSG_INFO, "DPP: TESTING - R-auth mismatch"); 2720 r_auth[4 + auth->curve->hash_len / 2] ^= 0x01; 2721 } 2722 #endif /* CONFIG_TESTING_OPTIONS */ 2723 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, 2724 r_auth, 4 + auth->curve->hash_len, 2725 0, NULL, NULL, wrapped_r_auth) < 0) 2726 goto fail; 2727 wrapped_r_auth_len = 4 + auth->curve->hash_len + AES_BLOCK_SIZE; 2728 wpa_hexdump(MSG_DEBUG, "DPP: {R-auth}ke", 2729 wrapped_r_auth, wrapped_r_auth_len); 2730 w_r_auth = wrapped_r_auth; 2731 2732 r_pubkey_hash = auth->own_bi->pubkey_hash; 2733 if (auth->peer_bi) 2734 i_pubkey_hash = auth->peer_bi->pubkey_hash; 2735 else 2736 i_pubkey_hash = NULL; 2737 2738 i_nonce = auth->i_nonce; 2739 r_nonce = auth->r_nonce; 2740 2741 #ifdef CONFIG_TESTING_OPTIONS 2742 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2743 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash"); 2744 r_pubkey_hash = NULL; 2745 } else if (dpp_test == 2746 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2747 wpa_printf(MSG_INFO, 2748 "DPP: TESTING - invalid R-Bootstrap Key Hash"); 2749 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN); 2750 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2751 r_pubkey_hash = test_hash; 2752 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2753 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash"); 2754 i_pubkey_hash = NULL; 2755 } else if (dpp_test == 2756 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2757 wpa_printf(MSG_INFO, 2758 "DPP: TESTING - invalid I-Bootstrap Key Hash"); 2759 if (i_pubkey_hash) 2760 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN); 2761 else 2762 os_memset(test_hash, 0, SHA256_MAC_LEN); 2763 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2764 i_pubkey_hash = test_hash; 2765 } else if (dpp_test == DPP_TEST_NO_R_PROTO_KEY_AUTH_RESP) { 2766 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Proto Key"); 2767 wpabuf_free(pr); 2768 pr = NULL; 2769 } else if (dpp_test == DPP_TEST_INVALID_R_PROTO_KEY_AUTH_RESP) { 2770 wpa_printf(MSG_INFO, "DPP: TESTING - invalid R-Proto Key"); 2771 wpabuf_free(pr); 2772 pr = wpabuf_alloc(2 * auth->curve->prime_len); 2773 if (!pr || dpp_test_gen_invalid_key(pr, auth->curve) < 0) 2774 goto fail; 2775 } else if (dpp_test == DPP_TEST_NO_R_AUTH_AUTH_RESP) { 2776 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth"); 2777 w_r_auth = NULL; 2778 wrapped_r_auth_len = 0; 2779 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) { 2780 wpa_printf(MSG_INFO, "DPP: TESTING - no Status"); 2781 status = 255; 2782 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_RESP) { 2783 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status"); 2784 status = 254; 2785 } else if (dpp_test == DPP_TEST_NO_R_NONCE_AUTH_RESP) { 2786 wpa_printf(MSG_INFO, "DPP: TESTING - no R-nonce"); 2787 r_nonce = NULL; 2788 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) { 2789 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce"); 2790 i_nonce = NULL; 2791 } 2792 #endif /* CONFIG_TESTING_OPTIONS */ 2793 2794 msg = dpp_auth_build_resp(auth, status, pr, nonce_len, 2795 r_pubkey_hash, i_pubkey_hash, 2796 r_nonce, i_nonce, 2797 w_r_auth, wrapped_r_auth_len, 2798 auth->k2); 2799 if (!msg) 2800 goto fail; 2801 wpabuf_free(auth->resp_msg); 2802 auth->resp_msg = msg; 2803 ret = 0; 2804 fail: 2805 wpabuf_free(pr); 2806 return ret; 2807 } 2808 2809 2810 static int dpp_auth_build_resp_status(struct dpp_authentication *auth, 2811 enum dpp_status_error status) 2812 { 2813 struct wpabuf *msg; 2814 const u8 *r_pubkey_hash, *i_pubkey_hash, *i_nonce; 2815 #ifdef CONFIG_TESTING_OPTIONS 2816 u8 test_hash[SHA256_MAC_LEN]; 2817 #endif /* CONFIG_TESTING_OPTIONS */ 2818 2819 if (!auth->own_bi) 2820 return -1; 2821 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response"); 2822 2823 r_pubkey_hash = auth->own_bi->pubkey_hash; 2824 if (auth->peer_bi) 2825 i_pubkey_hash = auth->peer_bi->pubkey_hash; 2826 else 2827 i_pubkey_hash = NULL; 2828 2829 i_nonce = auth->i_nonce; 2830 2831 #ifdef CONFIG_TESTING_OPTIONS 2832 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2833 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash"); 2834 r_pubkey_hash = NULL; 2835 } else if (dpp_test == 2836 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2837 wpa_printf(MSG_INFO, 2838 "DPP: TESTING - invalid R-Bootstrap Key Hash"); 2839 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN); 2840 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2841 r_pubkey_hash = test_hash; 2842 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2843 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash"); 2844 i_pubkey_hash = NULL; 2845 } else if (dpp_test == 2846 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) { 2847 wpa_printf(MSG_INFO, 2848 "DPP: TESTING - invalid I-Bootstrap Key Hash"); 2849 if (i_pubkey_hash) 2850 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN); 2851 else 2852 os_memset(test_hash, 0, SHA256_MAC_LEN); 2853 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 2854 i_pubkey_hash = test_hash; 2855 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) { 2856 wpa_printf(MSG_INFO, "DPP: TESTING - no Status"); 2857 status = 255; 2858 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) { 2859 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce"); 2860 i_nonce = NULL; 2861 } 2862 #endif /* CONFIG_TESTING_OPTIONS */ 2863 2864 msg = dpp_auth_build_resp(auth, status, NULL, auth->curve->nonce_len, 2865 r_pubkey_hash, i_pubkey_hash, 2866 NULL, i_nonce, NULL, 0, auth->k1); 2867 if (!msg) 2868 return -1; 2869 wpabuf_free(auth->resp_msg); 2870 auth->resp_msg = msg; 2871 return 0; 2872 } 2873 2874 2875 struct dpp_authentication * 2876 dpp_auth_req_rx(void *msg_ctx, u8 dpp_allowed_roles, int qr_mutual, 2877 struct dpp_bootstrap_info *peer_bi, 2878 struct dpp_bootstrap_info *own_bi, 2879 unsigned int freq, const u8 *hdr, const u8 *attr_start, 2880 size_t attr_len) 2881 { 2882 EVP_PKEY *pi = NULL; 2883 EVP_PKEY_CTX *ctx = NULL; 2884 size_t secret_len; 2885 const u8 *addr[2]; 2886 size_t len[2]; 2887 u8 *unwrapped = NULL; 2888 size_t unwrapped_len = 0; 2889 const u8 *wrapped_data, *i_proto, *i_nonce, *i_capab, *i_bootstrap, 2890 *channel; 2891 u16 wrapped_data_len, i_proto_len, i_nonce_len, i_capab_len, 2892 i_bootstrap_len, channel_len; 2893 struct dpp_authentication *auth = NULL; 2894 2895 #ifdef CONFIG_TESTING_OPTIONS 2896 if (dpp_test == DPP_TEST_STOP_AT_AUTH_REQ) { 2897 wpa_printf(MSG_INFO, 2898 "DPP: TESTING - stop at Authentication Request"); 2899 return NULL; 2900 } 2901 #endif /* CONFIG_TESTING_OPTIONS */ 2902 2903 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, 2904 &wrapped_data_len); 2905 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 2906 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 2907 "Missing or invalid required Wrapped Data attribute"); 2908 return NULL; 2909 } 2910 wpa_hexdump(MSG_MSGDUMP, "DPP: Wrapped Data", 2911 wrapped_data, wrapped_data_len); 2912 attr_len = wrapped_data - 4 - attr_start; 2913 2914 auth = os_zalloc(sizeof(*auth)); 2915 if (!auth) 2916 goto fail; 2917 auth->msg_ctx = msg_ctx; 2918 auth->peer_bi = peer_bi; 2919 auth->own_bi = own_bi; 2920 auth->curve = own_bi->curve; 2921 auth->curr_freq = freq; 2922 2923 channel = dpp_get_attr(attr_start, attr_len, DPP_ATTR_CHANNEL, 2924 &channel_len); 2925 if (channel) { 2926 int neg_freq; 2927 2928 if (channel_len < 2) { 2929 dpp_auth_fail(auth, "Too short Channel attribute"); 2930 goto fail; 2931 } 2932 2933 neg_freq = ieee80211_chan_to_freq(NULL, channel[0], channel[1]); 2934 wpa_printf(MSG_DEBUG, 2935 "DPP: Initiator requested different channel for negotiation: op_class=%u channel=%u --> freq=%d", 2936 channel[0], channel[1], neg_freq); 2937 if (neg_freq < 0) { 2938 dpp_auth_fail(auth, 2939 "Unsupported Channel attribute value"); 2940 goto fail; 2941 } 2942 2943 if (auth->curr_freq != (unsigned int) neg_freq) { 2944 wpa_printf(MSG_DEBUG, 2945 "DPP: Changing negotiation channel from %u MHz to %u MHz", 2946 freq, neg_freq); 2947 auth->curr_freq = neg_freq; 2948 } 2949 } 2950 2951 i_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_I_PROTOCOL_KEY, 2952 &i_proto_len); 2953 if (!i_proto) { 2954 dpp_auth_fail(auth, 2955 "Missing required Initiator Protocol Key attribute"); 2956 goto fail; 2957 } 2958 wpa_hexdump(MSG_MSGDUMP, "DPP: Initiator Protocol Key", 2959 i_proto, i_proto_len); 2960 2961 /* M = bR * PI */ 2962 pi = dpp_set_pubkey_point(own_bi->pubkey, i_proto, i_proto_len); 2963 if (!pi) { 2964 dpp_auth_fail(auth, "Invalid Initiator Protocol Key"); 2965 goto fail; 2966 } 2967 dpp_debug_print_key("Peer (Initiator) Protocol Key", pi); 2968 2969 ctx = EVP_PKEY_CTX_new(own_bi->pubkey, NULL); 2970 if (!ctx || 2971 EVP_PKEY_derive_init(ctx) != 1 || 2972 EVP_PKEY_derive_set_peer(ctx, pi) != 1 || 2973 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 || 2974 secret_len > DPP_MAX_SHARED_SECRET_LEN || 2975 EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) { 2976 wpa_printf(MSG_ERROR, 2977 "DPP: Failed to derive ECDH shared secret: %s", 2978 ERR_error_string(ERR_get_error(), NULL)); 2979 dpp_auth_fail(auth, "Failed to derive ECDH shared secret"); 2980 goto fail; 2981 } 2982 auth->secret_len = secret_len; 2983 EVP_PKEY_CTX_free(ctx); 2984 ctx = NULL; 2985 2986 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)", 2987 auth->Mx, auth->secret_len); 2988 auth->Mx_len = auth->secret_len; 2989 2990 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1, 2991 auth->curve->hash_len) < 0) 2992 goto fail; 2993 2994 addr[0] = hdr; 2995 len[0] = DPP_HDR_LEN; 2996 addr[1] = attr_start; 2997 len[1] = attr_len; 2998 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 2999 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3000 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3001 wrapped_data, wrapped_data_len); 3002 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 3003 unwrapped = os_malloc(unwrapped_len); 3004 if (!unwrapped) 3005 goto fail; 3006 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len, 3007 wrapped_data, wrapped_data_len, 3008 2, addr, len, unwrapped) < 0) { 3009 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3010 goto fail; 3011 } 3012 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3013 unwrapped, unwrapped_len); 3014 3015 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 3016 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 3017 goto fail; 3018 } 3019 3020 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE, 3021 &i_nonce_len); 3022 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) { 3023 dpp_auth_fail(auth, "Missing or invalid I-nonce"); 3024 goto fail; 3025 } 3026 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len); 3027 os_memcpy(auth->i_nonce, i_nonce, i_nonce_len); 3028 3029 i_capab = dpp_get_attr(unwrapped, unwrapped_len, 3030 DPP_ATTR_I_CAPABILITIES, 3031 &i_capab_len); 3032 if (!i_capab || i_capab_len < 1) { 3033 dpp_auth_fail(auth, "Missing or invalid I-capabilities"); 3034 goto fail; 3035 } 3036 auth->i_capab = i_capab[0]; 3037 wpa_printf(MSG_DEBUG, "DPP: I-capabilities: 0x%02x", auth->i_capab); 3038 3039 bin_clear_free(unwrapped, unwrapped_len); 3040 unwrapped = NULL; 3041 3042 switch (auth->i_capab & DPP_CAPAB_ROLE_MASK) { 3043 case DPP_CAPAB_ENROLLEE: 3044 if (!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)) { 3045 wpa_printf(MSG_DEBUG, 3046 "DPP: Local policy does not allow Configurator role"); 3047 goto not_compatible; 3048 } 3049 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator"); 3050 auth->configurator = 1; 3051 break; 3052 case DPP_CAPAB_CONFIGURATOR: 3053 if (!(dpp_allowed_roles & DPP_CAPAB_ENROLLEE)) { 3054 wpa_printf(MSG_DEBUG, 3055 "DPP: Local policy does not allow Enrollee role"); 3056 goto not_compatible; 3057 } 3058 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee"); 3059 auth->configurator = 0; 3060 break; 3061 case DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE: 3062 if (dpp_allowed_roles & DPP_CAPAB_ENROLLEE) { 3063 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee"); 3064 auth->configurator = 0; 3065 } else if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) { 3066 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator"); 3067 auth->configurator = 1; 3068 } else { 3069 wpa_printf(MSG_DEBUG, 3070 "DPP: Local policy does not allow Configurator/Enrollee role"); 3071 goto not_compatible; 3072 } 3073 break; 3074 default: 3075 wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities"); 3076 wpa_msg(auth->msg_ctx, MSG_INFO, 3077 DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x", 3078 auth->i_capab & DPP_CAPAB_ROLE_MASK); 3079 goto fail; 3080 } 3081 3082 auth->peer_protocol_key = pi; 3083 pi = NULL; 3084 if (qr_mutual && !peer_bi && own_bi->type == DPP_BOOTSTRAP_QR_CODE) { 3085 char hex[SHA256_MAC_LEN * 2 + 1]; 3086 3087 wpa_printf(MSG_DEBUG, 3088 "DPP: Mutual authentication required with QR Codes, but peer info is not yet available - request more time"); 3089 if (dpp_auth_build_resp_status(auth, 3090 DPP_STATUS_RESPONSE_PENDING) < 0) 3091 goto fail; 3092 i_bootstrap = dpp_get_attr(attr_start, attr_len, 3093 DPP_ATTR_I_BOOTSTRAP_KEY_HASH, 3094 &i_bootstrap_len); 3095 if (i_bootstrap && i_bootstrap_len == SHA256_MAC_LEN) { 3096 auth->response_pending = 1; 3097 os_memcpy(auth->waiting_pubkey_hash, 3098 i_bootstrap, i_bootstrap_len); 3099 wpa_snprintf_hex(hex, sizeof(hex), i_bootstrap, 3100 i_bootstrap_len); 3101 } else { 3102 hex[0] = '\0'; 3103 } 3104 3105 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_SCAN_PEER_QR_CODE 3106 "%s", hex); 3107 return auth; 3108 } 3109 if (dpp_auth_build_resp_ok(auth) < 0) 3110 goto fail; 3111 3112 return auth; 3113 3114 not_compatible: 3115 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE 3116 "i-capab=0x%02x", auth->i_capab); 3117 if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) 3118 auth->configurator = 1; 3119 else 3120 auth->configurator = 0; 3121 auth->peer_protocol_key = pi; 3122 pi = NULL; 3123 if (dpp_auth_build_resp_status(auth, DPP_STATUS_NOT_COMPATIBLE) < 0) 3124 goto fail; 3125 3126 auth->remove_on_tx_status = 1; 3127 return auth; 3128 fail: 3129 bin_clear_free(unwrapped, unwrapped_len); 3130 EVP_PKEY_free(pi); 3131 EVP_PKEY_CTX_free(ctx); 3132 dpp_auth_deinit(auth); 3133 return NULL; 3134 } 3135 3136 3137 int dpp_notify_new_qr_code(struct dpp_authentication *auth, 3138 struct dpp_bootstrap_info *peer_bi) 3139 { 3140 if (!auth || !auth->response_pending || 3141 os_memcmp(auth->waiting_pubkey_hash, peer_bi->pubkey_hash, 3142 SHA256_MAC_LEN) != 0) 3143 return 0; 3144 3145 wpa_printf(MSG_DEBUG, 3146 "DPP: New scanned QR Code has matching public key that was needed to continue DPP Authentication exchange with " 3147 MACSTR, MAC2STR(auth->peer_mac_addr)); 3148 auth->peer_bi = peer_bi; 3149 3150 if (dpp_auth_build_resp_ok(auth) < 0) 3151 return -1; 3152 3153 return 1; 3154 } 3155 3156 3157 static struct wpabuf * dpp_auth_build_conf(struct dpp_authentication *auth, 3158 enum dpp_status_error status) 3159 { 3160 struct wpabuf *msg; 3161 u8 i_auth[4 + DPP_MAX_HASH_LEN]; 3162 size_t i_auth_len; 3163 u8 r_nonce[4 + DPP_MAX_NONCE_LEN]; 3164 size_t r_nonce_len; 3165 const u8 *addr[2]; 3166 size_t len[2], attr_len; 3167 u8 *wrapped_i_auth; 3168 u8 *wrapped_r_nonce; 3169 u8 *attr_start, *attr_end; 3170 const u8 *r_pubkey_hash, *i_pubkey_hash; 3171 #ifdef CONFIG_TESTING_OPTIONS 3172 u8 test_hash[SHA256_MAC_LEN]; 3173 #endif /* CONFIG_TESTING_OPTIONS */ 3174 3175 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Confirmation"); 3176 3177 i_auth_len = 4 + auth->curve->hash_len; 3178 r_nonce_len = 4 + auth->curve->nonce_len; 3179 /* Build DPP Authentication Confirmation frame attributes */ 3180 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) + 3181 4 + i_auth_len + r_nonce_len + AES_BLOCK_SIZE; 3182 #ifdef CONFIG_TESTING_OPTIONS 3183 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) 3184 attr_len += 5; 3185 #endif /* CONFIG_TESTING_OPTIONS */ 3186 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_CONF, attr_len); 3187 if (!msg) 3188 goto fail; 3189 3190 attr_start = wpabuf_put(msg, 0); 3191 3192 r_pubkey_hash = auth->peer_bi->pubkey_hash; 3193 if (auth->own_bi) 3194 i_pubkey_hash = auth->own_bi->pubkey_hash; 3195 else 3196 i_pubkey_hash = NULL; 3197 3198 #ifdef CONFIG_TESTING_OPTIONS 3199 if (dpp_test == DPP_TEST_NO_STATUS_AUTH_CONF) { 3200 wpa_printf(MSG_INFO, "DPP: TESTING - no Status"); 3201 goto skip_status; 3202 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_CONF) { 3203 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status"); 3204 status = 254; 3205 } 3206 #endif /* CONFIG_TESTING_OPTIONS */ 3207 3208 /* DPP Status */ 3209 dpp_build_attr_status(msg, status); 3210 3211 #ifdef CONFIG_TESTING_OPTIONS 3212 skip_status: 3213 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) { 3214 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash"); 3215 r_pubkey_hash = NULL; 3216 } else if (dpp_test == 3217 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) { 3218 wpa_printf(MSG_INFO, 3219 "DPP: TESTING - invalid R-Bootstrap Key Hash"); 3220 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN); 3221 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 3222 r_pubkey_hash = test_hash; 3223 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) { 3224 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash"); 3225 i_pubkey_hash = NULL; 3226 } else if (dpp_test == 3227 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) { 3228 wpa_printf(MSG_INFO, 3229 "DPP: TESTING - invalid I-Bootstrap Key Hash"); 3230 if (i_pubkey_hash) 3231 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN); 3232 else 3233 os_memset(test_hash, 0, SHA256_MAC_LEN); 3234 test_hash[SHA256_MAC_LEN - 1] ^= 0x01; 3235 i_pubkey_hash = test_hash; 3236 } 3237 #endif /* CONFIG_TESTING_OPTIONS */ 3238 3239 /* Responder Bootstrapping Key Hash */ 3240 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash); 3241 3242 /* Initiator Bootstrapping Key Hash (mutual authentication) */ 3243 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash); 3244 3245 #ifdef CONFIG_TESTING_OPTIONS 3246 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_CONF) 3247 goto skip_wrapped_data; 3248 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF) 3249 i_auth_len = 0; 3250 #endif /* CONFIG_TESTING_OPTIONS */ 3251 3252 attr_end = wpabuf_put(msg, 0); 3253 3254 /* OUI, OUI type, Crypto Suite, DPP frame type */ 3255 addr[0] = wpabuf_head_u8(msg) + 2; 3256 len[0] = 3 + 1 + 1 + 1; 3257 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 3258 3259 /* Attributes before Wrapped Data */ 3260 addr[1] = attr_start; 3261 len[1] = attr_end - attr_start; 3262 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3263 3264 if (status == DPP_STATUS_OK) { 3265 /* I-auth wrapped with ke */ 3266 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 3267 wpabuf_put_le16(msg, i_auth_len + AES_BLOCK_SIZE); 3268 wrapped_i_auth = wpabuf_put(msg, i_auth_len + AES_BLOCK_SIZE); 3269 3270 #ifdef CONFIG_TESTING_OPTIONS 3271 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF) 3272 goto skip_i_auth; 3273 #endif /* CONFIG_TESTING_OPTIONS */ 3274 3275 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 3276 * 1) */ 3277 WPA_PUT_LE16(i_auth, DPP_ATTR_I_AUTH_TAG); 3278 WPA_PUT_LE16(&i_auth[2], auth->curve->hash_len); 3279 if (dpp_gen_i_auth(auth, i_auth + 4) < 0) 3280 goto fail; 3281 3282 #ifdef CONFIG_TESTING_OPTIONS 3283 if (dpp_test == DPP_TEST_I_AUTH_MISMATCH_AUTH_CONF) { 3284 wpa_printf(MSG_INFO, "DPP: TESTING - I-auth mismatch"); 3285 i_auth[4 + auth->curve->hash_len / 2] ^= 0x01; 3286 } 3287 skip_i_auth: 3288 #endif /* CONFIG_TESTING_OPTIONS */ 3289 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, 3290 i_auth, i_auth_len, 3291 2, addr, len, wrapped_i_auth) < 0) 3292 goto fail; 3293 wpa_hexdump(MSG_DEBUG, "DPP: {I-auth}ke", 3294 wrapped_i_auth, i_auth_len + AES_BLOCK_SIZE); 3295 } else { 3296 /* R-nonce wrapped with k2 */ 3297 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 3298 wpabuf_put_le16(msg, r_nonce_len + AES_BLOCK_SIZE); 3299 wrapped_r_nonce = wpabuf_put(msg, r_nonce_len + AES_BLOCK_SIZE); 3300 3301 WPA_PUT_LE16(r_nonce, DPP_ATTR_R_NONCE); 3302 WPA_PUT_LE16(&r_nonce[2], auth->curve->nonce_len); 3303 os_memcpy(r_nonce + 4, auth->r_nonce, auth->curve->nonce_len); 3304 3305 if (aes_siv_encrypt(auth->k2, auth->curve->hash_len, 3306 r_nonce, r_nonce_len, 3307 2, addr, len, wrapped_r_nonce) < 0) 3308 goto fail; 3309 wpa_hexdump(MSG_DEBUG, "DPP: {R-nonce}k2", 3310 wrapped_r_nonce, r_nonce_len + AES_BLOCK_SIZE); 3311 } 3312 3313 #ifdef CONFIG_TESTING_OPTIONS 3314 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) { 3315 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 3316 dpp_build_attr_status(msg, DPP_STATUS_OK); 3317 } 3318 skip_wrapped_data: 3319 #endif /* CONFIG_TESTING_OPTIONS */ 3320 3321 wpa_hexdump_buf(MSG_DEBUG, 3322 "DPP: Authentication Confirmation frame attributes", 3323 msg); 3324 if (status == DPP_STATUS_OK) 3325 dpp_auth_success(auth); 3326 3327 return msg; 3328 3329 fail: 3330 wpabuf_free(msg); 3331 return NULL; 3332 } 3333 3334 3335 static void 3336 dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr, 3337 const u8 *attr_start, size_t attr_len, 3338 const u8 *wrapped_data, u16 wrapped_data_len, 3339 enum dpp_status_error status) 3340 { 3341 const u8 *addr[2]; 3342 size_t len[2]; 3343 u8 *unwrapped = NULL; 3344 size_t unwrapped_len = 0; 3345 const u8 *i_nonce, *r_capab; 3346 u16 i_nonce_len, r_capab_len; 3347 3348 if (status == DPP_STATUS_NOT_COMPATIBLE) { 3349 wpa_printf(MSG_DEBUG, 3350 "DPP: Responder reported incompatible roles"); 3351 } else if (status == DPP_STATUS_RESPONSE_PENDING) { 3352 wpa_printf(MSG_DEBUG, 3353 "DPP: Responder reported more time needed"); 3354 } else { 3355 wpa_printf(MSG_DEBUG, 3356 "DPP: Responder reported failure (status %d)", 3357 status); 3358 dpp_auth_fail(auth, "Responder reported failure"); 3359 return; 3360 } 3361 3362 addr[0] = hdr; 3363 len[0] = DPP_HDR_LEN; 3364 addr[1] = attr_start; 3365 len[1] = attr_len; 3366 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 3367 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3368 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3369 wrapped_data, wrapped_data_len); 3370 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 3371 unwrapped = os_malloc(unwrapped_len); 3372 if (!unwrapped) 3373 goto fail; 3374 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len, 3375 wrapped_data, wrapped_data_len, 3376 2, addr, len, unwrapped) < 0) { 3377 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3378 goto fail; 3379 } 3380 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3381 unwrapped, unwrapped_len); 3382 3383 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 3384 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 3385 goto fail; 3386 } 3387 3388 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE, 3389 &i_nonce_len); 3390 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) { 3391 dpp_auth_fail(auth, "Missing or invalid I-nonce"); 3392 goto fail; 3393 } 3394 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len); 3395 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) { 3396 dpp_auth_fail(auth, "I-nonce mismatch"); 3397 goto fail; 3398 } 3399 3400 r_capab = dpp_get_attr(unwrapped, unwrapped_len, 3401 DPP_ATTR_R_CAPABILITIES, 3402 &r_capab_len); 3403 if (!r_capab || r_capab_len < 1) { 3404 dpp_auth_fail(auth, "Missing or invalid R-capabilities"); 3405 goto fail; 3406 } 3407 auth->r_capab = r_capab[0]; 3408 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab); 3409 if (status == DPP_STATUS_NOT_COMPATIBLE) { 3410 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE 3411 "r-capab=0x%02x", auth->r_capab); 3412 } else if (status == DPP_STATUS_RESPONSE_PENDING) { 3413 u8 role = auth->r_capab & DPP_CAPAB_ROLE_MASK; 3414 3415 if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) || 3416 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) { 3417 wpa_msg(auth->msg_ctx, MSG_INFO, 3418 DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x", 3419 role); 3420 } else { 3421 wpa_printf(MSG_DEBUG, 3422 "DPP: Continue waiting for full DPP Authentication Response"); 3423 wpa_msg(auth->msg_ctx, MSG_INFO, 3424 DPP_EVENT_RESPONSE_PENDING "%s", 3425 auth->tmp_own_bi ? auth->tmp_own_bi->uri : ""); 3426 } 3427 } 3428 fail: 3429 bin_clear_free(unwrapped, unwrapped_len); 3430 } 3431 3432 3433 struct wpabuf * 3434 dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr, 3435 const u8 *attr_start, size_t attr_len) 3436 { 3437 EVP_PKEY *pr; 3438 EVP_PKEY_CTX *ctx = NULL; 3439 size_t secret_len; 3440 const u8 *addr[2]; 3441 size_t len[2]; 3442 u8 *unwrapped = NULL, *unwrapped2 = NULL; 3443 size_t unwrapped_len = 0, unwrapped2_len = 0; 3444 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *r_proto, 3445 *r_nonce, *i_nonce, *r_capab, *wrapped2, *r_auth; 3446 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len, 3447 r_proto_len, r_nonce_len, i_nonce_len, r_capab_len, 3448 wrapped2_len, r_auth_len; 3449 u8 r_auth2[DPP_MAX_HASH_LEN]; 3450 u8 role; 3451 3452 #ifdef CONFIG_TESTING_OPTIONS 3453 if (dpp_test == DPP_TEST_STOP_AT_AUTH_RESP) { 3454 wpa_printf(MSG_INFO, 3455 "DPP: TESTING - stop at Authentication Response"); 3456 return NULL; 3457 } 3458 #endif /* CONFIG_TESTING_OPTIONS */ 3459 3460 if (!auth->initiator || !auth->peer_bi) { 3461 dpp_auth_fail(auth, "Unexpected Authentication Response"); 3462 return NULL; 3463 } 3464 3465 auth->waiting_auth_resp = 0; 3466 3467 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, 3468 &wrapped_data_len); 3469 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 3470 dpp_auth_fail(auth, 3471 "Missing or invalid required Wrapped Data attribute"); 3472 return NULL; 3473 } 3474 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data", 3475 wrapped_data, wrapped_data_len); 3476 3477 attr_len = wrapped_data - 4 - attr_start; 3478 3479 r_bootstrap = dpp_get_attr(attr_start, attr_len, 3480 DPP_ATTR_R_BOOTSTRAP_KEY_HASH, 3481 &r_bootstrap_len); 3482 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) { 3483 dpp_auth_fail(auth, 3484 "Missing or invalid required Responder Bootstrapping Key Hash attribute"); 3485 return NULL; 3486 } 3487 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash", 3488 r_bootstrap, r_bootstrap_len); 3489 if (os_memcmp(r_bootstrap, auth->peer_bi->pubkey_hash, 3490 SHA256_MAC_LEN) != 0) { 3491 dpp_auth_fail(auth, 3492 "Unexpected Responder Bootstrapping Key Hash value"); 3493 wpa_hexdump(MSG_DEBUG, 3494 "DPP: Expected Responder Bootstrapping Key Hash", 3495 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN); 3496 return NULL; 3497 } 3498 3499 i_bootstrap = dpp_get_attr(attr_start, attr_len, 3500 DPP_ATTR_I_BOOTSTRAP_KEY_HASH, 3501 &i_bootstrap_len); 3502 if (i_bootstrap) { 3503 if (i_bootstrap_len != SHA256_MAC_LEN) { 3504 dpp_auth_fail(auth, 3505 "Invalid Initiator Bootstrapping Key Hash attribute"); 3506 return NULL; 3507 } 3508 wpa_hexdump(MSG_MSGDUMP, 3509 "DPP: Initiator Bootstrapping Key Hash", 3510 i_bootstrap, i_bootstrap_len); 3511 if (!auth->own_bi || 3512 os_memcmp(i_bootstrap, auth->own_bi->pubkey_hash, 3513 SHA256_MAC_LEN) != 0) { 3514 dpp_auth_fail(auth, 3515 "Initiator Bootstrapping Key Hash attribute did not match"); 3516 return NULL; 3517 } 3518 } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) { 3519 /* PKEX bootstrapping mandates use of mutual authentication */ 3520 dpp_auth_fail(auth, 3521 "Missing Initiator Bootstrapping Key Hash attribute"); 3522 return NULL; 3523 } 3524 3525 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS, 3526 &status_len); 3527 if (!status || status_len < 1) { 3528 dpp_auth_fail(auth, 3529 "Missing or invalid required DPP Status attribute"); 3530 return NULL; 3531 } 3532 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]); 3533 auth->auth_resp_status = status[0]; 3534 if (status[0] != DPP_STATUS_OK) { 3535 dpp_auth_resp_rx_status(auth, hdr, attr_start, 3536 attr_len, wrapped_data, 3537 wrapped_data_len, status[0]); 3538 return NULL; 3539 } 3540 3541 if (!i_bootstrap && auth->own_bi) { 3542 wpa_printf(MSG_DEBUG, 3543 "DPP: Responder decided not to use mutual authentication"); 3544 auth->own_bi = NULL; 3545 } 3546 3547 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_DIRECTION "mutual=%d", 3548 auth->own_bi != NULL); 3549 3550 r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY, 3551 &r_proto_len); 3552 if (!r_proto) { 3553 dpp_auth_fail(auth, 3554 "Missing required Responder Protocol Key attribute"); 3555 return NULL; 3556 } 3557 wpa_hexdump(MSG_MSGDUMP, "DPP: Responder Protocol Key", 3558 r_proto, r_proto_len); 3559 3560 /* N = pI * PR */ 3561 pr = dpp_set_pubkey_point(auth->own_protocol_key, r_proto, r_proto_len); 3562 if (!pr) { 3563 dpp_auth_fail(auth, "Invalid Responder Protocol Key"); 3564 return NULL; 3565 } 3566 dpp_debug_print_key("Peer (Responder) Protocol Key", pr); 3567 3568 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL); 3569 if (!ctx || 3570 EVP_PKEY_derive_init(ctx) != 1 || 3571 EVP_PKEY_derive_set_peer(ctx, pr) != 1 || 3572 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 || 3573 secret_len > DPP_MAX_SHARED_SECRET_LEN || 3574 EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) { 3575 wpa_printf(MSG_ERROR, 3576 "DPP: Failed to derive ECDH shared secret: %s", 3577 ERR_error_string(ERR_get_error(), NULL)); 3578 dpp_auth_fail(auth, "Failed to derive ECDH shared secret"); 3579 goto fail; 3580 } 3581 EVP_PKEY_CTX_free(ctx); 3582 ctx = NULL; 3583 auth->peer_protocol_key = pr; 3584 pr = NULL; 3585 3586 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)", 3587 auth->Nx, auth->secret_len); 3588 auth->Nx_len = auth->secret_len; 3589 3590 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2, 3591 auth->curve->hash_len) < 0) 3592 goto fail; 3593 3594 addr[0] = hdr; 3595 len[0] = DPP_HDR_LEN; 3596 addr[1] = attr_start; 3597 len[1] = attr_len; 3598 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 3599 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3600 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3601 wrapped_data, wrapped_data_len); 3602 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 3603 unwrapped = os_malloc(unwrapped_len); 3604 if (!unwrapped) 3605 goto fail; 3606 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len, 3607 wrapped_data, wrapped_data_len, 3608 2, addr, len, unwrapped) < 0) { 3609 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3610 goto fail; 3611 } 3612 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3613 unwrapped, unwrapped_len); 3614 3615 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 3616 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 3617 goto fail; 3618 } 3619 3620 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE, 3621 &r_nonce_len); 3622 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) { 3623 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce"); 3624 goto fail; 3625 } 3626 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", r_nonce, r_nonce_len); 3627 os_memcpy(auth->r_nonce, r_nonce, r_nonce_len); 3628 3629 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE, 3630 &i_nonce_len); 3631 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) { 3632 dpp_auth_fail(auth, "Missing or invalid I-nonce"); 3633 goto fail; 3634 } 3635 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len); 3636 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) { 3637 dpp_auth_fail(auth, "I-nonce mismatch"); 3638 goto fail; 3639 } 3640 3641 if (auth->own_bi) { 3642 /* Mutual authentication */ 3643 if (dpp_auth_derive_l_initiator(auth) < 0) 3644 goto fail; 3645 } 3646 3647 r_capab = dpp_get_attr(unwrapped, unwrapped_len, 3648 DPP_ATTR_R_CAPABILITIES, 3649 &r_capab_len); 3650 if (!r_capab || r_capab_len < 1) { 3651 dpp_auth_fail(auth, "Missing or invalid R-capabilities"); 3652 goto fail; 3653 } 3654 auth->r_capab = r_capab[0]; 3655 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab); 3656 role = auth->r_capab & DPP_CAPAB_ROLE_MASK; 3657 if ((auth->allowed_roles == 3658 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) && 3659 (role == DPP_CAPAB_CONFIGURATOR || role == DPP_CAPAB_ENROLLEE)) { 3660 /* Peer selected its role, so move from "either role" to the 3661 * role that is compatible with peer's selection. */ 3662 auth->configurator = role == DPP_CAPAB_ENROLLEE; 3663 wpa_printf(MSG_DEBUG, "DPP: Acting as %s", 3664 auth->configurator ? "Configurator" : "Enrollee"); 3665 } else if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) || 3666 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) { 3667 wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection"); 3668 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL 3669 "Unexpected role in R-capabilities 0x%02x", 3670 role); 3671 if (role != DPP_CAPAB_ENROLLEE && 3672 role != DPP_CAPAB_CONFIGURATOR) 3673 goto fail; 3674 bin_clear_free(unwrapped, unwrapped_len); 3675 auth->remove_on_tx_status = 1; 3676 return dpp_auth_build_conf(auth, DPP_STATUS_NOT_COMPATIBLE); 3677 } 3678 3679 wrapped2 = dpp_get_attr(unwrapped, unwrapped_len, 3680 DPP_ATTR_WRAPPED_DATA, &wrapped2_len); 3681 if (!wrapped2 || wrapped2_len < AES_BLOCK_SIZE) { 3682 dpp_auth_fail(auth, 3683 "Missing or invalid Secondary Wrapped Data"); 3684 goto fail; 3685 } 3686 3687 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3688 wrapped2, wrapped2_len); 3689 3690 if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0) 3691 goto fail; 3692 3693 unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE; 3694 unwrapped2 = os_malloc(unwrapped2_len); 3695 if (!unwrapped2) 3696 goto fail; 3697 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, 3698 wrapped2, wrapped2_len, 3699 0, NULL, NULL, unwrapped2) < 0) { 3700 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3701 goto fail; 3702 } 3703 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3704 unwrapped2, unwrapped2_len); 3705 3706 if (dpp_check_attrs(unwrapped2, unwrapped2_len) < 0) { 3707 dpp_auth_fail(auth, 3708 "Invalid attribute in secondary unwrapped data"); 3709 goto fail; 3710 } 3711 3712 r_auth = dpp_get_attr(unwrapped2, unwrapped2_len, DPP_ATTR_R_AUTH_TAG, 3713 &r_auth_len); 3714 if (!r_auth || r_auth_len != auth->curve->hash_len) { 3715 dpp_auth_fail(auth, 3716 "Missing or invalid Responder Authenticating Tag"); 3717 goto fail; 3718 } 3719 wpa_hexdump(MSG_DEBUG, "DPP: Received Responder Authenticating Tag", 3720 r_auth, r_auth_len); 3721 /* R-auth' = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */ 3722 if (dpp_gen_r_auth(auth, r_auth2) < 0) 3723 goto fail; 3724 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Responder Authenticating Tag", 3725 r_auth2, r_auth_len); 3726 if (os_memcmp(r_auth, r_auth2, r_auth_len) != 0) { 3727 dpp_auth_fail(auth, "Mismatching Responder Authenticating Tag"); 3728 bin_clear_free(unwrapped, unwrapped_len); 3729 bin_clear_free(unwrapped2, unwrapped2_len); 3730 auth->remove_on_tx_status = 1; 3731 return dpp_auth_build_conf(auth, DPP_STATUS_AUTH_FAILURE); 3732 } 3733 3734 bin_clear_free(unwrapped, unwrapped_len); 3735 bin_clear_free(unwrapped2, unwrapped2_len); 3736 3737 #ifdef CONFIG_TESTING_OPTIONS 3738 if (dpp_test == DPP_TEST_AUTH_RESP_IN_PLACE_OF_CONF) { 3739 wpa_printf(MSG_INFO, 3740 "DPP: TESTING - Authentication Response in place of Confirm"); 3741 if (dpp_auth_build_resp_ok(auth) < 0) 3742 return NULL; 3743 return wpabuf_dup(auth->resp_msg); 3744 } 3745 #endif /* CONFIG_TESTING_OPTIONS */ 3746 3747 return dpp_auth_build_conf(auth, DPP_STATUS_OK); 3748 3749 fail: 3750 bin_clear_free(unwrapped, unwrapped_len); 3751 bin_clear_free(unwrapped2, unwrapped2_len); 3752 EVP_PKEY_free(pr); 3753 EVP_PKEY_CTX_free(ctx); 3754 return NULL; 3755 } 3756 3757 3758 static int dpp_auth_conf_rx_failure(struct dpp_authentication *auth, 3759 const u8 *hdr, 3760 const u8 *attr_start, size_t attr_len, 3761 const u8 *wrapped_data, 3762 u16 wrapped_data_len, 3763 enum dpp_status_error status) 3764 { 3765 const u8 *addr[2]; 3766 size_t len[2]; 3767 u8 *unwrapped = NULL; 3768 size_t unwrapped_len = 0; 3769 const u8 *r_nonce; 3770 u16 r_nonce_len; 3771 3772 /* Authentication Confirm failure cases are expected to include 3773 * {R-nonce}k2 in the Wrapped Data attribute. */ 3774 3775 addr[0] = hdr; 3776 len[0] = DPP_HDR_LEN; 3777 addr[1] = attr_start; 3778 len[1] = attr_len; 3779 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 3780 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3781 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3782 wrapped_data, wrapped_data_len); 3783 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 3784 unwrapped = os_malloc(unwrapped_len); 3785 if (!unwrapped) { 3786 dpp_auth_fail(auth, "Authentication failed"); 3787 goto fail; 3788 } 3789 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len, 3790 wrapped_data, wrapped_data_len, 3791 2, addr, len, unwrapped) < 0) { 3792 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3793 goto fail; 3794 } 3795 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3796 unwrapped, unwrapped_len); 3797 3798 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 3799 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 3800 goto fail; 3801 } 3802 3803 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE, 3804 &r_nonce_len); 3805 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) { 3806 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce"); 3807 goto fail; 3808 } 3809 if (os_memcmp(r_nonce, auth->r_nonce, r_nonce_len) != 0) { 3810 wpa_hexdump(MSG_DEBUG, "DPP: Received R-nonce", 3811 r_nonce, r_nonce_len); 3812 wpa_hexdump(MSG_DEBUG, "DPP: Expected R-nonce", 3813 auth->r_nonce, r_nonce_len); 3814 dpp_auth_fail(auth, "R-nonce mismatch"); 3815 goto fail; 3816 } 3817 3818 if (status == DPP_STATUS_NOT_COMPATIBLE) 3819 dpp_auth_fail(auth, "Peer reported incompatible R-capab role"); 3820 else if (status == DPP_STATUS_AUTH_FAILURE) 3821 dpp_auth_fail(auth, "Peer reported authentication failure)"); 3822 3823 fail: 3824 bin_clear_free(unwrapped, unwrapped_len); 3825 return -1; 3826 } 3827 3828 3829 int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr, 3830 const u8 *attr_start, size_t attr_len) 3831 { 3832 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *i_auth; 3833 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len, 3834 i_auth_len; 3835 const u8 *addr[2]; 3836 size_t len[2]; 3837 u8 *unwrapped = NULL; 3838 size_t unwrapped_len = 0; 3839 u8 i_auth2[DPP_MAX_HASH_LEN]; 3840 3841 #ifdef CONFIG_TESTING_OPTIONS 3842 if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) { 3843 wpa_printf(MSG_INFO, 3844 "DPP: TESTING - stop at Authentication Confirm"); 3845 return -1; 3846 } 3847 #endif /* CONFIG_TESTING_OPTIONS */ 3848 3849 if (auth->initiator || !auth->own_bi) { 3850 dpp_auth_fail(auth, "Unexpected Authentication Confirm"); 3851 return -1; 3852 } 3853 3854 auth->waiting_auth_conf = 0; 3855 3856 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, 3857 &wrapped_data_len); 3858 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 3859 dpp_auth_fail(auth, 3860 "Missing or invalid required Wrapped Data attribute"); 3861 return -1; 3862 } 3863 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data", 3864 wrapped_data, wrapped_data_len); 3865 3866 attr_len = wrapped_data - 4 - attr_start; 3867 3868 r_bootstrap = dpp_get_attr(attr_start, attr_len, 3869 DPP_ATTR_R_BOOTSTRAP_KEY_HASH, 3870 &r_bootstrap_len); 3871 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) { 3872 dpp_auth_fail(auth, 3873 "Missing or invalid required Responder Bootstrapping Key Hash attribute"); 3874 return -1; 3875 } 3876 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash", 3877 r_bootstrap, r_bootstrap_len); 3878 if (os_memcmp(r_bootstrap, auth->own_bi->pubkey_hash, 3879 SHA256_MAC_LEN) != 0) { 3880 wpa_hexdump(MSG_DEBUG, 3881 "DPP: Expected Responder Bootstrapping Key Hash", 3882 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN); 3883 dpp_auth_fail(auth, 3884 "Responder Bootstrapping Key Hash mismatch"); 3885 return -1; 3886 } 3887 3888 i_bootstrap = dpp_get_attr(attr_start, attr_len, 3889 DPP_ATTR_I_BOOTSTRAP_KEY_HASH, 3890 &i_bootstrap_len); 3891 if (i_bootstrap) { 3892 if (i_bootstrap_len != SHA256_MAC_LEN) { 3893 dpp_auth_fail(auth, 3894 "Invalid Initiator Bootstrapping Key Hash attribute"); 3895 return -1; 3896 } 3897 wpa_hexdump(MSG_MSGDUMP, 3898 "DPP: Initiator Bootstrapping Key Hash", 3899 i_bootstrap, i_bootstrap_len); 3900 if (!auth->peer_bi || 3901 os_memcmp(i_bootstrap, auth->peer_bi->pubkey_hash, 3902 SHA256_MAC_LEN) != 0) { 3903 dpp_auth_fail(auth, 3904 "Initiator Bootstrapping Key Hash mismatch"); 3905 return -1; 3906 } 3907 } else if (auth->peer_bi) { 3908 /* Mutual authentication and peer did not include its 3909 * Bootstrapping Key Hash attribute. */ 3910 dpp_auth_fail(auth, 3911 "Missing Initiator Bootstrapping Key Hash attribute"); 3912 return -1; 3913 } 3914 3915 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS, 3916 &status_len); 3917 if (!status || status_len < 1) { 3918 dpp_auth_fail(auth, 3919 "Missing or invalid required DPP Status attribute"); 3920 return -1; 3921 } 3922 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]); 3923 if (status[0] == DPP_STATUS_NOT_COMPATIBLE || 3924 status[0] == DPP_STATUS_AUTH_FAILURE) 3925 return dpp_auth_conf_rx_failure(auth, hdr, attr_start, 3926 attr_len, wrapped_data, 3927 wrapped_data_len, status[0]); 3928 3929 if (status[0] != DPP_STATUS_OK) { 3930 dpp_auth_fail(auth, "Authentication failed"); 3931 return -1; 3932 } 3933 3934 addr[0] = hdr; 3935 len[0] = DPP_HDR_LEN; 3936 addr[1] = attr_start; 3937 len[1] = attr_len; 3938 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 3939 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 3940 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 3941 wrapped_data, wrapped_data_len); 3942 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 3943 unwrapped = os_malloc(unwrapped_len); 3944 if (!unwrapped) 3945 return -1; 3946 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, 3947 wrapped_data, wrapped_data_len, 3948 2, addr, len, unwrapped) < 0) { 3949 dpp_auth_fail(auth, "AES-SIV decryption failed"); 3950 goto fail; 3951 } 3952 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 3953 unwrapped, unwrapped_len); 3954 3955 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 3956 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 3957 goto fail; 3958 } 3959 3960 i_auth = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG, 3961 &i_auth_len); 3962 if (!i_auth || i_auth_len != auth->curve->hash_len) { 3963 dpp_auth_fail(auth, 3964 "Missing or invalid Initiator Authenticating Tag"); 3965 goto fail; 3966 } 3967 wpa_hexdump(MSG_DEBUG, "DPP: Received Initiator Authenticating Tag", 3968 i_auth, i_auth_len); 3969 /* I-auth' = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */ 3970 if (dpp_gen_i_auth(auth, i_auth2) < 0) 3971 goto fail; 3972 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Initiator Authenticating Tag", 3973 i_auth2, i_auth_len); 3974 if (os_memcmp(i_auth, i_auth2, i_auth_len) != 0) { 3975 dpp_auth_fail(auth, "Mismatching Initiator Authenticating Tag"); 3976 goto fail; 3977 } 3978 3979 bin_clear_free(unwrapped, unwrapped_len); 3980 dpp_auth_success(auth); 3981 return 0; 3982 fail: 3983 bin_clear_free(unwrapped, unwrapped_len); 3984 return -1; 3985 } 3986 3987 3988 void dpp_configuration_free(struct dpp_configuration *conf) 3989 { 3990 if (!conf) 3991 return; 3992 str_clear_free(conf->passphrase); 3993 os_free(conf->group_id); 3994 bin_clear_free(conf, sizeof(*conf)); 3995 } 3996 3997 3998 void dpp_auth_deinit(struct dpp_authentication *auth) 3999 { 4000 if (!auth) 4001 return; 4002 dpp_configuration_free(auth->conf_ap); 4003 dpp_configuration_free(auth->conf_sta); 4004 EVP_PKEY_free(auth->own_protocol_key); 4005 EVP_PKEY_free(auth->peer_protocol_key); 4006 wpabuf_free(auth->req_msg); 4007 wpabuf_free(auth->resp_msg); 4008 wpabuf_free(auth->conf_req); 4009 os_free(auth->connector); 4010 wpabuf_free(auth->net_access_key); 4011 wpabuf_free(auth->c_sign_key); 4012 dpp_bootstrap_info_free(auth->tmp_own_bi); 4013 #ifdef CONFIG_TESTING_OPTIONS 4014 os_free(auth->config_obj_override); 4015 os_free(auth->discovery_override); 4016 os_free(auth->groups_override); 4017 #endif /* CONFIG_TESTING_OPTIONS */ 4018 bin_clear_free(auth, sizeof(*auth)); 4019 } 4020 4021 4022 static struct wpabuf * 4023 dpp_build_conf_start(struct dpp_authentication *auth, 4024 struct dpp_configuration *conf, size_t tailroom) 4025 { 4026 struct wpabuf *buf; 4027 char ssid[6 * sizeof(conf->ssid) + 1]; 4028 4029 #ifdef CONFIG_TESTING_OPTIONS 4030 if (auth->discovery_override) 4031 tailroom += os_strlen(auth->discovery_override); 4032 #endif /* CONFIG_TESTING_OPTIONS */ 4033 4034 buf = wpabuf_alloc(200 + tailroom); 4035 if (!buf) 4036 return NULL; 4037 wpabuf_put_str(buf, "{\"wi-fi_tech\":\"infra\",\"discovery\":"); 4038 #ifdef CONFIG_TESTING_OPTIONS 4039 if (auth->discovery_override) { 4040 wpa_printf(MSG_DEBUG, "DPP: TESTING - discovery override: '%s'", 4041 auth->discovery_override); 4042 wpabuf_put_str(buf, auth->discovery_override); 4043 wpabuf_put_u8(buf, ','); 4044 return buf; 4045 } 4046 #endif /* CONFIG_TESTING_OPTIONS */ 4047 wpabuf_put_str(buf, "{\"ssid\":\""); 4048 json_escape_string(ssid, sizeof(ssid), 4049 (const char *) conf->ssid, conf->ssid_len); 4050 wpabuf_put_str(buf, ssid); 4051 wpabuf_put_str(buf, "\"},"); 4052 4053 return buf; 4054 } 4055 4056 4057 static int dpp_build_jwk(struct wpabuf *buf, const char *name, EVP_PKEY *key, 4058 const char *kid, const struct dpp_curve_params *curve) 4059 { 4060 struct wpabuf *pub; 4061 const u8 *pos; 4062 char *x = NULL, *y = NULL; 4063 int ret = -1; 4064 4065 pub = dpp_get_pubkey_point(key, 0); 4066 if (!pub) 4067 goto fail; 4068 pos = wpabuf_head(pub); 4069 x = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0); 4070 pos += curve->prime_len; 4071 y = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0); 4072 if (!x || !y) 4073 goto fail; 4074 4075 wpabuf_put_str(buf, "\""); 4076 wpabuf_put_str(buf, name); 4077 wpabuf_put_str(buf, "\":{\"kty\":\"EC\",\"crv\":\""); 4078 wpabuf_put_str(buf, curve->jwk_crv); 4079 wpabuf_put_str(buf, "\",\"x\":\""); 4080 wpabuf_put_str(buf, x); 4081 wpabuf_put_str(buf, "\",\"y\":\""); 4082 wpabuf_put_str(buf, y); 4083 if (kid) { 4084 wpabuf_put_str(buf, "\",\"kid\":\""); 4085 wpabuf_put_str(buf, kid); 4086 } 4087 wpabuf_put_str(buf, "\"}"); 4088 ret = 0; 4089 fail: 4090 wpabuf_free(pub); 4091 os_free(x); 4092 os_free(y); 4093 return ret; 4094 } 4095 4096 4097 static struct wpabuf * 4098 dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap, 4099 struct dpp_configuration *conf) 4100 { 4101 struct wpabuf *buf = NULL; 4102 char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL; 4103 size_t tailroom; 4104 const struct dpp_curve_params *curve; 4105 char jws_prot_hdr[100]; 4106 size_t signed1_len, signed2_len, signed3_len; 4107 struct wpabuf *dppcon = NULL; 4108 unsigned char *signature = NULL; 4109 const unsigned char *p; 4110 size_t signature_len; 4111 EVP_MD_CTX *md_ctx = NULL; 4112 ECDSA_SIG *sig = NULL; 4113 char *dot = "."; 4114 const EVP_MD *sign_md; 4115 const BIGNUM *r, *s; 4116 size_t extra_len = 1000; 4117 4118 if (!auth->conf) { 4119 wpa_printf(MSG_INFO, 4120 "DPP: No configurator specified - cannot generate DPP config object"); 4121 goto fail; 4122 } 4123 curve = auth->conf->curve; 4124 if (curve->hash_len == SHA256_MAC_LEN) { 4125 sign_md = EVP_sha256(); 4126 } else if (curve->hash_len == SHA384_MAC_LEN) { 4127 sign_md = EVP_sha384(); 4128 } else if (curve->hash_len == SHA512_MAC_LEN) { 4129 sign_md = EVP_sha512(); 4130 } else { 4131 wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm"); 4132 goto fail; 4133 } 4134 4135 #ifdef CONFIG_TESTING_OPTIONS 4136 if (auth->groups_override) 4137 extra_len += os_strlen(auth->groups_override); 4138 #endif /* CONFIG_TESTING_OPTIONS */ 4139 4140 if (conf->group_id) 4141 extra_len += os_strlen(conf->group_id); 4142 4143 /* Connector (JSON dppCon object) */ 4144 dppcon = wpabuf_alloc(extra_len + 2 * auth->curve->prime_len * 4 / 3); 4145 if (!dppcon) 4146 goto fail; 4147 #ifdef CONFIG_TESTING_OPTIONS 4148 if (auth->groups_override) { 4149 wpabuf_put_u8(dppcon, '{'); 4150 if (auth->groups_override) { 4151 wpa_printf(MSG_DEBUG, 4152 "DPP: TESTING - groups override: '%s'", 4153 auth->groups_override); 4154 wpabuf_put_str(dppcon, "\"groups\":"); 4155 wpabuf_put_str(dppcon, auth->groups_override); 4156 wpabuf_put_u8(dppcon, ','); 4157 } 4158 goto skip_groups; 4159 } 4160 #endif /* CONFIG_TESTING_OPTIONS */ 4161 wpabuf_printf(dppcon, "{\"groups\":[{\"groupId\":\"%s\",", 4162 conf->group_id ? conf->group_id : "*"); 4163 wpabuf_printf(dppcon, "\"netRole\":\"%s\"}],", ap ? "ap" : "sta"); 4164 #ifdef CONFIG_TESTING_OPTIONS 4165 skip_groups: 4166 #endif /* CONFIG_TESTING_OPTIONS */ 4167 if (dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL, 4168 auth->curve) < 0) { 4169 wpa_printf(MSG_DEBUG, "DPP: Failed to build netAccessKey JWK"); 4170 goto fail; 4171 } 4172 if (conf->netaccesskey_expiry) { 4173 struct os_tm tm; 4174 4175 if (os_gmtime(conf->netaccesskey_expiry, &tm) < 0) { 4176 wpa_printf(MSG_DEBUG, 4177 "DPP: Failed to generate expiry string"); 4178 goto fail; 4179 } 4180 wpabuf_printf(dppcon, 4181 ",\"expiry\":\"%04u-%02u-%02uT%02u:%02u:%02uZ\"", 4182 tm.year, tm.month, tm.day, 4183 tm.hour, tm.min, tm.sec); 4184 } 4185 wpabuf_put_u8(dppcon, '}'); 4186 wpa_printf(MSG_DEBUG, "DPP: dppCon: %s", 4187 (const char *) wpabuf_head(dppcon)); 4188 4189 os_snprintf(jws_prot_hdr, sizeof(jws_prot_hdr), 4190 "{\"typ\":\"dppCon\",\"kid\":\"%s\",\"alg\":\"%s\"}", 4191 auth->conf->kid, curve->jws_alg); 4192 signed1 = (char *) base64_url_encode((unsigned char *) jws_prot_hdr, 4193 os_strlen(jws_prot_hdr), 4194 &signed1_len, 0); 4195 signed2 = (char *) base64_url_encode(wpabuf_head(dppcon), 4196 wpabuf_len(dppcon), 4197 &signed2_len, 0); 4198 if (!signed1 || !signed2) 4199 goto fail; 4200 4201 md_ctx = EVP_MD_CTX_create(); 4202 if (!md_ctx) 4203 goto fail; 4204 4205 ERR_clear_error(); 4206 if (EVP_DigestSignInit(md_ctx, NULL, sign_md, NULL, 4207 auth->conf->csign) != 1) { 4208 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignInit failed: %s", 4209 ERR_error_string(ERR_get_error(), NULL)); 4210 goto fail; 4211 } 4212 if (EVP_DigestSignUpdate(md_ctx, signed1, signed1_len) != 1 || 4213 EVP_DigestSignUpdate(md_ctx, dot, 1) != 1 || 4214 EVP_DigestSignUpdate(md_ctx, signed2, signed2_len) != 1) { 4215 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignUpdate failed: %s", 4216 ERR_error_string(ERR_get_error(), NULL)); 4217 goto fail; 4218 } 4219 if (EVP_DigestSignFinal(md_ctx, NULL, &signature_len) != 1) { 4220 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s", 4221 ERR_error_string(ERR_get_error(), NULL)); 4222 goto fail; 4223 } 4224 signature = os_malloc(signature_len); 4225 if (!signature) 4226 goto fail; 4227 if (EVP_DigestSignFinal(md_ctx, signature, &signature_len) != 1) { 4228 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s", 4229 ERR_error_string(ERR_get_error(), NULL)); 4230 goto fail; 4231 } 4232 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (DER)", 4233 signature, signature_len); 4234 /* Convert to raw coordinates r,s */ 4235 p = signature; 4236 sig = d2i_ECDSA_SIG(NULL, &p, signature_len); 4237 if (!sig) 4238 goto fail; 4239 ECDSA_SIG_get0(sig, &r, &s); 4240 if (dpp_bn2bin_pad(r, signature, curve->prime_len) < 0 || 4241 dpp_bn2bin_pad(s, signature + curve->prime_len, 4242 curve->prime_len) < 0) 4243 goto fail; 4244 signature_len = 2 * curve->prime_len; 4245 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)", 4246 signature, signature_len); 4247 signed3 = (char *) base64_url_encode(signature, signature_len, 4248 &signed3_len, 0); 4249 if (!signed3) 4250 goto fail; 4251 4252 tailroom = 1000; 4253 tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid); 4254 tailroom += signed1_len + signed2_len + signed3_len; 4255 buf = dpp_build_conf_start(auth, conf, tailroom); 4256 if (!buf) 4257 goto fail; 4258 4259 wpabuf_put_str(buf, "\"cred\":{\"akm\":\"dpp\",\"signedConnector\":\""); 4260 wpabuf_put_str(buf, signed1); 4261 wpabuf_put_u8(buf, '.'); 4262 wpabuf_put_str(buf, signed2); 4263 wpabuf_put_u8(buf, '.'); 4264 wpabuf_put_str(buf, signed3); 4265 wpabuf_put_str(buf, "\","); 4266 if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid, 4267 curve) < 0) { 4268 wpa_printf(MSG_DEBUG, "DPP: Failed to build csign JWK"); 4269 goto fail; 4270 } 4271 4272 wpabuf_put_str(buf, "}}"); 4273 4274 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object", 4275 wpabuf_head(buf), wpabuf_len(buf)); 4276 4277 out: 4278 EVP_MD_CTX_destroy(md_ctx); 4279 ECDSA_SIG_free(sig); 4280 os_free(signed1); 4281 os_free(signed2); 4282 os_free(signed3); 4283 os_free(signature); 4284 wpabuf_free(dppcon); 4285 return buf; 4286 fail: 4287 wpa_printf(MSG_DEBUG, "DPP: Failed to build configuration object"); 4288 wpabuf_free(buf); 4289 buf = NULL; 4290 goto out; 4291 } 4292 4293 4294 static struct wpabuf * 4295 dpp_build_conf_obj_legacy(struct dpp_authentication *auth, int ap, 4296 struct dpp_configuration *conf) 4297 { 4298 struct wpabuf *buf; 4299 4300 buf = dpp_build_conf_start(auth, conf, 1000); 4301 if (!buf) 4302 return NULL; 4303 4304 wpabuf_printf(buf, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(conf->akm)); 4305 if (conf->passphrase) { 4306 char pass[63 * 6 + 1]; 4307 4308 if (os_strlen(conf->passphrase) > 63) { 4309 wpabuf_free(buf); 4310 return NULL; 4311 } 4312 4313 json_escape_string(pass, sizeof(pass), conf->passphrase, 4314 os_strlen(conf->passphrase)); 4315 wpabuf_put_str(buf, "\"pass\":\""); 4316 wpabuf_put_str(buf, pass); 4317 wpabuf_put_str(buf, "\""); 4318 } else { 4319 char psk[2 * sizeof(conf->psk) + 1]; 4320 4321 wpa_snprintf_hex(psk, sizeof(psk), 4322 conf->psk, sizeof(conf->psk)); 4323 wpabuf_put_str(buf, "\"psk_hex\":\""); 4324 wpabuf_put_str(buf, psk); 4325 wpabuf_put_str(buf, "\""); 4326 } 4327 wpabuf_put_str(buf, "}}"); 4328 4329 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object (legacy)", 4330 wpabuf_head(buf), wpabuf_len(buf)); 4331 4332 return buf; 4333 } 4334 4335 4336 static struct wpabuf * 4337 dpp_build_conf_obj(struct dpp_authentication *auth, int ap) 4338 { 4339 struct dpp_configuration *conf; 4340 4341 #ifdef CONFIG_TESTING_OPTIONS 4342 if (auth->config_obj_override) { 4343 wpa_printf(MSG_DEBUG, "DPP: Testing - Config Object override"); 4344 return wpabuf_alloc_copy(auth->config_obj_override, 4345 os_strlen(auth->config_obj_override)); 4346 } 4347 #endif /* CONFIG_TESTING_OPTIONS */ 4348 4349 conf = ap ? auth->conf_ap : auth->conf_sta; 4350 if (!conf) { 4351 wpa_printf(MSG_DEBUG, 4352 "DPP: No configuration available for Enrollee(%s) - reject configuration request", 4353 ap ? "ap" : "sta"); 4354 return NULL; 4355 } 4356 4357 if (conf->akm == DPP_AKM_DPP) 4358 return dpp_build_conf_obj_dpp(auth, ap, conf); 4359 return dpp_build_conf_obj_legacy(auth, ap, conf); 4360 } 4361 4362 4363 static struct wpabuf * 4364 dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce, 4365 u16 e_nonce_len, int ap) 4366 { 4367 struct wpabuf *conf; 4368 size_t clear_len, attr_len; 4369 struct wpabuf *clear = NULL, *msg = NULL; 4370 u8 *wrapped; 4371 const u8 *addr[1]; 4372 size_t len[1]; 4373 enum dpp_status_error status; 4374 4375 conf = dpp_build_conf_obj(auth, ap); 4376 if (conf) { 4377 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON", 4378 wpabuf_head(conf), wpabuf_len(conf)); 4379 } 4380 status = conf ? DPP_STATUS_OK : DPP_STATUS_CONFIGURE_FAILURE; 4381 4382 /* { E-nonce, configurationObject}ke */ 4383 clear_len = 4 + e_nonce_len; 4384 if (conf) 4385 clear_len += 4 + wpabuf_len(conf); 4386 clear = wpabuf_alloc(clear_len); 4387 attr_len = 4 + 1 + 4 + clear_len + AES_BLOCK_SIZE; 4388 #ifdef CONFIG_TESTING_OPTIONS 4389 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP) 4390 attr_len += 5; 4391 #endif /* CONFIG_TESTING_OPTIONS */ 4392 msg = wpabuf_alloc(attr_len); 4393 if (!clear || !msg) 4394 goto fail; 4395 4396 #ifdef CONFIG_TESTING_OPTIONS 4397 if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_RESP) { 4398 wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce"); 4399 goto skip_e_nonce; 4400 } 4401 if (dpp_test == DPP_TEST_E_NONCE_MISMATCH_CONF_RESP) { 4402 wpa_printf(MSG_INFO, "DPP: TESTING - E-nonce mismatch"); 4403 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE); 4404 wpabuf_put_le16(clear, e_nonce_len); 4405 wpabuf_put_data(clear, e_nonce, e_nonce_len - 1); 4406 wpabuf_put_u8(clear, e_nonce[e_nonce_len - 1] ^ 0x01); 4407 goto skip_e_nonce; 4408 } 4409 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_RESP) { 4410 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 4411 goto skip_wrapped_data; 4412 } 4413 #endif /* CONFIG_TESTING_OPTIONS */ 4414 4415 /* E-nonce */ 4416 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE); 4417 wpabuf_put_le16(clear, e_nonce_len); 4418 wpabuf_put_data(clear, e_nonce, e_nonce_len); 4419 4420 #ifdef CONFIG_TESTING_OPTIONS 4421 skip_e_nonce: 4422 if (dpp_test == DPP_TEST_NO_CONFIG_OBJ_CONF_RESP) { 4423 wpa_printf(MSG_INFO, "DPP: TESTING - Config Object"); 4424 goto skip_config_obj; 4425 } 4426 #endif /* CONFIG_TESTING_OPTIONS */ 4427 4428 if (conf) { 4429 wpabuf_put_le16(clear, DPP_ATTR_CONFIG_OBJ); 4430 wpabuf_put_le16(clear, wpabuf_len(conf)); 4431 wpabuf_put_buf(clear, conf); 4432 } 4433 4434 #ifdef CONFIG_TESTING_OPTIONS 4435 skip_config_obj: 4436 if (dpp_test == DPP_TEST_NO_STATUS_CONF_RESP) { 4437 wpa_printf(MSG_INFO, "DPP: TESTING - Status"); 4438 goto skip_status; 4439 } 4440 if (dpp_test == DPP_TEST_INVALID_STATUS_CONF_RESP) { 4441 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status"); 4442 status = 255; 4443 } 4444 #endif /* CONFIG_TESTING_OPTIONS */ 4445 4446 /* DPP Status */ 4447 dpp_build_attr_status(msg, status); 4448 4449 #ifdef CONFIG_TESTING_OPTIONS 4450 skip_status: 4451 #endif /* CONFIG_TESTING_OPTIONS */ 4452 4453 addr[0] = wpabuf_head(msg); 4454 len[0] = wpabuf_len(msg); 4455 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]); 4456 4457 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 4458 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 4459 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 4460 4461 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear); 4462 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, 4463 wpabuf_head(clear), wpabuf_len(clear), 4464 1, addr, len, wrapped) < 0) 4465 goto fail; 4466 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 4467 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE); 4468 4469 #ifdef CONFIG_TESTING_OPTIONS 4470 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP) { 4471 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 4472 dpp_build_attr_status(msg, DPP_STATUS_OK); 4473 } 4474 skip_wrapped_data: 4475 #endif /* CONFIG_TESTING_OPTIONS */ 4476 4477 wpa_hexdump_buf(MSG_DEBUG, 4478 "DPP: Configuration Response attributes", msg); 4479 out: 4480 wpabuf_free(conf); 4481 wpabuf_free(clear); 4482 4483 return msg; 4484 fail: 4485 wpabuf_free(msg); 4486 msg = NULL; 4487 goto out; 4488 } 4489 4490 4491 struct wpabuf * 4492 dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start, 4493 size_t attr_len) 4494 { 4495 const u8 *wrapped_data, *e_nonce, *config_attr; 4496 u16 wrapped_data_len, e_nonce_len, config_attr_len; 4497 u8 *unwrapped = NULL; 4498 size_t unwrapped_len = 0; 4499 struct wpabuf *resp = NULL; 4500 struct json_token *root = NULL, *token; 4501 int ap; 4502 4503 #ifdef CONFIG_TESTING_OPTIONS 4504 if (dpp_test == DPP_TEST_STOP_AT_CONF_REQ) { 4505 wpa_printf(MSG_INFO, 4506 "DPP: TESTING - stop at Config Request"); 4507 return NULL; 4508 } 4509 #endif /* CONFIG_TESTING_OPTIONS */ 4510 4511 if (dpp_check_attrs(attr_start, attr_len) < 0) { 4512 dpp_auth_fail(auth, "Invalid attribute in config request"); 4513 return NULL; 4514 } 4515 4516 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, 4517 &wrapped_data_len); 4518 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 4519 dpp_auth_fail(auth, 4520 "Missing or invalid required Wrapped Data attribute"); 4521 return NULL; 4522 } 4523 4524 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 4525 wrapped_data, wrapped_data_len); 4526 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 4527 unwrapped = os_malloc(unwrapped_len); 4528 if (!unwrapped) 4529 return NULL; 4530 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, 4531 wrapped_data, wrapped_data_len, 4532 0, NULL, NULL, unwrapped) < 0) { 4533 dpp_auth_fail(auth, "AES-SIV decryption failed"); 4534 goto fail; 4535 } 4536 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 4537 unwrapped, unwrapped_len); 4538 4539 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 4540 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 4541 goto fail; 4542 } 4543 4544 e_nonce = dpp_get_attr(unwrapped, unwrapped_len, 4545 DPP_ATTR_ENROLLEE_NONCE, 4546 &e_nonce_len); 4547 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { 4548 dpp_auth_fail(auth, 4549 "Missing or invalid Enrollee Nonce attribute"); 4550 goto fail; 4551 } 4552 wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len); 4553 4554 config_attr = dpp_get_attr(unwrapped, unwrapped_len, 4555 DPP_ATTR_CONFIG_ATTR_OBJ, 4556 &config_attr_len); 4557 if (!config_attr) { 4558 dpp_auth_fail(auth, 4559 "Missing or invalid Config Attributes attribute"); 4560 goto fail; 4561 } 4562 wpa_hexdump_ascii(MSG_DEBUG, "DPP: Config Attributes", 4563 config_attr, config_attr_len); 4564 4565 root = json_parse((const char *) config_attr, config_attr_len); 4566 if (!root) { 4567 dpp_auth_fail(auth, "Could not parse Config Attributes"); 4568 goto fail; 4569 } 4570 4571 token = json_get_member(root, "name"); 4572 if (!token || token->type != JSON_STRING) { 4573 dpp_auth_fail(auth, "No Config Attributes - name"); 4574 goto fail; 4575 } 4576 wpa_printf(MSG_DEBUG, "DPP: Enrollee name = '%s'", token->string); 4577 4578 token = json_get_member(root, "wi-fi_tech"); 4579 if (!token || token->type != JSON_STRING) { 4580 dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech"); 4581 goto fail; 4582 } 4583 wpa_printf(MSG_DEBUG, "DPP: wi-fi_tech = '%s'", token->string); 4584 if (os_strcmp(token->string, "infra") != 0) { 4585 wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech '%s'", 4586 token->string); 4587 dpp_auth_fail(auth, "Unsupported wi-fi_tech"); 4588 goto fail; 4589 } 4590 4591 token = json_get_member(root, "netRole"); 4592 if (!token || token->type != JSON_STRING) { 4593 dpp_auth_fail(auth, "No Config Attributes - netRole"); 4594 goto fail; 4595 } 4596 wpa_printf(MSG_DEBUG, "DPP: netRole = '%s'", token->string); 4597 if (os_strcmp(token->string, "sta") == 0) { 4598 ap = 0; 4599 } else if (os_strcmp(token->string, "ap") == 0) { 4600 ap = 1; 4601 } else { 4602 wpa_printf(MSG_DEBUG, "DPP: Unsupported netRole '%s'", 4603 token->string); 4604 dpp_auth_fail(auth, "Unsupported netRole"); 4605 goto fail; 4606 } 4607 4608 resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, ap); 4609 4610 fail: 4611 json_free(root); 4612 os_free(unwrapped); 4613 return resp; 4614 } 4615 4616 4617 static struct wpabuf * 4618 dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve, 4619 const u8 *prot_hdr, u16 prot_hdr_len, 4620 const EVP_MD **ret_md) 4621 { 4622 struct json_token *root, *token; 4623 struct wpabuf *kid = NULL; 4624 4625 root = json_parse((const char *) prot_hdr, prot_hdr_len); 4626 if (!root) { 4627 wpa_printf(MSG_DEBUG, 4628 "DPP: JSON parsing failed for JWS Protected Header"); 4629 goto fail; 4630 } 4631 4632 if (root->type != JSON_OBJECT) { 4633 wpa_printf(MSG_DEBUG, 4634 "DPP: JWS Protected Header root is not an object"); 4635 goto fail; 4636 } 4637 4638 token = json_get_member(root, "typ"); 4639 if (!token || token->type != JSON_STRING) { 4640 wpa_printf(MSG_DEBUG, "DPP: No typ string value found"); 4641 goto fail; 4642 } 4643 wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s", 4644 token->string); 4645 if (os_strcmp(token->string, "dppCon") != 0) { 4646 wpa_printf(MSG_DEBUG, 4647 "DPP: Unsupported JWS Protected Header typ=%s", 4648 token->string); 4649 goto fail; 4650 } 4651 4652 token = json_get_member(root, "alg"); 4653 if (!token || token->type != JSON_STRING) { 4654 wpa_printf(MSG_DEBUG, "DPP: No alg string value found"); 4655 goto fail; 4656 } 4657 wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s", 4658 token->string); 4659 if (os_strcmp(token->string, curve->jws_alg) != 0) { 4660 wpa_printf(MSG_DEBUG, 4661 "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)", 4662 token->string, curve->jws_alg); 4663 goto fail; 4664 } 4665 if (os_strcmp(token->string, "ES256") == 0 || 4666 os_strcmp(token->string, "BS256") == 0) 4667 *ret_md = EVP_sha256(); 4668 else if (os_strcmp(token->string, "ES384") == 0 || 4669 os_strcmp(token->string, "BS384") == 0) 4670 *ret_md = EVP_sha384(); 4671 else if (os_strcmp(token->string, "ES512") == 0 || 4672 os_strcmp(token->string, "BS512") == 0) 4673 *ret_md = EVP_sha512(); 4674 else 4675 *ret_md = NULL; 4676 if (!*ret_md) { 4677 wpa_printf(MSG_DEBUG, 4678 "DPP: Unsupported JWS Protected Header alg=%s", 4679 token->string); 4680 goto fail; 4681 } 4682 4683 kid = json_get_member_base64url(root, "kid"); 4684 if (!kid) { 4685 wpa_printf(MSG_DEBUG, "DPP: No kid string value found"); 4686 goto fail; 4687 } 4688 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)", 4689 kid); 4690 4691 fail: 4692 json_free(root); 4693 return kid; 4694 } 4695 4696 4697 static int dpp_parse_cred_legacy(struct dpp_authentication *auth, 4698 struct json_token *cred) 4699 { 4700 struct json_token *pass, *psk_hex; 4701 4702 wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential"); 4703 4704 pass = json_get_member(cred, "pass"); 4705 psk_hex = json_get_member(cred, "psk_hex"); 4706 4707 if (pass && pass->type == JSON_STRING) { 4708 size_t len = os_strlen(pass->string); 4709 4710 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Legacy passphrase", 4711 pass->string, len); 4712 if (len < 8 || len > 63) 4713 return -1; 4714 os_strlcpy(auth->passphrase, pass->string, 4715 sizeof(auth->passphrase)); 4716 } else if (psk_hex && psk_hex->type == JSON_STRING) { 4717 if (auth->akm == DPP_AKM_SAE) { 4718 wpa_printf(MSG_DEBUG, 4719 "DPP: Unexpected psk_hex with akm=sae"); 4720 return -1; 4721 } 4722 if (os_strlen(psk_hex->string) != PMK_LEN * 2 || 4723 hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) { 4724 wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding"); 4725 return -1; 4726 } 4727 wpa_hexdump_key(MSG_DEBUG, "DPP: Legacy PSK", 4728 auth->psk, PMK_LEN); 4729 auth->psk_set = 1; 4730 } else { 4731 wpa_printf(MSG_DEBUG, "DPP: No pass or psk_hex strings found"); 4732 return -1; 4733 } 4734 4735 if ((auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE) && 4736 !auth->passphrase[0]) { 4737 wpa_printf(MSG_DEBUG, "DPP: No pass for sae found"); 4738 return -1; 4739 } 4740 4741 return 0; 4742 } 4743 4744 4745 static EVP_PKEY * dpp_parse_jwk(struct json_token *jwk, 4746 const struct dpp_curve_params **key_curve) 4747 { 4748 struct json_token *token; 4749 const struct dpp_curve_params *curve; 4750 struct wpabuf *x = NULL, *y = NULL; 4751 EC_GROUP *group; 4752 EVP_PKEY *pkey = NULL; 4753 4754 token = json_get_member(jwk, "kty"); 4755 if (!token || token->type != JSON_STRING) { 4756 wpa_printf(MSG_DEBUG, "DPP: No kty in JWK"); 4757 goto fail; 4758 } 4759 if (os_strcmp(token->string, "EC") != 0) { 4760 wpa_printf(MSG_DEBUG, "DPP: Unexpected JWK kty '%s'", 4761 token->string); 4762 goto fail; 4763 } 4764 4765 token = json_get_member(jwk, "crv"); 4766 if (!token || token->type != JSON_STRING) { 4767 wpa_printf(MSG_DEBUG, "DPP: No crv in JWK"); 4768 goto fail; 4769 } 4770 curve = dpp_get_curve_jwk_crv(token->string); 4771 if (!curve) { 4772 wpa_printf(MSG_DEBUG, "DPP: Unsupported JWK crv '%s'", 4773 token->string); 4774 goto fail; 4775 } 4776 4777 x = json_get_member_base64url(jwk, "x"); 4778 if (!x) { 4779 wpa_printf(MSG_DEBUG, "DPP: No x in JWK"); 4780 goto fail; 4781 } 4782 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK x", x); 4783 if (wpabuf_len(x) != curve->prime_len) { 4784 wpa_printf(MSG_DEBUG, 4785 "DPP: Unexpected JWK x length %u (expected %u for curve %s)", 4786 (unsigned int) wpabuf_len(x), 4787 (unsigned int) curve->prime_len, curve->name); 4788 goto fail; 4789 } 4790 4791 y = json_get_member_base64url(jwk, "y"); 4792 if (!y) { 4793 wpa_printf(MSG_DEBUG, "DPP: No y in JWK"); 4794 goto fail; 4795 } 4796 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK y", y); 4797 if (wpabuf_len(y) != curve->prime_len) { 4798 wpa_printf(MSG_DEBUG, 4799 "DPP: Unexpected JWK y length %u (expected %u for curve %s)", 4800 (unsigned int) wpabuf_len(y), 4801 (unsigned int) curve->prime_len, curve->name); 4802 goto fail; 4803 } 4804 4805 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name)); 4806 if (!group) { 4807 wpa_printf(MSG_DEBUG, "DPP: Could not prepare group for JWK"); 4808 goto fail; 4809 } 4810 4811 pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y), 4812 wpabuf_len(x)); 4813 *key_curve = curve; 4814 4815 fail: 4816 wpabuf_free(x); 4817 wpabuf_free(y); 4818 4819 return pkey; 4820 } 4821 4822 4823 int dpp_key_expired(const char *timestamp, os_time_t *expiry) 4824 { 4825 struct os_time now; 4826 unsigned int year, month, day, hour, min, sec; 4827 os_time_t utime; 4828 const char *pos; 4829 4830 /* ISO 8601 date and time: 4831 * <date>T<time> 4832 * YYYY-MM-DDTHH:MM:SSZ 4833 * YYYY-MM-DDTHH:MM:SS+03:00 4834 */ 4835 if (os_strlen(timestamp) < 19) { 4836 wpa_printf(MSG_DEBUG, 4837 "DPP: Too short timestamp - assume expired key"); 4838 return 1; 4839 } 4840 if (sscanf(timestamp, "%04u-%02u-%02uT%02u:%02u:%02u", 4841 &year, &month, &day, &hour, &min, &sec) != 6) { 4842 wpa_printf(MSG_DEBUG, 4843 "DPP: Failed to parse expiration day - assume expired key"); 4844 return 1; 4845 } 4846 4847 if (os_mktime(year, month, day, hour, min, sec, &utime) < 0) { 4848 wpa_printf(MSG_DEBUG, 4849 "DPP: Invalid date/time information - assume expired key"); 4850 return 1; 4851 } 4852 4853 pos = timestamp + 19; 4854 if (*pos == 'Z' || *pos == '\0') { 4855 /* In UTC - no need to adjust */ 4856 } else if (*pos == '-' || *pos == '+') { 4857 int items; 4858 4859 /* Adjust local time to UTC */ 4860 items = sscanf(pos + 1, "%02u:%02u", &hour, &min); 4861 if (items < 1) { 4862 wpa_printf(MSG_DEBUG, 4863 "DPP: Invalid time zone designator (%s) - assume expired key", 4864 pos); 4865 return 1; 4866 } 4867 if (*pos == '-') 4868 utime += 3600 * hour; 4869 if (*pos == '+') 4870 utime -= 3600 * hour; 4871 if (items > 1) { 4872 if (*pos == '-') 4873 utime += 60 * min; 4874 if (*pos == '+') 4875 utime -= 60 * min; 4876 } 4877 } else { 4878 wpa_printf(MSG_DEBUG, 4879 "DPP: Invalid time zone designator (%s) - assume expired key", 4880 pos); 4881 return 1; 4882 } 4883 if (expiry) 4884 *expiry = utime; 4885 4886 if (os_get_time(&now) < 0) { 4887 wpa_printf(MSG_DEBUG, 4888 "DPP: Cannot get current time - assume expired key"); 4889 return 1; 4890 } 4891 4892 if (now.sec > utime) { 4893 wpa_printf(MSG_DEBUG, "DPP: Key has expired (%lu < %lu)", 4894 utime, now.sec); 4895 return 1; 4896 } 4897 4898 return 0; 4899 } 4900 4901 4902 static int dpp_parse_connector(struct dpp_authentication *auth, 4903 const unsigned char *payload, 4904 u16 payload_len) 4905 { 4906 struct json_token *root, *groups, *netkey, *token; 4907 int ret = -1; 4908 EVP_PKEY *key = NULL; 4909 const struct dpp_curve_params *curve; 4910 unsigned int rules = 0; 4911 4912 root = json_parse((const char *) payload, payload_len); 4913 if (!root) { 4914 wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed"); 4915 goto fail; 4916 } 4917 4918 groups = json_get_member(root, "groups"); 4919 if (!groups || groups->type != JSON_ARRAY) { 4920 wpa_printf(MSG_DEBUG, "DPP: No groups array found"); 4921 goto skip_groups; 4922 } 4923 for (token = groups->child; token; token = token->sibling) { 4924 struct json_token *id, *role; 4925 4926 id = json_get_member(token, "groupId"); 4927 if (!id || id->type != JSON_STRING) { 4928 wpa_printf(MSG_DEBUG, "DPP: Missing groupId string"); 4929 goto fail; 4930 } 4931 4932 role = json_get_member(token, "netRole"); 4933 if (!role || role->type != JSON_STRING) { 4934 wpa_printf(MSG_DEBUG, "DPP: Missing netRole string"); 4935 goto fail; 4936 } 4937 wpa_printf(MSG_DEBUG, 4938 "DPP: connector group: groupId='%s' netRole='%s'", 4939 id->string, role->string); 4940 rules++; 4941 } 4942 skip_groups: 4943 4944 if (!rules) { 4945 wpa_printf(MSG_DEBUG, 4946 "DPP: Connector includes no groups"); 4947 goto fail; 4948 } 4949 4950 token = json_get_member(root, "expiry"); 4951 if (!token || token->type != JSON_STRING) { 4952 wpa_printf(MSG_DEBUG, 4953 "DPP: No expiry string found - connector does not expire"); 4954 } else { 4955 wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string); 4956 if (dpp_key_expired(token->string, 4957 &auth->net_access_key_expiry)) { 4958 wpa_printf(MSG_DEBUG, 4959 "DPP: Connector (netAccessKey) has expired"); 4960 goto fail; 4961 } 4962 } 4963 4964 netkey = json_get_member(root, "netAccessKey"); 4965 if (!netkey || netkey->type != JSON_OBJECT) { 4966 wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found"); 4967 goto fail; 4968 } 4969 4970 key = dpp_parse_jwk(netkey, &curve); 4971 if (!key) 4972 goto fail; 4973 dpp_debug_print_key("DPP: Received netAccessKey", key); 4974 4975 if (EVP_PKEY_cmp(key, auth->own_protocol_key) != 1) { 4976 wpa_printf(MSG_DEBUG, 4977 "DPP: netAccessKey in connector does not match own protocol key"); 4978 #ifdef CONFIG_TESTING_OPTIONS 4979 if (auth->ignore_netaccesskey_mismatch) { 4980 wpa_printf(MSG_DEBUG, 4981 "DPP: TESTING - skip netAccessKey mismatch"); 4982 } else { 4983 goto fail; 4984 } 4985 #else /* CONFIG_TESTING_OPTIONS */ 4986 goto fail; 4987 #endif /* CONFIG_TESTING_OPTIONS */ 4988 } 4989 4990 ret = 0; 4991 fail: 4992 EVP_PKEY_free(key); 4993 json_free(root); 4994 return ret; 4995 } 4996 4997 4998 static int dpp_check_pubkey_match(EVP_PKEY *pub, struct wpabuf *r_hash) 4999 { 5000 struct wpabuf *uncomp; 5001 int res; 5002 u8 hash[SHA256_MAC_LEN]; 5003 const u8 *addr[1]; 5004 size_t len[1]; 5005 5006 if (wpabuf_len(r_hash) != SHA256_MAC_LEN) 5007 return -1; 5008 uncomp = dpp_get_pubkey_point(pub, 1); 5009 if (!uncomp) 5010 return -1; 5011 addr[0] = wpabuf_head(uncomp); 5012 len[0] = wpabuf_len(uncomp); 5013 wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key", 5014 addr[0], len[0]); 5015 res = sha256_vector(1, addr, len, hash); 5016 wpabuf_free(uncomp); 5017 if (res < 0) 5018 return -1; 5019 if (os_memcmp(hash, wpabuf_head(r_hash), SHA256_MAC_LEN) != 0) { 5020 wpa_printf(MSG_DEBUG, 5021 "DPP: Received hash value does not match calculated public key hash value"); 5022 wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash", 5023 hash, SHA256_MAC_LEN); 5024 return -1; 5025 } 5026 return 0; 5027 } 5028 5029 5030 static void dpp_copy_csign(struct dpp_authentication *auth, EVP_PKEY *csign) 5031 { 5032 unsigned char *der = NULL; 5033 int der_len; 5034 5035 der_len = i2d_PUBKEY(csign, &der); 5036 if (der_len <= 0) 5037 return; 5038 wpabuf_free(auth->c_sign_key); 5039 auth->c_sign_key = wpabuf_alloc_copy(der, der_len); 5040 OPENSSL_free(der); 5041 } 5042 5043 5044 static void dpp_copy_netaccesskey(struct dpp_authentication *auth) 5045 { 5046 unsigned char *der = NULL; 5047 int der_len; 5048 EC_KEY *eckey; 5049 5050 eckey = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key); 5051 if (!eckey) 5052 return; 5053 5054 der_len = i2d_ECPrivateKey(eckey, &der); 5055 if (der_len <= 0) { 5056 EC_KEY_free(eckey); 5057 return; 5058 } 5059 wpabuf_free(auth->net_access_key); 5060 auth->net_access_key = wpabuf_alloc_copy(der, der_len); 5061 OPENSSL_free(der); 5062 EC_KEY_free(eckey); 5063 } 5064 5065 5066 struct dpp_signed_connector_info { 5067 unsigned char *payload; 5068 size_t payload_len; 5069 }; 5070 5071 static enum dpp_status_error 5072 dpp_process_signed_connector(struct dpp_signed_connector_info *info, 5073 EVP_PKEY *csign_pub, const char *connector) 5074 { 5075 enum dpp_status_error ret = 255; 5076 const char *pos, *end, *signed_start, *signed_end; 5077 struct wpabuf *kid = NULL; 5078 unsigned char *prot_hdr = NULL, *signature = NULL; 5079 size_t prot_hdr_len = 0, signature_len = 0; 5080 const EVP_MD *sign_md = NULL; 5081 unsigned char *der = NULL; 5082 int der_len; 5083 int res; 5084 EVP_MD_CTX *md_ctx = NULL; 5085 ECDSA_SIG *sig = NULL; 5086 BIGNUM *r = NULL, *s = NULL; 5087 const struct dpp_curve_params *curve; 5088 EC_KEY *eckey; 5089 const EC_GROUP *group; 5090 int nid; 5091 5092 eckey = EVP_PKEY_get1_EC_KEY(csign_pub); 5093 if (!eckey) 5094 goto fail; 5095 group = EC_KEY_get0_group(eckey); 5096 if (!group) 5097 goto fail; 5098 nid = EC_GROUP_get_curve_name(group); 5099 curve = dpp_get_curve_nid(nid); 5100 if (!curve) 5101 goto fail; 5102 wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv); 5103 os_memset(info, 0, sizeof(*info)); 5104 5105 signed_start = pos = connector; 5106 end = os_strchr(pos, '.'); 5107 if (!end) { 5108 wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector"); 5109 ret = DPP_STATUS_INVALID_CONNECTOR; 5110 goto fail; 5111 } 5112 prot_hdr = base64_url_decode((const unsigned char *) pos, 5113 end - pos, &prot_hdr_len); 5114 if (!prot_hdr) { 5115 wpa_printf(MSG_DEBUG, 5116 "DPP: Failed to base64url decode signedConnector JWS Protected Header"); 5117 ret = DPP_STATUS_INVALID_CONNECTOR; 5118 goto fail; 5119 } 5120 wpa_hexdump_ascii(MSG_DEBUG, 5121 "DPP: signedConnector - JWS Protected Header", 5122 prot_hdr, prot_hdr_len); 5123 kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &sign_md); 5124 if (!kid) { 5125 ret = DPP_STATUS_INVALID_CONNECTOR; 5126 goto fail; 5127 } 5128 if (wpabuf_len(kid) != SHA256_MAC_LEN) { 5129 wpa_printf(MSG_DEBUG, 5130 "DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)", 5131 (unsigned int) wpabuf_len(kid), SHA256_MAC_LEN); 5132 ret = DPP_STATUS_INVALID_CONNECTOR; 5133 goto fail; 5134 } 5135 5136 pos = end + 1; 5137 end = os_strchr(pos, '.'); 5138 if (!end) { 5139 wpa_printf(MSG_DEBUG, 5140 "DPP: Missing dot(2) in signedConnector"); 5141 ret = DPP_STATUS_INVALID_CONNECTOR; 5142 goto fail; 5143 } 5144 signed_end = end - 1; 5145 info->payload = base64_url_decode((const unsigned char *) pos, 5146 end - pos, &info->payload_len); 5147 if (!info->payload) { 5148 wpa_printf(MSG_DEBUG, 5149 "DPP: Failed to base64url decode signedConnector JWS Payload"); 5150 ret = DPP_STATUS_INVALID_CONNECTOR; 5151 goto fail; 5152 } 5153 wpa_hexdump_ascii(MSG_DEBUG, 5154 "DPP: signedConnector - JWS Payload", 5155 info->payload, info->payload_len); 5156 pos = end + 1; 5157 signature = base64_url_decode((const unsigned char *) pos, 5158 os_strlen(pos), &signature_len); 5159 if (!signature) { 5160 wpa_printf(MSG_DEBUG, 5161 "DPP: Failed to base64url decode signedConnector signature"); 5162 ret = DPP_STATUS_INVALID_CONNECTOR; 5163 goto fail; 5164 } 5165 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature", 5166 signature, signature_len); 5167 5168 if (dpp_check_pubkey_match(csign_pub, kid) < 0) { 5169 ret = DPP_STATUS_NO_MATCH; 5170 goto fail; 5171 } 5172 5173 if (signature_len & 0x01) { 5174 wpa_printf(MSG_DEBUG, 5175 "DPP: Unexpected signedConnector signature length (%d)", 5176 (int) signature_len); 5177 ret = DPP_STATUS_INVALID_CONNECTOR; 5178 goto fail; 5179 } 5180 5181 /* JWS Signature encodes the signature (r,s) as two octet strings. Need 5182 * to convert that to DER encoded ECDSA_SIG for OpenSSL EVP routines. */ 5183 r = BN_bin2bn(signature, signature_len / 2, NULL); 5184 s = BN_bin2bn(signature + signature_len / 2, signature_len / 2, NULL); 5185 sig = ECDSA_SIG_new(); 5186 if (!r || !s || !sig || ECDSA_SIG_set0(sig, r, s) != 1) 5187 goto fail; 5188 r = NULL; 5189 s = NULL; 5190 5191 der_len = i2d_ECDSA_SIG(sig, &der); 5192 if (der_len <= 0) { 5193 wpa_printf(MSG_DEBUG, "DPP: Could not DER encode signature"); 5194 goto fail; 5195 } 5196 wpa_hexdump(MSG_DEBUG, "DPP: DER encoded signature", der, der_len); 5197 md_ctx = EVP_MD_CTX_create(); 5198 if (!md_ctx) 5199 goto fail; 5200 5201 ERR_clear_error(); 5202 if (EVP_DigestVerifyInit(md_ctx, NULL, sign_md, NULL, csign_pub) != 1) { 5203 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyInit failed: %s", 5204 ERR_error_string(ERR_get_error(), NULL)); 5205 goto fail; 5206 } 5207 if (EVP_DigestVerifyUpdate(md_ctx, signed_start, 5208 signed_end - signed_start + 1) != 1) { 5209 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyUpdate failed: %s", 5210 ERR_error_string(ERR_get_error(), NULL)); 5211 goto fail; 5212 } 5213 res = EVP_DigestVerifyFinal(md_ctx, der, der_len); 5214 if (res != 1) { 5215 wpa_printf(MSG_DEBUG, 5216 "DPP: EVP_DigestVerifyFinal failed (res=%d): %s", 5217 res, ERR_error_string(ERR_get_error(), NULL)); 5218 ret = DPP_STATUS_INVALID_CONNECTOR; 5219 goto fail; 5220 } 5221 5222 ret = DPP_STATUS_OK; 5223 fail: 5224 EC_KEY_free(eckey); 5225 EVP_MD_CTX_destroy(md_ctx); 5226 os_free(prot_hdr); 5227 wpabuf_free(kid); 5228 os_free(signature); 5229 ECDSA_SIG_free(sig); 5230 BN_free(r); 5231 BN_free(s); 5232 OPENSSL_free(der); 5233 return ret; 5234 } 5235 5236 5237 static int dpp_parse_cred_dpp(struct dpp_authentication *auth, 5238 struct json_token *cred) 5239 { 5240 struct dpp_signed_connector_info info; 5241 struct json_token *token, *csign; 5242 int ret = -1; 5243 EVP_PKEY *csign_pub = NULL; 5244 const struct dpp_curve_params *key_curve = NULL; 5245 const char *signed_connector; 5246 5247 os_memset(&info, 0, sizeof(info)); 5248 5249 wpa_printf(MSG_DEBUG, "DPP: Connector credential"); 5250 5251 csign = json_get_member(cred, "csign"); 5252 if (!csign || csign->type != JSON_OBJECT) { 5253 wpa_printf(MSG_DEBUG, "DPP: No csign JWK in JSON"); 5254 goto fail; 5255 } 5256 5257 csign_pub = dpp_parse_jwk(csign, &key_curve); 5258 if (!csign_pub) { 5259 wpa_printf(MSG_DEBUG, "DPP: Failed to parse csign JWK"); 5260 goto fail; 5261 } 5262 dpp_debug_print_key("DPP: Received C-sign-key", csign_pub); 5263 5264 token = json_get_member(cred, "signedConnector"); 5265 if (!token || token->type != JSON_STRING) { 5266 wpa_printf(MSG_DEBUG, "DPP: No signedConnector string found"); 5267 goto fail; 5268 } 5269 wpa_hexdump_ascii(MSG_DEBUG, "DPP: signedConnector", 5270 token->string, os_strlen(token->string)); 5271 signed_connector = token->string; 5272 5273 if (os_strchr(signed_connector, '"') || 5274 os_strchr(signed_connector, '\n')) { 5275 wpa_printf(MSG_DEBUG, 5276 "DPP: Unexpected character in signedConnector"); 5277 goto fail; 5278 } 5279 5280 if (dpp_process_signed_connector(&info, csign_pub, 5281 signed_connector) != DPP_STATUS_OK) 5282 goto fail; 5283 5284 if (dpp_parse_connector(auth, info.payload, info.payload_len) < 0) { 5285 wpa_printf(MSG_DEBUG, "DPP: Failed to parse connector"); 5286 goto fail; 5287 } 5288 5289 os_free(auth->connector); 5290 auth->connector = os_strdup(signed_connector); 5291 5292 dpp_copy_csign(auth, csign_pub); 5293 dpp_copy_netaccesskey(auth); 5294 5295 ret = 0; 5296 fail: 5297 EVP_PKEY_free(csign_pub); 5298 os_free(info.payload); 5299 return ret; 5300 } 5301 5302 5303 const char * dpp_akm_str(enum dpp_akm akm) 5304 { 5305 switch (akm) { 5306 case DPP_AKM_DPP: 5307 return "dpp"; 5308 case DPP_AKM_PSK: 5309 return "psk"; 5310 case DPP_AKM_SAE: 5311 return "sae"; 5312 case DPP_AKM_PSK_SAE: 5313 return "psk+sae"; 5314 default: 5315 return "??"; 5316 } 5317 } 5318 5319 5320 static enum dpp_akm dpp_akm_from_str(const char *akm) 5321 { 5322 if (os_strcmp(akm, "psk") == 0) 5323 return DPP_AKM_PSK; 5324 if (os_strcmp(akm, "sae") == 0) 5325 return DPP_AKM_SAE; 5326 if (os_strcmp(akm, "psk+sae") == 0) 5327 return DPP_AKM_PSK_SAE; 5328 if (os_strcmp(akm, "dpp") == 0) 5329 return DPP_AKM_DPP; 5330 return DPP_AKM_UNKNOWN; 5331 } 5332 5333 5334 static int dpp_parse_conf_obj(struct dpp_authentication *auth, 5335 const u8 *conf_obj, u16 conf_obj_len) 5336 { 5337 int ret = -1; 5338 struct json_token *root, *token, *discovery, *cred; 5339 5340 root = json_parse((const char *) conf_obj, conf_obj_len); 5341 if (!root) 5342 return -1; 5343 if (root->type != JSON_OBJECT) { 5344 dpp_auth_fail(auth, "JSON root is not an object"); 5345 goto fail; 5346 } 5347 5348 token = json_get_member(root, "wi-fi_tech"); 5349 if (!token || token->type != JSON_STRING) { 5350 dpp_auth_fail(auth, "No wi-fi_tech string value found"); 5351 goto fail; 5352 } 5353 if (os_strcmp(token->string, "infra") != 0) { 5354 wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech value: '%s'", 5355 token->string); 5356 dpp_auth_fail(auth, "Unsupported wi-fi_tech value"); 5357 goto fail; 5358 } 5359 5360 discovery = json_get_member(root, "discovery"); 5361 if (!discovery || discovery->type != JSON_OBJECT) { 5362 dpp_auth_fail(auth, "No discovery object in JSON"); 5363 goto fail; 5364 } 5365 5366 token = json_get_member(discovery, "ssid"); 5367 if (!token || token->type != JSON_STRING) { 5368 dpp_auth_fail(auth, "No discovery::ssid string value found"); 5369 goto fail; 5370 } 5371 wpa_hexdump_ascii(MSG_DEBUG, "DPP: discovery::ssid", 5372 token->string, os_strlen(token->string)); 5373 if (os_strlen(token->string) > SSID_MAX_LEN) { 5374 dpp_auth_fail(auth, "Too long discovery::ssid string value"); 5375 goto fail; 5376 } 5377 auth->ssid_len = os_strlen(token->string); 5378 os_memcpy(auth->ssid, token->string, auth->ssid_len); 5379 5380 cred = json_get_member(root, "cred"); 5381 if (!cred || cred->type != JSON_OBJECT) { 5382 dpp_auth_fail(auth, "No cred object in JSON"); 5383 goto fail; 5384 } 5385 5386 token = json_get_member(cred, "akm"); 5387 if (!token || token->type != JSON_STRING) { 5388 dpp_auth_fail(auth, "No cred::akm string value found"); 5389 goto fail; 5390 } 5391 auth->akm = dpp_akm_from_str(token->string); 5392 5393 if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_SAE || 5394 auth->akm == DPP_AKM_PSK_SAE) { 5395 if (dpp_parse_cred_legacy(auth, cred) < 0) 5396 goto fail; 5397 } else if (auth->akm == DPP_AKM_DPP) { 5398 if (dpp_parse_cred_dpp(auth, cred) < 0) 5399 goto fail; 5400 } else { 5401 wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s", 5402 token->string); 5403 dpp_auth_fail(auth, "Unsupported akm"); 5404 goto fail; 5405 } 5406 5407 wpa_printf(MSG_DEBUG, "DPP: JSON parsing completed successfully"); 5408 ret = 0; 5409 fail: 5410 json_free(root); 5411 return ret; 5412 } 5413 5414 5415 int dpp_conf_resp_rx(struct dpp_authentication *auth, 5416 const struct wpabuf *resp) 5417 { 5418 const u8 *wrapped_data, *e_nonce, *status, *conf_obj; 5419 u16 wrapped_data_len, e_nonce_len, status_len, conf_obj_len; 5420 const u8 *addr[1]; 5421 size_t len[1]; 5422 u8 *unwrapped = NULL; 5423 size_t unwrapped_len = 0; 5424 int ret = -1; 5425 5426 if (dpp_check_attrs(wpabuf_head(resp), wpabuf_len(resp)) < 0) { 5427 dpp_auth_fail(auth, "Invalid attribute in config response"); 5428 return -1; 5429 } 5430 5431 wrapped_data = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp), 5432 DPP_ATTR_WRAPPED_DATA, 5433 &wrapped_data_len); 5434 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 5435 dpp_auth_fail(auth, 5436 "Missing or invalid required Wrapped Data attribute"); 5437 return -1; 5438 } 5439 5440 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 5441 wrapped_data, wrapped_data_len); 5442 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 5443 unwrapped = os_malloc(unwrapped_len); 5444 if (!unwrapped) 5445 return -1; 5446 5447 addr[0] = wpabuf_head(resp); 5448 len[0] = wrapped_data - 4 - (const u8 *) wpabuf_head(resp); 5449 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]); 5450 5451 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, 5452 wrapped_data, wrapped_data_len, 5453 1, addr, len, unwrapped) < 0) { 5454 dpp_auth_fail(auth, "AES-SIV decryption failed"); 5455 goto fail; 5456 } 5457 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 5458 unwrapped, unwrapped_len); 5459 5460 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 5461 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); 5462 goto fail; 5463 } 5464 5465 e_nonce = dpp_get_attr(unwrapped, unwrapped_len, 5466 DPP_ATTR_ENROLLEE_NONCE, 5467 &e_nonce_len); 5468 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { 5469 dpp_auth_fail(auth, 5470 "Missing or invalid Enrollee Nonce attribute"); 5471 goto fail; 5472 } 5473 wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len); 5474 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) { 5475 dpp_auth_fail(auth, "Enrollee Nonce mismatch"); 5476 goto fail; 5477 } 5478 5479 status = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp), 5480 DPP_ATTR_STATUS, &status_len); 5481 if (!status || status_len < 1) { 5482 dpp_auth_fail(auth, 5483 "Missing or invalid required DPP Status attribute"); 5484 goto fail; 5485 } 5486 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]); 5487 if (status[0] != DPP_STATUS_OK) { 5488 dpp_auth_fail(auth, "Configurator rejected configuration"); 5489 goto fail; 5490 } 5491 5492 conf_obj = dpp_get_attr(unwrapped, unwrapped_len, 5493 DPP_ATTR_CONFIG_OBJ, &conf_obj_len); 5494 if (!conf_obj) { 5495 dpp_auth_fail(auth, 5496 "Missing required Configuration Object attribute"); 5497 goto fail; 5498 } 5499 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON", 5500 conf_obj, conf_obj_len); 5501 if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0) 5502 goto fail; 5503 5504 ret = 0; 5505 5506 fail: 5507 os_free(unwrapped); 5508 return ret; 5509 } 5510 5511 5512 void dpp_configurator_free(struct dpp_configurator *conf) 5513 { 5514 if (!conf) 5515 return; 5516 EVP_PKEY_free(conf->csign); 5517 os_free(conf->kid); 5518 os_free(conf); 5519 } 5520 5521 5522 int dpp_configurator_get_key(const struct dpp_configurator *conf, char *buf, 5523 size_t buflen) 5524 { 5525 EC_KEY *eckey; 5526 int key_len, ret = -1; 5527 unsigned char *key = NULL; 5528 5529 if (!conf->csign) 5530 return -1; 5531 5532 eckey = EVP_PKEY_get1_EC_KEY(conf->csign); 5533 if (!eckey) 5534 return -1; 5535 5536 key_len = i2d_ECPrivateKey(eckey, &key); 5537 if (key_len > 0) 5538 ret = wpa_snprintf_hex(buf, buflen, key, key_len); 5539 5540 EC_KEY_free(eckey); 5541 OPENSSL_free(key); 5542 return ret; 5543 } 5544 5545 5546 struct dpp_configurator * 5547 dpp_keygen_configurator(const char *curve, const u8 *privkey, 5548 size_t privkey_len) 5549 { 5550 struct dpp_configurator *conf; 5551 struct wpabuf *csign_pub = NULL; 5552 u8 kid_hash[SHA256_MAC_LEN]; 5553 const u8 *addr[1]; 5554 size_t len[1]; 5555 5556 conf = os_zalloc(sizeof(*conf)); 5557 if (!conf) 5558 return NULL; 5559 5560 if (!curve) { 5561 conf->curve = &dpp_curves[0]; 5562 } else { 5563 conf->curve = dpp_get_curve_name(curve); 5564 if (!conf->curve) { 5565 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", 5566 curve); 5567 os_free(conf); 5568 return NULL; 5569 } 5570 } 5571 if (privkey) 5572 conf->csign = dpp_set_keypair(&conf->curve, privkey, 5573 privkey_len); 5574 else 5575 conf->csign = dpp_gen_keypair(conf->curve); 5576 if (!conf->csign) 5577 goto fail; 5578 conf->own = 1; 5579 5580 csign_pub = dpp_get_pubkey_point(conf->csign, 1); 5581 if (!csign_pub) { 5582 wpa_printf(MSG_INFO, "DPP: Failed to extract C-sign-key"); 5583 goto fail; 5584 } 5585 5586 /* kid = SHA256(ANSI X9.63 uncompressed C-sign-key) */ 5587 addr[0] = wpabuf_head(csign_pub); 5588 len[0] = wpabuf_len(csign_pub); 5589 if (sha256_vector(1, addr, len, kid_hash) < 0) { 5590 wpa_printf(MSG_DEBUG, 5591 "DPP: Failed to derive kid for C-sign-key"); 5592 goto fail; 5593 } 5594 5595 conf->kid = (char *) base64_url_encode(kid_hash, sizeof(kid_hash), 5596 NULL, 0); 5597 if (!conf->kid) 5598 goto fail; 5599 out: 5600 wpabuf_free(csign_pub); 5601 return conf; 5602 fail: 5603 dpp_configurator_free(conf); 5604 conf = NULL; 5605 goto out; 5606 } 5607 5608 5609 int dpp_configurator_own_config(struct dpp_authentication *auth, 5610 const char *curve, int ap) 5611 { 5612 struct wpabuf *conf_obj; 5613 int ret = -1; 5614 5615 if (!auth->conf) { 5616 wpa_printf(MSG_DEBUG, "DPP: No configurator specified"); 5617 return -1; 5618 } 5619 5620 if (!curve) { 5621 auth->curve = &dpp_curves[0]; 5622 } else { 5623 auth->curve = dpp_get_curve_name(curve); 5624 if (!auth->curve) { 5625 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", 5626 curve); 5627 return -1; 5628 } 5629 } 5630 wpa_printf(MSG_DEBUG, 5631 "DPP: Building own configuration/connector with curve %s", 5632 auth->curve->name); 5633 5634 auth->own_protocol_key = dpp_gen_keypair(auth->curve); 5635 if (!auth->own_protocol_key) 5636 return -1; 5637 dpp_copy_netaccesskey(auth); 5638 auth->peer_protocol_key = auth->own_protocol_key; 5639 dpp_copy_csign(auth, auth->conf->csign); 5640 5641 conf_obj = dpp_build_conf_obj(auth, ap); 5642 if (!conf_obj) 5643 goto fail; 5644 ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj), 5645 wpabuf_len(conf_obj)); 5646 fail: 5647 wpabuf_free(conf_obj); 5648 auth->peer_protocol_key = NULL; 5649 return ret; 5650 } 5651 5652 5653 static int dpp_compatible_netrole(const char *role1, const char *role2) 5654 { 5655 return (os_strcmp(role1, "sta") == 0 && os_strcmp(role2, "ap") == 0) || 5656 (os_strcmp(role1, "ap") == 0 && os_strcmp(role2, "sta") == 0); 5657 } 5658 5659 5660 static int dpp_connector_compatible_group(struct json_token *root, 5661 const char *group_id, 5662 const char *net_role) 5663 { 5664 struct json_token *groups, *token; 5665 5666 groups = json_get_member(root, "groups"); 5667 if (!groups || groups->type != JSON_ARRAY) 5668 return 0; 5669 5670 for (token = groups->child; token; token = token->sibling) { 5671 struct json_token *id, *role; 5672 5673 id = json_get_member(token, "groupId"); 5674 if (!id || id->type != JSON_STRING) 5675 continue; 5676 5677 role = json_get_member(token, "netRole"); 5678 if (!role || role->type != JSON_STRING) 5679 continue; 5680 5681 if (os_strcmp(id->string, "*") != 0 && 5682 os_strcmp(group_id, "*") != 0 && 5683 os_strcmp(id->string, group_id) != 0) 5684 continue; 5685 5686 if (dpp_compatible_netrole(role->string, net_role)) 5687 return 1; 5688 } 5689 5690 return 0; 5691 } 5692 5693 5694 static int dpp_connector_match_groups(struct json_token *own_root, 5695 struct json_token *peer_root) 5696 { 5697 struct json_token *groups, *token; 5698 5699 groups = json_get_member(peer_root, "groups"); 5700 if (!groups || groups->type != JSON_ARRAY) { 5701 wpa_printf(MSG_DEBUG, "DPP: No peer groups array found"); 5702 return 0; 5703 } 5704 5705 for (token = groups->child; token; token = token->sibling) { 5706 struct json_token *id, *role; 5707 5708 id = json_get_member(token, "groupId"); 5709 if (!id || id->type != JSON_STRING) { 5710 wpa_printf(MSG_DEBUG, 5711 "DPP: Missing peer groupId string"); 5712 continue; 5713 } 5714 5715 role = json_get_member(token, "netRole"); 5716 if (!role || role->type != JSON_STRING) { 5717 wpa_printf(MSG_DEBUG, 5718 "DPP: Missing peer groups::netRole string"); 5719 continue; 5720 } 5721 wpa_printf(MSG_DEBUG, 5722 "DPP: peer connector group: groupId='%s' netRole='%s'", 5723 id->string, role->string); 5724 if (dpp_connector_compatible_group(own_root, id->string, 5725 role->string)) { 5726 wpa_printf(MSG_DEBUG, 5727 "DPP: Compatible group/netRole in own connector"); 5728 return 1; 5729 } 5730 } 5731 5732 return 0; 5733 } 5734 5735 5736 static int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk, 5737 unsigned int hash_len) 5738 { 5739 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN]; 5740 const char *info = "DPP PMK"; 5741 int res; 5742 5743 /* PMK = HKDF(<>, "DPP PMK", N.x) */ 5744 5745 /* HKDF-Extract(<>, N.x) */ 5746 os_memset(salt, 0, hash_len); 5747 if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0) 5748 return -1; 5749 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)", 5750 prk, hash_len); 5751 5752 /* HKDF-Expand(PRK, info, L) */ 5753 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, pmk, hash_len); 5754 os_memset(prk, 0, hash_len); 5755 if (res < 0) 5756 return -1; 5757 5758 wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)", 5759 pmk, hash_len); 5760 return 0; 5761 } 5762 5763 5764 static int dpp_derive_pmkid(const struct dpp_curve_params *curve, 5765 EVP_PKEY *own_key, EVP_PKEY *peer_key, u8 *pmkid) 5766 { 5767 struct wpabuf *nkx, *pkx; 5768 int ret = -1, res; 5769 const u8 *addr[2]; 5770 size_t len[2]; 5771 u8 hash[SHA256_MAC_LEN]; 5772 5773 /* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */ 5774 nkx = dpp_get_pubkey_point(own_key, 0); 5775 pkx = dpp_get_pubkey_point(peer_key, 0); 5776 if (!nkx || !pkx) 5777 goto fail; 5778 addr[0] = wpabuf_head(nkx); 5779 len[0] = wpabuf_len(nkx) / 2; 5780 addr[1] = wpabuf_head(pkx); 5781 len[1] = wpabuf_len(pkx) / 2; 5782 if (len[0] != len[1]) 5783 goto fail; 5784 if (os_memcmp(addr[0], addr[1], len[0]) > 0) { 5785 addr[0] = wpabuf_head(pkx); 5786 addr[1] = wpabuf_head(nkx); 5787 } 5788 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]); 5789 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]); 5790 res = sha256_vector(2, addr, len, hash); 5791 if (res < 0) 5792 goto fail; 5793 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN); 5794 os_memcpy(pmkid, hash, PMKID_LEN); 5795 wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN); 5796 ret = 0; 5797 fail: 5798 wpabuf_free(nkx); 5799 wpabuf_free(pkx); 5800 return ret; 5801 } 5802 5803 5804 enum dpp_status_error 5805 dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, 5806 const u8 *net_access_key, size_t net_access_key_len, 5807 const u8 *csign_key, size_t csign_key_len, 5808 const u8 *peer_connector, size_t peer_connector_len, 5809 os_time_t *expiry) 5810 { 5811 struct json_token *root = NULL, *netkey, *token; 5812 struct json_token *own_root = NULL; 5813 enum dpp_status_error ret = 255, res; 5814 EVP_PKEY *own_key = NULL, *peer_key = NULL; 5815 struct wpabuf *own_key_pub = NULL; 5816 const struct dpp_curve_params *curve, *own_curve; 5817 struct dpp_signed_connector_info info; 5818 const unsigned char *p; 5819 EVP_PKEY *csign = NULL; 5820 char *signed_connector = NULL; 5821 const char *pos, *end; 5822 unsigned char *own_conn = NULL; 5823 size_t own_conn_len; 5824 EVP_PKEY_CTX *ctx = NULL; 5825 size_t Nx_len; 5826 u8 Nx[DPP_MAX_SHARED_SECRET_LEN]; 5827 5828 os_memset(intro, 0, sizeof(*intro)); 5829 os_memset(&info, 0, sizeof(info)); 5830 if (expiry) 5831 *expiry = 0; 5832 5833 p = csign_key; 5834 csign = d2i_PUBKEY(NULL, &p, csign_key_len); 5835 if (!csign) { 5836 wpa_printf(MSG_ERROR, 5837 "DPP: Failed to parse local C-sign-key information"); 5838 goto fail; 5839 } 5840 5841 own_key = dpp_set_keypair(&own_curve, net_access_key, 5842 net_access_key_len); 5843 if (!own_key) { 5844 wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey"); 5845 goto fail; 5846 } 5847 5848 pos = os_strchr(own_connector, '.'); 5849 if (!pos) { 5850 wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the first dot (.)"); 5851 goto fail; 5852 } 5853 pos++; 5854 end = os_strchr(pos, '.'); 5855 if (!end) { 5856 wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the second dot (.)"); 5857 goto fail; 5858 } 5859 own_conn = base64_url_decode((const unsigned char *) pos, 5860 end - pos, &own_conn_len); 5861 if (!own_conn) { 5862 wpa_printf(MSG_DEBUG, 5863 "DPP: Failed to base64url decode own signedConnector JWS Payload"); 5864 goto fail; 5865 } 5866 5867 own_root = json_parse((const char *) own_conn, own_conn_len); 5868 if (!own_root) { 5869 wpa_printf(MSG_DEBUG, "DPP: Failed to parse local connector"); 5870 goto fail; 5871 } 5872 5873 wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector", 5874 peer_connector, peer_connector_len); 5875 signed_connector = os_malloc(peer_connector_len + 1); 5876 if (!signed_connector) 5877 goto fail; 5878 os_memcpy(signed_connector, peer_connector, peer_connector_len); 5879 signed_connector[peer_connector_len] = '\0'; 5880 5881 res = dpp_process_signed_connector(&info, csign, signed_connector); 5882 if (res != DPP_STATUS_OK) { 5883 ret = res; 5884 goto fail; 5885 } 5886 5887 root = json_parse((const char *) info.payload, info.payload_len); 5888 if (!root) { 5889 wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed"); 5890 ret = DPP_STATUS_INVALID_CONNECTOR; 5891 goto fail; 5892 } 5893 5894 if (!dpp_connector_match_groups(own_root, root)) { 5895 wpa_printf(MSG_DEBUG, 5896 "DPP: Peer connector does not include compatible group netrole with own connector"); 5897 ret = DPP_STATUS_NO_MATCH; 5898 goto fail; 5899 } 5900 5901 token = json_get_member(root, "expiry"); 5902 if (!token || token->type != JSON_STRING) { 5903 wpa_printf(MSG_DEBUG, 5904 "DPP: No expiry string found - connector does not expire"); 5905 } else { 5906 wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string); 5907 if (dpp_key_expired(token->string, expiry)) { 5908 wpa_printf(MSG_DEBUG, 5909 "DPP: Connector (netAccessKey) has expired"); 5910 ret = DPP_STATUS_INVALID_CONNECTOR; 5911 goto fail; 5912 } 5913 } 5914 5915 netkey = json_get_member(root, "netAccessKey"); 5916 if (!netkey || netkey->type != JSON_OBJECT) { 5917 wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found"); 5918 ret = DPP_STATUS_INVALID_CONNECTOR; 5919 goto fail; 5920 } 5921 5922 peer_key = dpp_parse_jwk(netkey, &curve); 5923 if (!peer_key) { 5924 ret = DPP_STATUS_INVALID_CONNECTOR; 5925 goto fail; 5926 } 5927 dpp_debug_print_key("DPP: Received netAccessKey", peer_key); 5928 5929 if (own_curve != curve) { 5930 wpa_printf(MSG_DEBUG, 5931 "DPP: Mismatching netAccessKey curves (%s != %s)", 5932 own_curve->name, curve->name); 5933 ret = DPP_STATUS_INVALID_CONNECTOR; 5934 goto fail; 5935 } 5936 5937 /* ECDH: N = nk * PK */ 5938 ctx = EVP_PKEY_CTX_new(own_key, NULL); 5939 if (!ctx || 5940 EVP_PKEY_derive_init(ctx) != 1 || 5941 EVP_PKEY_derive_set_peer(ctx, peer_key) != 1 || 5942 EVP_PKEY_derive(ctx, NULL, &Nx_len) != 1 || 5943 Nx_len > DPP_MAX_SHARED_SECRET_LEN || 5944 EVP_PKEY_derive(ctx, Nx, &Nx_len) != 1) { 5945 wpa_printf(MSG_ERROR, 5946 "DPP: Failed to derive ECDH shared secret: %s", 5947 ERR_error_string(ERR_get_error(), NULL)); 5948 goto fail; 5949 } 5950 5951 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)", 5952 Nx, Nx_len); 5953 5954 /* PMK = HKDF(<>, "DPP PMK", N.x) */ 5955 if (dpp_derive_pmk(Nx, Nx_len, intro->pmk, curve->hash_len) < 0) { 5956 wpa_printf(MSG_ERROR, "DPP: Failed to derive PMK"); 5957 goto fail; 5958 } 5959 intro->pmk_len = curve->hash_len; 5960 5961 /* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */ 5962 if (dpp_derive_pmkid(curve, own_key, peer_key, intro->pmkid) < 0) { 5963 wpa_printf(MSG_ERROR, "DPP: Failed to derive PMKID"); 5964 goto fail; 5965 } 5966 5967 ret = DPP_STATUS_OK; 5968 fail: 5969 if (ret != DPP_STATUS_OK) 5970 os_memset(intro, 0, sizeof(*intro)); 5971 os_memset(Nx, 0, sizeof(Nx)); 5972 EVP_PKEY_CTX_free(ctx); 5973 os_free(own_conn); 5974 os_free(signed_connector); 5975 os_free(info.payload); 5976 EVP_PKEY_free(own_key); 5977 wpabuf_free(own_key_pub); 5978 EVP_PKEY_free(peer_key); 5979 EVP_PKEY_free(csign); 5980 json_free(root); 5981 json_free(own_root); 5982 return ret; 5983 } 5984 5985 5986 static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve, 5987 int init) 5988 { 5989 EC_GROUP *group; 5990 size_t len = curve->prime_len; 5991 const u8 *x, *y; 5992 5993 switch (curve->ike_group) { 5994 case 19: 5995 x = init ? pkex_init_x_p256 : pkex_resp_x_p256; 5996 y = init ? pkex_init_y_p256 : pkex_resp_y_p256; 5997 break; 5998 case 20: 5999 x = init ? pkex_init_x_p384 : pkex_resp_x_p384; 6000 y = init ? pkex_init_y_p384 : pkex_resp_y_p384; 6001 break; 6002 case 21: 6003 x = init ? pkex_init_x_p521 : pkex_resp_x_p521; 6004 y = init ? pkex_init_y_p521 : pkex_resp_y_p521; 6005 break; 6006 case 28: 6007 x = init ? pkex_init_x_bp_p256r1 : pkex_resp_x_bp_p256r1; 6008 y = init ? pkex_init_y_bp_p256r1 : pkex_resp_y_bp_p256r1; 6009 break; 6010 case 29: 6011 x = init ? pkex_init_x_bp_p384r1 : pkex_resp_x_bp_p384r1; 6012 y = init ? pkex_init_y_bp_p384r1 : pkex_resp_y_bp_p384r1; 6013 break; 6014 case 30: 6015 x = init ? pkex_init_x_bp_p512r1 : pkex_resp_x_bp_p512r1; 6016 y = init ? pkex_init_y_bp_p512r1 : pkex_resp_y_bp_p512r1; 6017 break; 6018 default: 6019 return NULL; 6020 } 6021 6022 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name)); 6023 if (!group) 6024 return NULL; 6025 return dpp_set_pubkey_point_group(group, x, y, len); 6026 } 6027 6028 6029 static EC_POINT * dpp_pkex_derive_Qi(const struct dpp_curve_params *curve, 6030 const u8 *mac_init, const char *code, 6031 const char *identifier, BN_CTX *bnctx, 6032 const EC_GROUP **ret_group) 6033 { 6034 u8 hash[DPP_MAX_HASH_LEN]; 6035 const u8 *addr[3]; 6036 size_t len[3]; 6037 unsigned int num_elem = 0; 6038 EC_POINT *Qi = NULL; 6039 EVP_PKEY *Pi = NULL; 6040 EC_KEY *Pi_ec = NULL; 6041 const EC_POINT *Pi_point; 6042 BIGNUM *hash_bn = NULL; 6043 const EC_GROUP *group = NULL; 6044 EC_GROUP *group2 = NULL; 6045 6046 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */ 6047 6048 wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR, MAC2STR(mac_init)); 6049 addr[num_elem] = mac_init; 6050 len[num_elem] = ETH_ALEN; 6051 num_elem++; 6052 if (identifier) { 6053 wpa_printf(MSG_DEBUG, "DPP: code identifier: %s", 6054 identifier); 6055 addr[num_elem] = (const u8 *) identifier; 6056 len[num_elem] = os_strlen(identifier); 6057 num_elem++; 6058 } 6059 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code)); 6060 addr[num_elem] = (const u8 *) code; 6061 len[num_elem] = os_strlen(code); 6062 num_elem++; 6063 if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0) 6064 goto fail; 6065 wpa_hexdump_key(MSG_DEBUG, 6066 "DPP: H(MAC-Initiator | [identifier |] code)", 6067 hash, curve->hash_len); 6068 Pi = dpp_pkex_get_role_elem(curve, 1); 6069 if (!Pi) 6070 goto fail; 6071 dpp_debug_print_key("DPP: Pi", Pi); 6072 Pi_ec = EVP_PKEY_get1_EC_KEY(Pi); 6073 if (!Pi_ec) 6074 goto fail; 6075 Pi_point = EC_KEY_get0_public_key(Pi_ec); 6076 6077 group = EC_KEY_get0_group(Pi_ec); 6078 if (!group) 6079 goto fail; 6080 group2 = EC_GROUP_dup(group); 6081 if (!group2) 6082 goto fail; 6083 Qi = EC_POINT_new(group2); 6084 if (!Qi) { 6085 EC_GROUP_free(group2); 6086 goto fail; 6087 } 6088 hash_bn = BN_bin2bn(hash, curve->hash_len, NULL); 6089 if (!hash_bn || 6090 EC_POINT_mul(group2, Qi, NULL, Pi_point, hash_bn, bnctx) != 1) 6091 goto fail; 6092 if (EC_POINT_is_at_infinity(group, Qi)) { 6093 wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity"); 6094 goto fail; 6095 } 6096 dpp_debug_print_point("DPP: Qi", group, Qi); 6097 out: 6098 EC_KEY_free(Pi_ec); 6099 EVP_PKEY_free(Pi); 6100 BN_clear_free(hash_bn); 6101 if (ret_group) 6102 *ret_group = group2; 6103 return Qi; 6104 fail: 6105 EC_POINT_free(Qi); 6106 Qi = NULL; 6107 goto out; 6108 } 6109 6110 6111 static EC_POINT * dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, 6112 const u8 *mac_resp, const char *code, 6113 const char *identifier, BN_CTX *bnctx, 6114 const EC_GROUP **ret_group) 6115 { 6116 u8 hash[DPP_MAX_HASH_LEN]; 6117 const u8 *addr[3]; 6118 size_t len[3]; 6119 unsigned int num_elem = 0; 6120 EC_POINT *Qr = NULL; 6121 EVP_PKEY *Pr = NULL; 6122 EC_KEY *Pr_ec = NULL; 6123 const EC_POINT *Pr_point; 6124 BIGNUM *hash_bn = NULL; 6125 const EC_GROUP *group = NULL; 6126 EC_GROUP *group2 = NULL; 6127 6128 /* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */ 6129 6130 wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR, MAC2STR(mac_resp)); 6131 addr[num_elem] = mac_resp; 6132 len[num_elem] = ETH_ALEN; 6133 num_elem++; 6134 if (identifier) { 6135 wpa_printf(MSG_DEBUG, "DPP: code identifier: %s", 6136 identifier); 6137 addr[num_elem] = (const u8 *) identifier; 6138 len[num_elem] = os_strlen(identifier); 6139 num_elem++; 6140 } 6141 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code)); 6142 addr[num_elem] = (const u8 *) code; 6143 len[num_elem] = os_strlen(code); 6144 num_elem++; 6145 if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0) 6146 goto fail; 6147 wpa_hexdump_key(MSG_DEBUG, 6148 "DPP: H(MAC-Responder | [identifier |] code)", 6149 hash, curve->hash_len); 6150 Pr = dpp_pkex_get_role_elem(curve, 0); 6151 if (!Pr) 6152 goto fail; 6153 dpp_debug_print_key("DPP: Pr", Pr); 6154 Pr_ec = EVP_PKEY_get1_EC_KEY(Pr); 6155 if (!Pr_ec) 6156 goto fail; 6157 Pr_point = EC_KEY_get0_public_key(Pr_ec); 6158 6159 group = EC_KEY_get0_group(Pr_ec); 6160 if (!group) 6161 goto fail; 6162 group2 = EC_GROUP_dup(group); 6163 if (!group2) 6164 goto fail; 6165 Qr = EC_POINT_new(group2); 6166 if (!Qr) { 6167 EC_GROUP_free(group2); 6168 goto fail; 6169 } 6170 hash_bn = BN_bin2bn(hash, curve->hash_len, NULL); 6171 if (!hash_bn || 6172 EC_POINT_mul(group2, Qr, NULL, Pr_point, hash_bn, bnctx) != 1) 6173 goto fail; 6174 if (EC_POINT_is_at_infinity(group, Qr)) { 6175 wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity"); 6176 goto fail; 6177 } 6178 dpp_debug_print_point("DPP: Qr", group, Qr); 6179 out: 6180 EC_KEY_free(Pr_ec); 6181 EVP_PKEY_free(Pr); 6182 BN_clear_free(hash_bn); 6183 if (ret_group) 6184 *ret_group = group2; 6185 return Qr; 6186 fail: 6187 EC_POINT_free(Qr); 6188 Qr = NULL; 6189 goto out; 6190 } 6191 6192 6193 #ifdef CONFIG_TESTING_OPTIONS 6194 static int dpp_test_gen_invalid_key(struct wpabuf *msg, 6195 const struct dpp_curve_params *curve) 6196 { 6197 BN_CTX *ctx; 6198 BIGNUM *x, *y; 6199 int ret = -1; 6200 EC_GROUP *group; 6201 EC_POINT *point; 6202 6203 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name)); 6204 if (!group) 6205 return -1; 6206 6207 ctx = BN_CTX_new(); 6208 point = EC_POINT_new(group); 6209 x = BN_new(); 6210 y = BN_new(); 6211 if (!ctx || !point || !x || !y) 6212 goto fail; 6213 6214 if (BN_rand(x, curve->prime_len * 8, 0, 0) != 1) 6215 goto fail; 6216 6217 /* Generate a random y coordinate that results in a point that is not 6218 * on the curve. */ 6219 for (;;) { 6220 if (BN_rand(y, curve->prime_len * 8, 0, 0) != 1) 6221 goto fail; 6222 6223 if (EC_POINT_set_affine_coordinates_GFp(group, point, x, y, 6224 ctx) != 1) { 6225 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL) 6226 /* Unlike older OpenSSL versions, OpenSSL 1.1.1 and BoringSSL 6227 * return an error from EC_POINT_set_affine_coordinates_GFp() 6228 * when the point is not on the curve. */ 6229 break; 6230 #else /* >=1.1.0 or OPENSSL_IS_BORINGSSL */ 6231 goto fail; 6232 #endif /* >= 1.1.0 or OPENSSL_IS_BORINGSSL */ 6233 } 6234 6235 if (!EC_POINT_is_on_curve(group, point, ctx)) 6236 break; 6237 } 6238 6239 if (dpp_bn2bin_pad(x, wpabuf_put(msg, curve->prime_len), 6240 curve->prime_len) < 0 || 6241 dpp_bn2bin_pad(y, wpabuf_put(msg, curve->prime_len), 6242 curve->prime_len) < 0) 6243 goto fail; 6244 6245 ret = 0; 6246 fail: 6247 if (ret < 0) 6248 wpa_printf(MSG_INFO, "DPP: Failed to generate invalid key"); 6249 BN_free(x); 6250 BN_free(y); 6251 EC_POINT_free(point); 6252 BN_CTX_free(ctx); 6253 6254 return ret; 6255 } 6256 #endif /* CONFIG_TESTING_OPTIONS */ 6257 6258 6259 static struct wpabuf * dpp_pkex_build_exchange_req(struct dpp_pkex *pkex) 6260 { 6261 EC_KEY *X_ec = NULL; 6262 const EC_POINT *X_point; 6263 BN_CTX *bnctx = NULL; 6264 const EC_GROUP *group; 6265 EC_POINT *Qi = NULL, *M = NULL; 6266 struct wpabuf *M_buf = NULL; 6267 BIGNUM *Mx = NULL, *My = NULL; 6268 struct wpabuf *msg = NULL; 6269 size_t attr_len; 6270 const struct dpp_curve_params *curve = pkex->own_bi->curve; 6271 6272 wpa_printf(MSG_DEBUG, "DPP: Build PKEX Exchange Request"); 6273 6274 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */ 6275 bnctx = BN_CTX_new(); 6276 if (!bnctx) 6277 goto fail; 6278 Qi = dpp_pkex_derive_Qi(curve, pkex->own_mac, pkex->code, 6279 pkex->identifier, bnctx, &group); 6280 if (!Qi) 6281 goto fail; 6282 6283 /* Generate a random ephemeral keypair x/X */ 6284 #ifdef CONFIG_TESTING_OPTIONS 6285 if (dpp_pkex_ephemeral_key_override_len) { 6286 const struct dpp_curve_params *tmp_curve; 6287 6288 wpa_printf(MSG_INFO, 6289 "DPP: TESTING - override ephemeral key x/X"); 6290 pkex->x = dpp_set_keypair(&tmp_curve, 6291 dpp_pkex_ephemeral_key_override, 6292 dpp_pkex_ephemeral_key_override_len); 6293 } else { 6294 pkex->x = dpp_gen_keypair(curve); 6295 } 6296 #else /* CONFIG_TESTING_OPTIONS */ 6297 pkex->x = dpp_gen_keypair(curve); 6298 #endif /* CONFIG_TESTING_OPTIONS */ 6299 if (!pkex->x) 6300 goto fail; 6301 6302 /* M = X + Qi */ 6303 X_ec = EVP_PKEY_get1_EC_KEY(pkex->x); 6304 if (!X_ec) 6305 goto fail; 6306 X_point = EC_KEY_get0_public_key(X_ec); 6307 if (!X_point) 6308 goto fail; 6309 dpp_debug_print_point("DPP: X", group, X_point); 6310 M = EC_POINT_new(group); 6311 Mx = BN_new(); 6312 My = BN_new(); 6313 if (!M || !Mx || !My || 6314 EC_POINT_add(group, M, X_point, Qi, bnctx) != 1 || 6315 EC_POINT_get_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1) 6316 goto fail; 6317 dpp_debug_print_point("DPP: M", group, M); 6318 6319 /* Initiator -> Responder: group, [identifier,] M */ 6320 attr_len = 4 + 2; 6321 if (pkex->identifier) 6322 attr_len += 4 + os_strlen(pkex->identifier); 6323 attr_len += 4 + 2 * curve->prime_len; 6324 msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_REQ, attr_len); 6325 if (!msg) 6326 goto fail; 6327 6328 #ifdef CONFIG_TESTING_OPTIONS 6329 if (dpp_test == DPP_TEST_NO_FINITE_CYCLIC_GROUP_PKEX_EXCHANGE_REQ) { 6330 wpa_printf(MSG_INFO, "DPP: TESTING - no Finite Cyclic Group"); 6331 goto skip_finite_cyclic_group; 6332 } 6333 #endif /* CONFIG_TESTING_OPTIONS */ 6334 6335 /* Finite Cyclic Group attribute */ 6336 wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP); 6337 wpabuf_put_le16(msg, 2); 6338 wpabuf_put_le16(msg, curve->ike_group); 6339 6340 #ifdef CONFIG_TESTING_OPTIONS 6341 skip_finite_cyclic_group: 6342 #endif /* CONFIG_TESTING_OPTIONS */ 6343 6344 /* Code Identifier attribute */ 6345 if (pkex->identifier) { 6346 wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER); 6347 wpabuf_put_le16(msg, os_strlen(pkex->identifier)); 6348 wpabuf_put_str(msg, pkex->identifier); 6349 } 6350 6351 #ifdef CONFIG_TESTING_OPTIONS 6352 if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) { 6353 wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key"); 6354 goto out; 6355 } 6356 #endif /* CONFIG_TESTING_OPTIONS */ 6357 6358 /* M in Encrypted Key attribute */ 6359 wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY); 6360 wpabuf_put_le16(msg, 2 * curve->prime_len); 6361 6362 #ifdef CONFIG_TESTING_OPTIONS 6363 if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) { 6364 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key"); 6365 if (dpp_test_gen_invalid_key(msg, curve) < 0) 6366 goto fail; 6367 goto out; 6368 } 6369 #endif /* CONFIG_TESTING_OPTIONS */ 6370 6371 if (dpp_bn2bin_pad(Mx, wpabuf_put(msg, curve->prime_len), 6372 curve->prime_len) < 0 || 6373 dpp_bn2bin_pad(Mx, pkex->Mx, curve->prime_len) < 0 || 6374 dpp_bn2bin_pad(My, wpabuf_put(msg, curve->prime_len), 6375 curve->prime_len) < 0) 6376 goto fail; 6377 6378 out: 6379 wpabuf_free(M_buf); 6380 EC_KEY_free(X_ec); 6381 EC_POINT_free(M); 6382 EC_POINT_free(Qi); 6383 BN_clear_free(Mx); 6384 BN_clear_free(My); 6385 BN_CTX_free(bnctx); 6386 return msg; 6387 fail: 6388 wpa_printf(MSG_INFO, "DPP: Failed to build PKEX Exchange Request"); 6389 wpabuf_free(msg); 6390 msg = NULL; 6391 goto out; 6392 } 6393 6394 6395 static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt) 6396 { 6397 wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt); 6398 } 6399 6400 6401 struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi, 6402 const u8 *own_mac, 6403 const char *identifier, 6404 const char *code) 6405 { 6406 struct dpp_pkex *pkex; 6407 6408 #ifdef CONFIG_TESTING_OPTIONS 6409 if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) { 6410 wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR, 6411 MAC2STR(dpp_pkex_own_mac_override)); 6412 own_mac = dpp_pkex_own_mac_override; 6413 } 6414 #endif /* CONFIG_TESTING_OPTIONS */ 6415 6416 pkex = os_zalloc(sizeof(*pkex)); 6417 if (!pkex) 6418 return NULL; 6419 pkex->msg_ctx = msg_ctx; 6420 pkex->initiator = 1; 6421 pkex->own_bi = bi; 6422 os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); 6423 if (identifier) { 6424 pkex->identifier = os_strdup(identifier); 6425 if (!pkex->identifier) 6426 goto fail; 6427 } 6428 pkex->code = os_strdup(code); 6429 if (!pkex->code) 6430 goto fail; 6431 pkex->exchange_req = dpp_pkex_build_exchange_req(pkex); 6432 if (!pkex->exchange_req) 6433 goto fail; 6434 return pkex; 6435 fail: 6436 dpp_pkex_free(pkex); 6437 return NULL; 6438 } 6439 6440 6441 static struct wpabuf * 6442 dpp_pkex_build_exchange_resp(struct dpp_pkex *pkex, 6443 enum dpp_status_error status, 6444 const BIGNUM *Nx, const BIGNUM *Ny) 6445 { 6446 struct wpabuf *msg = NULL; 6447 size_t attr_len; 6448 const struct dpp_curve_params *curve = pkex->own_bi->curve; 6449 6450 /* Initiator -> Responder: DPP Status, [identifier,] N */ 6451 attr_len = 4 + 1; 6452 if (pkex->identifier) 6453 attr_len += 4 + os_strlen(pkex->identifier); 6454 attr_len += 4 + 2 * curve->prime_len; 6455 msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_RESP, attr_len); 6456 if (!msg) 6457 goto fail; 6458 6459 #ifdef CONFIG_TESTING_OPTIONS 6460 if (dpp_test == DPP_TEST_NO_STATUS_PKEX_EXCHANGE_RESP) { 6461 wpa_printf(MSG_INFO, "DPP: TESTING - no Status"); 6462 goto skip_status; 6463 } 6464 6465 if (dpp_test == DPP_TEST_INVALID_STATUS_PKEX_EXCHANGE_RESP) { 6466 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status"); 6467 status = 255; 6468 } 6469 #endif /* CONFIG_TESTING_OPTIONS */ 6470 6471 /* DPP Status */ 6472 dpp_build_attr_status(msg, status); 6473 6474 #ifdef CONFIG_TESTING_OPTIONS 6475 skip_status: 6476 #endif /* CONFIG_TESTING_OPTIONS */ 6477 6478 /* Code Identifier attribute */ 6479 if (pkex->identifier) { 6480 wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER); 6481 wpabuf_put_le16(msg, os_strlen(pkex->identifier)); 6482 wpabuf_put_str(msg, pkex->identifier); 6483 } 6484 6485 if (status != DPP_STATUS_OK) 6486 goto skip_encrypted_key; 6487 6488 #ifdef CONFIG_TESTING_OPTIONS 6489 if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) { 6490 wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key"); 6491 goto skip_encrypted_key; 6492 } 6493 #endif /* CONFIG_TESTING_OPTIONS */ 6494 6495 /* N in Encrypted Key attribute */ 6496 wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY); 6497 wpabuf_put_le16(msg, 2 * curve->prime_len); 6498 6499 #ifdef CONFIG_TESTING_OPTIONS 6500 if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) { 6501 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key"); 6502 if (dpp_test_gen_invalid_key(msg, curve) < 0) 6503 goto fail; 6504 goto skip_encrypted_key; 6505 } 6506 #endif /* CONFIG_TESTING_OPTIONS */ 6507 6508 if (dpp_bn2bin_pad(Nx, wpabuf_put(msg, curve->prime_len), 6509 curve->prime_len) < 0 || 6510 dpp_bn2bin_pad(Nx, pkex->Nx, curve->prime_len) < 0 || 6511 dpp_bn2bin_pad(Ny, wpabuf_put(msg, curve->prime_len), 6512 curve->prime_len) < 0) 6513 goto fail; 6514 6515 skip_encrypted_key: 6516 if (status == DPP_STATUS_BAD_GROUP) { 6517 /* Finite Cyclic Group attribute */ 6518 wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP); 6519 wpabuf_put_le16(msg, 2); 6520 wpabuf_put_le16(msg, curve->ike_group); 6521 } 6522 6523 return msg; 6524 fail: 6525 wpabuf_free(msg); 6526 return NULL; 6527 } 6528 6529 6530 static int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp, 6531 const u8 *Mx, size_t Mx_len, 6532 const u8 *Nx, size_t Nx_len, 6533 const char *code, 6534 const u8 *Kx, size_t Kx_len, 6535 u8 *z, unsigned int hash_len) 6536 { 6537 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN]; 6538 int res; 6539 u8 *info, *pos; 6540 size_t info_len; 6541 6542 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x) 6543 */ 6544 6545 /* HKDF-Extract(<>, IKM=K.x) */ 6546 os_memset(salt, 0, hash_len); 6547 if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0) 6548 return -1; 6549 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)", 6550 prk, hash_len); 6551 info_len = 2 * ETH_ALEN + Mx_len + Nx_len + os_strlen(code); 6552 info = os_malloc(info_len); 6553 if (!info) 6554 return -1; 6555 pos = info; 6556 os_memcpy(pos, mac_init, ETH_ALEN); 6557 pos += ETH_ALEN; 6558 os_memcpy(pos, mac_resp, ETH_ALEN); 6559 pos += ETH_ALEN; 6560 os_memcpy(pos, Mx, Mx_len); 6561 pos += Mx_len; 6562 os_memcpy(pos, Nx, Nx_len); 6563 pos += Nx_len; 6564 os_memcpy(pos, code, os_strlen(code)); 6565 6566 /* HKDF-Expand(PRK, info, L) */ 6567 if (hash_len == 32) 6568 res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len, 6569 z, hash_len); 6570 else if (hash_len == 48) 6571 res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len, 6572 z, hash_len); 6573 else if (hash_len == 64) 6574 res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len, 6575 z, hash_len); 6576 else 6577 res = -1; 6578 os_free(info); 6579 os_memset(prk, 0, hash_len); 6580 if (res < 0) 6581 return -1; 6582 6583 wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)", 6584 z, hash_len); 6585 return 0; 6586 } 6587 6588 6589 static int dpp_pkex_identifier_match(const u8 *attr_id, u16 attr_id_len, 6590 const char *identifier) 6591 { 6592 if (!attr_id && identifier) { 6593 wpa_printf(MSG_DEBUG, 6594 "DPP: No PKEX code identifier received, but expected one"); 6595 return 0; 6596 } 6597 6598 if (attr_id && !identifier) { 6599 wpa_printf(MSG_DEBUG, 6600 "DPP: PKEX code identifier received, but not expecting one"); 6601 return 0; 6602 } 6603 6604 if (attr_id && identifier && 6605 (os_strlen(identifier) != attr_id_len || 6606 os_memcmp(identifier, attr_id, attr_id_len) != 0)) { 6607 wpa_printf(MSG_DEBUG, "DPP: PKEX code identifier mismatch"); 6608 return 0; 6609 } 6610 6611 return 1; 6612 } 6613 6614 6615 struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx, 6616 struct dpp_bootstrap_info *bi, 6617 const u8 *own_mac, 6618 const u8 *peer_mac, 6619 const char *identifier, 6620 const char *code, 6621 const u8 *buf, size_t len) 6622 { 6623 const u8 *attr_group, *attr_id, *attr_key; 6624 u16 attr_group_len, attr_id_len, attr_key_len; 6625 const struct dpp_curve_params *curve = bi->curve; 6626 u16 ike_group; 6627 struct dpp_pkex *pkex = NULL; 6628 EC_POINT *Qi = NULL, *Qr = NULL, *M = NULL, *X = NULL, *N = NULL; 6629 BN_CTX *bnctx = NULL; 6630 const EC_GROUP *group; 6631 BIGNUM *Mx = NULL, *My = NULL; 6632 EC_KEY *Y_ec = NULL, *X_ec = NULL;; 6633 const EC_POINT *Y_point; 6634 BIGNUM *Nx = NULL, *Ny = NULL; 6635 u8 Kx[DPP_MAX_SHARED_SECRET_LEN]; 6636 size_t Kx_len; 6637 int res; 6638 EVP_PKEY_CTX *ctx = NULL; 6639 6640 if (bi->pkex_t >= PKEX_COUNTER_T_LIMIT) { 6641 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 6642 "PKEX counter t limit reached - ignore message"); 6643 return NULL; 6644 } 6645 6646 #ifdef CONFIG_TESTING_OPTIONS 6647 if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) { 6648 wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR, 6649 MAC2STR(dpp_pkex_peer_mac_override)); 6650 peer_mac = dpp_pkex_peer_mac_override; 6651 } 6652 if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) { 6653 wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR, 6654 MAC2STR(dpp_pkex_own_mac_override)); 6655 own_mac = dpp_pkex_own_mac_override; 6656 } 6657 #endif /* CONFIG_TESTING_OPTIONS */ 6658 6659 attr_id_len = 0; 6660 attr_id = dpp_get_attr(buf, len, DPP_ATTR_CODE_IDENTIFIER, 6661 &attr_id_len); 6662 if (!dpp_pkex_identifier_match(attr_id, attr_id_len, identifier)) 6663 return NULL; 6664 6665 attr_group = dpp_get_attr(buf, len, DPP_ATTR_FINITE_CYCLIC_GROUP, 6666 &attr_group_len); 6667 if (!attr_group || attr_group_len != 2) { 6668 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 6669 "Missing or invalid Finite Cyclic Group attribute"); 6670 return NULL; 6671 } 6672 ike_group = WPA_GET_LE16(attr_group); 6673 if (ike_group != curve->ike_group) { 6674 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 6675 "Mismatching PKEX curve: peer=%u own=%u", 6676 ike_group, curve->ike_group); 6677 pkex = os_zalloc(sizeof(*pkex)); 6678 if (!pkex) 6679 goto fail; 6680 pkex->own_bi = bi; 6681 pkex->failed = 1; 6682 pkex->exchange_resp = dpp_pkex_build_exchange_resp( 6683 pkex, DPP_STATUS_BAD_GROUP, NULL, NULL); 6684 if (!pkex->exchange_resp) 6685 goto fail; 6686 return pkex; 6687 } 6688 6689 /* M in Encrypted Key attribute */ 6690 attr_key = dpp_get_attr(buf, len, DPP_ATTR_ENCRYPTED_KEY, 6691 &attr_key_len); 6692 if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2 || 6693 attr_key_len / 2 > DPP_MAX_SHARED_SECRET_LEN) { 6694 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 6695 "Missing Encrypted Key attribute"); 6696 return NULL; 6697 } 6698 6699 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */ 6700 bnctx = BN_CTX_new(); 6701 if (!bnctx) 6702 goto fail; 6703 Qi = dpp_pkex_derive_Qi(curve, peer_mac, code, identifier, bnctx, 6704 &group); 6705 if (!Qi) 6706 goto fail; 6707 6708 /* X' = M - Qi */ 6709 X = EC_POINT_new(group); 6710 M = EC_POINT_new(group); 6711 Mx = BN_bin2bn(attr_key, attr_key_len / 2, NULL); 6712 My = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL); 6713 if (!X || !M || !Mx || !My || 6714 EC_POINT_set_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1 || 6715 EC_POINT_is_at_infinity(group, M) || 6716 !EC_POINT_is_on_curve(group, M, bnctx) || 6717 EC_POINT_invert(group, Qi, bnctx) != 1 || 6718 EC_POINT_add(group, X, M, Qi, bnctx) != 1 || 6719 EC_POINT_is_at_infinity(group, X) || 6720 !EC_POINT_is_on_curve(group, X, bnctx)) { 6721 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL 6722 "Invalid Encrypted Key value"); 6723 bi->pkex_t++; 6724 goto fail; 6725 } 6726 dpp_debug_print_point("DPP: M", group, M); 6727 dpp_debug_print_point("DPP: X'", group, X); 6728 6729 pkex = os_zalloc(sizeof(*pkex)); 6730 if (!pkex) 6731 goto fail; 6732 pkex->t = bi->pkex_t; 6733 pkex->msg_ctx = msg_ctx; 6734 pkex->own_bi = bi; 6735 os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); 6736 os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); 6737 if (identifier) { 6738 pkex->identifier = os_strdup(identifier); 6739 if (!pkex->identifier) 6740 goto fail; 6741 } 6742 pkex->code = os_strdup(code); 6743 if (!pkex->code) 6744 goto fail; 6745 6746 os_memcpy(pkex->Mx, attr_key, attr_key_len / 2); 6747 6748 X_ec = EC_KEY_new(); 6749 if (!X_ec || 6750 EC_KEY_set_group(X_ec, group) != 1 || 6751 EC_KEY_set_public_key(X_ec, X) != 1) 6752 goto fail; 6753 pkex->x = EVP_PKEY_new(); 6754 if (!pkex->x || 6755 EVP_PKEY_set1_EC_KEY(pkex->x, X_ec) != 1) 6756 goto fail; 6757 6758 /* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */ 6759 Qr = dpp_pkex_derive_Qr(curve, own_mac, code, identifier, bnctx, NULL); 6760 if (!Qr) 6761 goto fail; 6762 6763 /* Generate a random ephemeral keypair y/Y */ 6764 #ifdef CONFIG_TESTING_OPTIONS 6765 if (dpp_pkex_ephemeral_key_override_len) { 6766 const struct dpp_curve_params *tmp_curve; 6767 6768 wpa_printf(MSG_INFO, 6769 "DPP: TESTING - override ephemeral key y/Y"); 6770 pkex->y = dpp_set_keypair(&tmp_curve, 6771 dpp_pkex_ephemeral_key_override, 6772 dpp_pkex_ephemeral_key_override_len); 6773 } else { 6774 pkex->y = dpp_gen_keypair(curve); 6775 } 6776 #else /* CONFIG_TESTING_OPTIONS */ 6777 pkex->y = dpp_gen_keypair(curve); 6778 #endif /* CONFIG_TESTING_OPTIONS */ 6779 if (!pkex->y) 6780 goto fail; 6781 6782 /* N = Y + Qr */ 6783 Y_ec = EVP_PKEY_get1_EC_KEY(pkex->y); 6784 if (!Y_ec) 6785 goto fail; 6786 Y_point = EC_KEY_get0_public_key(Y_ec); 6787 if (!Y_point) 6788 goto fail; 6789 dpp_debug_print_point("DPP: Y", group, Y_point); 6790 N = EC_POINT_new(group); 6791 Nx = BN_new(); 6792 Ny = BN_new(); 6793 if (!N || !Nx || !Ny || 6794 EC_POINT_add(group, N, Y_point, Qr, bnctx) != 1 || 6795 EC_POINT_get_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1) 6796 goto fail; 6797 dpp_debug_print_point("DPP: N", group, N); 6798 6799 pkex->exchange_resp = dpp_pkex_build_exchange_resp(pkex, DPP_STATUS_OK, 6800 Nx, Ny); 6801 if (!pkex->exchange_resp) 6802 goto fail; 6803 6804 /* K = y * X' */ 6805 ctx = EVP_PKEY_CTX_new(pkex->y, NULL); 6806 if (!ctx || 6807 EVP_PKEY_derive_init(ctx) != 1 || 6808 EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 || 6809 EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 || 6810 Kx_len > DPP_MAX_SHARED_SECRET_LEN || 6811 EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) { 6812 wpa_printf(MSG_ERROR, 6813 "DPP: Failed to derive ECDH shared secret: %s", 6814 ERR_error_string(ERR_get_error(), NULL)); 6815 goto fail; 6816 } 6817 6818 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)", 6819 Kx, Kx_len); 6820 6821 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x) 6822 */ 6823 res = dpp_pkex_derive_z(pkex->peer_mac, pkex->own_mac, 6824 pkex->Mx, curve->prime_len, 6825 pkex->Nx, curve->prime_len, pkex->code, 6826 Kx, Kx_len, pkex->z, curve->hash_len); 6827 os_memset(Kx, 0, Kx_len); 6828 if (res < 0) 6829 goto fail; 6830 6831 pkex->exchange_done = 1; 6832 6833 out: 6834 EVP_PKEY_CTX_free(ctx); 6835 BN_CTX_free(bnctx); 6836 EC_POINT_free(Qi); 6837 EC_POINT_free(Qr); 6838 BN_free(Mx); 6839 BN_free(My); 6840 BN_free(Nx); 6841 BN_free(Ny); 6842 EC_POINT_free(M); 6843 EC_POINT_free(N); 6844 EC_POINT_free(X); 6845 EC_KEY_free(X_ec); 6846 EC_KEY_free(Y_ec); 6847 return pkex; 6848 fail: 6849 wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request processing failed"); 6850 dpp_pkex_free(pkex); 6851 pkex = NULL; 6852 goto out; 6853 } 6854 6855 6856 static struct wpabuf * 6857 dpp_pkex_build_commit_reveal_req(struct dpp_pkex *pkex, 6858 const struct wpabuf *A_pub, const u8 *u) 6859 { 6860 const struct dpp_curve_params *curve = pkex->own_bi->curve; 6861 struct wpabuf *msg = NULL; 6862 size_t clear_len, attr_len; 6863 struct wpabuf *clear = NULL; 6864 u8 *wrapped; 6865 u8 octet; 6866 const u8 *addr[2]; 6867 size_t len[2]; 6868 6869 /* {A, u, [bootstrapping info]}z */ 6870 clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len; 6871 clear = wpabuf_alloc(clear_len); 6872 attr_len = 4 + clear_len + AES_BLOCK_SIZE; 6873 #ifdef CONFIG_TESTING_OPTIONS 6874 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ) 6875 attr_len += 5; 6876 #endif /* CONFIG_TESTING_OPTIONS */ 6877 msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_REQ, attr_len); 6878 if (!clear || !msg) 6879 goto fail; 6880 6881 #ifdef CONFIG_TESTING_OPTIONS 6882 if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_REQ) { 6883 wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key"); 6884 goto skip_bootstrap_key; 6885 } 6886 if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_REQ) { 6887 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key"); 6888 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY); 6889 wpabuf_put_le16(clear, 2 * curve->prime_len); 6890 if (dpp_test_gen_invalid_key(clear, curve) < 0) 6891 goto fail; 6892 goto skip_bootstrap_key; 6893 } 6894 #endif /* CONFIG_TESTING_OPTIONS */ 6895 6896 /* A in Bootstrap Key attribute */ 6897 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY); 6898 wpabuf_put_le16(clear, wpabuf_len(A_pub)); 6899 wpabuf_put_buf(clear, A_pub); 6900 6901 #ifdef CONFIG_TESTING_OPTIONS 6902 skip_bootstrap_key: 6903 if (dpp_test == DPP_TEST_NO_I_AUTH_TAG_PKEX_CR_REQ) { 6904 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Auth tag"); 6905 goto skip_i_auth_tag; 6906 } 6907 if (dpp_test == DPP_TEST_I_AUTH_TAG_MISMATCH_PKEX_CR_REQ) { 6908 wpa_printf(MSG_INFO, "DPP: TESTING - I-Auth tag mismatch"); 6909 wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG); 6910 wpabuf_put_le16(clear, curve->hash_len); 6911 wpabuf_put_data(clear, u, curve->hash_len - 1); 6912 wpabuf_put_u8(clear, u[curve->hash_len - 1] ^ 0x01); 6913 goto skip_i_auth_tag; 6914 } 6915 #endif /* CONFIG_TESTING_OPTIONS */ 6916 6917 /* u in I-Auth tag attribute */ 6918 wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG); 6919 wpabuf_put_le16(clear, curve->hash_len); 6920 wpabuf_put_data(clear, u, curve->hash_len); 6921 6922 #ifdef CONFIG_TESTING_OPTIONS 6923 skip_i_auth_tag: 6924 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_REQ) { 6925 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 6926 goto skip_wrapped_data; 6927 } 6928 #endif /* CONFIG_TESTING_OPTIONS */ 6929 6930 addr[0] = wpabuf_head_u8(msg) + 2; 6931 len[0] = DPP_HDR_LEN; 6932 octet = 0; 6933 addr[1] = &octet; 6934 len[1] = sizeof(octet); 6935 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 6936 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 6937 6938 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 6939 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 6940 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 6941 6942 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear); 6943 if (aes_siv_encrypt(pkex->z, curve->hash_len, 6944 wpabuf_head(clear), wpabuf_len(clear), 6945 2, addr, len, wrapped) < 0) 6946 goto fail; 6947 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 6948 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE); 6949 6950 #ifdef CONFIG_TESTING_OPTIONS 6951 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ) { 6952 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 6953 dpp_build_attr_status(msg, DPP_STATUS_OK); 6954 } 6955 skip_wrapped_data: 6956 #endif /* CONFIG_TESTING_OPTIONS */ 6957 6958 out: 6959 wpabuf_free(clear); 6960 return msg; 6961 6962 fail: 6963 wpabuf_free(msg); 6964 msg = NULL; 6965 goto out; 6966 } 6967 6968 6969 struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex, 6970 const u8 *peer_mac, 6971 const u8 *buf, size_t buflen) 6972 { 6973 const u8 *attr_status, *attr_id, *attr_key, *attr_group; 6974 u16 attr_status_len, attr_id_len, attr_key_len, attr_group_len; 6975 const EC_GROUP *group; 6976 BN_CTX *bnctx = NULL; 6977 struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL; 6978 const struct dpp_curve_params *curve = pkex->own_bi->curve; 6979 EC_POINT *Qr = NULL, *Y = NULL, *N = NULL; 6980 BIGNUM *Nx = NULL, *Ny = NULL; 6981 EVP_PKEY_CTX *ctx = NULL; 6982 EC_KEY *Y_ec = NULL; 6983 size_t Jx_len, Kx_len; 6984 u8 Jx[DPP_MAX_SHARED_SECRET_LEN], Kx[DPP_MAX_SHARED_SECRET_LEN]; 6985 const u8 *addr[4]; 6986 size_t len[4]; 6987 u8 u[DPP_MAX_HASH_LEN]; 6988 int res; 6989 6990 if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator) 6991 return NULL; 6992 6993 #ifdef CONFIG_TESTING_OPTIONS 6994 if (dpp_test == DPP_TEST_STOP_AT_PKEX_EXCHANGE_RESP) { 6995 wpa_printf(MSG_INFO, 6996 "DPP: TESTING - stop at PKEX Exchange Response"); 6997 pkex->failed = 1; 6998 return NULL; 6999 } 7000 7001 if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) { 7002 wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR, 7003 MAC2STR(dpp_pkex_peer_mac_override)); 7004 peer_mac = dpp_pkex_peer_mac_override; 7005 } 7006 #endif /* CONFIG_TESTING_OPTIONS */ 7007 7008 os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); 7009 7010 attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS, 7011 &attr_status_len); 7012 if (!attr_status || attr_status_len != 1) { 7013 dpp_pkex_fail(pkex, "No DPP Status attribute"); 7014 return NULL; 7015 } 7016 wpa_printf(MSG_DEBUG, "DPP: Status %u", attr_status[0]); 7017 7018 if (attr_status[0] == DPP_STATUS_BAD_GROUP) { 7019 attr_group = dpp_get_attr(buf, buflen, 7020 DPP_ATTR_FINITE_CYCLIC_GROUP, 7021 &attr_group_len); 7022 if (attr_group && attr_group_len == 2) { 7023 wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL 7024 "Peer indicated mismatching PKEX group - proposed %u", 7025 WPA_GET_LE16(attr_group)); 7026 return NULL; 7027 } 7028 } 7029 7030 if (attr_status[0] != DPP_STATUS_OK) { 7031 dpp_pkex_fail(pkex, "PKEX failed (peer indicated failure)"); 7032 return NULL; 7033 } 7034 7035 attr_id_len = 0; 7036 attr_id = dpp_get_attr(buf, buflen, DPP_ATTR_CODE_IDENTIFIER, 7037 &attr_id_len); 7038 if (!dpp_pkex_identifier_match(attr_id, attr_id_len, 7039 pkex->identifier)) { 7040 dpp_pkex_fail(pkex, "PKEX code identifier mismatch"); 7041 return NULL; 7042 } 7043 7044 /* N in Encrypted Key attribute */ 7045 attr_key = dpp_get_attr(buf, buflen, DPP_ATTR_ENCRYPTED_KEY, 7046 &attr_key_len); 7047 if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2) { 7048 dpp_pkex_fail(pkex, "Missing Encrypted Key attribute"); 7049 return NULL; 7050 } 7051 7052 /* Qr = H(MAC-Responder | [identifier |] code) * Pr */ 7053 bnctx = BN_CTX_new(); 7054 if (!bnctx) 7055 goto fail; 7056 Qr = dpp_pkex_derive_Qr(curve, pkex->peer_mac, pkex->code, 7057 pkex->identifier, bnctx, &group); 7058 if (!Qr) 7059 goto fail; 7060 7061 /* Y' = N - Qr */ 7062 Y = EC_POINT_new(group); 7063 N = EC_POINT_new(group); 7064 Nx = BN_bin2bn(attr_key, attr_key_len / 2, NULL); 7065 Ny = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL); 7066 if (!Y || !N || !Nx || !Ny || 7067 EC_POINT_set_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1 || 7068 EC_POINT_is_at_infinity(group, N) || 7069 !EC_POINT_is_on_curve(group, N, bnctx) || 7070 EC_POINT_invert(group, Qr, bnctx) != 1 || 7071 EC_POINT_add(group, Y, N, Qr, bnctx) != 1 || 7072 EC_POINT_is_at_infinity(group, Y) || 7073 !EC_POINT_is_on_curve(group, Y, bnctx)) { 7074 dpp_pkex_fail(pkex, "Invalid Encrypted Key value"); 7075 pkex->t++; 7076 goto fail; 7077 } 7078 dpp_debug_print_point("DPP: N", group, N); 7079 dpp_debug_print_point("DPP: Y'", group, Y); 7080 7081 pkex->exchange_done = 1; 7082 7083 /* ECDH: J = a * Y’ */ 7084 Y_ec = EC_KEY_new(); 7085 if (!Y_ec || 7086 EC_KEY_set_group(Y_ec, group) != 1 || 7087 EC_KEY_set_public_key(Y_ec, Y) != 1) 7088 goto fail; 7089 pkex->y = EVP_PKEY_new(); 7090 if (!pkex->y || 7091 EVP_PKEY_set1_EC_KEY(pkex->y, Y_ec) != 1) 7092 goto fail; 7093 ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL); 7094 if (!ctx || 7095 EVP_PKEY_derive_init(ctx) != 1 || 7096 EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 || 7097 EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 || 7098 Jx_len > DPP_MAX_SHARED_SECRET_LEN || 7099 EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) { 7100 wpa_printf(MSG_ERROR, 7101 "DPP: Failed to derive ECDH shared secret: %s", 7102 ERR_error_string(ERR_get_error(), NULL)); 7103 goto fail; 7104 } 7105 7106 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)", 7107 Jx, Jx_len); 7108 7109 /* u = HMAC(J.x, MAC-Initiator | A.x | Y’.x | X.x ) */ 7110 A_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0); 7111 Y_pub = dpp_get_pubkey_point(pkex->y, 0); 7112 X_pub = dpp_get_pubkey_point(pkex->x, 0); 7113 if (!A_pub || !Y_pub || !X_pub) 7114 goto fail; 7115 addr[0] = pkex->own_mac; 7116 len[0] = ETH_ALEN; 7117 addr[1] = wpabuf_head(A_pub); 7118 len[1] = wpabuf_len(A_pub) / 2; 7119 addr[2] = wpabuf_head(Y_pub); 7120 len[2] = wpabuf_len(Y_pub) / 2; 7121 addr[3] = wpabuf_head(X_pub); 7122 len[3] = wpabuf_len(X_pub) / 2; 7123 if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0) 7124 goto fail; 7125 wpa_hexdump(MSG_DEBUG, "DPP: u", u, curve->hash_len); 7126 7127 /* K = x * Y’ */ 7128 EVP_PKEY_CTX_free(ctx); 7129 ctx = EVP_PKEY_CTX_new(pkex->x, NULL); 7130 if (!ctx || 7131 EVP_PKEY_derive_init(ctx) != 1 || 7132 EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 || 7133 EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 || 7134 Kx_len > DPP_MAX_SHARED_SECRET_LEN || 7135 EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) { 7136 wpa_printf(MSG_ERROR, 7137 "DPP: Failed to derive ECDH shared secret: %s", 7138 ERR_error_string(ERR_get_error(), NULL)); 7139 goto fail; 7140 } 7141 7142 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)", 7143 Kx, Kx_len); 7144 7145 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x) 7146 */ 7147 res = dpp_pkex_derive_z(pkex->own_mac, pkex->peer_mac, 7148 pkex->Mx, curve->prime_len, 7149 attr_key /* N.x */, attr_key_len / 2, 7150 pkex->code, Kx, Kx_len, 7151 pkex->z, curve->hash_len); 7152 os_memset(Kx, 0, Kx_len); 7153 if (res < 0) 7154 goto fail; 7155 7156 msg = dpp_pkex_build_commit_reveal_req(pkex, A_pub, u); 7157 if (!msg) 7158 goto fail; 7159 7160 out: 7161 wpabuf_free(A_pub); 7162 wpabuf_free(X_pub); 7163 wpabuf_free(Y_pub); 7164 EC_POINT_free(Qr); 7165 EC_POINT_free(Y); 7166 EC_POINT_free(N); 7167 BN_free(Nx); 7168 BN_free(Ny); 7169 EC_KEY_free(Y_ec); 7170 EVP_PKEY_CTX_free(ctx); 7171 BN_CTX_free(bnctx); 7172 return msg; 7173 fail: 7174 wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response processing failed"); 7175 goto out; 7176 } 7177 7178 7179 static struct wpabuf * 7180 dpp_pkex_build_commit_reveal_resp(struct dpp_pkex *pkex, 7181 const struct wpabuf *B_pub, const u8 *v) 7182 { 7183 const struct dpp_curve_params *curve = pkex->own_bi->curve; 7184 struct wpabuf *msg = NULL; 7185 const u8 *addr[2]; 7186 size_t len[2]; 7187 u8 octet; 7188 u8 *wrapped; 7189 struct wpabuf *clear = NULL; 7190 size_t clear_len, attr_len; 7191 7192 /* {B, v [bootstrapping info]}z */ 7193 clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len; 7194 clear = wpabuf_alloc(clear_len); 7195 attr_len = 4 + clear_len + AES_BLOCK_SIZE; 7196 #ifdef CONFIG_TESTING_OPTIONS 7197 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP) 7198 attr_len += 5; 7199 #endif /* CONFIG_TESTING_OPTIONS */ 7200 msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_RESP, attr_len); 7201 if (!clear || !msg) 7202 goto fail; 7203 7204 #ifdef CONFIG_TESTING_OPTIONS 7205 if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_RESP) { 7206 wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key"); 7207 goto skip_bootstrap_key; 7208 } 7209 if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_RESP) { 7210 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key"); 7211 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY); 7212 wpabuf_put_le16(clear, 2 * curve->prime_len); 7213 if (dpp_test_gen_invalid_key(clear, curve) < 0) 7214 goto fail; 7215 goto skip_bootstrap_key; 7216 } 7217 #endif /* CONFIG_TESTING_OPTIONS */ 7218 7219 /* B in Bootstrap Key attribute */ 7220 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY); 7221 wpabuf_put_le16(clear, wpabuf_len(B_pub)); 7222 wpabuf_put_buf(clear, B_pub); 7223 7224 #ifdef CONFIG_TESTING_OPTIONS 7225 skip_bootstrap_key: 7226 if (dpp_test == DPP_TEST_NO_R_AUTH_TAG_PKEX_CR_RESP) { 7227 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth tag"); 7228 goto skip_r_auth_tag; 7229 } 7230 if (dpp_test == DPP_TEST_R_AUTH_TAG_MISMATCH_PKEX_CR_RESP) { 7231 wpa_printf(MSG_INFO, "DPP: TESTING - R-Auth tag mismatch"); 7232 wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG); 7233 wpabuf_put_le16(clear, curve->hash_len); 7234 wpabuf_put_data(clear, v, curve->hash_len - 1); 7235 wpabuf_put_u8(clear, v[curve->hash_len - 1] ^ 0x01); 7236 goto skip_r_auth_tag; 7237 } 7238 #endif /* CONFIG_TESTING_OPTIONS */ 7239 7240 /* v in R-Auth tag attribute */ 7241 wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG); 7242 wpabuf_put_le16(clear, curve->hash_len); 7243 wpabuf_put_data(clear, v, curve->hash_len); 7244 7245 #ifdef CONFIG_TESTING_OPTIONS 7246 skip_r_auth_tag: 7247 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_RESP) { 7248 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data"); 7249 goto skip_wrapped_data; 7250 } 7251 #endif /* CONFIG_TESTING_OPTIONS */ 7252 7253 addr[0] = wpabuf_head_u8(msg) + 2; 7254 len[0] = DPP_HDR_LEN; 7255 octet = 1; 7256 addr[1] = &octet; 7257 len[1] = sizeof(octet); 7258 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 7259 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 7260 7261 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA); 7262 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 7263 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE); 7264 7265 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear); 7266 if (aes_siv_encrypt(pkex->z, curve->hash_len, 7267 wpabuf_head(clear), wpabuf_len(clear), 7268 2, addr, len, wrapped) < 0) 7269 goto fail; 7270 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 7271 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE); 7272 7273 #ifdef CONFIG_TESTING_OPTIONS 7274 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP) { 7275 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data"); 7276 dpp_build_attr_status(msg, DPP_STATUS_OK); 7277 } 7278 skip_wrapped_data: 7279 #endif /* CONFIG_TESTING_OPTIONS */ 7280 7281 out: 7282 wpabuf_free(clear); 7283 return msg; 7284 7285 fail: 7286 wpabuf_free(msg); 7287 msg = NULL; 7288 goto out; 7289 } 7290 7291 7292 struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex, 7293 const u8 *hdr, 7294 const u8 *buf, size_t buflen) 7295 { 7296 const struct dpp_curve_params *curve = pkex->own_bi->curve; 7297 EVP_PKEY_CTX *ctx = NULL; 7298 size_t Jx_len, Lx_len; 7299 u8 Jx[DPP_MAX_SHARED_SECRET_LEN]; 7300 u8 Lx[DPP_MAX_SHARED_SECRET_LEN]; 7301 const u8 *wrapped_data, *b_key, *peer_u; 7302 u16 wrapped_data_len, b_key_len, peer_u_len = 0; 7303 const u8 *addr[4]; 7304 size_t len[4]; 7305 u8 octet; 7306 u8 *unwrapped = NULL; 7307 size_t unwrapped_len = 0; 7308 struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL; 7309 struct wpabuf *B_pub = NULL; 7310 u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN]; 7311 7312 #ifdef CONFIG_TESTING_OPTIONS 7313 if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_REQ) { 7314 wpa_printf(MSG_INFO, 7315 "DPP: TESTING - stop at PKEX CR Request"); 7316 pkex->failed = 1; 7317 return NULL; 7318 } 7319 #endif /* CONFIG_TESTING_OPTIONS */ 7320 7321 if (!pkex->exchange_done || pkex->failed || 7322 pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator) 7323 goto fail; 7324 7325 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA, 7326 &wrapped_data_len); 7327 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 7328 dpp_pkex_fail(pkex, 7329 "Missing or invalid required Wrapped Data attribute"); 7330 goto fail; 7331 } 7332 7333 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 7334 wrapped_data, wrapped_data_len); 7335 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 7336 unwrapped = os_malloc(unwrapped_len); 7337 if (!unwrapped) 7338 goto fail; 7339 7340 addr[0] = hdr; 7341 len[0] = DPP_HDR_LEN; 7342 octet = 0; 7343 addr[1] = &octet; 7344 len[1] = sizeof(octet); 7345 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 7346 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 7347 7348 if (aes_siv_decrypt(pkex->z, curve->hash_len, 7349 wrapped_data, wrapped_data_len, 7350 2, addr, len, unwrapped) < 0) { 7351 dpp_pkex_fail(pkex, 7352 "AES-SIV decryption failed - possible PKEX code mismatch"); 7353 pkex->failed = 1; 7354 pkex->t++; 7355 goto fail; 7356 } 7357 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 7358 unwrapped, unwrapped_len); 7359 7360 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 7361 dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data"); 7362 goto fail; 7363 } 7364 7365 b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY, 7366 &b_key_len); 7367 if (!b_key || b_key_len != 2 * curve->prime_len) { 7368 dpp_pkex_fail(pkex, "No valid peer bootstrapping key found"); 7369 goto fail; 7370 } 7371 pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key, 7372 b_key_len); 7373 if (!pkex->peer_bootstrap_key) { 7374 dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid"); 7375 goto fail; 7376 } 7377 dpp_debug_print_key("DPP: Peer bootstrap public key", 7378 pkex->peer_bootstrap_key); 7379 7380 /* ECDH: J' = y * A' */ 7381 ctx = EVP_PKEY_CTX_new(pkex->y, NULL); 7382 if (!ctx || 7383 EVP_PKEY_derive_init(ctx) != 1 || 7384 EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 || 7385 EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 || 7386 Jx_len > DPP_MAX_SHARED_SECRET_LEN || 7387 EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) { 7388 wpa_printf(MSG_ERROR, 7389 "DPP: Failed to derive ECDH shared secret: %s", 7390 ERR_error_string(ERR_get_error(), NULL)); 7391 goto fail; 7392 } 7393 7394 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)", 7395 Jx, Jx_len); 7396 7397 /* u' = HMAC(J'.x, MAC-Initiator | A'.x | Y.x | X'.x) */ 7398 A_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0); 7399 Y_pub = dpp_get_pubkey_point(pkex->y, 0); 7400 X_pub = dpp_get_pubkey_point(pkex->x, 0); 7401 if (!A_pub || !Y_pub || !X_pub) 7402 goto fail; 7403 addr[0] = pkex->peer_mac; 7404 len[0] = ETH_ALEN; 7405 addr[1] = wpabuf_head(A_pub); 7406 len[1] = wpabuf_len(A_pub) / 2; 7407 addr[2] = wpabuf_head(Y_pub); 7408 len[2] = wpabuf_len(Y_pub) / 2; 7409 addr[3] = wpabuf_head(X_pub); 7410 len[3] = wpabuf_len(X_pub) / 2; 7411 if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0) 7412 goto fail; 7413 7414 peer_u = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG, 7415 &peer_u_len); 7416 if (!peer_u || peer_u_len != curve->hash_len || 7417 os_memcmp(peer_u, u, curve->hash_len) != 0) { 7418 dpp_pkex_fail(pkex, "No valid u (I-Auth tag) found"); 7419 wpa_hexdump(MSG_DEBUG, "DPP: Calculated u'", 7420 u, curve->hash_len); 7421 wpa_hexdump(MSG_DEBUG, "DPP: Received u", peer_u, peer_u_len); 7422 pkex->t++; 7423 goto fail; 7424 } 7425 wpa_printf(MSG_DEBUG, "DPP: Valid u (I-Auth tag) received"); 7426 7427 /* ECDH: L = b * X' */ 7428 EVP_PKEY_CTX_free(ctx); 7429 ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL); 7430 if (!ctx || 7431 EVP_PKEY_derive_init(ctx) != 1 || 7432 EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 || 7433 EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 || 7434 Lx_len > DPP_MAX_SHARED_SECRET_LEN || 7435 EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) { 7436 wpa_printf(MSG_ERROR, 7437 "DPP: Failed to derive ECDH shared secret: %s", 7438 ERR_error_string(ERR_get_error(), NULL)); 7439 goto fail; 7440 } 7441 7442 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)", 7443 Lx, Lx_len); 7444 7445 /* v = HMAC(L.x, MAC-Responder | B.x | X'.x | Y.x) */ 7446 B_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0); 7447 if (!B_pub) 7448 goto fail; 7449 addr[0] = pkex->own_mac; 7450 len[0] = ETH_ALEN; 7451 addr[1] = wpabuf_head(B_pub); 7452 len[1] = wpabuf_len(B_pub) / 2; 7453 addr[2] = wpabuf_head(X_pub); 7454 len[2] = wpabuf_len(X_pub) / 2; 7455 addr[3] = wpabuf_head(Y_pub); 7456 len[3] = wpabuf_len(Y_pub) / 2; 7457 if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0) 7458 goto fail; 7459 wpa_hexdump(MSG_DEBUG, "DPP: v", v, curve->hash_len); 7460 7461 msg = dpp_pkex_build_commit_reveal_resp(pkex, B_pub, v); 7462 if (!msg) 7463 goto fail; 7464 7465 out: 7466 EVP_PKEY_CTX_free(ctx); 7467 os_free(unwrapped); 7468 wpabuf_free(A_pub); 7469 wpabuf_free(B_pub); 7470 wpabuf_free(X_pub); 7471 wpabuf_free(Y_pub); 7472 return msg; 7473 fail: 7474 wpa_printf(MSG_DEBUG, 7475 "DPP: PKEX Commit-Reveal Request processing failed"); 7476 goto out; 7477 } 7478 7479 7480 int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr, 7481 const u8 *buf, size_t buflen) 7482 { 7483 const struct dpp_curve_params *curve = pkex->own_bi->curve; 7484 const u8 *wrapped_data, *b_key, *peer_v; 7485 u16 wrapped_data_len, b_key_len, peer_v_len = 0; 7486 const u8 *addr[4]; 7487 size_t len[4]; 7488 u8 octet; 7489 u8 *unwrapped = NULL; 7490 size_t unwrapped_len = 0; 7491 int ret = -1; 7492 u8 v[DPP_MAX_HASH_LEN]; 7493 size_t Lx_len; 7494 u8 Lx[DPP_MAX_SHARED_SECRET_LEN]; 7495 EVP_PKEY_CTX *ctx = NULL; 7496 struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL; 7497 7498 #ifdef CONFIG_TESTING_OPTIONS 7499 if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_RESP) { 7500 wpa_printf(MSG_INFO, 7501 "DPP: TESTING - stop at PKEX CR Response"); 7502 pkex->failed = 1; 7503 goto fail; 7504 } 7505 #endif /* CONFIG_TESTING_OPTIONS */ 7506 7507 if (!pkex->exchange_done || pkex->failed || 7508 pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator) 7509 goto fail; 7510 7511 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA, 7512 &wrapped_data_len); 7513 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) { 7514 dpp_pkex_fail(pkex, 7515 "Missing or invalid required Wrapped Data attribute"); 7516 goto fail; 7517 } 7518 7519 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext", 7520 wrapped_data, wrapped_data_len); 7521 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE; 7522 unwrapped = os_malloc(unwrapped_len); 7523 if (!unwrapped) 7524 goto fail; 7525 7526 addr[0] = hdr; 7527 len[0] = DPP_HDR_LEN; 7528 octet = 1; 7529 addr[1] = &octet; 7530 len[1] = sizeof(octet); 7531 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]); 7532 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]); 7533 7534 if (aes_siv_decrypt(pkex->z, curve->hash_len, 7535 wrapped_data, wrapped_data_len, 7536 2, addr, len, unwrapped) < 0) { 7537 dpp_pkex_fail(pkex, 7538 "AES-SIV decryption failed - possible PKEX code mismatch"); 7539 pkex->t++; 7540 goto fail; 7541 } 7542 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", 7543 unwrapped, unwrapped_len); 7544 7545 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) { 7546 dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data"); 7547 goto fail; 7548 } 7549 7550 b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY, 7551 &b_key_len); 7552 if (!b_key || b_key_len != 2 * curve->prime_len) { 7553 dpp_pkex_fail(pkex, "No valid peer bootstrapping key found"); 7554 goto fail; 7555 } 7556 pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key, 7557 b_key_len); 7558 if (!pkex->peer_bootstrap_key) { 7559 dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid"); 7560 goto fail; 7561 } 7562 dpp_debug_print_key("DPP: Peer bootstrap public key", 7563 pkex->peer_bootstrap_key); 7564 7565 /* ECDH: L' = x * B' */ 7566 ctx = EVP_PKEY_CTX_new(pkex->x, NULL); 7567 if (!ctx || 7568 EVP_PKEY_derive_init(ctx) != 1 || 7569 EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 || 7570 EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 || 7571 Lx_len > DPP_MAX_SHARED_SECRET_LEN || 7572 EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) { 7573 wpa_printf(MSG_ERROR, 7574 "DPP: Failed to derive ECDH shared secret: %s", 7575 ERR_error_string(ERR_get_error(), NULL)); 7576 goto fail; 7577 } 7578 7579 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)", 7580 Lx, Lx_len); 7581 7582 /* v' = HMAC(L.x, MAC-Responder | B'.x | X.x | Y'.x) */ 7583 B_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0); 7584 X_pub = dpp_get_pubkey_point(pkex->x, 0); 7585 Y_pub = dpp_get_pubkey_point(pkex->y, 0); 7586 if (!B_pub || !X_pub || !Y_pub) 7587 goto fail; 7588 addr[0] = pkex->peer_mac; 7589 len[0] = ETH_ALEN; 7590 addr[1] = wpabuf_head(B_pub); 7591 len[1] = wpabuf_len(B_pub) / 2; 7592 addr[2] = wpabuf_head(X_pub); 7593 len[2] = wpabuf_len(X_pub) / 2; 7594 addr[3] = wpabuf_head(Y_pub); 7595 len[3] = wpabuf_len(Y_pub) / 2; 7596 if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0) 7597 goto fail; 7598 7599 peer_v = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_AUTH_TAG, 7600 &peer_v_len); 7601 if (!peer_v || peer_v_len != curve->hash_len || 7602 os_memcmp(peer_v, v, curve->hash_len) != 0) { 7603 dpp_pkex_fail(pkex, "No valid v (R-Auth tag) found"); 7604 wpa_hexdump(MSG_DEBUG, "DPP: Calculated v'", 7605 v, curve->hash_len); 7606 wpa_hexdump(MSG_DEBUG, "DPP: Received v", peer_v, peer_v_len); 7607 pkex->t++; 7608 goto fail; 7609 } 7610 wpa_printf(MSG_DEBUG, "DPP: Valid v (R-Auth tag) received"); 7611 7612 ret = 0; 7613 out: 7614 wpabuf_free(B_pub); 7615 wpabuf_free(X_pub); 7616 wpabuf_free(Y_pub); 7617 EVP_PKEY_CTX_free(ctx); 7618 os_free(unwrapped); 7619 return ret; 7620 fail: 7621 goto out; 7622 } 7623 7624 7625 void dpp_pkex_free(struct dpp_pkex *pkex) 7626 { 7627 if (!pkex) 7628 return; 7629 7630 os_free(pkex->identifier); 7631 os_free(pkex->code); 7632 EVP_PKEY_free(pkex->x); 7633 EVP_PKEY_free(pkex->y); 7634 EVP_PKEY_free(pkex->peer_bootstrap_key); 7635 wpabuf_free(pkex->exchange_req); 7636 wpabuf_free(pkex->exchange_resp); 7637 os_free(pkex); 7638 } 7639 7640 7641 #ifdef CONFIG_TESTING_OPTIONS 7642 char * dpp_corrupt_connector_signature(const char *connector) 7643 { 7644 char *tmp, *pos, *signed3 = NULL; 7645 unsigned char *signature = NULL; 7646 size_t signature_len = 0, signed3_len; 7647 7648 tmp = os_zalloc(os_strlen(connector) + 5); 7649 if (!tmp) 7650 goto fail; 7651 os_memcpy(tmp, connector, os_strlen(connector)); 7652 7653 pos = os_strchr(tmp, '.'); 7654 if (!pos) 7655 goto fail; 7656 7657 pos = os_strchr(pos + 1, '.'); 7658 if (!pos) 7659 goto fail; 7660 pos++; 7661 7662 wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s", 7663 pos); 7664 signature = base64_url_decode((const unsigned char *) pos, 7665 os_strlen(pos), &signature_len); 7666 if (!signature || signature_len == 0) 7667 goto fail; 7668 wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature", 7669 signature, signature_len); 7670 signature[signature_len - 1] ^= 0x01; 7671 wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature", 7672 signature, signature_len); 7673 signed3 = (char *) base64_url_encode(signature, signature_len, 7674 &signed3_len, 0); 7675 if (!signed3) 7676 goto fail; 7677 os_memcpy(pos, signed3, signed3_len); 7678 pos[signed3_len] = '\0'; 7679 wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s", 7680 pos); 7681 7682 out: 7683 os_free(signature); 7684 os_free(signed3); 7685 return tmp; 7686 fail: 7687 os_free(tmp); 7688 tmp = NULL; 7689 goto out; 7690 } 7691 #endif /* CONFIG_TESTING_OPTIONS */ 7692