xref: /freebsd/contrib/wpa/src/common/dpp_crypto.c (revision 3750ccefb8629a08890bfbae894dd6bc6a7483b4)
1 /*
2  * DPP crypto functionality
3  * Copyright (c) 2017, Qualcomm Atheros, Inc.
4  * Copyright (c) 2018-2020, The Linux Foundation
5  *
6  * This software may be distributed under the terms of the BSD license.
7  * See README for more details.
8  */
9 
10 #include "utils/includes.h"
11 
12 #include "utils/common.h"
13 #include "utils/base64.h"
14 #include "utils/json.h"
15 #include "common/ieee802_11_defs.h"
16 #include "crypto/crypto.h"
17 #include "crypto/random.h"
18 #include "crypto/sha384.h"
19 #include "crypto/sha512.h"
20 #include "tls/asn1.h"
21 #include "dpp.h"
22 #include "dpp_i.h"
23 
24 
25 static const struct dpp_curve_params dpp_curves[] = {
26 	/* The mandatory to support and the default NIST P-256 curve needs to
27 	 * be the first entry on this list. */
28 	{ "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
29 	{ "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
30 	{ "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
31 	{ "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
32 	{ "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
33 	{ "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
34 	{ NULL, 0, 0, 0, 0, NULL, 0, NULL }
35 };
36 
37 
38 const struct dpp_curve_params * dpp_get_curve_name(const char *name)
39 {
40 	int i;
41 
42 	if (!name)
43 		return &dpp_curves[0];
44 
45 	for (i = 0; dpp_curves[i].name; i++) {
46 		if (os_strcmp(name, dpp_curves[i].name) == 0 ||
47 		    (dpp_curves[i].jwk_crv &&
48 		     os_strcmp(name, dpp_curves[i].jwk_crv) == 0))
49 			return &dpp_curves[i];
50 	}
51 	return NULL;
52 }
53 
54 
55 const struct dpp_curve_params * dpp_get_curve_jwk_crv(const char *name)
56 {
57 	int i;
58 
59 	for (i = 0; dpp_curves[i].name; i++) {
60 		if (dpp_curves[i].jwk_crv &&
61 		    os_strcmp(name, dpp_curves[i].jwk_crv) == 0)
62 			return &dpp_curves[i];
63 	}
64 	return NULL;
65 }
66 
67 
68 const struct dpp_curve_params * dpp_get_curve_ike_group(u16 group)
69 {
70 	int i;
71 
72 	for (i = 0; dpp_curves[i].name; i++) {
73 		if (dpp_curves[i].ike_group == group)
74 			return &dpp_curves[i];
75 	}
76 	return NULL;
77 }
78 
79 
80 void dpp_debug_print_key(const char *title, struct crypto_ec_key *key)
81 {
82 	struct wpabuf *der = NULL;
83 
84 	crypto_ec_key_debug_print(key, title);
85 
86 	der = crypto_ec_key_get_ecprivate_key(key, true);
87 	if (der) {
88 		wpa_hexdump_buf_key(MSG_DEBUG, "DPP: ECPrivateKey", der);
89 	} else {
90 		der = crypto_ec_key_get_subject_public_key(key);
91 		if (der)
92 			wpa_hexdump_buf_key(MSG_DEBUG, "DPP: EC_PUBKEY", der);
93 	}
94 
95 	wpabuf_clear_free(der);
96 }
97 
98 
99 static int dpp_hash_vector(const struct dpp_curve_params *curve,
100 			   size_t num_elem, const u8 *addr[], const size_t *len,
101 			   u8 *mac)
102 {
103 	if (curve->hash_len == 32)
104 		return sha256_vector(num_elem, addr, len, mac);
105 	if (curve->hash_len == 48)
106 		return sha384_vector(num_elem, addr, len, mac);
107 	if (curve->hash_len == 64)
108 		return sha512_vector(num_elem, addr, len, mac);
109 	return -1;
110 }
111 
112 
113 int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
114 		    const char *label, u8 *out, size_t outlen)
115 {
116 	if (hash_len == 32)
117 		return hmac_sha256_kdf(secret, secret_len, NULL,
118 				       (const u8 *) label, os_strlen(label),
119 				       out, outlen);
120 	if (hash_len == 48)
121 		return hmac_sha384_kdf(secret, secret_len, NULL,
122 				       (const u8 *) label, os_strlen(label),
123 				       out, outlen);
124 	if (hash_len == 64)
125 		return hmac_sha512_kdf(secret, secret_len, NULL,
126 				       (const u8 *) label, os_strlen(label),
127 				       out, outlen);
128 	return -1;
129 }
130 
131 
132 int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
133 		    size_t num_elem, const u8 *addr[], const size_t *len,
134 		    u8 *mac)
135 {
136 	if (hash_len == 32)
137 		return hmac_sha256_vector(key, key_len, num_elem, addr, len,
138 					  mac);
139 	if (hash_len == 48)
140 		return hmac_sha384_vector(key, key_len, num_elem, addr, len,
141 					  mac);
142 	if (hash_len == 64)
143 		return hmac_sha512_vector(key, key_len, num_elem, addr, len,
144 					  mac);
145 	return -1;
146 }
147 
148 
149 static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len,
150 		    const u8 *data, size_t data_len, u8 *mac)
151 {
152 	if (hash_len == 32)
153 		return hmac_sha256(key, key_len, data, data_len, mac);
154 	if (hash_len == 48)
155 		return hmac_sha384(key, key_len, data, data_len, mac);
156 	if (hash_len == 64)
157 		return hmac_sha512(key, key_len, data, data_len, mac);
158 	return -1;
159 }
160 
161 
162 #ifdef CONFIG_DPP2
163 
164 static int dpp_pbkdf2_f(size_t hash_len,
165 			const u8 *password, size_t password_len,
166 			const u8 *salt, size_t salt_len,
167 			unsigned int iterations, unsigned int count, u8 *digest)
168 {
169 	unsigned char tmp[DPP_MAX_HASH_LEN], tmp2[DPP_MAX_HASH_LEN];
170 	unsigned int i;
171 	size_t j;
172 	u8 count_buf[4];
173 	const u8 *addr[2];
174 	size_t len[2];
175 
176 	addr[0] = salt;
177 	len[0] = salt_len;
178 	addr[1] = count_buf;
179 	len[1] = 4;
180 
181 	/* F(P, S, c, i) = U1 xor U2 xor ... Uc
182 	 * U1 = PRF(P, S || i)
183 	 * U2 = PRF(P, U1)
184 	 * Uc = PRF(P, Uc-1)
185 	 */
186 
187 	WPA_PUT_BE32(count_buf, count);
188 	if (dpp_hmac_vector(hash_len, password, password_len, 2, addr, len,
189 			    tmp))
190 		return -1;
191 	os_memcpy(digest, tmp, hash_len);
192 
193 	for (i = 1; i < iterations; i++) {
194 		if (dpp_hmac(hash_len, password, password_len, tmp, hash_len,
195 			     tmp2))
196 			return -1;
197 		os_memcpy(tmp, tmp2, hash_len);
198 		for (j = 0; j < hash_len; j++)
199 			digest[j] ^= tmp2[j];
200 	}
201 
202 	return 0;
203 }
204 
205 
206 int dpp_pbkdf2(size_t hash_len, const u8 *password, size_t password_len,
207 	       const u8 *salt, size_t salt_len, unsigned int iterations,
208 	       u8 *buf, size_t buflen)
209 {
210 	unsigned int count = 0;
211 	unsigned char *pos = buf;
212 	size_t left = buflen, plen;
213 	unsigned char digest[DPP_MAX_HASH_LEN];
214 
215 	while (left > 0) {
216 		count++;
217 		if (dpp_pbkdf2_f(hash_len, password, password_len,
218 				 salt, salt_len, iterations, count, digest))
219 			return -1;
220 		plen = left > hash_len ? hash_len : left;
221 		os_memcpy(pos, digest, plen);
222 		pos += plen;
223 		left -= plen;
224 	}
225 
226 	return 0;
227 }
228 
229 #endif /* CONFIG_DPP2 */
230 
231 
232 struct crypto_ec_key * dpp_set_pubkey_point(struct crypto_ec_key *group_key,
233 					    const u8 *buf, size_t len)
234 {
235 	int ike_group = crypto_ec_key_group(group_key);
236 
237 	if (len & 1)
238 		return NULL;
239 
240 	if (ike_group < 0) {
241 		wpa_printf(MSG_ERROR, "DPP: Could not get EC group");
242 		return NULL;
243 	}
244 
245 	return crypto_ec_key_set_pub(ike_group, buf, buf + len / 2, len / 2);
246 }
247 
248 
249 int dpp_get_pubkey_hash(struct crypto_ec_key *key, u8 *hash)
250 {
251 	struct wpabuf *uncomp;
252 	const u8 *addr[1];
253 	size_t len[1];
254 	int res;
255 
256 	if (!key)
257 		return -1;
258 
259 	uncomp = crypto_ec_key_get_pubkey_point(key, 1);
260 	if (!uncomp)
261 		return -1;
262 	addr[0] = wpabuf_head(uncomp);
263 	len[0] = wpabuf_len(uncomp);
264 	res = sha256_vector(1, addr, len, hash);
265 	wpabuf_free(uncomp);
266 	return res;
267 }
268 
269 
270 struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
271 {
272 	struct crypto_ec_key *key;
273 
274 	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
275 
276 	key = crypto_ec_key_gen(curve->ike_group);
277 	if (key && wpa_debug_show_keys)
278 	    dpp_debug_print_key("Own generated key", key);
279 
280 	return key;
281 }
282 
283 
284 struct crypto_ec_key * dpp_set_keypair(const struct dpp_curve_params **curve,
285 				       const u8 *privkey, size_t privkey_len)
286 {
287 	struct crypto_ec_key *key;
288 	int group;
289 
290 	key = crypto_ec_key_parse_priv(privkey, privkey_len);
291 	if (!key) {
292 		wpa_printf(MSG_INFO, "DPP: Failed to parse private key");
293 		return NULL;
294 	}
295 
296 	group = crypto_ec_key_group(key);
297 	if (group < 0) {
298 		crypto_ec_key_deinit(key);
299 		return NULL;
300 	}
301 
302 	*curve = dpp_get_curve_ike_group(group);
303 	if (!*curve) {
304 		wpa_printf(MSG_INFO,
305 			   "DPP: Unsupported curve (group=%d) in pre-assigned key",
306 			   group);
307 		crypto_ec_key_deinit(key);
308 		return NULL;
309 	}
310 
311 	return key;
312 }
313 
314 
315 int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi)
316 {
317 	struct wpabuf *der;
318 	int res;
319 
320 	der = crypto_ec_key_get_subject_public_key(bi->pubkey);
321 	if (!der)
322 		return -1;
323 	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
324 			der);
325 	res = dpp_bi_pubkey_hash(bi, wpabuf_head(der), wpabuf_len(der));
326 	if (res < 0)
327 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
328 	wpabuf_free(der);
329 	return res;
330 }
331 
332 
333 int dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve,
334 	       const u8 *privkey, size_t privkey_len)
335 {
336 	char *base64 = NULL;
337 	char *pos, *end;
338 	size_t len;
339 	struct wpabuf *der = NULL;
340 
341 	bi->curve = dpp_get_curve_name(curve);
342 	if (!bi->curve) {
343 		wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", curve);
344 		return -1;
345 	}
346 
347 	if (privkey)
348 		bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len);
349 	else
350 		bi->pubkey = dpp_gen_keypair(bi->curve);
351 	if (!bi->pubkey)
352 		goto fail;
353 	bi->own = 1;
354 
355 	der = crypto_ec_key_get_subject_public_key(bi->pubkey);
356 	if (!der)
357 		goto fail;
358 	wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
359 			der);
360 
361 	if (dpp_bi_pubkey_hash(bi, wpabuf_head(der), wpabuf_len(der)) < 0) {
362 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
363 		goto fail;
364 	}
365 
366 	base64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &len);
367 	wpabuf_free(der);
368 	der = NULL;
369 	if (!base64)
370 		goto fail;
371 	pos = base64;
372 	end = pos + len;
373 	for (;;) {
374 		pos = os_strchr(pos, '\n');
375 		if (!pos)
376 			break;
377 		os_memmove(pos, pos + 1, end - pos);
378 	}
379 	os_free(bi->pk);
380 	bi->pk = base64;
381 	return 0;
382 fail:
383 	os_free(base64);
384 	wpabuf_free(der);
385 	return -1;
386 }
387 
388 
389 int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1, unsigned int hash_len)
390 {
391 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
392 	const char *info = "first intermediate key";
393 	int res;
394 
395 	/* k1 = HKDF(<>, "first intermediate key", M.x) */
396 
397 	/* HKDF-Extract(<>, M.x) */
398 	os_memset(salt, 0, hash_len);
399 	if (dpp_hmac(hash_len, salt, hash_len, Mx, Mx_len, prk) < 0)
400 		return -1;
401 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)",
402 			prk, hash_len);
403 
404 	/* HKDF-Expand(PRK, info, L) */
405 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len);
406 	os_memset(prk, 0, hash_len);
407 	if (res < 0)
408 		return -1;
409 
410 	wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)",
411 			k1, hash_len);
412 	return 0;
413 }
414 
415 
416 int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2, unsigned int hash_len)
417 {
418 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
419 	const char *info = "second intermediate key";
420 	int res;
421 
422 	/* k2 = HKDF(<>, "second intermediate key", N.x) */
423 
424 	/* HKDF-Extract(<>, N.x) */
425 	os_memset(salt, 0, hash_len);
426 	res = dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk);
427 	if (res < 0)
428 		return -1;
429 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
430 			prk, hash_len);
431 
432 	/* HKDF-Expand(PRK, info, L) */
433 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len);
434 	os_memset(prk, 0, hash_len);
435 	if (res < 0)
436 		return -1;
437 
438 	wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)",
439 			k2, hash_len);
440 	return 0;
441 }
442 
443 
444 int dpp_derive_bk_ke(struct dpp_authentication *auth)
445 {
446 	unsigned int hash_len = auth->curve->hash_len;
447 	size_t nonce_len = auth->curve->nonce_len;
448 	u8 nonces[2 * DPP_MAX_NONCE_LEN];
449 	const char *info_ke = "DPP Key";
450 	int res;
451 	const u8 *addr[3];
452 	size_t len[3];
453 	size_t num_elem = 0;
454 
455 	if (!auth->Mx_len || !auth->Nx_len) {
456 		wpa_printf(MSG_DEBUG,
457 			   "DPP: Mx/Nx not available - cannot derive ke");
458 		return -1;
459 	}
460 
461 	/* bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
462 	os_memcpy(nonces, auth->i_nonce, nonce_len);
463 	os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
464 	addr[num_elem] = auth->Mx;
465 	len[num_elem] = auth->Mx_len;
466 	num_elem++;
467 	addr[num_elem] = auth->Nx;
468 	len[num_elem] = auth->Nx_len;
469 	num_elem++;
470 	if (auth->peer_bi && auth->own_bi) {
471 		if (!auth->Lx_len) {
472 			wpa_printf(MSG_DEBUG,
473 				   "DPP: Lx not available - cannot derive ke");
474 			return -1;
475 		}
476 		addr[num_elem] = auth->Lx;
477 		len[num_elem] = auth->secret_len;
478 		num_elem++;
479 	}
480 	res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
481 			      num_elem, addr, len, auth->bk);
482 	if (res < 0)
483 		return -1;
484 	wpa_hexdump_key(MSG_DEBUG,
485 			"DPP: bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x])",
486 			auth->bk, hash_len);
487 
488 	/* ke = HKDF-Expand(bk, "DPP Key", length) */
489 	res = dpp_hkdf_expand(hash_len, auth->bk, hash_len, info_ke, auth->ke,
490 			      hash_len);
491 	if (res < 0)
492 		return -1;
493 
494 	wpa_hexdump_key(MSG_DEBUG,
495 			"DPP: ke = HKDF-Expand(bk, \"DPP Key\", length)",
496 			auth->ke, hash_len);
497 
498 	return 0;
499 }
500 
501 
502 int dpp_ecdh(struct crypto_ec_key *own, struct crypto_ec_key *peer,
503 	     u8 *secret, size_t *secret_len)
504 {
505 	struct crypto_ecdh *ecdh;
506 	struct wpabuf *peer_pub, *secret_buf = NULL;
507 	int ret = -1;
508 
509 	*secret_len = 0;
510 
511 	ecdh = crypto_ecdh_init2(crypto_ec_key_group(own), own);
512 	if (!ecdh) {
513 		wpa_printf(MSG_ERROR, "DPP: crypto_ecdh_init2() failed");
514 		return -1;
515 	}
516 
517 	peer_pub = crypto_ec_key_get_pubkey_point(peer, 0);
518 	if (!peer_pub) {
519 		wpa_printf(MSG_ERROR,
520 			   "DPP: crypto_ec_key_get_pubkey_point() failed");
521 		goto fail;
522 	}
523 
524 	secret_buf = crypto_ecdh_set_peerkey(ecdh, 1, wpabuf_head(peer_pub),
525 					     wpabuf_len(peer_pub));
526 	if (!secret_buf) {
527 		wpa_printf(MSG_ERROR, "DPP: crypto_ecdh_set_peerkey() failed");
528 		goto fail;
529 	}
530 
531 	if (wpabuf_len(secret_buf) > DPP_MAX_SHARED_SECRET_LEN) {
532 		wpa_printf(MSG_ERROR, "DPP: ECDH secret longer than expected");
533 		goto fail;
534 	}
535 
536 	*secret_len = wpabuf_len(secret_buf);
537 	os_memcpy(secret, wpabuf_head(secret_buf), wpabuf_len(secret_buf));
538 	ret = 0;
539 
540 fail:
541 	wpabuf_clear_free(secret_buf);
542 	wpabuf_free(peer_pub);
543 	crypto_ecdh_deinit(ecdh);
544 	return ret;
545 }
546 
547 
548 int dpp_bi_pubkey_hash(struct dpp_bootstrap_info *bi,
549 		       const u8 *data, size_t data_len)
550 {
551 	const u8 *addr[2];
552 	size_t len[2];
553 
554 	addr[0] = data;
555 	len[0] = data_len;
556 	if (sha256_vector(1, addr, len, bi->pubkey_hash) < 0)
557 		return -1;
558 	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash",
559 		    bi->pubkey_hash, SHA256_MAC_LEN);
560 
561 	addr[0] = (const u8 *) "chirp";
562 	len[0] = 5;
563 	addr[1] = data;
564 	len[1] = data_len;
565 	if (sha256_vector(2, addr, len, bi->pubkey_hash_chirp) < 0)
566 		return -1;
567 	wpa_hexdump(MSG_DEBUG, "DPP: Public key hash (chirp)",
568 		    bi->pubkey_hash_chirp, SHA256_MAC_LEN);
569 
570 	return 0;
571 }
572 
573 
574 int dpp_get_subject_public_key(struct dpp_bootstrap_info *bi,
575 			       const u8 *data, size_t data_len)
576 {
577 	struct crypto_ec_key *key;
578 
579 	if (dpp_bi_pubkey_hash(bi, data, data_len) < 0) {
580 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
581 		return -1;
582 	}
583 
584 	key = crypto_ec_key_parse_pub(data, data_len);
585 	if (!key) {
586 		wpa_printf(MSG_DEBUG,
587 			   "DPP: Could not parse URI public-key SubjectPublicKeyInfo");
588 		return -1;
589 	}
590 
591 	bi->curve = dpp_get_curve_ike_group(crypto_ec_key_group(key));
592 	if (!bi->curve) {
593 		wpa_printf(MSG_DEBUG,
594 			   "DPP: Unsupported SubjectPublicKeyInfo curve: group %d",
595 			   crypto_ec_key_group(key));
596 		goto fail;
597 	}
598 
599 	bi->pubkey = key;
600 	return 0;
601 fail:
602 	crypto_ec_key_deinit(key);
603 	return -1;
604 }
605 
606 
607 static struct wpabuf *
608 dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve,
609 		       const u8 *prot_hdr, u16 prot_hdr_len,
610 		       int *hash_func)
611 {
612 	struct json_token *root, *token;
613 	struct wpabuf *kid = NULL;
614 
615 	root = json_parse((const char *) prot_hdr, prot_hdr_len);
616 	if (!root) {
617 		wpa_printf(MSG_DEBUG,
618 			   "DPP: JSON parsing failed for JWS Protected Header");
619 		goto fail;
620 	}
621 
622 	if (root->type != JSON_OBJECT) {
623 		wpa_printf(MSG_DEBUG,
624 			   "DPP: JWS Protected Header root is not an object");
625 		goto fail;
626 	}
627 
628 	token = json_get_member(root, "typ");
629 	if (!token || token->type != JSON_STRING) {
630 		wpa_printf(MSG_DEBUG, "DPP: No typ string value found");
631 		goto fail;
632 	}
633 	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s",
634 		   token->string);
635 	if (os_strcmp(token->string, "dppCon") != 0) {
636 		wpa_printf(MSG_DEBUG,
637 			   "DPP: Unsupported JWS Protected Header typ=%s",
638 			   token->string);
639 		goto fail;
640 	}
641 
642 	token = json_get_member(root, "alg");
643 	if (!token || token->type != JSON_STRING) {
644 		wpa_printf(MSG_DEBUG, "DPP: No alg string value found");
645 		goto fail;
646 	}
647 	wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s",
648 		   token->string);
649 	if (os_strcmp(token->string, curve->jws_alg) != 0) {
650 		wpa_printf(MSG_DEBUG,
651 			   "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)",
652 			   token->string, curve->jws_alg);
653 		goto fail;
654 	}
655 	if (os_strcmp(token->string, "ES256") == 0 ||
656 	    os_strcmp(token->string, "BS256") == 0) {
657 		*hash_func = CRYPTO_HASH_ALG_SHA256;
658 	} else if (os_strcmp(token->string, "ES384") == 0 ||
659 		   os_strcmp(token->string, "BS384") == 0) {
660 		*hash_func = CRYPTO_HASH_ALG_SHA384;
661 	} else if (os_strcmp(token->string, "ES512") == 0 ||
662 		   os_strcmp(token->string, "BS512") == 0) {
663 		*hash_func = CRYPTO_HASH_ALG_SHA512;
664 	} else {
665 		*hash_func = -1;
666 		wpa_printf(MSG_DEBUG,
667 			   "DPP: Unsupported JWS Protected Header alg=%s",
668 			   token->string);
669 		goto fail;
670 	}
671 
672 	kid = json_get_member_base64url(root, "kid");
673 	if (!kid) {
674 		wpa_printf(MSG_DEBUG, "DPP: No kid string value found");
675 		goto fail;
676 	}
677 	wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)",
678 			kid);
679 
680 fail:
681 	json_free(root);
682 	return kid;
683 }
684 
685 
686 static int dpp_check_pubkey_match(struct crypto_ec_key *pub,
687 				  struct wpabuf *r_hash)
688 {
689 	struct wpabuf *uncomp;
690 	int res;
691 	u8 hash[SHA256_MAC_LEN];
692 	const u8 *addr[1];
693 	size_t len[1];
694 
695 	if (wpabuf_len(r_hash) != SHA256_MAC_LEN)
696 		return -1;
697 	uncomp = crypto_ec_key_get_pubkey_point(pub, 1);
698 	if (!uncomp)
699 		return -1;
700 	addr[0] = wpabuf_head(uncomp);
701 	len[0] = wpabuf_len(uncomp);
702 	wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key",
703 		    addr[0], len[0]);
704 	res = sha256_vector(1, addr, len, hash);
705 	wpabuf_free(uncomp);
706 	if (res < 0)
707 		return -1;
708 	if (os_memcmp(hash, wpabuf_head(r_hash), SHA256_MAC_LEN) != 0) {
709 		wpa_printf(MSG_DEBUG,
710 			   "DPP: Received hash value does not match calculated public key hash value");
711 		wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash",
712 			    hash, SHA256_MAC_LEN);
713 		return -1;
714 	}
715 	return 0;
716 }
717 
718 
719 enum dpp_status_error
720 dpp_process_signed_connector(struct dpp_signed_connector_info *info,
721 			     struct crypto_ec_key *csign_pub,
722 			     const char *connector)
723 {
724 	enum dpp_status_error ret = 255;
725 	const char *pos, *end, *signed_start, *signed_end;
726 	struct wpabuf *kid = NULL;
727 	unsigned char *prot_hdr = NULL, *signature = NULL;
728 	size_t prot_hdr_len = 0, signature_len = 0, signed_len;
729 	int res, hash_func = -1;
730 	const struct dpp_curve_params *curve;
731 	u8 *hash = NULL;
732 
733 	curve = dpp_get_curve_ike_group(crypto_ec_key_group(csign_pub));
734 	if (!curve)
735 		goto fail;
736 	wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv);
737 	os_memset(info, 0, sizeof(*info));
738 
739 	signed_start = pos = connector;
740 	end = os_strchr(pos, '.');
741 	if (!end) {
742 		wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector");
743 		ret = DPP_STATUS_INVALID_CONNECTOR;
744 		goto fail;
745 	}
746 	prot_hdr = base64_url_decode(pos, end - pos, &prot_hdr_len);
747 	if (!prot_hdr) {
748 		wpa_printf(MSG_DEBUG,
749 			   "DPP: Failed to base64url decode signedConnector JWS Protected Header");
750 		ret = DPP_STATUS_INVALID_CONNECTOR;
751 		goto fail;
752 	}
753 	wpa_hexdump_ascii(MSG_DEBUG,
754 			  "DPP: signedConnector - JWS Protected Header",
755 			  prot_hdr, prot_hdr_len);
756 	kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &hash_func);
757 	if (!kid) {
758 		ret = DPP_STATUS_INVALID_CONNECTOR;
759 		goto fail;
760 	}
761 	if (wpabuf_len(kid) != SHA256_MAC_LEN) {
762 		wpa_printf(MSG_DEBUG,
763 			   "DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)",
764 			   (unsigned int) wpabuf_len(kid), SHA256_MAC_LEN);
765 		ret = DPP_STATUS_INVALID_CONNECTOR;
766 		goto fail;
767 	}
768 
769 	pos = end + 1;
770 	end = os_strchr(pos, '.');
771 	if (!end) {
772 		wpa_printf(MSG_DEBUG,
773 			   "DPP: Missing dot(2) in signedConnector");
774 		ret = DPP_STATUS_INVALID_CONNECTOR;
775 		goto fail;
776 	}
777 	signed_end = end - 1;
778 	info->payload = base64_url_decode(pos, end - pos, &info->payload_len);
779 	if (!info->payload) {
780 		wpa_printf(MSG_DEBUG,
781 			   "DPP: Failed to base64url decode signedConnector JWS Payload");
782 		ret = DPP_STATUS_INVALID_CONNECTOR;
783 		goto fail;
784 	}
785 	wpa_hexdump_ascii(MSG_DEBUG,
786 			  "DPP: signedConnector - JWS Payload",
787 			  info->payload, info->payload_len);
788 	pos = end + 1;
789 	signature = base64_url_decode(pos, os_strlen(pos), &signature_len);
790 	if (!signature) {
791 		wpa_printf(MSG_DEBUG,
792 			   "DPP: Failed to base64url decode signedConnector signature");
793 		ret = DPP_STATUS_INVALID_CONNECTOR;
794 		goto fail;
795 		}
796 	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature",
797 		    signature, signature_len);
798 
799 	if (dpp_check_pubkey_match(csign_pub, kid) < 0) {
800 		ret = DPP_STATUS_NO_MATCH;
801 		goto fail;
802 	}
803 
804 	if (signature_len & 0x01) {
805 		wpa_printf(MSG_DEBUG,
806 			   "DPP: Unexpected signedConnector signature length (%d)",
807 			   (int) signature_len);
808 		ret = DPP_STATUS_INVALID_CONNECTOR;
809 		goto fail;
810 	}
811 
812 	hash = os_malloc(curve->hash_len);
813 	if (!hash)
814 		goto fail;
815 
816 	signed_len = signed_end - signed_start + 1;
817 	if (hash_func == CRYPTO_HASH_ALG_SHA256)
818 		res = sha256_vector(1, (const u8 **) &signed_start, &signed_len,
819 				    hash);
820 	else if (hash_func == CRYPTO_HASH_ALG_SHA384)
821 		res = sha384_vector(1, (const u8 **) &signed_start, &signed_len,
822 				    hash);
823 	else if (hash_func == CRYPTO_HASH_ALG_SHA512)
824 		res = sha512_vector(1, (const u8 **) &signed_start, &signed_len,
825 				    hash);
826 	else
827 		goto fail;
828 
829 	if (res)
830 		goto fail;
831 
832 	res = crypto_ec_key_verify_signature_r_s(csign_pub,
833 						 hash, curve->hash_len,
834 						 signature, signature_len / 2,
835 						 signature + signature_len / 2,
836 						 signature_len / 2);
837 	if (res != 1) {
838 		wpa_printf(MSG_DEBUG,
839 			   "DPP: signedConnector signature check failed (res=%d)",
840 			   res);
841 		ret = DPP_STATUS_INVALID_CONNECTOR;
842 		goto fail;
843 	}
844 
845 	ret = DPP_STATUS_OK;
846 fail:
847 	os_free(hash);
848 	os_free(prot_hdr);
849 	wpabuf_free(kid);
850 	os_free(signature);
851 	return ret;
852 }
853 
854 
855 enum dpp_status_error
856 dpp_check_signed_connector(struct dpp_signed_connector_info *info,
857 			   const u8 *csign_key, size_t csign_key_len,
858 			   const u8 *peer_connector, size_t peer_connector_len)
859 {
860 	struct crypto_ec_key *csign;
861 	char *signed_connector = NULL;
862 	enum dpp_status_error res = DPP_STATUS_INVALID_CONNECTOR;
863 
864 	csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
865 	if (!csign) {
866 		wpa_printf(MSG_ERROR,
867 			   "DPP: Failed to parse local C-sign-key information");
868 		goto fail;
869 	}
870 
871 	wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector",
872 			  peer_connector, peer_connector_len);
873 	signed_connector = os_malloc(peer_connector_len + 1);
874 	if (!signed_connector)
875 		goto fail;
876 	os_memcpy(signed_connector, peer_connector, peer_connector_len);
877 	signed_connector[peer_connector_len] = '\0';
878 	res = dpp_process_signed_connector(info, csign, signed_connector);
879 fail:
880 	os_free(signed_connector);
881 	crypto_ec_key_deinit(csign);
882 	return res;
883 }
884 
885 
886 int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth)
887 {
888 	struct wpabuf *pix, *prx, *bix, *brx;
889 	const u8 *addr[7];
890 	size_t len[7];
891 	size_t i, num_elem = 0;
892 	size_t nonce_len;
893 	u8 zero = 0;
894 	int res = -1;
895 
896 	/* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
897 	nonce_len = auth->curve->nonce_len;
898 
899 	if (auth->initiator) {
900 		pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
901 		prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
902 						     0);
903 		if (auth->own_bi)
904 			bix = crypto_ec_key_get_pubkey_point(
905 				auth->own_bi->pubkey, 0);
906 		else
907 			bix = NULL;
908 		brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0);
909 	} else {
910 		pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
911 						     0);
912 		prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
913 		if (auth->peer_bi)
914 			bix = crypto_ec_key_get_pubkey_point(
915 				auth->peer_bi->pubkey, 0);
916 		else
917 			bix = NULL;
918 		brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0);
919 	}
920 	if (!pix || !prx || !brx)
921 		goto fail;
922 
923 	addr[num_elem] = auth->i_nonce;
924 	len[num_elem] = nonce_len;
925 	num_elem++;
926 
927 	addr[num_elem] = auth->r_nonce;
928 	len[num_elem] = nonce_len;
929 	num_elem++;
930 
931 	addr[num_elem] = wpabuf_head(pix);
932 	len[num_elem] = wpabuf_len(pix) / 2;
933 	num_elem++;
934 
935 	addr[num_elem] = wpabuf_head(prx);
936 	len[num_elem] = wpabuf_len(prx) / 2;
937 	num_elem++;
938 
939 	if (bix) {
940 		addr[num_elem] = wpabuf_head(bix);
941 		len[num_elem] = wpabuf_len(bix) / 2;
942 		num_elem++;
943 	}
944 
945 	addr[num_elem] = wpabuf_head(brx);
946 	len[num_elem] = wpabuf_len(brx) / 2;
947 	num_elem++;
948 
949 	addr[num_elem] = &zero;
950 	len[num_elem] = 1;
951 	num_elem++;
952 
953 	wpa_printf(MSG_DEBUG, "DPP: R-auth hash components");
954 	for (i = 0; i < num_elem; i++)
955 		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
956 	res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth);
957 	if (res == 0)
958 		wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth,
959 			    auth->curve->hash_len);
960 fail:
961 	wpabuf_free(pix);
962 	wpabuf_free(prx);
963 	wpabuf_free(bix);
964 	wpabuf_free(brx);
965 	return res;
966 }
967 
968 
969 int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth)
970 {
971 	struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
972 	const u8 *addr[7];
973 	size_t len[7];
974 	size_t i, num_elem = 0;
975 	size_t nonce_len;
976 	u8 one = 1;
977 	int res = -1;
978 
979 	/* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
980 	nonce_len = auth->curve->nonce_len;
981 
982 	if (auth->initiator) {
983 		pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
984 		prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
985 						     0);
986 		if (auth->own_bi)
987 			bix = crypto_ec_key_get_pubkey_point(
988 				auth->own_bi->pubkey, 0);
989 		else
990 			bix = NULL;
991 		if (!auth->peer_bi)
992 			goto fail;
993 		brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0);
994 	} else {
995 		pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
996 						     0);
997 		prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
998 		if (auth->peer_bi)
999 			bix = crypto_ec_key_get_pubkey_point(
1000 				auth->peer_bi->pubkey, 0);
1001 		else
1002 			bix = NULL;
1003 		if (!auth->own_bi)
1004 			goto fail;
1005 		brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0);
1006 	}
1007 	if (!pix || !prx || !brx)
1008 		goto fail;
1009 
1010 	addr[num_elem] = auth->r_nonce;
1011 	len[num_elem] = nonce_len;
1012 	num_elem++;
1013 
1014 	addr[num_elem] = auth->i_nonce;
1015 	len[num_elem] = nonce_len;
1016 	num_elem++;
1017 
1018 	addr[num_elem] = wpabuf_head(prx);
1019 	len[num_elem] = wpabuf_len(prx) / 2;
1020 	num_elem++;
1021 
1022 	addr[num_elem] = wpabuf_head(pix);
1023 	len[num_elem] = wpabuf_len(pix) / 2;
1024 	num_elem++;
1025 
1026 	addr[num_elem] = wpabuf_head(brx);
1027 	len[num_elem] = wpabuf_len(brx) / 2;
1028 	num_elem++;
1029 
1030 	if (bix) {
1031 		addr[num_elem] = wpabuf_head(bix);
1032 		len[num_elem] = wpabuf_len(bix) / 2;
1033 		num_elem++;
1034 	}
1035 
1036 	addr[num_elem] = &one;
1037 	len[num_elem] = 1;
1038 	num_elem++;
1039 
1040 	wpa_printf(MSG_DEBUG, "DPP: I-auth hash components");
1041 	for (i = 0; i < num_elem; i++)
1042 		wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
1043 	res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth);
1044 	if (res == 0)
1045 		wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth,
1046 			    auth->curve->hash_len);
1047 fail:
1048 	wpabuf_free(pix);
1049 	wpabuf_free(prx);
1050 	wpabuf_free(bix);
1051 	wpabuf_free(brx);
1052 	return res;
1053 }
1054 
1055 
1056 int dpp_auth_derive_l_responder(struct dpp_authentication *auth)
1057 {
1058 	struct crypto_ec *ec;
1059 	struct crypto_ec_point *L = NULL, *BI = NULL;
1060 	const struct crypto_bignum *q;
1061 	struct crypto_bignum *sum = NULL, *lx = NULL, *bR = NULL, *pR = NULL;
1062 	int ret = -1;
1063 
1064 	/* L = ((bR + pR) modulo q) * BI */
1065 
1066 	ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey));
1067 	if (!ec)
1068 		goto fail;
1069 
1070 	q = crypto_ec_get_order(ec);
1071 	BI = crypto_ec_key_get_public_key(auth->peer_bi->pubkey);
1072 	bR = crypto_ec_key_get_private_key(auth->own_bi->pubkey);
1073 	pR = crypto_ec_key_get_private_key(auth->own_protocol_key);
1074 	sum = crypto_bignum_init();
1075 	L = crypto_ec_point_init(ec);
1076 	lx = crypto_bignum_init();
1077 	if (!q || !BI || !bR || !pR || !sum || !L || !lx ||
1078 	    crypto_bignum_addmod(bR, pR, q, sum) ||
1079 	    crypto_ec_point_mul(ec, BI, sum, L) ||
1080 	    crypto_ec_point_x(ec, L, lx) ||
1081 	    crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx),
1082 				 auth->secret_len) < 0)
1083 		goto fail;
1084 
1085 	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
1086 	auth->Lx_len = auth->secret_len;
1087 	ret = 0;
1088 fail:
1089 	crypto_bignum_deinit(lx, 1);
1090 	crypto_bignum_deinit(sum, 1);
1091 	crypto_bignum_deinit(bR, 1);
1092 	crypto_bignum_deinit(pR, 1);
1093 	crypto_ec_point_deinit(L, 1);
1094 	crypto_ec_point_deinit(BI, 1);
1095 	crypto_ec_deinit(ec);
1096 	return ret;
1097 }
1098 
1099 
1100 int dpp_auth_derive_l_initiator(struct dpp_authentication *auth)
1101 {
1102 	struct crypto_ec *ec;
1103 	struct crypto_ec_point *L = NULL, *sum = NULL, *BR = NULL, *PR = NULL;
1104 	struct crypto_bignum *lx = NULL, *bI = NULL;
1105 	int ret = -1;
1106 
1107 	/* L = bI * (BR + PR) */
1108 
1109 	ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey));
1110 	if (!ec)
1111 		goto fail;
1112 
1113 	BR = crypto_ec_key_get_public_key(auth->peer_bi->pubkey);
1114 	PR = crypto_ec_key_get_public_key(auth->peer_protocol_key);
1115 	bI = crypto_ec_key_get_private_key(auth->own_bi->pubkey);
1116 	sum = crypto_ec_point_init(ec);
1117 	L = crypto_ec_point_init(ec);
1118 	lx = crypto_bignum_init();
1119 	if (!BR || !PR || !bI || !sum || !L || !lx ||
1120 	    crypto_ec_point_add(ec, BR, PR, sum) ||
1121 	    crypto_ec_point_mul(ec, sum, bI, L) ||
1122 	    crypto_ec_point_x(ec, L, lx) ||
1123 	    crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx),
1124 				 auth->secret_len) < 0)
1125 		goto fail;
1126 
1127 	wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
1128 	auth->Lx_len = auth->secret_len;
1129 	ret = 0;
1130 fail:
1131 	crypto_bignum_deinit(lx, 1);
1132 	crypto_bignum_deinit(bI, 1);
1133 	crypto_ec_point_deinit(sum, 1);
1134 	crypto_ec_point_deinit(L, 1);
1135 	crypto_ec_point_deinit(BR, 1);
1136 	crypto_ec_point_deinit(PR, 1);
1137 	crypto_ec_deinit(ec);
1138 	return ret;
1139 }
1140 
1141 
1142 int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk, unsigned int hash_len)
1143 {
1144 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1145 	const char *info = "DPP PMK";
1146 	int res;
1147 
1148 	/* PMK = HKDF(<>, "DPP PMK", N.x) */
1149 
1150 	/* HKDF-Extract(<>, N.x) */
1151 	os_memset(salt, 0, hash_len);
1152 	if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0)
1153 		return -1;
1154 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
1155 			prk, hash_len);
1156 
1157 	/* HKDF-Expand(PRK, info, L) */
1158 	res = dpp_hkdf_expand(hash_len, prk, hash_len, info, pmk, hash_len);
1159 	os_memset(prk, 0, hash_len);
1160 	if (res < 0)
1161 		return -1;
1162 
1163 	wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)",
1164 			pmk, hash_len);
1165 	return 0;
1166 }
1167 
1168 
1169 int dpp_derive_pmkid(const struct dpp_curve_params *curve,
1170 		     struct crypto_ec_key *own_key,
1171 		     struct crypto_ec_key *peer_key, u8 *pmkid)
1172 {
1173 	struct wpabuf *nkx, *pkx;
1174 	int ret = -1, res;
1175 	const u8 *addr[2];
1176 	size_t len[2];
1177 	u8 hash[SHA256_MAC_LEN];
1178 
1179 	/* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
1180 	nkx = crypto_ec_key_get_pubkey_point(own_key, 0);
1181 	pkx = crypto_ec_key_get_pubkey_point(peer_key, 0);
1182 	if (!nkx || !pkx)
1183 		goto fail;
1184 	addr[0] = wpabuf_head(nkx);
1185 	len[0] = wpabuf_len(nkx) / 2;
1186 	addr[1] = wpabuf_head(pkx);
1187 	len[1] = wpabuf_len(pkx) / 2;
1188 	if (len[0] != len[1])
1189 		goto fail;
1190 	if (os_memcmp(addr[0], addr[1], len[0]) > 0) {
1191 		addr[0] = wpabuf_head(pkx);
1192 		addr[1] = wpabuf_head(nkx);
1193 	}
1194 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]);
1195 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]);
1196 	res = sha256_vector(2, addr, len, hash);
1197 	if (res < 0)
1198 		goto fail;
1199 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN);
1200 	os_memcpy(pmkid, hash, PMKID_LEN);
1201 	wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN);
1202 	ret = 0;
1203 fail:
1204 	wpabuf_free(nkx);
1205 	wpabuf_free(pkx);
1206 	return ret;
1207 }
1208 
1209 
1210 /* Role-specific elements for PKEX */
1211 
1212 /* NIST P-256 */
1213 static const u8 pkex_init_x_p256[32] = {
1214 	0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b,
1215 	0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54,
1216 	0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07,
1217 	0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25
1218  };
1219 static const u8 pkex_init_y_p256[32] = {
1220 	0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b,
1221 	0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc,
1222 	0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45,
1223 	0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4
1224  };
1225 static const u8 pkex_resp_x_p256[32] = {
1226 	0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39,
1227 	0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f,
1228 	0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f,
1229 	0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76
1230 };
1231 static const u8 pkex_resp_y_p256[32] = {
1232 	0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19,
1233 	0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1,
1234 	0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a,
1235 	0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67
1236 };
1237 
1238 /* NIST P-384 */
1239 static const u8 pkex_init_x_p384[48] = {
1240 	0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa,
1241 	0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68,
1242 	0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53,
1243 	0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac,
1244 	0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12,
1245 	0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3
1246 };
1247 static const u8 pkex_init_y_p384[48] = {
1248 	0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29,
1249 	0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56,
1250 	0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7,
1251 	0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6,
1252 	0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94,
1253 	0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18
1254 };
1255 static const u8 pkex_resp_x_p384[48] = {
1256 	0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98,
1257 	0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97,
1258 	0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92,
1259 	0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44,
1260 	0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf,
1261 	0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf
1262 };
1263 static const u8 pkex_resp_y_p384[48] = {
1264 	0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c,
1265 	0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c,
1266 	0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3,
1267 	0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1,
1268 	0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63,
1269 	0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06
1270 };
1271 
1272 /* NIST P-521 */
1273 static const u8 pkex_init_x_p521[66] = {
1274 	0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23,
1275 	0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0,
1276 	0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76,
1277 	0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5,
1278 	0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38,
1279 	0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01,
1280 	0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e,
1281 	0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d,
1282 	0x97, 0x76
1283 };
1284 static const u8 pkex_init_y_p521[66] = {
1285 	0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59,
1286 	0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99,
1287 	0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b,
1288 	0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd,
1289 	0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f,
1290 	0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf,
1291 	0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02,
1292 	0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d,
1293 	0x03, 0xa8
1294 };
1295 static const u8 pkex_resp_x_p521[66] = {
1296 	0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a,
1297 	0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44,
1298 	0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f,
1299 	0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb,
1300 	0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48,
1301 	0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e,
1302 	0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a,
1303 	0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97,
1304 	0x84, 0xb4
1305 };
1306 static const u8 pkex_resp_y_p521[66] = {
1307 	0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d,
1308 	0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20,
1309 	0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3,
1310 	0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84,
1311 	0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9,
1312 	0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2,
1313 	0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80,
1314 	0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53,
1315 	0xce, 0xe1
1316 };
1317 
1318 /* Brainpool P-256r1 */
1319 static const u8 pkex_init_x_bp_p256r1[32] = {
1320 	0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10,
1321 	0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca,
1322 	0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75,
1323 	0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8
1324 };
1325 static const u8 pkex_init_y_bp_p256r1[32] = {
1326 	0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd,
1327 	0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30,
1328 	0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe,
1329 	0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b
1330 };
1331 static const u8 pkex_resp_x_bp_p256r1[32] = {
1332 	0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f,
1333 	0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a,
1334 	0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a,
1335 	0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3
1336 };
1337 static const u8 pkex_resp_y_bp_p256r1[32] = {
1338 	0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd,
1339 	0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2,
1340 	0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e,
1341 	0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64
1342 };
1343 
1344 /* Brainpool P-384r1 */
1345 static const u8 pkex_init_x_bp_p384r1[48] = {
1346 	0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd,
1347 	0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19,
1348 	0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06,
1349 	0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62,
1350 	0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30,
1351 	0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe
1352 };
1353 static const u8 pkex_init_y_bp_p384r1[48] = {
1354 	0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99,
1355 	0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86,
1356 	0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32,
1357 	0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9,
1358 	0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e,
1359 	0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52
1360 };
1361 static const u8 pkex_resp_x_bp_p384r1[48] = {
1362 	0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0,
1363 	0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25,
1364 	0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b,
1365 	0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71,
1366 	0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce,
1367 	0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c
1368 };
1369 static const u8 pkex_resp_y_bp_p384r1[48] = {
1370 	0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65,
1371 	0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04,
1372 	0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70,
1373 	0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c,
1374 	0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb,
1375 	0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1
1376 };
1377 
1378 /* Brainpool P-512r1 */
1379 static const u8 pkex_init_x_bp_p512r1[64] = {
1380 	0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c,
1381 	0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51,
1382 	0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc,
1383 	0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95,
1384 	0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d,
1385 	0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff,
1386 	0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc,
1387 	0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f
1388 };
1389 static const u8 pkex_init_y_bp_p512r1[64] = {
1390 	0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94,
1391 	0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8,
1392 	0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3,
1393 	0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45,
1394 	0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e,
1395 	0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58,
1396 	0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71,
1397 	0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99
1398 };
1399 static const u8 pkex_resp_x_bp_p512r1[64] = {
1400 	0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72,
1401 	0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76,
1402 	0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19,
1403 	0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e,
1404 	0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9,
1405 	0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88,
1406 	0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29,
1407 	0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e
1408 };
1409 static const u8 pkex_resp_y_bp_p512r1[64] = {
1410 	0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81,
1411 	0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68,
1412 	0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa,
1413 	0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d,
1414 	0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c,
1415 	0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09,
1416 	0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56,
1417 	0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7
1418 };
1419 
1420 
1421 static struct crypto_ec_key *
1422 dpp_pkex_get_role_elem(const struct dpp_curve_params *curve, int init)
1423 {
1424 	const u8 *x, *y;
1425 
1426 	switch (curve->ike_group) {
1427 	case 19:
1428 		x = init ? pkex_init_x_p256 : pkex_resp_x_p256;
1429 		y = init ? pkex_init_y_p256 : pkex_resp_y_p256;
1430 		break;
1431 	case 20:
1432 		x = init ? pkex_init_x_p384 : pkex_resp_x_p384;
1433 		y = init ? pkex_init_y_p384 : pkex_resp_y_p384;
1434 		break;
1435 	case 21:
1436 		x = init ? pkex_init_x_p521 : pkex_resp_x_p521;
1437 		y = init ? pkex_init_y_p521 : pkex_resp_y_p521;
1438 		break;
1439 	case 28:
1440 		x = init ? pkex_init_x_bp_p256r1 : pkex_resp_x_bp_p256r1;
1441 		y = init ? pkex_init_y_bp_p256r1 : pkex_resp_y_bp_p256r1;
1442 		break;
1443 	case 29:
1444 		x = init ? pkex_init_x_bp_p384r1 : pkex_resp_x_bp_p384r1;
1445 		y = init ? pkex_init_y_bp_p384r1 : pkex_resp_y_bp_p384r1;
1446 		break;
1447 	case 30:
1448 		x = init ? pkex_init_x_bp_p512r1 : pkex_resp_x_bp_p512r1;
1449 		y = init ? pkex_init_y_bp_p512r1 : pkex_resp_y_bp_p512r1;
1450 		break;
1451 	default:
1452 		return NULL;
1453 	}
1454 
1455 	return crypto_ec_key_set_pub(curve->ike_group, x, y, curve->prime_len);
1456 }
1457 
1458 
1459 struct crypto_ec_point *
1460 dpp_pkex_derive_Qi(const struct dpp_curve_params *curve, const u8 *mac_init,
1461 		   const char *code, size_t code_len, const char *identifier,
1462 		   struct crypto_ec **ret_ec)
1463 {
1464 	u8 hash[DPP_MAX_HASH_LEN];
1465 	const u8 *addr[3];
1466 	size_t len[3];
1467 	unsigned int num_elem = 0;
1468 	struct crypto_ec_point *Qi = NULL, *Pi = NULL;
1469 	struct crypto_ec_key *Pi_key = NULL;
1470 	struct crypto_bignum *hash_bn = NULL;
1471 	struct crypto_ec *ec = NULL;
1472 
1473 	/* Qi = H([MAC-Initiator |] [identifier |] code) * Pi */
1474 
1475 	if (mac_init) {
1476 		wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR,
1477 			   MAC2STR(mac_init));
1478 		addr[num_elem] = mac_init;
1479 		len[num_elem] = ETH_ALEN;
1480 		num_elem++;
1481 	}
1482 	if (identifier) {
1483 		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
1484 			   identifier);
1485 		addr[num_elem] = (const u8 *) identifier;
1486 		len[num_elem] = os_strlen(identifier);
1487 		num_elem++;
1488 	}
1489 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, code_len);
1490 	addr[num_elem] = (const u8 *) code;
1491 	len[num_elem] = code_len;
1492 	num_elem++;
1493 	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
1494 		goto fail;
1495 	wpa_hexdump_key(MSG_DEBUG,
1496 			"DPP: H([MAC-Initiator |] [identifier |] code)",
1497 			hash, curve->hash_len);
1498 	Pi_key = dpp_pkex_get_role_elem(curve, 1);
1499 	if (!Pi_key)
1500 		goto fail;
1501 	dpp_debug_print_key("DPP: Pi", Pi_key);
1502 
1503 	ec = crypto_ec_init(curve->ike_group);
1504 	if (!ec)
1505 		goto fail;
1506 
1507 	Pi = crypto_ec_key_get_public_key(Pi_key);
1508 	Qi = crypto_ec_point_init(ec);
1509 	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
1510 	if (!Pi || !Qi || !hash_bn || crypto_ec_point_mul(ec, Pi, hash_bn, Qi))
1511 		goto fail;
1512 
1513 	if (crypto_ec_point_is_at_infinity(ec, Qi)) {
1514 		wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity");
1515 		goto fail;
1516 	}
1517 	crypto_ec_point_debug_print(ec, Qi, "DPP: Qi");
1518 out:
1519 	crypto_ec_key_deinit(Pi_key);
1520 	crypto_ec_point_deinit(Pi, 1);
1521 	crypto_bignum_deinit(hash_bn, 1);
1522 	if (ret_ec && Qi)
1523 		*ret_ec = ec;
1524 	else
1525 		crypto_ec_deinit(ec);
1526 	return Qi;
1527 fail:
1528 	crypto_ec_point_deinit(Qi, 1);
1529 	Qi = NULL;
1530 	goto out;
1531 }
1532 
1533 
1534 struct crypto_ec_point *
1535 dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, const u8 *mac_resp,
1536 		   const char *code, size_t code_len, const char *identifier,
1537 		   struct crypto_ec **ret_ec)
1538 {
1539 	u8 hash[DPP_MAX_HASH_LEN];
1540 	const u8 *addr[3];
1541 	size_t len[3];
1542 	unsigned int num_elem = 0;
1543 	struct crypto_ec_point *Qr = NULL, *Pr = NULL;
1544 	struct crypto_ec_key *Pr_key = NULL;
1545 	struct crypto_bignum *hash_bn = NULL;
1546 	struct crypto_ec *ec = NULL;
1547 
1548 	/* Qr = H([MAC-Responder |] [identifier |] code) * Pr */
1549 
1550 	if (mac_resp) {
1551 		wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR,
1552 			   MAC2STR(mac_resp));
1553 		addr[num_elem] = mac_resp;
1554 		len[num_elem] = ETH_ALEN;
1555 		num_elem++;
1556 	}
1557 	if (identifier) {
1558 		wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
1559 			   identifier);
1560 		addr[num_elem] = (const u8 *) identifier;
1561 		len[num_elem] = os_strlen(identifier);
1562 		num_elem++;
1563 	}
1564 	wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, code_len);
1565 	addr[num_elem] = (const u8 *) code;
1566 	len[num_elem] = code_len;
1567 	num_elem++;
1568 	if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
1569 		goto fail;
1570 	wpa_hexdump_key(MSG_DEBUG,
1571 			"DPP: H([MAC-Responder |] [identifier |] code)",
1572 			hash, curve->hash_len);
1573 	Pr_key = dpp_pkex_get_role_elem(curve, 0);
1574 	if (!Pr_key)
1575 		goto fail;
1576 	dpp_debug_print_key("DPP: Pr", Pr_key);
1577 
1578 	ec = crypto_ec_init(curve->ike_group);
1579 	if (!ec)
1580 		goto fail;
1581 
1582 	Pr = crypto_ec_key_get_public_key(Pr_key);
1583 	Qr = crypto_ec_point_init(ec);
1584 	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
1585 	if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
1586 		goto fail;
1587 
1588 	if (crypto_ec_point_is_at_infinity(ec, Qr)) {
1589 		wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity");
1590 		goto fail;
1591 	}
1592 	crypto_ec_point_debug_print(ec, Qr, "DPP: Qr");
1593 
1594 out:
1595 	crypto_ec_key_deinit(Pr_key);
1596 	crypto_ec_point_deinit(Pr, 1);
1597 	crypto_bignum_deinit(hash_bn, 1);
1598 	if (ret_ec && Qr)
1599 		*ret_ec = ec;
1600 	else
1601 		crypto_ec_deinit(ec);
1602 	return Qr;
1603 fail:
1604 	crypto_ec_point_deinit(Qr, 1);
1605 	Qr = NULL;
1606 	goto out;
1607 }
1608 
1609 
1610 int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp,
1611 		      u8 ver_init, u8 ver_resp,
1612 		      const u8 *Mx, size_t Mx_len,
1613 		      const u8 *Nx, size_t Nx_len,
1614 		      const char *code, size_t code_len,
1615 		      const u8 *Kx, size_t Kx_len,
1616 		      u8 *z, unsigned int hash_len)
1617 {
1618 	u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1619 	int res;
1620 	u8 *info, *pos;
1621 	size_t info_len;
1622 
1623 	/*
1624 	 * v1: info = MAC-Initiator | MAC-Responder
1625 	 * v2: info = Protocol Version-Initiator | Protocol Version-Responder
1626 	 * z = HKDF(<>, info | M.x | N.x | code, K.x)
1627 	 */
1628 
1629 	/* HKDF-Extract(<>, IKM=K.x) */
1630 	os_memset(salt, 0, hash_len);
1631 	if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0)
1632 		return -1;
1633 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
1634 			prk, hash_len);
1635 	if (mac_init && mac_resp)
1636 		info_len = 2 * ETH_ALEN;
1637 	else
1638 		info_len = 2;
1639 	info_len += Mx_len + Nx_len + code_len;
1640 	info = os_malloc(info_len);
1641 	if (!info)
1642 		return -1;
1643 	pos = info;
1644 	if (mac_init && mac_resp) {
1645 		os_memcpy(pos, mac_init, ETH_ALEN);
1646 		pos += ETH_ALEN;
1647 		os_memcpy(pos, mac_resp, ETH_ALEN);
1648 		pos += ETH_ALEN;
1649 	} else {
1650 		*pos++ = ver_init;
1651 		*pos++ = ver_resp;
1652 	}
1653 	os_memcpy(pos, Mx, Mx_len);
1654 	pos += Mx_len;
1655 	os_memcpy(pos, Nx, Nx_len);
1656 	pos += Nx_len;
1657 	os_memcpy(pos, code, code_len);
1658 
1659 	/* HKDF-Expand(PRK, info, L) */
1660 	if (hash_len == 32)
1661 		res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len,
1662 				      z, hash_len);
1663 	else if (hash_len == 48)
1664 		res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len,
1665 				      z, hash_len);
1666 	else if (hash_len == 64)
1667 		res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len,
1668 				      z, hash_len);
1669 	else
1670 		res = -1;
1671 	os_free(info);
1672 	os_memset(prk, 0, hash_len);
1673 	if (res < 0)
1674 		return -1;
1675 
1676 	wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)",
1677 			z, hash_len);
1678 	return 0;
1679 }
1680 
1681 
1682 int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
1683 				     const u8 *net_access_key,
1684 				     size_t net_access_key_len,
1685 				     struct json_token *peer_net_access_key)
1686 {
1687 	struct crypto_ec_key *own_key = NULL, *peer_key = NULL;
1688 	struct crypto_bignum *sum = NULL, *cR = NULL, *pR = NULL;
1689 	const struct crypto_bignum *q;
1690 	struct crypto_ec *ec = NULL;
1691 	struct crypto_ec_point *M = NULL, *CI = NULL;
1692 	u8 Mx[DPP_MAX_SHARED_SECRET_LEN];
1693 	u8 prk[DPP_MAX_HASH_LEN];
1694 	const struct dpp_curve_params *curve;
1695 	int res = -1;
1696 	u8 nonces[2 * DPP_MAX_NONCE_LEN];
1697 
1698 	own_key = dpp_set_keypair(&auth->curve, net_access_key,
1699 				  net_access_key_len);
1700 	if (!own_key) {
1701 		dpp_auth_fail(auth, "Failed to parse own netAccessKey");
1702 		goto fail;
1703 	}
1704 
1705 	peer_key = dpp_parse_jwk(peer_net_access_key, &curve);
1706 	if (!peer_key)
1707 		goto fail;
1708 	dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
1709 
1710 	if (auth->curve != curve) {
1711 		wpa_printf(MSG_DEBUG,
1712 			   "DPP: Mismatching netAccessKey curves (own=%s != peer=%s)",
1713 			   auth->curve->name, curve->name);
1714 		goto fail;
1715 	}
1716 
1717 	auth->own_protocol_key = dpp_gen_keypair(curve);
1718 	if (!auth->own_protocol_key)
1719 		goto fail;
1720 
1721 	if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
1722 		wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
1723 		goto fail;
1724 	}
1725 	wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
1726 			auth->e_nonce, auth->curve->nonce_len);
1727 
1728 	/* M = { cR + pR } * CI */
1729 	ec = crypto_ec_init(curve->ike_group);
1730 	if (!ec)
1731 		goto fail;
1732 
1733 	sum = crypto_bignum_init();
1734 	q = crypto_ec_get_order(ec);
1735 	M = crypto_ec_point_init(ec);
1736 	cR = crypto_ec_key_get_private_key(own_key);
1737 	pR = crypto_ec_key_get_private_key(auth->own_protocol_key);
1738 	CI = crypto_ec_key_get_public_key(peer_key);
1739 	if (!sum || !q || !M || !cR || !pR || !CI ||
1740 	    crypto_bignum_addmod(cR, pR, q, sum) ||
1741 	    crypto_ec_point_mul(ec, CI, sum, M) ||
1742 	    crypto_ec_point_to_bin(ec, M, Mx, NULL)) {
1743 		wpa_printf(MSG_ERROR, "DPP: Error during M computation");
1744 		goto fail;
1745 	}
1746 	wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
1747 
1748 	/* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
1749 
1750 	/* HKDF-Extract(C-nonce | E-nonce, M.x) */
1751 	os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
1752 	os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
1753 	if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
1754 		     Mx, curve->prime_len, prk) < 0)
1755 		goto fail;
1756 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
1757 
1758 	/* HKDF-Expand(PRK, "dpp reconfig key", L) */
1759 	if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len,
1760 			    "dpp reconfig key", auth->ke, curve->hash_len) < 0)
1761 		goto fail;
1762 	wpa_hexdump_key(MSG_DEBUG,
1763 			"DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
1764 			auth->ke, curve->hash_len);
1765 
1766 	res = 0;
1767 	crypto_ec_key_deinit(auth->reconfig_old_protocol_key);
1768 	auth->reconfig_old_protocol_key = own_key;
1769 	own_key = NULL;
1770 fail:
1771 	forced_memzero(prk, sizeof(prk));
1772 	forced_memzero(Mx, sizeof(Mx));
1773 	crypto_ec_point_deinit(M, 1);
1774 	crypto_ec_point_deinit(CI, 1);
1775 	crypto_bignum_deinit(sum, 1);
1776 	crypto_bignum_deinit(cR, 1);
1777 	crypto_bignum_deinit(pR, 1);
1778 	crypto_ec_key_deinit(own_key);
1779 	crypto_ec_key_deinit(peer_key);
1780 	crypto_ec_deinit(ec);
1781 	return res;
1782 }
1783 
1784 
1785 int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
1786 				     const u8 *r_proto, u16 r_proto_len,
1787 				     struct json_token *net_access_key)
1788 {
1789 	struct crypto_ec_key *pr = NULL, *peer_key = NULL;
1790 	struct crypto_bignum *cI = NULL;
1791 	struct crypto_ec *ec = NULL;
1792 	struct crypto_ec_point *sum = NULL, *M = NULL, *CR = NULL, *PR = NULL;
1793 	u8 Mx[DPP_MAX_SHARED_SECRET_LEN];
1794 	u8 prk[DPP_MAX_HASH_LEN];
1795 	int res = -1;
1796 	const struct dpp_curve_params *curve;
1797 	u8 nonces[2 * DPP_MAX_NONCE_LEN];
1798 
1799 	pr = dpp_set_pubkey_point(auth->conf->connector_key,
1800 				  r_proto, r_proto_len);
1801 	if (!pr) {
1802 		dpp_auth_fail(auth, "Invalid Responder Protocol Key");
1803 		goto fail;
1804 	}
1805 	dpp_debug_print_key("Peer (Responder) Protocol Key", pr);
1806 	crypto_ec_key_deinit(auth->peer_protocol_key);
1807 	auth->peer_protocol_key = pr;
1808 	pr = NULL;
1809 
1810 	peer_key = dpp_parse_jwk(net_access_key, &curve);
1811 	if (!peer_key)
1812 		goto fail;
1813 	dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
1814 	if (auth->curve != curve) {
1815 		wpa_printf(MSG_DEBUG,
1816 			   "DPP: Mismatching netAccessKey curves (own=%s != peer=%s)",
1817 			   auth->curve->name, curve->name);
1818 		goto fail;
1819 	}
1820 
1821 	/* M = cI * { CR + PR } */
1822 	ec = crypto_ec_init(curve->ike_group);
1823 	if (!ec)
1824 		goto fail;
1825 
1826 	cI = crypto_ec_key_get_private_key(auth->conf->connector_key);
1827 	sum = crypto_ec_point_init(ec);
1828 	M = crypto_ec_point_init(ec);
1829 	CR = crypto_ec_key_get_public_key(peer_key);
1830 	PR = crypto_ec_key_get_public_key(auth->peer_protocol_key);
1831 	if (!cI || !sum || !M || !CR || !PR ||
1832 	    crypto_ec_point_add(ec, CR, PR, sum) ||
1833 	    crypto_ec_point_mul(ec, sum, cI, M) ||
1834 	    crypto_ec_point_to_bin(ec, M, Mx, NULL)) {
1835 		wpa_printf(MSG_ERROR, "DPP: Error during M computation");
1836 		goto fail;
1837 	}
1838 
1839 	wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
1840 
1841 	/* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
1842 
1843 	/* HKDF-Extract(C-nonce | E-nonce, M.x) */
1844 	os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
1845 	os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
1846 	if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
1847 		     Mx, curve->prime_len, prk) < 0)
1848 		goto fail;
1849 	wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
1850 
1851 	/* HKDF-Expand(PRK, "dpp reconfig key", L) */
1852 	if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len,
1853 			    "dpp reconfig key", auth->ke, curve->hash_len) < 0)
1854 		goto fail;
1855 	wpa_hexdump_key(MSG_DEBUG,
1856 			"DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
1857 			auth->ke, curve->hash_len);
1858 
1859 	res = 0;
1860 fail:
1861 	forced_memzero(prk, sizeof(prk));
1862 	forced_memzero(Mx, sizeof(Mx));
1863 	crypto_bignum_deinit(cI, 1);
1864 	crypto_ec_key_deinit(pr);
1865 	crypto_ec_key_deinit(peer_key);
1866 	crypto_ec_point_deinit(sum, 1);
1867 	crypto_ec_point_deinit(M, 1);
1868 	crypto_ec_point_deinit(CR, 1);
1869 	crypto_ec_point_deinit(PR, 1);
1870 	crypto_ec_deinit(ec);
1871 	return res;
1872 }
1873 
1874 
1875 static char *
1876 dpp_build_jws_prot_hdr(struct dpp_configurator *conf, size_t *signed1_len)
1877 {
1878 	struct wpabuf *jws_prot_hdr;
1879 	char *signed1;
1880 
1881 	jws_prot_hdr = wpabuf_alloc(100);
1882 	if (!jws_prot_hdr)
1883 		return NULL;
1884 	json_start_object(jws_prot_hdr, NULL);
1885 	json_add_string(jws_prot_hdr, "typ", "dppCon");
1886 	json_value_sep(jws_prot_hdr);
1887 	json_add_string(jws_prot_hdr, "kid", conf->kid);
1888 	json_value_sep(jws_prot_hdr);
1889 	json_add_string(jws_prot_hdr, "alg", conf->curve->jws_alg);
1890 	json_end_object(jws_prot_hdr);
1891 	signed1 = base64_url_encode(wpabuf_head(jws_prot_hdr),
1892 				    wpabuf_len(jws_prot_hdr),
1893 				    signed1_len);
1894 	wpabuf_free(jws_prot_hdr);
1895 	return signed1;
1896 }
1897 
1898 
1899 static char *
1900 dpp_build_conn_signature(struct dpp_configurator *conf,
1901 			 const char *signed1, size_t signed1_len,
1902 			 const char *signed2, size_t signed2_len,
1903 			 size_t *signed3_len)
1904 {
1905 	const struct dpp_curve_params *curve;
1906 	struct wpabuf *sig = NULL;
1907 	char *signed3 = NULL;
1908 	char *dot = ".";
1909 	const u8 *vector[3];
1910 	size_t vector_len[3];
1911 	u8 *hash;
1912 	int ret;
1913 
1914 	vector[0] = (const u8 *) signed1;
1915 	vector[1] = (const u8 *) dot;
1916 	vector[2] = (const u8 *) signed2;
1917 	vector_len[0] = signed1_len;
1918 	vector_len[1] = 1;
1919 	vector_len[2] = signed2_len;
1920 
1921 	curve = conf->curve;
1922 	hash = os_malloc(curve->hash_len);
1923 	if (!hash)
1924 		goto fail;
1925 	if (curve->hash_len == SHA256_MAC_LEN) {
1926 		ret = sha256_vector(3, vector, vector_len, hash);
1927 	} else if (curve->hash_len == SHA384_MAC_LEN) {
1928 		ret = sha384_vector(3, vector, vector_len, hash);
1929 	} else if (curve->hash_len == SHA512_MAC_LEN) {
1930 		ret = sha512_vector(3, vector, vector_len, hash);
1931 	} else {
1932 		wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
1933 		goto fail;
1934 	}
1935 	if (ret) {
1936 		wpa_printf(MSG_DEBUG, "DPP: Hash computation failed");
1937 		goto fail;
1938 	}
1939 	wpa_hexdump(MSG_DEBUG, "DPP: Hash value for Connector signature",
1940 		    hash, curve->hash_len);
1941 
1942 	sig = crypto_ec_key_sign_r_s(conf->csign, hash, curve->hash_len);
1943 	if (!sig) {
1944 		wpa_printf(MSG_ERROR, "DPP: Signature computation failed");
1945 		goto fail;
1946 	}
1947 
1948 	wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)",
1949 		    wpabuf_head(sig), wpabuf_len(sig));
1950 	signed3 = base64_url_encode(wpabuf_head(sig), wpabuf_len(sig),
1951 				    signed3_len);
1952 
1953 fail:
1954 	os_free(hash);
1955 	wpabuf_free(sig);
1956 	return signed3;
1957 }
1958 
1959 char * dpp_sign_connector(struct dpp_configurator *conf,
1960 			  const struct wpabuf *dppcon)
1961 {
1962 	char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL;
1963 	char *signed_conn = NULL, *pos;
1964 	size_t signed1_len, signed2_len, signed3_len;
1965 
1966 	signed1 = dpp_build_jws_prot_hdr(conf, &signed1_len);
1967 	signed2 = base64_url_encode(wpabuf_head(dppcon), wpabuf_len(dppcon),
1968 				    &signed2_len);
1969 	if (!signed1 || !signed2)
1970 		goto fail;
1971 
1972 	signed3 = dpp_build_conn_signature(conf, signed1, signed1_len,
1973 					   signed2, signed2_len, &signed3_len);
1974 	if (!signed3)
1975 		goto fail;
1976 
1977 	signed_conn = os_malloc(signed1_len + signed2_len + signed3_len + 3);
1978 	if (!signed_conn)
1979 		goto fail;
1980 	pos = signed_conn;
1981 	os_memcpy(pos, signed1, signed1_len);
1982 	pos += signed1_len;
1983 	*pos++ = '.';
1984 	os_memcpy(pos, signed2, signed2_len);
1985 	pos += signed2_len;
1986 	*pos++ = '.';
1987 	os_memcpy(pos, signed3, signed3_len);
1988 	pos += signed3_len;
1989 	*pos = '\0';
1990 
1991 fail:
1992 	os_free(signed1);
1993 	os_free(signed2);
1994 	os_free(signed3);
1995 	return signed_conn;
1996 }
1997 
1998 
1999 #ifdef CONFIG_DPP2
2000 
2001 struct dpp_pfs * dpp_pfs_init(const u8 *net_access_key,
2002 			      size_t net_access_key_len)
2003 {
2004 	struct wpabuf *pub = NULL;
2005 	struct crypto_ec_key *own_key;
2006 	struct dpp_pfs *pfs;
2007 
2008 	pfs = os_zalloc(sizeof(*pfs));
2009 	if (!pfs)
2010 		return NULL;
2011 
2012 	own_key = dpp_set_keypair(&pfs->curve, net_access_key,
2013 				  net_access_key_len);
2014 	if (!own_key) {
2015 		wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
2016 		goto fail;
2017 	}
2018 	crypto_ec_key_deinit(own_key);
2019 
2020 	pfs->ecdh = crypto_ecdh_init(pfs->curve->ike_group);
2021 	if (!pfs->ecdh)
2022 		goto fail;
2023 
2024 	pub = crypto_ecdh_get_pubkey(pfs->ecdh, 0);
2025 	pub = wpabuf_zeropad(pub, pfs->curve->prime_len);
2026 	if (!pub)
2027 		goto fail;
2028 
2029 	pfs->ie = wpabuf_alloc(5 + wpabuf_len(pub));
2030 	if (!pfs->ie)
2031 		goto fail;
2032 	wpabuf_put_u8(pfs->ie, WLAN_EID_EXTENSION);
2033 	wpabuf_put_u8(pfs->ie, 1 + 2 + wpabuf_len(pub));
2034 	wpabuf_put_u8(pfs->ie, WLAN_EID_EXT_OWE_DH_PARAM);
2035 	wpabuf_put_le16(pfs->ie, pfs->curve->ike_group);
2036 	wpabuf_put_buf(pfs->ie, pub);
2037 	wpabuf_free(pub);
2038 	wpa_hexdump_buf(MSG_DEBUG, "DPP: Diffie-Hellman Parameter element",
2039 			pfs->ie);
2040 
2041 	return pfs;
2042 fail:
2043 	wpabuf_free(pub);
2044 	dpp_pfs_free(pfs);
2045 	return NULL;
2046 }
2047 
2048 
2049 int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len)
2050 {
2051 	if (peer_ie_len < 2)
2052 		return -1;
2053 	if (WPA_GET_LE16(peer_ie) != pfs->curve->ike_group) {
2054 		wpa_printf(MSG_DEBUG, "DPP: Peer used different group for PFS");
2055 		return -1;
2056 	}
2057 
2058 	pfs->secret = crypto_ecdh_set_peerkey(pfs->ecdh, 0, peer_ie + 2,
2059 					      peer_ie_len - 2);
2060 	pfs->secret = wpabuf_zeropad(pfs->secret, pfs->curve->prime_len);
2061 	if (!pfs->secret) {
2062 		wpa_printf(MSG_DEBUG, "DPP: Invalid peer DH public key");
2063 		return -1;
2064 	}
2065 	wpa_hexdump_buf_key(MSG_DEBUG, "DPP: DH shared secret", pfs->secret);
2066 	return 0;
2067 }
2068 
2069 
2070 void dpp_pfs_free(struct dpp_pfs *pfs)
2071 {
2072 	if (!pfs)
2073 		return;
2074 	crypto_ecdh_deinit(pfs->ecdh);
2075 	wpabuf_free(pfs->ie);
2076 	wpabuf_clear_free(pfs->secret);
2077 	os_free(pfs);
2078 }
2079 
2080 
2081 struct wpabuf * dpp_build_csr(struct dpp_authentication *auth, const char *name)
2082 {
2083 	struct crypto_csr *csr = NULL;
2084 	struct wpabuf *buf = NULL;
2085 	struct crypto_ec_key *key;
2086 	unsigned int hash_len = auth->curve->hash_len;
2087 	struct wpabuf *priv_key;
2088 	u8 cp[DPP_CP_LEN];
2089 	char *password = NULL;
2090 	size_t password_len = 0;
2091 	int hash_sign_algo;
2092 
2093 	/* TODO: use auth->csrattrs */
2094 
2095 	/* TODO: support generation of a new private key if csrAttrs requests
2096 	 * a specific group to be used */
2097 	key = auth->own_protocol_key;
2098 
2099 	priv_key = crypto_ec_key_get_ecprivate_key(key, true);
2100 	if (!priv_key)
2101 		goto fail;
2102 	wpabuf_free(auth->priv_key);
2103 	auth->priv_key = priv_key;
2104 
2105 	csr = crypto_csr_init();
2106 	if (!csr || crypto_csr_set_ec_public_key(csr, key))
2107 		goto fail;
2108 
2109 	if (name && crypto_csr_set_name(csr, CSR_NAME_CN, name))
2110 		goto fail;
2111 
2112 	/* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */
2113 	if (dpp_hkdf_expand(hash_len, auth->bk, hash_len,
2114 			    "CSR challengePassword", cp, DPP_CP_LEN) < 0)
2115 		goto fail;
2116 	wpa_hexdump_key(MSG_DEBUG,
2117 			"DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)",
2118 			cp, DPP_CP_LEN);
2119 	password = base64_encode_no_lf(cp, DPP_CP_LEN, &password_len);
2120 	forced_memzero(cp, DPP_CP_LEN);
2121 	if (!password ||
2122 	    crypto_csr_set_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD,
2123 				     ASN1_TAG_UTF8STRING, (const u8 *) password,
2124 				     password_len))
2125 		goto fail;
2126 
2127 	/* TODO: hash func selection based on csrAttrs */
2128 	if (hash_len == SHA256_MAC_LEN) {
2129 		hash_sign_algo = CRYPTO_HASH_ALG_SHA256;
2130 	} else if (hash_len == SHA384_MAC_LEN) {
2131 		hash_sign_algo = CRYPTO_HASH_ALG_SHA384;
2132 	} else if (hash_len == SHA512_MAC_LEN) {
2133 		hash_sign_algo = CRYPTO_HASH_ALG_SHA512;
2134 	} else {
2135 		wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
2136 		goto fail;
2137 	}
2138 
2139 	buf = crypto_csr_sign(csr, key, hash_sign_algo);
2140 	if (!buf)
2141 		goto fail;
2142 	wpa_hexdump_buf(MSG_DEBUG, "DPP: CSR", buf);
2143 
2144 fail:
2145 	bin_clear_free(password, password_len);
2146 	crypto_csr_deinit(csr);
2147 	return buf;
2148 }
2149 
2150 
2151 int dpp_validate_csr(struct dpp_authentication *auth,
2152 		     const struct wpabuf *csrbuf)
2153 {
2154 	struct crypto_csr *csr;
2155 	const u8 *attr;
2156 	size_t attr_len;
2157 	int attr_type;
2158 	unsigned char *cp = NULL;
2159 	size_t cp_len;
2160 	u8 exp_cp[DPP_CP_LEN];
2161 	unsigned int hash_len = auth->curve->hash_len;
2162 	int ret = -1;
2163 
2164 	csr = crypto_csr_verify(csrbuf);
2165 	if (!csr) {
2166 		wpa_printf(MSG_DEBUG,
2167 			   "DPP: CSR invalid or invalid signature");
2168 		goto fail;
2169 	}
2170 
2171 	attr = crypto_csr_get_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD,
2172 					&attr_len, &attr_type);
2173 	if (!attr) {
2174 		wpa_printf(MSG_DEBUG,
2175 			   "DPP: CSR does not include challengePassword");
2176 		goto fail;
2177 	}
2178 	/* This is supposed to be UTF8String, but allow other strings as well
2179 	 * since challengePassword is using ASCII (base64 encoded). */
2180 	if (attr_type != ASN1_TAG_UTF8STRING &&
2181 	    attr_type != ASN1_TAG_PRINTABLESTRING &&
2182 	    attr_type != ASN1_TAG_IA5STRING) {
2183 		wpa_printf(MSG_DEBUG,
2184 			   "DPP: Unexpected challengePassword attribute type %d",
2185 			   attr_type);
2186 		goto fail;
2187 	}
2188 
2189 	cp = base64_decode((const char *) attr, attr_len, &cp_len);
2190 	if (!cp) {
2191 		wpa_printf(MSG_DEBUG,
2192 			   "DPP: Could not base64 decode challengePassword");
2193 		goto fail;
2194 	}
2195 	if (cp_len != DPP_CP_LEN) {
2196 		wpa_printf(MSG_DEBUG,
2197 			   "DPP: Unexpected cp length (%zu) in CSR challengePassword",
2198 			   cp_len);
2199 		goto fail;
2200 	}
2201 	wpa_hexdump_key(MSG_DEBUG, "DPP: cp from CSR challengePassword",
2202 			cp, cp_len);
2203 
2204 	/* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */
2205 	if (dpp_hkdf_expand(hash_len, auth->bk, hash_len,
2206 			    "CSR challengePassword", exp_cp, DPP_CP_LEN) < 0)
2207 		goto fail;
2208 	wpa_hexdump_key(MSG_DEBUG,
2209 			"DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)",
2210 			exp_cp, DPP_CP_LEN);
2211 	if (os_memcmp_const(cp, exp_cp, DPP_CP_LEN) != 0) {
2212 		wpa_printf(MSG_DEBUG,
2213 			   "DPP: CSR challengePassword does not match calculated cp");
2214 		goto fail;
2215 	}
2216 
2217 	ret = 0;
2218 fail:
2219 	os_free(cp);
2220 	crypto_csr_deinit(csr);
2221 	return ret;
2222 }
2223 
2224 
2225 struct dpp_reconfig_id * dpp_gen_reconfig_id(const u8 *csign_key,
2226 					     size_t csign_key_len,
2227 					     const u8 *pp_key,
2228 					     size_t pp_key_len)
2229 {
2230 	struct crypto_ec_key *csign = NULL, *ppkey = NULL;
2231 	struct dpp_reconfig_id *id = NULL;
2232 	struct crypto_ec *ec = NULL;
2233 	const struct crypto_bignum *q;
2234 	struct crypto_bignum *bn = NULL;
2235 	struct crypto_ec_point *e_id = NULL;
2236 	const struct crypto_ec_point *generator;
2237 
2238 	csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
2239 	if (!csign)
2240 		goto fail;
2241 
2242 	if (!pp_key)
2243 		goto fail;
2244 	ppkey = crypto_ec_key_parse_pub(pp_key, pp_key_len);
2245 	if (!ppkey)
2246 		goto fail;
2247 
2248 	ec = crypto_ec_init(crypto_ec_key_group(csign));
2249 	if (!ec)
2250 		goto fail;
2251 
2252 	e_id = crypto_ec_point_init(ec);
2253 	bn = crypto_bignum_init();
2254 	q = crypto_ec_get_order(ec);
2255 	generator = crypto_ec_get_generator(ec);
2256 	if (!e_id || !bn || !q || !generator ||
2257 	    crypto_bignum_rand(bn, q) ||
2258 	    crypto_ec_point_mul(ec, generator, bn, e_id))
2259 		goto fail;
2260 
2261 	crypto_ec_point_debug_print(ec, e_id,
2262 				    "DPP: Generated random point E-id");
2263 
2264 	id = os_zalloc(sizeof(*id));
2265 	if (!id)
2266 		goto fail;
2267 
2268 	id->ec = ec;
2269 	ec = NULL;
2270 	id->e_id = e_id;
2271 	e_id = NULL;
2272 	id->csign = csign;
2273 	csign = NULL;
2274 	id->pp_key = ppkey;
2275 	ppkey = NULL;
2276 fail:
2277 	crypto_ec_point_deinit(e_id, 1);
2278 	crypto_ec_key_deinit(csign);
2279 	crypto_ec_key_deinit(ppkey);
2280 	crypto_bignum_deinit(bn, 1);
2281 	crypto_ec_deinit(ec);
2282 	return id;
2283 }
2284 
2285 
2286 int dpp_update_reconfig_id(struct dpp_reconfig_id *id)
2287 {
2288 	const struct crypto_bignum *q;
2289 	struct crypto_bignum *bn;
2290 	const struct crypto_ec_point *generator;
2291 	struct crypto_ec_point *e_prime_id, *a_nonce, *pp;
2292 	int ret = -1;
2293 
2294 	pp = crypto_ec_key_get_public_key(id->pp_key);
2295 	e_prime_id = crypto_ec_point_init(id->ec);
2296 	a_nonce = crypto_ec_point_init(id->ec);
2297 	bn = crypto_bignum_init();
2298 	q = crypto_ec_get_order(id->ec);
2299 	generator = crypto_ec_get_generator(id->ec);
2300 
2301 	/* Generate random 0 <= a-nonce < q
2302 	 * A-NONCE = a-nonce * G
2303 	 * E'-id = E-id + a-nonce * P_pk */
2304 	if (!pp || !e_prime_id || !a_nonce || !bn || !q || !generator ||
2305 	    crypto_bignum_rand(bn, q) || /* bn = a-nonce */
2306 	    crypto_ec_point_mul(id->ec, generator, bn, a_nonce) ||
2307 	    crypto_ec_point_mul(id->ec, pp, bn, e_prime_id) ||
2308 	    crypto_ec_point_add(id->ec, id->e_id, e_prime_id, e_prime_id))
2309 		goto fail;
2310 
2311 	crypto_ec_point_debug_print(id->ec, a_nonce,
2312 				    "DPP: Generated A-NONCE");
2313 	crypto_ec_point_debug_print(id->ec, e_prime_id,
2314 				    "DPP: Encrypted E-id to E'-id");
2315 
2316 	crypto_ec_key_deinit(id->a_nonce);
2317 	crypto_ec_key_deinit(id->e_prime_id);
2318 	id->a_nonce = crypto_ec_key_set_pub_point(id->ec, a_nonce);
2319 	id->e_prime_id = crypto_ec_key_set_pub_point(id->ec, e_prime_id);
2320 	if (!id->a_nonce || !id->e_prime_id)
2321 		goto fail;
2322 
2323 	ret = 0;
2324 
2325 fail:
2326 	crypto_ec_point_deinit(e_prime_id, 1);
2327 	crypto_ec_point_deinit(a_nonce, 1);
2328 	crypto_ec_point_deinit(pp, 1);
2329 	crypto_bignum_deinit(bn, 1);
2330 	return ret;
2331 }
2332 
2333 
2334 void dpp_free_reconfig_id(struct dpp_reconfig_id *id)
2335 {
2336 	if (id) {
2337 		crypto_ec_point_deinit(id->e_id, 1);
2338 		crypto_ec_key_deinit(id->csign);
2339 		crypto_ec_key_deinit(id->a_nonce);
2340 		crypto_ec_key_deinit(id->e_prime_id);
2341 		crypto_ec_key_deinit(id->pp_key);
2342 		crypto_ec_deinit(id->ec);
2343 		os_free(id);
2344 	}
2345 }
2346 
2347 
2348 struct crypto_ec_point * dpp_decrypt_e_id(struct crypto_ec_key *ppkey,
2349 					  struct crypto_ec_key *a_nonce,
2350 					  struct crypto_ec_key *e_prime_id)
2351 {
2352 	struct crypto_ec *ec;
2353 	struct crypto_bignum *pp = NULL;
2354 	struct crypto_ec_point *e_id = NULL;
2355 	struct crypto_ec_point *a_nonce_point, *e_prime_id_point;
2356 
2357 	if (!ppkey)
2358 		return NULL;
2359 
2360 	/* E-id = E'-id - s_C * A-NONCE */
2361 	ec = crypto_ec_init(crypto_ec_key_group(ppkey));
2362 	if (!ec)
2363 		return NULL;
2364 
2365 	pp = crypto_ec_key_get_private_key(ppkey);
2366 	a_nonce_point = crypto_ec_key_get_public_key(a_nonce);
2367 	e_prime_id_point = crypto_ec_key_get_public_key(e_prime_id);
2368 	e_id = crypto_ec_point_init(ec);
2369 	if (!pp || !a_nonce_point || !e_prime_id_point || !e_id ||
2370 	    crypto_ec_point_mul(ec, a_nonce_point, pp, e_id) ||
2371 	    crypto_ec_point_invert(ec, e_id) ||
2372 	    crypto_ec_point_add(ec, e_id, e_prime_id_point, e_id)) {
2373 		crypto_ec_point_deinit(e_id, 1);
2374 		goto fail;
2375 	}
2376 
2377 	crypto_ec_point_debug_print(ec, e_id, "DPP: Decrypted E-id");
2378 
2379 fail:
2380 	crypto_ec_point_deinit(a_nonce_point, 1);
2381 	crypto_ec_point_deinit(e_prime_id_point, 1);
2382 	crypto_bignum_deinit(pp, 1);
2383 	crypto_ec_deinit(ec);
2384 	return e_id;
2385 }
2386 
2387 #endif /* CONFIG_DPP2 */
2388 
2389 
2390 #ifdef CONFIG_DPP3
2391 
2392 int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
2393 {
2394 	int ret = -1, res;
2395 	u8 Sx[DPP_MAX_SHARED_SECRET_LEN];
2396 	size_t Sx_len;
2397 	unsigned int hash_len;
2398 	const char *info = "New DPP Protocol Key";
2399 	const u8 *addr[3];
2400 	size_t len[3];
2401 	u8 tmp[DPP_MAX_HASH_LEN], k[DPP_MAX_HASH_LEN];
2402 	struct wpabuf *pcx = NULL, *pex = NULL;
2403 
2404 	hash_len = auth->curve->hash_len;
2405 
2406 	/*
2407 	 * Configurator: S = pc * Pe
2408 	 * Enrollee: S = pe * Pc
2409 	 * k = HKDF(bk, "New DPP Protocol Key", S.x)
2410 	 *   = HKDF-Expand(HKDF-Extract(bk, S.X), "New DPP Protocol Key",
2411 	 *                 len(new-curve-hash-out))
2412 	 * Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)
2413 	 *
2414 	 * auth->own_protocol_key and auth->peer_protocol_key have already been
2415 	 * updated to use the new keys. The new curve determines the size of
2416 	 * the (new) protocol keys and S.x. The other parameters (bk, hash
2417 	 * algorithm, k) are determined based on the initially determined curve
2418 	 * during the (re)authentication exchange.
2419 	 */
2420 
2421 	if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key,
2422 		     Sx, &Sx_len) < 0)
2423 		goto fail;
2424 
2425 	wpa_hexdump_key(MSG_DEBUG, "DPP: S.x", Sx, Sx_len);
2426 
2427 	/* tmp = HKDF-Extract(bk, S.x) */
2428 	addr[0] = Sx;
2429 	len[0] = Sx_len;
2430 	res = dpp_hmac_vector(hash_len, auth->bk, hash_len, 1, addr, len, tmp);
2431 	if (res < 0)
2432 		goto fail;
2433 	wpa_hexdump_key(MSG_DEBUG, "DPP: HKDF-Extract(bk, S.x)",
2434 			tmp, hash_len);
2435 	/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(hash-output))
2436 	 */
2437 	res = dpp_hkdf_expand(hash_len, tmp, hash_len, info, k, hash_len);
2438 	if (res < 0)
2439 		return -1;
2440 
2441 	wpa_hexdump_key(MSG_DEBUG,
2442 			"DPP: k = HKDF-Expand(\"New DPP Protocol Key\")",
2443 			k, hash_len);
2444 
2445 	/* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) */
2446 	addr[0] = auth->e_nonce;
2447 	len[0] = auth->curve->nonce_len;
2448 
2449 	if (auth->configurator) {
2450 		pcx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
2451 		pex = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
2452 						     0);
2453 	} else {
2454 		pcx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
2455 						     0);
2456 		pex = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
2457 	}
2458 	if (!pcx || !pex)
2459 		goto fail;
2460 	addr[1] = wpabuf_head(pcx);
2461 	len[1] = wpabuf_len(pcx) / 2;
2462 	addr[2] = wpabuf_head(pex);
2463 	len[2] = wpabuf_len(pex) / 2;
2464 
2465 	if (dpp_hmac_vector(hash_len, k, hash_len, 3, addr, len, auth_i) < 0)
2466 		goto fail;
2467 	wpa_hexdump_key(MSG_DEBUG,
2468 			"DPP: Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)",
2469 			auth_i, hash_len);
2470 	ret = 0;
2471 fail:
2472 	forced_memzero(Sx, sizeof(Sx));
2473 	forced_memzero(tmp, sizeof(tmp));
2474 	forced_memzero(k, sizeof(k));
2475 	wpabuf_free(pcx);
2476 	wpabuf_free(pex);
2477 	return ret;
2478 }
2479 
2480 
2481 int dpp_hpke_suite(int iana_group, enum hpke_kem_id *kem_id,
2482 		   enum hpke_kdf_id *kdf_id, enum hpke_aead_id *aead_id)
2483 {
2484 	switch (iana_group) {
2485 	case 19:
2486 		*kem_id = HPKE_DHKEM_P256_HKDF_SHA256;
2487 		*kdf_id = HPKE_KDF_HKDF_SHA256;
2488 		*aead_id = HPKE_AEAD_AES_128_GCM;
2489 		return 0;
2490 	case 20:
2491 		*kem_id = HPKE_DHKEM_P384_HKDF_SHA384;
2492 		*kdf_id = HPKE_KDF_HKDF_SHA384;
2493 		*aead_id = HPKE_AEAD_AES_256_GCM;
2494 		return 0;
2495 	case 21:
2496 		*kem_id = HPKE_DHKEM_P521_HKDF_SHA512;
2497 		*kdf_id = HPKE_KDF_HKDF_SHA512;
2498 		*aead_id = HPKE_AEAD_AES_256_GCM;
2499 		return 0;
2500 	case 28:
2501 		*kem_id = HPKE_DHKEM_P256_HKDF_SHA256;
2502 		*kdf_id = HPKE_KDF_HKDF_SHA256;
2503 		*aead_id = HPKE_AEAD_AES_128_GCM;
2504 		return 0;
2505 	case 29:
2506 		*kem_id = HPKE_DHKEM_P384_HKDF_SHA384;
2507 		*kdf_id = HPKE_KDF_HKDF_SHA384;
2508 		*aead_id = HPKE_AEAD_AES_256_GCM;
2509 		return 0;
2510 	case 30:
2511 		*kem_id = HPKE_DHKEM_P521_HKDF_SHA512;
2512 		*kdf_id = HPKE_KDF_HKDF_SHA512;
2513 		*aead_id = HPKE_AEAD_AES_256_GCM;
2514 		return 0;
2515 	}
2516 
2517 	return -1;
2518 }
2519 
2520 #endif /* CONFIG_DPP3 */
2521 
2522 
2523 #ifdef CONFIG_TESTING_OPTIONS
2524 
2525 int dpp_test_gen_invalid_key(struct wpabuf *msg,
2526 			     const struct dpp_curve_params *curve)
2527 {
2528 	struct crypto_ec *ec;
2529 	struct crypto_ec_key *key = NULL;
2530 	struct crypto_ec_point *p = NULL, *pub_key = NULL;
2531 	u8 *x, *y;
2532 	int ret = -1;
2533 
2534 	ec = crypto_ec_init(curve->ike_group);
2535 	x = wpabuf_put(msg, curve->prime_len);
2536 	y = wpabuf_put(msg, curve->prime_len);
2537 	if (!ec)
2538 		goto fail;
2539 
2540 retry:
2541 	/* Generate valid key pair */
2542 	key = crypto_ec_key_gen(curve->ike_group);
2543 	if (!key)
2544 		goto fail;
2545 
2546 	/* Retrieve public key coordinates */
2547 	pub_key = crypto_ec_key_get_public_key(key);
2548 	if (!pub_key || crypto_ec_point_to_bin(ec, pub_key, x, y))
2549 		goto fail;
2550 
2551 	/* And corrupt them */
2552 	y[curve->prime_len - 1] ^= 0x01;
2553 	p = crypto_ec_point_from_bin(ec, x);
2554 	if (p && crypto_ec_point_is_on_curve(ec, p)) {
2555 		crypto_ec_point_deinit(p, 0);
2556 		p = NULL;
2557 		goto retry;
2558 	}
2559 
2560 	ret = 0;
2561 fail:
2562 	crypto_ec_point_deinit(p, 0);
2563 	crypto_ec_point_deinit(pub_key, 0);
2564 	crypto_ec_key_deinit(key);
2565 	crypto_ec_deinit(ec);
2566 	return ret;
2567 }
2568 
2569 
2570 char * dpp_corrupt_connector_signature(const char *connector)
2571 {
2572 	char *tmp, *pos, *signed3 = NULL;
2573 	unsigned char *signature = NULL;
2574 	size_t signature_len = 0, signed3_len;
2575 
2576 	tmp = os_zalloc(os_strlen(connector) + 5);
2577 	if (!tmp)
2578 		goto fail;
2579 	os_memcpy(tmp, connector, os_strlen(connector));
2580 
2581 	pos = os_strchr(tmp, '.');
2582 	if (!pos)
2583 		goto fail;
2584 
2585 	pos = os_strchr(pos + 1, '.');
2586 	if (!pos)
2587 		goto fail;
2588 	pos++;
2589 
2590 	wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
2591 		   pos);
2592 	signature = base64_url_decode(pos, os_strlen(pos), &signature_len);
2593 	if (!signature || signature_len == 0)
2594 		goto fail;
2595 	wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
2596 		    signature, signature_len);
2597 	signature[signature_len - 1] ^= 0x01;
2598 	wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
2599 		    signature, signature_len);
2600 	signed3 = base64_url_encode(signature, signature_len, &signed3_len);
2601 	if (!signed3)
2602 		goto fail;
2603 	os_memcpy(pos, signed3, signed3_len);
2604 	pos[signed3_len] = '\0';
2605 	wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
2606 		   pos);
2607 
2608 out:
2609 	os_free(signature);
2610 	os_free(signed3);
2611 	return tmp;
2612 fail:
2613 	os_free(tmp);
2614 	tmp = NULL;
2615 	goto out;
2616 }
2617 
2618 #endif /* CONFIG_TESTING_OPTIONS */
2619