2 * DPP functionality shared between hostapd and wpa_supplicant
3 * Copyright (c) 2017, Qualcomm Atheros, Inc.
4 * Copyright (c) 2018-2019, The Linux Foundation
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
10 #include "utils/includes.h"
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
16 #include "utils/common.h"
17 #include "utils/base64.h"
18 #include "utils/json.h"
19 #include "common/ieee802_11_common.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/wpa_ctrl.h"
22 #include "common/gas.h"
23 #include "crypto/crypto.h"
24 #include "crypto/random.h"
25 #include "crypto/aes.h"
26 #include "crypto/aes_siv.h"
27 #include "crypto/sha384.h"
28 #include "crypto/sha512.h"
29 #include "drivers/driver.h"
33 #ifdef CONFIG_TESTING_OPTIONS
34 enum dpp_test_behavior dpp_test = DPP_TEST_DISABLED;
35 u8 dpp_pkex_own_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
36 u8 dpp_pkex_peer_mac_override[ETH_ALEN] = { 0, 0, 0, 0, 0, 0 };
37 u8 dpp_pkex_ephemeral_key_override[600];
38 size_t dpp_pkex_ephemeral_key_override_len = 0;
39 u8 dpp_protocol_key_override[600];
40 size_t dpp_protocol_key_override_len = 0;
41 u8 dpp_nonce_override[DPP_MAX_NONCE_LEN];
42 size_t dpp_nonce_override_len = 0;
44 static int dpp_test_gen_invalid_key(struct wpabuf *msg,
45 const struct dpp_curve_params *curve);
46 #endif /* CONFIG_TESTING_OPTIONS */
48 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
49 (defined(LIBRESSL_VERSION_NUMBER) && \
50 LIBRESSL_VERSION_NUMBER < 0x20700000L)
51 /* Compatibility wrappers for older versions. */
53 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
61 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
74 struct dl_list bootstrap; /* struct dpp_bootstrap_info */
75 struct dl_list configurator; /* struct dpp_configurator */
78 static const struct dpp_curve_params dpp_curves[] = {
79 /* The mandatory to support and the default NIST P-256 curve needs to
80 * be the first entry on this list. */
81 { "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
82 { "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
83 { "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
84 { "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
85 { "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
86 { "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
87 { NULL, 0, 0, 0, 0, NULL, 0, NULL }
91 /* Role-specific elements for PKEX */
94 static const u8 pkex_init_x_p256[32] = {
95 0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b,
96 0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54,
97 0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07,
98 0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25
100 static const u8 pkex_init_y_p256[32] = {
101 0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b,
102 0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc,
103 0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45,
104 0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4
106 static const u8 pkex_resp_x_p256[32] = {
107 0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39,
108 0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f,
109 0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f,
110 0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76
112 static const u8 pkex_resp_y_p256[32] = {
113 0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19,
114 0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1,
115 0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a,
116 0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67
120 static const u8 pkex_init_x_p384[48] = {
121 0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa,
122 0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68,
123 0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53,
124 0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac,
125 0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12,
126 0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3
128 static const u8 pkex_init_y_p384[48] = {
129 0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29,
130 0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56,
131 0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7,
132 0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6,
133 0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94,
134 0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18
136 static const u8 pkex_resp_x_p384[48] = {
137 0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98,
138 0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97,
139 0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92,
140 0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44,
141 0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf,
142 0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf
144 static const u8 pkex_resp_y_p384[48] = {
145 0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c,
146 0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c,
147 0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3,
148 0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1,
149 0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63,
150 0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06
154 static const u8 pkex_init_x_p521[66] = {
155 0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23,
156 0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0,
157 0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76,
158 0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5,
159 0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38,
160 0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01,
161 0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e,
162 0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d,
165 static const u8 pkex_init_y_p521[66] = {
166 0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59,
167 0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99,
168 0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b,
169 0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd,
170 0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f,
171 0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf,
172 0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02,
173 0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d,
176 static const u8 pkex_resp_x_p521[66] = {
177 0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a,
178 0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44,
179 0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f,
180 0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb,
181 0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48,
182 0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e,
183 0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a,
184 0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97,
187 static const u8 pkex_resp_y_p521[66] = {
188 0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d,
189 0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20,
190 0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3,
191 0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84,
192 0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9,
193 0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2,
194 0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80,
195 0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53,
199 /* Brainpool P-256r1 */
200 static const u8 pkex_init_x_bp_p256r1[32] = {
201 0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10,
202 0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca,
203 0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75,
204 0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8
206 static const u8 pkex_init_y_bp_p256r1[32] = {
207 0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd,
208 0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30,
209 0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe,
210 0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b
212 static const u8 pkex_resp_x_bp_p256r1[32] = {
213 0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f,
214 0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a,
215 0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a,
216 0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3
218 static const u8 pkex_resp_y_bp_p256r1[32] = {
219 0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd,
220 0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2,
221 0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e,
222 0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64
225 /* Brainpool P-384r1 */
226 static const u8 pkex_init_x_bp_p384r1[48] = {
227 0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd,
228 0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19,
229 0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06,
230 0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62,
231 0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30,
232 0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe
234 static const u8 pkex_init_y_bp_p384r1[48] = {
235 0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99,
236 0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86,
237 0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32,
238 0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9,
239 0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e,
240 0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52
242 static const u8 pkex_resp_x_bp_p384r1[48] = {
243 0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0,
244 0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25,
245 0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b,
246 0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71,
247 0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce,
248 0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c
250 static const u8 pkex_resp_y_bp_p384r1[48] = {
251 0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65,
252 0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04,
253 0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70,
254 0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c,
255 0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb,
256 0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1
259 /* Brainpool P-512r1 */
260 static const u8 pkex_init_x_bp_p512r1[64] = {
261 0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c,
262 0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51,
263 0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc,
264 0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95,
265 0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d,
266 0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff,
267 0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc,
268 0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f
270 static const u8 pkex_init_y_bp_p512r1[64] = {
271 0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94,
272 0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8,
273 0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3,
274 0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45,
275 0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e,
276 0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58,
277 0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71,
278 0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99
280 static const u8 pkex_resp_x_bp_p512r1[64] = {
281 0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72,
282 0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76,
283 0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19,
284 0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e,
285 0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9,
286 0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88,
287 0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29,
288 0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e
290 static const u8 pkex_resp_y_bp_p512r1[64] = {
291 0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81,
292 0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68,
293 0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa,
294 0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d,
295 0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c,
296 0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09,
297 0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56,
298 0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7
302 static void dpp_debug_print_point(const char *title, const EC_GROUP *group,
303 const EC_POINT *point)
307 char *x_str = NULL, *y_str = NULL;
309 if (!wpa_debug_show_keys)
315 if (!ctx || !x || !y ||
316 EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) != 1)
319 x_str = BN_bn2hex(x);
320 y_str = BN_bn2hex(y);
321 if (!x_str || !y_str)
324 wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
335 static int dpp_hash_vector(const struct dpp_curve_params *curve,
336 size_t num_elem, const u8 *addr[], const size_t *len,
339 if (curve->hash_len == 32)
340 return sha256_vector(num_elem, addr, len, mac);
341 if (curve->hash_len == 48)
342 return sha384_vector(num_elem, addr, len, mac);
343 if (curve->hash_len == 64)
344 return sha512_vector(num_elem, addr, len, mac);
349 static int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
350 const char *label, u8 *out, size_t outlen)
353 return hmac_sha256_kdf(secret, secret_len, NULL,
354 (const u8 *) label, os_strlen(label),
357 return hmac_sha384_kdf(secret, secret_len, NULL,
358 (const u8 *) label, os_strlen(label),
361 return hmac_sha512_kdf(secret, secret_len, NULL,
362 (const u8 *) label, os_strlen(label),
368 static int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
369 size_t num_elem, const u8 *addr[],
370 const size_t *len, u8 *mac)
373 return hmac_sha256_vector(key, key_len, num_elem, addr, len,
376 return hmac_sha384_vector(key, key_len, num_elem, addr, len,
379 return hmac_sha512_vector(key, key_len, num_elem, addr, len,
385 static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len,
386 const u8 *data, size_t data_len, u8 *mac)
389 return hmac_sha256(key, key_len, data, data_len, mac);
391 return hmac_sha384(key, key_len, data, data_len, mac);
393 return hmac_sha512(key, key_len, data, data_len, mac);
398 static int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len)
400 int num_bytes, offset;
402 num_bytes = BN_num_bytes(bn);
403 if ((size_t) num_bytes > len)
405 offset = len - num_bytes;
406 os_memset(pos, 0, offset);
407 BN_bn2bin(bn, pos + offset);
412 static struct wpabuf * dpp_get_pubkey_point(EVP_PKEY *pkey, int prefix)
419 eckey = EVP_PKEY_get1_EC_KEY(pkey);
422 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
423 len = i2o_ECPublicKey(eckey, NULL);
425 wpa_printf(MSG_ERROR,
426 "DDP: Failed to determine public key encoding length");
431 buf = wpabuf_alloc(len);
437 pos = wpabuf_put(buf, len);
438 res = i2o_ECPublicKey(eckey, &pos);
441 wpa_printf(MSG_ERROR,
442 "DDP: Failed to encode public key (res=%d/%d)",
449 /* Remove 0x04 prefix to match DPP definition */
450 pos = wpabuf_mhead(buf);
451 os_memmove(pos, pos + 1, len - 1);
459 static EVP_PKEY * dpp_set_pubkey_point_group(const EC_GROUP *group,
460 const u8 *buf_x, const u8 *buf_y,
463 EC_KEY *eckey = NULL;
465 EC_POINT *point = NULL;
466 BIGNUM *x = NULL, *y = NULL;
467 EVP_PKEY *pkey = NULL;
471 wpa_printf(MSG_ERROR, "DPP: Out of memory");
475 point = EC_POINT_new(group);
476 x = BN_bin2bn(buf_x, len, NULL);
477 y = BN_bin2bn(buf_y, len, NULL);
478 if (!point || !x || !y) {
479 wpa_printf(MSG_ERROR, "DPP: Out of memory");
483 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
484 wpa_printf(MSG_ERROR,
485 "DPP: OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
486 ERR_error_string(ERR_get_error(), NULL));
490 if (!EC_POINT_is_on_curve(group, point, ctx) ||
491 EC_POINT_is_at_infinity(group, point)) {
492 wpa_printf(MSG_ERROR, "DPP: Invalid point");
495 dpp_debug_print_point("DPP: dpp_set_pubkey_point_group", group, point);
497 eckey = EC_KEY_new();
499 EC_KEY_set_group(eckey, group) != 1 ||
500 EC_KEY_set_public_key(eckey, point) != 1) {
501 wpa_printf(MSG_ERROR,
502 "DPP: Failed to set EC_KEY: %s",
503 ERR_error_string(ERR_get_error(), NULL));
506 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
508 pkey = EVP_PKEY_new();
509 if (!pkey || EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) {
510 wpa_printf(MSG_ERROR, "DPP: Could not create EVP_PKEY");
518 EC_POINT_free(point);
528 static EVP_PKEY * dpp_set_pubkey_point(EVP_PKEY *group_key,
529 const u8 *buf, size_t len)
532 const EC_GROUP *group;
533 EVP_PKEY *pkey = NULL;
538 eckey = EVP_PKEY_get1_EC_KEY(group_key);
540 wpa_printf(MSG_ERROR,
541 "DPP: Could not get EC_KEY from group_key");
545 group = EC_KEY_get0_group(eckey);
547 pkey = dpp_set_pubkey_point_group(group, buf, buf + len / 2,
550 wpa_printf(MSG_ERROR, "DPP: Could not get EC group");
557 static void dpp_auth_fail(struct dpp_authentication *auth, const char *txt)
559 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
563 struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type,
568 msg = wpabuf_alloc(8 + len);
571 wpabuf_put_u8(msg, WLAN_ACTION_PUBLIC);
572 wpabuf_put_u8(msg, WLAN_PA_VENDOR_SPECIFIC);
573 wpabuf_put_be24(msg, OUI_WFA);
574 wpabuf_put_u8(msg, DPP_OUI_TYPE);
575 wpabuf_put_u8(msg, 1); /* Crypto Suite */
576 wpabuf_put_u8(msg, type);
581 const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len)
584 const u8 *pos = buf, *end = buf + len;
586 while (end - pos >= 4) {
587 id = WPA_GET_LE16(pos);
589 alen = WPA_GET_LE16(pos);
591 if (alen > end - pos)
604 int dpp_check_attrs(const u8 *buf, size_t len)
607 int wrapped_data = 0;
611 while (end - pos >= 4) {
614 id = WPA_GET_LE16(pos);
616 alen = WPA_GET_LE16(pos);
618 wpa_printf(MSG_MSGDUMP, "DPP: Attribute ID %04x len %u",
620 if (alen > end - pos) {
621 wpa_printf(MSG_DEBUG,
622 "DPP: Truncated message - not enough room for the attribute - dropped");
626 wpa_printf(MSG_DEBUG,
627 "DPP: An unexpected attribute included after the Wrapped Data attribute");
630 if (id == DPP_ATTR_WRAPPED_DATA)
636 wpa_printf(MSG_DEBUG,
637 "DPP: Unexpected octets (%d) after the last attribute",
646 void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info)
652 EVP_PKEY_free(info->pubkey);
657 const char * dpp_bootstrap_type_txt(enum dpp_bootstrap_type type)
660 case DPP_BOOTSTRAP_QR_CODE:
662 case DPP_BOOTSTRAP_PKEX:
669 static int dpp_uri_valid_info(const char *info)
672 unsigned char val = *info++;
674 if (val < 0x20 || val > 0x7e || val == 0x3b)
682 static int dpp_clone_uri(struct dpp_bootstrap_info *bi, const char *uri)
684 bi->uri = os_strdup(uri);
685 return bi->uri ? 0 : -1;
689 int dpp_parse_uri_chan_list(struct dpp_bootstrap_info *bi,
690 const char *chan_list)
692 const char *pos = chan_list;
693 int opclass, channel, freq;
695 while (pos && *pos && *pos != ';') {
699 pos = os_strchr(pos, '/');
706 while (*pos >= '0' && *pos <= '9')
708 freq = ieee80211_chan_to_freq(NULL, opclass, channel);
709 wpa_printf(MSG_DEBUG,
710 "DPP: URI channel-list: opclass=%d channel=%d ==> freq=%d",
711 opclass, channel, freq);
713 wpa_printf(MSG_DEBUG,
714 "DPP: Ignore unknown URI channel-list channel (opclass=%d channel=%d)",
716 } else if (bi->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
717 wpa_printf(MSG_DEBUG,
718 "DPP: Too many channels in URI channel-list - ignore list");
722 bi->freq[bi->num_freq++] = freq;
725 if (*pos == ';' || *pos == '\0')
734 wpa_printf(MSG_DEBUG, "DPP: Invalid URI channel-list");
739 int dpp_parse_uri_mac(struct dpp_bootstrap_info *bi, const char *mac)
744 if (hwaddr_aton2(mac, bi->mac_addr) < 0) {
745 wpa_printf(MSG_DEBUG, "DPP: Invalid URI mac");
749 wpa_printf(MSG_DEBUG, "DPP: URI mac: " MACSTR, MAC2STR(bi->mac_addr));
755 int dpp_parse_uri_info(struct dpp_bootstrap_info *bi, const char *info)
762 end = os_strchr(info, ';');
764 end = info + os_strlen(info);
765 bi->info = os_malloc(end - info + 1);
768 os_memcpy(bi->info, info, end - info);
769 bi->info[end - info] = '\0';
770 wpa_printf(MSG_DEBUG, "DPP: URI(information): %s", bi->info);
771 if (!dpp_uri_valid_info(bi->info)) {
772 wpa_printf(MSG_DEBUG, "DPP: Invalid URI information payload");
780 static const struct dpp_curve_params *
781 dpp_get_curve_oid(const ASN1_OBJECT *poid)
786 for (i = 0; dpp_curves[i].name; i++) {
787 oid = OBJ_txt2obj(dpp_curves[i].name, 0);
788 if (oid && OBJ_cmp(poid, oid) == 0)
789 return &dpp_curves[i];
795 static const struct dpp_curve_params * dpp_get_curve_nid(int nid)
801 for (i = 0; dpp_curves[i].name; i++) {
802 tmp = OBJ_txt2nid(dpp_curves[i].name);
804 return &dpp_curves[i];
810 static int dpp_parse_uri_pk(struct dpp_bootstrap_info *bi, const char *info)
816 const unsigned char *p;
818 X509_PUBKEY *pub = NULL;
820 const unsigned char *pk;
823 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
824 (defined(LIBRESSL_VERSION_NUMBER) && \
825 LIBRESSL_VERSION_NUMBER < 0x20800000L)
828 const ASN1_OBJECT *pa_oid;
832 const ASN1_OBJECT *poid;
835 end = os_strchr(info, ';');
839 data = base64_decode((const unsigned char *) info, end - info,
842 wpa_printf(MSG_DEBUG,
843 "DPP: Invalid base64 encoding on URI public-key");
846 wpa_hexdump(MSG_DEBUG, "DPP: Base64 decoded URI public-key",
849 if (sha256_vector(1, (const u8 **) &data, &data_len,
850 bi->pubkey_hash) < 0) {
851 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
855 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash",
856 bi->pubkey_hash, SHA256_MAC_LEN);
858 /* DER encoded ASN.1 SubjectPublicKeyInfo
860 * SubjectPublicKeyInfo ::= SEQUENCE {
861 * algorithm AlgorithmIdentifier,
862 * subjectPublicKey BIT STRING }
864 * AlgorithmIdentifier ::= SEQUENCE {
865 * algorithm OBJECT IDENTIFIER,
866 * parameters ANY DEFINED BY algorithm OPTIONAL }
868 * subjectPublicKey = compressed format public key per ANSI X9.63
869 * algorithm = ecPublicKey (1.2.840.10045.2.1)
870 * parameters = shall be present and shall be OBJECT IDENTIFIER; e.g.,
871 * prime256v1 (1.2.840.10045.3.1.7)
875 pkey = d2i_PUBKEY(NULL, &p, data_len);
879 wpa_printf(MSG_DEBUG,
880 "DPP: Could not parse URI public-key SubjectPublicKeyInfo");
884 if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
885 wpa_printf(MSG_DEBUG,
886 "DPP: SubjectPublicKeyInfo does not describe an EC key");
891 res = X509_PUBKEY_set(&pub, pkey);
893 wpa_printf(MSG_DEBUG, "DPP: Could not set pubkey");
897 res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
899 wpa_printf(MSG_DEBUG,
900 "DPP: Could not extract SubjectPublicKeyInfo parameters");
903 res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
904 if (res < 0 || (size_t) res >= sizeof(buf)) {
905 wpa_printf(MSG_DEBUG,
906 "DPP: Could not extract SubjectPublicKeyInfo algorithm");
909 wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey algorithm: %s", buf);
910 if (os_strcmp(buf, "id-ecPublicKey") != 0) {
911 wpa_printf(MSG_DEBUG,
912 "DPP: Unsupported SubjectPublicKeyInfo algorithm");
916 X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
917 if (ptype != V_ASN1_OBJECT) {
918 wpa_printf(MSG_DEBUG,
919 "DPP: SubjectPublicKeyInfo parameters did not contain an OID");
923 res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
924 if (res < 0 || (size_t) res >= sizeof(buf)) {
925 wpa_printf(MSG_DEBUG,
926 "DPP: Could not extract SubjectPublicKeyInfo parameters OID");
929 wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey parameters: %s", buf);
930 bi->curve = dpp_get_curve_oid(poid);
932 wpa_printf(MSG_DEBUG,
933 "DPP: Unsupported SubjectPublicKeyInfo curve: %s",
938 wpa_hexdump(MSG_DEBUG, "DPP: URI subjectPublicKey", pk, ppklen);
940 X509_PUBKEY_free(pub);
944 X509_PUBKEY_free(pub);
950 static struct dpp_bootstrap_info * dpp_parse_uri(const char *uri)
952 const char *pos = uri;
954 const char *chan_list = NULL, *mac = NULL, *info = NULL, *pk = NULL;
955 struct dpp_bootstrap_info *bi;
957 wpa_hexdump_ascii(MSG_DEBUG, "DPP: URI", uri, os_strlen(uri));
959 if (os_strncmp(pos, "DPP:", 4) != 0) {
960 wpa_printf(MSG_INFO, "DPP: Not a DPP URI");
966 end = os_strchr(pos, ';');
971 /* Handle terminating ";;" and ignore unexpected ";"
972 * for parsing robustness. */
977 if (pos[0] == 'C' && pos[1] == ':' && !chan_list)
979 else if (pos[0] == 'M' && pos[1] == ':' && !mac)
981 else if (pos[0] == 'I' && pos[1] == ':' && !info)
983 else if (pos[0] == 'K' && pos[1] == ':' && !pk)
986 wpa_hexdump_ascii(MSG_DEBUG,
987 "DPP: Ignore unrecognized URI parameter",
993 wpa_printf(MSG_INFO, "DPP: URI missing public-key");
997 bi = os_zalloc(sizeof(*bi));
1001 if (dpp_clone_uri(bi, uri) < 0 ||
1002 dpp_parse_uri_chan_list(bi, chan_list) < 0 ||
1003 dpp_parse_uri_mac(bi, mac) < 0 ||
1004 dpp_parse_uri_info(bi, info) < 0 ||
1005 dpp_parse_uri_pk(bi, pk) < 0) {
1006 dpp_bootstrap_info_free(bi);
1014 struct dpp_bootstrap_info * dpp_parse_qr_code(const char *uri)
1016 struct dpp_bootstrap_info *bi;
1018 bi = dpp_parse_uri(uri);
1020 bi->type = DPP_BOOTSTRAP_QR_CODE;
1025 static void dpp_debug_print_key(const char *title, EVP_PKEY *key)
1032 unsigned char *der = NULL;
1034 const EC_GROUP *group;
1035 const EC_POINT *point;
1037 out = BIO_new(BIO_s_mem());
1041 EVP_PKEY_print_private(out, key, 0, NULL);
1042 rlen = BIO_ctrl_pending(out);
1043 txt = os_malloc(rlen + 1);
1045 res = BIO_read(out, txt, rlen);
1048 wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
1054 eckey = EVP_PKEY_get1_EC_KEY(key);
1058 group = EC_KEY_get0_group(eckey);
1059 point = EC_KEY_get0_public_key(eckey);
1061 dpp_debug_print_point(title, group, point);
1063 der_len = i2d_ECPrivateKey(eckey, &der);
1065 wpa_hexdump_key(MSG_DEBUG, "DPP: ECPrivateKey", der, der_len);
1069 der_len = i2d_EC_PUBKEY(eckey, &der);
1071 wpa_hexdump(MSG_DEBUG, "DPP: EC_PUBKEY", der, der_len);
1079 static EVP_PKEY * dpp_gen_keypair(const struct dpp_curve_params *curve)
1081 EVP_PKEY_CTX *kctx = NULL;
1083 EVP_PKEY *params = NULL, *key = NULL;
1086 wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
1088 nid = OBJ_txt2nid(curve->name);
1089 if (nid == NID_undef) {
1090 wpa_printf(MSG_INFO, "DPP: Unsupported curve %s", curve->name);
1094 ec_params = EC_KEY_new_by_curve_name(nid);
1096 wpa_printf(MSG_ERROR,
1097 "DPP: Failed to generate EC_KEY parameters");
1100 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
1101 params = EVP_PKEY_new();
1102 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
1103 wpa_printf(MSG_ERROR,
1104 "DPP: Failed to generate EVP_PKEY parameters");
1108 kctx = EVP_PKEY_CTX_new(params, NULL);
1110 EVP_PKEY_keygen_init(kctx) != 1 ||
1111 EVP_PKEY_keygen(kctx, &key) != 1) {
1112 wpa_printf(MSG_ERROR, "DPP: Failed to generate EC key");
1116 if (wpa_debug_show_keys)
1117 dpp_debug_print_key("Own generated key", key);
1119 EVP_PKEY_free(params);
1120 EVP_PKEY_CTX_free(kctx);
1123 EVP_PKEY_CTX_free(kctx);
1124 EVP_PKEY_free(params);
1129 static const struct dpp_curve_params *
1130 dpp_get_curve_name(const char *name)
1134 for (i = 0; dpp_curves[i].name; i++) {
1135 if (os_strcmp(name, dpp_curves[i].name) == 0 ||
1136 (dpp_curves[i].jwk_crv &&
1137 os_strcmp(name, dpp_curves[i].jwk_crv) == 0))
1138 return &dpp_curves[i];
1144 static const struct dpp_curve_params *
1145 dpp_get_curve_jwk_crv(const char *name)
1149 for (i = 0; dpp_curves[i].name; i++) {
1150 if (dpp_curves[i].jwk_crv &&
1151 os_strcmp(name, dpp_curves[i].jwk_crv) == 0)
1152 return &dpp_curves[i];
1158 static EVP_PKEY * dpp_set_keypair(const struct dpp_curve_params **curve,
1159 const u8 *privkey, size_t privkey_len)
1163 const EC_GROUP *group;
1166 pkey = EVP_PKEY_new();
1169 eckey = d2i_ECPrivateKey(NULL, &privkey, privkey_len);
1171 wpa_printf(MSG_INFO,
1172 "DPP: OpenSSL: d2i_ECPrivateKey() failed: %s",
1173 ERR_error_string(ERR_get_error(), NULL));
1174 EVP_PKEY_free(pkey);
1177 group = EC_KEY_get0_group(eckey);
1180 EVP_PKEY_free(pkey);
1183 nid = EC_GROUP_get_curve_name(group);
1184 *curve = dpp_get_curve_nid(nid);
1186 wpa_printf(MSG_INFO,
1187 "DPP: Unsupported curve (nid=%d) in pre-assigned key",
1190 EVP_PKEY_free(pkey);
1194 if (EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
1196 EVP_PKEY_free(pkey);
1204 /* AlgorithmIdentifier ecPublicKey with optional parameters present
1205 * as an OID identifying the curve */
1207 /* Compressed format public key per ANSI X9.63 */
1208 ASN1_BIT_STRING *pub_key;
1209 } DPP_BOOTSTRAPPING_KEY;
1211 ASN1_SEQUENCE(DPP_BOOTSTRAPPING_KEY) = {
1212 ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, alg, X509_ALGOR),
1213 ASN1_SIMPLE(DPP_BOOTSTRAPPING_KEY, pub_key, ASN1_BIT_STRING)
1214 } ASN1_SEQUENCE_END(DPP_BOOTSTRAPPING_KEY);
1216 IMPLEMENT_ASN1_FUNCTIONS(DPP_BOOTSTRAPPING_KEY);
1219 static struct wpabuf * dpp_bootstrap_key_der(EVP_PKEY *key)
1221 unsigned char *der = NULL;
1224 struct wpabuf *ret = NULL;
1226 const EC_GROUP *group;
1227 const EC_POINT *point;
1229 DPP_BOOTSTRAPPING_KEY *bootstrap = NULL;
1233 eckey = EVP_PKEY_get1_EC_KEY(key);
1237 group = EC_KEY_get0_group(eckey);
1238 point = EC_KEY_get0_public_key(eckey);
1239 if (!group || !point)
1241 dpp_debug_print_point("DPP: bootstrap public key", group, point);
1242 nid = EC_GROUP_get_curve_name(group);
1244 bootstrap = DPP_BOOTSTRAPPING_KEY_new();
1246 X509_ALGOR_set0(bootstrap->alg, OBJ_nid2obj(EVP_PKEY_EC),
1247 V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
1250 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
1255 der = OPENSSL_malloc(len);
1258 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
1261 OPENSSL_free(bootstrap->pub_key->data);
1262 bootstrap->pub_key->data = der;
1264 bootstrap->pub_key->length = len;
1265 /* No unused bits */
1266 bootstrap->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
1267 bootstrap->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1269 der_len = i2d_DPP_BOOTSTRAPPING_KEY(bootstrap, &der);
1271 wpa_printf(MSG_ERROR,
1272 "DDP: Failed to build DER encoded public key");
1276 ret = wpabuf_alloc_copy(der, der_len);
1278 DPP_BOOTSTRAPPING_KEY_free(bootstrap);
1286 int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi)
1293 der = dpp_bootstrap_key_der(bi->pubkey);
1296 wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
1299 addr[0] = wpabuf_head(der);
1300 len[0] = wpabuf_len(der);
1301 res = sha256_vector(1, addr, len, bi->pubkey_hash);
1303 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
1305 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
1312 char * dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve,
1313 const u8 *privkey, size_t privkey_len)
1315 unsigned char *base64 = NULL;
1318 struct wpabuf *der = NULL;
1323 bi->curve = &dpp_curves[0];
1325 bi->curve = dpp_get_curve_name(curve);
1327 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
1333 bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len);
1335 bi->pubkey = dpp_gen_keypair(bi->curve);
1340 der = dpp_bootstrap_key_der(bi->pubkey);
1343 wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
1346 addr[0] = wpabuf_head(der);
1347 len = wpabuf_len(der);
1348 res = sha256_vector(1, addr, &len, bi->pubkey_hash);
1350 wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
1353 wpa_hexdump(MSG_DEBUG, "DPP: Public key hash", bi->pubkey_hash,
1356 base64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &len);
1361 pos = (char *) base64;
1364 pos = os_strchr(pos, '\n');
1367 os_memmove(pos, pos + 1, end - pos);
1369 return (char *) base64;
1377 static int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1,
1378 unsigned int hash_len)
1380 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1381 const char *info = "first intermediate key";
1384 /* k1 = HKDF(<>, "first intermediate key", M.x) */
1386 /* HKDF-Extract(<>, M.x) */
1387 os_memset(salt, 0, hash_len);
1388 if (dpp_hmac(hash_len, salt, hash_len, Mx, Mx_len, prk) < 0)
1390 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)",
1393 /* HKDF-Expand(PRK, info, L) */
1394 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len);
1395 os_memset(prk, 0, hash_len);
1399 wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)",
1405 static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2,
1406 unsigned int hash_len)
1408 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
1409 const char *info = "second intermediate key";
1412 /* k2 = HKDF(<>, "second intermediate key", N.x) */
1414 /* HKDF-Extract(<>, N.x) */
1415 os_memset(salt, 0, hash_len);
1416 res = dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk);
1419 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
1422 /* HKDF-Expand(PRK, info, L) */
1423 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len);
1424 os_memset(prk, 0, hash_len);
1428 wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)",
1434 static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
1435 unsigned int hash_len)
1438 u8 nonces[2 * DPP_MAX_NONCE_LEN];
1439 const char *info_ke = "DPP Key";
1440 u8 prk[DPP_MAX_HASH_LEN];
1444 size_t num_elem = 0;
1446 if (!auth->Mx_len || !auth->Nx_len) {
1447 wpa_printf(MSG_DEBUG,
1448 "DPP: Mx/Nx not available - cannot derive ke");
1452 /* ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]) */
1454 /* HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
1455 nonce_len = auth->curve->nonce_len;
1456 os_memcpy(nonces, auth->i_nonce, nonce_len);
1457 os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
1458 addr[num_elem] = auth->Mx;
1459 len[num_elem] = auth->Mx_len;
1461 addr[num_elem] = auth->Nx;
1462 len[num_elem] = auth->Nx_len;
1464 if (auth->peer_bi && auth->own_bi) {
1465 if (!auth->Lx_len) {
1466 wpa_printf(MSG_DEBUG,
1467 "DPP: Lx not available - cannot derive ke");
1470 addr[num_elem] = auth->Lx;
1471 len[num_elem] = auth->secret_len;
1474 res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
1475 num_elem, addr, len, prk);
1478 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
1481 /* HKDF-Expand(PRK, info, L) */
1482 res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len);
1483 os_memset(prk, 0, hash_len);
1487 wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)",
1493 static void dpp_build_attr_status(struct wpabuf *msg,
1494 enum dpp_status_error status)
1496 wpa_printf(MSG_DEBUG, "DPP: Status %d", status);
1497 wpabuf_put_le16(msg, DPP_ATTR_STATUS);
1498 wpabuf_put_le16(msg, 1);
1499 wpabuf_put_u8(msg, status);
1503 static void dpp_build_attr_r_bootstrap_key_hash(struct wpabuf *msg,
1507 wpa_printf(MSG_DEBUG, "DPP: R-Bootstrap Key Hash");
1508 wpabuf_put_le16(msg, DPP_ATTR_R_BOOTSTRAP_KEY_HASH);
1509 wpabuf_put_le16(msg, SHA256_MAC_LEN);
1510 wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
1515 static void dpp_build_attr_i_bootstrap_key_hash(struct wpabuf *msg,
1519 wpa_printf(MSG_DEBUG, "DPP: I-Bootstrap Key Hash");
1520 wpabuf_put_le16(msg, DPP_ATTR_I_BOOTSTRAP_KEY_HASH);
1521 wpabuf_put_le16(msg, SHA256_MAC_LEN);
1522 wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
1527 static struct wpabuf * dpp_auth_build_req(struct dpp_authentication *auth,
1528 const struct wpabuf *pi,
1530 const u8 *r_pubkey_hash,
1531 const u8 *i_pubkey_hash,
1532 unsigned int neg_freq)
1535 u8 clear[4 + DPP_MAX_NONCE_LEN + 4 + 1];
1536 u8 wrapped_data[4 + DPP_MAX_NONCE_LEN + 4 + 1 + AES_BLOCK_SIZE];
1539 size_t len[2], siv_len, attr_len;
1540 u8 *attr_start, *attr_end;
1542 /* Build DPP Authentication Request frame attributes */
1543 attr_len = 2 * (4 + SHA256_MAC_LEN) + 4 + (pi ? wpabuf_len(pi) : 0) +
1544 4 + sizeof(wrapped_data);
1549 #endif /* CONFIG_DPP2 */
1550 #ifdef CONFIG_TESTING_OPTIONS
1551 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ)
1553 #endif /* CONFIG_TESTING_OPTIONS */
1554 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_REQ, attr_len);
1558 attr_start = wpabuf_put(msg, 0);
1560 /* Responder Bootstrapping Key Hash */
1561 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
1563 /* Initiator Bootstrapping Key Hash */
1564 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
1566 /* Initiator Protocol Key */
1568 wpabuf_put_le16(msg, DPP_ATTR_I_PROTOCOL_KEY);
1569 wpabuf_put_le16(msg, wpabuf_len(pi));
1570 wpabuf_put_buf(msg, pi);
1575 u8 op_class, channel;
1577 if (ieee80211_freq_to_channel_ext(neg_freq, 0, 0, &op_class,
1579 NUM_HOSTAPD_MODES) {
1580 wpa_printf(MSG_INFO,
1581 "DPP: Unsupported negotiation frequency request: %d",
1586 wpabuf_put_le16(msg, DPP_ATTR_CHANNEL);
1587 wpabuf_put_le16(msg, 2);
1588 wpabuf_put_u8(msg, op_class);
1589 wpabuf_put_u8(msg, channel);
1593 /* Protocol Version */
1594 wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
1595 wpabuf_put_le16(msg, 1);
1596 wpabuf_put_u8(msg, 2);
1597 #endif /* CONFIG_DPP2 */
1599 #ifdef CONFIG_TESTING_OPTIONS
1600 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_REQ) {
1601 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
1602 goto skip_wrapped_data;
1604 #endif /* CONFIG_TESTING_OPTIONS */
1606 /* Wrapped data ({I-nonce, I-capabilities}k1) */
1609 #ifdef CONFIG_TESTING_OPTIONS
1610 if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_REQ) {
1611 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
1614 if (dpp_test == DPP_TEST_INVALID_I_NONCE_AUTH_REQ) {
1615 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-nonce");
1616 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1618 WPA_PUT_LE16(pos, nonce_len - 1);
1620 os_memcpy(pos, auth->i_nonce, nonce_len - 1);
1621 pos += nonce_len - 1;
1624 #endif /* CONFIG_TESTING_OPTIONS */
1627 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1629 WPA_PUT_LE16(pos, nonce_len);
1631 os_memcpy(pos, auth->i_nonce, nonce_len);
1634 #ifdef CONFIG_TESTING_OPTIONS
1636 if (dpp_test == DPP_TEST_NO_I_CAPAB_AUTH_REQ) {
1637 wpa_printf(MSG_INFO, "DPP: TESTING - no I-capab");
1640 #endif /* CONFIG_TESTING_OPTIONS */
1642 /* I-capabilities */
1643 WPA_PUT_LE16(pos, DPP_ATTR_I_CAPABILITIES);
1645 WPA_PUT_LE16(pos, 1);
1647 auth->i_capab = auth->allowed_roles;
1648 *pos++ = auth->i_capab;
1649 #ifdef CONFIG_TESTING_OPTIONS
1650 if (dpp_test == DPP_TEST_ZERO_I_CAPAB) {
1651 wpa_printf(MSG_INFO, "DPP: TESTING - zero I-capabilities");
1655 #endif /* CONFIG_TESTING_OPTIONS */
1657 attr_end = wpabuf_put(msg, 0);
1659 /* OUI, OUI type, Crypto Suite, DPP frame type */
1660 addr[0] = wpabuf_head_u8(msg) + 2;
1661 len[0] = 3 + 1 + 1 + 1;
1662 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1664 /* Attributes before Wrapped Data */
1665 addr[1] = attr_start;
1666 len[1] = attr_end - attr_start;
1667 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1669 siv_len = pos - clear;
1670 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
1671 if (aes_siv_encrypt(auth->k1, auth->curve->hash_len, clear, siv_len,
1672 2, addr, len, wrapped_data) < 0) {
1676 siv_len += AES_BLOCK_SIZE;
1677 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1678 wrapped_data, siv_len);
1680 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1681 wpabuf_put_le16(msg, siv_len);
1682 wpabuf_put_data(msg, wrapped_data, siv_len);
1684 #ifdef CONFIG_TESTING_OPTIONS
1685 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) {
1686 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
1687 dpp_build_attr_status(msg, DPP_STATUS_OK);
1690 #endif /* CONFIG_TESTING_OPTIONS */
1692 wpa_hexdump_buf(MSG_DEBUG,
1693 "DPP: Authentication Request frame attributes", msg);
1699 static struct wpabuf * dpp_auth_build_resp(struct dpp_authentication *auth,
1700 enum dpp_status_error status,
1701 const struct wpabuf *pr,
1703 const u8 *r_pubkey_hash,
1704 const u8 *i_pubkey_hash,
1705 const u8 *r_nonce, const u8 *i_nonce,
1706 const u8 *wrapped_r_auth,
1707 size_t wrapped_r_auth_len,
1711 #define DPP_AUTH_RESP_CLEAR_LEN 2 * (4 + DPP_MAX_NONCE_LEN) + 4 + 1 + \
1712 4 + 4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE
1713 u8 clear[DPP_AUTH_RESP_CLEAR_LEN];
1714 u8 wrapped_data[DPP_AUTH_RESP_CLEAR_LEN + AES_BLOCK_SIZE];
1716 size_t len[2], siv_len, attr_len;
1717 u8 *attr_start, *attr_end, *pos;
1719 auth->waiting_auth_conf = 1;
1720 auth->auth_resp_tries = 0;
1722 /* Build DPP Authentication Response frame attributes */
1723 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
1724 4 + (pr ? wpabuf_len(pr) : 0) + 4 + sizeof(wrapped_data);
1727 #endif /* CONFIG_DPP2 */
1728 #ifdef CONFIG_TESTING_OPTIONS
1729 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP)
1731 #endif /* CONFIG_TESTING_OPTIONS */
1732 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_RESP, attr_len);
1736 attr_start = wpabuf_put(msg, 0);
1740 dpp_build_attr_status(msg, status);
1742 /* Responder Bootstrapping Key Hash */
1743 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
1745 /* Initiator Bootstrapping Key Hash (mutual authentication) */
1746 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
1748 /* Responder Protocol Key */
1750 wpabuf_put_le16(msg, DPP_ATTR_R_PROTOCOL_KEY);
1751 wpabuf_put_le16(msg, wpabuf_len(pr));
1752 wpabuf_put_buf(msg, pr);
1756 /* Protocol Version */
1757 wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
1758 wpabuf_put_le16(msg, 1);
1759 wpabuf_put_u8(msg, 2);
1760 #endif /* CONFIG_DPP2 */
1762 attr_end = wpabuf_put(msg, 0);
1764 #ifdef CONFIG_TESTING_OPTIONS
1765 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_RESP) {
1766 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
1767 goto skip_wrapped_data;
1769 #endif /* CONFIG_TESTING_OPTIONS */
1771 /* Wrapped data ({R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2) */
1776 WPA_PUT_LE16(pos, DPP_ATTR_R_NONCE);
1778 WPA_PUT_LE16(pos, nonce_len);
1780 os_memcpy(pos, r_nonce, nonce_len);
1786 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
1788 WPA_PUT_LE16(pos, nonce_len);
1790 os_memcpy(pos, i_nonce, nonce_len);
1791 #ifdef CONFIG_TESTING_OPTIONS
1792 if (dpp_test == DPP_TEST_I_NONCE_MISMATCH_AUTH_RESP) {
1793 wpa_printf(MSG_INFO, "DPP: TESTING - I-nonce mismatch");
1794 pos[nonce_len / 2] ^= 0x01;
1796 #endif /* CONFIG_TESTING_OPTIONS */
1800 #ifdef CONFIG_TESTING_OPTIONS
1801 if (dpp_test == DPP_TEST_NO_R_CAPAB_AUTH_RESP) {
1802 wpa_printf(MSG_INFO, "DPP: TESTING - no R-capab");
1805 #endif /* CONFIG_TESTING_OPTIONS */
1807 /* R-capabilities */
1808 WPA_PUT_LE16(pos, DPP_ATTR_R_CAPABILITIES);
1810 WPA_PUT_LE16(pos, 1);
1812 auth->r_capab = auth->configurator ? DPP_CAPAB_CONFIGURATOR :
1814 *pos++ = auth->r_capab;
1815 #ifdef CONFIG_TESTING_OPTIONS
1816 if (dpp_test == DPP_TEST_ZERO_R_CAPAB) {
1817 wpa_printf(MSG_INFO, "DPP: TESTING - zero R-capabilities");
1819 } else if (dpp_test == DPP_TEST_INCOMPATIBLE_R_CAPAB_AUTH_RESP) {
1820 wpa_printf(MSG_INFO,
1821 "DPP: TESTING - incompatible R-capabilities");
1822 if ((auth->i_capab & DPP_CAPAB_ROLE_MASK) ==
1823 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE))
1826 pos[-1] = auth->configurator ? DPP_CAPAB_ENROLLEE :
1827 DPP_CAPAB_CONFIGURATOR;
1830 #endif /* CONFIG_TESTING_OPTIONS */
1832 if (wrapped_r_auth) {
1834 WPA_PUT_LE16(pos, DPP_ATTR_WRAPPED_DATA);
1836 WPA_PUT_LE16(pos, wrapped_r_auth_len);
1838 os_memcpy(pos, wrapped_r_auth, wrapped_r_auth_len);
1839 pos += wrapped_r_auth_len;
1842 /* OUI, OUI type, Crypto Suite, DPP frame type */
1843 addr[0] = wpabuf_head_u8(msg) + 2;
1844 len[0] = 3 + 1 + 1 + 1;
1845 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1847 /* Attributes before Wrapped Data */
1848 addr[1] = attr_start;
1849 len[1] = attr_end - attr_start;
1850 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1852 siv_len = pos - clear;
1853 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
1854 if (aes_siv_encrypt(siv_key, auth->curve->hash_len, clear, siv_len,
1855 2, addr, len, wrapped_data) < 0) {
1859 siv_len += AES_BLOCK_SIZE;
1860 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1861 wrapped_data, siv_len);
1863 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1864 wpabuf_put_le16(msg, siv_len);
1865 wpabuf_put_data(msg, wrapped_data, siv_len);
1867 #ifdef CONFIG_TESTING_OPTIONS
1868 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) {
1869 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
1870 dpp_build_attr_status(msg, DPP_STATUS_OK);
1873 #endif /* CONFIG_TESTING_OPTIONS */
1875 wpa_hexdump_buf(MSG_DEBUG,
1876 "DPP: Authentication Response frame attributes", msg);
1881 static int dpp_channel_ok_init(struct hostapd_hw_modes *own_modes,
1882 u16 num_modes, unsigned int freq)
1887 if (!own_modes || !num_modes)
1890 for (m = 0; m < num_modes; m++) {
1891 for (c = 0; c < own_modes[m].num_channels; c++) {
1892 if ((unsigned int) own_modes[m].channels[c].freq !=
1895 flag = own_modes[m].channels[c].flag;
1896 if (!(flag & (HOSTAPD_CHAN_DISABLED |
1897 HOSTAPD_CHAN_NO_IR |
1898 HOSTAPD_CHAN_RADAR)))
1903 wpa_printf(MSG_DEBUG, "DPP: Peer channel %u MHz not supported", freq);
1908 static int freq_included(const unsigned int freqs[], unsigned int num,
1912 if (freqs[--num] == freq)
1919 static void freq_to_start(unsigned int freqs[], unsigned int num,
1924 for (i = 0; i < num; i++) {
1925 if (freqs[i] == freq)
1928 if (i == 0 || i >= num)
1930 os_memmove(&freqs[1], &freqs[0], i * sizeof(freqs[0]));
1935 static int dpp_channel_intersect(struct dpp_authentication *auth,
1936 struct hostapd_hw_modes *own_modes,
1939 struct dpp_bootstrap_info *peer_bi = auth->peer_bi;
1940 unsigned int i, freq;
1942 for (i = 0; i < peer_bi->num_freq; i++) {
1943 freq = peer_bi->freq[i];
1944 if (freq_included(auth->freq, auth->num_freq, freq))
1946 if (dpp_channel_ok_init(own_modes, num_modes, freq))
1947 auth->freq[auth->num_freq++] = freq;
1949 if (!auth->num_freq) {
1950 wpa_printf(MSG_INFO,
1951 "DPP: No available channels for initiating DPP Authentication");
1954 auth->curr_freq = auth->freq[0];
1959 static int dpp_channel_local_list(struct dpp_authentication *auth,
1960 struct hostapd_hw_modes *own_modes,
1969 if (!own_modes || !num_modes) {
1970 auth->freq[0] = 2412;
1971 auth->freq[1] = 2437;
1972 auth->freq[2] = 2462;
1977 for (m = 0; m < num_modes; m++) {
1978 for (c = 0; c < own_modes[m].num_channels; c++) {
1979 freq = own_modes[m].channels[c].freq;
1980 flag = own_modes[m].channels[c].flag;
1981 if (flag & (HOSTAPD_CHAN_DISABLED |
1982 HOSTAPD_CHAN_NO_IR |
1983 HOSTAPD_CHAN_RADAR))
1985 if (freq_included(auth->freq, auth->num_freq, freq))
1987 auth->freq[auth->num_freq++] = freq;
1988 if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
1995 return auth->num_freq == 0 ? -1 : 0;
1999 static int dpp_prepare_channel_list(struct dpp_authentication *auth,
2000 struct hostapd_hw_modes *own_modes,
2004 char freqs[DPP_BOOTSTRAP_MAX_FREQ * 6 + 10], *pos, *end;
2007 if (auth->peer_bi->num_freq > 0)
2008 res = dpp_channel_intersect(auth, own_modes, num_modes);
2010 res = dpp_channel_local_list(auth, own_modes, num_modes);
2014 /* Prioritize 2.4 GHz channels 6, 1, 11 (in this order) to hit the most
2015 * likely channels first. */
2016 freq_to_start(auth->freq, auth->num_freq, 2462);
2017 freq_to_start(auth->freq, auth->num_freq, 2412);
2018 freq_to_start(auth->freq, auth->num_freq, 2437);
2021 auth->curr_freq = auth->freq[0];
2024 end = pos + sizeof(freqs);
2025 for (i = 0; i < auth->num_freq; i++) {
2026 res = os_snprintf(pos, end - pos, " %u", auth->freq[i]);
2027 if (os_snprintf_error(end - pos, res))
2032 wpa_printf(MSG_DEBUG, "DPP: Possible frequencies for initiating:%s",
2039 static int dpp_autogen_bootstrap_key(struct dpp_authentication *auth)
2041 struct dpp_bootstrap_info *bi;
2046 return 0; /* already generated */
2048 bi = os_zalloc(sizeof(*bi));
2051 bi->type = DPP_BOOTSTRAP_QR_CODE;
2052 pk = dpp_keygen(bi, auth->peer_bi->curve->name, NULL, 0);
2056 len = 4; /* "DPP:" */
2057 len += 4 + os_strlen(pk);
2058 bi->uri = os_malloc(len + 1);
2061 os_snprintf(bi->uri, len + 1, "DPP:K:%s;;", pk);
2062 wpa_printf(MSG_DEBUG,
2063 "DPP: Auto-generated own bootstrapping key info: URI %s",
2066 auth->tmp_own_bi = auth->own_bi = bi;
2073 dpp_bootstrap_info_free(bi);
2078 struct dpp_authentication * dpp_auth_init(void *msg_ctx,
2079 struct dpp_bootstrap_info *peer_bi,
2080 struct dpp_bootstrap_info *own_bi,
2081 u8 dpp_allowed_roles,
2082 unsigned int neg_freq,
2083 struct hostapd_hw_modes *own_modes,
2086 struct dpp_authentication *auth;
2088 EVP_PKEY_CTX *ctx = NULL;
2090 struct wpabuf *pi = NULL;
2091 const u8 *r_pubkey_hash, *i_pubkey_hash;
2092 #ifdef CONFIG_TESTING_OPTIONS
2093 u8 test_hash[SHA256_MAC_LEN];
2094 #endif /* CONFIG_TESTING_OPTIONS */
2096 auth = os_zalloc(sizeof(*auth));
2099 auth->msg_ctx = msg_ctx;
2100 auth->initiator = 1;
2101 auth->waiting_auth_resp = 1;
2102 auth->allowed_roles = dpp_allowed_roles;
2103 auth->configurator = !!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR);
2104 auth->peer_bi = peer_bi;
2105 auth->own_bi = own_bi;
2106 auth->curve = peer_bi->curve;
2108 if (dpp_autogen_bootstrap_key(auth) < 0 ||
2109 dpp_prepare_channel_list(auth, own_modes, num_modes) < 0)
2112 #ifdef CONFIG_TESTING_OPTIONS
2113 if (dpp_nonce_override_len > 0) {
2114 wpa_printf(MSG_INFO, "DPP: TESTING - override I-nonce");
2115 nonce_len = dpp_nonce_override_len;
2116 os_memcpy(auth->i_nonce, dpp_nonce_override, nonce_len);
2118 nonce_len = auth->curve->nonce_len;
2119 if (random_get_bytes(auth->i_nonce, nonce_len)) {
2120 wpa_printf(MSG_ERROR,
2121 "DPP: Failed to generate I-nonce");
2125 #else /* CONFIG_TESTING_OPTIONS */
2126 nonce_len = auth->curve->nonce_len;
2127 if (random_get_bytes(auth->i_nonce, nonce_len)) {
2128 wpa_printf(MSG_ERROR, "DPP: Failed to generate I-nonce");
2131 #endif /* CONFIG_TESTING_OPTIONS */
2132 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", auth->i_nonce, nonce_len);
2134 #ifdef CONFIG_TESTING_OPTIONS
2135 if (dpp_protocol_key_override_len) {
2136 const struct dpp_curve_params *tmp_curve;
2138 wpa_printf(MSG_INFO,
2139 "DPP: TESTING - override protocol key");
2140 auth->own_protocol_key = dpp_set_keypair(
2141 &tmp_curve, dpp_protocol_key_override,
2142 dpp_protocol_key_override_len);
2144 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2146 #else /* CONFIG_TESTING_OPTIONS */
2147 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2148 #endif /* CONFIG_TESTING_OPTIONS */
2149 if (!auth->own_protocol_key)
2152 pi = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2156 /* ECDH: M = pI * BR */
2157 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
2159 EVP_PKEY_derive_init(ctx) != 1 ||
2160 EVP_PKEY_derive_set_peer(ctx, auth->peer_bi->pubkey) != 1 ||
2161 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
2162 secret_len > DPP_MAX_SHARED_SECRET_LEN ||
2163 EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
2164 wpa_printf(MSG_ERROR,
2165 "DPP: Failed to derive ECDH shared secret: %s",
2166 ERR_error_string(ERR_get_error(), NULL));
2169 auth->secret_len = secret_len;
2170 EVP_PKEY_CTX_free(ctx);
2173 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
2174 auth->Mx, auth->secret_len);
2175 auth->Mx_len = auth->secret_len;
2177 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
2178 auth->curve->hash_len) < 0)
2181 r_pubkey_hash = auth->peer_bi->pubkey_hash;
2182 i_pubkey_hash = auth->own_bi->pubkey_hash;
2184 #ifdef CONFIG_TESTING_OPTIONS
2185 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2186 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2187 r_pubkey_hash = NULL;
2188 } else if (dpp_test == DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2189 wpa_printf(MSG_INFO,
2190 "DPP: TESTING - invalid R-Bootstrap Key Hash");
2191 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2192 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2193 r_pubkey_hash = test_hash;
2194 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2195 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2196 i_pubkey_hash = NULL;
2197 } else if (dpp_test == DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
2198 wpa_printf(MSG_INFO,
2199 "DPP: TESTING - invalid I-Bootstrap Key Hash");
2200 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2201 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2202 i_pubkey_hash = test_hash;
2203 } else if (dpp_test == DPP_TEST_NO_I_PROTO_KEY_AUTH_REQ) {
2204 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Proto Key");
2207 } else if (dpp_test == DPP_TEST_INVALID_I_PROTO_KEY_AUTH_REQ) {
2208 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-Proto Key");
2210 pi = wpabuf_alloc(2 * auth->curve->prime_len);
2211 if (!pi || dpp_test_gen_invalid_key(pi, auth->curve) < 0)
2214 #endif /* CONFIG_TESTING_OPTIONS */
2216 auth->req_msg = dpp_auth_build_req(auth, pi, nonce_len, r_pubkey_hash,
2217 i_pubkey_hash, neg_freq);
2223 EVP_PKEY_CTX_free(ctx);
2226 dpp_auth_deinit(auth);
2232 static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth,
2236 size_t json_len, clear_len;
2237 struct wpabuf *clear = NULL, *msg = NULL;
2241 wpa_printf(MSG_DEBUG, "DPP: Build configuration request");
2243 nonce_len = auth->curve->nonce_len;
2244 if (random_get_bytes(auth->e_nonce, nonce_len)) {
2245 wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
2248 wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len);
2249 json_len = os_strlen(json);
2250 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configAttr JSON", json, json_len);
2252 /* { E-nonce, configAttrib }ke */
2253 clear_len = 4 + nonce_len + 4 + json_len;
2254 clear = wpabuf_alloc(clear_len);
2255 attr_len = 4 + clear_len + AES_BLOCK_SIZE;
2256 #ifdef CONFIG_TESTING_OPTIONS
2257 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ)
2259 #endif /* CONFIG_TESTING_OPTIONS */
2260 msg = wpabuf_alloc(attr_len);
2264 #ifdef CONFIG_TESTING_OPTIONS
2265 if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_REQ) {
2266 wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
2269 if (dpp_test == DPP_TEST_INVALID_E_NONCE_CONF_REQ) {
2270 wpa_printf(MSG_INFO, "DPP: TESTING - invalid E-nonce");
2271 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
2272 wpabuf_put_le16(clear, nonce_len - 1);
2273 wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1);
2276 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_REQ) {
2277 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
2278 goto skip_wrapped_data;
2280 #endif /* CONFIG_TESTING_OPTIONS */
2283 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
2284 wpabuf_put_le16(clear, nonce_len);
2285 wpabuf_put_data(clear, auth->e_nonce, nonce_len);
2287 #ifdef CONFIG_TESTING_OPTIONS
2289 if (dpp_test == DPP_TEST_NO_CONFIG_ATTR_OBJ_CONF_REQ) {
2290 wpa_printf(MSG_INFO, "DPP: TESTING - no configAttrib");
2291 goto skip_conf_attr_obj;
2293 #endif /* CONFIG_TESTING_OPTIONS */
2296 wpabuf_put_le16(clear, DPP_ATTR_CONFIG_ATTR_OBJ);
2297 wpabuf_put_le16(clear, json_len);
2298 wpabuf_put_data(clear, json, json_len);
2300 #ifdef CONFIG_TESTING_OPTIONS
2302 #endif /* CONFIG_TESTING_OPTIONS */
2304 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
2305 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
2306 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
2309 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
2310 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
2311 wpabuf_head(clear), wpabuf_len(clear),
2312 0, NULL, NULL, wrapped) < 0)
2314 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
2315 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
2317 #ifdef CONFIG_TESTING_OPTIONS
2318 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_REQ) {
2319 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
2320 dpp_build_attr_status(msg, DPP_STATUS_OK);
2323 #endif /* CONFIG_TESTING_OPTIONS */
2325 wpa_hexdump_buf(MSG_DEBUG,
2326 "DPP: Configuration Request frame attributes", msg);
2337 static void dpp_write_adv_proto(struct wpabuf *buf)
2339 /* Advertisement Protocol IE */
2340 wpabuf_put_u8(buf, WLAN_EID_ADV_PROTO);
2341 wpabuf_put_u8(buf, 8); /* Length */
2342 wpabuf_put_u8(buf, 0x7f);
2343 wpabuf_put_u8(buf, WLAN_EID_VENDOR_SPECIFIC);
2344 wpabuf_put_u8(buf, 5);
2345 wpabuf_put_be24(buf, OUI_WFA);
2346 wpabuf_put_u8(buf, DPP_OUI_TYPE);
2347 wpabuf_put_u8(buf, 0x01);
2351 static void dpp_write_gas_query(struct wpabuf *buf, struct wpabuf *query)
2354 wpabuf_put_le16(buf, wpabuf_len(query));
2355 wpabuf_put_buf(buf, query);
2359 struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth,
2362 struct wpabuf *buf, *conf_req;
2364 conf_req = dpp_build_conf_req_attr(auth, json);
2366 wpa_printf(MSG_DEBUG,
2367 "DPP: No configuration request data available");
2371 buf = gas_build_initial_req(0, 10 + 2 + wpabuf_len(conf_req));
2373 wpabuf_free(conf_req);
2377 dpp_write_adv_proto(buf);
2378 dpp_write_gas_query(buf, conf_req);
2379 wpabuf_free(conf_req);
2380 wpa_hexdump_buf(MSG_MSGDUMP, "DPP: GAS Config Request", buf);
2386 static void dpp_auth_success(struct dpp_authentication *auth)
2388 wpa_printf(MSG_DEBUG,
2389 "DPP: Authentication success - clear temporary keys");
2390 os_memset(auth->Mx, 0, sizeof(auth->Mx));
2392 os_memset(auth->Nx, 0, sizeof(auth->Nx));
2394 os_memset(auth->Lx, 0, sizeof(auth->Lx));
2396 os_memset(auth->k1, 0, sizeof(auth->k1));
2397 os_memset(auth->k2, 0, sizeof(auth->k2));
2399 auth->auth_success = 1;
2403 static int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth)
2405 struct wpabuf *pix, *prx, *bix, *brx;
2408 size_t i, num_elem = 0;
2413 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
2414 nonce_len = auth->curve->nonce_len;
2416 if (auth->initiator) {
2417 pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2418 prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2420 bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2423 brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2425 pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2426 prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2428 bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2431 brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2433 if (!pix || !prx || !brx)
2436 addr[num_elem] = auth->i_nonce;
2437 len[num_elem] = nonce_len;
2440 addr[num_elem] = auth->r_nonce;
2441 len[num_elem] = nonce_len;
2444 addr[num_elem] = wpabuf_head(pix);
2445 len[num_elem] = wpabuf_len(pix) / 2;
2448 addr[num_elem] = wpabuf_head(prx);
2449 len[num_elem] = wpabuf_len(prx) / 2;
2453 addr[num_elem] = wpabuf_head(bix);
2454 len[num_elem] = wpabuf_len(bix) / 2;
2458 addr[num_elem] = wpabuf_head(brx);
2459 len[num_elem] = wpabuf_len(brx) / 2;
2462 addr[num_elem] = &zero;
2466 wpa_printf(MSG_DEBUG, "DPP: R-auth hash components");
2467 for (i = 0; i < num_elem; i++)
2468 wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
2469 res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth);
2471 wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth,
2472 auth->curve->hash_len);
2482 static int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth)
2484 struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
2487 size_t i, num_elem = 0;
2492 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
2493 nonce_len = auth->curve->nonce_len;
2495 if (auth->initiator) {
2496 pix = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2497 prx = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2499 bix = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2504 brx = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2506 pix = dpp_get_pubkey_point(auth->peer_protocol_key, 0);
2507 prx = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2509 bix = dpp_get_pubkey_point(auth->peer_bi->pubkey, 0);
2514 brx = dpp_get_pubkey_point(auth->own_bi->pubkey, 0);
2516 if (!pix || !prx || !brx)
2519 addr[num_elem] = auth->r_nonce;
2520 len[num_elem] = nonce_len;
2523 addr[num_elem] = auth->i_nonce;
2524 len[num_elem] = nonce_len;
2527 addr[num_elem] = wpabuf_head(prx);
2528 len[num_elem] = wpabuf_len(prx) / 2;
2531 addr[num_elem] = wpabuf_head(pix);
2532 len[num_elem] = wpabuf_len(pix) / 2;
2535 addr[num_elem] = wpabuf_head(brx);
2536 len[num_elem] = wpabuf_len(brx) / 2;
2540 addr[num_elem] = wpabuf_head(bix);
2541 len[num_elem] = wpabuf_len(bix) / 2;
2545 addr[num_elem] = &one;
2549 wpa_printf(MSG_DEBUG, "DPP: I-auth hash components");
2550 for (i = 0; i < num_elem; i++)
2551 wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
2552 res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth);
2554 wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth,
2555 auth->curve->hash_len);
2565 static int dpp_auth_derive_l_responder(struct dpp_authentication *auth)
2567 const EC_GROUP *group;
2569 EC_KEY *BI = NULL, *bR = NULL, *pR = NULL;
2570 const EC_POINT *BI_point;
2572 BIGNUM *lx, *sum, *q;
2573 const BIGNUM *bR_bn, *pR_bn;
2576 /* L = ((bR + pR) modulo q) * BI */
2578 bnctx = BN_CTX_new();
2582 if (!bnctx || !sum || !q || !lx)
2584 BI = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
2587 BI_point = EC_KEY_get0_public_key(BI);
2588 group = EC_KEY_get0_group(BI);
2592 bR = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
2593 pR = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
2596 bR_bn = EC_KEY_get0_private_key(bR);
2597 pR_bn = EC_KEY_get0_private_key(pR);
2598 if (!bR_bn || !pR_bn)
2600 if (EC_GROUP_get_order(group, q, bnctx) != 1 ||
2601 BN_mod_add(sum, bR_bn, pR_bn, q, bnctx) != 1)
2603 l = EC_POINT_new(group);
2605 EC_POINT_mul(group, l, NULL, BI_point, sum, bnctx) != 1 ||
2606 EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
2608 wpa_printf(MSG_ERROR,
2609 "OpenSSL: failed: %s",
2610 ERR_error_string(ERR_get_error(), NULL));
2614 if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
2616 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
2617 auth->Lx_len = auth->secret_len;
2620 EC_POINT_clear_free(l);
2632 static int dpp_auth_derive_l_initiator(struct dpp_authentication *auth)
2634 const EC_GROUP *group;
2635 EC_POINT *l = NULL, *sum = NULL;
2636 EC_KEY *bI = NULL, *BR = NULL, *PR = NULL;
2637 const EC_POINT *BR_point, *PR_point;
2640 const BIGNUM *bI_bn;
2643 /* L = bI * (BR + PR) */
2645 bnctx = BN_CTX_new();
2649 BR = EVP_PKEY_get1_EC_KEY(auth->peer_bi->pubkey);
2650 PR = EVP_PKEY_get1_EC_KEY(auth->peer_protocol_key);
2653 BR_point = EC_KEY_get0_public_key(BR);
2654 PR_point = EC_KEY_get0_public_key(PR);
2656 bI = EVP_PKEY_get1_EC_KEY(auth->own_bi->pubkey);
2659 group = EC_KEY_get0_group(bI);
2660 bI_bn = EC_KEY_get0_private_key(bI);
2661 if (!group || !bI_bn)
2663 sum = EC_POINT_new(group);
2664 l = EC_POINT_new(group);
2666 EC_POINT_add(group, sum, BR_point, PR_point, bnctx) != 1 ||
2667 EC_POINT_mul(group, l, NULL, sum, bI_bn, bnctx) != 1 ||
2668 EC_POINT_get_affine_coordinates_GFp(group, l, lx, NULL,
2670 wpa_printf(MSG_ERROR,
2671 "OpenSSL: failed: %s",
2672 ERR_error_string(ERR_get_error(), NULL));
2676 if (dpp_bn2bin_pad(lx, auth->Lx, auth->secret_len) < 0)
2678 wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
2679 auth->Lx_len = auth->secret_len;
2682 EC_POINT_clear_free(l);
2683 EC_POINT_clear_free(sum);
2693 static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
2696 EVP_PKEY_CTX *ctx = NULL;
2698 struct wpabuf *msg, *pr = NULL;
2699 u8 r_auth[4 + DPP_MAX_HASH_LEN];
2700 u8 wrapped_r_auth[4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE], *w_r_auth;
2701 size_t wrapped_r_auth_len;
2703 const u8 *r_pubkey_hash, *i_pubkey_hash, *r_nonce, *i_nonce;
2704 enum dpp_status_error status = DPP_STATUS_OK;
2705 #ifdef CONFIG_TESTING_OPTIONS
2706 u8 test_hash[SHA256_MAC_LEN];
2707 #endif /* CONFIG_TESTING_OPTIONS */
2709 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
2713 #ifdef CONFIG_TESTING_OPTIONS
2714 if (dpp_nonce_override_len > 0) {
2715 wpa_printf(MSG_INFO, "DPP: TESTING - override R-nonce");
2716 nonce_len = dpp_nonce_override_len;
2717 os_memcpy(auth->r_nonce, dpp_nonce_override, nonce_len);
2719 nonce_len = auth->curve->nonce_len;
2720 if (random_get_bytes(auth->r_nonce, nonce_len)) {
2721 wpa_printf(MSG_ERROR,
2722 "DPP: Failed to generate R-nonce");
2726 #else /* CONFIG_TESTING_OPTIONS */
2727 nonce_len = auth->curve->nonce_len;
2728 if (random_get_bytes(auth->r_nonce, nonce_len)) {
2729 wpa_printf(MSG_ERROR, "DPP: Failed to generate R-nonce");
2732 #endif /* CONFIG_TESTING_OPTIONS */
2733 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", auth->r_nonce, nonce_len);
2735 #ifdef CONFIG_TESTING_OPTIONS
2736 if (dpp_protocol_key_override_len) {
2737 const struct dpp_curve_params *tmp_curve;
2739 wpa_printf(MSG_INFO,
2740 "DPP: TESTING - override protocol key");
2741 auth->own_protocol_key = dpp_set_keypair(
2742 &tmp_curve, dpp_protocol_key_override,
2743 dpp_protocol_key_override_len);
2745 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2747 #else /* CONFIG_TESTING_OPTIONS */
2748 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
2749 #endif /* CONFIG_TESTING_OPTIONS */
2750 if (!auth->own_protocol_key)
2753 pr = dpp_get_pubkey_point(auth->own_protocol_key, 0);
2757 /* ECDH: N = pR * PI */
2758 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
2760 EVP_PKEY_derive_init(ctx) != 1 ||
2761 EVP_PKEY_derive_set_peer(ctx, auth->peer_protocol_key) != 1 ||
2762 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
2763 secret_len > DPP_MAX_SHARED_SECRET_LEN ||
2764 EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
2765 wpa_printf(MSG_ERROR,
2766 "DPP: Failed to derive ECDH shared secret: %s",
2767 ERR_error_string(ERR_get_error(), NULL));
2770 EVP_PKEY_CTX_free(ctx);
2773 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
2774 auth->Nx, auth->secret_len);
2775 auth->Nx_len = auth->secret_len;
2777 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
2778 auth->curve->hash_len) < 0)
2781 if (auth->own_bi && auth->peer_bi) {
2782 /* Mutual authentication */
2783 if (dpp_auth_derive_l_responder(auth) < 0)
2787 if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
2790 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
2791 WPA_PUT_LE16(r_auth, DPP_ATTR_R_AUTH_TAG);
2792 WPA_PUT_LE16(&r_auth[2], auth->curve->hash_len);
2793 if (dpp_gen_r_auth(auth, r_auth + 4) < 0)
2795 #ifdef CONFIG_TESTING_OPTIONS
2796 if (dpp_test == DPP_TEST_R_AUTH_MISMATCH_AUTH_RESP) {
2797 wpa_printf(MSG_INFO, "DPP: TESTING - R-auth mismatch");
2798 r_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
2800 #endif /* CONFIG_TESTING_OPTIONS */
2801 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
2802 r_auth, 4 + auth->curve->hash_len,
2803 0, NULL, NULL, wrapped_r_auth) < 0)
2805 wrapped_r_auth_len = 4 + auth->curve->hash_len + AES_BLOCK_SIZE;
2806 wpa_hexdump(MSG_DEBUG, "DPP: {R-auth}ke",
2807 wrapped_r_auth, wrapped_r_auth_len);
2808 w_r_auth = wrapped_r_auth;
2810 r_pubkey_hash = auth->own_bi->pubkey_hash;
2812 i_pubkey_hash = auth->peer_bi->pubkey_hash;
2814 i_pubkey_hash = NULL;
2816 i_nonce = auth->i_nonce;
2817 r_nonce = auth->r_nonce;
2819 #ifdef CONFIG_TESTING_OPTIONS
2820 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2821 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2822 r_pubkey_hash = NULL;
2823 } else if (dpp_test ==
2824 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2825 wpa_printf(MSG_INFO,
2826 "DPP: TESTING - invalid R-Bootstrap Key Hash");
2827 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2828 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2829 r_pubkey_hash = test_hash;
2830 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2831 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2832 i_pubkey_hash = NULL;
2833 } else if (dpp_test ==
2834 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2835 wpa_printf(MSG_INFO,
2836 "DPP: TESTING - invalid I-Bootstrap Key Hash");
2838 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2840 os_memset(test_hash, 0, SHA256_MAC_LEN);
2841 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2842 i_pubkey_hash = test_hash;
2843 } else if (dpp_test == DPP_TEST_NO_R_PROTO_KEY_AUTH_RESP) {
2844 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Proto Key");
2847 } else if (dpp_test == DPP_TEST_INVALID_R_PROTO_KEY_AUTH_RESP) {
2848 wpa_printf(MSG_INFO, "DPP: TESTING - invalid R-Proto Key");
2850 pr = wpabuf_alloc(2 * auth->curve->prime_len);
2851 if (!pr || dpp_test_gen_invalid_key(pr, auth->curve) < 0)
2853 } else if (dpp_test == DPP_TEST_NO_R_AUTH_AUTH_RESP) {
2854 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth");
2856 wrapped_r_auth_len = 0;
2857 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
2858 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
2860 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_RESP) {
2861 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
2863 } else if (dpp_test == DPP_TEST_NO_R_NONCE_AUTH_RESP) {
2864 wpa_printf(MSG_INFO, "DPP: TESTING - no R-nonce");
2866 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
2867 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
2870 #endif /* CONFIG_TESTING_OPTIONS */
2872 msg = dpp_auth_build_resp(auth, status, pr, nonce_len,
2873 r_pubkey_hash, i_pubkey_hash,
2875 w_r_auth, wrapped_r_auth_len,
2879 wpabuf_free(auth->resp_msg);
2880 auth->resp_msg = msg;
2888 static int dpp_auth_build_resp_status(struct dpp_authentication *auth,
2889 enum dpp_status_error status)
2892 const u8 *r_pubkey_hash, *i_pubkey_hash, *i_nonce;
2893 #ifdef CONFIG_TESTING_OPTIONS
2894 u8 test_hash[SHA256_MAC_LEN];
2895 #endif /* CONFIG_TESTING_OPTIONS */
2899 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
2901 r_pubkey_hash = auth->own_bi->pubkey_hash;
2903 i_pubkey_hash = auth->peer_bi->pubkey_hash;
2905 i_pubkey_hash = NULL;
2907 i_nonce = auth->i_nonce;
2909 #ifdef CONFIG_TESTING_OPTIONS
2910 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2911 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
2912 r_pubkey_hash = NULL;
2913 } else if (dpp_test ==
2914 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2915 wpa_printf(MSG_INFO,
2916 "DPP: TESTING - invalid R-Bootstrap Key Hash");
2917 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
2918 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2919 r_pubkey_hash = test_hash;
2920 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2921 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
2922 i_pubkey_hash = NULL;
2923 } else if (dpp_test ==
2924 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
2925 wpa_printf(MSG_INFO,
2926 "DPP: TESTING - invalid I-Bootstrap Key Hash");
2928 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
2930 os_memset(test_hash, 0, SHA256_MAC_LEN);
2931 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
2932 i_pubkey_hash = test_hash;
2933 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
2934 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
2936 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
2937 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
2940 #endif /* CONFIG_TESTING_OPTIONS */
2942 msg = dpp_auth_build_resp(auth, status, NULL, auth->curve->nonce_len,
2943 r_pubkey_hash, i_pubkey_hash,
2944 NULL, i_nonce, NULL, 0, auth->k1);
2947 wpabuf_free(auth->resp_msg);
2948 auth->resp_msg = msg;
2953 struct dpp_authentication *
2954 dpp_auth_req_rx(void *msg_ctx, u8 dpp_allowed_roles, int qr_mutual,
2955 struct dpp_bootstrap_info *peer_bi,
2956 struct dpp_bootstrap_info *own_bi,
2957 unsigned int freq, const u8 *hdr, const u8 *attr_start,
2960 EVP_PKEY *pi = NULL;
2961 EVP_PKEY_CTX *ctx = NULL;
2965 u8 *unwrapped = NULL;
2966 size_t unwrapped_len = 0;
2967 const u8 *wrapped_data, *i_proto, *i_nonce, *i_capab, *i_bootstrap,
2969 u16 wrapped_data_len, i_proto_len, i_nonce_len, i_capab_len,
2970 i_bootstrap_len, channel_len;
2971 struct dpp_authentication *auth = NULL;
2975 #endif /* CONFIG_DPP2 */
2977 #ifdef CONFIG_TESTING_OPTIONS
2978 if (dpp_test == DPP_TEST_STOP_AT_AUTH_REQ) {
2979 wpa_printf(MSG_INFO,
2980 "DPP: TESTING - stop at Authentication Request");
2983 #endif /* CONFIG_TESTING_OPTIONS */
2985 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
2987 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
2988 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
2989 "Missing or invalid required Wrapped Data attribute");
2992 wpa_hexdump(MSG_MSGDUMP, "DPP: Wrapped Data",
2993 wrapped_data, wrapped_data_len);
2994 attr_len = wrapped_data - 4 - attr_start;
2996 auth = os_zalloc(sizeof(*auth));
2999 auth->msg_ctx = msg_ctx;
3000 auth->peer_bi = peer_bi;
3001 auth->own_bi = own_bi;
3002 auth->curve = own_bi->curve;
3003 auth->curr_freq = freq;
3005 auth->peer_version = 1; /* default to the first version */
3007 version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
3010 if (version_len < 1 || version[0] == 0) {
3012 "Invalid Protocol Version attribute");
3015 auth->peer_version = version[0];
3016 wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
3017 auth->peer_version);
3019 #endif /* CONFIG_DPP2 */
3021 channel = dpp_get_attr(attr_start, attr_len, DPP_ATTR_CHANNEL,
3026 if (channel_len < 2) {
3027 dpp_auth_fail(auth, "Too short Channel attribute");
3031 neg_freq = ieee80211_chan_to_freq(NULL, channel[0], channel[1]);
3032 wpa_printf(MSG_DEBUG,
3033 "DPP: Initiator requested different channel for negotiation: op_class=%u channel=%u --> freq=%d",
3034 channel[0], channel[1], neg_freq);
3037 "Unsupported Channel attribute value");
3041 if (auth->curr_freq != (unsigned int) neg_freq) {
3042 wpa_printf(MSG_DEBUG,
3043 "DPP: Changing negotiation channel from %u MHz to %u MHz",
3045 auth->curr_freq = neg_freq;
3049 i_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_I_PROTOCOL_KEY,
3053 "Missing required Initiator Protocol Key attribute");
3056 wpa_hexdump(MSG_MSGDUMP, "DPP: Initiator Protocol Key",
3057 i_proto, i_proto_len);
3060 pi = dpp_set_pubkey_point(own_bi->pubkey, i_proto, i_proto_len);
3062 dpp_auth_fail(auth, "Invalid Initiator Protocol Key");
3065 dpp_debug_print_key("Peer (Initiator) Protocol Key", pi);
3067 ctx = EVP_PKEY_CTX_new(own_bi->pubkey, NULL);
3069 EVP_PKEY_derive_init(ctx) != 1 ||
3070 EVP_PKEY_derive_set_peer(ctx, pi) != 1 ||
3071 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
3072 secret_len > DPP_MAX_SHARED_SECRET_LEN ||
3073 EVP_PKEY_derive(ctx, auth->Mx, &secret_len) != 1) {
3074 wpa_printf(MSG_ERROR,
3075 "DPP: Failed to derive ECDH shared secret: %s",
3076 ERR_error_string(ERR_get_error(), NULL));
3077 dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
3080 auth->secret_len = secret_len;
3081 EVP_PKEY_CTX_free(ctx);
3084 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
3085 auth->Mx, auth->secret_len);
3086 auth->Mx_len = auth->secret_len;
3088 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
3089 auth->curve->hash_len) < 0)
3093 len[0] = DPP_HDR_LEN;
3094 addr[1] = attr_start;
3096 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3097 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3098 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3099 wrapped_data, wrapped_data_len);
3100 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3101 unwrapped = os_malloc(unwrapped_len);
3104 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
3105 wrapped_data, wrapped_data_len,
3106 2, addr, len, unwrapped) < 0) {
3107 dpp_auth_fail(auth, "AES-SIV decryption failed");
3110 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3111 unwrapped, unwrapped_len);
3113 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3114 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3118 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3120 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3121 dpp_auth_fail(auth, "Missing or invalid I-nonce");
3124 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3125 os_memcpy(auth->i_nonce, i_nonce, i_nonce_len);
3127 i_capab = dpp_get_attr(unwrapped, unwrapped_len,
3128 DPP_ATTR_I_CAPABILITIES,
3130 if (!i_capab || i_capab_len < 1) {
3131 dpp_auth_fail(auth, "Missing or invalid I-capabilities");
3134 auth->i_capab = i_capab[0];
3135 wpa_printf(MSG_DEBUG, "DPP: I-capabilities: 0x%02x", auth->i_capab);
3137 bin_clear_free(unwrapped, unwrapped_len);
3140 switch (auth->i_capab & DPP_CAPAB_ROLE_MASK) {
3141 case DPP_CAPAB_ENROLLEE:
3142 if (!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)) {
3143 wpa_printf(MSG_DEBUG,
3144 "DPP: Local policy does not allow Configurator role");
3145 goto not_compatible;
3147 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3148 auth->configurator = 1;
3150 case DPP_CAPAB_CONFIGURATOR:
3151 if (!(dpp_allowed_roles & DPP_CAPAB_ENROLLEE)) {
3152 wpa_printf(MSG_DEBUG,
3153 "DPP: Local policy does not allow Enrollee role");
3154 goto not_compatible;
3156 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3157 auth->configurator = 0;
3159 case DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE:
3160 if (dpp_allowed_roles & DPP_CAPAB_ENROLLEE) {
3161 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
3162 auth->configurator = 0;
3163 } else if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) {
3164 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
3165 auth->configurator = 1;
3167 wpa_printf(MSG_DEBUG,
3168 "DPP: Local policy does not allow Configurator/Enrollee role");
3169 goto not_compatible;
3173 wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities");
3174 wpa_msg(auth->msg_ctx, MSG_INFO,
3175 DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x",
3176 auth->i_capab & DPP_CAPAB_ROLE_MASK);
3180 auth->peer_protocol_key = pi;
3182 if (qr_mutual && !peer_bi && own_bi->type == DPP_BOOTSTRAP_QR_CODE) {
3183 char hex[SHA256_MAC_LEN * 2 + 1];
3185 wpa_printf(MSG_DEBUG,
3186 "DPP: Mutual authentication required with QR Codes, but peer info is not yet available - request more time");
3187 if (dpp_auth_build_resp_status(auth,
3188 DPP_STATUS_RESPONSE_PENDING) < 0)
3190 i_bootstrap = dpp_get_attr(attr_start, attr_len,
3191 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3193 if (i_bootstrap && i_bootstrap_len == SHA256_MAC_LEN) {
3194 auth->response_pending = 1;
3195 os_memcpy(auth->waiting_pubkey_hash,
3196 i_bootstrap, i_bootstrap_len);
3197 wpa_snprintf_hex(hex, sizeof(hex), i_bootstrap,
3203 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_SCAN_PEER_QR_CODE
3207 if (dpp_auth_build_resp_ok(auth) < 0)
3213 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
3214 "i-capab=0x%02x", auth->i_capab);
3215 if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)
3216 auth->configurator = 1;
3218 auth->configurator = 0;
3219 auth->peer_protocol_key = pi;
3221 if (dpp_auth_build_resp_status(auth, DPP_STATUS_NOT_COMPATIBLE) < 0)
3224 auth->remove_on_tx_status = 1;
3227 bin_clear_free(unwrapped, unwrapped_len);
3229 EVP_PKEY_CTX_free(ctx);
3230 dpp_auth_deinit(auth);
3235 int dpp_notify_new_qr_code(struct dpp_authentication *auth,
3236 struct dpp_bootstrap_info *peer_bi)
3238 if (!auth || !auth->response_pending ||
3239 os_memcmp(auth->waiting_pubkey_hash, peer_bi->pubkey_hash,
3240 SHA256_MAC_LEN) != 0)
3243 wpa_printf(MSG_DEBUG,
3244 "DPP: New scanned QR Code has matching public key that was needed to continue DPP Authentication exchange with "
3245 MACSTR, MAC2STR(auth->peer_mac_addr));
3246 auth->peer_bi = peer_bi;
3248 if (dpp_auth_build_resp_ok(auth) < 0)
3255 static struct wpabuf * dpp_auth_build_conf(struct dpp_authentication *auth,
3256 enum dpp_status_error status)
3259 u8 i_auth[4 + DPP_MAX_HASH_LEN];
3261 u8 r_nonce[4 + DPP_MAX_NONCE_LEN];
3264 size_t len[2], attr_len;
3266 u8 *wrapped_r_nonce;
3267 u8 *attr_start, *attr_end;
3268 const u8 *r_pubkey_hash, *i_pubkey_hash;
3269 #ifdef CONFIG_TESTING_OPTIONS
3270 u8 test_hash[SHA256_MAC_LEN];
3271 #endif /* CONFIG_TESTING_OPTIONS */
3273 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Confirmation");
3275 i_auth_len = 4 + auth->curve->hash_len;
3276 r_nonce_len = 4 + auth->curve->nonce_len;
3277 /* Build DPP Authentication Confirmation frame attributes */
3278 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
3279 4 + i_auth_len + r_nonce_len + AES_BLOCK_SIZE;
3280 #ifdef CONFIG_TESTING_OPTIONS
3281 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF)
3283 #endif /* CONFIG_TESTING_OPTIONS */
3284 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_CONF, attr_len);
3288 attr_start = wpabuf_put(msg, 0);
3290 r_pubkey_hash = auth->peer_bi->pubkey_hash;
3292 i_pubkey_hash = auth->own_bi->pubkey_hash;
3294 i_pubkey_hash = NULL;
3296 #ifdef CONFIG_TESTING_OPTIONS
3297 if (dpp_test == DPP_TEST_NO_STATUS_AUTH_CONF) {
3298 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
3300 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_CONF) {
3301 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
3304 #endif /* CONFIG_TESTING_OPTIONS */
3307 dpp_build_attr_status(msg, status);
3309 #ifdef CONFIG_TESTING_OPTIONS
3311 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3312 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
3313 r_pubkey_hash = NULL;
3314 } else if (dpp_test ==
3315 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3316 wpa_printf(MSG_INFO,
3317 "DPP: TESTING - invalid R-Bootstrap Key Hash");
3318 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
3319 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
3320 r_pubkey_hash = test_hash;
3321 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3322 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
3323 i_pubkey_hash = NULL;
3324 } else if (dpp_test ==
3325 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
3326 wpa_printf(MSG_INFO,
3327 "DPP: TESTING - invalid I-Bootstrap Key Hash");
3329 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
3331 os_memset(test_hash, 0, SHA256_MAC_LEN);
3332 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
3333 i_pubkey_hash = test_hash;
3335 #endif /* CONFIG_TESTING_OPTIONS */
3337 /* Responder Bootstrapping Key Hash */
3338 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
3340 /* Initiator Bootstrapping Key Hash (mutual authentication) */
3341 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
3343 #ifdef CONFIG_TESTING_OPTIONS
3344 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_CONF)
3345 goto skip_wrapped_data;
3346 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
3348 #endif /* CONFIG_TESTING_OPTIONS */
3350 attr_end = wpabuf_put(msg, 0);
3352 /* OUI, OUI type, Crypto Suite, DPP frame type */
3353 addr[0] = wpabuf_head_u8(msg) + 2;
3354 len[0] = 3 + 1 + 1 + 1;
3355 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3357 /* Attributes before Wrapped Data */
3358 addr[1] = attr_start;
3359 len[1] = attr_end - attr_start;
3360 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3362 if (status == DPP_STATUS_OK) {
3363 /* I-auth wrapped with ke */
3364 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
3365 wpabuf_put_le16(msg, i_auth_len + AES_BLOCK_SIZE);
3366 wrapped_i_auth = wpabuf_put(msg, i_auth_len + AES_BLOCK_SIZE);
3368 #ifdef CONFIG_TESTING_OPTIONS
3369 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
3371 #endif /* CONFIG_TESTING_OPTIONS */
3373 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |]
3375 WPA_PUT_LE16(i_auth, DPP_ATTR_I_AUTH_TAG);
3376 WPA_PUT_LE16(&i_auth[2], auth->curve->hash_len);
3377 if (dpp_gen_i_auth(auth, i_auth + 4) < 0)
3380 #ifdef CONFIG_TESTING_OPTIONS
3381 if (dpp_test == DPP_TEST_I_AUTH_MISMATCH_AUTH_CONF) {
3382 wpa_printf(MSG_INFO, "DPP: TESTING - I-auth mismatch");
3383 i_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
3386 #endif /* CONFIG_TESTING_OPTIONS */
3387 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
3389 2, addr, len, wrapped_i_auth) < 0)
3391 wpa_hexdump(MSG_DEBUG, "DPP: {I-auth}ke",
3392 wrapped_i_auth, i_auth_len + AES_BLOCK_SIZE);
3394 /* R-nonce wrapped with k2 */
3395 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
3396 wpabuf_put_le16(msg, r_nonce_len + AES_BLOCK_SIZE);
3397 wrapped_r_nonce = wpabuf_put(msg, r_nonce_len + AES_BLOCK_SIZE);
3399 WPA_PUT_LE16(r_nonce, DPP_ATTR_R_NONCE);
3400 WPA_PUT_LE16(&r_nonce[2], auth->curve->nonce_len);
3401 os_memcpy(r_nonce + 4, auth->r_nonce, auth->curve->nonce_len);
3403 if (aes_siv_encrypt(auth->k2, auth->curve->hash_len,
3404 r_nonce, r_nonce_len,
3405 2, addr, len, wrapped_r_nonce) < 0)
3407 wpa_hexdump(MSG_DEBUG, "DPP: {R-nonce}k2",
3408 wrapped_r_nonce, r_nonce_len + AES_BLOCK_SIZE);
3411 #ifdef CONFIG_TESTING_OPTIONS
3412 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) {
3413 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
3414 dpp_build_attr_status(msg, DPP_STATUS_OK);
3417 #endif /* CONFIG_TESTING_OPTIONS */
3419 wpa_hexdump_buf(MSG_DEBUG,
3420 "DPP: Authentication Confirmation frame attributes",
3422 if (status == DPP_STATUS_OK)
3423 dpp_auth_success(auth);
3434 dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr,
3435 const u8 *attr_start, size_t attr_len,
3436 const u8 *wrapped_data, u16 wrapped_data_len,
3437 enum dpp_status_error status)
3441 u8 *unwrapped = NULL;
3442 size_t unwrapped_len = 0;
3443 const u8 *i_nonce, *r_capab;
3444 u16 i_nonce_len, r_capab_len;
3446 if (status == DPP_STATUS_NOT_COMPATIBLE) {
3447 wpa_printf(MSG_DEBUG,
3448 "DPP: Responder reported incompatible roles");
3449 } else if (status == DPP_STATUS_RESPONSE_PENDING) {
3450 wpa_printf(MSG_DEBUG,
3451 "DPP: Responder reported more time needed");
3453 wpa_printf(MSG_DEBUG,
3454 "DPP: Responder reported failure (status %d)",
3456 dpp_auth_fail(auth, "Responder reported failure");
3461 len[0] = DPP_HDR_LEN;
3462 addr[1] = attr_start;
3464 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3465 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3466 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3467 wrapped_data, wrapped_data_len);
3468 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3469 unwrapped = os_malloc(unwrapped_len);
3472 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
3473 wrapped_data, wrapped_data_len,
3474 2, addr, len, unwrapped) < 0) {
3475 dpp_auth_fail(auth, "AES-SIV decryption failed");
3478 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3479 unwrapped, unwrapped_len);
3481 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3482 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3486 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3488 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3489 dpp_auth_fail(auth, "Missing or invalid I-nonce");
3492 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3493 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
3494 dpp_auth_fail(auth, "I-nonce mismatch");
3498 r_capab = dpp_get_attr(unwrapped, unwrapped_len,
3499 DPP_ATTR_R_CAPABILITIES,
3501 if (!r_capab || r_capab_len < 1) {
3502 dpp_auth_fail(auth, "Missing or invalid R-capabilities");
3505 auth->r_capab = r_capab[0];
3506 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
3507 if (status == DPP_STATUS_NOT_COMPATIBLE) {
3508 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
3509 "r-capab=0x%02x", auth->r_capab);
3510 } else if (status == DPP_STATUS_RESPONSE_PENDING) {
3511 u8 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
3513 if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
3514 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
3515 wpa_msg(auth->msg_ctx, MSG_INFO,
3516 DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x",
3519 wpa_printf(MSG_DEBUG,
3520 "DPP: Continue waiting for full DPP Authentication Response");
3521 wpa_msg(auth->msg_ctx, MSG_INFO,
3522 DPP_EVENT_RESPONSE_PENDING "%s",
3523 auth->tmp_own_bi ? auth->tmp_own_bi->uri : "");
3527 bin_clear_free(unwrapped, unwrapped_len);
3532 dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
3533 const u8 *attr_start, size_t attr_len)
3536 EVP_PKEY_CTX *ctx = NULL;
3540 u8 *unwrapped = NULL, *unwrapped2 = NULL;
3541 size_t unwrapped_len = 0, unwrapped2_len = 0;
3542 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *r_proto,
3543 *r_nonce, *i_nonce, *r_capab, *wrapped2, *r_auth;
3544 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
3545 r_proto_len, r_nonce_len, i_nonce_len, r_capab_len,
3546 wrapped2_len, r_auth_len;
3547 u8 r_auth2[DPP_MAX_HASH_LEN];
3552 #endif /* CONFIG_DPP2 */
3554 #ifdef CONFIG_TESTING_OPTIONS
3555 if (dpp_test == DPP_TEST_STOP_AT_AUTH_RESP) {
3556 wpa_printf(MSG_INFO,
3557 "DPP: TESTING - stop at Authentication Response");
3560 #endif /* CONFIG_TESTING_OPTIONS */
3562 if (!auth->initiator || !auth->peer_bi) {
3563 dpp_auth_fail(auth, "Unexpected Authentication Response");
3567 auth->waiting_auth_resp = 0;
3569 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
3571 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
3573 "Missing or invalid required Wrapped Data attribute");
3576 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
3577 wrapped_data, wrapped_data_len);
3579 attr_len = wrapped_data - 4 - attr_start;
3581 r_bootstrap = dpp_get_attr(attr_start, attr_len,
3582 DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
3584 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
3586 "Missing or invalid required Responder Bootstrapping Key Hash attribute");
3589 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
3590 r_bootstrap, r_bootstrap_len);
3591 if (os_memcmp(r_bootstrap, auth->peer_bi->pubkey_hash,
3592 SHA256_MAC_LEN) != 0) {
3594 "Unexpected Responder Bootstrapping Key Hash value");
3595 wpa_hexdump(MSG_DEBUG,
3596 "DPP: Expected Responder Bootstrapping Key Hash",
3597 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
3601 i_bootstrap = dpp_get_attr(attr_start, attr_len,
3602 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
3605 if (i_bootstrap_len != SHA256_MAC_LEN) {
3607 "Invalid Initiator Bootstrapping Key Hash attribute");
3610 wpa_hexdump(MSG_MSGDUMP,
3611 "DPP: Initiator Bootstrapping Key Hash",
3612 i_bootstrap, i_bootstrap_len);
3613 if (!auth->own_bi ||
3614 os_memcmp(i_bootstrap, auth->own_bi->pubkey_hash,
3615 SHA256_MAC_LEN) != 0) {
3617 "Initiator Bootstrapping Key Hash attribute did not match");
3620 } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
3621 /* PKEX bootstrapping mandates use of mutual authentication */
3623 "Missing Initiator Bootstrapping Key Hash attribute");
3627 auth->peer_version = 1; /* default to the first version */
3629 version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
3632 if (version_len < 1 || version[0] == 0) {
3634 "Invalid Protocol Version attribute");
3637 auth->peer_version = version[0];
3638 wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
3639 auth->peer_version);
3641 #endif /* CONFIG_DPP2 */
3643 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
3645 if (!status || status_len < 1) {
3647 "Missing or invalid required DPP Status attribute");
3650 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
3651 auth->auth_resp_status = status[0];
3652 if (status[0] != DPP_STATUS_OK) {
3653 dpp_auth_resp_rx_status(auth, hdr, attr_start,
3654 attr_len, wrapped_data,
3655 wrapped_data_len, status[0]);
3659 if (!i_bootstrap && auth->own_bi) {
3660 wpa_printf(MSG_DEBUG,
3661 "DPP: Responder decided not to use mutual authentication");
3662 auth->own_bi = NULL;
3665 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_DIRECTION "mutual=%d",
3666 auth->own_bi != NULL);
3668 r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
3672 "Missing required Responder Protocol Key attribute");
3675 wpa_hexdump(MSG_MSGDUMP, "DPP: Responder Protocol Key",
3676 r_proto, r_proto_len);
3679 pr = dpp_set_pubkey_point(auth->own_protocol_key, r_proto, r_proto_len);
3681 dpp_auth_fail(auth, "Invalid Responder Protocol Key");
3684 dpp_debug_print_key("Peer (Responder) Protocol Key", pr);
3686 ctx = EVP_PKEY_CTX_new(auth->own_protocol_key, NULL);
3688 EVP_PKEY_derive_init(ctx) != 1 ||
3689 EVP_PKEY_derive_set_peer(ctx, pr) != 1 ||
3690 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1 ||
3691 secret_len > DPP_MAX_SHARED_SECRET_LEN ||
3692 EVP_PKEY_derive(ctx, auth->Nx, &secret_len) != 1) {
3693 wpa_printf(MSG_ERROR,
3694 "DPP: Failed to derive ECDH shared secret: %s",
3695 ERR_error_string(ERR_get_error(), NULL));
3696 dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
3699 EVP_PKEY_CTX_free(ctx);
3701 auth->peer_protocol_key = pr;
3704 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
3705 auth->Nx, auth->secret_len);
3706 auth->Nx_len = auth->secret_len;
3708 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
3709 auth->curve->hash_len) < 0)
3713 len[0] = DPP_HDR_LEN;
3714 addr[1] = attr_start;
3716 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3717 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3718 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3719 wrapped_data, wrapped_data_len);
3720 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3721 unwrapped = os_malloc(unwrapped_len);
3724 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
3725 wrapped_data, wrapped_data_len,
3726 2, addr, len, unwrapped) < 0) {
3727 dpp_auth_fail(auth, "AES-SIV decryption failed");
3730 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3731 unwrapped, unwrapped_len);
3733 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3734 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3738 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
3740 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
3741 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
3744 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", r_nonce, r_nonce_len);
3745 os_memcpy(auth->r_nonce, r_nonce, r_nonce_len);
3747 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
3749 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
3750 dpp_auth_fail(auth, "Missing or invalid I-nonce");
3753 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
3754 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
3755 dpp_auth_fail(auth, "I-nonce mismatch");
3760 /* Mutual authentication */
3761 if (dpp_auth_derive_l_initiator(auth) < 0)
3765 r_capab = dpp_get_attr(unwrapped, unwrapped_len,
3766 DPP_ATTR_R_CAPABILITIES,
3768 if (!r_capab || r_capab_len < 1) {
3769 dpp_auth_fail(auth, "Missing or invalid R-capabilities");
3772 auth->r_capab = r_capab[0];
3773 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
3774 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
3775 if ((auth->allowed_roles ==
3776 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) &&
3777 (role == DPP_CAPAB_CONFIGURATOR || role == DPP_CAPAB_ENROLLEE)) {
3778 /* Peer selected its role, so move from "either role" to the
3779 * role that is compatible with peer's selection. */
3780 auth->configurator = role == DPP_CAPAB_ENROLLEE;
3781 wpa_printf(MSG_DEBUG, "DPP: Acting as %s",
3782 auth->configurator ? "Configurator" : "Enrollee");
3783 } else if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
3784 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
3785 wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection");
3786 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
3787 "Unexpected role in R-capabilities 0x%02x",
3789 if (role != DPP_CAPAB_ENROLLEE &&
3790 role != DPP_CAPAB_CONFIGURATOR)
3792 bin_clear_free(unwrapped, unwrapped_len);
3793 auth->remove_on_tx_status = 1;
3794 return dpp_auth_build_conf(auth, DPP_STATUS_NOT_COMPATIBLE);
3797 wrapped2 = dpp_get_attr(unwrapped, unwrapped_len,
3798 DPP_ATTR_WRAPPED_DATA, &wrapped2_len);
3799 if (!wrapped2 || wrapped2_len < AES_BLOCK_SIZE) {
3801 "Missing or invalid Secondary Wrapped Data");
3805 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3806 wrapped2, wrapped2_len);
3808 if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
3811 unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
3812 unwrapped2 = os_malloc(unwrapped2_len);
3815 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
3816 wrapped2, wrapped2_len,
3817 0, NULL, NULL, unwrapped2) < 0) {
3818 dpp_auth_fail(auth, "AES-SIV decryption failed");
3821 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3822 unwrapped2, unwrapped2_len);
3824 if (dpp_check_attrs(unwrapped2, unwrapped2_len) < 0) {
3826 "Invalid attribute in secondary unwrapped data");
3830 r_auth = dpp_get_attr(unwrapped2, unwrapped2_len, DPP_ATTR_R_AUTH_TAG,
3832 if (!r_auth || r_auth_len != auth->curve->hash_len) {
3834 "Missing or invalid Responder Authenticating Tag");
3837 wpa_hexdump(MSG_DEBUG, "DPP: Received Responder Authenticating Tag",
3838 r_auth, r_auth_len);
3839 /* R-auth' = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
3840 if (dpp_gen_r_auth(auth, r_auth2) < 0)
3842 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Responder Authenticating Tag",
3843 r_auth2, r_auth_len);
3844 if (os_memcmp(r_auth, r_auth2, r_auth_len) != 0) {
3845 dpp_auth_fail(auth, "Mismatching Responder Authenticating Tag");
3846 bin_clear_free(unwrapped, unwrapped_len);
3847 bin_clear_free(unwrapped2, unwrapped2_len);
3848 auth->remove_on_tx_status = 1;
3849 return dpp_auth_build_conf(auth, DPP_STATUS_AUTH_FAILURE);
3852 bin_clear_free(unwrapped, unwrapped_len);
3853 bin_clear_free(unwrapped2, unwrapped2_len);
3855 #ifdef CONFIG_TESTING_OPTIONS
3856 if (dpp_test == DPP_TEST_AUTH_RESP_IN_PLACE_OF_CONF) {
3857 wpa_printf(MSG_INFO,
3858 "DPP: TESTING - Authentication Response in place of Confirm");
3859 if (dpp_auth_build_resp_ok(auth) < 0)
3861 return wpabuf_dup(auth->resp_msg);
3863 #endif /* CONFIG_TESTING_OPTIONS */
3865 return dpp_auth_build_conf(auth, DPP_STATUS_OK);
3868 bin_clear_free(unwrapped, unwrapped_len);
3869 bin_clear_free(unwrapped2, unwrapped2_len);
3871 EVP_PKEY_CTX_free(ctx);
3876 static int dpp_auth_conf_rx_failure(struct dpp_authentication *auth,
3878 const u8 *attr_start, size_t attr_len,
3879 const u8 *wrapped_data,
3880 u16 wrapped_data_len,
3881 enum dpp_status_error status)
3885 u8 *unwrapped = NULL;
3886 size_t unwrapped_len = 0;
3890 /* Authentication Confirm failure cases are expected to include
3891 * {R-nonce}k2 in the Wrapped Data attribute. */
3894 len[0] = DPP_HDR_LEN;
3895 addr[1] = attr_start;
3897 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
3898 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
3899 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
3900 wrapped_data, wrapped_data_len);
3901 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
3902 unwrapped = os_malloc(unwrapped_len);
3904 dpp_auth_fail(auth, "Authentication failed");
3907 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
3908 wrapped_data, wrapped_data_len,
3909 2, addr, len, unwrapped) < 0) {
3910 dpp_auth_fail(auth, "AES-SIV decryption failed");
3913 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
3914 unwrapped, unwrapped_len);
3916 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
3917 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3921 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
3923 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
3924 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
3927 if (os_memcmp(r_nonce, auth->r_nonce, r_nonce_len) != 0) {
3928 wpa_hexdump(MSG_DEBUG, "DPP: Received R-nonce",
3929 r_nonce, r_nonce_len);
3930 wpa_hexdump(MSG_DEBUG, "DPP: Expected R-nonce",
3931 auth->r_nonce, r_nonce_len);
3932 dpp_auth_fail(auth, "R-nonce mismatch");
3936 if (status == DPP_STATUS_NOT_COMPATIBLE)
3937 dpp_auth_fail(auth, "Peer reported incompatible R-capab role");
3938 else if (status == DPP_STATUS_AUTH_FAILURE)
3939 dpp_auth_fail(auth, "Peer reported authentication failure)");
3942 bin_clear_free(unwrapped, unwrapped_len);
3947 int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
3948 const u8 *attr_start, size_t attr_len)
3950 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *i_auth;
3951 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
3955 u8 *unwrapped = NULL;
3956 size_t unwrapped_len = 0;
3957 u8 i_auth2[DPP_MAX_HASH_LEN];
3959 #ifdef CONFIG_TESTING_OPTIONS
3960 if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) {
3961 wpa_printf(MSG_INFO,
3962 "DPP: TESTING - stop at Authentication Confirm");
3965 #endif /* CONFIG_TESTING_OPTIONS */
3967 if (auth->initiator || !auth->own_bi) {
3968 dpp_auth_fail(auth, "Unexpected Authentication Confirm");
3972 auth->waiting_auth_conf = 0;
3974 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
3976 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
3978 "Missing or invalid required Wrapped Data attribute");
3981 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
3982 wrapped_data, wrapped_data_len);
3984 attr_len = wrapped_data - 4 - attr_start;
3986 r_bootstrap = dpp_get_attr(attr_start, attr_len,
3987 DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
3989 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
3991 "Missing or invalid required Responder Bootstrapping Key Hash attribute");
3994 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
3995 r_bootstrap, r_bootstrap_len);
3996 if (os_memcmp(r_bootstrap, auth->own_bi->pubkey_hash,
3997 SHA256_MAC_LEN) != 0) {
3998 wpa_hexdump(MSG_DEBUG,
3999 "DPP: Expected Responder Bootstrapping Key Hash",
4000 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
4002 "Responder Bootstrapping Key Hash mismatch");
4006 i_bootstrap = dpp_get_attr(attr_start, attr_len,
4007 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
4010 if (i_bootstrap_len != SHA256_MAC_LEN) {
4012 "Invalid Initiator Bootstrapping Key Hash attribute");
4015 wpa_hexdump(MSG_MSGDUMP,
4016 "DPP: Initiator Bootstrapping Key Hash",
4017 i_bootstrap, i_bootstrap_len);
4018 if (!auth->peer_bi ||
4019 os_memcmp(i_bootstrap, auth->peer_bi->pubkey_hash,
4020 SHA256_MAC_LEN) != 0) {
4022 "Initiator Bootstrapping Key Hash mismatch");
4025 } else if (auth->peer_bi) {
4026 /* Mutual authentication and peer did not include its
4027 * Bootstrapping Key Hash attribute. */
4029 "Missing Initiator Bootstrapping Key Hash attribute");
4033 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
4035 if (!status || status_len < 1) {
4037 "Missing or invalid required DPP Status attribute");
4040 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
4041 if (status[0] == DPP_STATUS_NOT_COMPATIBLE ||
4042 status[0] == DPP_STATUS_AUTH_FAILURE)
4043 return dpp_auth_conf_rx_failure(auth, hdr, attr_start,
4044 attr_len, wrapped_data,
4045 wrapped_data_len, status[0]);
4047 if (status[0] != DPP_STATUS_OK) {
4048 dpp_auth_fail(auth, "Authentication failed");
4053 len[0] = DPP_HDR_LEN;
4054 addr[1] = attr_start;
4056 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
4057 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
4058 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
4059 wrapped_data, wrapped_data_len);
4060 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
4061 unwrapped = os_malloc(unwrapped_len);
4064 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
4065 wrapped_data, wrapped_data_len,
4066 2, addr, len, unwrapped) < 0) {
4067 dpp_auth_fail(auth, "AES-SIV decryption failed");
4070 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
4071 unwrapped, unwrapped_len);
4073 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
4074 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
4078 i_auth = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
4080 if (!i_auth || i_auth_len != auth->curve->hash_len) {
4082 "Missing or invalid Initiator Authenticating Tag");
4085 wpa_hexdump(MSG_DEBUG, "DPP: Received Initiator Authenticating Tag",
4086 i_auth, i_auth_len);
4087 /* I-auth' = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
4088 if (dpp_gen_i_auth(auth, i_auth2) < 0)
4090 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Initiator Authenticating Tag",
4091 i_auth2, i_auth_len);
4092 if (os_memcmp(i_auth, i_auth2, i_auth_len) != 0) {
4093 dpp_auth_fail(auth, "Mismatching Initiator Authenticating Tag");
4097 bin_clear_free(unwrapped, unwrapped_len);
4098 dpp_auth_success(auth);
4101 bin_clear_free(unwrapped, unwrapped_len);
4106 static int bin_str_eq(const char *val, size_t len, const char *cmp)
4108 return os_strlen(cmp) == len && os_memcmp(val, cmp, len) == 0;
4112 struct dpp_configuration * dpp_configuration_alloc(const char *type)
4114 struct dpp_configuration *conf;
4118 conf = os_zalloc(sizeof(*conf));
4122 end = os_strchr(type, ' ');
4126 len = os_strlen(type);
4128 if (bin_str_eq(type, len, "psk"))
4129 conf->akm = DPP_AKM_PSK;
4130 else if (bin_str_eq(type, len, "sae"))
4131 conf->akm = DPP_AKM_SAE;
4132 else if (bin_str_eq(type, len, "psk-sae") ||
4133 bin_str_eq(type, len, "psk+sae"))
4134 conf->akm = DPP_AKM_PSK_SAE;
4135 else if (bin_str_eq(type, len, "sae-dpp") ||
4136 bin_str_eq(type, len, "dpp+sae"))
4137 conf->akm = DPP_AKM_SAE_DPP;
4138 else if (bin_str_eq(type, len, "psk-sae-dpp") ||
4139 bin_str_eq(type, len, "dpp+psk+sae"))
4140 conf->akm = DPP_AKM_PSK_SAE_DPP;
4141 else if (bin_str_eq(type, len, "dpp"))
4142 conf->akm = DPP_AKM_DPP;
4148 dpp_configuration_free(conf);
4153 int dpp_akm_psk(enum dpp_akm akm)
4155 return akm == DPP_AKM_PSK || akm == DPP_AKM_PSK_SAE ||
4156 akm == DPP_AKM_PSK_SAE_DPP;
4160 int dpp_akm_sae(enum dpp_akm akm)
4162 return akm == DPP_AKM_SAE || akm == DPP_AKM_PSK_SAE ||
4163 akm == DPP_AKM_SAE_DPP || akm == DPP_AKM_PSK_SAE_DPP;
4167 int dpp_akm_legacy(enum dpp_akm akm)
4169 return akm == DPP_AKM_PSK || akm == DPP_AKM_PSK_SAE ||
4174 int dpp_akm_dpp(enum dpp_akm akm)
4176 return akm == DPP_AKM_DPP || akm == DPP_AKM_SAE_DPP ||
4177 akm == DPP_AKM_PSK_SAE_DPP;
4181 int dpp_akm_ver2(enum dpp_akm akm)
4183 return akm == DPP_AKM_SAE_DPP || akm == DPP_AKM_PSK_SAE_DPP;
4187 int dpp_configuration_valid(const struct dpp_configuration *conf)
4189 if (conf->ssid_len == 0)
4191 if (dpp_akm_psk(conf->akm) && !conf->passphrase && !conf->psk_set)
4193 if (dpp_akm_sae(conf->akm) && !conf->passphrase)
4199 void dpp_configuration_free(struct dpp_configuration *conf)
4203 str_clear_free(conf->passphrase);
4204 os_free(conf->group_id);
4205 bin_clear_free(conf, sizeof(*conf));
4209 static int dpp_configuration_parse(struct dpp_authentication *auth,
4212 const char *pos, *end;
4213 struct dpp_configuration *conf_sta = NULL, *conf_ap = NULL;
4214 struct dpp_configuration *conf = NULL;
4216 pos = os_strstr(cmd, " conf=sta-");
4218 conf_sta = dpp_configuration_alloc(pos + 10);
4224 pos = os_strstr(cmd, " conf=ap-");
4226 conf_ap = dpp_configuration_alloc(pos + 9);
4235 pos = os_strstr(cmd, " ssid=");
4238 end = os_strchr(pos, ' ');
4239 conf->ssid_len = end ? (size_t) (end - pos) : os_strlen(pos);
4240 conf->ssid_len /= 2;
4241 if (conf->ssid_len > sizeof(conf->ssid) ||
4242 hexstr2bin(pos, conf->ssid, conf->ssid_len) < 0)
4245 #ifdef CONFIG_TESTING_OPTIONS
4246 /* use a default SSID for legacy testing reasons */
4247 os_memcpy(conf->ssid, "test", 4);
4249 #else /* CONFIG_TESTING_OPTIONS */
4251 #endif /* CONFIG_TESTING_OPTIONS */
4254 pos = os_strstr(cmd, " pass=");
4259 end = os_strchr(pos, ' ');
4260 pass_len = end ? (size_t) (end - pos) : os_strlen(pos);
4262 if (pass_len > 63 || pass_len < 8)
4264 conf->passphrase = os_zalloc(pass_len + 1);
4265 if (!conf->passphrase ||
4266 hexstr2bin(pos, (u8 *) conf->passphrase, pass_len) < 0)
4270 pos = os_strstr(cmd, " psk=");
4273 if (hexstr2bin(pos, conf->psk, PMK_LEN) < 0)
4278 pos = os_strstr(cmd, " group_id=");
4280 size_t group_id_len;
4283 end = os_strchr(pos, ' ');
4284 group_id_len = end ? (size_t) (end - pos) : os_strlen(pos);
4285 conf->group_id = os_malloc(group_id_len + 1);
4286 if (!conf->group_id)
4288 os_memcpy(conf->group_id, pos, group_id_len);
4289 conf->group_id[group_id_len] = '\0';
4292 pos = os_strstr(cmd, " expiry=");
4297 val = strtol(pos, NULL, 0);
4300 conf->netaccesskey_expiry = val;
4303 if (!dpp_configuration_valid(conf))
4306 auth->conf_sta = conf_sta;
4307 auth->conf_ap = conf_ap;
4311 dpp_configuration_free(conf_sta);
4312 dpp_configuration_free(conf_ap);
4317 static struct dpp_configurator *
4318 dpp_configurator_get_id(struct dpp_global *dpp, unsigned int id)
4320 struct dpp_configurator *conf;
4325 dl_list_for_each(conf, &dpp->configurator,
4326 struct dpp_configurator, list) {
4334 int dpp_set_configurator(struct dpp_global *dpp, void *msg_ctx,
4335 struct dpp_authentication *auth,
4343 wpa_printf(MSG_DEBUG, "DPP: Set configurator parameters: %s", cmd);
4345 pos = os_strstr(cmd, " configurator=");
4348 auth->conf = dpp_configurator_get_id(dpp, atoi(pos));
4350 wpa_printf(MSG_INFO,
4351 "DPP: Could not find the specified configurator");
4356 if (dpp_configuration_parse(auth, cmd) < 0) {
4357 wpa_msg(msg_ctx, MSG_INFO,
4358 "DPP: Failed to set configurator parameters");
4365 void dpp_auth_deinit(struct dpp_authentication *auth)
4369 dpp_configuration_free(auth->conf_ap);
4370 dpp_configuration_free(auth->conf_sta);
4371 EVP_PKEY_free(auth->own_protocol_key);
4372 EVP_PKEY_free(auth->peer_protocol_key);
4373 wpabuf_free(auth->req_msg);
4374 wpabuf_free(auth->resp_msg);
4375 wpabuf_free(auth->conf_req);
4376 os_free(auth->connector);
4377 wpabuf_free(auth->net_access_key);
4378 wpabuf_free(auth->c_sign_key);
4379 dpp_bootstrap_info_free(auth->tmp_own_bi);
4380 #ifdef CONFIG_TESTING_OPTIONS
4381 os_free(auth->config_obj_override);
4382 os_free(auth->discovery_override);
4383 os_free(auth->groups_override);
4384 #endif /* CONFIG_TESTING_OPTIONS */
4385 bin_clear_free(auth, sizeof(*auth));
4389 static struct wpabuf *
4390 dpp_build_conf_start(struct dpp_authentication *auth,
4391 struct dpp_configuration *conf, size_t tailroom)
4394 char ssid[6 * sizeof(conf->ssid) + 1];
4396 #ifdef CONFIG_TESTING_OPTIONS
4397 if (auth->discovery_override)
4398 tailroom += os_strlen(auth->discovery_override);
4399 #endif /* CONFIG_TESTING_OPTIONS */
4401 buf = wpabuf_alloc(200 + tailroom);
4404 wpabuf_put_str(buf, "{\"wi-fi_tech\":\"infra\",\"discovery\":");
4405 #ifdef CONFIG_TESTING_OPTIONS
4406 if (auth->discovery_override) {
4407 wpa_printf(MSG_DEBUG, "DPP: TESTING - discovery override: '%s'",
4408 auth->discovery_override);
4409 wpabuf_put_str(buf, auth->discovery_override);
4410 wpabuf_put_u8(buf, ',');
4413 #endif /* CONFIG_TESTING_OPTIONS */
4414 wpabuf_put_str(buf, "{\"ssid\":\"");
4415 json_escape_string(ssid, sizeof(ssid),
4416 (const char *) conf->ssid, conf->ssid_len);
4417 wpabuf_put_str(buf, ssid);
4418 wpabuf_put_str(buf, "\"},");
4424 static int dpp_build_jwk(struct wpabuf *buf, const char *name, EVP_PKEY *key,
4425 const char *kid, const struct dpp_curve_params *curve)
4429 char *x = NULL, *y = NULL;
4432 pub = dpp_get_pubkey_point(key, 0);
4435 pos = wpabuf_head(pub);
4436 x = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
4437 pos += curve->prime_len;
4438 y = (char *) base64_url_encode(pos, curve->prime_len, NULL, 0);
4442 wpabuf_put_str(buf, "\"");
4443 wpabuf_put_str(buf, name);
4444 wpabuf_put_str(buf, "\":{\"kty\":\"EC\",\"crv\":\"");
4445 wpabuf_put_str(buf, curve->jwk_crv);
4446 wpabuf_put_str(buf, "\",\"x\":\"");
4447 wpabuf_put_str(buf, x);
4448 wpabuf_put_str(buf, "\",\"y\":\"");
4449 wpabuf_put_str(buf, y);
4451 wpabuf_put_str(buf, "\",\"kid\":\"");
4452 wpabuf_put_str(buf, kid);
4454 wpabuf_put_str(buf, "\"}");
4464 static void dpp_build_legacy_cred_params(struct wpabuf *buf,
4465 struct dpp_configuration *conf)
4467 if (conf->passphrase && os_strlen(conf->passphrase) < 64) {
4468 char pass[63 * 6 + 1];
4470 json_escape_string(pass, sizeof(pass), conf->passphrase,
4471 os_strlen(conf->passphrase));
4472 wpabuf_put_str(buf, "\"pass\":\"");
4473 wpabuf_put_str(buf, pass);
4474 wpabuf_put_str(buf, "\"");
4475 os_memset(pass, 0, sizeof(pass));
4476 } else if (conf->psk_set) {
4477 char psk[2 * sizeof(conf->psk) + 1];
4479 wpa_snprintf_hex(psk, sizeof(psk),
4480 conf->psk, sizeof(conf->psk));
4481 wpabuf_put_str(buf, "\"psk_hex\":\"");
4482 wpabuf_put_str(buf, psk);
4483 wpabuf_put_str(buf, "\"");
4484 os_memset(psk, 0, sizeof(psk));
4489 static struct wpabuf *
4490 dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
4491 struct dpp_configuration *conf)
4493 struct wpabuf *buf = NULL;
4494 char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL;
4496 const struct dpp_curve_params *curve;
4497 char jws_prot_hdr[100];
4498 size_t signed1_len, signed2_len, signed3_len;
4499 struct wpabuf *dppcon = NULL;
4500 unsigned char *signature = NULL;
4501 const unsigned char *p;
4502 size_t signature_len;
4503 EVP_MD_CTX *md_ctx = NULL;
4504 ECDSA_SIG *sig = NULL;
4506 const EVP_MD *sign_md;
4507 const BIGNUM *r, *s;
4508 size_t extra_len = 1000;
4513 wpa_printf(MSG_INFO,
4514 "DPP: No configurator specified - cannot generate DPP config object");
4517 curve = auth->conf->curve;
4518 if (curve->hash_len == SHA256_MAC_LEN) {
4519 sign_md = EVP_sha256();
4520 } else if (curve->hash_len == SHA384_MAC_LEN) {
4521 sign_md = EVP_sha384();
4522 } else if (curve->hash_len == SHA512_MAC_LEN) {
4523 sign_md = EVP_sha512();
4525 wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
4530 if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
4531 wpa_printf(MSG_DEBUG,
4532 "DPP: Convert DPP+legacy credential to DPP-only for peer that does not support version 2");
4536 #ifdef CONFIG_TESTING_OPTIONS
4537 if (auth->groups_override)
4538 extra_len += os_strlen(auth->groups_override);
4539 #endif /* CONFIG_TESTING_OPTIONS */
4542 extra_len += os_strlen(conf->group_id);
4544 /* Connector (JSON dppCon object) */
4545 dppcon = wpabuf_alloc(extra_len + 2 * auth->curve->prime_len * 4 / 3);
4548 #ifdef CONFIG_TESTING_OPTIONS
4549 if (auth->groups_override) {
4550 wpabuf_put_u8(dppcon, '{');
4551 if (auth->groups_override) {
4552 wpa_printf(MSG_DEBUG,
4553 "DPP: TESTING - groups override: '%s'",
4554 auth->groups_override);
4555 wpabuf_put_str(dppcon, "\"groups\":");
4556 wpabuf_put_str(dppcon, auth->groups_override);
4557 wpabuf_put_u8(dppcon, ',');
4561 #endif /* CONFIG_TESTING_OPTIONS */
4562 wpabuf_printf(dppcon, "{\"groups\":[{\"groupId\":\"%s\",",
4563 conf->group_id ? conf->group_id : "*");
4564 wpabuf_printf(dppcon, "\"netRole\":\"%s\"}],", ap ? "ap" : "sta");
4565 #ifdef CONFIG_TESTING_OPTIONS
4567 #endif /* CONFIG_TESTING_OPTIONS */
4568 if (dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL,
4570 wpa_printf(MSG_DEBUG, "DPP: Failed to build netAccessKey JWK");
4573 if (conf->netaccesskey_expiry) {
4576 if (os_gmtime(conf->netaccesskey_expiry, &tm) < 0) {
4577 wpa_printf(MSG_DEBUG,
4578 "DPP: Failed to generate expiry string");
4581 wpabuf_printf(dppcon,
4582 ",\"expiry\":\"%04u-%02u-%02uT%02u:%02u:%02uZ\"",
4583 tm.year, tm.month, tm.day,
4584 tm.hour, tm.min, tm.sec);
4586 wpabuf_put_u8(dppcon, '}');
4587 wpa_printf(MSG_DEBUG, "DPP: dppCon: %s",
4588 (const char *) wpabuf_head(dppcon));
4590 os_snprintf(jws_prot_hdr, sizeof(jws_prot_hdr),
4591 "{\"typ\":\"dppCon\",\"kid\":\"%s\",\"alg\":\"%s\"}",
4592 auth->conf->kid, curve->jws_alg);
4593 signed1 = (char *) base64_url_encode((unsigned char *) jws_prot_hdr,
4594 os_strlen(jws_prot_hdr),
4596 signed2 = (char *) base64_url_encode(wpabuf_head(dppcon),
4599 if (!signed1 || !signed2)
4602 md_ctx = EVP_MD_CTX_create();
4607 if (EVP_DigestSignInit(md_ctx, NULL, sign_md, NULL,
4608 auth->conf->csign) != 1) {
4609 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignInit failed: %s",
4610 ERR_error_string(ERR_get_error(), NULL));
4613 if (EVP_DigestSignUpdate(md_ctx, signed1, signed1_len) != 1 ||
4614 EVP_DigestSignUpdate(md_ctx, dot, 1) != 1 ||
4615 EVP_DigestSignUpdate(md_ctx, signed2, signed2_len) != 1) {
4616 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignUpdate failed: %s",
4617 ERR_error_string(ERR_get_error(), NULL));
4620 if (EVP_DigestSignFinal(md_ctx, NULL, &signature_len) != 1) {
4621 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
4622 ERR_error_string(ERR_get_error(), NULL));
4625 signature = os_malloc(signature_len);
4628 if (EVP_DigestSignFinal(md_ctx, signature, &signature_len) != 1) {
4629 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestSignFinal failed: %s",
4630 ERR_error_string(ERR_get_error(), NULL));
4633 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (DER)",
4634 signature, signature_len);
4635 /* Convert to raw coordinates r,s */
4637 sig = d2i_ECDSA_SIG(NULL, &p, signature_len);
4640 ECDSA_SIG_get0(sig, &r, &s);
4641 if (dpp_bn2bin_pad(r, signature, curve->prime_len) < 0 ||
4642 dpp_bn2bin_pad(s, signature + curve->prime_len,
4643 curve->prime_len) < 0)
4645 signature_len = 2 * curve->prime_len;
4646 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)",
4647 signature, signature_len);
4648 signed3 = (char *) base64_url_encode(signature, signature_len,
4653 incl_legacy = dpp_akm_psk(akm) || dpp_akm_sae(akm);
4655 tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid);
4656 tailroom += signed1_len + signed2_len + signed3_len;
4659 buf = dpp_build_conf_start(auth, conf, tailroom);
4663 wpabuf_printf(buf, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(akm));
4665 dpp_build_legacy_cred_params(buf, conf);
4666 wpabuf_put_str(buf, ",");
4668 wpabuf_put_str(buf, "\"signedConnector\":\"");
4669 wpabuf_put_str(buf, signed1);
4670 wpabuf_put_u8(buf, '.');
4671 wpabuf_put_str(buf, signed2);
4672 wpabuf_put_u8(buf, '.');
4673 wpabuf_put_str(buf, signed3);
4674 wpabuf_put_str(buf, "\",");
4675 if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid,
4677 wpa_printf(MSG_DEBUG, "DPP: Failed to build csign JWK");
4681 wpabuf_put_str(buf, "}}");
4683 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object",
4684 wpabuf_head(buf), wpabuf_len(buf));
4687 EVP_MD_CTX_destroy(md_ctx);
4688 ECDSA_SIG_free(sig);
4693 wpabuf_free(dppcon);
4696 wpa_printf(MSG_DEBUG, "DPP: Failed to build configuration object");
4703 static struct wpabuf *
4704 dpp_build_conf_obj_legacy(struct dpp_authentication *auth, int ap,
4705 struct dpp_configuration *conf)
4709 buf = dpp_build_conf_start(auth, conf, 1000);
4713 wpabuf_printf(buf, "\"cred\":{\"akm\":\"%s\",", dpp_akm_str(conf->akm));
4714 dpp_build_legacy_cred_params(buf, conf);
4715 wpabuf_put_str(buf, "}}");
4717 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Configuration Object (legacy)",
4718 wpabuf_head(buf), wpabuf_len(buf));
4724 static struct wpabuf *
4725 dpp_build_conf_obj(struct dpp_authentication *auth, int ap)
4727 struct dpp_configuration *conf;
4729 #ifdef CONFIG_TESTING_OPTIONS
4730 if (auth->config_obj_override) {
4731 wpa_printf(MSG_DEBUG, "DPP: Testing - Config Object override");
4732 return wpabuf_alloc_copy(auth->config_obj_override,
4733 os_strlen(auth->config_obj_override));
4735 #endif /* CONFIG_TESTING_OPTIONS */
4737 conf = ap ? auth->conf_ap : auth->conf_sta;
4739 wpa_printf(MSG_DEBUG,
4740 "DPP: No configuration available for Enrollee(%s) - reject configuration request",
4745 if (dpp_akm_dpp(conf->akm))
4746 return dpp_build_conf_obj_dpp(auth, ap, conf);
4747 return dpp_build_conf_obj_legacy(auth, ap, conf);
4751 static struct wpabuf *
4752 dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce,
4753 u16 e_nonce_len, int ap)
4755 struct wpabuf *conf;
4756 size_t clear_len, attr_len;
4757 struct wpabuf *clear = NULL, *msg = NULL;
4761 enum dpp_status_error status;
4763 conf = dpp_build_conf_obj(auth, ap);
4765 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
4766 wpabuf_head(conf), wpabuf_len(conf));
4768 status = conf ? DPP_STATUS_OK : DPP_STATUS_CONFIGURE_FAILURE;
4769 auth->conf_resp_status = status;
4771 /* { E-nonce, configurationObject}ke */
4772 clear_len = 4 + e_nonce_len;
4774 clear_len += 4 + wpabuf_len(conf);
4775 clear = wpabuf_alloc(clear_len);
4776 attr_len = 4 + 1 + 4 + clear_len + AES_BLOCK_SIZE;
4777 #ifdef CONFIG_TESTING_OPTIONS
4778 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP)
4780 #endif /* CONFIG_TESTING_OPTIONS */
4781 msg = wpabuf_alloc(attr_len);
4785 #ifdef CONFIG_TESTING_OPTIONS
4786 if (dpp_test == DPP_TEST_NO_E_NONCE_CONF_RESP) {
4787 wpa_printf(MSG_INFO, "DPP: TESTING - no E-nonce");
4790 if (dpp_test == DPP_TEST_E_NONCE_MISMATCH_CONF_RESP) {
4791 wpa_printf(MSG_INFO, "DPP: TESTING - E-nonce mismatch");
4792 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
4793 wpabuf_put_le16(clear, e_nonce_len);
4794 wpabuf_put_data(clear, e_nonce, e_nonce_len - 1);
4795 wpabuf_put_u8(clear, e_nonce[e_nonce_len - 1] ^ 0x01);
4798 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_CONF_RESP) {
4799 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
4800 goto skip_wrapped_data;
4802 #endif /* CONFIG_TESTING_OPTIONS */
4805 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
4806 wpabuf_put_le16(clear, e_nonce_len);
4807 wpabuf_put_data(clear, e_nonce, e_nonce_len);
4809 #ifdef CONFIG_TESTING_OPTIONS
4811 if (dpp_test == DPP_TEST_NO_CONFIG_OBJ_CONF_RESP) {
4812 wpa_printf(MSG_INFO, "DPP: TESTING - Config Object");
4813 goto skip_config_obj;
4815 #endif /* CONFIG_TESTING_OPTIONS */
4818 wpabuf_put_le16(clear, DPP_ATTR_CONFIG_OBJ);
4819 wpabuf_put_le16(clear, wpabuf_len(conf));
4820 wpabuf_put_buf(clear, conf);
4823 #ifdef CONFIG_TESTING_OPTIONS
4825 if (dpp_test == DPP_TEST_NO_STATUS_CONF_RESP) {
4826 wpa_printf(MSG_INFO, "DPP: TESTING - Status");
4829 if (dpp_test == DPP_TEST_INVALID_STATUS_CONF_RESP) {
4830 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
4833 #endif /* CONFIG_TESTING_OPTIONS */
4836 dpp_build_attr_status(msg, status);
4838 #ifdef CONFIG_TESTING_OPTIONS
4840 #endif /* CONFIG_TESTING_OPTIONS */
4842 addr[0] = wpabuf_head(msg);
4843 len[0] = wpabuf_len(msg);
4844 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);
4846 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
4847 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
4848 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
4850 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
4851 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
4852 wpabuf_head(clear), wpabuf_len(clear),
4853 1, addr, len, wrapped) < 0)
4855 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
4856 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
4858 #ifdef CONFIG_TESTING_OPTIONS
4859 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_CONF_RESP) {
4860 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
4861 dpp_build_attr_status(msg, DPP_STATUS_OK);
4864 #endif /* CONFIG_TESTING_OPTIONS */
4866 wpa_hexdump_buf(MSG_DEBUG,
4867 "DPP: Configuration Response attributes", msg);
4881 dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
4884 const u8 *wrapped_data, *e_nonce, *config_attr;
4885 u16 wrapped_data_len, e_nonce_len, config_attr_len;
4886 u8 *unwrapped = NULL;
4887 size_t unwrapped_len = 0;
4888 struct wpabuf *resp = NULL;
4889 struct json_token *root = NULL, *token;
4892 #ifdef CONFIG_TESTING_OPTIONS
4893 if (dpp_test == DPP_TEST_STOP_AT_CONF_REQ) {
4894 wpa_printf(MSG_INFO,
4895 "DPP: TESTING - stop at Config Request");
4898 #endif /* CONFIG_TESTING_OPTIONS */
4900 if (dpp_check_attrs(attr_start, attr_len) < 0) {
4901 dpp_auth_fail(auth, "Invalid attribute in config request");
4905 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
4907 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
4909 "Missing or invalid required Wrapped Data attribute");
4913 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
4914 wrapped_data, wrapped_data_len);
4915 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
4916 unwrapped = os_malloc(unwrapped_len);
4919 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
4920 wrapped_data, wrapped_data_len,
4921 0, NULL, NULL, unwrapped) < 0) {
4922 dpp_auth_fail(auth, "AES-SIV decryption failed");
4925 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
4926 unwrapped, unwrapped_len);
4928 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
4929 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
4933 e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
4934 DPP_ATTR_ENROLLEE_NONCE,
4936 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
4938 "Missing or invalid Enrollee Nonce attribute");
4941 wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
4942 os_memcpy(auth->e_nonce, e_nonce, e_nonce_len);
4944 config_attr = dpp_get_attr(unwrapped, unwrapped_len,
4945 DPP_ATTR_CONFIG_ATTR_OBJ,
4949 "Missing or invalid Config Attributes attribute");
4952 wpa_hexdump_ascii(MSG_DEBUG, "DPP: Config Attributes",
4953 config_attr, config_attr_len);
4955 root = json_parse((const char *) config_attr, config_attr_len);
4957 dpp_auth_fail(auth, "Could not parse Config Attributes");
4961 token = json_get_member(root, "name");
4962 if (!token || token->type != JSON_STRING) {
4963 dpp_auth_fail(auth, "No Config Attributes - name");
4966 wpa_printf(MSG_DEBUG, "DPP: Enrollee name = '%s'", token->string);
4968 token = json_get_member(root, "wi-fi_tech");
4969 if (!token || token->type != JSON_STRING) {
4970 dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech");
4973 wpa_printf(MSG_DEBUG, "DPP: wi-fi_tech = '%s'", token->string);
4974 if (os_strcmp(token->string, "infra") != 0) {
4975 wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech '%s'",
4977 dpp_auth_fail(auth, "Unsupported wi-fi_tech");
4981 token = json_get_member(root, "netRole");
4982 if (!token || token->type != JSON_STRING) {
4983 dpp_auth_fail(auth, "No Config Attributes - netRole");
4986 wpa_printf(MSG_DEBUG, "DPP: netRole = '%s'", token->string);
4987 if (os_strcmp(token->string, "sta") == 0) {
4989 } else if (os_strcmp(token->string, "ap") == 0) {
4992 wpa_printf(MSG_DEBUG, "DPP: Unsupported netRole '%s'",
4994 dpp_auth_fail(auth, "Unsupported netRole");
4998 resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, ap);
5007 static struct wpabuf *
5008 dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve,
5009 const u8 *prot_hdr, u16 prot_hdr_len,
5010 const EVP_MD **ret_md)
5012 struct json_token *root, *token;
5013 struct wpabuf *kid = NULL;
5015 root = json_parse((const char *) prot_hdr, prot_hdr_len);
5017 wpa_printf(MSG_DEBUG,
5018 "DPP: JSON parsing failed for JWS Protected Header");
5022 if (root->type != JSON_OBJECT) {
5023 wpa_printf(MSG_DEBUG,
5024 "DPP: JWS Protected Header root is not an object");
5028 token = json_get_member(root, "typ");
5029 if (!token || token->type != JSON_STRING) {
5030 wpa_printf(MSG_DEBUG, "DPP: No typ string value found");
5033 wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s",
5035 if (os_strcmp(token->string, "dppCon") != 0) {
5036 wpa_printf(MSG_DEBUG,
5037 "DPP: Unsupported JWS Protected Header typ=%s",
5042 token = json_get_member(root, "alg");
5043 if (!token || token->type != JSON_STRING) {
5044 wpa_printf(MSG_DEBUG, "DPP: No alg string value found");
5047 wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s",
5049 if (os_strcmp(token->string, curve->jws_alg) != 0) {
5050 wpa_printf(MSG_DEBUG,
5051 "DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)",
5052 token->string, curve->jws_alg);
5055 if (os_strcmp(token->string, "ES256") == 0 ||
5056 os_strcmp(token->string, "BS256") == 0)
5057 *ret_md = EVP_sha256();
5058 else if (os_strcmp(token->string, "ES384") == 0 ||
5059 os_strcmp(token->string, "BS384") == 0)
5060 *ret_md = EVP_sha384();
5061 else if (os_strcmp(token->string, "ES512") == 0 ||
5062 os_strcmp(token->string, "BS512") == 0)
5063 *ret_md = EVP_sha512();
5067 wpa_printf(MSG_DEBUG,
5068 "DPP: Unsupported JWS Protected Header alg=%s",
5073 kid = json_get_member_base64url(root, "kid");
5075 wpa_printf(MSG_DEBUG, "DPP: No kid string value found");
5078 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)",
5087 static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
5088 struct json_token *cred)
5090 struct json_token *pass, *psk_hex;
5092 wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential");
5094 pass = json_get_member(cred, "pass");
5095 psk_hex = json_get_member(cred, "psk_hex");
5097 if (pass && pass->type == JSON_STRING) {
5098 size_t len = os_strlen(pass->string);
5100 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: Legacy passphrase",
5102 if (len < 8 || len > 63)
5104 os_strlcpy(auth->passphrase, pass->string,
5105 sizeof(auth->passphrase));
5106 } else if (psk_hex && psk_hex->type == JSON_STRING) {
5107 if (dpp_akm_sae(auth->akm) && !dpp_akm_psk(auth->akm)) {
5108 wpa_printf(MSG_DEBUG,
5109 "DPP: Unexpected psk_hex with akm=sae");
5112 if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
5113 hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
5114 wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
5117 wpa_hexdump_key(MSG_DEBUG, "DPP: Legacy PSK",
5118 auth->psk, PMK_LEN);
5121 wpa_printf(MSG_DEBUG, "DPP: No pass or psk_hex strings found");
5125 if (dpp_akm_sae(auth->akm) && !auth->passphrase[0]) {
5126 wpa_printf(MSG_DEBUG, "DPP: No pass for sae found");
5134 static EVP_PKEY * dpp_parse_jwk(struct json_token *jwk,
5135 const struct dpp_curve_params **key_curve)
5137 struct json_token *token;
5138 const struct dpp_curve_params *curve;
5139 struct wpabuf *x = NULL, *y = NULL;
5141 EVP_PKEY *pkey = NULL;
5143 token = json_get_member(jwk, "kty");
5144 if (!token || token->type != JSON_STRING) {
5145 wpa_printf(MSG_DEBUG, "DPP: No kty in JWK");
5148 if (os_strcmp(token->string, "EC") != 0) {
5149 wpa_printf(MSG_DEBUG, "DPP: Unexpected JWK kty '%s'",
5154 token = json_get_member(jwk, "crv");
5155 if (!token || token->type != JSON_STRING) {
5156 wpa_printf(MSG_DEBUG, "DPP: No crv in JWK");
5159 curve = dpp_get_curve_jwk_crv(token->string);
5161 wpa_printf(MSG_DEBUG, "DPP: Unsupported JWK crv '%s'",
5166 x = json_get_member_base64url(jwk, "x");
5168 wpa_printf(MSG_DEBUG, "DPP: No x in JWK");
5171 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK x", x);
5172 if (wpabuf_len(x) != curve->prime_len) {
5173 wpa_printf(MSG_DEBUG,
5174 "DPP: Unexpected JWK x length %u (expected %u for curve %s)",
5175 (unsigned int) wpabuf_len(x),
5176 (unsigned int) curve->prime_len, curve->name);
5180 y = json_get_member_base64url(jwk, "y");
5182 wpa_printf(MSG_DEBUG, "DPP: No y in JWK");
5185 wpa_hexdump_buf(MSG_DEBUG, "DPP: JWK y", y);
5186 if (wpabuf_len(y) != curve->prime_len) {
5187 wpa_printf(MSG_DEBUG,
5188 "DPP: Unexpected JWK y length %u (expected %u for curve %s)",
5189 (unsigned int) wpabuf_len(y),
5190 (unsigned int) curve->prime_len, curve->name);
5194 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
5196 wpa_printf(MSG_DEBUG, "DPP: Could not prepare group for JWK");
5200 pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y),
5212 int dpp_key_expired(const char *timestamp, os_time_t *expiry)
5215 unsigned int year, month, day, hour, min, sec;
5219 /* ISO 8601 date and time:
5221 * YYYY-MM-DDTHH:MM:SSZ
5222 * YYYY-MM-DDTHH:MM:SS+03:00
5224 if (os_strlen(timestamp) < 19) {
5225 wpa_printf(MSG_DEBUG,
5226 "DPP: Too short timestamp - assume expired key");
5229 if (sscanf(timestamp, "%04u-%02u-%02uT%02u:%02u:%02u",
5230 &year, &month, &day, &hour, &min, &sec) != 6) {
5231 wpa_printf(MSG_DEBUG,
5232 "DPP: Failed to parse expiration day - assume expired key");
5236 if (os_mktime(year, month, day, hour, min, sec, &utime) < 0) {
5237 wpa_printf(MSG_DEBUG,
5238 "DPP: Invalid date/time information - assume expired key");
5242 pos = timestamp + 19;
5243 if (*pos == 'Z' || *pos == '\0') {
5244 /* In UTC - no need to adjust */
5245 } else if (*pos == '-' || *pos == '+') {
5248 /* Adjust local time to UTC */
5249 items = sscanf(pos + 1, "%02u:%02u", &hour, &min);
5251 wpa_printf(MSG_DEBUG,
5252 "DPP: Invalid time zone designator (%s) - assume expired key",
5257 utime += 3600 * hour;
5259 utime -= 3600 * hour;
5267 wpa_printf(MSG_DEBUG,
5268 "DPP: Invalid time zone designator (%s) - assume expired key",
5275 if (os_get_time(&now) < 0) {
5276 wpa_printf(MSG_DEBUG,
5277 "DPP: Cannot get current time - assume expired key");
5281 if (now.sec > utime) {
5282 wpa_printf(MSG_DEBUG, "DPP: Key has expired (%lu < %lu)",
5291 static int dpp_parse_connector(struct dpp_authentication *auth,
5292 const unsigned char *payload,
5295 struct json_token *root, *groups, *netkey, *token;
5297 EVP_PKEY *key = NULL;
5298 const struct dpp_curve_params *curve;
5299 unsigned int rules = 0;
5301 root = json_parse((const char *) payload, payload_len);
5303 wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
5307 groups = json_get_member(root, "groups");
5308 if (!groups || groups->type != JSON_ARRAY) {
5309 wpa_printf(MSG_DEBUG, "DPP: No groups array found");
5312 for (token = groups->child; token; token = token->sibling) {
5313 struct json_token *id, *role;
5315 id = json_get_member(token, "groupId");
5316 if (!id || id->type != JSON_STRING) {
5317 wpa_printf(MSG_DEBUG, "DPP: Missing groupId string");
5321 role = json_get_member(token, "netRole");
5322 if (!role || role->type != JSON_STRING) {
5323 wpa_printf(MSG_DEBUG, "DPP: Missing netRole string");
5326 wpa_printf(MSG_DEBUG,
5327 "DPP: connector group: groupId='%s' netRole='%s'",
5328 id->string, role->string);
5334 wpa_printf(MSG_DEBUG,
5335 "DPP: Connector includes no groups");
5339 token = json_get_member(root, "expiry");
5340 if (!token || token->type != JSON_STRING) {
5341 wpa_printf(MSG_DEBUG,
5342 "DPP: No expiry string found - connector does not expire");
5344 wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
5345 if (dpp_key_expired(token->string,
5346 &auth->net_access_key_expiry)) {
5347 wpa_printf(MSG_DEBUG,
5348 "DPP: Connector (netAccessKey) has expired");
5353 netkey = json_get_member(root, "netAccessKey");
5354 if (!netkey || netkey->type != JSON_OBJECT) {
5355 wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
5359 key = dpp_parse_jwk(netkey, &curve);
5362 dpp_debug_print_key("DPP: Received netAccessKey", key);
5364 if (EVP_PKEY_cmp(key, auth->own_protocol_key) != 1) {
5365 wpa_printf(MSG_DEBUG,
5366 "DPP: netAccessKey in connector does not match own protocol key");
5367 #ifdef CONFIG_TESTING_OPTIONS
5368 if (auth->ignore_netaccesskey_mismatch) {
5369 wpa_printf(MSG_DEBUG,
5370 "DPP: TESTING - skip netAccessKey mismatch");
5374 #else /* CONFIG_TESTING_OPTIONS */
5376 #endif /* CONFIG_TESTING_OPTIONS */
5387 static int dpp_check_pubkey_match(EVP_PKEY *pub, struct wpabuf *r_hash)
5389 struct wpabuf *uncomp;
5391 u8 hash[SHA256_MAC_LEN];
5395 if (wpabuf_len(r_hash) != SHA256_MAC_LEN)
5397 uncomp = dpp_get_pubkey_point(pub, 1);
5400 addr[0] = wpabuf_head(uncomp);
5401 len[0] = wpabuf_len(uncomp);
5402 wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key",
5404 res = sha256_vector(1, addr, len, hash);
5405 wpabuf_free(uncomp);
5408 if (os_memcmp(hash, wpabuf_head(r_hash), SHA256_MAC_LEN) != 0) {
5409 wpa_printf(MSG_DEBUG,
5410 "DPP: Received hash value does not match calculated public key hash value");
5411 wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash",
5412 hash, SHA256_MAC_LEN);
5419 static void dpp_copy_csign(struct dpp_authentication *auth, EVP_PKEY *csign)
5421 unsigned char *der = NULL;
5424 der_len = i2d_PUBKEY(csign, &der);
5427 wpabuf_free(auth->c_sign_key);
5428 auth->c_sign_key = wpabuf_alloc_copy(der, der_len);
5433 static void dpp_copy_netaccesskey(struct dpp_authentication *auth)
5435 unsigned char *der = NULL;
5439 eckey = EVP_PKEY_get1_EC_KEY(auth->own_protocol_key);
5443 der_len = i2d_ECPrivateKey(eckey, &der);
5448 wpabuf_free(auth->net_access_key);
5449 auth->net_access_key = wpabuf_alloc_copy(der, der_len);
5455 struct dpp_signed_connector_info {
5456 unsigned char *payload;
5460 static enum dpp_status_error
5461 dpp_process_signed_connector(struct dpp_signed_connector_info *info,
5462 EVP_PKEY *csign_pub, const char *connector)
5464 enum dpp_status_error ret = 255;
5465 const char *pos, *end, *signed_start, *signed_end;
5466 struct wpabuf *kid = NULL;
5467 unsigned char *prot_hdr = NULL, *signature = NULL;
5468 size_t prot_hdr_len = 0, signature_len = 0;
5469 const EVP_MD *sign_md = NULL;
5470 unsigned char *der = NULL;
5473 EVP_MD_CTX *md_ctx = NULL;
5474 ECDSA_SIG *sig = NULL;
5475 BIGNUM *r = NULL, *s = NULL;
5476 const struct dpp_curve_params *curve;
5478 const EC_GROUP *group;
5481 eckey = EVP_PKEY_get1_EC_KEY(csign_pub);
5484 group = EC_KEY_get0_group(eckey);
5487 nid = EC_GROUP_get_curve_name(group);
5488 curve = dpp_get_curve_nid(nid);
5491 wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv);
5492 os_memset(info, 0, sizeof(*info));
5494 signed_start = pos = connector;
5495 end = os_strchr(pos, '.');
5497 wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector");
5498 ret = DPP_STATUS_INVALID_CONNECTOR;
5501 prot_hdr = base64_url_decode((const unsigned char *) pos,
5502 end - pos, &prot_hdr_len);
5504 wpa_printf(MSG_DEBUG,
5505 "DPP: Failed to base64url decode signedConnector JWS Protected Header");
5506 ret = DPP_STATUS_INVALID_CONNECTOR;
5509 wpa_hexdump_ascii(MSG_DEBUG,
5510 "DPP: signedConnector - JWS Protected Header",
5511 prot_hdr, prot_hdr_len);
5512 kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &sign_md);
5514 ret = DPP_STATUS_INVALID_CONNECTOR;
5517 if (wpabuf_len(kid) != SHA256_MAC_LEN) {
5518 wpa_printf(MSG_DEBUG,
5519 "DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)",
5520 (unsigned int) wpabuf_len(kid), SHA256_MAC_LEN);
5521 ret = DPP_STATUS_INVALID_CONNECTOR;
5526 end = os_strchr(pos, '.');
5528 wpa_printf(MSG_DEBUG,
5529 "DPP: Missing dot(2) in signedConnector");
5530 ret = DPP_STATUS_INVALID_CONNECTOR;
5533 signed_end = end - 1;
5534 info->payload = base64_url_decode((const unsigned char *) pos,
5535 end - pos, &info->payload_len);
5536 if (!info->payload) {
5537 wpa_printf(MSG_DEBUG,
5538 "DPP: Failed to base64url decode signedConnector JWS Payload");
5539 ret = DPP_STATUS_INVALID_CONNECTOR;
5542 wpa_hexdump_ascii(MSG_DEBUG,
5543 "DPP: signedConnector - JWS Payload",
5544 info->payload, info->payload_len);
5546 signature = base64_url_decode((const unsigned char *) pos,
5547 os_strlen(pos), &signature_len);
5549 wpa_printf(MSG_DEBUG,
5550 "DPP: Failed to base64url decode signedConnector signature");
5551 ret = DPP_STATUS_INVALID_CONNECTOR;
5554 wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature",
5555 signature, signature_len);
5557 if (dpp_check_pubkey_match(csign_pub, kid) < 0) {
5558 ret = DPP_STATUS_NO_MATCH;
5562 if (signature_len & 0x01) {
5563 wpa_printf(MSG_DEBUG,
5564 "DPP: Unexpected signedConnector signature length (%d)",
5565 (int) signature_len);
5566 ret = DPP_STATUS_INVALID_CONNECTOR;
5570 /* JWS Signature encodes the signature (r,s) as two octet strings. Need
5571 * to convert that to DER encoded ECDSA_SIG for OpenSSL EVP routines. */
5572 r = BN_bin2bn(signature, signature_len / 2, NULL);
5573 s = BN_bin2bn(signature + signature_len / 2, signature_len / 2, NULL);
5574 sig = ECDSA_SIG_new();
5575 if (!r || !s || !sig || ECDSA_SIG_set0(sig, r, s) != 1)
5580 der_len = i2d_ECDSA_SIG(sig, &der);
5582 wpa_printf(MSG_DEBUG, "DPP: Could not DER encode signature");
5585 wpa_hexdump(MSG_DEBUG, "DPP: DER encoded signature", der, der_len);
5586 md_ctx = EVP_MD_CTX_create();
5591 if (EVP_DigestVerifyInit(md_ctx, NULL, sign_md, NULL, csign_pub) != 1) {
5592 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyInit failed: %s",
5593 ERR_error_string(ERR_get_error(), NULL));
5596 if (EVP_DigestVerifyUpdate(md_ctx, signed_start,
5597 signed_end - signed_start + 1) != 1) {
5598 wpa_printf(MSG_DEBUG, "DPP: EVP_DigestVerifyUpdate failed: %s",
5599 ERR_error_string(ERR_get_error(), NULL));
5602 res = EVP_DigestVerifyFinal(md_ctx, der, der_len);
5604 wpa_printf(MSG_DEBUG,
5605 "DPP: EVP_DigestVerifyFinal failed (res=%d): %s",
5606 res, ERR_error_string(ERR_get_error(), NULL));
5607 ret = DPP_STATUS_INVALID_CONNECTOR;
5611 ret = DPP_STATUS_OK;
5614 EVP_MD_CTX_destroy(md_ctx);
5618 ECDSA_SIG_free(sig);
5626 static int dpp_parse_cred_dpp(struct dpp_authentication *auth,
5627 struct json_token *cred)
5629 struct dpp_signed_connector_info info;
5630 struct json_token *token, *csign;
5632 EVP_PKEY *csign_pub = NULL;
5633 const struct dpp_curve_params *key_curve = NULL;
5634 const char *signed_connector;
5636 os_memset(&info, 0, sizeof(info));
5638 if (dpp_akm_psk(auth->akm) || dpp_akm_sae(auth->akm)) {
5639 wpa_printf(MSG_DEBUG,
5640 "DPP: Legacy credential included in Connector credential");
5641 if (dpp_parse_cred_legacy(auth, cred) < 0)
5645 wpa_printf(MSG_DEBUG, "DPP: Connector credential");
5647 csign = json_get_member(cred, "csign");
5648 if (!csign || csign->type != JSON_OBJECT) {
5649 wpa_printf(MSG_DEBUG, "DPP: No csign JWK in JSON");
5653 csign_pub = dpp_parse_jwk(csign, &key_curve);
5655 wpa_printf(MSG_DEBUG, "DPP: Failed to parse csign JWK");
5658 dpp_debug_print_key("DPP: Received C-sign-key", csign_pub);
5660 token = json_get_member(cred, "signedConnector");
5661 if (!token || token->type != JSON_STRING) {
5662 wpa_printf(MSG_DEBUG, "DPP: No signedConnector string found");
5665 wpa_hexdump_ascii(MSG_DEBUG, "DPP: signedConnector",
5666 token->string, os_strlen(token->string));
5667 signed_connector = token->string;
5669 if (os_strchr(signed_connector, '"') ||
5670 os_strchr(signed_connector, '\n')) {
5671 wpa_printf(MSG_DEBUG,
5672 "DPP: Unexpected character in signedConnector");
5676 if (dpp_process_signed_connector(&info, csign_pub,
5677 signed_connector) != DPP_STATUS_OK)
5680 if (dpp_parse_connector(auth, info.payload, info.payload_len) < 0) {
5681 wpa_printf(MSG_DEBUG, "DPP: Failed to parse connector");
5685 os_free(auth->connector);
5686 auth->connector = os_strdup(signed_connector);
5688 dpp_copy_csign(auth, csign_pub);
5689 dpp_copy_netaccesskey(auth);
5693 EVP_PKEY_free(csign_pub);
5694 os_free(info.payload);
5699 const char * dpp_akm_str(enum dpp_akm akm)
5708 case DPP_AKM_PSK_SAE:
5710 case DPP_AKM_SAE_DPP:
5712 case DPP_AKM_PSK_SAE_DPP:
5713 return "dpp+psk+sae";
5720 static enum dpp_akm dpp_akm_from_str(const char *akm)
5722 if (os_strcmp(akm, "psk") == 0)
5724 if (os_strcmp(akm, "sae") == 0)
5726 if (os_strcmp(akm, "psk+sae") == 0)
5727 return DPP_AKM_PSK_SAE;
5728 if (os_strcmp(akm, "dpp") == 0)
5730 if (os_strcmp(akm, "dpp+sae") == 0)
5731 return DPP_AKM_SAE_DPP;
5732 if (os_strcmp(akm, "dpp+psk+sae") == 0)
5733 return DPP_AKM_PSK_SAE_DPP;
5734 return DPP_AKM_UNKNOWN;
5738 static int dpp_parse_conf_obj(struct dpp_authentication *auth,
5739 const u8 *conf_obj, u16 conf_obj_len)
5742 struct json_token *root, *token, *discovery, *cred;
5744 root = json_parse((const char *) conf_obj, conf_obj_len);
5747 if (root->type != JSON_OBJECT) {
5748 dpp_auth_fail(auth, "JSON root is not an object");
5752 token = json_get_member(root, "wi-fi_tech");
5753 if (!token || token->type != JSON_STRING) {
5754 dpp_auth_fail(auth, "No wi-fi_tech string value found");
5757 if (os_strcmp(token->string, "infra") != 0) {
5758 wpa_printf(MSG_DEBUG, "DPP: Unsupported wi-fi_tech value: '%s'",
5760 dpp_auth_fail(auth, "Unsupported wi-fi_tech value");
5764 discovery = json_get_member(root, "discovery");
5765 if (!discovery || discovery->type != JSON_OBJECT) {
5766 dpp_auth_fail(auth, "No discovery object in JSON");
5770 token = json_get_member(discovery, "ssid");
5771 if (!token || token->type != JSON_STRING) {
5772 dpp_auth_fail(auth, "No discovery::ssid string value found");
5775 wpa_hexdump_ascii(MSG_DEBUG, "DPP: discovery::ssid",
5776 token->string, os_strlen(token->string));
5777 if (os_strlen(token->string) > SSID_MAX_LEN) {
5778 dpp_auth_fail(auth, "Too long discovery::ssid string value");
5781 auth->ssid_len = os_strlen(token->string);
5782 os_memcpy(auth->ssid, token->string, auth->ssid_len);
5784 cred = json_get_member(root, "cred");
5785 if (!cred || cred->type != JSON_OBJECT) {
5786 dpp_auth_fail(auth, "No cred object in JSON");
5790 token = json_get_member(cred, "akm");
5791 if (!token || token->type != JSON_STRING) {
5792 dpp_auth_fail(auth, "No cred::akm string value found");
5795 auth->akm = dpp_akm_from_str(token->string);
5797 if (dpp_akm_legacy(auth->akm)) {
5798 if (dpp_parse_cred_legacy(auth, cred) < 0)
5800 } else if (dpp_akm_dpp(auth->akm)) {
5801 if (dpp_parse_cred_dpp(auth, cred) < 0)
5804 wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s",
5806 dpp_auth_fail(auth, "Unsupported akm");
5810 wpa_printf(MSG_DEBUG, "DPP: JSON parsing completed successfully");
5818 int dpp_conf_resp_rx(struct dpp_authentication *auth,
5819 const struct wpabuf *resp)
5821 const u8 *wrapped_data, *e_nonce, *status, *conf_obj;
5822 u16 wrapped_data_len, e_nonce_len, status_len, conf_obj_len;
5825 u8 *unwrapped = NULL;
5826 size_t unwrapped_len = 0;
5829 auth->conf_resp_status = 255;
5831 if (dpp_check_attrs(wpabuf_head(resp), wpabuf_len(resp)) < 0) {
5832 dpp_auth_fail(auth, "Invalid attribute in config response");
5836 wrapped_data = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp),
5837 DPP_ATTR_WRAPPED_DATA,
5839 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
5841 "Missing or invalid required Wrapped Data attribute");
5845 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
5846 wrapped_data, wrapped_data_len);
5847 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
5848 unwrapped = os_malloc(unwrapped_len);
5852 addr[0] = wpabuf_head(resp);
5853 len[0] = wrapped_data - 4 - (const u8 *) wpabuf_head(resp);
5854 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD", addr[0], len[0]);
5856 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
5857 wrapped_data, wrapped_data_len,
5858 1, addr, len, unwrapped) < 0) {
5859 dpp_auth_fail(auth, "AES-SIV decryption failed");
5862 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
5863 unwrapped, unwrapped_len);
5865 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
5866 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
5870 e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
5871 DPP_ATTR_ENROLLEE_NONCE,
5873 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
5875 "Missing or invalid Enrollee Nonce attribute");
5878 wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
5879 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
5880 dpp_auth_fail(auth, "Enrollee Nonce mismatch");
5884 status = dpp_get_attr(wpabuf_head(resp), wpabuf_len(resp),
5885 DPP_ATTR_STATUS, &status_len);
5886 if (!status || status_len < 1) {
5888 "Missing or invalid required DPP Status attribute");
5891 auth->conf_resp_status = status[0];
5892 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
5893 if (status[0] != DPP_STATUS_OK) {
5894 dpp_auth_fail(auth, "Configurator rejected configuration");
5898 conf_obj = dpp_get_attr(unwrapped, unwrapped_len,
5899 DPP_ATTR_CONFIG_OBJ, &conf_obj_len);
5902 "Missing required Configuration Object attribute");
5905 wpa_hexdump_ascii(MSG_DEBUG, "DPP: configurationObject JSON",
5906 conf_obj, conf_obj_len);
5907 if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0)
5919 enum dpp_status_error dpp_conf_result_rx(struct dpp_authentication *auth,
5921 const u8 *attr_start, size_t attr_len)
5923 const u8 *wrapped_data, *status, *e_nonce;
5924 u16 wrapped_data_len, status_len, e_nonce_len;
5927 u8 *unwrapped = NULL;
5928 size_t unwrapped_len = 0;
5929 enum dpp_status_error ret = 256;
5931 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
5933 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
5935 "Missing or invalid required Wrapped Data attribute");
5938 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
5939 wrapped_data, wrapped_data_len);
5941 attr_len = wrapped_data - 4 - attr_start;
5944 len[0] = DPP_HDR_LEN;
5945 addr[1] = attr_start;
5947 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
5948 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
5949 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
5950 wrapped_data, wrapped_data_len);
5951 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
5952 unwrapped = os_malloc(unwrapped_len);
5955 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
5956 wrapped_data, wrapped_data_len,
5957 2, addr, len, unwrapped) < 0) {
5958 dpp_auth_fail(auth, "AES-SIV decryption failed");
5961 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
5962 unwrapped, unwrapped_len);
5964 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
5965 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
5969 e_nonce = dpp_get_attr(unwrapped, unwrapped_len,
5970 DPP_ATTR_ENROLLEE_NONCE,
5972 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
5974 "Missing or invalid Enrollee Nonce attribute");
5977 wpa_hexdump(MSG_DEBUG, "DPP: Enrollee Nonce", e_nonce, e_nonce_len);
5978 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
5979 dpp_auth_fail(auth, "Enrollee Nonce mismatch");
5980 wpa_hexdump(MSG_DEBUG, "DPP: Expected Enrollee Nonce",
5981 auth->e_nonce, e_nonce_len);
5985 status = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_STATUS,
5987 if (!status || status_len < 1) {
5989 "Missing or invalid required DPP Status attribute");
5992 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
5996 bin_clear_free(unwrapped, unwrapped_len);
5999 #endif /* CONFIG_DPP2 */
6002 struct wpabuf * dpp_build_conf_result(struct dpp_authentication *auth,
6003 enum dpp_status_error status)
6005 struct wpabuf *msg, *clear;
6006 size_t nonce_len, clear_len, attr_len;
6011 nonce_len = auth->curve->nonce_len;
6012 clear_len = 5 + 4 + nonce_len;
6013 attr_len = 4 + clear_len + AES_BLOCK_SIZE;
6014 clear = wpabuf_alloc(clear_len);
6015 msg = dpp_alloc_msg(DPP_PA_CONFIGURATION_RESULT, attr_len);
6020 dpp_build_attr_status(clear, status);
6023 wpabuf_put_le16(clear, DPP_ATTR_ENROLLEE_NONCE);
6024 wpabuf_put_le16(clear, nonce_len);
6025 wpabuf_put_data(clear, auth->e_nonce, nonce_len);
6027 /* OUI, OUI type, Crypto Suite, DPP frame type */
6028 addr[0] = wpabuf_head_u8(msg) + 2;
6029 len[0] = 3 + 1 + 1 + 1;
6030 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
6032 /* Attributes before Wrapped Data (none) */
6033 addr[1] = wpabuf_put(msg, 0);
6035 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
6038 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
6039 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
6040 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
6042 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
6043 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
6044 wpabuf_head(clear), wpabuf_len(clear),
6045 2, addr, len, wrapped) < 0)
6048 wpa_hexdump_buf(MSG_DEBUG, "DPP: Configuration Result attributes", msg);
6058 void dpp_configurator_free(struct dpp_configurator *conf)
6062 EVP_PKEY_free(conf->csign);
6068 int dpp_configurator_get_key(const struct dpp_configurator *conf, char *buf,
6072 int key_len, ret = -1;
6073 unsigned char *key = NULL;
6078 eckey = EVP_PKEY_get1_EC_KEY(conf->csign);
6082 key_len = i2d_ECPrivateKey(eckey, &key);
6084 ret = wpa_snprintf_hex(buf, buflen, key, key_len);
6092 struct dpp_configurator *
6093 dpp_keygen_configurator(const char *curve, const u8 *privkey,
6096 struct dpp_configurator *conf;
6097 struct wpabuf *csign_pub = NULL;
6098 u8 kid_hash[SHA256_MAC_LEN];
6102 conf = os_zalloc(sizeof(*conf));
6107 conf->curve = &dpp_curves[0];
6109 conf->curve = dpp_get_curve_name(curve);
6111 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
6118 conf->csign = dpp_set_keypair(&conf->curve, privkey,
6121 conf->csign = dpp_gen_keypair(conf->curve);
6126 csign_pub = dpp_get_pubkey_point(conf->csign, 1);
6128 wpa_printf(MSG_INFO, "DPP: Failed to extract C-sign-key");
6132 /* kid = SHA256(ANSI X9.63 uncompressed C-sign-key) */
6133 addr[0] = wpabuf_head(csign_pub);
6134 len[0] = wpabuf_len(csign_pub);
6135 if (sha256_vector(1, addr, len, kid_hash) < 0) {
6136 wpa_printf(MSG_DEBUG,
6137 "DPP: Failed to derive kid for C-sign-key");
6141 conf->kid = (char *) base64_url_encode(kid_hash, sizeof(kid_hash),
6146 wpabuf_free(csign_pub);
6149 dpp_configurator_free(conf);
6155 int dpp_configurator_own_config(struct dpp_authentication *auth,
6156 const char *curve, int ap)
6158 struct wpabuf *conf_obj;
6162 wpa_printf(MSG_DEBUG, "DPP: No configurator specified");
6167 auth->curve = &dpp_curves[0];
6169 auth->curve = dpp_get_curve_name(curve);
6171 wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s",
6176 wpa_printf(MSG_DEBUG,
6177 "DPP: Building own configuration/connector with curve %s",
6180 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
6181 if (!auth->own_protocol_key)
6183 dpp_copy_netaccesskey(auth);
6184 auth->peer_protocol_key = auth->own_protocol_key;
6185 dpp_copy_csign(auth, auth->conf->csign);
6187 conf_obj = dpp_build_conf_obj(auth, ap);
6190 ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj),
6191 wpabuf_len(conf_obj));
6193 wpabuf_free(conf_obj);
6194 auth->peer_protocol_key = NULL;
6199 static int dpp_compatible_netrole(const char *role1, const char *role2)
6201 return (os_strcmp(role1, "sta") == 0 && os_strcmp(role2, "ap") == 0) ||
6202 (os_strcmp(role1, "ap") == 0 && os_strcmp(role2, "sta") == 0);
6206 static int dpp_connector_compatible_group(struct json_token *root,
6207 const char *group_id,
6208 const char *net_role)
6210 struct json_token *groups, *token;
6212 groups = json_get_member(root, "groups");
6213 if (!groups || groups->type != JSON_ARRAY)
6216 for (token = groups->child; token; token = token->sibling) {
6217 struct json_token *id, *role;
6219 id = json_get_member(token, "groupId");
6220 if (!id || id->type != JSON_STRING)
6223 role = json_get_member(token, "netRole");
6224 if (!role || role->type != JSON_STRING)
6227 if (os_strcmp(id->string, "*") != 0 &&
6228 os_strcmp(group_id, "*") != 0 &&
6229 os_strcmp(id->string, group_id) != 0)
6232 if (dpp_compatible_netrole(role->string, net_role))
6240 static int dpp_connector_match_groups(struct json_token *own_root,
6241 struct json_token *peer_root)
6243 struct json_token *groups, *token;
6245 groups = json_get_member(peer_root, "groups");
6246 if (!groups || groups->type != JSON_ARRAY) {
6247 wpa_printf(MSG_DEBUG, "DPP: No peer groups array found");
6251 for (token = groups->child; token; token = token->sibling) {
6252 struct json_token *id, *role;
6254 id = json_get_member(token, "groupId");
6255 if (!id || id->type != JSON_STRING) {
6256 wpa_printf(MSG_DEBUG,
6257 "DPP: Missing peer groupId string");
6261 role = json_get_member(token, "netRole");
6262 if (!role || role->type != JSON_STRING) {
6263 wpa_printf(MSG_DEBUG,
6264 "DPP: Missing peer groups::netRole string");
6267 wpa_printf(MSG_DEBUG,
6268 "DPP: peer connector group: groupId='%s' netRole='%s'",
6269 id->string, role->string);
6270 if (dpp_connector_compatible_group(own_root, id->string,
6272 wpa_printf(MSG_DEBUG,
6273 "DPP: Compatible group/netRole in own connector");
6282 static int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk,
6283 unsigned int hash_len)
6285 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
6286 const char *info = "DPP PMK";
6289 /* PMK = HKDF(<>, "DPP PMK", N.x) */
6291 /* HKDF-Extract(<>, N.x) */
6292 os_memset(salt, 0, hash_len);
6293 if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0)
6295 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
6298 /* HKDF-Expand(PRK, info, L) */
6299 res = dpp_hkdf_expand(hash_len, prk, hash_len, info, pmk, hash_len);
6300 os_memset(prk, 0, hash_len);
6304 wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)",
6310 static int dpp_derive_pmkid(const struct dpp_curve_params *curve,
6311 EVP_PKEY *own_key, EVP_PKEY *peer_key, u8 *pmkid)
6313 struct wpabuf *nkx, *pkx;
6317 u8 hash[SHA256_MAC_LEN];
6319 /* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
6320 nkx = dpp_get_pubkey_point(own_key, 0);
6321 pkx = dpp_get_pubkey_point(peer_key, 0);
6324 addr[0] = wpabuf_head(nkx);
6325 len[0] = wpabuf_len(nkx) / 2;
6326 addr[1] = wpabuf_head(pkx);
6327 len[1] = wpabuf_len(pkx) / 2;
6328 if (len[0] != len[1])
6330 if (os_memcmp(addr[0], addr[1], len[0]) > 0) {
6331 addr[0] = wpabuf_head(pkx);
6332 addr[1] = wpabuf_head(nkx);
6334 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]);
6335 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]);
6336 res = sha256_vector(2, addr, len, hash);
6339 wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN);
6340 os_memcpy(pmkid, hash, PMKID_LEN);
6341 wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN);
6350 enum dpp_status_error
6351 dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
6352 const u8 *net_access_key, size_t net_access_key_len,
6353 const u8 *csign_key, size_t csign_key_len,
6354 const u8 *peer_connector, size_t peer_connector_len,
6357 struct json_token *root = NULL, *netkey, *token;
6358 struct json_token *own_root = NULL;
6359 enum dpp_status_error ret = 255, res;
6360 EVP_PKEY *own_key = NULL, *peer_key = NULL;
6361 struct wpabuf *own_key_pub = NULL;
6362 const struct dpp_curve_params *curve, *own_curve;
6363 struct dpp_signed_connector_info info;
6364 const unsigned char *p;
6365 EVP_PKEY *csign = NULL;
6366 char *signed_connector = NULL;
6367 const char *pos, *end;
6368 unsigned char *own_conn = NULL;
6369 size_t own_conn_len;
6370 EVP_PKEY_CTX *ctx = NULL;
6372 u8 Nx[DPP_MAX_SHARED_SECRET_LEN];
6374 os_memset(intro, 0, sizeof(*intro));
6375 os_memset(&info, 0, sizeof(info));
6380 csign = d2i_PUBKEY(NULL, &p, csign_key_len);
6382 wpa_printf(MSG_ERROR,
6383 "DPP: Failed to parse local C-sign-key information");
6387 own_key = dpp_set_keypair(&own_curve, net_access_key,
6388 net_access_key_len);
6390 wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
6394 pos = os_strchr(own_connector, '.');
6396 wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the first dot (.)");
6400 end = os_strchr(pos, '.');
6402 wpa_printf(MSG_DEBUG, "DPP: Own connector is missing the second dot (.)");
6405 own_conn = base64_url_decode((const unsigned char *) pos,
6406 end - pos, &own_conn_len);
6408 wpa_printf(MSG_DEBUG,
6409 "DPP: Failed to base64url decode own signedConnector JWS Payload");
6413 own_root = json_parse((const char *) own_conn, own_conn_len);
6415 wpa_printf(MSG_DEBUG, "DPP: Failed to parse local connector");
6419 wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector",
6420 peer_connector, peer_connector_len);
6421 signed_connector = os_malloc(peer_connector_len + 1);
6422 if (!signed_connector)
6424 os_memcpy(signed_connector, peer_connector, peer_connector_len);
6425 signed_connector[peer_connector_len] = '\0';
6427 res = dpp_process_signed_connector(&info, csign, signed_connector);
6428 if (res != DPP_STATUS_OK) {
6433 root = json_parse((const char *) info.payload, info.payload_len);
6435 wpa_printf(MSG_DEBUG, "DPP: JSON parsing of connector failed");
6436 ret = DPP_STATUS_INVALID_CONNECTOR;
6440 if (!dpp_connector_match_groups(own_root, root)) {
6441 wpa_printf(MSG_DEBUG,
6442 "DPP: Peer connector does not include compatible group netrole with own connector");
6443 ret = DPP_STATUS_NO_MATCH;
6447 token = json_get_member(root, "expiry");
6448 if (!token || token->type != JSON_STRING) {
6449 wpa_printf(MSG_DEBUG,
6450 "DPP: No expiry string found - connector does not expire");
6452 wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
6453 if (dpp_key_expired(token->string, expiry)) {
6454 wpa_printf(MSG_DEBUG,
6455 "DPP: Connector (netAccessKey) has expired");
6456 ret = DPP_STATUS_INVALID_CONNECTOR;
6461 netkey = json_get_member(root, "netAccessKey");
6462 if (!netkey || netkey->type != JSON_OBJECT) {
6463 wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
6464 ret = DPP_STATUS_INVALID_CONNECTOR;
6468 peer_key = dpp_parse_jwk(netkey, &curve);
6470 ret = DPP_STATUS_INVALID_CONNECTOR;
6473 dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
6475 if (own_curve != curve) {
6476 wpa_printf(MSG_DEBUG,
6477 "DPP: Mismatching netAccessKey curves (%s != %s)",
6478 own_curve->name, curve->name);
6479 ret = DPP_STATUS_INVALID_CONNECTOR;
6483 /* ECDH: N = nk * PK */
6484 ctx = EVP_PKEY_CTX_new(own_key, NULL);
6486 EVP_PKEY_derive_init(ctx) != 1 ||
6487 EVP_PKEY_derive_set_peer(ctx, peer_key) != 1 ||
6488 EVP_PKEY_derive(ctx, NULL, &Nx_len) != 1 ||
6489 Nx_len > DPP_MAX_SHARED_SECRET_LEN ||
6490 EVP_PKEY_derive(ctx, Nx, &Nx_len) != 1) {
6491 wpa_printf(MSG_ERROR,
6492 "DPP: Failed to derive ECDH shared secret: %s",
6493 ERR_error_string(ERR_get_error(), NULL));
6497 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
6500 /* PMK = HKDF(<>, "DPP PMK", N.x) */
6501 if (dpp_derive_pmk(Nx, Nx_len, intro->pmk, curve->hash_len) < 0) {
6502 wpa_printf(MSG_ERROR, "DPP: Failed to derive PMK");
6505 intro->pmk_len = curve->hash_len;
6507 /* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
6508 if (dpp_derive_pmkid(curve, own_key, peer_key, intro->pmkid) < 0) {
6509 wpa_printf(MSG_ERROR, "DPP: Failed to derive PMKID");
6513 ret = DPP_STATUS_OK;
6515 if (ret != DPP_STATUS_OK)
6516 os_memset(intro, 0, sizeof(*intro));
6517 os_memset(Nx, 0, sizeof(Nx));
6518 EVP_PKEY_CTX_free(ctx);
6520 os_free(signed_connector);
6521 os_free(info.payload);
6522 EVP_PKEY_free(own_key);
6523 wpabuf_free(own_key_pub);
6524 EVP_PKEY_free(peer_key);
6525 EVP_PKEY_free(csign);
6527 json_free(own_root);
6532 static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
6536 size_t len = curve->prime_len;
6539 switch (curve->ike_group) {
6541 x = init ? pkex_init_x_p256 : pkex_resp_x_p256;
6542 y = init ? pkex_init_y_p256 : pkex_resp_y_p256;
6545 x = init ? pkex_init_x_p384 : pkex_resp_x_p384;
6546 y = init ? pkex_init_y_p384 : pkex_resp_y_p384;
6549 x = init ? pkex_init_x_p521 : pkex_resp_x_p521;
6550 y = init ? pkex_init_y_p521 : pkex_resp_y_p521;
6553 x = init ? pkex_init_x_bp_p256r1 : pkex_resp_x_bp_p256r1;
6554 y = init ? pkex_init_y_bp_p256r1 : pkex_resp_y_bp_p256r1;
6557 x = init ? pkex_init_x_bp_p384r1 : pkex_resp_x_bp_p384r1;
6558 y = init ? pkex_init_y_bp_p384r1 : pkex_resp_y_bp_p384r1;
6561 x = init ? pkex_init_x_bp_p512r1 : pkex_resp_x_bp_p512r1;
6562 y = init ? pkex_init_y_bp_p512r1 : pkex_resp_y_bp_p512r1;
6568 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
6571 return dpp_set_pubkey_point_group(group, x, y, len);
6575 static EC_POINT * dpp_pkex_derive_Qi(const struct dpp_curve_params *curve,
6576 const u8 *mac_init, const char *code,
6577 const char *identifier, BN_CTX *bnctx,
6578 const EC_GROUP **ret_group)
6580 u8 hash[DPP_MAX_HASH_LEN];
6583 unsigned int num_elem = 0;
6584 EC_POINT *Qi = NULL;
6585 EVP_PKEY *Pi = NULL;
6586 EC_KEY *Pi_ec = NULL;
6587 const EC_POINT *Pi_point;
6588 BIGNUM *hash_bn = NULL;
6589 const EC_GROUP *group = NULL;
6590 EC_GROUP *group2 = NULL;
6592 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
6594 wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR, MAC2STR(mac_init));
6595 addr[num_elem] = mac_init;
6596 len[num_elem] = ETH_ALEN;
6599 wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
6601 addr[num_elem] = (const u8 *) identifier;
6602 len[num_elem] = os_strlen(identifier);
6605 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
6606 addr[num_elem] = (const u8 *) code;
6607 len[num_elem] = os_strlen(code);
6609 if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
6611 wpa_hexdump_key(MSG_DEBUG,
6612 "DPP: H(MAC-Initiator | [identifier |] code)",
6613 hash, curve->hash_len);
6614 Pi = dpp_pkex_get_role_elem(curve, 1);
6617 dpp_debug_print_key("DPP: Pi", Pi);
6618 Pi_ec = EVP_PKEY_get1_EC_KEY(Pi);
6621 Pi_point = EC_KEY_get0_public_key(Pi_ec);
6623 group = EC_KEY_get0_group(Pi_ec);
6626 group2 = EC_GROUP_dup(group);
6629 Qi = EC_POINT_new(group2);
6631 EC_GROUP_free(group2);
6634 hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
6636 EC_POINT_mul(group2, Qi, NULL, Pi_point, hash_bn, bnctx) != 1)
6638 if (EC_POINT_is_at_infinity(group, Qi)) {
6639 wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity");
6642 dpp_debug_print_point("DPP: Qi", group, Qi);
6646 BN_clear_free(hash_bn);
6648 *ret_group = group2;
6657 static EC_POINT * dpp_pkex_derive_Qr(const struct dpp_curve_params *curve,
6658 const u8 *mac_resp, const char *code,
6659 const char *identifier, BN_CTX *bnctx,
6660 const EC_GROUP **ret_group)
6662 u8 hash[DPP_MAX_HASH_LEN];
6665 unsigned int num_elem = 0;
6666 EC_POINT *Qr = NULL;
6667 EVP_PKEY *Pr = NULL;
6668 EC_KEY *Pr_ec = NULL;
6669 const EC_POINT *Pr_point;
6670 BIGNUM *hash_bn = NULL;
6671 const EC_GROUP *group = NULL;
6672 EC_GROUP *group2 = NULL;
6674 /* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */
6676 wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR, MAC2STR(mac_resp));
6677 addr[num_elem] = mac_resp;
6678 len[num_elem] = ETH_ALEN;
6681 wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
6683 addr[num_elem] = (const u8 *) identifier;
6684 len[num_elem] = os_strlen(identifier);
6687 wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
6688 addr[num_elem] = (const u8 *) code;
6689 len[num_elem] = os_strlen(code);
6691 if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
6693 wpa_hexdump_key(MSG_DEBUG,
6694 "DPP: H(MAC-Responder | [identifier |] code)",
6695 hash, curve->hash_len);
6696 Pr = dpp_pkex_get_role_elem(curve, 0);
6699 dpp_debug_print_key("DPP: Pr", Pr);
6700 Pr_ec = EVP_PKEY_get1_EC_KEY(Pr);
6703 Pr_point = EC_KEY_get0_public_key(Pr_ec);
6705 group = EC_KEY_get0_group(Pr_ec);
6708 group2 = EC_GROUP_dup(group);
6711 Qr = EC_POINT_new(group2);
6713 EC_GROUP_free(group2);
6716 hash_bn = BN_bin2bn(hash, curve->hash_len, NULL);
6718 EC_POINT_mul(group2, Qr, NULL, Pr_point, hash_bn, bnctx) != 1)
6720 if (EC_POINT_is_at_infinity(group, Qr)) {
6721 wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity");
6724 dpp_debug_print_point("DPP: Qr", group, Qr);
6728 BN_clear_free(hash_bn);
6730 *ret_group = group2;
6739 #ifdef CONFIG_TESTING_OPTIONS
6740 static int dpp_test_gen_invalid_key(struct wpabuf *msg,
6741 const struct dpp_curve_params *curve)
6749 group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
6754 point = EC_POINT_new(group);
6757 if (!ctx || !point || !x || !y)
6760 if (BN_rand(x, curve->prime_len * 8, 0, 0) != 1)
6763 /* Generate a random y coordinate that results in a point that is not
6766 if (BN_rand(y, curve->prime_len * 8, 0, 0) != 1)
6769 if (EC_POINT_set_affine_coordinates_GFp(group, point, x, y,
6771 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
6772 /* Unlike older OpenSSL versions, OpenSSL 1.1.1 and BoringSSL
6773 * return an error from EC_POINT_set_affine_coordinates_GFp()
6774 * when the point is not on the curve. */
6776 #else /* >=1.1.0 or OPENSSL_IS_BORINGSSL */
6778 #endif /* >= 1.1.0 or OPENSSL_IS_BORINGSSL */
6781 if (!EC_POINT_is_on_curve(group, point, ctx))
6785 if (dpp_bn2bin_pad(x, wpabuf_put(msg, curve->prime_len),
6786 curve->prime_len) < 0 ||
6787 dpp_bn2bin_pad(y, wpabuf_put(msg, curve->prime_len),
6788 curve->prime_len) < 0)
6794 wpa_printf(MSG_INFO, "DPP: Failed to generate invalid key");
6797 EC_POINT_free(point);
6802 #endif /* CONFIG_TESTING_OPTIONS */
6805 static struct wpabuf * dpp_pkex_build_exchange_req(struct dpp_pkex *pkex)
6807 EC_KEY *X_ec = NULL;
6808 const EC_POINT *X_point;
6809 BN_CTX *bnctx = NULL;
6810 const EC_GROUP *group;
6811 EC_POINT *Qi = NULL, *M = NULL;
6812 struct wpabuf *M_buf = NULL;
6813 BIGNUM *Mx = NULL, *My = NULL;
6814 struct wpabuf *msg = NULL;
6816 const struct dpp_curve_params *curve = pkex->own_bi->curve;
6818 wpa_printf(MSG_DEBUG, "DPP: Build PKEX Exchange Request");
6820 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
6821 bnctx = BN_CTX_new();
6824 Qi = dpp_pkex_derive_Qi(curve, pkex->own_mac, pkex->code,
6825 pkex->identifier, bnctx, &group);
6829 /* Generate a random ephemeral keypair x/X */
6830 #ifdef CONFIG_TESTING_OPTIONS
6831 if (dpp_pkex_ephemeral_key_override_len) {
6832 const struct dpp_curve_params *tmp_curve;
6834 wpa_printf(MSG_INFO,
6835 "DPP: TESTING - override ephemeral key x/X");
6836 pkex->x = dpp_set_keypair(&tmp_curve,
6837 dpp_pkex_ephemeral_key_override,
6838 dpp_pkex_ephemeral_key_override_len);
6840 pkex->x = dpp_gen_keypair(curve);
6842 #else /* CONFIG_TESTING_OPTIONS */
6843 pkex->x = dpp_gen_keypair(curve);
6844 #endif /* CONFIG_TESTING_OPTIONS */
6849 X_ec = EVP_PKEY_get1_EC_KEY(pkex->x);
6852 X_point = EC_KEY_get0_public_key(X_ec);
6855 dpp_debug_print_point("DPP: X", group, X_point);
6856 M = EC_POINT_new(group);
6859 if (!M || !Mx || !My ||
6860 EC_POINT_add(group, M, X_point, Qi, bnctx) != 1 ||
6861 EC_POINT_get_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1)
6863 dpp_debug_print_point("DPP: M", group, M);
6865 /* Initiator -> Responder: group, [identifier,] M */
6867 if (pkex->identifier)
6868 attr_len += 4 + os_strlen(pkex->identifier);
6869 attr_len += 4 + 2 * curve->prime_len;
6870 msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_REQ, attr_len);
6874 #ifdef CONFIG_TESTING_OPTIONS
6875 if (dpp_test == DPP_TEST_NO_FINITE_CYCLIC_GROUP_PKEX_EXCHANGE_REQ) {
6876 wpa_printf(MSG_INFO, "DPP: TESTING - no Finite Cyclic Group");
6877 goto skip_finite_cyclic_group;
6879 #endif /* CONFIG_TESTING_OPTIONS */
6881 /* Finite Cyclic Group attribute */
6882 wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
6883 wpabuf_put_le16(msg, 2);
6884 wpabuf_put_le16(msg, curve->ike_group);
6886 #ifdef CONFIG_TESTING_OPTIONS
6887 skip_finite_cyclic_group:
6888 #endif /* CONFIG_TESTING_OPTIONS */
6890 /* Code Identifier attribute */
6891 if (pkex->identifier) {
6892 wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
6893 wpabuf_put_le16(msg, os_strlen(pkex->identifier));
6894 wpabuf_put_str(msg, pkex->identifier);
6897 #ifdef CONFIG_TESTING_OPTIONS
6898 if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
6899 wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
6902 #endif /* CONFIG_TESTING_OPTIONS */
6904 /* M in Encrypted Key attribute */
6905 wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
6906 wpabuf_put_le16(msg, 2 * curve->prime_len);
6908 #ifdef CONFIG_TESTING_OPTIONS
6909 if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_REQ) {
6910 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
6911 if (dpp_test_gen_invalid_key(msg, curve) < 0)
6915 #endif /* CONFIG_TESTING_OPTIONS */
6917 if (dpp_bn2bin_pad(Mx, wpabuf_put(msg, curve->prime_len),
6918 curve->prime_len) < 0 ||
6919 dpp_bn2bin_pad(Mx, pkex->Mx, curve->prime_len) < 0 ||
6920 dpp_bn2bin_pad(My, wpabuf_put(msg, curve->prime_len),
6921 curve->prime_len) < 0)
6934 wpa_printf(MSG_INFO, "DPP: Failed to build PKEX Exchange Request");
6941 static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
6943 wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
6947 struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
6949 const char *identifier,
6952 struct dpp_pkex *pkex;
6954 #ifdef CONFIG_TESTING_OPTIONS
6955 if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
6956 wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
6957 MAC2STR(dpp_pkex_own_mac_override));
6958 own_mac = dpp_pkex_own_mac_override;
6960 #endif /* CONFIG_TESTING_OPTIONS */
6962 pkex = os_zalloc(sizeof(*pkex));
6965 pkex->msg_ctx = msg_ctx;
6966 pkex->initiator = 1;
6968 os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
6970 pkex->identifier = os_strdup(identifier);
6971 if (!pkex->identifier)
6974 pkex->code = os_strdup(code);
6977 pkex->exchange_req = dpp_pkex_build_exchange_req(pkex);
6978 if (!pkex->exchange_req)
6982 dpp_pkex_free(pkex);
6987 static struct wpabuf *
6988 dpp_pkex_build_exchange_resp(struct dpp_pkex *pkex,
6989 enum dpp_status_error status,
6990 const BIGNUM *Nx, const BIGNUM *Ny)
6992 struct wpabuf *msg = NULL;
6994 const struct dpp_curve_params *curve = pkex->own_bi->curve;
6996 /* Initiator -> Responder: DPP Status, [identifier,] N */
6998 if (pkex->identifier)
6999 attr_len += 4 + os_strlen(pkex->identifier);
7000 attr_len += 4 + 2 * curve->prime_len;
7001 msg = dpp_alloc_msg(DPP_PA_PKEX_EXCHANGE_RESP, attr_len);
7005 #ifdef CONFIG_TESTING_OPTIONS
7006 if (dpp_test == DPP_TEST_NO_STATUS_PKEX_EXCHANGE_RESP) {
7007 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
7011 if (dpp_test == DPP_TEST_INVALID_STATUS_PKEX_EXCHANGE_RESP) {
7012 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
7015 #endif /* CONFIG_TESTING_OPTIONS */
7018 dpp_build_attr_status(msg, status);
7020 #ifdef CONFIG_TESTING_OPTIONS
7022 #endif /* CONFIG_TESTING_OPTIONS */
7024 /* Code Identifier attribute */
7025 if (pkex->identifier) {
7026 wpabuf_put_le16(msg, DPP_ATTR_CODE_IDENTIFIER);
7027 wpabuf_put_le16(msg, os_strlen(pkex->identifier));
7028 wpabuf_put_str(msg, pkex->identifier);
7031 if (status != DPP_STATUS_OK)
7032 goto skip_encrypted_key;
7034 #ifdef CONFIG_TESTING_OPTIONS
7035 if (dpp_test == DPP_TEST_NO_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
7036 wpa_printf(MSG_INFO, "DPP: TESTING - no Encrypted Key");
7037 goto skip_encrypted_key;
7039 #endif /* CONFIG_TESTING_OPTIONS */
7041 /* N in Encrypted Key attribute */
7042 wpabuf_put_le16(msg, DPP_ATTR_ENCRYPTED_KEY);
7043 wpabuf_put_le16(msg, 2 * curve->prime_len);
7045 #ifdef CONFIG_TESTING_OPTIONS
7046 if (dpp_test == DPP_TEST_INVALID_ENCRYPTED_KEY_PKEX_EXCHANGE_RESP) {
7047 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Encrypted Key");
7048 if (dpp_test_gen_invalid_key(msg, curve) < 0)
7050 goto skip_encrypted_key;
7052 #endif /* CONFIG_TESTING_OPTIONS */
7054 if (dpp_bn2bin_pad(Nx, wpabuf_put(msg, curve->prime_len),
7055 curve->prime_len) < 0 ||
7056 dpp_bn2bin_pad(Nx, pkex->Nx, curve->prime_len) < 0 ||
7057 dpp_bn2bin_pad(Ny, wpabuf_put(msg, curve->prime_len),
7058 curve->prime_len) < 0)
7062 if (status == DPP_STATUS_BAD_GROUP) {
7063 /* Finite Cyclic Group attribute */
7064 wpabuf_put_le16(msg, DPP_ATTR_FINITE_CYCLIC_GROUP);
7065 wpabuf_put_le16(msg, 2);
7066 wpabuf_put_le16(msg, curve->ike_group);
7076 static int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp,
7077 const u8 *Mx, size_t Mx_len,
7078 const u8 *Nx, size_t Nx_len,
7080 const u8 *Kx, size_t Kx_len,
7081 u8 *z, unsigned int hash_len)
7083 u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
7088 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
7091 /* HKDF-Extract(<>, IKM=K.x) */
7092 os_memset(salt, 0, hash_len);
7093 if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0)
7095 wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
7097 info_len = 2 * ETH_ALEN + Mx_len + Nx_len + os_strlen(code);
7098 info = os_malloc(info_len);
7102 os_memcpy(pos, mac_init, ETH_ALEN);
7104 os_memcpy(pos, mac_resp, ETH_ALEN);
7106 os_memcpy(pos, Mx, Mx_len);
7108 os_memcpy(pos, Nx, Nx_len);
7110 os_memcpy(pos, code, os_strlen(code));
7112 /* HKDF-Expand(PRK, info, L) */
7114 res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len,
7116 else if (hash_len == 48)
7117 res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len,
7119 else if (hash_len == 64)
7120 res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len,
7125 os_memset(prk, 0, hash_len);
7129 wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)",
7135 static int dpp_pkex_identifier_match(const u8 *attr_id, u16 attr_id_len,
7136 const char *identifier)
7138 if (!attr_id && identifier) {
7139 wpa_printf(MSG_DEBUG,
7140 "DPP: No PKEX code identifier received, but expected one");
7144 if (attr_id && !identifier) {
7145 wpa_printf(MSG_DEBUG,
7146 "DPP: PKEX code identifier received, but not expecting one");
7150 if (attr_id && identifier &&
7151 (os_strlen(identifier) != attr_id_len ||
7152 os_memcmp(identifier, attr_id, attr_id_len) != 0)) {
7153 wpa_printf(MSG_DEBUG, "DPP: PKEX code identifier mismatch");
7161 struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
7162 struct dpp_bootstrap_info *bi,
7165 const char *identifier,
7167 const u8 *buf, size_t len)
7169 const u8 *attr_group, *attr_id, *attr_key;
7170 u16 attr_group_len, attr_id_len, attr_key_len;
7171 const struct dpp_curve_params *curve = bi->curve;
7173 struct dpp_pkex *pkex = NULL;
7174 EC_POINT *Qi = NULL, *Qr = NULL, *M = NULL, *X = NULL, *N = NULL;
7175 BN_CTX *bnctx = NULL;
7176 const EC_GROUP *group;
7177 BIGNUM *Mx = NULL, *My = NULL;
7178 EC_KEY *Y_ec = NULL, *X_ec = NULL;;
7179 const EC_POINT *Y_point;
7180 BIGNUM *Nx = NULL, *Ny = NULL;
7181 u8 Kx[DPP_MAX_SHARED_SECRET_LEN];
7184 EVP_PKEY_CTX *ctx = NULL;
7186 if (bi->pkex_t >= PKEX_COUNTER_T_LIMIT) {
7187 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7188 "PKEX counter t limit reached - ignore message");
7192 #ifdef CONFIG_TESTING_OPTIONS
7193 if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
7194 wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
7195 MAC2STR(dpp_pkex_peer_mac_override));
7196 peer_mac = dpp_pkex_peer_mac_override;
7198 if (!is_zero_ether_addr(dpp_pkex_own_mac_override)) {
7199 wpa_printf(MSG_INFO, "DPP: TESTING - own_mac override " MACSTR,
7200 MAC2STR(dpp_pkex_own_mac_override));
7201 own_mac = dpp_pkex_own_mac_override;
7203 #endif /* CONFIG_TESTING_OPTIONS */
7206 attr_id = dpp_get_attr(buf, len, DPP_ATTR_CODE_IDENTIFIER,
7208 if (!dpp_pkex_identifier_match(attr_id, attr_id_len, identifier))
7211 attr_group = dpp_get_attr(buf, len, DPP_ATTR_FINITE_CYCLIC_GROUP,
7213 if (!attr_group || attr_group_len != 2) {
7214 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7215 "Missing or invalid Finite Cyclic Group attribute");
7218 ike_group = WPA_GET_LE16(attr_group);
7219 if (ike_group != curve->ike_group) {
7220 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7221 "Mismatching PKEX curve: peer=%u own=%u",
7222 ike_group, curve->ike_group);
7223 pkex = os_zalloc(sizeof(*pkex));
7228 pkex->exchange_resp = dpp_pkex_build_exchange_resp(
7229 pkex, DPP_STATUS_BAD_GROUP, NULL, NULL);
7230 if (!pkex->exchange_resp)
7235 /* M in Encrypted Key attribute */
7236 attr_key = dpp_get_attr(buf, len, DPP_ATTR_ENCRYPTED_KEY,
7238 if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2 ||
7239 attr_key_len / 2 > DPP_MAX_SHARED_SECRET_LEN) {
7240 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7241 "Missing Encrypted Key attribute");
7245 /* Qi = H(MAC-Initiator | [identifier |] code) * Pi */
7246 bnctx = BN_CTX_new();
7249 Qi = dpp_pkex_derive_Qi(curve, peer_mac, code, identifier, bnctx,
7255 X = EC_POINT_new(group);
7256 M = EC_POINT_new(group);
7257 Mx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
7258 My = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
7259 if (!X || !M || !Mx || !My ||
7260 EC_POINT_set_affine_coordinates_GFp(group, M, Mx, My, bnctx) != 1 ||
7261 EC_POINT_is_at_infinity(group, M) ||
7262 !EC_POINT_is_on_curve(group, M, bnctx) ||
7263 EC_POINT_invert(group, Qi, bnctx) != 1 ||
7264 EC_POINT_add(group, X, M, Qi, bnctx) != 1 ||
7265 EC_POINT_is_at_infinity(group, X) ||
7266 !EC_POINT_is_on_curve(group, X, bnctx)) {
7267 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7268 "Invalid Encrypted Key value");
7272 dpp_debug_print_point("DPP: M", group, M);
7273 dpp_debug_print_point("DPP: X'", group, X);
7275 pkex = os_zalloc(sizeof(*pkex));
7278 pkex->t = bi->pkex_t;
7279 pkex->msg_ctx = msg_ctx;
7281 os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
7282 os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
7284 pkex->identifier = os_strdup(identifier);
7285 if (!pkex->identifier)
7288 pkex->code = os_strdup(code);
7292 os_memcpy(pkex->Mx, attr_key, attr_key_len / 2);
7294 X_ec = EC_KEY_new();
7296 EC_KEY_set_group(X_ec, group) != 1 ||
7297 EC_KEY_set_public_key(X_ec, X) != 1)
7299 pkex->x = EVP_PKEY_new();
7301 EVP_PKEY_set1_EC_KEY(pkex->x, X_ec) != 1)
7304 /* Qr = H(MAC-Responder | | [identifier | ] code) * Pr */
7305 Qr = dpp_pkex_derive_Qr(curve, own_mac, code, identifier, bnctx, NULL);
7309 /* Generate a random ephemeral keypair y/Y */
7310 #ifdef CONFIG_TESTING_OPTIONS
7311 if (dpp_pkex_ephemeral_key_override_len) {
7312 const struct dpp_curve_params *tmp_curve;
7314 wpa_printf(MSG_INFO,
7315 "DPP: TESTING - override ephemeral key y/Y");
7316 pkex->y = dpp_set_keypair(&tmp_curve,
7317 dpp_pkex_ephemeral_key_override,
7318 dpp_pkex_ephemeral_key_override_len);
7320 pkex->y = dpp_gen_keypair(curve);
7322 #else /* CONFIG_TESTING_OPTIONS */
7323 pkex->y = dpp_gen_keypair(curve);
7324 #endif /* CONFIG_TESTING_OPTIONS */
7329 Y_ec = EVP_PKEY_get1_EC_KEY(pkex->y);
7332 Y_point = EC_KEY_get0_public_key(Y_ec);
7335 dpp_debug_print_point("DPP: Y", group, Y_point);
7336 N = EC_POINT_new(group);
7339 if (!N || !Nx || !Ny ||
7340 EC_POINT_add(group, N, Y_point, Qr, bnctx) != 1 ||
7341 EC_POINT_get_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1)
7343 dpp_debug_print_point("DPP: N", group, N);
7345 pkex->exchange_resp = dpp_pkex_build_exchange_resp(pkex, DPP_STATUS_OK,
7347 if (!pkex->exchange_resp)
7351 ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
7353 EVP_PKEY_derive_init(ctx) != 1 ||
7354 EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
7355 EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
7356 Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
7357 EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
7358 wpa_printf(MSG_ERROR,
7359 "DPP: Failed to derive ECDH shared secret: %s",
7360 ERR_error_string(ERR_get_error(), NULL));
7364 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
7367 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
7369 res = dpp_pkex_derive_z(pkex->peer_mac, pkex->own_mac,
7370 pkex->Mx, curve->prime_len,
7371 pkex->Nx, curve->prime_len, pkex->code,
7372 Kx, Kx_len, pkex->z, curve->hash_len);
7373 os_memset(Kx, 0, Kx_len);
7377 pkex->exchange_done = 1;
7380 EVP_PKEY_CTX_free(ctx);
7395 wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request processing failed");
7396 dpp_pkex_free(pkex);
7402 static struct wpabuf *
7403 dpp_pkex_build_commit_reveal_req(struct dpp_pkex *pkex,
7404 const struct wpabuf *A_pub, const u8 *u)
7406 const struct dpp_curve_params *curve = pkex->own_bi->curve;
7407 struct wpabuf *msg = NULL;
7408 size_t clear_len, attr_len;
7409 struct wpabuf *clear = NULL;
7415 /* {A, u, [bootstrapping info]}z */
7416 clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
7417 clear = wpabuf_alloc(clear_len);
7418 attr_len = 4 + clear_len + AES_BLOCK_SIZE;
7419 #ifdef CONFIG_TESTING_OPTIONS
7420 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ)
7422 #endif /* CONFIG_TESTING_OPTIONS */
7423 msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_REQ, attr_len);
7427 #ifdef CONFIG_TESTING_OPTIONS
7428 if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_REQ) {
7429 wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
7430 goto skip_bootstrap_key;
7432 if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_REQ) {
7433 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
7434 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7435 wpabuf_put_le16(clear, 2 * curve->prime_len);
7436 if (dpp_test_gen_invalid_key(clear, curve) < 0)
7438 goto skip_bootstrap_key;
7440 #endif /* CONFIG_TESTING_OPTIONS */
7442 /* A in Bootstrap Key attribute */
7443 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7444 wpabuf_put_le16(clear, wpabuf_len(A_pub));
7445 wpabuf_put_buf(clear, A_pub);
7447 #ifdef CONFIG_TESTING_OPTIONS
7449 if (dpp_test == DPP_TEST_NO_I_AUTH_TAG_PKEX_CR_REQ) {
7450 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Auth tag");
7451 goto skip_i_auth_tag;
7453 if (dpp_test == DPP_TEST_I_AUTH_TAG_MISMATCH_PKEX_CR_REQ) {
7454 wpa_printf(MSG_INFO, "DPP: TESTING - I-Auth tag mismatch");
7455 wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
7456 wpabuf_put_le16(clear, curve->hash_len);
7457 wpabuf_put_data(clear, u, curve->hash_len - 1);
7458 wpabuf_put_u8(clear, u[curve->hash_len - 1] ^ 0x01);
7459 goto skip_i_auth_tag;
7461 #endif /* CONFIG_TESTING_OPTIONS */
7463 /* u in I-Auth tag attribute */
7464 wpabuf_put_le16(clear, DPP_ATTR_I_AUTH_TAG);
7465 wpabuf_put_le16(clear, curve->hash_len);
7466 wpabuf_put_data(clear, u, curve->hash_len);
7468 #ifdef CONFIG_TESTING_OPTIONS
7470 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_REQ) {
7471 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
7472 goto skip_wrapped_data;
7474 #endif /* CONFIG_TESTING_OPTIONS */
7476 addr[0] = wpabuf_head_u8(msg) + 2;
7477 len[0] = DPP_HDR_LEN;
7480 len[1] = sizeof(octet);
7481 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7482 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7484 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
7485 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7486 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7488 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
7489 if (aes_siv_encrypt(pkex->z, curve->hash_len,
7490 wpabuf_head(clear), wpabuf_len(clear),
7491 2, addr, len, wrapped) < 0)
7493 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7494 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
7496 #ifdef CONFIG_TESTING_OPTIONS
7497 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_REQ) {
7498 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
7499 dpp_build_attr_status(msg, DPP_STATUS_OK);
7502 #endif /* CONFIG_TESTING_OPTIONS */
7515 struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
7517 const u8 *buf, size_t buflen)
7519 const u8 *attr_status, *attr_id, *attr_key, *attr_group;
7520 u16 attr_status_len, attr_id_len, attr_key_len, attr_group_len;
7521 const EC_GROUP *group;
7522 BN_CTX *bnctx = NULL;
7523 struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
7524 const struct dpp_curve_params *curve = pkex->own_bi->curve;
7525 EC_POINT *Qr = NULL, *Y = NULL, *N = NULL;
7526 BIGNUM *Nx = NULL, *Ny = NULL;
7527 EVP_PKEY_CTX *ctx = NULL;
7528 EC_KEY *Y_ec = NULL;
7529 size_t Jx_len, Kx_len;
7530 u8 Jx[DPP_MAX_SHARED_SECRET_LEN], Kx[DPP_MAX_SHARED_SECRET_LEN];
7533 u8 u[DPP_MAX_HASH_LEN];
7536 if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
7539 #ifdef CONFIG_TESTING_OPTIONS
7540 if (dpp_test == DPP_TEST_STOP_AT_PKEX_EXCHANGE_RESP) {
7541 wpa_printf(MSG_INFO,
7542 "DPP: TESTING - stop at PKEX Exchange Response");
7547 if (!is_zero_ether_addr(dpp_pkex_peer_mac_override)) {
7548 wpa_printf(MSG_INFO, "DPP: TESTING - peer_mac override " MACSTR,
7549 MAC2STR(dpp_pkex_peer_mac_override));
7550 peer_mac = dpp_pkex_peer_mac_override;
7552 #endif /* CONFIG_TESTING_OPTIONS */
7554 os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
7556 attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
7558 if (!attr_status || attr_status_len != 1) {
7559 dpp_pkex_fail(pkex, "No DPP Status attribute");
7562 wpa_printf(MSG_DEBUG, "DPP: Status %u", attr_status[0]);
7564 if (attr_status[0] == DPP_STATUS_BAD_GROUP) {
7565 attr_group = dpp_get_attr(buf, buflen,
7566 DPP_ATTR_FINITE_CYCLIC_GROUP,
7568 if (attr_group && attr_group_len == 2) {
7569 wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
7570 "Peer indicated mismatching PKEX group - proposed %u",
7571 WPA_GET_LE16(attr_group));
7576 if (attr_status[0] != DPP_STATUS_OK) {
7577 dpp_pkex_fail(pkex, "PKEX failed (peer indicated failure)");
7582 attr_id = dpp_get_attr(buf, buflen, DPP_ATTR_CODE_IDENTIFIER,
7584 if (!dpp_pkex_identifier_match(attr_id, attr_id_len,
7585 pkex->identifier)) {
7586 dpp_pkex_fail(pkex, "PKEX code identifier mismatch");
7590 /* N in Encrypted Key attribute */
7591 attr_key = dpp_get_attr(buf, buflen, DPP_ATTR_ENCRYPTED_KEY,
7593 if (!attr_key || attr_key_len & 0x01 || attr_key_len < 2) {
7594 dpp_pkex_fail(pkex, "Missing Encrypted Key attribute");
7598 /* Qr = H(MAC-Responder | [identifier |] code) * Pr */
7599 bnctx = BN_CTX_new();
7602 Qr = dpp_pkex_derive_Qr(curve, pkex->peer_mac, pkex->code,
7603 pkex->identifier, bnctx, &group);
7608 Y = EC_POINT_new(group);
7609 N = EC_POINT_new(group);
7610 Nx = BN_bin2bn(attr_key, attr_key_len / 2, NULL);
7611 Ny = BN_bin2bn(attr_key + attr_key_len / 2, attr_key_len / 2, NULL);
7612 if (!Y || !N || !Nx || !Ny ||
7613 EC_POINT_set_affine_coordinates_GFp(group, N, Nx, Ny, bnctx) != 1 ||
7614 EC_POINT_is_at_infinity(group, N) ||
7615 !EC_POINT_is_on_curve(group, N, bnctx) ||
7616 EC_POINT_invert(group, Qr, bnctx) != 1 ||
7617 EC_POINT_add(group, Y, N, Qr, bnctx) != 1 ||
7618 EC_POINT_is_at_infinity(group, Y) ||
7619 !EC_POINT_is_on_curve(group, Y, bnctx)) {
7620 dpp_pkex_fail(pkex, "Invalid Encrypted Key value");
7624 dpp_debug_print_point("DPP: N", group, N);
7625 dpp_debug_print_point("DPP: Y'", group, Y);
7627 pkex->exchange_done = 1;
7629 /* ECDH: J = a * Y’ */
7630 Y_ec = EC_KEY_new();
7632 EC_KEY_set_group(Y_ec, group) != 1 ||
7633 EC_KEY_set_public_key(Y_ec, Y) != 1)
7635 pkex->y = EVP_PKEY_new();
7637 EVP_PKEY_set1_EC_KEY(pkex->y, Y_ec) != 1)
7639 ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
7641 EVP_PKEY_derive_init(ctx) != 1 ||
7642 EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
7643 EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
7644 Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
7645 EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
7646 wpa_printf(MSG_ERROR,
7647 "DPP: Failed to derive ECDH shared secret: %s",
7648 ERR_error_string(ERR_get_error(), NULL));
7652 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
7655 /* u = HMAC(J.x, MAC-Initiator | A.x | Y’.x | X.x ) */
7656 A_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
7657 Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7658 X_pub = dpp_get_pubkey_point(pkex->x, 0);
7659 if (!A_pub || !Y_pub || !X_pub)
7661 addr[0] = pkex->own_mac;
7663 addr[1] = wpabuf_head(A_pub);
7664 len[1] = wpabuf_len(A_pub) / 2;
7665 addr[2] = wpabuf_head(Y_pub);
7666 len[2] = wpabuf_len(Y_pub) / 2;
7667 addr[3] = wpabuf_head(X_pub);
7668 len[3] = wpabuf_len(X_pub) / 2;
7669 if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
7671 wpa_hexdump(MSG_DEBUG, "DPP: u", u, curve->hash_len);
7674 EVP_PKEY_CTX_free(ctx);
7675 ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
7677 EVP_PKEY_derive_init(ctx) != 1 ||
7678 EVP_PKEY_derive_set_peer(ctx, pkex->y) != 1 ||
7679 EVP_PKEY_derive(ctx, NULL, &Kx_len) != 1 ||
7680 Kx_len > DPP_MAX_SHARED_SECRET_LEN ||
7681 EVP_PKEY_derive(ctx, Kx, &Kx_len) != 1) {
7682 wpa_printf(MSG_ERROR,
7683 "DPP: Failed to derive ECDH shared secret: %s",
7684 ERR_error_string(ERR_get_error(), NULL));
7688 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (K.x)",
7691 /* z = HKDF(<>, MAC-Initiator | MAC-Responder | M.x | N.x | code, K.x)
7693 res = dpp_pkex_derive_z(pkex->own_mac, pkex->peer_mac,
7694 pkex->Mx, curve->prime_len,
7695 attr_key /* N.x */, attr_key_len / 2,
7696 pkex->code, Kx, Kx_len,
7697 pkex->z, curve->hash_len);
7698 os_memset(Kx, 0, Kx_len);
7702 msg = dpp_pkex_build_commit_reveal_req(pkex, A_pub, u);
7716 EVP_PKEY_CTX_free(ctx);
7720 wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response processing failed");
7725 static struct wpabuf *
7726 dpp_pkex_build_commit_reveal_resp(struct dpp_pkex *pkex,
7727 const struct wpabuf *B_pub, const u8 *v)
7729 const struct dpp_curve_params *curve = pkex->own_bi->curve;
7730 struct wpabuf *msg = NULL;
7735 struct wpabuf *clear = NULL;
7736 size_t clear_len, attr_len;
7738 /* {B, v [bootstrapping info]}z */
7739 clear_len = 4 + 2 * curve->prime_len + 4 + curve->hash_len;
7740 clear = wpabuf_alloc(clear_len);
7741 attr_len = 4 + clear_len + AES_BLOCK_SIZE;
7742 #ifdef CONFIG_TESTING_OPTIONS
7743 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP)
7745 #endif /* CONFIG_TESTING_OPTIONS */
7746 msg = dpp_alloc_msg(DPP_PA_PKEX_COMMIT_REVEAL_RESP, attr_len);
7750 #ifdef CONFIG_TESTING_OPTIONS
7751 if (dpp_test == DPP_TEST_NO_BOOTSTRAP_KEY_PKEX_CR_RESP) {
7752 wpa_printf(MSG_INFO, "DPP: TESTING - no Bootstrap Key");
7753 goto skip_bootstrap_key;
7755 if (dpp_test == DPP_TEST_INVALID_BOOTSTRAP_KEY_PKEX_CR_RESP) {
7756 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Bootstrap Key");
7757 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7758 wpabuf_put_le16(clear, 2 * curve->prime_len);
7759 if (dpp_test_gen_invalid_key(clear, curve) < 0)
7761 goto skip_bootstrap_key;
7763 #endif /* CONFIG_TESTING_OPTIONS */
7765 /* B in Bootstrap Key attribute */
7766 wpabuf_put_le16(clear, DPP_ATTR_BOOTSTRAP_KEY);
7767 wpabuf_put_le16(clear, wpabuf_len(B_pub));
7768 wpabuf_put_buf(clear, B_pub);
7770 #ifdef CONFIG_TESTING_OPTIONS
7772 if (dpp_test == DPP_TEST_NO_R_AUTH_TAG_PKEX_CR_RESP) {
7773 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth tag");
7774 goto skip_r_auth_tag;
7776 if (dpp_test == DPP_TEST_R_AUTH_TAG_MISMATCH_PKEX_CR_RESP) {
7777 wpa_printf(MSG_INFO, "DPP: TESTING - R-Auth tag mismatch");
7778 wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
7779 wpabuf_put_le16(clear, curve->hash_len);
7780 wpabuf_put_data(clear, v, curve->hash_len - 1);
7781 wpabuf_put_u8(clear, v[curve->hash_len - 1] ^ 0x01);
7782 goto skip_r_auth_tag;
7784 #endif /* CONFIG_TESTING_OPTIONS */
7786 /* v in R-Auth tag attribute */
7787 wpabuf_put_le16(clear, DPP_ATTR_R_AUTH_TAG);
7788 wpabuf_put_le16(clear, curve->hash_len);
7789 wpabuf_put_data(clear, v, curve->hash_len);
7791 #ifdef CONFIG_TESTING_OPTIONS
7793 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_PKEX_CR_RESP) {
7794 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
7795 goto skip_wrapped_data;
7797 #endif /* CONFIG_TESTING_OPTIONS */
7799 addr[0] = wpabuf_head_u8(msg) + 2;
7800 len[0] = DPP_HDR_LEN;
7803 len[1] = sizeof(octet);
7804 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7805 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7807 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
7808 wpabuf_put_le16(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7809 wrapped = wpabuf_put(msg, wpabuf_len(clear) + AES_BLOCK_SIZE);
7811 wpa_hexdump_buf(MSG_DEBUG, "DPP: AES-SIV cleartext", clear);
7812 if (aes_siv_encrypt(pkex->z, curve->hash_len,
7813 wpabuf_head(clear), wpabuf_len(clear),
7814 2, addr, len, wrapped) < 0)
7816 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7817 wrapped, wpabuf_len(clear) + AES_BLOCK_SIZE);
7819 #ifdef CONFIG_TESTING_OPTIONS
7820 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_PKEX_CR_RESP) {
7821 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
7822 dpp_build_attr_status(msg, DPP_STATUS_OK);
7825 #endif /* CONFIG_TESTING_OPTIONS */
7838 struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
7840 const u8 *buf, size_t buflen)
7842 const struct dpp_curve_params *curve = pkex->own_bi->curve;
7843 EVP_PKEY_CTX *ctx = NULL;
7844 size_t Jx_len, Lx_len;
7845 u8 Jx[DPP_MAX_SHARED_SECRET_LEN];
7846 u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
7847 const u8 *wrapped_data, *b_key, *peer_u;
7848 u16 wrapped_data_len, b_key_len, peer_u_len = 0;
7852 u8 *unwrapped = NULL;
7853 size_t unwrapped_len = 0;
7854 struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
7855 struct wpabuf *B_pub = NULL;
7856 u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
7858 #ifdef CONFIG_TESTING_OPTIONS
7859 if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_REQ) {
7860 wpa_printf(MSG_INFO,
7861 "DPP: TESTING - stop at PKEX CR Request");
7865 #endif /* CONFIG_TESTING_OPTIONS */
7867 if (!pkex->exchange_done || pkex->failed ||
7868 pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
7871 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
7873 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
7875 "Missing or invalid required Wrapped Data attribute");
7879 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
7880 wrapped_data, wrapped_data_len);
7881 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
7882 unwrapped = os_malloc(unwrapped_len);
7887 len[0] = DPP_HDR_LEN;
7890 len[1] = sizeof(octet);
7891 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
7892 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
7894 if (aes_siv_decrypt(pkex->z, curve->hash_len,
7895 wrapped_data, wrapped_data_len,
7896 2, addr, len, unwrapped) < 0) {
7898 "AES-SIV decryption failed - possible PKEX code mismatch");
7903 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
7904 unwrapped, unwrapped_len);
7906 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
7907 dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
7911 b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
7913 if (!b_key || b_key_len != 2 * curve->prime_len) {
7914 dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
7917 pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
7919 if (!pkex->peer_bootstrap_key) {
7920 dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
7923 dpp_debug_print_key("DPP: Peer bootstrap public key",
7924 pkex->peer_bootstrap_key);
7926 /* ECDH: J' = y * A' */
7927 ctx = EVP_PKEY_CTX_new(pkex->y, NULL);
7929 EVP_PKEY_derive_init(ctx) != 1 ||
7930 EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
7931 EVP_PKEY_derive(ctx, NULL, &Jx_len) != 1 ||
7932 Jx_len > DPP_MAX_SHARED_SECRET_LEN ||
7933 EVP_PKEY_derive(ctx, Jx, &Jx_len) != 1) {
7934 wpa_printf(MSG_ERROR,
7935 "DPP: Failed to derive ECDH shared secret: %s",
7936 ERR_error_string(ERR_get_error(), NULL));
7940 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (J.x)",
7943 /* u' = HMAC(J'.x, MAC-Initiator | A'.x | Y.x | X'.x) */
7944 A_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
7945 Y_pub = dpp_get_pubkey_point(pkex->y, 0);
7946 X_pub = dpp_get_pubkey_point(pkex->x, 0);
7947 if (!A_pub || !Y_pub || !X_pub)
7949 addr[0] = pkex->peer_mac;
7951 addr[1] = wpabuf_head(A_pub);
7952 len[1] = wpabuf_len(A_pub) / 2;
7953 addr[2] = wpabuf_head(Y_pub);
7954 len[2] = wpabuf_len(Y_pub) / 2;
7955 addr[3] = wpabuf_head(X_pub);
7956 len[3] = wpabuf_len(X_pub) / 2;
7957 if (dpp_hmac_vector(curve->hash_len, Jx, Jx_len, 4, addr, len, u) < 0)
7960 peer_u = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
7962 if (!peer_u || peer_u_len != curve->hash_len ||
7963 os_memcmp(peer_u, u, curve->hash_len) != 0) {
7964 dpp_pkex_fail(pkex, "No valid u (I-Auth tag) found");
7965 wpa_hexdump(MSG_DEBUG, "DPP: Calculated u'",
7966 u, curve->hash_len);
7967 wpa_hexdump(MSG_DEBUG, "DPP: Received u", peer_u, peer_u_len);
7971 wpa_printf(MSG_DEBUG, "DPP: Valid u (I-Auth tag) received");
7973 /* ECDH: L = b * X' */
7974 EVP_PKEY_CTX_free(ctx);
7975 ctx = EVP_PKEY_CTX_new(pkex->own_bi->pubkey, NULL);
7977 EVP_PKEY_derive_init(ctx) != 1 ||
7978 EVP_PKEY_derive_set_peer(ctx, pkex->x) != 1 ||
7979 EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
7980 Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
7981 EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
7982 wpa_printf(MSG_ERROR,
7983 "DPP: Failed to derive ECDH shared secret: %s",
7984 ERR_error_string(ERR_get_error(), NULL));
7988 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
7991 /* v = HMAC(L.x, MAC-Responder | B.x | X'.x | Y.x) */
7992 B_pub = dpp_get_pubkey_point(pkex->own_bi->pubkey, 0);
7995 addr[0] = pkex->own_mac;
7997 addr[1] = wpabuf_head(B_pub);
7998 len[1] = wpabuf_len(B_pub) / 2;
7999 addr[2] = wpabuf_head(X_pub);
8000 len[2] = wpabuf_len(X_pub) / 2;
8001 addr[3] = wpabuf_head(Y_pub);
8002 len[3] = wpabuf_len(Y_pub) / 2;
8003 if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
8005 wpa_hexdump(MSG_DEBUG, "DPP: v", v, curve->hash_len);
8007 msg = dpp_pkex_build_commit_reveal_resp(pkex, B_pub, v);
8012 EVP_PKEY_CTX_free(ctx);
8020 wpa_printf(MSG_DEBUG,
8021 "DPP: PKEX Commit-Reveal Request processing failed");
8026 int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
8027 const u8 *buf, size_t buflen)
8029 const struct dpp_curve_params *curve = pkex->own_bi->curve;
8030 const u8 *wrapped_data, *b_key, *peer_v;
8031 u16 wrapped_data_len, b_key_len, peer_v_len = 0;
8035 u8 *unwrapped = NULL;
8036 size_t unwrapped_len = 0;
8038 u8 v[DPP_MAX_HASH_LEN];
8040 u8 Lx[DPP_MAX_SHARED_SECRET_LEN];
8041 EVP_PKEY_CTX *ctx = NULL;
8042 struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
8044 #ifdef CONFIG_TESTING_OPTIONS
8045 if (dpp_test == DPP_TEST_STOP_AT_PKEX_CR_RESP) {
8046 wpa_printf(MSG_INFO,
8047 "DPP: TESTING - stop at PKEX CR Response");
8051 #endif /* CONFIG_TESTING_OPTIONS */
8053 if (!pkex->exchange_done || pkex->failed ||
8054 pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
8057 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
8059 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
8061 "Missing or invalid required Wrapped Data attribute");
8065 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
8066 wrapped_data, wrapped_data_len);
8067 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
8068 unwrapped = os_malloc(unwrapped_len);
8073 len[0] = DPP_HDR_LEN;
8076 len[1] = sizeof(octet);
8077 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
8078 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
8080 if (aes_siv_decrypt(pkex->z, curve->hash_len,
8081 wrapped_data, wrapped_data_len,
8082 2, addr, len, unwrapped) < 0) {
8084 "AES-SIV decryption failed - possible PKEX code mismatch");
8088 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
8089 unwrapped, unwrapped_len);
8091 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
8092 dpp_pkex_fail(pkex, "Invalid attribute in unwrapped data");
8096 b_key = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_BOOTSTRAP_KEY,
8098 if (!b_key || b_key_len != 2 * curve->prime_len) {
8099 dpp_pkex_fail(pkex, "No valid peer bootstrapping key found");
8102 pkex->peer_bootstrap_key = dpp_set_pubkey_point(pkex->x, b_key,
8104 if (!pkex->peer_bootstrap_key) {
8105 dpp_pkex_fail(pkex, "Peer bootstrapping key is invalid");
8108 dpp_debug_print_key("DPP: Peer bootstrap public key",
8109 pkex->peer_bootstrap_key);
8111 /* ECDH: L' = x * B' */
8112 ctx = EVP_PKEY_CTX_new(pkex->x, NULL);
8114 EVP_PKEY_derive_init(ctx) != 1 ||
8115 EVP_PKEY_derive_set_peer(ctx, pkex->peer_bootstrap_key) != 1 ||
8116 EVP_PKEY_derive(ctx, NULL, &Lx_len) != 1 ||
8117 Lx_len > DPP_MAX_SHARED_SECRET_LEN ||
8118 EVP_PKEY_derive(ctx, Lx, &Lx_len) != 1) {
8119 wpa_printf(MSG_ERROR,
8120 "DPP: Failed to derive ECDH shared secret: %s",
8121 ERR_error_string(ERR_get_error(), NULL));
8125 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (L.x)",
8128 /* v' = HMAC(L.x, MAC-Responder | B'.x | X.x | Y'.x) */
8129 B_pub = dpp_get_pubkey_point(pkex->peer_bootstrap_key, 0);
8130 X_pub = dpp_get_pubkey_point(pkex->x, 0);
8131 Y_pub = dpp_get_pubkey_point(pkex->y, 0);
8132 if (!B_pub || !X_pub || !Y_pub)
8134 addr[0] = pkex->peer_mac;
8136 addr[1] = wpabuf_head(B_pub);
8137 len[1] = wpabuf_len(B_pub) / 2;
8138 addr[2] = wpabuf_head(X_pub);
8139 len[2] = wpabuf_len(X_pub) / 2;
8140 addr[3] = wpabuf_head(Y_pub);
8141 len[3] = wpabuf_len(Y_pub) / 2;
8142 if (dpp_hmac_vector(curve->hash_len, Lx, Lx_len, 4, addr, len, v) < 0)
8145 peer_v = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_AUTH_TAG,
8147 if (!peer_v || peer_v_len != curve->hash_len ||
8148 os_memcmp(peer_v, v, curve->hash_len) != 0) {
8149 dpp_pkex_fail(pkex, "No valid v (R-Auth tag) found");
8150 wpa_hexdump(MSG_DEBUG, "DPP: Calculated v'",
8151 v, curve->hash_len);
8152 wpa_hexdump(MSG_DEBUG, "DPP: Received v", peer_v, peer_v_len);
8156 wpa_printf(MSG_DEBUG, "DPP: Valid v (R-Auth tag) received");
8163 EVP_PKEY_CTX_free(ctx);
8171 void dpp_pkex_free(struct dpp_pkex *pkex)
8176 os_free(pkex->identifier);
8177 os_free(pkex->code);
8178 EVP_PKEY_free(pkex->x);
8179 EVP_PKEY_free(pkex->y);
8180 EVP_PKEY_free(pkex->peer_bootstrap_key);
8181 wpabuf_free(pkex->exchange_req);
8182 wpabuf_free(pkex->exchange_resp);
8187 #ifdef CONFIG_TESTING_OPTIONS
8188 char * dpp_corrupt_connector_signature(const char *connector)
8190 char *tmp, *pos, *signed3 = NULL;
8191 unsigned char *signature = NULL;
8192 size_t signature_len = 0, signed3_len;
8194 tmp = os_zalloc(os_strlen(connector) + 5);
8197 os_memcpy(tmp, connector, os_strlen(connector));
8199 pos = os_strchr(tmp, '.');
8203 pos = os_strchr(pos + 1, '.');
8208 wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
8210 signature = base64_url_decode((const unsigned char *) pos,
8211 os_strlen(pos), &signature_len);
8212 if (!signature || signature_len == 0)
8214 wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
8215 signature, signature_len);
8216 signature[signature_len - 1] ^= 0x01;
8217 wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
8218 signature, signature_len);
8219 signed3 = (char *) base64_url_encode(signature, signature_len,
8223 os_memcpy(pos, signed3, signed3_len);
8224 pos[signed3_len] = '\0';
8225 wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
8237 #endif /* CONFIG_TESTING_OPTIONS */
8242 struct dpp_pfs * dpp_pfs_init(const u8 *net_access_key,
8243 size_t net_access_key_len)
8245 struct wpabuf *pub = NULL;
8247 struct dpp_pfs *pfs;
8249 pfs = os_zalloc(sizeof(*pfs));
8253 own_key = dpp_set_keypair(&pfs->curve, net_access_key,
8254 net_access_key_len);
8256 wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
8259 EVP_PKEY_free(own_key);
8261 pfs->ecdh = crypto_ecdh_init(pfs->curve->ike_group);
8265 pub = crypto_ecdh_get_pubkey(pfs->ecdh, 0);
8266 pub = wpabuf_zeropad(pub, pfs->curve->prime_len);
8270 pfs->ie = wpabuf_alloc(5 + wpabuf_len(pub));
8273 wpabuf_put_u8(pfs->ie, WLAN_EID_EXTENSION);
8274 wpabuf_put_u8(pfs->ie, 1 + 2 + wpabuf_len(pub));
8275 wpabuf_put_u8(pfs->ie, WLAN_EID_EXT_OWE_DH_PARAM);
8276 wpabuf_put_le16(pfs->ie, pfs->curve->ike_group);
8277 wpabuf_put_buf(pfs->ie, pub);
8279 wpa_hexdump_buf(MSG_DEBUG, "DPP: Diffie-Hellman Parameter element",
8290 int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len)
8292 if (peer_ie_len < 2)
8294 if (WPA_GET_LE16(peer_ie) != pfs->curve->ike_group) {
8295 wpa_printf(MSG_DEBUG, "DPP: Peer used different group for PFS");
8299 pfs->secret = crypto_ecdh_set_peerkey(pfs->ecdh, 0, peer_ie + 2,
8301 pfs->secret = wpabuf_zeropad(pfs->secret, pfs->curve->prime_len);
8303 wpa_printf(MSG_DEBUG, "DPP: Invalid peer DH public key");
8306 wpa_hexdump_buf_key(MSG_DEBUG, "DPP: DH shared secret", pfs->secret);
8311 void dpp_pfs_free(struct dpp_pfs *pfs)
8315 crypto_ecdh_deinit(pfs->ecdh);
8316 wpabuf_free(pfs->ie);
8317 wpabuf_clear_free(pfs->secret);
8321 #endif /* CONFIG_DPP2 */
8324 static unsigned int dpp_next_id(struct dpp_global *dpp)
8326 struct dpp_bootstrap_info *bi;
8327 unsigned int max_id = 0;
8329 dl_list_for_each(bi, &dpp->bootstrap, struct dpp_bootstrap_info, list) {
8330 if (bi->id > max_id)
8337 static int dpp_bootstrap_del(struct dpp_global *dpp, unsigned int id)
8339 struct dpp_bootstrap_info *bi, *tmp;
8345 dl_list_for_each_safe(bi, tmp, &dpp->bootstrap,
8346 struct dpp_bootstrap_info, list) {
8347 if (id && bi->id != id)
8350 dl_list_del(&bi->list);
8351 dpp_bootstrap_info_free(bi);
8355 return 0; /* flush succeeds regardless of entries found */
8356 return found ? 0 : -1;
8360 struct dpp_bootstrap_info * dpp_add_qr_code(struct dpp_global *dpp,
8363 struct dpp_bootstrap_info *bi;
8368 bi = dpp_parse_qr_code(uri);
8372 bi->id = dpp_next_id(dpp);
8373 dl_list_add(&dpp->bootstrap, &bi->list);
8378 int dpp_bootstrap_gen(struct dpp_global *dpp, const char *cmd)
8380 char *chan = NULL, *mac = NULL, *info = NULL, *pk = NULL, *curve = NULL;
8383 size_t privkey_len = 0;
8386 struct dpp_bootstrap_info *bi;
8391 bi = os_zalloc(sizeof(*bi));
8395 if (os_strstr(cmd, "type=qrcode"))
8396 bi->type = DPP_BOOTSTRAP_QR_CODE;
8397 else if (os_strstr(cmd, "type=pkex"))
8398 bi->type = DPP_BOOTSTRAP_PKEX;
8402 chan = get_param(cmd, " chan=");
8403 mac = get_param(cmd, " mac=");
8404 info = get_param(cmd, " info=");
8405 curve = get_param(cmd, " curve=");
8406 key = get_param(cmd, " key=");
8409 privkey_len = os_strlen(key) / 2;
8410 privkey = os_malloc(privkey_len);
8412 hexstr2bin(key, privkey, privkey_len) < 0)
8416 pk = dpp_keygen(bi, curve, privkey, privkey_len);
8420 len = 4; /* "DPP:" */
8422 if (dpp_parse_uri_chan_list(bi, chan) < 0)
8424 len += 3 + os_strlen(chan); /* C:...; */
8427 if (dpp_parse_uri_mac(bi, mac) < 0)
8429 len += 3 + os_strlen(mac); /* M:...; */
8432 if (dpp_parse_uri_info(bi, info) < 0)
8434 len += 3 + os_strlen(info); /* I:...; */
8436 len += 4 + os_strlen(pk);
8437 bi->uri = os_malloc(len + 1);
8440 os_snprintf(bi->uri, len + 1, "DPP:%s%s%s%s%s%s%s%s%sK:%s;;",
8441 chan ? "C:" : "", chan ? chan : "", chan ? ";" : "",
8442 mac ? "M:" : "", mac ? mac : "", mac ? ";" : "",
8443 info ? "I:" : "", info ? info : "", info ? ";" : "",
8445 bi->id = dpp_next_id(dpp);
8446 dl_list_add(&dpp->bootstrap, &bi->list);
8455 str_clear_free(key);
8456 bin_clear_free(privkey, privkey_len);
8457 dpp_bootstrap_info_free(bi);
8462 struct dpp_bootstrap_info *
8463 dpp_bootstrap_get_id(struct dpp_global *dpp, unsigned int id)
8465 struct dpp_bootstrap_info *bi;
8470 dl_list_for_each(bi, &dpp->bootstrap, struct dpp_bootstrap_info, list) {
8478 int dpp_bootstrap_remove(struct dpp_global *dpp, const char *id)
8480 unsigned int id_val;
8482 if (os_strcmp(id, "*") == 0) {
8490 return dpp_bootstrap_del(dpp, id_val);
8494 struct dpp_bootstrap_info *
8495 dpp_pkex_finish(struct dpp_global *dpp, struct dpp_pkex *pkex, const u8 *peer,
8498 struct dpp_bootstrap_info *bi;
8500 bi = os_zalloc(sizeof(*bi));
8503 bi->id = dpp_next_id(dpp);
8504 bi->type = DPP_BOOTSTRAP_PKEX;
8505 os_memcpy(bi->mac_addr, peer, ETH_ALEN);
8508 bi->curve = pkex->own_bi->curve;
8509 bi->pubkey = pkex->peer_bootstrap_key;
8510 pkex->peer_bootstrap_key = NULL;
8511 if (dpp_bootstrap_key_hash(bi) < 0) {
8512 dpp_bootstrap_info_free(bi);
8515 dpp_pkex_free(pkex);
8516 dl_list_add(&dpp->bootstrap, &bi->list);
8521 const char * dpp_bootstrap_get_uri(struct dpp_global *dpp, unsigned int id)
8523 struct dpp_bootstrap_info *bi;
8525 bi = dpp_bootstrap_get_id(dpp, id);
8532 int dpp_bootstrap_info(struct dpp_global *dpp, int id,
8533 char *reply, int reply_size)
8535 struct dpp_bootstrap_info *bi;
8537 bi = dpp_bootstrap_get_id(dpp, id);
8540 return os_snprintf(reply, reply_size, "type=%s\n"
8541 "mac_addr=" MACSTR "\n"
8545 dpp_bootstrap_type_txt(bi->type),
8546 MAC2STR(bi->mac_addr),
8547 bi->info ? bi->info : "",
8553 void dpp_bootstrap_find_pair(struct dpp_global *dpp, const u8 *i_bootstrap,
8554 const u8 *r_bootstrap,
8555 struct dpp_bootstrap_info **own_bi,
8556 struct dpp_bootstrap_info **peer_bi)
8558 struct dpp_bootstrap_info *bi;
8565 dl_list_for_each(bi, &dpp->bootstrap, struct dpp_bootstrap_info, list) {
8566 if (!*own_bi && bi->own &&
8567 os_memcmp(bi->pubkey_hash, r_bootstrap,
8568 SHA256_MAC_LEN) == 0) {
8569 wpa_printf(MSG_DEBUG,
8570 "DPP: Found matching own bootstrapping information");
8574 if (!*peer_bi && !bi->own &&
8575 os_memcmp(bi->pubkey_hash, i_bootstrap,
8576 SHA256_MAC_LEN) == 0) {
8577 wpa_printf(MSG_DEBUG,
8578 "DPP: Found matching peer bootstrapping information");
8582 if (*own_bi && *peer_bi)
8589 static unsigned int dpp_next_configurator_id(struct dpp_global *dpp)
8591 struct dpp_configurator *conf;
8592 unsigned int max_id = 0;
8594 dl_list_for_each(conf, &dpp->configurator, struct dpp_configurator,
8596 if (conf->id > max_id)
8603 int dpp_configurator_add(struct dpp_global *dpp, const char *cmd)
8608 size_t privkey_len = 0;
8610 struct dpp_configurator *conf = NULL;
8612 curve = get_param(cmd, " curve=");
8613 key = get_param(cmd, " key=");
8616 privkey_len = os_strlen(key) / 2;
8617 privkey = os_malloc(privkey_len);
8619 hexstr2bin(key, privkey, privkey_len) < 0)
8623 conf = dpp_keygen_configurator(curve, privkey, privkey_len);
8627 conf->id = dpp_next_configurator_id(dpp);
8628 dl_list_add(&dpp->configurator, &conf->list);
8633 str_clear_free(key);
8634 bin_clear_free(privkey, privkey_len);
8635 dpp_configurator_free(conf);
8640 static int dpp_configurator_del(struct dpp_global *dpp, unsigned int id)
8642 struct dpp_configurator *conf, *tmp;
8648 dl_list_for_each_safe(conf, tmp, &dpp->configurator,
8649 struct dpp_configurator, list) {
8650 if (id && conf->id != id)
8653 dl_list_del(&conf->list);
8654 dpp_configurator_free(conf);
8658 return 0; /* flush succeeds regardless of entries found */
8659 return found ? 0 : -1;
8663 int dpp_configurator_remove(struct dpp_global *dpp, const char *id)
8665 unsigned int id_val;
8667 if (os_strcmp(id, "*") == 0) {
8675 return dpp_configurator_del(dpp, id_val);
8679 int dpp_configurator_get_key_id(struct dpp_global *dpp, unsigned int id,
8680 char *buf, size_t buflen)
8682 struct dpp_configurator *conf;
8684 conf = dpp_configurator_get_id(dpp, id);
8688 return dpp_configurator_get_key(conf, buf, buflen);
8692 struct dpp_global * dpp_global_init(void)
8694 struct dpp_global *dpp;
8696 dpp = os_zalloc(sizeof(*dpp));
8700 dl_list_init(&dpp->bootstrap);
8701 dl_list_init(&dpp->configurator);
8707 void dpp_global_clear(struct dpp_global *dpp)
8712 dpp_bootstrap_del(dpp, 0);
8713 dpp_configurator_del(dpp, 0);
8717 void dpp_global_deinit(struct dpp_global *dpp)
8719 dpp_global_clear(dpp);
projects / FreeBSD / FreeBSD.git / blob