2020-05-10 15:25:42 +02:00
|
|
|
/*
|
|
|
|
* DPP crypto functionality
|
|
|
|
* Copyright (c) 2017, Qualcomm Atheros, Inc.
|
|
|
|
* Copyright (c) 2018-2020, The Linux Foundation
|
|
|
|
*
|
|
|
|
* This software may be distributed under the terms of the BSD license.
|
|
|
|
* See README for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "utils/includes.h"
|
|
|
|
|
|
|
|
#include "utils/common.h"
|
|
|
|
#include "utils/base64.h"
|
|
|
|
#include "utils/json.h"
|
|
|
|
#include "common/ieee802_11_defs.h"
|
|
|
|
#include "crypto/crypto.h"
|
2020-09-09 22:33:58 +02:00
|
|
|
#include "crypto/random.h"
|
2020-05-10 15:25:42 +02:00
|
|
|
#include "crypto/sha384.h"
|
|
|
|
#include "crypto/sha512.h"
|
2021-06-28 18:25:37 +02:00
|
|
|
#include "tls/asn1.h"
|
2020-05-10 15:25:42 +02:00
|
|
|
#include "dpp.h"
|
|
|
|
#include "dpp_i.h"
|
|
|
|
|
|
|
|
|
|
|
|
static const struct dpp_curve_params dpp_curves[] = {
|
|
|
|
/* The mandatory to support and the default NIST P-256 curve needs to
|
|
|
|
* be the first entry on this list. */
|
|
|
|
{ "prime256v1", 32, 32, 16, 32, "P-256", 19, "ES256" },
|
|
|
|
{ "secp384r1", 48, 48, 24, 48, "P-384", 20, "ES384" },
|
|
|
|
{ "secp521r1", 64, 64, 32, 66, "P-521", 21, "ES512" },
|
|
|
|
{ "brainpoolP256r1", 32, 32, 16, 32, "BP-256", 28, "BS256" },
|
|
|
|
{ "brainpoolP384r1", 48, 48, 24, 48, "BP-384", 29, "BS384" },
|
|
|
|
{ "brainpoolP512r1", 64, 64, 32, 64, "BP-512", 30, "BS512" },
|
|
|
|
{ NULL, 0, 0, 0, 0, NULL, 0, NULL }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
const struct dpp_curve_params * dpp_get_curve_name(const char *name)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (!name)
|
|
|
|
return &dpp_curves[0];
|
|
|
|
|
|
|
|
for (i = 0; dpp_curves[i].name; i++) {
|
|
|
|
if (os_strcmp(name, dpp_curves[i].name) == 0 ||
|
|
|
|
(dpp_curves[i].jwk_crv &&
|
|
|
|
os_strcmp(name, dpp_curves[i].jwk_crv) == 0))
|
|
|
|
return &dpp_curves[i];
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
const struct dpp_curve_params * dpp_get_curve_jwk_crv(const char *name)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; dpp_curves[i].name; i++) {
|
|
|
|
if (dpp_curves[i].jwk_crv &&
|
|
|
|
os_strcmp(name, dpp_curves[i].jwk_crv) == 0)
|
|
|
|
return &dpp_curves[i];
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-08-06 18:47:28 +02:00
|
|
|
const struct dpp_curve_params * dpp_get_curve_ike_group(u16 group)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; dpp_curves[i].name; i++) {
|
|
|
|
if (dpp_curves[i].ike_group == group)
|
|
|
|
return &dpp_curves[i];
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
void dpp_debug_print_key(const char *title, struct crypto_ec_key *key)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
2021-06-28 18:25:22 +02:00
|
|
|
struct wpabuf *der = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:36 +02:00
|
|
|
crypto_ec_key_debug_print(key, title);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:22 +02:00
|
|
|
der = crypto_ec_key_get_ecprivate_key(key, true);
|
|
|
|
if (der) {
|
|
|
|
wpa_hexdump_buf_key(MSG_DEBUG, "DPP: ECPrivateKey", der);
|
|
|
|
} else {
|
|
|
|
der = crypto_ec_key_get_subject_public_key(key);
|
|
|
|
if (der)
|
|
|
|
wpa_hexdump_buf_key(MSG_DEBUG, "DPP: EC_PUBKEY", der);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:22 +02:00
|
|
|
wpabuf_clear_free(der);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-11 11:16:20 +02:00
|
|
|
static int dpp_hash_vector(const struct dpp_curve_params *curve,
|
|
|
|
size_t num_elem, const u8 *addr[], const size_t *len,
|
|
|
|
u8 *mac)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
if (curve->hash_len == 32)
|
|
|
|
return sha256_vector(num_elem, addr, len, mac);
|
|
|
|
if (curve->hash_len == 48)
|
|
|
|
return sha384_vector(num_elem, addr, len, mac);
|
|
|
|
if (curve->hash_len == 64)
|
|
|
|
return sha512_vector(num_elem, addr, len, mac);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
|
|
|
|
const char *label, u8 *out, size_t outlen)
|
|
|
|
{
|
|
|
|
if (hash_len == 32)
|
|
|
|
return hmac_sha256_kdf(secret, secret_len, NULL,
|
|
|
|
(const u8 *) label, os_strlen(label),
|
|
|
|
out, outlen);
|
|
|
|
if (hash_len == 48)
|
|
|
|
return hmac_sha384_kdf(secret, secret_len, NULL,
|
|
|
|
(const u8 *) label, os_strlen(label),
|
|
|
|
out, outlen);
|
|
|
|
if (hash_len == 64)
|
|
|
|
return hmac_sha512_kdf(secret, secret_len, NULL,
|
|
|
|
(const u8 *) label, os_strlen(label),
|
|
|
|
out, outlen);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
|
|
|
|
size_t num_elem, const u8 *addr[], const size_t *len,
|
|
|
|
u8 *mac)
|
|
|
|
{
|
|
|
|
if (hash_len == 32)
|
|
|
|
return hmac_sha256_vector(key, key_len, num_elem, addr, len,
|
|
|
|
mac);
|
|
|
|
if (hash_len == 48)
|
|
|
|
return hmac_sha384_vector(key, key_len, num_elem, addr, len,
|
|
|
|
mac);
|
|
|
|
if (hash_len == 64)
|
|
|
|
return hmac_sha512_vector(key, key_len, num_elem, addr, len,
|
|
|
|
mac);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-11 11:16:20 +02:00
|
|
|
static int dpp_hmac(size_t hash_len, const u8 *key, size_t key_len,
|
|
|
|
const u8 *data, size_t data_len, u8 *mac)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
if (hash_len == 32)
|
|
|
|
return hmac_sha256(key, key_len, data, data_len, mac);
|
|
|
|
if (hash_len == 48)
|
|
|
|
return hmac_sha384(key, key_len, data, data_len, mac);
|
|
|
|
if (hash_len == 64)
|
|
|
|
return hmac_sha512(key, key_len, data, data_len, mac);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_DPP2
|
|
|
|
|
|
|
|
static int dpp_pbkdf2_f(size_t hash_len,
|
|
|
|
const u8 *password, size_t password_len,
|
|
|
|
const u8 *salt, size_t salt_len,
|
|
|
|
unsigned int iterations, unsigned int count, u8 *digest)
|
|
|
|
{
|
|
|
|
unsigned char tmp[DPP_MAX_HASH_LEN], tmp2[DPP_MAX_HASH_LEN];
|
|
|
|
unsigned int i;
|
|
|
|
size_t j;
|
|
|
|
u8 count_buf[4];
|
|
|
|
const u8 *addr[2];
|
|
|
|
size_t len[2];
|
|
|
|
|
|
|
|
addr[0] = salt;
|
|
|
|
len[0] = salt_len;
|
|
|
|
addr[1] = count_buf;
|
|
|
|
len[1] = 4;
|
|
|
|
|
|
|
|
/* F(P, S, c, i) = U1 xor U2 xor ... Uc
|
|
|
|
* U1 = PRF(P, S || i)
|
|
|
|
* U2 = PRF(P, U1)
|
|
|
|
* Uc = PRF(P, Uc-1)
|
|
|
|
*/
|
|
|
|
|
|
|
|
WPA_PUT_BE32(count_buf, count);
|
|
|
|
if (dpp_hmac_vector(hash_len, password, password_len, 2, addr, len,
|
|
|
|
tmp))
|
|
|
|
return -1;
|
|
|
|
os_memcpy(digest, tmp, hash_len);
|
|
|
|
|
|
|
|
for (i = 1; i < iterations; i++) {
|
|
|
|
if (dpp_hmac(hash_len, password, password_len, tmp, hash_len,
|
|
|
|
tmp2))
|
|
|
|
return -1;
|
|
|
|
os_memcpy(tmp, tmp2, hash_len);
|
|
|
|
for (j = 0; j < hash_len; j++)
|
|
|
|
digest[j] ^= tmp2[j];
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_pbkdf2(size_t hash_len, const u8 *password, size_t password_len,
|
|
|
|
const u8 *salt, size_t salt_len, unsigned int iterations,
|
|
|
|
u8 *buf, size_t buflen)
|
|
|
|
{
|
|
|
|
unsigned int count = 0;
|
|
|
|
unsigned char *pos = buf;
|
|
|
|
size_t left = buflen, plen;
|
|
|
|
unsigned char digest[DPP_MAX_HASH_LEN];
|
|
|
|
|
|
|
|
while (left > 0) {
|
|
|
|
count++;
|
|
|
|
if (dpp_pbkdf2_f(hash_len, password, password_len,
|
|
|
|
salt, salt_len, iterations, count, digest))
|
|
|
|
return -1;
|
|
|
|
plen = left > hash_len ? hash_len : left;
|
|
|
|
os_memcpy(pos, digest, plen);
|
|
|
|
pos += plen;
|
|
|
|
left -= plen;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* CONFIG_DPP2 */
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key * dpp_set_pubkey_point(struct crypto_ec_key *group_key,
|
|
|
|
const u8 *buf, size_t len)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
2021-06-28 18:25:24 +02:00
|
|
|
int ike_group = crypto_ec_key_group(group_key);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
|
|
|
if (len & 1)
|
|
|
|
return NULL;
|
|
|
|
|
2021-06-28 18:25:24 +02:00
|
|
|
if (ike_group < 0) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Could not get EC group");
|
2020-05-10 15:25:42 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:24 +02:00
|
|
|
return crypto_ec_key_set_pub(ike_group, buf, buf + len / 2, len / 2);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
2021-06-28 18:25:21 +02:00
|
|
|
struct crypto_ec_key *key;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
|
|
|
|
|
2021-06-28 18:25:21 +02:00
|
|
|
key = crypto_ec_key_gen(curve->ike_group);
|
|
|
|
if (key && wpa_debug_show_keys)
|
|
|
|
dpp_debug_print_key("Own generated key", key);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:21 +02:00
|
|
|
return key;
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key * dpp_set_keypair(const struct dpp_curve_params **curve,
|
|
|
|
const u8 *privkey, size_t privkey_len)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
2021-06-28 18:25:27 +02:00
|
|
|
struct crypto_ec_key *key;
|
|
|
|
int group;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:27 +02:00
|
|
|
key = crypto_ec_key_parse_priv(privkey, privkey_len);
|
|
|
|
if (!key) {
|
|
|
|
wpa_printf(MSG_INFO, "DPP: Failed to parse private key");
|
2020-05-10 15:25:42 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2021-06-28 18:25:27 +02:00
|
|
|
|
|
|
|
group = crypto_ec_key_group(key);
|
|
|
|
if (group < 0) {
|
|
|
|
crypto_ec_key_deinit(key);
|
2020-05-10 15:25:42 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2021-06-28 18:25:27 +02:00
|
|
|
|
|
|
|
*curve = dpp_get_curve_ike_group(group);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!*curve) {
|
|
|
|
wpa_printf(MSG_INFO,
|
2021-06-28 18:25:27 +02:00
|
|
|
"DPP: Unsupported curve (group=%d) in pre-assigned key",
|
|
|
|
group);
|
|
|
|
crypto_ec_key_deinit(key);
|
2020-05-10 15:25:42 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:27 +02:00
|
|
|
return key;
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_bootstrap_key_hash(struct dpp_bootstrap_info *bi)
|
|
|
|
{
|
|
|
|
struct wpabuf *der;
|
|
|
|
int res;
|
|
|
|
|
2021-10-29 11:05:32 +02:00
|
|
|
der = crypto_ec_key_get_subject_public_key(bi->pubkey);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!der)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
|
|
|
|
der);
|
|
|
|
res = dpp_bi_pubkey_hash(bi, wpabuf_head(der), wpabuf_len(der));
|
|
|
|
if (res < 0)
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
|
|
|
|
wpabuf_free(der);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve,
|
|
|
|
const u8 *privkey, size_t privkey_len)
|
|
|
|
{
|
|
|
|
char *base64 = NULL;
|
|
|
|
char *pos, *end;
|
|
|
|
size_t len;
|
|
|
|
struct wpabuf *der = NULL;
|
|
|
|
|
|
|
|
bi->curve = dpp_get_curve_name(curve);
|
|
|
|
if (!bi->curve) {
|
|
|
|
wpa_printf(MSG_INFO, "DPP: Unsupported curve: %s", curve);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (privkey)
|
|
|
|
bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len);
|
|
|
|
else
|
|
|
|
bi->pubkey = dpp_gen_keypair(bi->curve);
|
|
|
|
if (!bi->pubkey)
|
|
|
|
goto fail;
|
|
|
|
bi->own = 1;
|
|
|
|
|
2021-10-29 11:05:32 +02:00
|
|
|
der = crypto_ec_key_get_subject_public_key(bi->pubkey);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!der)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "DPP: Compressed public key (DER)",
|
|
|
|
der);
|
|
|
|
|
|
|
|
if (dpp_bi_pubkey_hash(bi, wpabuf_head(der), wpabuf_len(der)) < 0) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
base64 = base64_encode(wpabuf_head(der), wpabuf_len(der), &len);
|
|
|
|
wpabuf_free(der);
|
|
|
|
der = NULL;
|
|
|
|
if (!base64)
|
|
|
|
goto fail;
|
|
|
|
pos = base64;
|
|
|
|
end = pos + len;
|
|
|
|
for (;;) {
|
|
|
|
pos = os_strchr(pos, '\n');
|
|
|
|
if (!pos)
|
|
|
|
break;
|
|
|
|
os_memmove(pos, pos + 1, end - pos);
|
|
|
|
}
|
|
|
|
os_free(bi->pk);
|
|
|
|
bi->pk = base64;
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
|
|
os_free(base64);
|
|
|
|
wpabuf_free(der);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_derive_k1(const u8 *Mx, size_t Mx_len, u8 *k1, unsigned int hash_len)
|
|
|
|
{
|
|
|
|
u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
|
|
|
|
const char *info = "first intermediate key";
|
|
|
|
int res;
|
|
|
|
|
|
|
|
/* k1 = HKDF(<>, "first intermediate key", M.x) */
|
|
|
|
|
|
|
|
/* HKDF-Extract(<>, M.x) */
|
|
|
|
os_memset(salt, 0, hash_len);
|
|
|
|
if (dpp_hmac(hash_len, salt, hash_len, Mx, Mx_len, prk) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=M.x)",
|
|
|
|
prk, hash_len);
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, info, L) */
|
|
|
|
res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k1, hash_len);
|
|
|
|
os_memset(prk, 0, hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: k1 = HKDF-Expand(PRK, info, L)",
|
|
|
|
k1, hash_len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2, unsigned int hash_len)
|
|
|
|
{
|
|
|
|
u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
|
|
|
|
const char *info = "second intermediate key";
|
|
|
|
int res;
|
|
|
|
|
|
|
|
/* k2 = HKDF(<>, "second intermediate key", N.x) */
|
|
|
|
|
|
|
|
/* HKDF-Extract(<>, N.x) */
|
|
|
|
os_memset(salt, 0, hash_len);
|
|
|
|
res = dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
|
|
|
|
prk, hash_len);
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, info, L) */
|
|
|
|
res = dpp_hkdf_expand(hash_len, prk, hash_len, info, k2, hash_len);
|
|
|
|
os_memset(prk, 0, hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: k2 = HKDF-Expand(PRK, info, L)",
|
|
|
|
k2, hash_len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_derive_bk_ke(struct dpp_authentication *auth)
|
|
|
|
{
|
|
|
|
unsigned int hash_len = auth->curve->hash_len;
|
|
|
|
size_t nonce_len = auth->curve->nonce_len;
|
|
|
|
u8 nonces[2 * DPP_MAX_NONCE_LEN];
|
|
|
|
const char *info_ke = "DPP Key";
|
|
|
|
int res;
|
|
|
|
const u8 *addr[3];
|
|
|
|
size_t len[3];
|
|
|
|
size_t num_elem = 0;
|
|
|
|
|
|
|
|
if (!auth->Mx_len || !auth->Nx_len) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Mx/Nx not available - cannot derive ke");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
|
|
|
|
os_memcpy(nonces, auth->i_nonce, nonce_len);
|
|
|
|
os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
|
|
|
|
addr[num_elem] = auth->Mx;
|
|
|
|
len[num_elem] = auth->Mx_len;
|
|
|
|
num_elem++;
|
|
|
|
addr[num_elem] = auth->Nx;
|
|
|
|
len[num_elem] = auth->Nx_len;
|
|
|
|
num_elem++;
|
|
|
|
if (auth->peer_bi && auth->own_bi) {
|
|
|
|
if (!auth->Lx_len) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Lx not available - cannot derive ke");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
addr[num_elem] = auth->Lx;
|
|
|
|
len[num_elem] = auth->secret_len;
|
|
|
|
num_elem++;
|
|
|
|
}
|
|
|
|
res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
|
|
|
|
num_elem, addr, len, auth->bk);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x])",
|
|
|
|
auth->bk, hash_len);
|
|
|
|
|
2020-05-29 20:35:26 +02:00
|
|
|
/* ke = HKDF-Expand(bk, "DPP Key", length) */
|
2020-05-10 15:25:42 +02:00
|
|
|
res = dpp_hkdf_expand(hash_len, auth->bk, hash_len, info_ke, auth->ke,
|
|
|
|
hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: ke = HKDF-Expand(bk, \"DPP Key\", length)",
|
|
|
|
auth->ke, hash_len);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
int dpp_ecdh(struct crypto_ec_key *own, struct crypto_ec_key *peer,
|
|
|
|
u8 *secret, size_t *secret_len)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
2021-10-29 11:05:31 +02:00
|
|
|
struct crypto_ecdh *ecdh;
|
|
|
|
struct wpabuf *peer_pub, *secret_buf = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
*secret_len = 0;
|
|
|
|
|
2021-10-29 11:05:31 +02:00
|
|
|
ecdh = crypto_ecdh_init2(crypto_ec_key_group(own), own);
|
|
|
|
if (!ecdh) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: crypto_ecdh_init2() failed");
|
2020-05-10 15:25:42 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2021-10-29 11:05:31 +02:00
|
|
|
peer_pub = crypto_ec_key_get_pubkey_point(peer, 0);
|
|
|
|
if (!peer_pub) {
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_printf(MSG_ERROR,
|
2021-10-29 11:05:31 +02:00
|
|
|
"DPP: crypto_ec_key_get_pubkey_point() failed");
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-10-29 11:05:31 +02:00
|
|
|
secret_buf = crypto_ecdh_set_peerkey(ecdh, 1, wpabuf_head(peer_pub),
|
|
|
|
wpabuf_len(peer_pub));
|
|
|
|
if (!secret_buf) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: crypto_ecdh_set_peerkey() failed");
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-10-29 11:05:31 +02:00
|
|
|
if (wpabuf_len(secret_buf) > DPP_MAX_SHARED_SECRET_LEN) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: ECDH secret longer than expected");
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-10-29 11:05:31 +02:00
|
|
|
*secret_len = wpabuf_len(secret_buf);
|
|
|
|
os_memcpy(secret, wpabuf_head(secret_buf), wpabuf_len(secret_buf));
|
2020-05-10 15:25:42 +02:00
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
fail:
|
2021-10-29 11:05:31 +02:00
|
|
|
wpabuf_clear_free(secret_buf);
|
|
|
|
wpabuf_free(peer_pub);
|
|
|
|
crypto_ecdh_deinit(ecdh);
|
2020-05-10 15:25:42 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_bi_pubkey_hash(struct dpp_bootstrap_info *bi,
|
|
|
|
const u8 *data, size_t data_len)
|
|
|
|
{
|
|
|
|
const u8 *addr[2];
|
|
|
|
size_t len[2];
|
|
|
|
|
|
|
|
addr[0] = data;
|
|
|
|
len[0] = data_len;
|
|
|
|
if (sha256_vector(1, addr, len, bi->pubkey_hash) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Public key hash",
|
|
|
|
bi->pubkey_hash, SHA256_MAC_LEN);
|
|
|
|
|
|
|
|
addr[0] = (const u8 *) "chirp";
|
|
|
|
len[0] = 5;
|
|
|
|
addr[1] = data;
|
|
|
|
len[1] = data_len;
|
|
|
|
if (sha256_vector(2, addr, len, bi->pubkey_hash_chirp) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Public key hash (chirp)",
|
|
|
|
bi->pubkey_hash_chirp, SHA256_MAC_LEN);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_get_subject_public_key(struct dpp_bootstrap_info *bi,
|
|
|
|
const u8 *data, size_t data_len)
|
|
|
|
{
|
2021-06-28 18:25:26 +02:00
|
|
|
struct crypto_ec_key *key;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
|
|
|
if (dpp_bi_pubkey_hash(bi, data, data_len) < 0) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:26 +02:00
|
|
|
key = crypto_ec_key_parse_pub(data, data_len);
|
|
|
|
if (!key) {
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Could not parse URI public-key SubjectPublicKeyInfo");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:26 +02:00
|
|
|
bi->curve = dpp_get_curve_ike_group(crypto_ec_key_group(key));
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!bi->curve) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
2021-06-28 18:25:26 +02:00
|
|
|
"DPP: Unsupported SubjectPublicKeyInfo curve: group %d",
|
|
|
|
crypto_ec_key_group(key));
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:26 +02:00
|
|
|
bi->pubkey = key;
|
2020-05-10 15:25:42 +02:00
|
|
|
return 0;
|
|
|
|
fail:
|
2021-06-28 18:25:26 +02:00
|
|
|
crypto_ec_key_deinit(key);
|
2020-05-10 15:25:42 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static struct wpabuf *
|
|
|
|
dpp_parse_jws_prot_hdr(const struct dpp_curve_params *curve,
|
|
|
|
const u8 *prot_hdr, u16 prot_hdr_len,
|
2021-06-28 18:25:31 +02:00
|
|
|
int *hash_func)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
struct json_token *root, *token;
|
|
|
|
struct wpabuf *kid = NULL;
|
|
|
|
|
|
|
|
root = json_parse((const char *) prot_hdr, prot_hdr_len);
|
|
|
|
if (!root) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: JSON parsing failed for JWS Protected Header");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (root->type != JSON_OBJECT) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: JWS Protected Header root is not an object");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
token = json_get_member(root, "typ");
|
|
|
|
if (!token || token->type != JSON_STRING) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: No typ string value found");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header typ=%s",
|
|
|
|
token->string);
|
|
|
|
if (os_strcmp(token->string, "dppCon") != 0) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unsupported JWS Protected Header typ=%s",
|
|
|
|
token->string);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
token = json_get_member(root, "alg");
|
|
|
|
if (!token || token->type != JSON_STRING) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: No alg string value found");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: JWS Protected Header alg=%s",
|
|
|
|
token->string);
|
|
|
|
if (os_strcmp(token->string, curve->jws_alg) != 0) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unexpected JWS Protected Header alg=%s (expected %s based on C-sign-key)",
|
|
|
|
token->string, curve->jws_alg);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
if (os_strcmp(token->string, "ES256") == 0 ||
|
2021-06-28 18:25:31 +02:00
|
|
|
os_strcmp(token->string, "BS256") == 0) {
|
|
|
|
*hash_func = CRYPTO_HASH_ALG_SHA256;
|
|
|
|
} else if (os_strcmp(token->string, "ES384") == 0 ||
|
|
|
|
os_strcmp(token->string, "BS384") == 0) {
|
|
|
|
*hash_func = CRYPTO_HASH_ALG_SHA384;
|
|
|
|
} else if (os_strcmp(token->string, "ES512") == 0 ||
|
|
|
|
os_strcmp(token->string, "BS512") == 0) {
|
|
|
|
*hash_func = CRYPTO_HASH_ALG_SHA512;
|
|
|
|
} else {
|
|
|
|
*hash_func = -1;
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unsupported JWS Protected Header alg=%s",
|
|
|
|
token->string);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
kid = json_get_member_base64url(root, "kid");
|
|
|
|
if (!kid) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: No kid string value found");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "DPP: JWS Protected Header kid (decoded)",
|
|
|
|
kid);
|
|
|
|
|
|
|
|
fail:
|
|
|
|
json_free(root);
|
|
|
|
return kid;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
static int dpp_check_pubkey_match(struct crypto_ec_key *pub,
|
|
|
|
struct wpabuf *r_hash)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
struct wpabuf *uncomp;
|
|
|
|
int res;
|
|
|
|
u8 hash[SHA256_MAC_LEN];
|
|
|
|
const u8 *addr[1];
|
|
|
|
size_t len[1];
|
|
|
|
|
|
|
|
if (wpabuf_len(r_hash) != SHA256_MAC_LEN)
|
|
|
|
return -1;
|
2021-06-28 18:25:23 +02:00
|
|
|
uncomp = crypto_ec_key_get_pubkey_point(pub, 1);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!uncomp)
|
|
|
|
return -1;
|
|
|
|
addr[0] = wpabuf_head(uncomp);
|
|
|
|
len[0] = wpabuf_len(uncomp);
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Uncompressed public key",
|
|
|
|
addr[0], len[0]);
|
|
|
|
res = sha256_vector(1, addr, len, hash);
|
|
|
|
wpabuf_free(uncomp);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
if (os_memcmp(hash, wpabuf_head(r_hash), SHA256_MAC_LEN) != 0) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Received hash value does not match calculated public key hash value");
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Calculated hash",
|
|
|
|
hash, SHA256_MAC_LEN);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
enum dpp_status_error
|
|
|
|
dpp_process_signed_connector(struct dpp_signed_connector_info *info,
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *csign_pub,
|
|
|
|
const char *connector)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
enum dpp_status_error ret = 255;
|
|
|
|
const char *pos, *end, *signed_start, *signed_end;
|
|
|
|
struct wpabuf *kid = NULL;
|
|
|
|
unsigned char *prot_hdr = NULL, *signature = NULL;
|
2021-06-28 18:25:31 +02:00
|
|
|
size_t prot_hdr_len = 0, signature_len = 0, signed_len;
|
|
|
|
int res, hash_func = -1;
|
2020-05-10 15:25:42 +02:00
|
|
|
const struct dpp_curve_params *curve;
|
2021-06-28 18:25:31 +02:00
|
|
|
u8 *hash = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:31 +02:00
|
|
|
curve = dpp_get_curve_ike_group(crypto_ec_key_group(csign_pub));
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!curve)
|
|
|
|
goto fail;
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: C-sign-key group: %s", curve->jwk_crv);
|
|
|
|
os_memset(info, 0, sizeof(*info));
|
|
|
|
|
|
|
|
signed_start = pos = connector;
|
|
|
|
end = os_strchr(pos, '.');
|
|
|
|
if (!end) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Missing dot(1) in signedConnector");
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
prot_hdr = base64_url_decode(pos, end - pos, &prot_hdr_len);
|
|
|
|
if (!prot_hdr) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Failed to base64url decode signedConnector JWS Protected Header");
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump_ascii(MSG_DEBUG,
|
|
|
|
"DPP: signedConnector - JWS Protected Header",
|
|
|
|
prot_hdr, prot_hdr_len);
|
2021-06-28 18:25:31 +02:00
|
|
|
kid = dpp_parse_jws_prot_hdr(curve, prot_hdr, prot_hdr_len, &hash_func);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!kid) {
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
if (wpabuf_len(kid) != SHA256_MAC_LEN) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unexpected signedConnector JWS Protected Header kid length: %u (expected %u)",
|
|
|
|
(unsigned int) wpabuf_len(kid), SHA256_MAC_LEN);
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
pos = end + 1;
|
|
|
|
end = os_strchr(pos, '.');
|
|
|
|
if (!end) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Missing dot(2) in signedConnector");
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
signed_end = end - 1;
|
|
|
|
info->payload = base64_url_decode(pos, end - pos, &info->payload_len);
|
|
|
|
if (!info->payload) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Failed to base64url decode signedConnector JWS Payload");
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump_ascii(MSG_DEBUG,
|
|
|
|
"DPP: signedConnector - JWS Payload",
|
|
|
|
info->payload, info->payload_len);
|
|
|
|
pos = end + 1;
|
|
|
|
signature = base64_url_decode(pos, os_strlen(pos), &signature_len);
|
|
|
|
if (!signature) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Failed to base64url decode signedConnector signature");
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: signedConnector - signature",
|
|
|
|
signature, signature_len);
|
|
|
|
|
|
|
|
if (dpp_check_pubkey_match(csign_pub, kid) < 0) {
|
|
|
|
ret = DPP_STATUS_NO_MATCH;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (signature_len & 0x01) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unexpected signedConnector signature length (%d)",
|
|
|
|
(int) signature_len);
|
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:31 +02:00
|
|
|
hash = os_malloc(curve->hash_len);
|
|
|
|
if (!hash)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:31 +02:00
|
|
|
signed_len = signed_end - signed_start + 1;
|
|
|
|
if (hash_func == CRYPTO_HASH_ALG_SHA256)
|
|
|
|
res = sha256_vector(1, (const u8 **) &signed_start, &signed_len,
|
|
|
|
hash);
|
|
|
|
else if (hash_func == CRYPTO_HASH_ALG_SHA384)
|
|
|
|
res = sha384_vector(1, (const u8 **) &signed_start, &signed_len,
|
|
|
|
hash);
|
|
|
|
else if (hash_func == CRYPTO_HASH_ALG_SHA512)
|
|
|
|
res = sha512_vector(1, (const u8 **) &signed_start, &signed_len,
|
|
|
|
hash);
|
|
|
|
else
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:31 +02:00
|
|
|
if (res)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:31 +02:00
|
|
|
|
|
|
|
res = crypto_ec_key_verify_signature_r_s(csign_pub,
|
|
|
|
hash, curve->hash_len,
|
|
|
|
signature, signature_len / 2,
|
|
|
|
signature + signature_len / 2,
|
|
|
|
signature_len / 2);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (res != 1) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
2021-06-28 18:25:31 +02:00
|
|
|
"DPP: signedConnector signature check failed (res=%d)",
|
|
|
|
res);
|
2020-05-10 15:25:42 +02:00
|
|
|
ret = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = DPP_STATUS_OK;
|
|
|
|
fail:
|
2021-06-28 18:25:31 +02:00
|
|
|
os_free(hash);
|
2020-05-10 15:25:42 +02:00
|
|
|
os_free(prot_hdr);
|
|
|
|
wpabuf_free(kid);
|
|
|
|
os_free(signature);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-10 12:41:51 +02:00
|
|
|
enum dpp_status_error
|
|
|
|
dpp_check_signed_connector(struct dpp_signed_connector_info *info,
|
|
|
|
const u8 *csign_key, size_t csign_key_len,
|
|
|
|
const u8 *peer_connector, size_t peer_connector_len)
|
|
|
|
{
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *csign;
|
2020-05-10 12:41:51 +02:00
|
|
|
char *signed_connector = NULL;
|
|
|
|
enum dpp_status_error res = DPP_STATUS_INVALID_CONNECTOR;
|
|
|
|
|
2021-06-28 18:25:26 +02:00
|
|
|
csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
|
2020-05-10 12:41:51 +02:00
|
|
|
if (!csign) {
|
|
|
|
wpa_printf(MSG_ERROR,
|
|
|
|
"DPP: Failed to parse local C-sign-key information");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_hexdump_ascii(MSG_DEBUG, "DPP: Peer signedConnector",
|
|
|
|
peer_connector, peer_connector_len);
|
|
|
|
signed_connector = os_malloc(peer_connector_len + 1);
|
|
|
|
if (!signed_connector)
|
|
|
|
goto fail;
|
|
|
|
os_memcpy(signed_connector, peer_connector, peer_connector_len);
|
|
|
|
signed_connector[peer_connector_len] = '\0';
|
|
|
|
res = dpp_process_signed_connector(info, csign, signed_connector);
|
|
|
|
fail:
|
|
|
|
os_free(signed_connector);
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(csign);
|
2020-05-10 12:41:51 +02:00
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
int dpp_gen_r_auth(struct dpp_authentication *auth, u8 *r_auth)
|
|
|
|
{
|
|
|
|
struct wpabuf *pix, *prx, *bix, *brx;
|
|
|
|
const u8 *addr[7];
|
|
|
|
size_t len[7];
|
|
|
|
size_t i, num_elem = 0;
|
|
|
|
size_t nonce_len;
|
|
|
|
u8 zero = 0;
|
|
|
|
int res = -1;
|
|
|
|
|
|
|
|
/* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
|
|
|
|
nonce_len = auth->curve->nonce_len;
|
|
|
|
|
|
|
|
if (auth->initiator) {
|
2021-06-28 18:25:23 +02:00
|
|
|
pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
|
|
|
prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (auth->own_bi)
|
2021-06-28 18:25:23 +02:00
|
|
|
bix = crypto_ec_key_get_pubkey_point(
|
|
|
|
auth->own_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
|
|
|
bix = NULL;
|
2021-06-28 18:25:23 +02:00
|
|
|
brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
} else {
|
2021-06-28 18:25:23 +02:00
|
|
|
pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
|
|
|
prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (auth->peer_bi)
|
2021-06-28 18:25:23 +02:00
|
|
|
bix = crypto_ec_key_get_pubkey_point(
|
|
|
|
auth->peer_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
|
|
|
bix = NULL;
|
2021-06-28 18:25:23 +02:00
|
|
|
brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
if (!pix || !prx || !brx)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
addr[num_elem] = auth->i_nonce;
|
|
|
|
len[num_elem] = nonce_len;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = auth->r_nonce;
|
|
|
|
len[num_elem] = nonce_len;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(pix);
|
|
|
|
len[num_elem] = wpabuf_len(pix) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(prx);
|
|
|
|
len[num_elem] = wpabuf_len(prx) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
if (bix) {
|
|
|
|
addr[num_elem] = wpabuf_head(bix);
|
|
|
|
len[num_elem] = wpabuf_len(bix) / 2;
|
|
|
|
num_elem++;
|
|
|
|
}
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(brx);
|
|
|
|
len[num_elem] = wpabuf_len(brx) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = &zero;
|
|
|
|
len[num_elem] = 1;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: R-auth hash components");
|
|
|
|
for (i = 0; i < num_elem; i++)
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
|
|
|
|
res = dpp_hash_vector(auth->curve, num_elem, addr, len, r_auth);
|
|
|
|
if (res == 0)
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: R-auth", r_auth,
|
|
|
|
auth->curve->hash_len);
|
|
|
|
fail:
|
|
|
|
wpabuf_free(pix);
|
|
|
|
wpabuf_free(prx);
|
|
|
|
wpabuf_free(bix);
|
|
|
|
wpabuf_free(brx);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_gen_i_auth(struct dpp_authentication *auth, u8 *i_auth)
|
|
|
|
{
|
|
|
|
struct wpabuf *pix = NULL, *prx = NULL, *bix = NULL, *brx = NULL;
|
|
|
|
const u8 *addr[7];
|
|
|
|
size_t len[7];
|
|
|
|
size_t i, num_elem = 0;
|
|
|
|
size_t nonce_len;
|
|
|
|
u8 one = 1;
|
|
|
|
int res = -1;
|
|
|
|
|
|
|
|
/* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
|
|
|
|
nonce_len = auth->curve->nonce_len;
|
|
|
|
|
|
|
|
if (auth->initiator) {
|
2021-06-28 18:25:23 +02:00
|
|
|
pix = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
|
|
|
prx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (auth->own_bi)
|
2021-06-28 18:25:23 +02:00
|
|
|
bix = crypto_ec_key_get_pubkey_point(
|
|
|
|
auth->own_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
|
|
|
bix = NULL;
|
|
|
|
if (!auth->peer_bi)
|
|
|
|
goto fail;
|
2021-06-28 18:25:23 +02:00
|
|
|
brx = crypto_ec_key_get_pubkey_point(auth->peer_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
} else {
|
2021-06-28 18:25:23 +02:00
|
|
|
pix = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
|
|
|
prx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (auth->peer_bi)
|
2021-06-28 18:25:23 +02:00
|
|
|
bix = crypto_ec_key_get_pubkey_point(
|
|
|
|
auth->peer_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
|
|
|
bix = NULL;
|
|
|
|
if (!auth->own_bi)
|
|
|
|
goto fail;
|
2021-06-28 18:25:23 +02:00
|
|
|
brx = crypto_ec_key_get_pubkey_point(auth->own_bi->pubkey, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
if (!pix || !prx || !brx)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
addr[num_elem] = auth->r_nonce;
|
|
|
|
len[num_elem] = nonce_len;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = auth->i_nonce;
|
|
|
|
len[num_elem] = nonce_len;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(prx);
|
|
|
|
len[num_elem] = wpabuf_len(prx) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(pix);
|
|
|
|
len[num_elem] = wpabuf_len(pix) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
addr[num_elem] = wpabuf_head(brx);
|
|
|
|
len[num_elem] = wpabuf_len(brx) / 2;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
if (bix) {
|
|
|
|
addr[num_elem] = wpabuf_head(bix);
|
|
|
|
len[num_elem] = wpabuf_len(bix) / 2;
|
|
|
|
num_elem++;
|
|
|
|
}
|
|
|
|
|
|
|
|
addr[num_elem] = &one;
|
|
|
|
len[num_elem] = 1;
|
|
|
|
num_elem++;
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: I-auth hash components");
|
|
|
|
for (i = 0; i < num_elem; i++)
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: hash component", addr[i], len[i]);
|
|
|
|
res = dpp_hash_vector(auth->curve, num_elem, addr, len, i_auth);
|
|
|
|
if (res == 0)
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: I-auth", i_auth,
|
|
|
|
auth->curve->hash_len);
|
|
|
|
fail:
|
|
|
|
wpabuf_free(pix);
|
|
|
|
wpabuf_free(prx);
|
|
|
|
wpabuf_free(bix);
|
|
|
|
wpabuf_free(brx);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_auth_derive_l_responder(struct dpp_authentication *auth)
|
|
|
|
{
|
2021-06-28 18:25:30 +02:00
|
|
|
struct crypto_ec *ec;
|
|
|
|
struct crypto_ec_point *L = NULL;
|
|
|
|
const struct crypto_ec_point *BI;
|
|
|
|
const struct crypto_bignum *bR, *pR, *q;
|
|
|
|
struct crypto_bignum *sum = NULL, *lx = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
/* L = ((bR + pR) modulo q) * BI */
|
|
|
|
|
2021-06-28 18:25:30 +02:00
|
|
|
ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey));
|
|
|
|
if (!ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:30 +02:00
|
|
|
q = crypto_ec_get_order(ec);
|
|
|
|
BI = crypto_ec_key_get_public_key(auth->peer_bi->pubkey);
|
|
|
|
bR = crypto_ec_key_get_private_key(auth->own_bi->pubkey);
|
|
|
|
pR = crypto_ec_key_get_private_key(auth->own_protocol_key);
|
|
|
|
sum = crypto_bignum_init();
|
|
|
|
L = crypto_ec_point_init(ec);
|
|
|
|
lx = crypto_bignum_init();
|
|
|
|
if (!q || !BI || !bR || !pR || !sum || !L || !lx ||
|
|
|
|
crypto_bignum_addmod(bR, pR, q, sum) ||
|
|
|
|
crypto_ec_point_mul(ec, BI, sum, L) ||
|
|
|
|
crypto_ec_point_x(ec, L, lx) ||
|
|
|
|
crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx),
|
|
|
|
auth->secret_len) < 0)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
|
|
|
|
auth->Lx_len = auth->secret_len;
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
2021-06-28 18:25:30 +02:00
|
|
|
crypto_bignum_deinit(lx, 1);
|
|
|
|
crypto_bignum_deinit(sum, 1);
|
|
|
|
crypto_ec_point_deinit(L, 1);
|
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 15:25:42 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_auth_derive_l_initiator(struct dpp_authentication *auth)
|
|
|
|
{
|
2021-06-28 18:25:30 +02:00
|
|
|
struct crypto_ec *ec;
|
|
|
|
struct crypto_ec_point *L = NULL, *sum = NULL;
|
|
|
|
const struct crypto_ec_point *BR, *PR;
|
|
|
|
const struct crypto_bignum *bI;
|
|
|
|
struct crypto_bignum *lx = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
/* L = bI * (BR + PR) */
|
|
|
|
|
2021-06-28 18:25:30 +02:00
|
|
|
ec = crypto_ec_init(crypto_ec_key_group(auth->peer_bi->pubkey));
|
|
|
|
if (!ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:30 +02:00
|
|
|
BR = crypto_ec_key_get_public_key(auth->peer_bi->pubkey);
|
|
|
|
PR = crypto_ec_key_get_public_key(auth->peer_protocol_key);
|
|
|
|
bI = crypto_ec_key_get_private_key(auth->own_bi->pubkey);
|
|
|
|
sum = crypto_ec_point_init(ec);
|
|
|
|
L = crypto_ec_point_init(ec);
|
|
|
|
lx = crypto_bignum_init();
|
|
|
|
if (!BR || !PR || !bI || !sum || !L || !lx ||
|
|
|
|
crypto_ec_point_add(ec, BR, PR, sum) ||
|
|
|
|
crypto_ec_point_mul(ec, sum, bI, L) ||
|
|
|
|
crypto_ec_point_x(ec, L, lx) ||
|
|
|
|
crypto_bignum_to_bin(lx, auth->Lx, sizeof(auth->Lx),
|
|
|
|
auth->secret_len) < 0)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: L.x", auth->Lx, auth->secret_len);
|
|
|
|
auth->Lx_len = auth->secret_len;
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
2021-06-28 18:25:30 +02:00
|
|
|
crypto_bignum_deinit(lx, 1);
|
|
|
|
crypto_ec_point_deinit(sum, 1);
|
|
|
|
crypto_ec_point_deinit(L, 1);
|
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 15:25:42 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk, unsigned int hash_len)
|
|
|
|
{
|
|
|
|
u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
|
|
|
|
const char *info = "DPP PMK";
|
|
|
|
int res;
|
|
|
|
|
|
|
|
/* PMK = HKDF(<>, "DPP PMK", N.x) */
|
|
|
|
|
|
|
|
/* HKDF-Extract(<>, N.x) */
|
|
|
|
os_memset(salt, 0, hash_len);
|
|
|
|
if (dpp_hmac(hash_len, salt, hash_len, Nx, Nx_len, prk) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM=N.x)",
|
|
|
|
prk, hash_len);
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, info, L) */
|
|
|
|
res = dpp_hkdf_expand(hash_len, prk, hash_len, info, pmk, hash_len);
|
|
|
|
os_memset(prk, 0, hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PMK = HKDF-Expand(PRK, info, L)",
|
|
|
|
pmk, hash_len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_derive_pmkid(const struct dpp_curve_params *curve,
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *own_key,
|
|
|
|
struct crypto_ec_key *peer_key, u8 *pmkid)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
struct wpabuf *nkx, *pkx;
|
|
|
|
int ret = -1, res;
|
|
|
|
const u8 *addr[2];
|
|
|
|
size_t len[2];
|
|
|
|
u8 hash[SHA256_MAC_LEN];
|
|
|
|
|
|
|
|
/* PMKID = Truncate-128(H(min(NK.x, PK.x) | max(NK.x, PK.x))) */
|
2021-06-28 18:25:23 +02:00
|
|
|
nkx = crypto_ec_key_get_pubkey_point(own_key, 0);
|
|
|
|
pkx = crypto_ec_key_get_pubkey_point(peer_key, 0);
|
2020-05-10 15:25:42 +02:00
|
|
|
if (!nkx || !pkx)
|
|
|
|
goto fail;
|
|
|
|
addr[0] = wpabuf_head(nkx);
|
|
|
|
len[0] = wpabuf_len(nkx) / 2;
|
|
|
|
addr[1] = wpabuf_head(pkx);
|
|
|
|
len[1] = wpabuf_len(pkx) / 2;
|
|
|
|
if (len[0] != len[1])
|
|
|
|
goto fail;
|
|
|
|
if (os_memcmp(addr[0], addr[1], len[0]) > 0) {
|
|
|
|
addr[0] = wpabuf_head(pkx);
|
|
|
|
addr[1] = wpabuf_head(nkx);
|
|
|
|
}
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 1", addr[0], len[0]);
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash payload 2", addr[1], len[1]);
|
|
|
|
res = sha256_vector(2, addr, len, hash);
|
|
|
|
if (res < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: PMKID hash output", hash, SHA256_MAC_LEN);
|
|
|
|
os_memcpy(pmkid, hash, PMKID_LEN);
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: PMKID", pmkid, PMKID_LEN);
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
|
|
|
wpabuf_free(nkx);
|
|
|
|
wpabuf_free(pkx);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Role-specific elements for PKEX */
|
|
|
|
|
|
|
|
/* NIST P-256 */
|
|
|
|
static const u8 pkex_init_x_p256[32] = {
|
|
|
|
0x56, 0x26, 0x12, 0xcf, 0x36, 0x48, 0xfe, 0x0b,
|
|
|
|
0x07, 0x04, 0xbb, 0x12, 0x22, 0x50, 0xb2, 0x54,
|
|
|
|
0xb1, 0x94, 0x64, 0x7e, 0x54, 0xce, 0x08, 0x07,
|
|
|
|
0x2e, 0xec, 0xca, 0x74, 0x5b, 0x61, 0x2d, 0x25
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_p256[32] = {
|
|
|
|
0x3e, 0x44, 0xc7, 0xc9, 0x8c, 0x1c, 0xa1, 0x0b,
|
|
|
|
0x20, 0x09, 0x93, 0xb2, 0xfd, 0xe5, 0x69, 0xdc,
|
|
|
|
0x75, 0xbc, 0xad, 0x33, 0xc1, 0xe7, 0xc6, 0x45,
|
|
|
|
0x4d, 0x10, 0x1e, 0x6a, 0x3d, 0x84, 0x3c, 0xa4
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_p256[32] = {
|
|
|
|
0x1e, 0xa4, 0x8a, 0xb1, 0xa4, 0xe8, 0x42, 0x39,
|
|
|
|
0xad, 0x73, 0x07, 0xf2, 0x34, 0xdf, 0x57, 0x4f,
|
|
|
|
0xc0, 0x9d, 0x54, 0xbe, 0x36, 0x1b, 0x31, 0x0f,
|
|
|
|
0x59, 0x91, 0x52, 0x33, 0xac, 0x19, 0x9d, 0x76
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_p256[32] = {
|
|
|
|
0xd9, 0xfb, 0xf6, 0xb9, 0xf5, 0xfa, 0xdf, 0x19,
|
|
|
|
0x58, 0xd8, 0x3e, 0xc9, 0x89, 0x7a, 0x35, 0xc1,
|
|
|
|
0xbd, 0xe9, 0x0b, 0x77, 0x7a, 0xcb, 0x91, 0x2a,
|
|
|
|
0xe8, 0x21, 0x3f, 0x47, 0x52, 0x02, 0x4d, 0x67
|
|
|
|
};
|
|
|
|
|
|
|
|
/* NIST P-384 */
|
|
|
|
static const u8 pkex_init_x_p384[48] = {
|
|
|
|
0x95, 0x3f, 0x42, 0x9e, 0x50, 0x7f, 0xf9, 0xaa,
|
|
|
|
0xac, 0x1a, 0xf2, 0x85, 0x2e, 0x64, 0x91, 0x68,
|
|
|
|
0x64, 0xc4, 0x3c, 0xb7, 0x5c, 0xf8, 0xc9, 0x53,
|
|
|
|
0x6e, 0x58, 0x4c, 0x7f, 0xc4, 0x64, 0x61, 0xac,
|
|
|
|
0x51, 0x8a, 0x6f, 0xfe, 0xab, 0x74, 0xe6, 0x12,
|
|
|
|
0x81, 0xac, 0x38, 0x5d, 0x41, 0xe6, 0xb9, 0xa3
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_p384[48] = {
|
|
|
|
0x76, 0x2f, 0x68, 0x84, 0xa6, 0xb0, 0x59, 0x29,
|
|
|
|
0x83, 0xa2, 0x6c, 0xa4, 0x6c, 0x3b, 0xf8, 0x56,
|
|
|
|
0x76, 0x11, 0x2a, 0x32, 0x90, 0xbd, 0x07, 0xc7,
|
|
|
|
0x37, 0x39, 0x9d, 0xdb, 0x96, 0xf3, 0x2b, 0xb6,
|
|
|
|
0x27, 0xbb, 0x29, 0x3c, 0x17, 0x33, 0x9d, 0x94,
|
|
|
|
0xc3, 0xda, 0xac, 0x46, 0xb0, 0x8e, 0x07, 0x18
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_p384[48] = {
|
|
|
|
0xad, 0xbe, 0xd7, 0x1d, 0x3a, 0x71, 0x64, 0x98,
|
|
|
|
0x5f, 0xb4, 0xd6, 0x4b, 0x50, 0xd0, 0x84, 0x97,
|
|
|
|
0x4b, 0x7e, 0x57, 0x70, 0xd2, 0xd9, 0xf4, 0x92,
|
|
|
|
0x2a, 0x3f, 0xce, 0x99, 0xc5, 0x77, 0x33, 0x44,
|
|
|
|
0x14, 0x56, 0x92, 0xcb, 0xae, 0x46, 0x64, 0xdf,
|
|
|
|
0xe0, 0xbb, 0xd7, 0xb1, 0x29, 0x20, 0x72, 0xdf
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_p384[48] = {
|
|
|
|
0xab, 0xa7, 0xdf, 0x52, 0xaa, 0xe2, 0x35, 0x0c,
|
|
|
|
0xe3, 0x75, 0x32, 0xe6, 0xbf, 0x06, 0xc8, 0x7c,
|
|
|
|
0x38, 0x29, 0x4c, 0xec, 0x82, 0xac, 0xd7, 0xa3,
|
|
|
|
0x09, 0xd2, 0x0e, 0x22, 0x5a, 0x74, 0x52, 0xa1,
|
|
|
|
0x7e, 0x54, 0x4e, 0xfe, 0xc6, 0x29, 0x33, 0x63,
|
|
|
|
0x15, 0xe1, 0x7b, 0xe3, 0x40, 0x1c, 0xca, 0x06
|
|
|
|
};
|
|
|
|
|
|
|
|
/* NIST P-521 */
|
|
|
|
static const u8 pkex_init_x_p521[66] = {
|
|
|
|
0x00, 0x16, 0x20, 0x45, 0x19, 0x50, 0x95, 0x23,
|
|
|
|
0x0d, 0x24, 0xbe, 0x00, 0x87, 0xdc, 0xfa, 0xf0,
|
|
|
|
0x58, 0x9a, 0x01, 0x60, 0x07, 0x7a, 0xca, 0x76,
|
|
|
|
0x01, 0xab, 0x2d, 0x5a, 0x46, 0xcd, 0x2c, 0xb5,
|
|
|
|
0x11, 0x9a, 0xff, 0xaa, 0x48, 0x04, 0x91, 0x38,
|
|
|
|
0xcf, 0x86, 0xfc, 0xa4, 0xa5, 0x0f, 0x47, 0x01,
|
|
|
|
0x80, 0x1b, 0x30, 0xa3, 0xae, 0xe8, 0x1c, 0x2e,
|
|
|
|
0xea, 0xcc, 0xf0, 0x03, 0x9f, 0x77, 0x4c, 0x8d,
|
|
|
|
0x97, 0x76
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_p521[66] = {
|
|
|
|
0x00, 0xb3, 0x8e, 0x02, 0xe4, 0x2a, 0x63, 0x59,
|
|
|
|
0x12, 0xc6, 0x10, 0xba, 0x3a, 0xf9, 0x02, 0x99,
|
|
|
|
0x3f, 0x14, 0xf0, 0x40, 0xde, 0x5c, 0xc9, 0x8b,
|
|
|
|
0x02, 0x55, 0xfa, 0x91, 0xb1, 0xcc, 0x6a, 0xbd,
|
|
|
|
0xe5, 0x62, 0xc0, 0xc5, 0xe3, 0xa1, 0x57, 0x9f,
|
|
|
|
0x08, 0x1a, 0xa6, 0xe2, 0xf8, 0x55, 0x90, 0xbf,
|
|
|
|
0xf5, 0xa6, 0xc3, 0xd8, 0x52, 0x1f, 0xb7, 0x02,
|
|
|
|
0x2e, 0x7c, 0xc8, 0xb3, 0x20, 0x1e, 0x79, 0x8d,
|
|
|
|
0x03, 0xa8
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_p521[66] = {
|
|
|
|
0x00, 0x79, 0xe4, 0x4d, 0x6b, 0x5e, 0x12, 0x0a,
|
|
|
|
0x18, 0x2c, 0xb3, 0x05, 0x77, 0x0f, 0xc3, 0x44,
|
|
|
|
0x1a, 0xcd, 0x78, 0x46, 0x14, 0xee, 0x46, 0x3f,
|
|
|
|
0xab, 0xc9, 0x59, 0x7c, 0x85, 0xa0, 0xc2, 0xfb,
|
|
|
|
0x02, 0x32, 0x99, 0xde, 0x5d, 0xe1, 0x0d, 0x48,
|
|
|
|
0x2d, 0x71, 0x7d, 0x8d, 0x3f, 0x61, 0x67, 0x9e,
|
|
|
|
0x2b, 0x8b, 0x12, 0xde, 0x10, 0x21, 0x55, 0x0a,
|
|
|
|
0x5b, 0x2d, 0xe8, 0x05, 0x09, 0xf6, 0x20, 0x97,
|
|
|
|
0x84, 0xb4
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_p521[66] = {
|
|
|
|
0x00, 0x46, 0x63, 0x39, 0xbe, 0xcd, 0xa4, 0x2d,
|
|
|
|
0xca, 0x27, 0x74, 0xd4, 0x1b, 0x91, 0x33, 0x20,
|
|
|
|
0x83, 0xc7, 0x3b, 0xa4, 0x09, 0x8b, 0x8e, 0xa3,
|
|
|
|
0x88, 0xe9, 0x75, 0x7f, 0x56, 0x7b, 0x38, 0x84,
|
|
|
|
0x62, 0x02, 0x7c, 0x90, 0x51, 0x07, 0xdb, 0xe9,
|
|
|
|
0xd0, 0xde, 0xda, 0x9a, 0x5d, 0xe5, 0x94, 0xd2,
|
|
|
|
0xcf, 0x9d, 0x4c, 0x33, 0x91, 0xa6, 0xc3, 0x80,
|
|
|
|
0xa7, 0x6e, 0x7e, 0x8d, 0xf8, 0x73, 0x6e, 0x53,
|
|
|
|
0xce, 0xe1
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Brainpool P-256r1 */
|
|
|
|
static const u8 pkex_init_x_bp_p256r1[32] = {
|
|
|
|
0x46, 0x98, 0x18, 0x6c, 0x27, 0xcd, 0x4b, 0x10,
|
|
|
|
0x7d, 0x55, 0xa3, 0xdd, 0x89, 0x1f, 0x9f, 0xca,
|
|
|
|
0xc7, 0x42, 0x5b, 0x8a, 0x23, 0xed, 0xf8, 0x75,
|
|
|
|
0xac, 0xc7, 0xe9, 0x8d, 0xc2, 0x6f, 0xec, 0xd8
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_bp_p256r1[32] = {
|
|
|
|
0x93, 0xca, 0xef, 0xa9, 0x66, 0x3e, 0x87, 0xcd,
|
|
|
|
0x52, 0x6e, 0x54, 0x13, 0xef, 0x31, 0x67, 0x30,
|
|
|
|
0x15, 0x13, 0x9d, 0x6d, 0xc0, 0x95, 0x32, 0xbe,
|
|
|
|
0x4f, 0xab, 0x5d, 0xf7, 0xbf, 0x5e, 0xaa, 0x0b
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_bp_p256r1[32] = {
|
|
|
|
0x90, 0x18, 0x84, 0xc9, 0xdc, 0xcc, 0xb5, 0x2f,
|
|
|
|
0x4a, 0x3f, 0x4f, 0x18, 0x0a, 0x22, 0x56, 0x6a,
|
|
|
|
0xa9, 0xef, 0xd4, 0xe6, 0xc3, 0x53, 0xc2, 0x1a,
|
|
|
|
0x23, 0x54, 0xdd, 0x08, 0x7e, 0x10, 0xd8, 0xe3
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_bp_p256r1[32] = {
|
|
|
|
0x2a, 0xfa, 0x98, 0x9b, 0xe3, 0xda, 0x30, 0xfd,
|
|
|
|
0x32, 0x28, 0xcb, 0x66, 0xfb, 0x40, 0x7f, 0xf2,
|
|
|
|
0xb2, 0x25, 0x80, 0x82, 0x44, 0x85, 0x13, 0x7e,
|
|
|
|
0x4b, 0xb5, 0x06, 0xc0, 0x03, 0x69, 0x23, 0x64
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Brainpool P-384r1 */
|
|
|
|
static const u8 pkex_init_x_bp_p384r1[48] = {
|
|
|
|
0x0a, 0x2c, 0xeb, 0x49, 0x5e, 0xb7, 0x23, 0xbd,
|
|
|
|
0x20, 0x5b, 0xe0, 0x49, 0xdf, 0xcf, 0xcf, 0x19,
|
|
|
|
0x37, 0x36, 0xe1, 0x2f, 0x59, 0xdb, 0x07, 0x06,
|
|
|
|
0xb5, 0xeb, 0x2d, 0xae, 0xc2, 0xb2, 0x38, 0x62,
|
|
|
|
0xa6, 0x73, 0x09, 0xa0, 0x6c, 0x0a, 0xa2, 0x30,
|
|
|
|
0x99, 0xeb, 0xf7, 0x1e, 0x47, 0xb9, 0x5e, 0xbe
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_bp_p384r1[48] = {
|
|
|
|
0x54, 0x76, 0x61, 0x65, 0x75, 0x5a, 0x2f, 0x99,
|
|
|
|
0x39, 0x73, 0xca, 0x6c, 0xf9, 0xf7, 0x12, 0x86,
|
|
|
|
0x54, 0xd5, 0xd4, 0xad, 0x45, 0x7b, 0xbf, 0x32,
|
|
|
|
0xee, 0x62, 0x8b, 0x9f, 0x52, 0xe8, 0xa0, 0xc9,
|
|
|
|
0xb7, 0x9d, 0xd1, 0x09, 0xb4, 0x79, 0x1c, 0x3e,
|
|
|
|
0x1a, 0xbf, 0x21, 0x45, 0x66, 0x6b, 0x02, 0x52
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_bp_p384r1[48] = {
|
|
|
|
0x03, 0xa2, 0x57, 0xef, 0xe8, 0x51, 0x21, 0xa0,
|
|
|
|
0xc8, 0x9e, 0x21, 0x02, 0xb5, 0x9a, 0x36, 0x25,
|
|
|
|
0x74, 0x22, 0xd1, 0xf2, 0x1b, 0xa8, 0x9a, 0x9b,
|
|
|
|
0x97, 0xbc, 0x5a, 0xeb, 0x26, 0x15, 0x09, 0x71,
|
|
|
|
0x77, 0x59, 0xec, 0x8b, 0xb7, 0xe1, 0xe8, 0xce,
|
|
|
|
0x65, 0xb8, 0xaf, 0xf8, 0x80, 0xae, 0x74, 0x6c
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_bp_p384r1[48] = {
|
|
|
|
0x2f, 0xd9, 0x6a, 0xc7, 0x3e, 0xec, 0x76, 0x65,
|
|
|
|
0x2d, 0x38, 0x7f, 0xec, 0x63, 0x26, 0x3f, 0x04,
|
|
|
|
0xd8, 0x4e, 0xff, 0xe1, 0x0a, 0x51, 0x74, 0x70,
|
|
|
|
0xe5, 0x46, 0x63, 0x7f, 0x5c, 0xc0, 0xd1, 0x7c,
|
|
|
|
0xfb, 0x2f, 0xea, 0xe2, 0xd8, 0x0f, 0x84, 0xcb,
|
|
|
|
0xe9, 0x39, 0x5c, 0x64, 0xfe, 0xcb, 0x2f, 0xf1
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Brainpool P-512r1 */
|
|
|
|
static const u8 pkex_init_x_bp_p512r1[64] = {
|
|
|
|
0x4c, 0xe9, 0xb6, 0x1c, 0xe2, 0x00, 0x3c, 0x9c,
|
|
|
|
0xa9, 0xc8, 0x56, 0x52, 0xaf, 0x87, 0x3e, 0x51,
|
|
|
|
0x9c, 0xbb, 0x15, 0x31, 0x1e, 0xc1, 0x05, 0xfc,
|
|
|
|
0x7c, 0x77, 0xd7, 0x37, 0x61, 0x27, 0xd0, 0x95,
|
|
|
|
0x98, 0xee, 0x5d, 0xa4, 0x3d, 0x09, 0xdb, 0x3d,
|
|
|
|
0xfa, 0x89, 0x9e, 0x7f, 0xa6, 0xa6, 0x9c, 0xff,
|
|
|
|
0x83, 0x5c, 0x21, 0x6c, 0x3e, 0xf2, 0xfe, 0xdc,
|
|
|
|
0x63, 0xe4, 0xd1, 0x0e, 0x75, 0x45, 0x69, 0x0f
|
|
|
|
};
|
|
|
|
static const u8 pkex_init_y_bp_p512r1[64] = {
|
|
|
|
0x50, 0xb5, 0x9b, 0xfa, 0x45, 0x67, 0x75, 0x94,
|
|
|
|
0x44, 0xe7, 0x68, 0xb0, 0xeb, 0x3e, 0xb3, 0xb8,
|
|
|
|
0xf9, 0x99, 0x05, 0xef, 0xae, 0x6c, 0xbc, 0xe3,
|
|
|
|
0xe1, 0xd2, 0x51, 0x54, 0xdf, 0x59, 0xd4, 0x45,
|
|
|
|
0x41, 0x3a, 0xa8, 0x0b, 0x76, 0x32, 0x44, 0x0e,
|
|
|
|
0x07, 0x60, 0x3a, 0x6e, 0xbe, 0xfe, 0xe0, 0x58,
|
|
|
|
0x52, 0xa0, 0xaa, 0x8b, 0xd8, 0x5b, 0xf2, 0x71,
|
|
|
|
0x11, 0x9a, 0x9e, 0x8f, 0x1a, 0xd1, 0xc9, 0x99
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_x_bp_p512r1[64] = {
|
|
|
|
0x2a, 0x60, 0x32, 0x27, 0xa1, 0xe6, 0x94, 0x72,
|
|
|
|
0x1c, 0x48, 0xbe, 0xc5, 0x77, 0x14, 0x30, 0x76,
|
|
|
|
0xe4, 0xbf, 0xf7, 0x7b, 0xc5, 0xfd, 0xdf, 0x19,
|
|
|
|
0x1e, 0x0f, 0xdf, 0x1c, 0x40, 0xfa, 0x34, 0x9e,
|
|
|
|
0x1f, 0x42, 0x24, 0xa3, 0x2c, 0xd5, 0xc7, 0xc9,
|
|
|
|
0x7b, 0x47, 0x78, 0x96, 0xf1, 0x37, 0x0e, 0x88,
|
|
|
|
0xcb, 0xa6, 0x52, 0x29, 0xd7, 0xa8, 0x38, 0x29,
|
|
|
|
0x8e, 0x6e, 0x23, 0x47, 0xd4, 0x4b, 0x70, 0x3e
|
|
|
|
};
|
|
|
|
static const u8 pkex_resp_y_bp_p512r1[64] = {
|
|
|
|
0x80, 0x1f, 0x43, 0xd2, 0x17, 0x35, 0xec, 0x81,
|
|
|
|
0xd9, 0x4b, 0xdc, 0x81, 0x19, 0xd9, 0x5f, 0x68,
|
|
|
|
0x16, 0x84, 0xfe, 0x63, 0x4b, 0x8d, 0x5d, 0xaa,
|
|
|
|
0x88, 0x4a, 0x47, 0x48, 0xd4, 0xea, 0xab, 0x7d,
|
|
|
|
0x6a, 0xbf, 0xe1, 0x28, 0x99, 0x6a, 0x87, 0x1c,
|
|
|
|
0x30, 0xb4, 0x44, 0x2d, 0x75, 0xac, 0x35, 0x09,
|
|
|
|
0x73, 0x24, 0x3d, 0xb4, 0x43, 0xb1, 0xc1, 0x56,
|
|
|
|
0x56, 0xad, 0x30, 0x87, 0xf4, 0xc3, 0x00, 0xc7
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
static struct crypto_ec_key *
|
|
|
|
dpp_pkex_get_role_elem(const struct dpp_curve_params *curve, int init)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
const u8 *x, *y;
|
|
|
|
|
|
|
|
switch (curve->ike_group) {
|
|
|
|
case 19:
|
|
|
|
x = init ? pkex_init_x_p256 : pkex_resp_x_p256;
|
|
|
|
y = init ? pkex_init_y_p256 : pkex_resp_y_p256;
|
|
|
|
break;
|
|
|
|
case 20:
|
|
|
|
x = init ? pkex_init_x_p384 : pkex_resp_x_p384;
|
|
|
|
y = init ? pkex_init_y_p384 : pkex_resp_y_p384;
|
|
|
|
break;
|
|
|
|
case 21:
|
|
|
|
x = init ? pkex_init_x_p521 : pkex_resp_x_p521;
|
|
|
|
y = init ? pkex_init_y_p521 : pkex_resp_y_p521;
|
|
|
|
break;
|
|
|
|
case 28:
|
|
|
|
x = init ? pkex_init_x_bp_p256r1 : pkex_resp_x_bp_p256r1;
|
|
|
|
y = init ? pkex_init_y_bp_p256r1 : pkex_resp_y_bp_p256r1;
|
|
|
|
break;
|
|
|
|
case 29:
|
|
|
|
x = init ? pkex_init_x_bp_p384r1 : pkex_resp_x_bp_p384r1;
|
|
|
|
y = init ? pkex_init_y_bp_p384r1 : pkex_resp_y_bp_p384r1;
|
|
|
|
break;
|
|
|
|
case 30:
|
|
|
|
x = init ? pkex_init_x_bp_p512r1 : pkex_resp_x_bp_p512r1;
|
|
|
|
y = init ? pkex_init_y_bp_p512r1 : pkex_resp_y_bp_p512r1;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:24 +02:00
|
|
|
return crypto_ec_key_set_pub(curve->ike_group, x, y, curve->prime_len);
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:28 +02:00
|
|
|
struct crypto_ec_point *
|
|
|
|
dpp_pkex_derive_Qi(const struct dpp_curve_params *curve, const u8 *mac_init,
|
|
|
|
const char *code, const char *identifier,
|
|
|
|
struct crypto_ec **ret_ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
u8 hash[DPP_MAX_HASH_LEN];
|
|
|
|
const u8 *addr[3];
|
|
|
|
size_t len[3];
|
|
|
|
unsigned int num_elem = 0;
|
2021-06-28 18:25:28 +02:00
|
|
|
struct crypto_ec_point *Qi = NULL;
|
|
|
|
struct crypto_ec_key *Pi_key = NULL;
|
|
|
|
const struct crypto_ec_point *Pi = NULL;
|
|
|
|
struct crypto_bignum *hash_bn = NULL;
|
|
|
|
struct crypto_ec *ec = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-12-07 16:04:48 +01:00
|
|
|
/* Qi = H([MAC-Initiator |] [identifier |] code) * Pi */
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-12-07 16:04:48 +01:00
|
|
|
if (mac_init) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: MAC-Initiator: " MACSTR,
|
|
|
|
MAC2STR(mac_init));
|
|
|
|
addr[num_elem] = mac_init;
|
|
|
|
len[num_elem] = ETH_ALEN;
|
|
|
|
num_elem++;
|
|
|
|
}
|
2020-05-10 15:25:42 +02:00
|
|
|
if (identifier) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
|
|
|
|
identifier);
|
|
|
|
addr[num_elem] = (const u8 *) identifier;
|
|
|
|
len[num_elem] = os_strlen(identifier);
|
|
|
|
num_elem++;
|
|
|
|
}
|
|
|
|
wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
|
|
|
|
addr[num_elem] = (const u8 *) code;
|
|
|
|
len[num_elem] = os_strlen(code);
|
|
|
|
num_elem++;
|
|
|
|
if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
2021-12-07 16:04:48 +01:00
|
|
|
"DPP: H([MAC-Initiator |] [identifier |] code)",
|
2020-05-10 15:25:42 +02:00
|
|
|
hash, curve->hash_len);
|
2021-06-28 18:25:28 +02:00
|
|
|
Pi_key = dpp_pkex_get_role_elem(curve, 1);
|
|
|
|
if (!Pi_key)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
dpp_debug_print_key("DPP: Pi", Pi_key);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:28 +02:00
|
|
|
ec = crypto_ec_init(curve->ike_group);
|
|
|
|
if (!ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
|
|
|
|
Pi = crypto_ec_key_get_public_key(Pi_key);
|
|
|
|
Qi = crypto_ec_point_init(ec);
|
|
|
|
hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
|
|
|
|
if (!Pi || !Qi || !hash_bn || crypto_ec_point_mul(ec, Pi, hash_bn, Qi))
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
|
|
|
|
if (crypto_ec_point_is_at_infinity(ec, Qi)) {
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_printf(MSG_INFO, "DPP: Qi is the point-at-infinity");
|
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_point_debug_print(ec, Qi, "DPP: Qi");
|
2020-05-10 15:25:42 +02:00
|
|
|
out:
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_key_deinit(Pi_key);
|
|
|
|
crypto_bignum_deinit(hash_bn, 1);
|
|
|
|
if (ret_ec && Qi)
|
|
|
|
*ret_ec = ec;
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 15:25:42 +02:00
|
|
|
return Qi;
|
|
|
|
fail:
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_point_deinit(Qi, 1);
|
2020-05-10 15:25:42 +02:00
|
|
|
Qi = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:28 +02:00
|
|
|
struct crypto_ec_point *
|
|
|
|
dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, const u8 *mac_resp,
|
|
|
|
const char *code, const char *identifier,
|
|
|
|
struct crypto_ec **ret_ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
{
|
|
|
|
u8 hash[DPP_MAX_HASH_LEN];
|
|
|
|
const u8 *addr[3];
|
|
|
|
size_t len[3];
|
|
|
|
unsigned int num_elem = 0;
|
2021-06-28 18:25:28 +02:00
|
|
|
struct crypto_ec_point *Qr = NULL;
|
|
|
|
struct crypto_ec_key *Pr_key = NULL;
|
|
|
|
const struct crypto_ec_point *Pr = NULL;
|
|
|
|
struct crypto_bignum *hash_bn = NULL;
|
|
|
|
struct crypto_ec *ec = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-12-07 16:04:48 +01:00
|
|
|
/* Qr = H([MAC-Responder |] [identifier |] code) * Pr */
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-12-07 16:04:48 +01:00
|
|
|
if (mac_resp) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: MAC-Responder: " MACSTR,
|
|
|
|
MAC2STR(mac_resp));
|
|
|
|
addr[num_elem] = mac_resp;
|
|
|
|
len[num_elem] = ETH_ALEN;
|
|
|
|
num_elem++;
|
|
|
|
}
|
2020-05-10 15:25:42 +02:00
|
|
|
if (identifier) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: code identifier: %s",
|
|
|
|
identifier);
|
|
|
|
addr[num_elem] = (const u8 *) identifier;
|
|
|
|
len[num_elem] = os_strlen(identifier);
|
|
|
|
num_elem++;
|
|
|
|
}
|
|
|
|
wpa_hexdump_ascii_key(MSG_DEBUG, "DPP: code", code, os_strlen(code));
|
|
|
|
addr[num_elem] = (const u8 *) code;
|
|
|
|
len[num_elem] = os_strlen(code);
|
|
|
|
num_elem++;
|
|
|
|
if (dpp_hash_vector(curve, num_elem, addr, len, hash) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
2021-12-07 16:04:48 +01:00
|
|
|
"DPP: H([MAC-Responder |] [identifier |] code)",
|
2020-05-10 15:25:42 +02:00
|
|
|
hash, curve->hash_len);
|
2021-06-28 18:25:28 +02:00
|
|
|
Pr_key = dpp_pkex_get_role_elem(curve, 0);
|
|
|
|
if (!Pr_key)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
dpp_debug_print_key("DPP: Pr", Pr_key);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:28 +02:00
|
|
|
ec = crypto_ec_init(curve->ike_group);
|
|
|
|
if (!ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
|
|
|
|
Pr = crypto_ec_key_get_public_key(Pr_key);
|
|
|
|
Qr = crypto_ec_point_init(ec);
|
|
|
|
hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
|
|
|
|
if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:28 +02:00
|
|
|
|
|
|
|
if (crypto_ec_point_is_at_infinity(ec, Qr)) {
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_printf(MSG_INFO, "DPP: Qr is the point-at-infinity");
|
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_point_debug_print(ec, Qr, "DPP: Qr");
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
out:
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_key_deinit(Pr_key);
|
|
|
|
crypto_bignum_deinit(hash_bn, 1);
|
|
|
|
if (ret_ec && Qr)
|
|
|
|
*ret_ec = ec;
|
2020-05-10 15:25:42 +02:00
|
|
|
else
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 15:25:42 +02:00
|
|
|
return Qr;
|
|
|
|
fail:
|
2021-06-28 18:25:28 +02:00
|
|
|
crypto_ec_point_deinit(Qr, 1);
|
2020-05-10 15:25:42 +02:00
|
|
|
Qr = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_pkex_derive_z(const u8 *mac_init, const u8 *mac_resp,
|
2021-12-07 16:04:48 +01:00
|
|
|
u8 ver_init, u8 ver_resp,
|
2020-05-10 15:25:42 +02:00
|
|
|
const u8 *Mx, size_t Mx_len,
|
|
|
|
const u8 *Nx, size_t Nx_len,
|
|
|
|
const char *code,
|
|
|
|
const u8 *Kx, size_t Kx_len,
|
|
|
|
u8 *z, unsigned int hash_len)
|
|
|
|
{
|
|
|
|
u8 salt[DPP_MAX_HASH_LEN], prk[DPP_MAX_HASH_LEN];
|
|
|
|
int res;
|
|
|
|
u8 *info, *pos;
|
|
|
|
size_t info_len;
|
|
|
|
|
2021-12-07 16:04:48 +01:00
|
|
|
/*
|
|
|
|
* v1: info = MAC-Initiator | MAC-Responder
|
|
|
|
* v2: info = Protocol Version-Initiator | Protocol Version-Responder
|
|
|
|
* z = HKDF(<>, info | M.x | N.x | code, K.x)
|
2020-05-10 15:25:42 +02:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* HKDF-Extract(<>, IKM=K.x) */
|
|
|
|
os_memset(salt, 0, hash_len);
|
|
|
|
if (dpp_hmac(hash_len, salt, hash_len, Kx, Kx_len, prk) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
|
|
|
|
prk, hash_len);
|
2021-12-07 16:04:48 +01:00
|
|
|
if (mac_init && mac_resp)
|
|
|
|
info_len = 2 * ETH_ALEN;
|
|
|
|
else
|
|
|
|
info_len = 2;
|
|
|
|
info_len += Mx_len + Nx_len + os_strlen(code);
|
2020-05-10 15:25:42 +02:00
|
|
|
info = os_malloc(info_len);
|
|
|
|
if (!info)
|
|
|
|
return -1;
|
|
|
|
pos = info;
|
2021-12-07 16:04:48 +01:00
|
|
|
if (mac_init && mac_resp) {
|
|
|
|
os_memcpy(pos, mac_init, ETH_ALEN);
|
|
|
|
pos += ETH_ALEN;
|
|
|
|
os_memcpy(pos, mac_resp, ETH_ALEN);
|
|
|
|
pos += ETH_ALEN;
|
|
|
|
} else {
|
|
|
|
*pos++ = ver_init;
|
|
|
|
*pos++ = ver_resp;
|
|
|
|
}
|
2020-05-10 15:25:42 +02:00
|
|
|
os_memcpy(pos, Mx, Mx_len);
|
|
|
|
pos += Mx_len;
|
|
|
|
os_memcpy(pos, Nx, Nx_len);
|
|
|
|
pos += Nx_len;
|
|
|
|
os_memcpy(pos, code, os_strlen(code));
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, info, L) */
|
|
|
|
if (hash_len == 32)
|
|
|
|
res = hmac_sha256_kdf(prk, hash_len, NULL, info, info_len,
|
|
|
|
z, hash_len);
|
|
|
|
else if (hash_len == 48)
|
|
|
|
res = hmac_sha384_kdf(prk, hash_len, NULL, info, info_len,
|
|
|
|
z, hash_len);
|
|
|
|
else if (hash_len == 64)
|
|
|
|
res = hmac_sha512_kdf(prk, hash_len, NULL, info, info_len,
|
|
|
|
z, hash_len);
|
|
|
|
else
|
|
|
|
res = -1;
|
|
|
|
os_free(info);
|
|
|
|
os_memset(prk, 0, hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: z = HKDF-Expand(PRK, info, L)",
|
|
|
|
z, hash_len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-09 15:30:09 +02:00
|
|
|
int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
|
|
|
|
const u8 *net_access_key,
|
|
|
|
size_t net_access_key_len,
|
|
|
|
struct json_token *peer_net_access_key)
|
|
|
|
{
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *own_key = NULL, *peer_key = NULL;
|
2021-06-28 18:25:32 +02:00
|
|
|
struct crypto_bignum *sum = NULL;
|
|
|
|
const struct crypto_bignum *q, *cR, *pR;
|
|
|
|
struct crypto_ec *ec = NULL;
|
|
|
|
struct crypto_ec_point *M = NULL;
|
|
|
|
const struct crypto_ec_point *CI;
|
2020-05-09 15:30:09 +02:00
|
|
|
u8 Mx[DPP_MAX_SHARED_SECRET_LEN];
|
|
|
|
u8 prk[DPP_MAX_HASH_LEN];
|
|
|
|
const struct dpp_curve_params *curve;
|
|
|
|
int res = -1;
|
2020-09-09 22:33:58 +02:00
|
|
|
u8 nonces[2 * DPP_MAX_NONCE_LEN];
|
2020-05-09 15:30:09 +02:00
|
|
|
|
|
|
|
own_key = dpp_set_keypair(&auth->curve, net_access_key,
|
|
|
|
net_access_key_len);
|
|
|
|
if (!own_key) {
|
|
|
|
dpp_auth_fail(auth, "Failed to parse own netAccessKey");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
peer_key = dpp_parse_jwk(peer_net_access_key, &curve);
|
|
|
|
if (!peer_key)
|
|
|
|
goto fail;
|
|
|
|
dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
|
|
|
|
|
|
|
|
if (auth->curve != curve) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
2020-08-06 18:47:28 +02:00
|
|
|
"DPP: Mismatching netAccessKey curves (own=%s != peer=%s)",
|
2020-05-09 15:30:09 +02:00
|
|
|
auth->curve->name, curve->name);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
auth->own_protocol_key = dpp_gen_keypair(curve);
|
|
|
|
if (!auth->own_protocol_key)
|
|
|
|
goto fail;
|
|
|
|
|
2020-09-09 22:33:58 +02:00
|
|
|
if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
|
|
|
|
auth->e_nonce, auth->curve->nonce_len);
|
|
|
|
|
2020-05-09 15:30:09 +02:00
|
|
|
/* M = { cR + pR } * CI */
|
2021-06-28 18:25:32 +02:00
|
|
|
ec = crypto_ec_init(curve->ike_group);
|
|
|
|
if (!ec)
|
2020-05-09 15:30:09 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
sum = crypto_bignum_init();
|
|
|
|
q = crypto_ec_get_order(ec);
|
|
|
|
M = crypto_ec_point_init(ec);
|
|
|
|
cR = crypto_ec_key_get_private_key(own_key);
|
|
|
|
pR = crypto_ec_key_get_private_key(auth->own_protocol_key);
|
|
|
|
CI = crypto_ec_key_get_public_key(peer_key);
|
|
|
|
if (!sum || !q || !M || !cR || !pR || !CI ||
|
|
|
|
crypto_bignum_addmod(cR, pR, q, sum) ||
|
|
|
|
crypto_ec_point_mul(ec, CI, sum, M) ||
|
|
|
|
crypto_ec_point_to_bin(ec, M, Mx, NULL)) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Error during M computation");
|
2020-05-09 15:30:09 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:32 +02:00
|
|
|
}
|
2020-05-09 15:30:09 +02:00
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
|
|
|
|
|
2020-09-09 22:33:58 +02:00
|
|
|
/* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
|
2020-05-09 15:30:09 +02:00
|
|
|
|
2020-09-09 22:33:58 +02:00
|
|
|
/* HKDF-Extract(C-nonce | E-nonce, M.x) */
|
|
|
|
os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
|
|
|
|
os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
|
|
|
|
if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
|
2020-05-09 15:30:09 +02:00
|
|
|
Mx, curve->prime_len, prk) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, "dpp reconfig key", L) */
|
|
|
|
if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len,
|
|
|
|
"dpp reconfig key", auth->ke, curve->hash_len) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
2020-09-09 22:33:58 +02:00
|
|
|
"DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
|
2020-05-09 15:30:09 +02:00
|
|
|
auth->ke, curve->hash_len);
|
|
|
|
|
|
|
|
res = 0;
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(auth->reconfig_old_protocol_key);
|
2020-05-09 15:30:09 +02:00
|
|
|
auth->reconfig_old_protocol_key = own_key;
|
|
|
|
own_key = NULL;
|
|
|
|
fail:
|
|
|
|
forced_memzero(prk, sizeof(prk));
|
|
|
|
forced_memzero(Mx, sizeof(Mx));
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_deinit(M, 1);
|
|
|
|
crypto_bignum_deinit(sum, 1);
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(own_key);
|
|
|
|
crypto_ec_key_deinit(peer_key);
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_deinit(ec);
|
2020-05-09 15:30:09 +02:00
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-10 11:55:43 +02:00
|
|
|
int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
|
|
|
|
const u8 *r_proto, u16 r_proto_len,
|
|
|
|
struct json_token *net_access_key)
|
|
|
|
{
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *pr = NULL, *peer_key = NULL;
|
2021-06-28 18:25:32 +02:00
|
|
|
const struct crypto_ec_point *CR, *PR;
|
|
|
|
const struct crypto_bignum *cI;
|
|
|
|
struct crypto_ec *ec = NULL;
|
|
|
|
struct crypto_ec_point *sum = NULL, *M = NULL;
|
2020-05-10 11:55:43 +02:00
|
|
|
u8 Mx[DPP_MAX_SHARED_SECRET_LEN];
|
|
|
|
u8 prk[DPP_MAX_HASH_LEN];
|
|
|
|
int res = -1;
|
|
|
|
const struct dpp_curve_params *curve;
|
2020-09-09 22:33:58 +02:00
|
|
|
u8 nonces[2 * DPP_MAX_NONCE_LEN];
|
2020-05-10 11:55:43 +02:00
|
|
|
|
|
|
|
pr = dpp_set_pubkey_point(auth->conf->connector_key,
|
|
|
|
r_proto, r_proto_len);
|
|
|
|
if (!pr) {
|
|
|
|
dpp_auth_fail(auth, "Invalid Responder Protocol Key");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
dpp_debug_print_key("Peer (Responder) Protocol Key", pr);
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(auth->peer_protocol_key);
|
2020-05-10 11:55:43 +02:00
|
|
|
auth->peer_protocol_key = pr;
|
|
|
|
pr = NULL;
|
|
|
|
|
|
|
|
peer_key = dpp_parse_jwk(net_access_key, &curve);
|
|
|
|
if (!peer_key)
|
|
|
|
goto fail;
|
|
|
|
dpp_debug_print_key("DPP: Received netAccessKey", peer_key);
|
|
|
|
if (auth->curve != curve) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
2020-08-06 18:47:28 +02:00
|
|
|
"DPP: Mismatching netAccessKey curves (own=%s != peer=%s)",
|
2020-05-10 11:55:43 +02:00
|
|
|
auth->curve->name, curve->name);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* M = cI * { CR + PR } */
|
2021-06-28 18:25:32 +02:00
|
|
|
ec = crypto_ec_init(curve->ike_group);
|
|
|
|
if (!ec)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
cI = crypto_ec_key_get_private_key(auth->conf->connector_key);
|
|
|
|
sum = crypto_ec_point_init(ec);
|
|
|
|
M = crypto_ec_point_init(ec);
|
|
|
|
CR = crypto_ec_key_get_public_key(peer_key);
|
|
|
|
PR = crypto_ec_key_get_public_key(auth->peer_protocol_key);
|
|
|
|
if (!cI || !sum || !M || !CR || !PR ||
|
|
|
|
crypto_ec_point_add(ec, CR, PR, sum) ||
|
|
|
|
crypto_ec_point_mul(ec, sum, cI, M) ||
|
|
|
|
crypto_ec_point_to_bin(ec, M, Mx, NULL)) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Error during M computation");
|
2020-05-10 11:55:43 +02:00
|
|
|
goto fail;
|
2021-06-28 18:25:32 +02:00
|
|
|
}
|
2020-05-10 11:55:43 +02:00
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
|
|
|
|
|
2020-09-09 22:33:58 +02:00
|
|
|
/* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
|
2020-05-10 11:55:43 +02:00
|
|
|
|
2020-09-09 22:33:58 +02:00
|
|
|
/* HKDF-Extract(C-nonce | E-nonce, M.x) */
|
|
|
|
os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
|
|
|
|
os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
|
|
|
|
if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
|
2020-05-10 11:55:43 +02:00
|
|
|
Mx, curve->prime_len, prk) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
|
|
|
|
|
|
|
|
/* HKDF-Expand(PRK, "dpp reconfig key", L) */
|
|
|
|
if (dpp_hkdf_expand(curve->hash_len, prk, curve->hash_len,
|
|
|
|
"dpp reconfig key", auth->ke, curve->hash_len) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
2020-09-09 22:33:58 +02:00
|
|
|
"DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
|
2020-05-10 11:55:43 +02:00
|
|
|
auth->ke, curve->hash_len);
|
|
|
|
|
|
|
|
res = 0;
|
|
|
|
fail:
|
|
|
|
forced_memzero(prk, sizeof(prk));
|
|
|
|
forced_memzero(Mx, sizeof(Mx));
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(pr);
|
|
|
|
crypto_ec_key_deinit(peer_key);
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_deinit(sum, 1);
|
|
|
|
crypto_ec_point_deinit(M, 1);
|
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 11:55:43 +02:00
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
static char *
|
|
|
|
dpp_build_jws_prot_hdr(struct dpp_configurator *conf, size_t *signed1_len)
|
|
|
|
{
|
|
|
|
struct wpabuf *jws_prot_hdr;
|
|
|
|
char *signed1;
|
|
|
|
|
|
|
|
jws_prot_hdr = wpabuf_alloc(100);
|
|
|
|
if (!jws_prot_hdr)
|
|
|
|
return NULL;
|
|
|
|
json_start_object(jws_prot_hdr, NULL);
|
|
|
|
json_add_string(jws_prot_hdr, "typ", "dppCon");
|
|
|
|
json_value_sep(jws_prot_hdr);
|
|
|
|
json_add_string(jws_prot_hdr, "kid", conf->kid);
|
|
|
|
json_value_sep(jws_prot_hdr);
|
|
|
|
json_add_string(jws_prot_hdr, "alg", conf->curve->jws_alg);
|
|
|
|
json_end_object(jws_prot_hdr);
|
|
|
|
signed1 = base64_url_encode(wpabuf_head(jws_prot_hdr),
|
|
|
|
wpabuf_len(jws_prot_hdr),
|
|
|
|
signed1_len);
|
|
|
|
wpabuf_free(jws_prot_hdr);
|
|
|
|
return signed1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static char *
|
|
|
|
dpp_build_conn_signature(struct dpp_configurator *conf,
|
|
|
|
const char *signed1, size_t signed1_len,
|
|
|
|
const char *signed2, size_t signed2_len,
|
|
|
|
size_t *signed3_len)
|
|
|
|
{
|
|
|
|
const struct dpp_curve_params *curve;
|
2021-06-28 18:25:31 +02:00
|
|
|
struct wpabuf *sig = NULL;
|
2020-05-10 15:25:42 +02:00
|
|
|
char *signed3 = NULL;
|
|
|
|
char *dot = ".";
|
2021-06-28 18:25:31 +02:00
|
|
|
const u8 *vector[3];
|
|
|
|
size_t vector_len[3];
|
|
|
|
u8 *hash;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
vector[0] = (const u8 *) signed1;
|
|
|
|
vector[1] = (const u8 *) dot;
|
|
|
|
vector[2] = (const u8 *) signed2;
|
|
|
|
vector_len[0] = signed1_len;
|
|
|
|
vector_len[1] = 1;
|
|
|
|
vector_len[2] = signed2_len;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
|
|
|
curve = conf->curve;
|
2021-06-28 18:25:31 +02:00
|
|
|
hash = os_malloc(curve->hash_len);
|
|
|
|
if (!hash)
|
|
|
|
goto fail;
|
2020-05-10 15:25:42 +02:00
|
|
|
if (curve->hash_len == SHA256_MAC_LEN) {
|
2021-06-28 18:25:31 +02:00
|
|
|
ret = sha256_vector(3, vector, vector_len, hash);
|
2020-05-10 15:25:42 +02:00
|
|
|
} else if (curve->hash_len == SHA384_MAC_LEN) {
|
2021-06-28 18:25:31 +02:00
|
|
|
ret = sha384_vector(3, vector, vector_len, hash);
|
2020-05-10 15:25:42 +02:00
|
|
|
} else if (curve->hash_len == SHA512_MAC_LEN) {
|
2021-06-28 18:25:31 +02:00
|
|
|
ret = sha512_vector(3, vector, vector_len, hash);
|
2020-05-10 15:25:42 +02:00
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
|
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:31 +02:00
|
|
|
if (ret) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Hash computation failed");
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:31 +02:00
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Hash value for Connector signature",
|
|
|
|
hash, curve->hash_len);
|
|
|
|
|
|
|
|
sig = crypto_ec_key_sign_r_s(conf->csign, hash, curve->hash_len);
|
|
|
|
if (!sig) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Signature computation failed");
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:31 +02:00
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: signedConnector ECDSA signature (raw r,s)",
|
2021-06-28 18:25:31 +02:00
|
|
|
wpabuf_head(sig), wpabuf_len(sig));
|
|
|
|
signed3 = base64_url_encode(wpabuf_head(sig), wpabuf_len(sig),
|
|
|
|
signed3_len);
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
fail:
|
2021-06-28 18:25:31 +02:00
|
|
|
os_free(hash);
|
|
|
|
wpabuf_free(sig);
|
2020-05-10 15:25:42 +02:00
|
|
|
return signed3;
|
|
|
|
}
|
|
|
|
|
|
|
|
char * dpp_sign_connector(struct dpp_configurator *conf,
|
|
|
|
const struct wpabuf *dppcon)
|
|
|
|
{
|
|
|
|
char *signed1 = NULL, *signed2 = NULL, *signed3 = NULL;
|
|
|
|
char *signed_conn = NULL, *pos;
|
|
|
|
size_t signed1_len, signed2_len, signed3_len;
|
|
|
|
|
|
|
|
signed1 = dpp_build_jws_prot_hdr(conf, &signed1_len);
|
|
|
|
signed2 = base64_url_encode(wpabuf_head(dppcon), wpabuf_len(dppcon),
|
|
|
|
&signed2_len);
|
|
|
|
if (!signed1 || !signed2)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
signed3 = dpp_build_conn_signature(conf, signed1, signed1_len,
|
|
|
|
signed2, signed2_len, &signed3_len);
|
|
|
|
if (!signed3)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
signed_conn = os_malloc(signed1_len + signed2_len + signed3_len + 3);
|
|
|
|
if (!signed_conn)
|
|
|
|
goto fail;
|
|
|
|
pos = signed_conn;
|
|
|
|
os_memcpy(pos, signed1, signed1_len);
|
|
|
|
pos += signed1_len;
|
|
|
|
*pos++ = '.';
|
|
|
|
os_memcpy(pos, signed2, signed2_len);
|
|
|
|
pos += signed2_len;
|
|
|
|
*pos++ = '.';
|
|
|
|
os_memcpy(pos, signed3, signed3_len);
|
|
|
|
pos += signed3_len;
|
|
|
|
*pos = '\0';
|
|
|
|
|
|
|
|
fail:
|
|
|
|
os_free(signed1);
|
|
|
|
os_free(signed2);
|
|
|
|
os_free(signed3);
|
|
|
|
return signed_conn;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_DPP2
|
|
|
|
|
|
|
|
struct dpp_pfs * dpp_pfs_init(const u8 *net_access_key,
|
|
|
|
size_t net_access_key_len)
|
|
|
|
{
|
|
|
|
struct wpabuf *pub = NULL;
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *own_key;
|
2020-05-10 15:25:42 +02:00
|
|
|
struct dpp_pfs *pfs;
|
|
|
|
|
|
|
|
pfs = os_zalloc(sizeof(*pfs));
|
|
|
|
if (!pfs)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
own_key = dpp_set_keypair(&pfs->curve, net_access_key,
|
|
|
|
net_access_key_len);
|
|
|
|
if (!own_key) {
|
|
|
|
wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
|
|
|
|
goto fail;
|
|
|
|
}
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(own_key);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
|
|
|
pfs->ecdh = crypto_ecdh_init(pfs->curve->ike_group);
|
|
|
|
if (!pfs->ecdh)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
pub = crypto_ecdh_get_pubkey(pfs->ecdh, 0);
|
|
|
|
pub = wpabuf_zeropad(pub, pfs->curve->prime_len);
|
|
|
|
if (!pub)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
pfs->ie = wpabuf_alloc(5 + wpabuf_len(pub));
|
|
|
|
if (!pfs->ie)
|
|
|
|
goto fail;
|
|
|
|
wpabuf_put_u8(pfs->ie, WLAN_EID_EXTENSION);
|
|
|
|
wpabuf_put_u8(pfs->ie, 1 + 2 + wpabuf_len(pub));
|
|
|
|
wpabuf_put_u8(pfs->ie, WLAN_EID_EXT_OWE_DH_PARAM);
|
|
|
|
wpabuf_put_le16(pfs->ie, pfs->curve->ike_group);
|
|
|
|
wpabuf_put_buf(pfs->ie, pub);
|
|
|
|
wpabuf_free(pub);
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "DPP: Diffie-Hellman Parameter element",
|
|
|
|
pfs->ie);
|
|
|
|
|
|
|
|
return pfs;
|
|
|
|
fail:
|
|
|
|
wpabuf_free(pub);
|
|
|
|
dpp_pfs_free(pfs);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len)
|
|
|
|
{
|
|
|
|
if (peer_ie_len < 2)
|
|
|
|
return -1;
|
|
|
|
if (WPA_GET_LE16(peer_ie) != pfs->curve->ike_group) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Peer used different group for PFS");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pfs->secret = crypto_ecdh_set_peerkey(pfs->ecdh, 0, peer_ie + 2,
|
|
|
|
peer_ie_len - 2);
|
|
|
|
pfs->secret = wpabuf_zeropad(pfs->secret, pfs->curve->prime_len);
|
|
|
|
if (!pfs->secret) {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Invalid peer DH public key");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
wpa_hexdump_buf_key(MSG_DEBUG, "DPP: DH shared secret", pfs->secret);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void dpp_pfs_free(struct dpp_pfs *pfs)
|
|
|
|
{
|
|
|
|
if (!pfs)
|
|
|
|
return;
|
|
|
|
crypto_ecdh_deinit(pfs->ecdh);
|
|
|
|
wpabuf_free(pfs->ie);
|
|
|
|
wpabuf_clear_free(pfs->secret);
|
|
|
|
os_free(pfs);
|
|
|
|
}
|
|
|
|
|
2020-06-15 19:20:50 +02:00
|
|
|
|
2020-06-18 20:06:10 +02:00
|
|
|
struct wpabuf * dpp_build_csr(struct dpp_authentication *auth, const char *name)
|
2020-06-15 19:20:50 +02:00
|
|
|
{
|
2021-06-28 18:25:37 +02:00
|
|
|
struct crypto_csr *csr = NULL;
|
2020-06-15 19:20:50 +02:00
|
|
|
struct wpabuf *buf = NULL;
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *key;
|
2020-06-15 19:20:50 +02:00
|
|
|
unsigned int hash_len = auth->curve->hash_len;
|
2021-06-28 18:25:22 +02:00
|
|
|
struct wpabuf *priv_key;
|
2020-06-17 11:22:08 +02:00
|
|
|
u8 cp[DPP_CP_LEN];
|
2021-06-28 18:25:37 +02:00
|
|
|
char *password = NULL;
|
2020-06-17 11:22:08 +02:00
|
|
|
size_t password_len;
|
2021-06-28 18:25:37 +02:00
|
|
|
int hash_sign_algo;
|
2020-06-15 19:20:50 +02:00
|
|
|
|
|
|
|
/* TODO: use auth->csrattrs */
|
|
|
|
|
|
|
|
/* TODO: support generation of a new private key if csrAttrs requests
|
|
|
|
* a specific group to be used */
|
|
|
|
key = auth->own_protocol_key;
|
|
|
|
|
2021-06-28 18:25:22 +02:00
|
|
|
priv_key = crypto_ec_key_get_ecprivate_key(key, true);
|
|
|
|
if (!priv_key)
|
2020-06-15 19:20:50 +02:00
|
|
|
goto fail;
|
|
|
|
wpabuf_free(auth->priv_key);
|
2021-06-28 18:25:22 +02:00
|
|
|
auth->priv_key = priv_key;
|
2020-06-15 19:20:50 +02:00
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
csr = crypto_csr_init();
|
|
|
|
if (!csr || crypto_csr_set_ec_public_key(csr, key))
|
2020-06-15 19:20:50 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
if (name && crypto_csr_set_name(csr, CSR_NAME_CN, name))
|
|
|
|
goto fail;
|
2020-06-18 20:06:10 +02:00
|
|
|
|
2020-06-17 11:22:08 +02:00
|
|
|
/* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */
|
|
|
|
if (dpp_hkdf_expand(hash_len, auth->bk, hash_len,
|
|
|
|
"CSR challengePassword", cp, DPP_CP_LEN) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)",
|
|
|
|
cp, DPP_CP_LEN);
|
|
|
|
password = base64_encode_no_lf(cp, DPP_CP_LEN, &password_len);
|
|
|
|
forced_memzero(cp, DPP_CP_LEN);
|
2021-06-28 18:25:37 +02:00
|
|
|
if (!password ||
|
|
|
|
crypto_csr_set_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD,
|
|
|
|
ASN1_TAG_UTF8STRING, (const u8 *) password,
|
|
|
|
password_len))
|
2020-06-17 11:22:08 +02:00
|
|
|
goto fail;
|
|
|
|
|
2020-06-15 19:20:50 +02:00
|
|
|
/* TODO: hash func selection based on csrAttrs */
|
|
|
|
if (hash_len == SHA256_MAC_LEN) {
|
2021-06-28 18:25:37 +02:00
|
|
|
hash_sign_algo = CRYPTO_HASH_ALG_SHA256;
|
2020-06-15 19:20:50 +02:00
|
|
|
} else if (hash_len == SHA384_MAC_LEN) {
|
2021-06-28 18:25:37 +02:00
|
|
|
hash_sign_algo = CRYPTO_HASH_ALG_SHA384;
|
2020-06-15 19:20:50 +02:00
|
|
|
} else if (hash_len == SHA512_MAC_LEN) {
|
2021-06-28 18:25:37 +02:00
|
|
|
hash_sign_algo = CRYPTO_HASH_ALG_SHA512;
|
2020-06-15 19:20:50 +02:00
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
buf = crypto_csr_sign(csr, key, hash_sign_algo);
|
|
|
|
if (!buf)
|
2020-06-15 19:20:50 +02:00
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "DPP: CSR", buf);
|
|
|
|
|
|
|
|
fail:
|
2021-06-28 18:25:37 +02:00
|
|
|
bin_clear_free(password, password_len);
|
|
|
|
crypto_csr_deinit(csr);
|
2020-06-15 19:20:50 +02:00
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
int dpp_validate_csr(struct dpp_authentication *auth,
|
|
|
|
const struct wpabuf *csrbuf)
|
2020-06-17 19:33:07 +02:00
|
|
|
{
|
2021-06-28 18:25:37 +02:00
|
|
|
struct crypto_csr *csr;
|
|
|
|
const u8 *attr;
|
|
|
|
size_t attr_len;
|
|
|
|
int attr_type;
|
2020-06-17 19:33:07 +02:00
|
|
|
unsigned char *cp = NULL;
|
|
|
|
size_t cp_len;
|
|
|
|
u8 exp_cp[DPP_CP_LEN];
|
|
|
|
unsigned int hash_len = auth->curve->hash_len;
|
2021-06-28 18:25:37 +02:00
|
|
|
int ret = -1;
|
2020-06-17 19:33:07 +02:00
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
csr = crypto_csr_verify(csrbuf);
|
|
|
|
if (!csr) {
|
2020-06-17 19:33:07 +02:00
|
|
|
wpa_printf(MSG_DEBUG,
|
2021-06-28 18:25:37 +02:00
|
|
|
"DPP: CSR invalid or invalid signature");
|
2020-06-17 19:33:07 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
attr = crypto_csr_get_attribute(csr, CSR_ATTR_CHALLENGE_PASSWORD,
|
|
|
|
&attr_len, &attr_type);
|
2020-06-17 19:33:07 +02:00
|
|
|
if (!attr) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
2021-06-28 18:25:37 +02:00
|
|
|
"DPP: CSR does not include challengePassword");
|
2020-06-17 19:33:07 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
/* This is supposed to be UTF8String, but allow other strings as well
|
|
|
|
* since challengePassword is using ASCII (base64 encoded). */
|
2021-06-28 18:25:37 +02:00
|
|
|
if (attr_type != ASN1_TAG_UTF8STRING &&
|
|
|
|
attr_type != ASN1_TAG_PRINTABLESTRING &&
|
|
|
|
attr_type != ASN1_TAG_IA5STRING) {
|
2020-06-17 19:33:07 +02:00
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unexpected challengePassword attribute type %d",
|
2021-06-28 18:25:37 +02:00
|
|
|
attr_type);
|
2020-06-17 19:33:07 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:37 +02:00
|
|
|
cp = base64_decode((const char *) attr, attr_len, &cp_len);
|
2020-06-17 19:33:07 +02:00
|
|
|
if (!cp) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Could not base64 decode challengePassword");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
if (cp_len != DPP_CP_LEN) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: Unexpected cp length (%zu) in CSR challengePassword",
|
|
|
|
cp_len);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: cp from CSR challengePassword",
|
|
|
|
cp, cp_len);
|
|
|
|
|
|
|
|
/* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */
|
|
|
|
if (dpp_hkdf_expand(hash_len, auth->bk, hash_len,
|
|
|
|
"CSR challengePassword", exp_cp, DPP_CP_LEN) < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)",
|
|
|
|
exp_cp, DPP_CP_LEN);
|
|
|
|
if (os_memcmp_const(cp, exp_cp, DPP_CP_LEN) != 0) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"DPP: CSR challengePassword does not match calculated cp");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
|
|
|
os_free(cp);
|
2021-06-28 18:25:37 +02:00
|
|
|
crypto_csr_deinit(csr);
|
2020-06-17 19:33:07 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2020-08-06 18:47:28 +02:00
|
|
|
|
|
|
|
struct dpp_reconfig_id * dpp_gen_reconfig_id(const u8 *csign_key,
|
2020-10-13 19:53:09 +02:00
|
|
|
size_t csign_key_len,
|
|
|
|
const u8 *pp_key,
|
|
|
|
size_t pp_key_len)
|
2020-08-06 18:47:28 +02:00
|
|
|
{
|
2021-06-28 18:25:20 +02:00
|
|
|
struct crypto_ec_key *csign = NULL, *ppkey = NULL;
|
2020-08-06 18:47:28 +02:00
|
|
|
struct dpp_reconfig_id *id = NULL;
|
2021-06-28 18:25:32 +02:00
|
|
|
struct crypto_ec *ec = NULL;
|
|
|
|
const struct crypto_bignum *q;
|
|
|
|
struct crypto_bignum *bn = NULL;
|
|
|
|
struct crypto_ec_point *e_id = NULL;
|
|
|
|
const struct crypto_ec_point *generator;
|
2020-08-06 18:47:28 +02:00
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
|
2020-08-06 18:47:28 +02:00
|
|
|
if (!csign)
|
|
|
|
goto fail;
|
|
|
|
|
2020-10-13 19:53:09 +02:00
|
|
|
if (!pp_key)
|
|
|
|
goto fail;
|
2021-06-28 18:25:32 +02:00
|
|
|
ppkey = crypto_ec_key_parse_pub(pp_key, pp_key_len);
|
2020-10-13 19:53:09 +02:00
|
|
|
if (!ppkey)
|
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
ec = crypto_ec_init(crypto_ec_key_group(csign));
|
|
|
|
if (!ec)
|
2020-08-06 18:47:28 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
e_id = crypto_ec_point_init(ec);
|
|
|
|
bn = crypto_bignum_init();
|
|
|
|
q = crypto_ec_get_order(ec);
|
|
|
|
generator = crypto_ec_get_generator(ec);
|
|
|
|
if (!e_id || !bn || !q || !generator ||
|
|
|
|
crypto_bignum_rand(bn, q) ||
|
|
|
|
crypto_ec_point_mul(ec, generator, bn, e_id))
|
2020-08-06 18:47:28 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_debug_print(ec, e_id,
|
|
|
|
"DPP: Generated random point E-id");
|
2020-08-06 18:47:28 +02:00
|
|
|
|
|
|
|
id = os_zalloc(sizeof(*id));
|
|
|
|
if (!id)
|
|
|
|
goto fail;
|
2021-06-28 18:25:32 +02:00
|
|
|
|
|
|
|
id->ec = ec;
|
|
|
|
ec = NULL;
|
2020-08-06 18:47:28 +02:00
|
|
|
id->e_id = e_id;
|
|
|
|
e_id = NULL;
|
|
|
|
id->csign = csign;
|
|
|
|
csign = NULL;
|
2020-10-13 19:53:09 +02:00
|
|
|
id->pp_key = ppkey;
|
|
|
|
ppkey = NULL;
|
2020-08-06 18:47:28 +02:00
|
|
|
fail:
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_deinit(e_id, 1);
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(csign);
|
|
|
|
crypto_ec_key_deinit(ppkey);
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_bignum_deinit(bn, 1);
|
|
|
|
crypto_ec_deinit(ec);
|
2020-08-06 18:47:28 +02:00
|
|
|
return id;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int dpp_update_reconfig_id(struct dpp_reconfig_id *id)
|
|
|
|
{
|
2021-06-28 18:25:32 +02:00
|
|
|
const struct crypto_bignum *q;
|
|
|
|
struct crypto_bignum *bn;
|
|
|
|
const struct crypto_ec_point *pp, *generator;
|
|
|
|
struct crypto_ec_point *e_prime_id, *a_nonce;
|
2020-08-06 18:47:28 +02:00
|
|
|
int ret = -1;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
pp = crypto_ec_key_get_public_key(id->pp_key);
|
|
|
|
e_prime_id = crypto_ec_point_init(id->ec);
|
|
|
|
a_nonce = crypto_ec_point_init(id->ec);
|
|
|
|
bn = crypto_bignum_init();
|
|
|
|
q = crypto_ec_get_order(id->ec);
|
|
|
|
generator = crypto_ec_get_generator(id->ec);
|
|
|
|
|
2020-08-06 18:47:28 +02:00
|
|
|
/* Generate random 0 <= a-nonce < q
|
|
|
|
* A-NONCE = a-nonce * G
|
2020-10-13 19:53:09 +02:00
|
|
|
* E'-id = E-id + a-nonce * P_pk */
|
2021-06-28 18:25:32 +02:00
|
|
|
if (!pp || !e_prime_id || !a_nonce || !bn || !q || !generator ||
|
|
|
|
crypto_bignum_rand(bn, q) || /* bn = a-nonce */
|
|
|
|
crypto_ec_point_mul(id->ec, generator, bn, a_nonce) ||
|
|
|
|
crypto_ec_point_mul(id->ec, pp, bn, e_prime_id) ||
|
|
|
|
crypto_ec_point_add(id->ec, id->e_id, e_prime_id, e_prime_id))
|
2020-08-06 18:47:28 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_debug_print(id->ec, a_nonce,
|
|
|
|
"DPP: Generated A-NONCE");
|
|
|
|
crypto_ec_point_debug_print(id->ec, e_prime_id,
|
|
|
|
"DPP: Encrypted E-id to E'-id");
|
2020-08-06 18:47:28 +02:00
|
|
|
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(id->a_nonce);
|
|
|
|
crypto_ec_key_deinit(id->e_prime_id);
|
2021-06-28 18:25:32 +02:00
|
|
|
id->a_nonce = crypto_ec_key_set_pub_point(id->ec, a_nonce);
|
|
|
|
id->e_prime_id = crypto_ec_key_set_pub_point(id->ec, e_prime_id);
|
2020-08-06 18:47:28 +02:00
|
|
|
if (!id->a_nonce || !id->e_prime_id)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
fail:
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_deinit(e_prime_id, 1);
|
|
|
|
crypto_ec_point_deinit(a_nonce, 1);
|
|
|
|
crypto_bignum_deinit(bn, 1);
|
2020-08-06 18:47:28 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void dpp_free_reconfig_id(struct dpp_reconfig_id *id)
|
|
|
|
{
|
|
|
|
if (id) {
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_deinit(id->e_id, 1);
|
2021-06-28 18:25:20 +02:00
|
|
|
crypto_ec_key_deinit(id->csign);
|
|
|
|
crypto_ec_key_deinit(id->a_nonce);
|
|
|
|
crypto_ec_key_deinit(id->e_prime_id);
|
|
|
|
crypto_ec_key_deinit(id->pp_key);
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_deinit(id->ec);
|
2020-08-06 18:47:28 +02:00
|
|
|
os_free(id);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
struct crypto_ec_point * dpp_decrypt_e_id(struct crypto_ec_key *ppkey,
|
|
|
|
struct crypto_ec_key *a_nonce,
|
|
|
|
struct crypto_ec_key *e_prime_id)
|
2020-08-06 18:47:28 +02:00
|
|
|
{
|
2021-06-28 18:25:32 +02:00
|
|
|
struct crypto_ec *ec;
|
|
|
|
const struct crypto_bignum *pp;
|
|
|
|
struct crypto_ec_point *e_id = NULL;
|
|
|
|
const struct crypto_ec_point *a_nonce_point, *e_prime_id_point;
|
2020-08-06 18:47:28 +02:00
|
|
|
|
2020-10-13 19:57:26 +02:00
|
|
|
if (!ppkey)
|
|
|
|
return NULL;
|
|
|
|
|
2020-08-06 18:47:28 +02:00
|
|
|
/* E-id = E'-id - s_C * A-NONCE */
|
2021-06-28 18:25:32 +02:00
|
|
|
ec = crypto_ec_init(crypto_ec_key_group(ppkey));
|
|
|
|
if (!ec)
|
2020-08-06 18:47:28 +02:00
|
|
|
return NULL;
|
2021-06-28 18:25:32 +02:00
|
|
|
|
|
|
|
pp = crypto_ec_key_get_private_key(ppkey);
|
|
|
|
a_nonce_point = crypto_ec_key_get_public_key(a_nonce);
|
|
|
|
e_prime_id_point = crypto_ec_key_get_public_key(e_prime_id);
|
|
|
|
e_id = crypto_ec_point_init(ec);
|
|
|
|
if (!pp || !a_nonce_point || !e_prime_id_point || !e_id ||
|
|
|
|
crypto_ec_point_mul(ec, a_nonce_point, pp, e_id) ||
|
|
|
|
crypto_ec_point_invert(ec, e_id) ||
|
|
|
|
crypto_ec_point_add(ec, e_id, e_prime_id_point, e_id)) {
|
|
|
|
crypto_ec_point_deinit(e_id, 1);
|
2020-08-06 18:47:28 +02:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_point_debug_print(ec, e_id, "DPP: Decrypted E-id");
|
2020-08-06 18:47:28 +02:00
|
|
|
|
|
|
|
fail:
|
2021-06-28 18:25:32 +02:00
|
|
|
crypto_ec_deinit(ec);
|
2020-08-06 18:47:28 +02:00
|
|
|
return e_id;
|
|
|
|
}
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
#endif /* CONFIG_DPP2 */
|
|
|
|
|
|
|
|
|
2022-03-09 00:06:01 +01:00
|
|
|
#ifdef CONFIG_DPP3
|
|
|
|
int dpp_derive_auth_i(struct dpp_authentication *auth, u8 *auth_i)
|
|
|
|
{
|
|
|
|
int ret = -1, res;
|
|
|
|
u8 Sx[DPP_MAX_SHARED_SECRET_LEN];
|
|
|
|
size_t Sx_len;
|
|
|
|
unsigned int hash_len;
|
|
|
|
const char *info = "New DPP Protocol Key";
|
2022-03-09 19:49:17 +01:00
|
|
|
const u8 *addr[3];
|
|
|
|
size_t len[3];
|
2022-03-09 00:06:01 +01:00
|
|
|
u8 tmp[DPP_MAX_HASH_LEN], k[DPP_MAX_HASH_LEN];
|
|
|
|
struct wpabuf *pcx = NULL, *pex = NULL;
|
|
|
|
|
2022-03-09 19:49:17 +01:00
|
|
|
hash_len = auth->curve->hash_len;
|
2022-03-09 00:06:01 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Configurator: S = pc * Pe
|
|
|
|
* Enrollee: S = pe * Pc
|
|
|
|
* k = HKDF(bk, "New DPP Protocol Key", S.x)
|
|
|
|
* = HKDF-Expand(HKDF-Extract(bk, S.X), "New DPP Protocol Key",
|
|
|
|
* len(new-curve-hash-out))
|
2022-03-09 19:49:17 +01:00
|
|
|
* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)
|
2022-03-09 00:06:01 +01:00
|
|
|
*
|
2022-03-09 19:49:17 +01:00
|
|
|
* auth->own_protocol_key and auth->peer_protocol_key have already been
|
|
|
|
* updated to use the new keys. The new curve determines the size of
|
|
|
|
* the (new) protocol keys and S.x. The other parameters (bk, hash
|
|
|
|
* algorithm, k) are determined based on the initially determined curve
|
|
|
|
* during the (re)authentication exchange.
|
2022-03-09 00:06:01 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key,
|
|
|
|
Sx, &Sx_len) < 0)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: S.x", Sx, Sx_len);
|
|
|
|
|
|
|
|
/* tmp = HKDF-Extract(bk, S.x) */
|
|
|
|
addr[0] = Sx;
|
|
|
|
len[0] = Sx_len;
|
2022-03-09 19:49:17 +01:00
|
|
|
res = dpp_hmac_vector(hash_len, auth->bk, hash_len, 1, addr, len, tmp);
|
2022-03-09 00:06:01 +01:00
|
|
|
if (res < 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "DPP: HKDF-Extract(bk, S.x)",
|
|
|
|
tmp, hash_len);
|
2022-03-09 19:49:17 +01:00
|
|
|
/* k = HKDF-Expand(tmp, "New DPP Protocol Key", len(hash-output))
|
2022-03-09 00:06:01 +01:00
|
|
|
*/
|
|
|
|
res = dpp_hkdf_expand(hash_len, tmp, hash_len, info, k, hash_len);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: k = HKDF-Expand(\"New DPP Protocol Key\")",
|
|
|
|
k, hash_len);
|
|
|
|
|
2022-03-09 19:49:17 +01:00
|
|
|
/* Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x) */
|
|
|
|
addr[0] = auth->e_nonce;
|
|
|
|
len[0] = auth->curve->nonce_len;
|
2022-03-09 00:06:01 +01:00
|
|
|
|
|
|
|
if (auth->configurator) {
|
|
|
|
pcx = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
|
|
|
pex = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
|
|
|
} else {
|
|
|
|
pcx = crypto_ec_key_get_pubkey_point(auth->peer_protocol_key,
|
|
|
|
0);
|
|
|
|
pex = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
|
|
|
|
}
|
|
|
|
if (!pcx || !pex)
|
|
|
|
goto fail;
|
2022-03-09 19:49:17 +01:00
|
|
|
addr[1] = wpabuf_head(pcx);
|
|
|
|
len[1] = wpabuf_len(pcx) / 2;
|
|
|
|
addr[2] = wpabuf_head(pex);
|
|
|
|
len[2] = wpabuf_len(pex) / 2;
|
2022-03-09 00:06:01 +01:00
|
|
|
|
2022-03-09 19:49:17 +01:00
|
|
|
if (dpp_hmac_vector(hash_len, k, hash_len, 3, addr, len, auth_i) < 0)
|
2022-03-09 00:06:01 +01:00
|
|
|
goto fail;
|
2022-03-09 19:49:17 +01:00
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"DPP: Auth-I = HMAC(k, E-nonce | Pc.x | Pe.x)",
|
2022-03-09 00:06:01 +01:00
|
|
|
auth_i, hash_len);
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
|
|
|
forced_memzero(Sx, sizeof(Sx));
|
|
|
|
forced_memzero(tmp, sizeof(tmp));
|
|
|
|
forced_memzero(k, sizeof(k));
|
|
|
|
wpabuf_free(pcx);
|
|
|
|
wpabuf_free(pex);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_DPP3 */
|
|
|
|
|
|
|
|
|
2020-05-10 15:25:42 +02:00
|
|
|
#ifdef CONFIG_TESTING_OPTIONS
|
|
|
|
|
|
|
|
int dpp_test_gen_invalid_key(struct wpabuf *msg,
|
|
|
|
const struct dpp_curve_params *curve)
|
|
|
|
{
|
2021-06-28 18:25:35 +02:00
|
|
|
struct crypto_ec *ec;
|
|
|
|
struct crypto_ec_key *key = NULL;
|
|
|
|
const struct crypto_ec_point *pub_key;
|
|
|
|
struct crypto_ec_point *p = NULL;
|
|
|
|
u8 *x, *y;
|
2020-05-10 15:25:42 +02:00
|
|
|
int ret = -1;
|
|
|
|
|
2021-06-28 18:25:35 +02:00
|
|
|
ec = crypto_ec_init(curve->ike_group);
|
|
|
|
x = wpabuf_put(msg, curve->prime_len);
|
|
|
|
y = wpabuf_put(msg, curve->prime_len);
|
|
|
|
if (!ec)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:35 +02:00
|
|
|
retry:
|
|
|
|
/* Generate valid key pair */
|
|
|
|
key = crypto_ec_key_gen(curve->ike_group);
|
|
|
|
if (!key)
|
2020-05-10 15:25:42 +02:00
|
|
|
goto fail;
|
|
|
|
|
2021-06-28 18:25:35 +02:00
|
|
|
/* Retrieve public key coordinates */
|
|
|
|
pub_key = crypto_ec_key_get_public_key(key);
|
|
|
|
if (!pub_key)
|
|
|
|
goto fail;
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:35 +02:00
|
|
|
crypto_ec_point_to_bin(ec, pub_key, x, y);
|
2020-05-10 15:25:42 +02:00
|
|
|
|
2021-06-28 18:25:35 +02:00
|
|
|
/* And corrupt them */
|
|
|
|
y[curve->prime_len - 1] ^= 0x01;
|
|
|
|
p = crypto_ec_point_from_bin(ec, x);
|
|
|
|
if (p && crypto_ec_point_is_on_curve(ec, p)) {
|
|
|
|
crypto_ec_point_deinit(p, 0);
|
|
|
|
p = NULL;
|
|
|
|
goto retry;
|
2020-05-10 15:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
fail:
|
2021-06-28 18:25:35 +02:00
|
|
|
crypto_ec_point_deinit(p, 0);
|
|
|
|
crypto_ec_key_deinit(key);
|
|
|
|
crypto_ec_deinit(ec);
|
2020-05-10 15:25:42 +02:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
char * dpp_corrupt_connector_signature(const char *connector)
|
|
|
|
{
|
|
|
|
char *tmp, *pos, *signed3 = NULL;
|
|
|
|
unsigned char *signature = NULL;
|
|
|
|
size_t signature_len = 0, signed3_len;
|
|
|
|
|
|
|
|
tmp = os_zalloc(os_strlen(connector) + 5);
|
|
|
|
if (!tmp)
|
|
|
|
goto fail;
|
|
|
|
os_memcpy(tmp, connector, os_strlen(connector));
|
|
|
|
|
|
|
|
pos = os_strchr(tmp, '.');
|
|
|
|
if (!pos)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
pos = os_strchr(pos + 1, '.');
|
|
|
|
if (!pos)
|
|
|
|
goto fail;
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
|
|
|
|
pos);
|
|
|
|
signature = base64_url_decode(pos, os_strlen(pos), &signature_len);
|
|
|
|
if (!signature || signature_len == 0)
|
|
|
|
goto fail;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
|
|
|
|
signature, signature_len);
|
|
|
|
signature[signature_len - 1] ^= 0x01;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
|
|
|
|
signature, signature_len);
|
|
|
|
signed3 = base64_url_encode(signature, signature_len, &signed3_len);
|
|
|
|
if (!signed3)
|
|
|
|
goto fail;
|
|
|
|
os_memcpy(pos, signed3, signed3_len);
|
|
|
|
pos[signed3_len] = '\0';
|
|
|
|
wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
|
|
|
|
pos);
|
|
|
|
|
|
|
|
out:
|
|
|
|
os_free(signature);
|
|
|
|
os_free(signed3);
|
|
|
|
return tmp;
|
|
|
|
fail:
|
|
|
|
os_free(tmp);
|
|
|
|
tmp = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* CONFIG_TESTING_OPTIONS */
|