DPP2: Include E-nonce in reconfig ke derivation

This was changed in the protocol design to include nonce from both
devices, so update implementation to match.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-09-09 23:33:58 +03:00 committed by Jouni Malinen
parent 4ae5e459dd
commit 10c3e58b27
2 changed files with 22 additions and 15 deletions

View file

@ -19,6 +19,7 @@
#include "utils/json.h" #include "utils/json.h"
#include "common/ieee802_11_defs.h" #include "common/ieee802_11_defs.h"
#include "crypto/crypto.h" #include "crypto/crypto.h"
#include "crypto/random.h"
#include "crypto/sha384.h" #include "crypto/sha384.h"
#include "crypto/sha512.h" #include "crypto/sha512.h"
#include "dpp.h" #include "dpp.h"
@ -2269,6 +2270,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
u8 prk[DPP_MAX_HASH_LEN]; u8 prk[DPP_MAX_HASH_LEN];
const struct dpp_curve_params *curve; const struct dpp_curve_params *curve;
int res = -1; int res = -1;
u8 nonces[2 * DPP_MAX_NONCE_LEN];
own_key = dpp_set_keypair(&auth->curve, net_access_key, own_key = dpp_set_keypair(&auth->curve, net_access_key,
net_access_key_len); net_access_key_len);
@ -2293,6 +2295,13 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
if (!auth->own_protocol_key) if (!auth->own_protocol_key)
goto fail; goto fail;
if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
goto fail;
}
wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
auth->e_nonce, auth->curve->nonce_len);
/* M = { cR + pR } * CI */ /* M = { cR + pR } * CI */
cR = EVP_PKEY_get0_EC_KEY(own_key); cR = EVP_PKEY_get0_EC_KEY(own_key);
pR = EVP_PKEY_get0_EC_KEY(auth->own_protocol_key); pR = EVP_PKEY_get0_EC_KEY(auth->own_protocol_key);
@ -2325,10 +2334,12 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
goto fail; goto fail;
wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
/* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */ /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
/* HKDF-Extract(C-nonce, M.x) */ /* HKDF-Extract(C-nonce | E-nonce, M.x) */
if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len, os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
Mx, curve->prime_len, prk) < 0) Mx, curve->prime_len, prk) < 0)
goto fail; goto fail;
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len); wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
@ -2338,7 +2349,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
"dpp reconfig key", auth->ke, curve->hash_len) < 0) "dpp reconfig key", auth->ke, curve->hash_len) < 0)
goto fail; goto fail;
wpa_hexdump_key(MSG_DEBUG, wpa_hexdump_key(MSG_DEBUG,
"DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)", "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
auth->ke, curve->hash_len); auth->ke, curve->hash_len);
res = 0; res = 0;
@ -2375,6 +2386,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
u8 prk[DPP_MAX_HASH_LEN]; u8 prk[DPP_MAX_HASH_LEN];
int res = -1; int res = -1;
const struct dpp_curve_params *curve; const struct dpp_curve_params *curve;
u8 nonces[2 * DPP_MAX_NONCE_LEN];
pr = dpp_set_pubkey_point(auth->conf->connector_key, pr = dpp_set_pubkey_point(auth->conf->connector_key,
r_proto, r_proto_len); r_proto, r_proto_len);
@ -2420,10 +2432,12 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
/* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */ /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
/* HKDF-Extract(C-nonce, M.x) */ /* HKDF-Extract(C-nonce | E-nonce, M.x) */
if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len, os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
Mx, curve->prime_len, prk) < 0) Mx, curve->prime_len, prk) < 0)
goto fail; goto fail;
wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len); wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
@ -2433,7 +2447,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
"dpp reconfig key", auth->ke, curve->hash_len) < 0) "dpp reconfig key", auth->ke, curve->hash_len) < 0)
goto fail; goto fail;
wpa_hexdump_key(MSG_DEBUG, wpa_hexdump_key(MSG_DEBUG,
"DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)", "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
auth->ke, curve->hash_len); auth->ke, curve->hash_len);
res = 0; res = 0;

View file

@ -533,13 +533,6 @@ dpp_reconfig_auth_req_rx(struct dpp_global *dpp, void *msg_ctx,
goto fail; goto fail;
} }
if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
goto fail;
}
wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
auth->e_nonce, auth->curve->nonce_len);
/* Build Connection Status object */ /* Build Connection Status object */
/* TODO: Get appropriate result value */ /* TODO: Get appropriate result value */
/* TODO: ssid64 and channelList */ /* TODO: ssid64 and channelList */