diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 9ae33d59a..5938ed6a7 100644
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -19,6 +19,7 @@
 #include "utils/json.h"
 #include "common/ieee802_11_defs.h"
 #include "crypto/crypto.h"
+#include "crypto/random.h"
 #include "crypto/sha384.h"
 #include "crypto/sha512.h"
 #include "dpp.h"
@@ -2269,6 +2270,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth, u8 prk[DPP_MAX_HASH_LEN]; const struct dpp_curve_params *curve; int res = -1; + u8 nonces[2 * DPP_MAX_NONCE_LEN]; own_key = dpp_set_keypair(&auth->curve, net_access_key, net_access_key_len);
@@ -2293,6 +2295,13 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth, if (!auth->own_protocol_key) goto fail; + if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) { + wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce"); + goto fail; + } + wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce", + auth->e_nonce, auth->curve->nonce_len); + /* M = { cR + pR } * CI */ cR = EVP_PKEY_get0_EC_KEY(own_key); pR = EVP_PKEY_get0_EC_KEY(auth->own_protocol_key);
@@ -2325,10 +2334,12 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth, goto fail; wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); - /* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */ + /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */ - /* HKDF-Extract(C-nonce, M.x) */ - if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len, + /* HKDF-Extract(C-nonce | E-nonce, M.x) */ + os_memcpy(nonces, auth->c_nonce, curve->nonce_len); + os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len); + if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len, Mx, curve->prime_len, prk) < 0) goto fail; wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
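Review bot: The new `u8 nonces[2 * DPP_MAX_NONCE_LEN];` in dpp_reconfig_derive_ke_responder() (hunk at -2269) is later filled with C-nonce | E-nonce, and none of the visible hunks clears it before the function returns. The same commit dumps E-nonce with wpa_hexdump_key(), so the value is handled as key-class data, and this copy sits on the stack next to `prk`. If the cleanup code after `fail:` (outside these hunks) wipes `prk` and `Mx`, add `forced_memzero(nonces, sizeof(nonces));` there as well. The identical declaration in dpp_reconfig_derive_ke_initiator() (hunk at -2375) needs the same treatment.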
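Review bot: The E-nonce block added after the `own_protocol_key` check in dpp_reconfig_derive_ke_responder() (hunk at -2293) is order-critical but carries no comment saying so: the function now writes `auth->e_nonce` as a side effect, and the HKDF-Extract step further down in the same function consumes it. A comment above the `random_get_bytes()` call, for example `/* E-nonce is part of the HKDF salt for ke, so it has to exist before the derivation below */`, would keep the block from being moved back into the caller. The function header is outside the hunk; if it has a description, it should state that `auth->e_nonce` is filled in here and that every call replaces the previous value.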
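Review bot: The two `os_memcpy()` calls into `nonces` in the -2325 hunk depend on `curve->nonce_len <= DPP_MAX_NONCE_LEN`, which nothing in the hunk checks or states. The second copy starts at offset `curve->nonce_len`, so a curve entry with a larger value would write past the 2 * DPP_MAX_NONCE_LEN stack buffer. The invariant presumably holds for the curve table defined elsewhere, but a guard before the copies, `if (curve->nonce_len > DPP_MAX_NONCE_LEN) goto fail;`, would make the bound visible at the point of the write. The same applies to the copies in dpp_reconfig_derive_ke_initiator() (hunk at -2420).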
@@ -2338,7 +2349,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth, "dpp reconfig key", auth->ke, curve->hash_len) < 0) goto fail; wpa_hexdump_key(MSG_DEBUG, - "DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)", + "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)", auth->ke, curve->hash_len); res = 0;
@@ -2375,6 +2386,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth, u8 prk[DPP_MAX_HASH_LEN]; int res = -1; const struct dpp_curve_params *curve; + u8 nonces[2 * DPP_MAX_NONCE_LEN]; pr = dpp_set_pubkey_point(auth->conf->connector_key, r_proto, r_proto_len);
@@ -2420,10 +2432,12 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth, wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len); - /* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */ + /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */ - /* HKDF-Extract(C-nonce, M.x) */ - if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len, + /* HKDF-Extract(C-nonce | E-nonce, M.x) */ + os_memcpy(nonces, auth->c_nonce, curve->nonce_len); + os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len); + if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len, Mx, curve->prime_len, prk) < 0) goto fail; wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
@@ -2433,7 +2447,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth, "dpp reconfig key", auth->ke, curve->hash_len) < 0) goto fail; wpa_hexdump_key(MSG_DEBUG, - "DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)", + "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)", auth->ke, curve->hash_len); res = 0;
diff --git a/src/common/dpp_reconfig.c b/src/common/dpp_reconfig.c
index 225bac5e5..f9d01d841 100644
--- a/src/common/dpp_reconfig.c
+++ b/src/common/dpp_reconfig.c
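Review bot: In dpp_reconfig_derive_ke_initiator() (hunk at -2420) the salt is built from `auth->e_nonce`, but nothing in this diff shows where the initiator stores the peer's E-nonce or checks that the received value is exactly `curve->nonce_len` bytes long. If the function can run before that field has been filled from the received message, or after a shorter value was stored, the copy would pick up stale or zero bytes and the two sides would derive different ke. The caller is outside the diff, so this is something to confirm rather than a known defect. Once confirmed, record the precondition at the copy, e.g. `/* auth->e_nonce: peer's E-nonce, length already checked against curve->nonce_len by the caller */`.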
@@ -533,13 +533,6 @@ dpp_reconfig_auth_req_rx(struct dpp_global *dpp, void *msg_ctx, goto fail; } - if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) { - wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce"); - goto fail; - } - wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce", - auth->e_nonce, auth->curve->nonce_len); - /* Build Connection Status object */ /* TODO: Get appropriate result value */ /* TODO: ssid64 and channelList */