Fix internal DH implementation not to pad shared key
authorJouni Malinen <jouni.malinen@atheros.com>
Mon, 12 Apr 2010 09:25:21 +0000 (12:25 +0300)
committerJouni Malinen <j@w1.fi>
Mon, 12 Apr 2010 09:25:21 +0000 (12:25 +0300)
The returned buffer length was hardcoded to be the prime length
which resulted in shorter results being padded at the end. However,
the results from DH code are supposed to be unpadded (and when used
with WPS, the padding is done in WPS code and it is added to the
beginning of the buffer). This fixes WPS key derivation errors
in about 1/256 of runs ("WPS: Incorrect Authenticator") when using
the internal crypto code.

src/crypto/dh_groups.c

index 5f6008a6e2a26758939b955e97569dc15367f7db..7bd2fb7b4e21ed2eb06b49386b8511b6ab70941c 100644 (file)
@@ -619,11 +619,12 @@ struct wpabuf * dh_derive_shared(const struct wpabuf *peer_public,
        if (crypto_mod_exp(wpabuf_head(peer_public), wpabuf_len(peer_public),
                           wpabuf_head(own_private), wpabuf_len(own_private),
                           dh->prime, dh->prime_len,
-                          wpabuf_put(shared, shared_len), &shared_len) < 0) {
+                          wpabuf_mhead(shared), &shared_len) < 0) {
                wpabuf_free(shared);
                wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
                return NULL;
        }
+       wpabuf_put(shared, shared_len);
        wpa_hexdump_buf_key(MSG_DEBUG, "DH: shared key", shared);
 
        return shared;
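Review bot: The added `wpabuf_put(shared, shared_len)` commits whatever length crypto_mod_exp wrote back, and nothing visible in the hunk rejects a degenerate result. Now that the output is no longer fixed at the prime length, a peer value that reduces to 0 or 1 modulo the prime could come back as an empty or one-byte "shared key". Unless peer_public is already range-checked earlier in dh_derive_shared (the function starts outside the hunk), consider failing closed before the put, e.g. `if (shared_len == 0) { wpabuf_free(shared); return NULL; }`, and validating the peer value against 1 and p-1 up front. A short comment above the call, such as `/* shared_len: in = buffer size, out = unpadded result length; callers needing fixed length must left-pad */`, would also record the contract this fix relies on.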