DPP2: Include E-nonce in reconfig ke derivation

This was changed in the protocol design to include nonce from both
devices, so update implementation to match.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 9ae33d59ae432b0c37267a959351560875cf42be..5938ed6a78d4c6e4b3fdc4df655ec52aaae8dae7 100644 (file)
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -19,6 +19,7 @@
 #include "utils/json.h"
 #include "common/ieee802_11_defs.h"
 #include "crypto/crypto.h"
+#include "crypto/random.h"
 #include "crypto/sha384.h"
 #include "crypto/sha512.h"
 #include "dpp.h"
@@ -2269,6 +2270,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
        u8 prk[DPP_MAX_HASH_LEN];
        const struct dpp_curve_params *curve;
        int res = -1;
+       u8 nonces[2 * DPP_MAX_NONCE_LEN];
 
        own_key = dpp_set_keypair(&auth->curve, net_access_key,
                                  net_access_key_len);
@@ -2293,6 +2295,13 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
        if (!auth->own_protocol_key)
                goto fail;
 
+       if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
+               wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
+               goto fail;
+       }
+       wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
+                       auth->e_nonce, auth->curve->nonce_len);
+
        /* M = { cR + pR } * CI */
        cR = EVP_PKEY_get0_EC_KEY(own_key);
        pR = EVP_PKEY_get0_EC_KEY(auth->own_protocol_key);
@@ -2325,10 +2334,12 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
                goto fail;
        wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
 
-       /* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */
+       /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
 
-       /* HKDF-Extract(C-nonce, M.x) */
-       if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len,
+       /* HKDF-Extract(C-nonce | E-nonce, M.x) */
+       os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
+       os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
+       if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
                     Mx, curve->prime_len, prk) < 0)
                goto fail;
        wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
@@ -2338,7 +2349,7 @@ int dpp_reconfig_derive_ke_responder(struct dpp_authentication *auth,
                            "dpp reconfig key", auth->ke, curve->hash_len) < 0)
                goto fail;
        wpa_hexdump_key(MSG_DEBUG,
-                       "DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)",
+                       "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
                        auth->ke, curve->hash_len);
 
        res = 0;
@@ -2375,6 +2386,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
        u8 prk[DPP_MAX_HASH_LEN];
        int res = -1;
        const struct dpp_curve_params *curve;
+       u8 nonces[2 * DPP_MAX_NONCE_LEN];
 
        pr = dpp_set_pubkey_point(auth->conf->connector_key,
                                  r_proto, r_proto_len);
@@ -2420,10 +2432,12 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
 
        wpa_hexdump_key(MSG_DEBUG, "DPP: M.x", Mx, curve->prime_len);
 
-       /* ke = HKDF(C-nonce, "dpp reconfig key", M.x) */
+       /* ke = HKDF(C-nonce | E-nonce, "dpp reconfig key", M.x) */
 
-       /* HKDF-Extract(C-nonce, M.x) */
-       if (dpp_hmac(curve->hash_len, auth->c_nonce, curve->nonce_len,
+       /* HKDF-Extract(C-nonce | E-nonce, M.x) */
+       os_memcpy(nonces, auth->c_nonce, curve->nonce_len);
+       os_memcpy(&nonces[curve->nonce_len], auth->e_nonce, curve->nonce_len);
+       if (dpp_hmac(curve->hash_len, nonces, 2 * curve->nonce_len,
                     Mx, curve->prime_len, prk) < 0)
                goto fail;
        wpa_hexdump_key(MSG_DEBUG, "DPP: PRK", prk, curve->hash_len);
@@ -2433,7 +2447,7 @@ int dpp_reconfig_derive_ke_initiator(struct dpp_authentication *auth,
                            "dpp reconfig key", auth->ke, curve->hash_len) < 0)
                goto fail;
        wpa_hexdump_key(MSG_DEBUG,
-                       "DPP: ke = HKDF(C-nonce, \"dpp reconfig key\", M.x)",
+                       "DPP: ke = HKDF(C-nonce | E-nonce, \"dpp reconfig key\", M.x)",
                        auth->ke, curve->hash_len);
 
        res = 0;

diff --git a/src/common/dpp_reconfig.c b/src/common/dpp_reconfig.c
index 225bac5e55e4bc91e7c324fd7b8daf932c9e1918..f9d01d8419a0710184b435934293cbb9909aa932 100644 (file)
--- a/src/common/dpp_reconfig.c
+++ b/src/common/dpp_reconfig.c
@@ -533,13 +533,6 @@ dpp_reconfig_auth_req_rx(struct dpp_global *dpp, void *msg_ctx,
                goto fail;
        }
 
-       if (random_get_bytes(auth->e_nonce, auth->curve->nonce_len)) {
-               wpa_printf(MSG_ERROR, "DPP: Failed to generate E-nonce");
-               goto fail;
-       }
-       wpa_hexdump_key(MSG_DEBUG, "DPP: E-nonce",
-                       auth->e_nonce, auth->curve->nonce_len);
-
        /* Build Connection Status object */
        /* TODO: Get appropriate result value */
        /* TODO: ssid64 and channelList */