DPP2: Derive bk ("base key")
authorJouni Malinen <jouni@codeaurora.org>
Fri, 8 May 2020 18:13:32 +0000 (21:13 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 10 May 2020 12:55:30 +0000 (15:55 +0300)
Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/common/dpp.c
src/common/dpp.h

index b668e8f41c6f53e48db7b8a2c38a20fe63a6975d..76580d6426af275cb2a34fd68c54a8cddd06d67b 100644 (file)
@@ -1713,13 +1713,12 @@ static int dpp_derive_k2(const u8 *Nx, size_t Nx_len, u8 *k2,
 }
 
 
-static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
-                        unsigned int hash_len)
+static int dpp_derive_bk_ke(struct dpp_authentication *auth)
 {
-       size_t nonce_len;
+       unsigned int hash_len = auth->curve->hash_len;
+       size_t nonce_len = auth->curve->nonce_len;
        u8 nonces[2 * DPP_MAX_NONCE_LEN];
        const char *info_ke = "DPP Key";
-       u8 prk[DPP_MAX_HASH_LEN];
        int res;
        const u8 *addr[3];
        size_t len[3];
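Review bot: dpp_derive_bk_ke() has no header comment, and with the `ke` output pointer dropped from the signature its results are now only visible as writes to `auth->bk` and `auth->ke`. A short comment above the definition would make that contract explicit, for example `/* Derive bk and ke from I-nonce | R-nonce and M.x | N.x [| L.x]; stores them in auth->bk and auth->ke. Returns 0 on success, -1 on failure. */`. The function body continues outside this hunk.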
@@ -1731,10 +1730,7 @@ static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
                return -1;
        }
 
-       /* ke = HKDF(I-nonce | R-nonce, "DPP Key", M.x | N.x [| L.x]) */
-
-       /* HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
-       nonce_len = auth->curve->nonce_len;
+       /* bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x]) */
        os_memcpy(nonces, auth->i_nonce, nonce_len);
        os_memcpy(&nonces[nonce_len], auth->r_nonce, nonce_len);
        addr[num_elem] = auth->Mx;
@@ -1754,20 +1750,23 @@ static int dpp_derive_ke(struct dpp_authentication *auth, u8 *ke,
                num_elem++;
        }
        res = dpp_hmac_vector(hash_len, nonces, 2 * nonce_len,
-                             num_elem, addr, len, prk);
+                             num_elem, addr, len, auth->bk);
        if (res < 0)
                return -1;
-       wpa_hexdump_key(MSG_DEBUG, "DPP: PRK = HKDF-Extract(<>, IKM)",
-                       prk, hash_len);
+       wpa_hexdump_key(MSG_DEBUG,
+                       "DPP: bk = HKDF-Extract(I-nonce | R-nonce, M.x | N.x [| L.x])",
+                       auth->bk, hash_len);
 
-       /* HKDF-Expand(PRK, info, L) */
-       res = dpp_hkdf_expand(hash_len, prk, hash_len, info_ke, ke, hash_len);
-       os_memset(prk, 0, hash_len);
+       /* ke = HKDF-Expand(bkK, "DPP Key", length) */
+       res = dpp_hkdf_expand(hash_len, auth->bk, hash_len, info_ke, auth->ke,
+                             hash_len);
        if (res < 0)
                return -1;
 
-       wpa_hexdump_key(MSG_DEBUG, "DPP: ke = HKDF-Expand(PRK, info, L)",
-                       ke, hash_len);
+       wpa_hexdump_key(MSG_DEBUG,
+                       "DPP: ke = HKDF-Expand(bk, \"DPP Key\", length)",
+                       auth->ke, hash_len);
+
        return 0;
 }
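Review bot: The intermediate key is no longer wiped after use: the old code cleared `prk` with os_memset() right after the expand step, while `auth->bk` now stays in the authentication state for the life of the struct. Keeping it is the purpose of the commit, but the teardown of struct dpp_authentication (not visible in this diff) then has to zero the new `bk` field added in dpp.h along with k1/k2/ke, which is worth confirming. On the dpp_hkdf_expand() failure path bk is also left populated with no matching ke; unless the callers' `fail` paths always discard auth, consider `os_memset(auth->bk, 0, hash_len);` before that `return -1`. Separately, the comment `/* ke = HKDF-Expand(bkK, "DPP Key", length) */` has a typo and should read `bk`, matching the debug string below it.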
 
@@ -3153,7 +3152,7 @@ static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
                        goto fail;
        }
 
-       if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
+       if (dpp_derive_bk_ke(auth) < 0)
                goto fail;
 
        /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
@@ -4160,7 +4159,7 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
        wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
                    wrapped2, wrapped2_len);
 
-       if (dpp_derive_ke(auth, auth->ke, auth->curve->hash_len) < 0)
+       if (dpp_derive_bk_ke(auth) < 0)
                goto fail;
 
        unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
index de987dd9374562bee4cd86965380c62b9045c5d1..e81526fc867dcfb3f2edc9e3823e65ffd3e8ec3f 100644 (file)
@@ -264,6 +264,7 @@ struct dpp_authentication {
        u8 k1[DPP_MAX_HASH_LEN];
        u8 k2[DPP_MAX_HASH_LEN];
        u8 ke[DPP_MAX_HASH_LEN];
+       u8 bk[DPP_MAX_HASH_LEN];
        int initiator;
        int waiting_auth_resp;
        int waiting_auth_conf;