1 /*
2 * DPP authentication exchange
3 * Copyright (c) 2017, Qualcomm Atheros, Inc.
4 * Copyright (c) 2018-2020, The Linux Foundation
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "utils/includes.h"
11
12 #include "utils/common.h"
13 #include "common/ieee802_11_common.h"
14 #include "common/wpa_ctrl.h"
15 #include "crypto/aes.h"
16 #include "crypto/aes_siv.h"
17 #include "crypto/random.h"
18 #include "dpp.h"
19 #include "dpp_i.h"
20
21
22 #ifdef CONFIG_TESTING_OPTIONS
23 u8 dpp_protocol_key_override[600];
24 size_t dpp_protocol_key_override_len = 0;
25 u8 dpp_nonce_override[DPP_MAX_NONCE_LEN];
26 size_t dpp_nonce_override_len = 0;
27 #endif /* CONFIG_TESTING_OPTIONS */
28
29
dpp_build_attr_i_bootstrap_key_hash(struct wpabuf * msg,const u8 * hash)30 static void dpp_build_attr_i_bootstrap_key_hash(struct wpabuf *msg,
31 const u8 *hash)
32 {
33 if (hash) {
34 wpa_printf(MSG_DEBUG, "DPP: I-Bootstrap Key Hash");
35 wpabuf_put_le16(msg, DPP_ATTR_I_BOOTSTRAP_KEY_HASH);
36 wpabuf_put_le16(msg, SHA256_MAC_LEN);
37 wpabuf_put_data(msg, hash, SHA256_MAC_LEN);
38 }
39 }
40
41
dpp_auth_success(struct dpp_authentication * auth)42 static void dpp_auth_success(struct dpp_authentication *auth)
43 {
44 wpa_printf(MSG_DEBUG,
45 "DPP: Authentication success - clear temporary keys");
46 os_memset(auth->Mx, 0, sizeof(auth->Mx));
47 auth->Mx_len = 0;
48 os_memset(auth->Nx, 0, sizeof(auth->Nx));
49 auth->Nx_len = 0;
50 os_memset(auth->Lx, 0, sizeof(auth->Lx));
51 auth->Lx_len = 0;
52 os_memset(auth->k1, 0, sizeof(auth->k1));
53 os_memset(auth->k2, 0, sizeof(auth->k2));
54
55 auth->auth_success = 1;
56 }
57
58
dpp_auth_build_req(struct dpp_authentication * auth,const struct wpabuf * pi,size_t nonce_len,const u8 * r_pubkey_hash,const u8 * i_pubkey_hash,unsigned int neg_freq)59 static struct wpabuf * dpp_auth_build_req(struct dpp_authentication *auth,
60 const struct wpabuf *pi,
61 size_t nonce_len,
62 const u8 *r_pubkey_hash,
63 const u8 *i_pubkey_hash,
64 unsigned int neg_freq)
65 {
66 struct wpabuf *msg;
67 u8 clear[4 + DPP_MAX_NONCE_LEN + 4 + 1];
68 u8 wrapped_data[4 + DPP_MAX_NONCE_LEN + 4 + 1 + AES_BLOCK_SIZE];
69 u8 *pos;
70 const u8 *addr[2];
71 size_t len[2], siv_len, attr_len;
72 u8 *attr_start, *attr_end;
73
74 /* Build DPP Authentication Request frame attributes */
75 attr_len = 2 * (4 + SHA256_MAC_LEN) + 4 + (pi ? wpabuf_len(pi) : 0) +
76 4 + sizeof(wrapped_data);
77 if (neg_freq > 0)
78 attr_len += 4 + 2;
79 #ifdef CONFIG_DPP2
80 attr_len += 5;
81 #endif /* CONFIG_DPP2 */
82 #ifdef CONFIG_TESTING_OPTIONS
83 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ)
84 attr_len += 5;
85 #endif /* CONFIG_TESTING_OPTIONS */
86 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_REQ, attr_len);
87 if (!msg)
88 return NULL;
89
90 attr_start = wpabuf_put(msg, 0);
91
92 /* Responder Bootstrapping Key Hash */
93 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
94
95 /* Initiator Bootstrapping Key Hash */
96 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
97
98 /* Initiator Protocol Key */
99 if (pi) {
100 wpabuf_put_le16(msg, DPP_ATTR_I_PROTOCOL_KEY);
101 wpabuf_put_le16(msg, wpabuf_len(pi));
102 wpabuf_put_buf(msg, pi);
103 }
104
105 /* Channel */
106 if (neg_freq > 0) {
107 u8 op_class, channel;
108
109 if (ieee80211_freq_to_channel_ext(neg_freq, 0, 0, &op_class,
110 &channel) ==
111 NUM_HOSTAPD_MODES) {
112 wpa_printf(MSG_INFO,
113 "DPP: Unsupported negotiation frequency request: %d",
114 neg_freq);
115 wpabuf_free(msg);
116 return NULL;
117 }
118 wpabuf_put_le16(msg, DPP_ATTR_CHANNEL);
119 wpabuf_put_le16(msg, 2);
120 wpabuf_put_u8(msg, op_class);
121 wpabuf_put_u8(msg, channel);
122 }
123
124 #ifdef CONFIG_DPP2
125 /* Protocol Version */
126 if (DPP_VERSION > 1) {
127 wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
128 wpabuf_put_le16(msg, 1);
129 wpabuf_put_u8(msg, DPP_VERSION);
130 }
131 #endif /* CONFIG_DPP2 */
132
133 #ifdef CONFIG_TESTING_OPTIONS
134 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_REQ) {
135 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
136 goto skip_wrapped_data;
137 }
138 #endif /* CONFIG_TESTING_OPTIONS */
139
140 /* Wrapped data ({I-nonce, I-capabilities}k1) */
141 pos = clear;
142
143 #ifdef CONFIG_TESTING_OPTIONS
144 if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_REQ) {
145 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
146 goto skip_i_nonce;
147 }
148 if (dpp_test == DPP_TEST_INVALID_I_NONCE_AUTH_REQ) {
149 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-nonce");
150 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
151 pos += 2;
152 WPA_PUT_LE16(pos, nonce_len - 1);
153 pos += 2;
154 os_memcpy(pos, auth->i_nonce, nonce_len - 1);
155 pos += nonce_len - 1;
156 goto skip_i_nonce;
157 }
158 #endif /* CONFIG_TESTING_OPTIONS */
159
160 /* I-nonce */
161 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
162 pos += 2;
163 WPA_PUT_LE16(pos, nonce_len);
164 pos += 2;
165 os_memcpy(pos, auth->i_nonce, nonce_len);
166 pos += nonce_len;
167
168 #ifdef CONFIG_TESTING_OPTIONS
169 skip_i_nonce:
170 if (dpp_test == DPP_TEST_NO_I_CAPAB_AUTH_REQ) {
171 wpa_printf(MSG_INFO, "DPP: TESTING - no I-capab");
172 goto skip_i_capab;
173 }
174 #endif /* CONFIG_TESTING_OPTIONS */
175
176 /* I-capabilities */
177 WPA_PUT_LE16(pos, DPP_ATTR_I_CAPABILITIES);
178 pos += 2;
179 WPA_PUT_LE16(pos, 1);
180 pos += 2;
181 auth->i_capab = auth->allowed_roles;
182 *pos++ = auth->i_capab;
183 #ifdef CONFIG_TESTING_OPTIONS
184 if (dpp_test == DPP_TEST_ZERO_I_CAPAB) {
185 wpa_printf(MSG_INFO, "DPP: TESTING - zero I-capabilities");
186 pos[-1] = 0;
187 }
188 skip_i_capab:
189 #endif /* CONFIG_TESTING_OPTIONS */
190
191 attr_end = wpabuf_put(msg, 0);
192
193 /* OUI, OUI type, Crypto Suite, DPP frame type */
194 addr[0] = wpabuf_head_u8(msg) + 2;
195 len[0] = 3 + 1 + 1 + 1;
196 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
197
198 /* Attributes before Wrapped Data */
199 addr[1] = attr_start;
200 len[1] = attr_end - attr_start;
201 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
202
203 siv_len = pos - clear;
204 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
205 if (aes_siv_encrypt(auth->k1, auth->curve->hash_len, clear, siv_len,
206 2, addr, len, wrapped_data) < 0) {
207 wpabuf_free(msg);
208 return NULL;
209 }
210 siv_len += AES_BLOCK_SIZE;
211 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
212 wrapped_data, siv_len);
213
214 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
215 wpabuf_put_le16(msg, siv_len);
216 wpabuf_put_data(msg, wrapped_data, siv_len);
217
218 #ifdef CONFIG_TESTING_OPTIONS
219 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_REQ) {
220 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
221 dpp_build_attr_status(msg, DPP_STATUS_OK);
222 }
223 skip_wrapped_data:
224 #endif /* CONFIG_TESTING_OPTIONS */
225
226 wpa_hexdump_buf(MSG_DEBUG,
227 "DPP: Authentication Request frame attributes", msg);
228
229 return msg;
230 }
231
232
dpp_auth_build_resp(struct dpp_authentication * auth,enum dpp_status_error status,const struct wpabuf * pr,size_t nonce_len,const u8 * r_pubkey_hash,const u8 * i_pubkey_hash,const u8 * r_nonce,const u8 * i_nonce,const u8 * wrapped_r_auth,size_t wrapped_r_auth_len,const u8 * siv_key)233 static struct wpabuf * dpp_auth_build_resp(struct dpp_authentication *auth,
234 enum dpp_status_error status,
235 const struct wpabuf *pr,
236 size_t nonce_len,
237 const u8 *r_pubkey_hash,
238 const u8 *i_pubkey_hash,
239 const u8 *r_nonce, const u8 *i_nonce,
240 const u8 *wrapped_r_auth,
241 size_t wrapped_r_auth_len,
242 const u8 *siv_key)
243 {
244 struct wpabuf *msg;
245 #define DPP_AUTH_RESP_CLEAR_LEN 2 * (4 + DPP_MAX_NONCE_LEN) + 4 + 1 + \
246 4 + 4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE
247 u8 clear[DPP_AUTH_RESP_CLEAR_LEN];
248 u8 wrapped_data[DPP_AUTH_RESP_CLEAR_LEN + AES_BLOCK_SIZE];
249 const u8 *addr[2];
250 size_t len[2], siv_len, attr_len;
251 u8 *attr_start, *attr_end, *pos;
252
253 auth->waiting_auth_conf = 1;
254 auth->auth_resp_status = status;
255 auth->auth_resp_tries = 0;
256
257 /* Build DPP Authentication Response frame attributes */
258 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
259 4 + (pr ? wpabuf_len(pr) : 0) + 4 + sizeof(wrapped_data);
260 #ifdef CONFIG_DPP2
261 attr_len += 5;
262 #endif /* CONFIG_DPP2 */
263 #ifdef CONFIG_TESTING_OPTIONS
264 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP)
265 attr_len += 5;
266 #endif /* CONFIG_TESTING_OPTIONS */
267 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_RESP, attr_len);
268 if (!msg)
269 return NULL;
270
271 attr_start = wpabuf_put(msg, 0);
272
273 /* DPP Status */
274 if (status != 255)
275 dpp_build_attr_status(msg, status);
276
277 /* Responder Bootstrapping Key Hash */
278 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
279
280 /* Initiator Bootstrapping Key Hash (mutual authentication) */
281 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
282
283 /* Responder Protocol Key */
284 if (pr) {
285 wpabuf_put_le16(msg, DPP_ATTR_R_PROTOCOL_KEY);
286 wpabuf_put_le16(msg, wpabuf_len(pr));
287 wpabuf_put_buf(msg, pr);
288 }
289
290 #ifdef CONFIG_DPP2
291 /* Protocol Version */
292 if (auth->peer_version >= 2) {
293 wpabuf_put_le16(msg, DPP_ATTR_PROTOCOL_VERSION);
294 wpabuf_put_le16(msg, 1);
295 wpabuf_put_u8(msg, DPP_VERSION);
296 }
297 #endif /* CONFIG_DPP2 */
298
299 attr_end = wpabuf_put(msg, 0);
300
301 #ifdef CONFIG_TESTING_OPTIONS
302 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_RESP) {
303 wpa_printf(MSG_INFO, "DPP: TESTING - no Wrapped Data");
304 goto skip_wrapped_data;
305 }
306 #endif /* CONFIG_TESTING_OPTIONS */
307
308 /* Wrapped data ({R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2) */
309 pos = clear;
310
311 if (r_nonce) {
312 /* R-nonce */
313 WPA_PUT_LE16(pos, DPP_ATTR_R_NONCE);
314 pos += 2;
315 WPA_PUT_LE16(pos, nonce_len);
316 pos += 2;
317 os_memcpy(pos, r_nonce, nonce_len);
318 pos += nonce_len;
319 }
320
321 if (i_nonce) {
322 /* I-nonce */
323 WPA_PUT_LE16(pos, DPP_ATTR_I_NONCE);
324 pos += 2;
325 WPA_PUT_LE16(pos, nonce_len);
326 pos += 2;
327 os_memcpy(pos, i_nonce, nonce_len);
328 #ifdef CONFIG_TESTING_OPTIONS
329 if (dpp_test == DPP_TEST_I_NONCE_MISMATCH_AUTH_RESP) {
330 wpa_printf(MSG_INFO, "DPP: TESTING - I-nonce mismatch");
331 pos[nonce_len / 2] ^= 0x01;
332 }
333 #endif /* CONFIG_TESTING_OPTIONS */
334 pos += nonce_len;
335 }
336
337 #ifdef CONFIG_TESTING_OPTIONS
338 if (dpp_test == DPP_TEST_NO_R_CAPAB_AUTH_RESP) {
339 wpa_printf(MSG_INFO, "DPP: TESTING - no R-capab");
340 goto skip_r_capab;
341 }
342 #endif /* CONFIG_TESTING_OPTIONS */
343
344 /* R-capabilities */
345 WPA_PUT_LE16(pos, DPP_ATTR_R_CAPABILITIES);
346 pos += 2;
347 WPA_PUT_LE16(pos, 1);
348 pos += 2;
349 auth->r_capab = auth->configurator ? DPP_CAPAB_CONFIGURATOR :
350 DPP_CAPAB_ENROLLEE;
351 *pos++ = auth->r_capab;
352 #ifdef CONFIG_TESTING_OPTIONS
353 if (dpp_test == DPP_TEST_ZERO_R_CAPAB) {
354 wpa_printf(MSG_INFO, "DPP: TESTING - zero R-capabilities");
355 pos[-1] = 0;
356 } else if (dpp_test == DPP_TEST_INCOMPATIBLE_R_CAPAB_AUTH_RESP) {
357 wpa_printf(MSG_INFO,
358 "DPP: TESTING - incompatible R-capabilities");
359 if ((auth->i_capab & DPP_CAPAB_ROLE_MASK) ==
360 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE))
361 pos[-1] = 0;
362 else
363 pos[-1] = auth->configurator ? DPP_CAPAB_ENROLLEE :
364 DPP_CAPAB_CONFIGURATOR;
365 }
366 skip_r_capab:
367 #endif /* CONFIG_TESTING_OPTIONS */
368
369 if (wrapped_r_auth) {
370 /* {R-auth}ke */
371 WPA_PUT_LE16(pos, DPP_ATTR_WRAPPED_DATA);
372 pos += 2;
373 WPA_PUT_LE16(pos, wrapped_r_auth_len);
374 pos += 2;
375 os_memcpy(pos, wrapped_r_auth, wrapped_r_auth_len);
376 pos += wrapped_r_auth_len;
377 }
378
379 /* OUI, OUI type, Crypto Suite, DPP frame type */
380 addr[0] = wpabuf_head_u8(msg) + 2;
381 len[0] = 3 + 1 + 1 + 1;
382 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
383
384 /* Attributes before Wrapped Data */
385 addr[1] = attr_start;
386 len[1] = attr_end - attr_start;
387 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
388
389 siv_len = pos - clear;
390 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", clear, siv_len);
391 if (aes_siv_encrypt(siv_key, auth->curve->hash_len, clear, siv_len,
392 2, addr, len, wrapped_data) < 0) {
393 wpabuf_free(msg);
394 return NULL;
395 }
396 siv_len += AES_BLOCK_SIZE;
397 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
398 wrapped_data, siv_len);
399
400 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
401 wpabuf_put_le16(msg, siv_len);
402 wpabuf_put_data(msg, wrapped_data, siv_len);
403
404 #ifdef CONFIG_TESTING_OPTIONS
405 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_RESP) {
406 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
407 dpp_build_attr_status(msg, DPP_STATUS_OK);
408 }
409 skip_wrapped_data:
410 #endif /* CONFIG_TESTING_OPTIONS */
411
412 wpa_hexdump_buf(MSG_DEBUG,
413 "DPP: Authentication Response frame attributes", msg);
414 return msg;
415 }
416
417
dpp_auth_build_resp_ok(struct dpp_authentication * auth)418 static int dpp_auth_build_resp_ok(struct dpp_authentication *auth)
419 {
420 size_t nonce_len;
421 size_t secret_len;
422 struct wpabuf *msg, *pr = NULL;
423 u8 r_auth[4 + DPP_MAX_HASH_LEN];
424 u8 wrapped_r_auth[4 + DPP_MAX_HASH_LEN + AES_BLOCK_SIZE], *w_r_auth;
425 size_t wrapped_r_auth_len;
426 int ret = -1;
427 const u8 *r_pubkey_hash, *i_pubkey_hash, *r_nonce, *i_nonce;
428 enum dpp_status_error status = DPP_STATUS_OK;
429 #ifdef CONFIG_TESTING_OPTIONS
430 u8 test_hash[SHA256_MAC_LEN];
431 #endif /* CONFIG_TESTING_OPTIONS */
432
433 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
434 if (!auth->own_bi)
435 return -1;
436
437 #ifdef CONFIG_TESTING_OPTIONS
438 if (dpp_nonce_override_len > 0) {
439 wpa_printf(MSG_INFO, "DPP: TESTING - override R-nonce");
440 nonce_len = dpp_nonce_override_len;
441 os_memcpy(auth->r_nonce, dpp_nonce_override, nonce_len);
442 } else {
443 nonce_len = auth->curve->nonce_len;
444 if (random_get_bytes(auth->r_nonce, nonce_len)) {
445 wpa_printf(MSG_ERROR,
446 "DPP: Failed to generate R-nonce");
447 goto fail;
448 }
449 }
450 #else /* CONFIG_TESTING_OPTIONS */
451 nonce_len = auth->curve->nonce_len;
452 if (random_get_bytes(auth->r_nonce, nonce_len)) {
453 wpa_printf(MSG_ERROR, "DPP: Failed to generate R-nonce");
454 goto fail;
455 }
456 #endif /* CONFIG_TESTING_OPTIONS */
457 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", auth->r_nonce, nonce_len);
458
459 crypto_ec_key_deinit(auth->own_protocol_key);
460 #ifdef CONFIG_TESTING_OPTIONS
461 if (dpp_protocol_key_override_len) {
462 const struct dpp_curve_params *tmp_curve;
463
464 wpa_printf(MSG_INFO,
465 "DPP: TESTING - override protocol key");
466 auth->own_protocol_key = dpp_set_keypair(
467 &tmp_curve, dpp_protocol_key_override,
468 dpp_protocol_key_override_len);
469 } else {
470 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
471 }
472 #else /* CONFIG_TESTING_OPTIONS */
473 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
474 #endif /* CONFIG_TESTING_OPTIONS */
475 if (!auth->own_protocol_key)
476 goto fail;
477
478 pr = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
479 if (!pr)
480 goto fail;
481
482 /* ECDH: N = pR * PI */
483 if (dpp_ecdh(auth->own_protocol_key, auth->peer_protocol_key,
484 auth->Nx, &secret_len) < 0)
485 goto fail;
486
487 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
488 auth->Nx, auth->secret_len);
489 auth->Nx_len = auth->secret_len;
490
491 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
492 auth->curve->hash_len) < 0)
493 goto fail;
494
495 if (auth->own_bi && auth->peer_bi) {
496 /* Mutual authentication */
497 if (dpp_auth_derive_l_responder(auth) < 0)
498 goto fail;
499 }
500
501 if (dpp_derive_bk_ke(auth) < 0)
502 goto fail;
503
504 /* R-auth = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
505 WPA_PUT_LE16(r_auth, DPP_ATTR_R_AUTH_TAG);
506 WPA_PUT_LE16(&r_auth[2], auth->curve->hash_len);
507 if (dpp_gen_r_auth(auth, r_auth + 4) < 0)
508 goto fail;
509 #ifdef CONFIG_TESTING_OPTIONS
510 if (dpp_test == DPP_TEST_R_AUTH_MISMATCH_AUTH_RESP) {
511 wpa_printf(MSG_INFO, "DPP: TESTING - R-auth mismatch");
512 r_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
513 }
514 #endif /* CONFIG_TESTING_OPTIONS */
515 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
516 r_auth, 4 + auth->curve->hash_len,
517 0, NULL, NULL, wrapped_r_auth) < 0)
518 goto fail;
519 wrapped_r_auth_len = 4 + auth->curve->hash_len + AES_BLOCK_SIZE;
520 wpa_hexdump(MSG_DEBUG, "DPP: {R-auth}ke",
521 wrapped_r_auth, wrapped_r_auth_len);
522 w_r_auth = wrapped_r_auth;
523
524 r_pubkey_hash = auth->own_bi->pubkey_hash;
525 if (auth->peer_bi)
526 i_pubkey_hash = auth->peer_bi->pubkey_hash;
527 else
528 i_pubkey_hash = NULL;
529
530 i_nonce = auth->i_nonce;
531 r_nonce = auth->r_nonce;
532
533 #ifdef CONFIG_TESTING_OPTIONS
534 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
535 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
536 r_pubkey_hash = NULL;
537 } else if (dpp_test ==
538 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
539 wpa_printf(MSG_INFO,
540 "DPP: TESTING - invalid R-Bootstrap Key Hash");
541 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
542 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
543 r_pubkey_hash = test_hash;
544 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
545 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
546 i_pubkey_hash = NULL;
547 } else if (dpp_test ==
548 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
549 wpa_printf(MSG_INFO,
550 "DPP: TESTING - invalid I-Bootstrap Key Hash");
551 if (i_pubkey_hash)
552 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
553 else
554 os_memset(test_hash, 0, SHA256_MAC_LEN);
555 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
556 i_pubkey_hash = test_hash;
557 } else if (dpp_test == DPP_TEST_NO_R_PROTO_KEY_AUTH_RESP) {
558 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Proto Key");
559 wpabuf_free(pr);
560 pr = NULL;
561 } else if (dpp_test == DPP_TEST_INVALID_R_PROTO_KEY_AUTH_RESP) {
562 wpa_printf(MSG_INFO, "DPP: TESTING - invalid R-Proto Key");
563 wpabuf_free(pr);
564 pr = wpabuf_alloc(2 * auth->curve->prime_len);
565 if (!pr || dpp_test_gen_invalid_key(pr, auth->curve) < 0)
566 goto fail;
567 } else if (dpp_test == DPP_TEST_NO_R_AUTH_AUTH_RESP) {
568 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Auth");
569 w_r_auth = NULL;
570 wrapped_r_auth_len = 0;
571 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
572 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
573 status = 255;
574 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_RESP) {
575 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
576 status = 254;
577 } else if (dpp_test == DPP_TEST_NO_R_NONCE_AUTH_RESP) {
578 wpa_printf(MSG_INFO, "DPP: TESTING - no R-nonce");
579 r_nonce = NULL;
580 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
581 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
582 i_nonce = NULL;
583 }
584 #endif /* CONFIG_TESTING_OPTIONS */
585
586 msg = dpp_auth_build_resp(auth, status, pr, nonce_len,
587 r_pubkey_hash, i_pubkey_hash,
588 r_nonce, i_nonce,
589 w_r_auth, wrapped_r_auth_len,
590 auth->k2);
591 if (!msg)
592 goto fail;
593 wpabuf_free(auth->resp_msg);
594 auth->resp_msg = msg;
595 ret = 0;
596 fail:
597 wpabuf_free(pr);
598 return ret;
599 }
600
601
dpp_auth_build_resp_status(struct dpp_authentication * auth,enum dpp_status_error status)602 static int dpp_auth_build_resp_status(struct dpp_authentication *auth,
603 enum dpp_status_error status)
604 {
605 struct wpabuf *msg;
606 const u8 *r_pubkey_hash, *i_pubkey_hash, *i_nonce;
607 #ifdef CONFIG_TESTING_OPTIONS
608 u8 test_hash[SHA256_MAC_LEN];
609 #endif /* CONFIG_TESTING_OPTIONS */
610
611 if (!auth->own_bi)
612 return -1;
613 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Response");
614
615 r_pubkey_hash = auth->own_bi->pubkey_hash;
616 if (auth->peer_bi)
617 i_pubkey_hash = auth->peer_bi->pubkey_hash;
618 else
619 i_pubkey_hash = NULL;
620
621 i_nonce = auth->i_nonce;
622
623 #ifdef CONFIG_TESTING_OPTIONS
624 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
625 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
626 r_pubkey_hash = NULL;
627 } else if (dpp_test ==
628 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
629 wpa_printf(MSG_INFO,
630 "DPP: TESTING - invalid R-Bootstrap Key Hash");
631 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
632 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
633 r_pubkey_hash = test_hash;
634 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
635 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
636 i_pubkey_hash = NULL;
637 } else if (dpp_test ==
638 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_RESP) {
639 wpa_printf(MSG_INFO,
640 "DPP: TESTING - invalid I-Bootstrap Key Hash");
641 if (i_pubkey_hash)
642 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
643 else
644 os_memset(test_hash, 0, SHA256_MAC_LEN);
645 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
646 i_pubkey_hash = test_hash;
647 } else if (dpp_test == DPP_TEST_NO_STATUS_AUTH_RESP) {
648 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
649 status = 255;
650 } else if (dpp_test == DPP_TEST_NO_I_NONCE_AUTH_RESP) {
651 wpa_printf(MSG_INFO, "DPP: TESTING - no I-nonce");
652 i_nonce = NULL;
653 }
654 #endif /* CONFIG_TESTING_OPTIONS */
655
656 msg = dpp_auth_build_resp(auth, status, NULL, auth->curve->nonce_len,
657 r_pubkey_hash, i_pubkey_hash,
658 NULL, i_nonce, NULL, 0, auth->k1);
659 if (!msg)
660 return -1;
661 wpabuf_free(auth->resp_msg);
662 auth->resp_msg = msg;
663 return 0;
664 }
665
666
667 struct dpp_authentication *
dpp_auth_req_rx(struct dpp_global * dpp,void * msg_ctx,u8 dpp_allowed_roles,int qr_mutual,struct dpp_bootstrap_info * peer_bi,struct dpp_bootstrap_info * own_bi,unsigned int freq,const u8 * hdr,const u8 * attr_start,size_t attr_len)668 dpp_auth_req_rx(struct dpp_global *dpp, void *msg_ctx, u8 dpp_allowed_roles,
669 int qr_mutual, struct dpp_bootstrap_info *peer_bi,
670 struct dpp_bootstrap_info *own_bi,
671 unsigned int freq, const u8 *hdr, const u8 *attr_start,
672 size_t attr_len)
673 {
674 struct crypto_ec_key *pi = NULL;
675 size_t secret_len;
676 const u8 *addr[2];
677 size_t len[2];
678 u8 *unwrapped = NULL;
679 size_t unwrapped_len = 0;
680 const u8 *wrapped_data, *i_proto, *i_nonce, *i_capab, *i_bootstrap,
681 *channel;
682 u16 wrapped_data_len, i_proto_len, i_nonce_len, i_capab_len,
683 i_bootstrap_len, channel_len;
684 struct dpp_authentication *auth = NULL;
685 #ifdef CONFIG_DPP2
686 const u8 *version;
687 u16 version_len;
688 #endif /* CONFIG_DPP2 */
689
690 #ifdef CONFIG_TESTING_OPTIONS
691 if (dpp_test == DPP_TEST_STOP_AT_AUTH_REQ) {
692 wpa_printf(MSG_INFO,
693 "DPP: TESTING - stop at Authentication Request");
694 return NULL;
695 }
696 #endif /* CONFIG_TESTING_OPTIONS */
697
698 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
699 &wrapped_data_len);
700 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
701 wpa_msg(msg_ctx, MSG_INFO, DPP_EVENT_FAIL
702 "Missing or invalid required Wrapped Data attribute");
703 return NULL;
704 }
705 wpa_hexdump(MSG_MSGDUMP, "DPP: Wrapped Data",
706 wrapped_data, wrapped_data_len);
707 attr_len = wrapped_data - 4 - attr_start;
708
709 auth = dpp_alloc_auth(dpp, msg_ctx);
710 if (!auth)
711 goto fail;
712 if (peer_bi && peer_bi->configurator_params &&
713 dpp_set_configurator(auth, peer_bi->configurator_params) < 0)
714 goto fail;
715 auth->peer_bi = peer_bi;
716 auth->own_bi = own_bi;
717 auth->curve = own_bi->curve;
718 auth->curr_freq = freq;
719
720 auth->peer_version = 1; /* default to the first version */
721 #ifdef CONFIG_DPP2
722 version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
723 &version_len);
724 if (version && DPP_VERSION > 1) {
725 if (version_len < 1 || version[0] == 0) {
726 dpp_auth_fail(auth,
727 "Invalid Protocol Version attribute");
728 goto fail;
729 }
730 auth->peer_version = version[0];
731 wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
732 auth->peer_version);
733 }
734 #endif /* CONFIG_DPP2 */
735
736 channel = dpp_get_attr(attr_start, attr_len, DPP_ATTR_CHANNEL,
737 &channel_len);
738 if (channel) {
739 int neg_freq;
740
741 if (channel_len < 2) {
742 dpp_auth_fail(auth, "Too short Channel attribute");
743 goto fail;
744 }
745
746 neg_freq = ieee80211_chan_to_freq(NULL, channel[0], channel[1]);
747 wpa_printf(MSG_DEBUG,
748 "DPP: Initiator requested different channel for negotiation: op_class=%u channel=%u --> freq=%d",
749 channel[0], channel[1], neg_freq);
750 if (neg_freq < 0) {
751 dpp_auth_fail(auth,
752 "Unsupported Channel attribute value");
753 goto fail;
754 }
755
756 if (auth->curr_freq != (unsigned int) neg_freq) {
757 wpa_printf(MSG_DEBUG,
758 "DPP: Changing negotiation channel from %u MHz to %u MHz",
759 freq, neg_freq);
760 auth->curr_freq = neg_freq;
761 }
762 }
763
764 i_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_I_PROTOCOL_KEY,
765 &i_proto_len);
766 if (!i_proto) {
767 dpp_auth_fail(auth,
768 "Missing required Initiator Protocol Key attribute");
769 goto fail;
770 }
771 wpa_hexdump(MSG_MSGDUMP, "DPP: Initiator Protocol Key",
772 i_proto, i_proto_len);
773
774 /* M = bR * PI */
775 pi = dpp_set_pubkey_point(own_bi->pubkey, i_proto, i_proto_len);
776 if (!pi) {
777 dpp_auth_fail(auth, "Invalid Initiator Protocol Key");
778 goto fail;
779 }
780 dpp_debug_print_key("Peer (Initiator) Protocol Key", pi);
781
782 if (dpp_ecdh(own_bi->pubkey, pi, auth->Mx, &secret_len) < 0)
783 goto fail;
784 auth->secret_len = secret_len;
785
786 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
787 auth->Mx, auth->secret_len);
788 auth->Mx_len = auth->secret_len;
789
790 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
791 auth->curve->hash_len) < 0)
792 goto fail;
793
794 addr[0] = hdr;
795 len[0] = DPP_HDR_LEN;
796 addr[1] = attr_start;
797 len[1] = attr_len;
798 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
799 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
800 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
801 wrapped_data, wrapped_data_len);
802 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
803 unwrapped = os_malloc(unwrapped_len);
804 if (!unwrapped)
805 goto fail;
806 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
807 wrapped_data, wrapped_data_len,
808 2, addr, len, unwrapped) < 0) {
809 dpp_auth_fail(auth, "AES-SIV decryption failed");
810 goto fail;
811 }
812 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
813 unwrapped, unwrapped_len);
814
815 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
816 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
817 goto fail;
818 }
819
820 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
821 &i_nonce_len);
822 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
823 dpp_auth_fail(auth, "Missing or invalid I-nonce");
824 goto fail;
825 }
826 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
827 os_memcpy(auth->i_nonce, i_nonce, i_nonce_len);
828
829 i_capab = dpp_get_attr(unwrapped, unwrapped_len,
830 DPP_ATTR_I_CAPABILITIES,
831 &i_capab_len);
832 if (!i_capab || i_capab_len < 1) {
833 dpp_auth_fail(auth, "Missing or invalid I-capabilities");
834 goto fail;
835 }
836 auth->i_capab = i_capab[0];
837 wpa_printf(MSG_DEBUG, "DPP: I-capabilities: 0x%02x", auth->i_capab);
838
839 bin_clear_free(unwrapped, unwrapped_len);
840 unwrapped = NULL;
841
842 switch (auth->i_capab & DPP_CAPAB_ROLE_MASK) {
843 case DPP_CAPAB_ENROLLEE:
844 if (!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)) {
845 wpa_printf(MSG_DEBUG,
846 "DPP: Local policy does not allow Configurator role");
847 goto not_compatible;
848 }
849 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
850 auth->configurator = 1;
851 break;
852 case DPP_CAPAB_CONFIGURATOR:
853 if (!(dpp_allowed_roles & DPP_CAPAB_ENROLLEE)) {
854 wpa_printf(MSG_DEBUG,
855 "DPP: Local policy does not allow Enrollee role");
856 goto not_compatible;
857 }
858 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
859 auth->configurator = 0;
860 break;
861 case DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE:
862 if (dpp_allowed_roles & DPP_CAPAB_ENROLLEE) {
863 wpa_printf(MSG_DEBUG, "DPP: Acting as Enrollee");
864 auth->configurator = 0;
865 } else if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR) {
866 wpa_printf(MSG_DEBUG, "DPP: Acting as Configurator");
867 auth->configurator = 1;
868 } else {
869 wpa_printf(MSG_DEBUG,
870 "DPP: Local policy does not allow Configurator/Enrollee role");
871 goto not_compatible;
872 }
873 break;
874 default:
875 wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities");
876 wpa_msg(auth->msg_ctx, MSG_INFO,
877 DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x",
878 (u8)(auth->i_capab & DPP_CAPAB_ROLE_MASK));
879 goto fail;
880 }
881
882 auth->peer_protocol_key = pi;
883 pi = NULL;
884 if (qr_mutual && !peer_bi && own_bi->type == DPP_BOOTSTRAP_QR_CODE) {
885 char hex[SHA256_MAC_LEN * 2 + 1];
886
887 wpa_printf(MSG_DEBUG,
888 "DPP: Mutual authentication required with QR Codes, but peer info is not yet available - request more time");
889 if (dpp_auth_build_resp_status(auth,
890 DPP_STATUS_RESPONSE_PENDING) < 0)
891 goto fail;
892 i_bootstrap = dpp_get_attr(attr_start, attr_len,
893 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
894 &i_bootstrap_len);
895 if (i_bootstrap && i_bootstrap_len == SHA256_MAC_LEN) {
896 auth->response_pending = 1;
897 os_memcpy(auth->waiting_pubkey_hash,
898 i_bootstrap, i_bootstrap_len);
899 wpa_snprintf_hex(hex, sizeof(hex), i_bootstrap,
900 i_bootstrap_len);
901 } else {
902 hex[0] = '\0';
903 }
904
905 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_SCAN_PEER_QR_CODE
906 "%s", hex);
907 return auth;
908 }
909 if (dpp_auth_build_resp_ok(auth) < 0)
910 goto fail;
911
912 return auth;
913
914 not_compatible:
915 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
916 "i-capab=0x%02x", auth->i_capab);
917 if (dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR)
918 auth->configurator = 1;
919 else
920 auth->configurator = 0;
921 auth->peer_protocol_key = pi;
922 pi = NULL;
923 if (dpp_auth_build_resp_status(auth, DPP_STATUS_NOT_COMPATIBLE) < 0)
924 goto fail;
925
926 auth->remove_on_tx_status = 1;
927 return auth;
928 fail:
929 bin_clear_free(unwrapped, unwrapped_len);
930 crypto_ec_key_deinit(pi);
931 dpp_auth_deinit(auth);
932 return NULL;
933 }
934
935
dpp_notify_new_qr_code(struct dpp_authentication * auth,struct dpp_bootstrap_info * peer_bi)936 int dpp_notify_new_qr_code(struct dpp_authentication *auth,
937 struct dpp_bootstrap_info *peer_bi)
938 {
939 if (!auth || !auth->response_pending ||
940 os_memcmp(auth->waiting_pubkey_hash, peer_bi->pubkey_hash,
941 SHA256_MAC_LEN) != 0)
942 return 0;
943
944 wpa_printf(MSG_DEBUG,
945 "DPP: New scanned QR Code has matching public key that was needed to continue DPP Authentication exchange with "
946 MACSTR, MAC2STR(auth->peer_mac_addr));
947 auth->peer_bi = peer_bi;
948
949 if (dpp_auth_build_resp_ok(auth) < 0)
950 return -1;
951
952 return 1;
953 }
954
955
dpp_auth_build_conf(struct dpp_authentication * auth,enum dpp_status_error status)956 static struct wpabuf * dpp_auth_build_conf(struct dpp_authentication *auth,
957 enum dpp_status_error status)
958 {
959 struct wpabuf *msg;
960 u8 i_auth[4 + DPP_MAX_HASH_LEN];
961 size_t i_auth_len;
962 u8 r_nonce[4 + DPP_MAX_NONCE_LEN];
963 size_t r_nonce_len;
964 const u8 *addr[2];
965 size_t len[2], attr_len;
966 u8 *wrapped_i_auth;
967 u8 *wrapped_r_nonce;
968 u8 *attr_start, *attr_end;
969 const u8 *r_pubkey_hash, *i_pubkey_hash;
970 #ifdef CONFIG_TESTING_OPTIONS
971 u8 test_hash[SHA256_MAC_LEN];
972 #endif /* CONFIG_TESTING_OPTIONS */
973
974 wpa_printf(MSG_DEBUG, "DPP: Build Authentication Confirmation");
975
976 i_auth_len = 4 + auth->curve->hash_len;
977 r_nonce_len = 4 + auth->curve->nonce_len;
978 /* Build DPP Authentication Confirmation frame attributes */
979 attr_len = 4 + 1 + 2 * (4 + SHA256_MAC_LEN) +
980 4 + i_auth_len + r_nonce_len + AES_BLOCK_SIZE;
981 #ifdef CONFIG_TESTING_OPTIONS
982 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF)
983 attr_len += 5;
984 #endif /* CONFIG_TESTING_OPTIONS */
985 msg = dpp_alloc_msg(DPP_PA_AUTHENTICATION_CONF, attr_len);
986 if (!msg)
987 goto fail;
988
989 attr_start = wpabuf_put(msg, 0);
990
991 r_pubkey_hash = auth->peer_bi->pubkey_hash;
992 if (auth->own_bi)
993 i_pubkey_hash = auth->own_bi->pubkey_hash;
994 else
995 i_pubkey_hash = NULL;
996
997 #ifdef CONFIG_TESTING_OPTIONS
998 if (dpp_test == DPP_TEST_NO_STATUS_AUTH_CONF) {
999 wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
1000 goto skip_status;
1001 } else if (dpp_test == DPP_TEST_INVALID_STATUS_AUTH_CONF) {
1002 wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
1003 status = 254;
1004 }
1005 #endif /* CONFIG_TESTING_OPTIONS */
1006
1007 /* DPP Status */
1008 dpp_build_attr_status(msg, status);
1009
1010 #ifdef CONFIG_TESTING_OPTIONS
1011 skip_status:
1012 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
1013 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
1014 r_pubkey_hash = NULL;
1015 } else if (dpp_test ==
1016 DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
1017 wpa_printf(MSG_INFO,
1018 "DPP: TESTING - invalid R-Bootstrap Key Hash");
1019 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
1020 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
1021 r_pubkey_hash = test_hash;
1022 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
1023 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
1024 i_pubkey_hash = NULL;
1025 } else if (dpp_test ==
1026 DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_CONF) {
1027 wpa_printf(MSG_INFO,
1028 "DPP: TESTING - invalid I-Bootstrap Key Hash");
1029 if (i_pubkey_hash)
1030 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
1031 else
1032 os_memset(test_hash, 0, SHA256_MAC_LEN);
1033 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
1034 i_pubkey_hash = test_hash;
1035 }
1036 #endif /* CONFIG_TESTING_OPTIONS */
1037
1038 /* Responder Bootstrapping Key Hash */
1039 dpp_build_attr_r_bootstrap_key_hash(msg, r_pubkey_hash);
1040
1041 /* Initiator Bootstrapping Key Hash (mutual authentication) */
1042 dpp_build_attr_i_bootstrap_key_hash(msg, i_pubkey_hash);
1043
1044 #ifdef CONFIG_TESTING_OPTIONS
1045 if (dpp_test == DPP_TEST_NO_WRAPPED_DATA_AUTH_CONF)
1046 goto skip_wrapped_data;
1047 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
1048 i_auth_len = 0;
1049 #endif /* CONFIG_TESTING_OPTIONS */
1050
1051 attr_end = wpabuf_put(msg, 0);
1052
1053 /* OUI, OUI type, Crypto Suite, DPP frame type */
1054 addr[0] = wpabuf_head_u8(msg) + 2;
1055 len[0] = 3 + 1 + 1 + 1;
1056 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1057
1058 /* Attributes before Wrapped Data */
1059 addr[1] = attr_start;
1060 len[1] = attr_end - attr_start;
1061 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1062
1063 if (status == DPP_STATUS_OK) {
1064 /* I-auth wrapped with ke */
1065 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1066 wpabuf_put_le16(msg, i_auth_len + AES_BLOCK_SIZE);
1067 wrapped_i_auth = wpabuf_put(msg, i_auth_len + AES_BLOCK_SIZE);
1068
1069 #ifdef CONFIG_TESTING_OPTIONS
1070 if (dpp_test == DPP_TEST_NO_I_AUTH_AUTH_CONF)
1071 goto skip_i_auth;
1072 #endif /* CONFIG_TESTING_OPTIONS */
1073
1074 /* I-auth = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |]
1075 * 1) */
1076 WPA_PUT_LE16(i_auth, DPP_ATTR_I_AUTH_TAG);
1077 WPA_PUT_LE16(&i_auth[2], auth->curve->hash_len);
1078 if (dpp_gen_i_auth(auth, i_auth + 4) < 0)
1079 goto fail;
1080
1081 #ifdef CONFIG_TESTING_OPTIONS
1082 if (dpp_test == DPP_TEST_I_AUTH_MISMATCH_AUTH_CONF) {
1083 wpa_printf(MSG_INFO, "DPP: TESTING - I-auth mismatch");
1084 i_auth[4 + auth->curve->hash_len / 2] ^= 0x01;
1085 }
1086 skip_i_auth:
1087 #endif /* CONFIG_TESTING_OPTIONS */
1088 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
1089 i_auth, i_auth_len,
1090 2, addr, len, wrapped_i_auth) < 0)
1091 goto fail;
1092 wpa_hexdump(MSG_DEBUG, "DPP: {I-auth}ke",
1093 wrapped_i_auth, i_auth_len + AES_BLOCK_SIZE);
1094 } else {
1095 /* R-nonce wrapped with k2 */
1096 wpabuf_put_le16(msg, DPP_ATTR_WRAPPED_DATA);
1097 wpabuf_put_le16(msg, r_nonce_len + AES_BLOCK_SIZE);
1098 wrapped_r_nonce = wpabuf_put(msg, r_nonce_len + AES_BLOCK_SIZE);
1099
1100 WPA_PUT_LE16(r_nonce, DPP_ATTR_R_NONCE);
1101 WPA_PUT_LE16(&r_nonce[2], auth->curve->nonce_len);
1102 os_memcpy(r_nonce + 4, auth->r_nonce, auth->curve->nonce_len);
1103
1104 if (aes_siv_encrypt(auth->k2, auth->curve->hash_len,
1105 r_nonce, r_nonce_len,
1106 2, addr, len, wrapped_r_nonce) < 0)
1107 goto fail;
1108 wpa_hexdump(MSG_DEBUG, "DPP: {R-nonce}k2",
1109 wrapped_r_nonce, r_nonce_len + AES_BLOCK_SIZE);
1110 }
1111
1112 #ifdef CONFIG_TESTING_OPTIONS
1113 if (dpp_test == DPP_TEST_AFTER_WRAPPED_DATA_AUTH_CONF) {
1114 wpa_printf(MSG_INFO, "DPP: TESTING - attr after Wrapped Data");
1115 dpp_build_attr_status(msg, DPP_STATUS_OK);
1116 }
1117 skip_wrapped_data:
1118 #endif /* CONFIG_TESTING_OPTIONS */
1119
1120 wpa_hexdump_buf(MSG_DEBUG,
1121 "DPP: Authentication Confirmation frame attributes",
1122 msg);
1123 if (status == DPP_STATUS_OK)
1124 dpp_auth_success(auth);
1125
1126 return msg;
1127
1128 fail:
1129 wpabuf_free(msg);
1130 return NULL;
1131 }
1132
1133
dpp_autogen_bootstrap_key(struct dpp_authentication * auth)1134 static int dpp_autogen_bootstrap_key(struct dpp_authentication *auth)
1135 {
1136 struct dpp_bootstrap_info *bi;
1137
1138 if (auth->own_bi)
1139 return 0; /* already generated */
1140
1141 bi = os_zalloc(sizeof(*bi));
1142 if (!bi)
1143 return -1;
1144 bi->type = DPP_BOOTSTRAP_QR_CODE;
1145 if (dpp_keygen(bi, auth->peer_bi->curve->name, NULL, 0) < 0 ||
1146 dpp_gen_uri(bi) < 0)
1147 goto fail;
1148 wpa_printf(MSG_DEBUG,
1149 "DPP: Auto-generated own bootstrapping key info: URI %s",
1150 bi->uri);
1151
1152 auth->tmp_own_bi = auth->own_bi = bi;
1153
1154 return 0;
1155 fail:
1156 dpp_bootstrap_info_free(bi);
1157 return -1;
1158 }
1159
1160
dpp_auth_init(struct dpp_global * dpp,void * msg_ctx,struct dpp_bootstrap_info * peer_bi,struct dpp_bootstrap_info * own_bi,u8 dpp_allowed_roles,unsigned int neg_freq,struct hostapd_hw_modes * own_modes,u16 num_modes)1161 struct dpp_authentication * dpp_auth_init(struct dpp_global *dpp, void *msg_ctx,
1162 struct dpp_bootstrap_info *peer_bi,
1163 struct dpp_bootstrap_info *own_bi,
1164 u8 dpp_allowed_roles,
1165 unsigned int neg_freq,
1166 struct hostapd_hw_modes *own_modes,
1167 u16 num_modes)
1168 {
1169 struct dpp_authentication *auth;
1170 size_t nonce_len;
1171 size_t secret_len;
1172 struct wpabuf *pi = NULL;
1173 const u8 *r_pubkey_hash, *i_pubkey_hash;
1174 #ifdef CONFIG_TESTING_OPTIONS
1175 u8 test_hash[SHA256_MAC_LEN];
1176 #endif /* CONFIG_TESTING_OPTIONS */
1177
1178 auth = dpp_alloc_auth(dpp, msg_ctx);
1179 if (!auth)
1180 return NULL;
1181 if (peer_bi->configurator_params &&
1182 dpp_set_configurator(auth, peer_bi->configurator_params) < 0)
1183 goto fail;
1184 auth->initiator = 1;
1185 auth->waiting_auth_resp = 1;
1186 auth->allowed_roles = dpp_allowed_roles;
1187 auth->configurator = !!(dpp_allowed_roles & DPP_CAPAB_CONFIGURATOR);
1188 auth->peer_bi = peer_bi;
1189 auth->own_bi = own_bi;
1190 auth->curve = peer_bi->curve;
1191
1192 if (dpp_autogen_bootstrap_key(auth) < 0 ||
1193 dpp_prepare_channel_list(auth, neg_freq, own_modes, num_modes) < 0)
1194 goto fail;
1195
1196 #ifdef CONFIG_TESTING_OPTIONS
1197 if (dpp_nonce_override_len > 0) {
1198 wpa_printf(MSG_INFO, "DPP: TESTING - override I-nonce");
1199 nonce_len = dpp_nonce_override_len;
1200 os_memcpy(auth->i_nonce, dpp_nonce_override, nonce_len);
1201 } else {
1202 nonce_len = auth->curve->nonce_len;
1203 if (random_get_bytes(auth->i_nonce, nonce_len)) {
1204 wpa_printf(MSG_ERROR,
1205 "DPP: Failed to generate I-nonce");
1206 goto fail;
1207 }
1208 }
1209 #else /* CONFIG_TESTING_OPTIONS */
1210 nonce_len = auth->curve->nonce_len;
1211 if (random_get_bytes(auth->i_nonce, nonce_len)) {
1212 wpa_printf(MSG_ERROR, "DPP: Failed to generate I-nonce");
1213 goto fail;
1214 }
1215 #endif /* CONFIG_TESTING_OPTIONS */
1216 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", auth->i_nonce, nonce_len);
1217
1218 #ifdef CONFIG_TESTING_OPTIONS
1219 if (dpp_protocol_key_override_len) {
1220 const struct dpp_curve_params *tmp_curve;
1221
1222 wpa_printf(MSG_INFO,
1223 "DPP: TESTING - override protocol key");
1224 auth->own_protocol_key = dpp_set_keypair(
1225 &tmp_curve, dpp_protocol_key_override,
1226 dpp_protocol_key_override_len);
1227 } else {
1228 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
1229 }
1230 #else /* CONFIG_TESTING_OPTIONS */
1231 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
1232 #endif /* CONFIG_TESTING_OPTIONS */
1233 if (!auth->own_protocol_key)
1234 goto fail;
1235
1236 pi = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0);
1237 if (!pi)
1238 goto fail;
1239
1240 /* ECDH: M = pI * BR */
1241 if (dpp_ecdh(auth->own_protocol_key, auth->peer_bi->pubkey,
1242 auth->Mx, &secret_len) < 0)
1243 goto fail;
1244 auth->secret_len = secret_len;
1245
1246 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (M.x)",
1247 auth->Mx, auth->secret_len);
1248 auth->Mx_len = auth->secret_len;
1249
1250 if (dpp_derive_k1(auth->Mx, auth->secret_len, auth->k1,
1251 auth->curve->hash_len) < 0)
1252 goto fail;
1253
1254 r_pubkey_hash = auth->peer_bi->pubkey_hash;
1255 i_pubkey_hash = auth->own_bi->pubkey_hash;
1256
1257 #ifdef CONFIG_TESTING_OPTIONS
1258 if (dpp_test == DPP_TEST_NO_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
1259 wpa_printf(MSG_INFO, "DPP: TESTING - no R-Bootstrap Key Hash");
1260 r_pubkey_hash = NULL;
1261 } else if (dpp_test == DPP_TEST_INVALID_R_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
1262 wpa_printf(MSG_INFO,
1263 "DPP: TESTING - invalid R-Bootstrap Key Hash");
1264 os_memcpy(test_hash, r_pubkey_hash, SHA256_MAC_LEN);
1265 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
1266 r_pubkey_hash = test_hash;
1267 } else if (dpp_test == DPP_TEST_NO_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
1268 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Bootstrap Key Hash");
1269 i_pubkey_hash = NULL;
1270 } else if (dpp_test == DPP_TEST_INVALID_I_BOOTSTRAP_KEY_HASH_AUTH_REQ) {
1271 wpa_printf(MSG_INFO,
1272 "DPP: TESTING - invalid I-Bootstrap Key Hash");
1273 os_memcpy(test_hash, i_pubkey_hash, SHA256_MAC_LEN);
1274 test_hash[SHA256_MAC_LEN - 1] ^= 0x01;
1275 i_pubkey_hash = test_hash;
1276 } else if (dpp_test == DPP_TEST_NO_I_PROTO_KEY_AUTH_REQ) {
1277 wpa_printf(MSG_INFO, "DPP: TESTING - no I-Proto Key");
1278 wpabuf_free(pi);
1279 pi = NULL;
1280 } else if (dpp_test == DPP_TEST_INVALID_I_PROTO_KEY_AUTH_REQ) {
1281 wpa_printf(MSG_INFO, "DPP: TESTING - invalid I-Proto Key");
1282 wpabuf_free(pi);
1283 pi = wpabuf_alloc(2 * auth->curve->prime_len);
1284 if (!pi || dpp_test_gen_invalid_key(pi, auth->curve) < 0)
1285 goto fail;
1286 }
1287 #endif /* CONFIG_TESTING_OPTIONS */
1288
1289 if (neg_freq && auth->num_freq == 1 && auth->freq[0] == neg_freq)
1290 neg_freq = 0;
1291 auth->req_msg = dpp_auth_build_req(auth, pi, nonce_len, r_pubkey_hash,
1292 i_pubkey_hash, neg_freq);
1293 if (!auth->req_msg)
1294 goto fail;
1295
1296 out:
1297 wpabuf_free(pi);
1298 return auth;
1299 fail:
1300 dpp_auth_deinit(auth);
1301 auth = NULL;
1302 goto out;
1303 }
1304 static void
dpp_auth_resp_rx_status(struct dpp_authentication * auth,const u8 * hdr,const u8 * attr_start,size_t attr_len,const u8 * wrapped_data,u16 wrapped_data_len,enum dpp_status_error status)1305 dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr,
1306 const u8 *attr_start, size_t attr_len,
1307 const u8 *wrapped_data, u16 wrapped_data_len,
1308 enum dpp_status_error status)
1309 {
1310 const u8 *addr[2];
1311 size_t len[2];
1312 u8 *unwrapped = NULL;
1313 size_t unwrapped_len = 0;
1314 const u8 *i_nonce, *r_capab;
1315 u16 i_nonce_len, r_capab_len;
1316
1317 if (status == DPP_STATUS_NOT_COMPATIBLE) {
1318 wpa_printf(MSG_DEBUG,
1319 "DPP: Responder reported incompatible roles");
1320 } else if (status == DPP_STATUS_RESPONSE_PENDING) {
1321 wpa_printf(MSG_DEBUG,
1322 "DPP: Responder reported more time needed");
1323 } else {
1324 wpa_printf(MSG_DEBUG,
1325 "DPP: Responder reported failure (status %d)",
1326 status);
1327 dpp_auth_fail(auth, "Responder reported failure");
1328 return;
1329 }
1330
1331 addr[0] = hdr;
1332 len[0] = DPP_HDR_LEN;
1333 addr[1] = attr_start;
1334 len[1] = attr_len;
1335 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1336 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1337 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1338 wrapped_data, wrapped_data_len);
1339 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
1340 unwrapped = os_malloc(unwrapped_len);
1341 if (!unwrapped)
1342 goto fail;
1343 if (aes_siv_decrypt(auth->k1, auth->curve->hash_len,
1344 wrapped_data, wrapped_data_len,
1345 2, addr, len, unwrapped) < 0) {
1346 dpp_auth_fail(auth, "AES-SIV decryption failed");
1347 goto fail;
1348 }
1349 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
1350 unwrapped, unwrapped_len);
1351
1352 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
1353 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
1354 goto fail;
1355 }
1356
1357 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
1358 &i_nonce_len);
1359 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
1360 dpp_auth_fail(auth, "Missing or invalid I-nonce");
1361 goto fail;
1362 }
1363 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
1364 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
1365 dpp_auth_fail(auth, "I-nonce mismatch");
1366 goto fail;
1367 }
1368
1369 r_capab = dpp_get_attr(unwrapped, unwrapped_len,
1370 DPP_ATTR_R_CAPABILITIES,
1371 &r_capab_len);
1372 if (!r_capab || r_capab_len < 1) {
1373 dpp_auth_fail(auth, "Missing or invalid R-capabilities");
1374 goto fail;
1375 }
1376 auth->r_capab = r_capab[0];
1377 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
1378 if (status == DPP_STATUS_NOT_COMPATIBLE) {
1379 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
1380 "r-capab=0x%02x", auth->r_capab);
1381 } else if (status == DPP_STATUS_RESPONSE_PENDING) {
1382 u8 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
1383
1384 if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
1385 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
1386 wpa_msg(auth->msg_ctx, MSG_INFO,
1387 DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x",
1388 role);
1389 } else {
1390 wpa_printf(MSG_DEBUG,
1391 "DPP: Continue waiting for full DPP Authentication Response");
1392 wpa_msg(auth->msg_ctx, MSG_INFO,
1393 DPP_EVENT_RESPONSE_PENDING "%s",
1394 auth->tmp_own_bi ? auth->tmp_own_bi->uri : "");
1395 }
1396 }
1397 fail:
1398 bin_clear_free(unwrapped, unwrapped_len);
1399 }
1400
1401
1402 struct wpabuf *
dpp_auth_resp_rx(struct dpp_authentication * auth,const u8 * hdr,const u8 * attr_start,size_t attr_len)1403 dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
1404 const u8 *attr_start, size_t attr_len)
1405 {
1406 struct crypto_ec_key *pr;
1407 size_t secret_len;
1408 const u8 *addr[2];
1409 size_t len[2];
1410 u8 *unwrapped = NULL, *unwrapped2 = NULL;
1411 size_t unwrapped_len = 0, unwrapped2_len = 0;
1412 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *r_proto,
1413 *r_nonce, *i_nonce, *r_capab, *wrapped2, *r_auth;
1414 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
1415 r_proto_len, r_nonce_len, i_nonce_len, r_capab_len,
1416 wrapped2_len, r_auth_len;
1417 u8 r_auth2[DPP_MAX_HASH_LEN];
1418 u8 role;
1419 #ifdef CONFIG_DPP2
1420 const u8 *version;
1421 u16 version_len;
1422 #endif /* CONFIG_DPP2 */
1423
1424 #ifdef CONFIG_TESTING_OPTIONS
1425 if (dpp_test == DPP_TEST_STOP_AT_AUTH_RESP) {
1426 wpa_printf(MSG_INFO,
1427 "DPP: TESTING - stop at Authentication Response");
1428 return NULL;
1429 }
1430 #endif /* CONFIG_TESTING_OPTIONS */
1431
1432 if (!auth->initiator || !auth->peer_bi || auth->reconfig) {
1433 dpp_auth_fail(auth, "Unexpected Authentication Response");
1434 return NULL;
1435 }
1436
1437 auth->waiting_auth_resp = 0;
1438
1439 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
1440 &wrapped_data_len);
1441 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
1442 dpp_auth_fail(auth,
1443 "Missing or invalid required Wrapped Data attribute");
1444 return NULL;
1445 }
1446 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
1447 wrapped_data, wrapped_data_len);
1448
1449 attr_len = wrapped_data - 4 - attr_start;
1450
1451 r_bootstrap = dpp_get_attr(attr_start, attr_len,
1452 DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
1453 &r_bootstrap_len);
1454 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
1455 dpp_auth_fail(auth,
1456 "Missing or invalid required Responder Bootstrapping Key Hash attribute");
1457 return NULL;
1458 }
1459 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
1460 r_bootstrap, r_bootstrap_len);
1461 if (os_memcmp(r_bootstrap, auth->peer_bi->pubkey_hash,
1462 SHA256_MAC_LEN) != 0) {
1463 dpp_auth_fail(auth,
1464 "Unexpected Responder Bootstrapping Key Hash value");
1465 wpa_hexdump(MSG_DEBUG,
1466 "DPP: Expected Responder Bootstrapping Key Hash",
1467 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
1468 return NULL;
1469 }
1470
1471 i_bootstrap = dpp_get_attr(attr_start, attr_len,
1472 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
1473 &i_bootstrap_len);
1474 if (i_bootstrap) {
1475 if (i_bootstrap_len != SHA256_MAC_LEN) {
1476 dpp_auth_fail(auth,
1477 "Invalid Initiator Bootstrapping Key Hash attribute");
1478 return NULL;
1479 }
1480 wpa_hexdump(MSG_MSGDUMP,
1481 "DPP: Initiator Bootstrapping Key Hash",
1482 i_bootstrap, i_bootstrap_len);
1483 if (!auth->own_bi ||
1484 os_memcmp(i_bootstrap, auth->own_bi->pubkey_hash,
1485 SHA256_MAC_LEN) != 0) {
1486 dpp_auth_fail(auth,
1487 "Initiator Bootstrapping Key Hash attribute did not match");
1488 return NULL;
1489 }
1490 } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
1491 /* PKEX bootstrapping mandates use of mutual authentication */
1492 dpp_auth_fail(auth,
1493 "Missing Initiator Bootstrapping Key Hash attribute");
1494 return NULL;
1495 } else if (auth->own_bi &&
1496 auth->own_bi->type == DPP_BOOTSTRAP_NFC_URI &&
1497 auth->own_bi->nfc_negotiated) {
1498 /* NFC negotiated connection handover bootstrapping mandates
1499 * use of mutual authentication */
1500 dpp_auth_fail(auth,
1501 "Missing Initiator Bootstrapping Key Hash attribute");
1502 return NULL;
1503 }
1504
1505 auth->peer_version = 1; /* default to the first version */
1506 #ifdef CONFIG_DPP2
1507 version = dpp_get_attr(attr_start, attr_len, DPP_ATTR_PROTOCOL_VERSION,
1508 &version_len);
1509 if (version && DPP_VERSION > 1) {
1510 if (version_len < 1 || version[0] == 0) {
1511 dpp_auth_fail(auth,
1512 "Invalid Protocol Version attribute");
1513 return NULL;
1514 }
1515 auth->peer_version = version[0];
1516 wpa_printf(MSG_DEBUG, "DPP: Peer protocol version %u",
1517 auth->peer_version);
1518 }
1519 #endif /* CONFIG_DPP2 */
1520
1521 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
1522 &status_len);
1523 if (!status || status_len < 1) {
1524 dpp_auth_fail(auth,
1525 "Missing or invalid required DPP Status attribute");
1526 return NULL;
1527 }
1528 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
1529 auth->auth_resp_status = status[0];
1530 if (status[0] != DPP_STATUS_OK) {
1531 dpp_auth_resp_rx_status(auth, hdr, attr_start,
1532 attr_len, wrapped_data,
1533 wrapped_data_len, status[0]);
1534 return NULL;
1535 }
1536
1537 if (!i_bootstrap && auth->own_bi) {
1538 wpa_printf(MSG_DEBUG,
1539 "DPP: Responder decided not to use mutual authentication");
1540 auth->own_bi = NULL;
1541 }
1542
1543 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_DIRECTION "mutual=%d",
1544 auth->own_bi != NULL);
1545
1546 r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
1547 &r_proto_len);
1548 if (!r_proto) {
1549 dpp_auth_fail(auth,
1550 "Missing required Responder Protocol Key attribute");
1551 return NULL;
1552 }
1553 wpa_hexdump(MSG_MSGDUMP, "DPP: Responder Protocol Key",
1554 r_proto, r_proto_len);
1555
1556 /* N = pI * PR */
1557 pr = dpp_set_pubkey_point(auth->own_protocol_key, r_proto, r_proto_len);
1558 if (!pr) {
1559 dpp_auth_fail(auth, "Invalid Responder Protocol Key");
1560 return NULL;
1561 }
1562 dpp_debug_print_key("Peer (Responder) Protocol Key", pr);
1563
1564 if (dpp_ecdh(auth->own_protocol_key, pr, auth->Nx, &secret_len) < 0) {
1565 dpp_auth_fail(auth, "Failed to derive ECDH shared secret");
1566 goto fail;
1567 }
1568 crypto_ec_key_deinit(auth->peer_protocol_key);
1569 auth->peer_protocol_key = pr;
1570 pr = NULL;
1571
1572 wpa_hexdump_key(MSG_DEBUG, "DPP: ECDH shared secret (N.x)",
1573 auth->Nx, auth->secret_len);
1574 auth->Nx_len = auth->secret_len;
1575
1576 if (dpp_derive_k2(auth->Nx, auth->secret_len, auth->k2,
1577 auth->curve->hash_len) < 0)
1578 goto fail;
1579
1580 addr[0] = hdr;
1581 len[0] = DPP_HDR_LEN;
1582 addr[1] = attr_start;
1583 len[1] = attr_len;
1584 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1585 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1586 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1587 wrapped_data, wrapped_data_len);
1588 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
1589 unwrapped = os_malloc(unwrapped_len);
1590 if (!unwrapped)
1591 goto fail;
1592 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
1593 wrapped_data, wrapped_data_len,
1594 2, addr, len, unwrapped) < 0) {
1595 dpp_auth_fail(auth, "AES-SIV decryption failed");
1596 goto fail;
1597 }
1598 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
1599 unwrapped, unwrapped_len);
1600
1601 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
1602 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
1603 goto fail;
1604 }
1605
1606 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
1607 &r_nonce_len);
1608 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
1609 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
1610 goto fail;
1611 }
1612 wpa_hexdump(MSG_DEBUG, "DPP: R-nonce", r_nonce, r_nonce_len);
1613 os_memcpy(auth->r_nonce, r_nonce, r_nonce_len);
1614
1615 i_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_NONCE,
1616 &i_nonce_len);
1617 if (!i_nonce || i_nonce_len != auth->curve->nonce_len) {
1618 dpp_auth_fail(auth, "Missing or invalid I-nonce");
1619 goto fail;
1620 }
1621 wpa_hexdump(MSG_DEBUG, "DPP: I-nonce", i_nonce, i_nonce_len);
1622 if (os_memcmp(auth->i_nonce, i_nonce, i_nonce_len) != 0) {
1623 dpp_auth_fail(auth, "I-nonce mismatch");
1624 goto fail;
1625 }
1626
1627 if (auth->own_bi) {
1628 /* Mutual authentication */
1629 if (dpp_auth_derive_l_initiator(auth) < 0)
1630 goto fail;
1631 }
1632
1633 r_capab = dpp_get_attr(unwrapped, unwrapped_len,
1634 DPP_ATTR_R_CAPABILITIES,
1635 &r_capab_len);
1636 if (!r_capab || r_capab_len < 1) {
1637 dpp_auth_fail(auth, "Missing or invalid R-capabilities");
1638 goto fail;
1639 }
1640 auth->r_capab = r_capab[0];
1641 wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
1642 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
1643 if ((auth->allowed_roles ==
1644 (DPP_CAPAB_CONFIGURATOR | DPP_CAPAB_ENROLLEE)) &&
1645 (role == DPP_CAPAB_CONFIGURATOR || role == DPP_CAPAB_ENROLLEE)) {
1646 /* Peer selected its role, so move from "either role" to the
1647 * role that is compatible with peer's selection. */
1648 auth->configurator = role == DPP_CAPAB_ENROLLEE;
1649 wpa_printf(MSG_DEBUG, "DPP: Acting as %s",
1650 auth->configurator ? "Configurator" : "Enrollee");
1651 } else if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
1652 (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
1653 wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection");
1654 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
1655 "Unexpected role in R-capabilities 0x%02x",
1656 role);
1657 if (role != DPP_CAPAB_ENROLLEE &&
1658 role != DPP_CAPAB_CONFIGURATOR)
1659 goto fail;
1660 bin_clear_free(unwrapped, unwrapped_len);
1661 auth->remove_on_tx_status = 1;
1662 return dpp_auth_build_conf(auth, DPP_STATUS_NOT_COMPATIBLE);
1663 }
1664
1665 wrapped2 = dpp_get_attr(unwrapped, unwrapped_len,
1666 DPP_ATTR_WRAPPED_DATA, &wrapped2_len);
1667 if (!wrapped2 || wrapped2_len < AES_BLOCK_SIZE) {
1668 dpp_auth_fail(auth,
1669 "Missing or invalid Secondary Wrapped Data");
1670 goto fail;
1671 }
1672
1673 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1674 wrapped2, wrapped2_len);
1675
1676 if (dpp_derive_bk_ke(auth) < 0)
1677 goto fail;
1678
1679 unwrapped2_len = wrapped2_len - AES_BLOCK_SIZE;
1680 unwrapped2 = os_malloc(unwrapped2_len);
1681 if (!unwrapped2)
1682 goto fail;
1683 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
1684 wrapped2, wrapped2_len,
1685 0, NULL, NULL, unwrapped2) < 0) {
1686 dpp_auth_fail(auth, "AES-SIV decryption failed");
1687 goto fail;
1688 }
1689 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
1690 unwrapped2, unwrapped2_len);
1691
1692 if (dpp_check_attrs(unwrapped2, unwrapped2_len) < 0) {
1693 dpp_auth_fail(auth,
1694 "Invalid attribute in secondary unwrapped data");
1695 goto fail;
1696 }
1697
1698 r_auth = dpp_get_attr(unwrapped2, unwrapped2_len, DPP_ATTR_R_AUTH_TAG,
1699 &r_auth_len);
1700 if (!r_auth || r_auth_len != auth->curve->hash_len) {
1701 dpp_auth_fail(auth,
1702 "Missing or invalid Responder Authenticating Tag");
1703 goto fail;
1704 }
1705 wpa_hexdump(MSG_DEBUG, "DPP: Received Responder Authenticating Tag",
1706 r_auth, r_auth_len);
1707 /* R-auth' = H(I-nonce | R-nonce | PI.x | PR.x | [BI.x |] BR.x | 0) */
1708 if (dpp_gen_r_auth(auth, r_auth2) < 0)
1709 goto fail;
1710 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Responder Authenticating Tag",
1711 r_auth2, r_auth_len);
1712 if (os_memcmp(r_auth, r_auth2, r_auth_len) != 0) {
1713 dpp_auth_fail(auth, "Mismatching Responder Authenticating Tag");
1714 bin_clear_free(unwrapped, unwrapped_len);
1715 bin_clear_free(unwrapped2, unwrapped2_len);
1716 auth->remove_on_tx_status = 1;
1717 return dpp_auth_build_conf(auth, DPP_STATUS_AUTH_FAILURE);
1718 }
1719
1720 bin_clear_free(unwrapped, unwrapped_len);
1721 bin_clear_free(unwrapped2, unwrapped2_len);
1722
1723 #ifdef CONFIG_TESTING_OPTIONS
1724 if (dpp_test == DPP_TEST_AUTH_RESP_IN_PLACE_OF_CONF) {
1725 wpa_printf(MSG_INFO,
1726 "DPP: TESTING - Authentication Response in place of Confirm");
1727 if (dpp_auth_build_resp_ok(auth) < 0)
1728 return NULL;
1729 return wpabuf_dup(auth->resp_msg);
1730 }
1731 #endif /* CONFIG_TESTING_OPTIONS */
1732
1733 return dpp_auth_build_conf(auth, DPP_STATUS_OK);
1734
1735 fail:
1736 bin_clear_free(unwrapped, unwrapped_len);
1737 bin_clear_free(unwrapped2, unwrapped2_len);
1738 crypto_ec_key_deinit(pr);
1739 return NULL;
1740 }
1741
1742
dpp_auth_conf_rx_failure(struct dpp_authentication * auth,const u8 * hdr,const u8 * attr_start,size_t attr_len,const u8 * wrapped_data,u16 wrapped_data_len,enum dpp_status_error status)1743 static int dpp_auth_conf_rx_failure(struct dpp_authentication *auth,
1744 const u8 *hdr,
1745 const u8 *attr_start, size_t attr_len,
1746 const u8 *wrapped_data,
1747 u16 wrapped_data_len,
1748 enum dpp_status_error status)
1749 {
1750 const u8 *addr[2];
1751 size_t len[2];
1752 u8 *unwrapped = NULL;
1753 size_t unwrapped_len = 0;
1754 const u8 *r_nonce;
1755 u16 r_nonce_len;
1756
1757 /* Authentication Confirm failure cases are expected to include
1758 * {R-nonce}k2 in the Wrapped Data attribute. */
1759
1760 addr[0] = hdr;
1761 len[0] = DPP_HDR_LEN;
1762 addr[1] = attr_start;
1763 len[1] = attr_len;
1764 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1765 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1766 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1767 wrapped_data, wrapped_data_len);
1768 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
1769 unwrapped = os_malloc(unwrapped_len);
1770 if (!unwrapped) {
1771 dpp_auth_fail(auth, "Authentication failed");
1772 goto fail;
1773 }
1774 if (aes_siv_decrypt(auth->k2, auth->curve->hash_len,
1775 wrapped_data, wrapped_data_len,
1776 2, addr, len, unwrapped) < 0) {
1777 dpp_auth_fail(auth, "AES-SIV decryption failed");
1778 goto fail;
1779 }
1780 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
1781 unwrapped, unwrapped_len);
1782
1783 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
1784 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
1785 goto fail;
1786 }
1787
1788 r_nonce = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_R_NONCE,
1789 &r_nonce_len);
1790 if (!r_nonce || r_nonce_len != auth->curve->nonce_len) {
1791 dpp_auth_fail(auth, "DPP: Missing or invalid R-nonce");
1792 goto fail;
1793 }
1794 if (os_memcmp(r_nonce, auth->r_nonce, r_nonce_len) != 0) {
1795 wpa_hexdump(MSG_DEBUG, "DPP: Received R-nonce",
1796 r_nonce, r_nonce_len);
1797 wpa_hexdump(MSG_DEBUG, "DPP: Expected R-nonce",
1798 auth->r_nonce, r_nonce_len);
1799 dpp_auth_fail(auth, "R-nonce mismatch");
1800 goto fail;
1801 }
1802
1803 if (status == DPP_STATUS_NOT_COMPATIBLE)
1804 dpp_auth_fail(auth, "Peer reported incompatible R-capab role");
1805 else if (status == DPP_STATUS_AUTH_FAILURE)
1806 dpp_auth_fail(auth, "Peer reported authentication failure)");
1807
1808 fail:
1809 bin_clear_free(unwrapped, unwrapped_len);
1810 return -1;
1811 }
1812
1813
dpp_auth_conf_rx(struct dpp_authentication * auth,const u8 * hdr,const u8 * attr_start,size_t attr_len)1814 int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
1815 const u8 *attr_start, size_t attr_len)
1816 {
1817 const u8 *r_bootstrap, *i_bootstrap, *wrapped_data, *status, *i_auth;
1818 u16 r_bootstrap_len, i_bootstrap_len, wrapped_data_len, status_len,
1819 i_auth_len;
1820 const u8 *addr[2];
1821 size_t len[2];
1822 u8 *unwrapped = NULL;
1823 size_t unwrapped_len = 0;
1824 u8 i_auth2[DPP_MAX_HASH_LEN];
1825
1826 #ifdef CONFIG_TESTING_OPTIONS
1827 if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) {
1828 wpa_printf(MSG_INFO,
1829 "DPP: TESTING - stop at Authentication Confirm");
1830 return -1;
1831 }
1832 #endif /* CONFIG_TESTING_OPTIONS */
1833
1834 if (auth->initiator || !auth->own_bi || !auth->waiting_auth_conf ||
1835 auth->reconfig) {
1836 wpa_printf(MSG_DEBUG,
1837 "DPP: initiator=%d own_bi=%d waiting_auth_conf=%d",
1838 auth->initiator, !!auth->own_bi,
1839 auth->waiting_auth_conf);
1840 dpp_auth_fail(auth, "Unexpected Authentication Confirm");
1841 return -1;
1842 }
1843
1844 auth->waiting_auth_conf = 0;
1845
1846 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
1847 &wrapped_data_len);
1848 if (!wrapped_data || wrapped_data_len < AES_BLOCK_SIZE) {
1849 dpp_auth_fail(auth,
1850 "Missing or invalid required Wrapped Data attribute");
1851 return -1;
1852 }
1853 wpa_hexdump(MSG_DEBUG, "DPP: Wrapped data",
1854 wrapped_data, wrapped_data_len);
1855
1856 attr_len = wrapped_data - 4 - attr_start;
1857
1858 r_bootstrap = dpp_get_attr(attr_start, attr_len,
1859 DPP_ATTR_R_BOOTSTRAP_KEY_HASH,
1860 &r_bootstrap_len);
1861 if (!r_bootstrap || r_bootstrap_len != SHA256_MAC_LEN) {
1862 dpp_auth_fail(auth,
1863 "Missing or invalid required Responder Bootstrapping Key Hash attribute");
1864 return -1;
1865 }
1866 wpa_hexdump(MSG_DEBUG, "DPP: Responder Bootstrapping Key Hash",
1867 r_bootstrap, r_bootstrap_len);
1868 if (os_memcmp(r_bootstrap, auth->own_bi->pubkey_hash,
1869 SHA256_MAC_LEN) != 0) {
1870 wpa_hexdump(MSG_DEBUG,
1871 "DPP: Expected Responder Bootstrapping Key Hash",
1872 auth->peer_bi->pubkey_hash, SHA256_MAC_LEN);
1873 dpp_auth_fail(auth,
1874 "Responder Bootstrapping Key Hash mismatch");
1875 return -1;
1876 }
1877
1878 i_bootstrap = dpp_get_attr(attr_start, attr_len,
1879 DPP_ATTR_I_BOOTSTRAP_KEY_HASH,
1880 &i_bootstrap_len);
1881 if (i_bootstrap) {
1882 if (i_bootstrap_len != SHA256_MAC_LEN) {
1883 dpp_auth_fail(auth,
1884 "Invalid Initiator Bootstrapping Key Hash attribute");
1885 return -1;
1886 }
1887 wpa_hexdump(MSG_MSGDUMP,
1888 "DPP: Initiator Bootstrapping Key Hash",
1889 i_bootstrap, i_bootstrap_len);
1890 if (!auth->peer_bi ||
1891 os_memcmp(i_bootstrap, auth->peer_bi->pubkey_hash,
1892 SHA256_MAC_LEN) != 0) {
1893 dpp_auth_fail(auth,
1894 "Initiator Bootstrapping Key Hash mismatch");
1895 return -1;
1896 }
1897 } else if (auth->peer_bi) {
1898 /* Mutual authentication and peer did not include its
1899 * Bootstrapping Key Hash attribute. */
1900 dpp_auth_fail(auth,
1901 "Missing Initiator Bootstrapping Key Hash attribute");
1902 return -1;
1903 }
1904
1905 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
1906 &status_len);
1907 if (!status || status_len < 1) {
1908 dpp_auth_fail(auth,
1909 "Missing or invalid required DPP Status attribute");
1910 return -1;
1911 }
1912 wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]);
1913 if (status[0] == DPP_STATUS_NOT_COMPATIBLE ||
1914 status[0] == DPP_STATUS_AUTH_FAILURE)
1915 return dpp_auth_conf_rx_failure(auth, hdr, attr_start,
1916 attr_len, wrapped_data,
1917 wrapped_data_len, status[0]);
1918
1919 if (status[0] != DPP_STATUS_OK) {
1920 dpp_auth_fail(auth, "Authentication failed");
1921 return -1;
1922 }
1923
1924 addr[0] = hdr;
1925 len[0] = DPP_HDR_LEN;
1926 addr[1] = attr_start;
1927 len[1] = attr_len;
1928 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[0]", addr[0], len[0]);
1929 wpa_hexdump(MSG_DEBUG, "DDP: AES-SIV AD[1]", addr[1], len[1]);
1930 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV ciphertext",
1931 wrapped_data, wrapped_data_len);
1932 unwrapped_len = wrapped_data_len - AES_BLOCK_SIZE;
1933 unwrapped = os_malloc(unwrapped_len);
1934 if (!unwrapped)
1935 return -1;
1936 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
1937 wrapped_data, wrapped_data_len,
1938 2, addr, len, unwrapped) < 0) {
1939 dpp_auth_fail(auth, "AES-SIV decryption failed");
1940 goto fail;
1941 }
1942 wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
1943 unwrapped, unwrapped_len);
1944
1945 if (dpp_check_attrs(unwrapped, unwrapped_len) < 0) {
1946 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
1947 goto fail;
1948 }
1949
1950 i_auth = dpp_get_attr(unwrapped, unwrapped_len, DPP_ATTR_I_AUTH_TAG,
1951 &i_auth_len);
1952 if (!i_auth || i_auth_len != auth->curve->hash_len) {
1953 dpp_auth_fail(auth,
1954 "Missing or invalid Initiator Authenticating Tag");
1955 goto fail;
1956 }
1957 wpa_hexdump(MSG_DEBUG, "DPP: Received Initiator Authenticating Tag",
1958 i_auth, i_auth_len);
1959 /* I-auth' = H(R-nonce | I-nonce | PR.x | PI.x | BR.x | [BI.x |] 1) */
1960 if (dpp_gen_i_auth(auth, i_auth2) < 0)
1961 goto fail;
1962 wpa_hexdump(MSG_DEBUG, "DPP: Calculated Initiator Authenticating Tag",
1963 i_auth2, i_auth_len);
1964 if (os_memcmp(i_auth, i_auth2, i_auth_len) != 0) {
1965 dpp_auth_fail(auth, "Mismatching Initiator Authenticating Tag");
1966 goto fail;
1967 }
1968
1969 bin_clear_free(unwrapped, unwrapped_len);
1970 dpp_auth_success(auth);
1971 return 0;
1972 fail:
1973 bin_clear_free(unwrapped, unwrapped_len);
1974 return -1;
1975 }
1976