Fix internal DH implementation not to pad shared key

The returned buffer length was hardcoded to be the prime length
which resulted in shorter results being padded in the end. However,
the results from DH code are supposed to be unpadded (and when used
with WPS, the padding is done in WPS code and it is added to the
beginning of the buffer). This fixes WPS key derivation errors
in about 1/256 of runs ("WPS: Incorrect Authenticator") when using
the internal crypto code.

diff --git a/src/crypto/dh_groups.c b/src/crypto/dh_groups.c
index 5f6008a..7bd2fb7 100644 (file)
--- a/src/crypto/dh_groups.c
+++ b/src/crypto/dh_groups.c
@@ -619,11 +619,12 @@ struct wpabuf * dh_derive_shared(const struct wpabuf *peer_public,
        if (crypto_mod_exp(wpabuf_head(peer_public), wpabuf_len(peer_public),
                           wpabuf_head(own_private), wpabuf_len(own_private),
                           dh->prime, dh->prime_len,
-                          wpabuf_put(shared, shared_len), &shared_len) < 0) {
+                          wpabuf_mhead(shared), &shared_len) < 0) {
                wpabuf_free(shared);
                wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
                return NULL;
        }
+       wpabuf_put(shared, shared_len);
        wpa_hexdump_buf_key(MSG_DEBUG, "DH: shared key", shared);
 
        return shared;