DPP: Mandate mutual auth with NFC negotiated connection handover
authorJouni Malinen <jouni@codeaurora.org>
Fri, 3 Apr 2020 12:47:18 +0000 (15:47 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 3 Apr 2020 13:27:52 +0000 (16:27 +0300)
Mark own bootstrap information as having been used in NFC negotiated
connection handover and do not accept non-mutual authentication when
processing Authentication Response from the peer when such bootstrapping
information is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/common/dpp.c
src/common/dpp.h
wpa_supplicant/dpp_supplicant.c

index ae4ed3fd0aca4b35e5aab9d07611d2c5f8319175..c4ee9b8abe084aa2f1381d830a34eff96357857a 100644 (file)
@@ -3952,6 +3952,14 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
                dpp_auth_fail(auth,
                              "Missing Initiator Bootstrapping Key Hash attribute");
                return NULL;
+       } else if (auth->own_bi &&
+                  auth->own_bi->type == DPP_BOOTSTRAP_NFC_URI &&
+                  auth->own_bi->nfc_negotiated) {
+               /* NFC negotiated connection handover bootstrapping mandates
+                * use of mutual authentication */
+               dpp_auth_fail(auth,
+                             "Missing Initiator Bootstrapping Key Hash attribute");
+               return NULL;
        }
 
        auth->peer_version = 1; /* default to the first version */
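Review bot: The new branch at lines 22-29 reports the identical "Missing Initiator Bootstrapping Key Hash attribute" text as the branch directly above it (line 20), so the resulting DPP-FAIL event no longer tells the operator whether the Authentication Response was rejected for the earlier condition (outside the hunk) or because the own bootstrap info was used in NFC negotiated handover and mutual authentication is mandated. Since the event string may be matched by external tooling, keep it as is and add a debug line before the failure that names the actual reason, e.g. `wpa_printf(MSG_DEBUG, "DPP: Reject non-mutual authentication - own bootstrapping info was used in NFC negotiated connection handover");`. The comment at lines 25-26 could also state what is being enforced: `/* Own bootstrap info was used in NFC negotiated connection handover, which mandates mutual authentication (peer must include our key hash) */`. dpp_auth_resp_rx() starts and ends outside the hunk.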
index 61be2184b71935faa1730a3c891a1c708861dfc2..afbedc554b431da783cde415c2f8ed3c5b263c28 100644 (file)
@@ -138,6 +138,8 @@ struct dpp_bootstrap_info {
        const struct dpp_curve_params *curve;
        unsigned int pkex_t; /* number of failures before dpp_pkex
                              * instantiation */
+       int nfc_negotiated; /* whether this has been used in NFC negotiated
+                            * connection handover */
        char *configurator_params;
 };
 
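Review bot: The comment on the new nfc_negotiated field at lines 38-39 says only what the flag records, not what it causes or how long it lasts; a reader of dpp.h cannot tell that dpp_auth_resp_rx() uses it to reject non-mutual authentication, and this commit shows nothing that ever clears it, so the effect appears to persist for the lifetime of the bootstrap info. Suggest expanding the comment to `/* set once this bootstrap info has been used in NFC negotiated connection handover; dpp_auth_resp_rx() then rejects non-mutual authentication for it (not cleared once set) */`, with the "not cleared" part confirmed against the callers outside this diff.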
index c1ebf10d33c03be88dc4bae307fe728d01227ed9..f90463ff6adb2c65387fcf8524918f338424a6e3 100644 (file)
@@ -118,6 +118,7 @@ int wpas_dpp_nfc_handover_req(struct wpa_supplicant *wpa_s, const char *cmd)
        own_bi = dpp_bootstrap_get_id(wpa_s->dpp, atoi(pos));
        if (!own_bi)
                return -1;
+       own_bi->nfc_negotiated = 1;
 
        pos = os_strstr(cmd, " uri=");
        if (!pos)
@@ -149,6 +150,7 @@ int wpas_dpp_nfc_handover_sel(struct wpa_supplicant *wpa_s, const char *cmd)
        own_bi = dpp_bootstrap_get_id(wpa_s->dpp, atoi(pos));
        if (!own_bi)
                return -1;
+       own_bi->nfc_negotiated = 1;
 
        pos = os_strstr(cmd, " uri=");
        if (!pos)
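Review bot: Line 48 marks own_bi as used in NFC negotiated handover before the rest of the command is validated: the " uri=" lookup on lines 50-51 (and presumably later steps of wpas_dpp_nfc_handover_req(), outside the hunk) can still fail, leaving a bootstrap entry flagged although no handover took place, and every later authentication using that id will then be forced to be mutual. The same ordering appears at line 56 in wpas_dpp_nfc_handover_sel(). The effect is fail-closed (stricter, not weaker), so the risk is operational rather than a bypass, but the state change belongs after the parsing succeeds; move `own_bi->nfc_negotiated = 1;` in both functions to just before the success return. Both function bodies continue past the hunk.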