DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig
authorJouni Malinen <jouni@codeaurora.org>
Thu, 2 Apr 2020 12:35:56 +0000 (15:35 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 2 Apr 2020 18:34:49 +0000 (21:34 +0300)
If the Enrollee indicates support for DPP R2 or newer, add Connector and
C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not
enabled) for reconfiguration. Extend processing of such credentials in
wpa_supplicant network profile addition to handle this new case
correctly by not setting key_mgmt=DPP based on Connector being present,
but by looking at the actual akm value in the config object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/ap/dpp_hostapd.c
src/common/dpp.c
wpa_supplicant/dpp_supplicant.c

index 7b36908448bdb7237633932cdfb587aea888f536..c86f01ba76843468ebe21d97fd5f4da56c6b2326 100644 (file)
@@ -708,7 +708,8 @@ static void hostapd_dpp_handle_config_obj(struct hostapd_data *hapd,
                 * message. */
                wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONNECTOR "%s",
                        conf->connector);
-       } else if (conf->passphrase[0]) {
+       }
+       if (conf->passphrase[0]) {
                char hex[64 * 2 + 1];
 
                wpa_snprintf_hex(hex, sizeof(hex),
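Review bot: The dropped `else` in hostapd_dpp_handle_config_obj has no comment saying that the Connector and passphrase branches are now meant to run for the same config object, so a later cleanup could easily restore the `else if`. A line above the second test such as `/* DPP R2 psk/sae credentials can carry a Connector as well, so this is not an else branch */` would record the intent. The passphrase block continues past the end of the hunk, so how the hex copy of the passphrase is used afterwards is not visible here.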
index 784961ddd75e390f1775be062a8cb0d321e2d4cd..572800e4dae0d708371a7b76ca94ecd518039aaa 100644 (file)
@@ -5236,7 +5236,7 @@ dpp_build_conf_obj(struct dpp_authentication *auth, enum dpp_netrole netrole,
                return NULL;
        }
 
-       if (dpp_akm_dpp(conf->akm))
+       if (dpp_akm_dpp(conf->akm) || (auth->peer_version >= 2 && auth->conf))
                return dpp_build_conf_obj_dpp(auth, conf);
        return dpp_build_conf_obj_legacy(auth, conf);
 }
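Review bot: The added `(auth->peer_version >= 2 && auth->conf)` test in dpp_build_conf_obj is not self-explanatory and deserves a comment, because it routes every psk/sae configuration for a version 2 peer through dpp_build_conf_obj_dpp(). Something like `/* R2+ Enrollee: also include Connector and C-sign-key for reconfiguration; needs auth->conf to sign */` would do, assuming `auth->conf` is the Configurator instance, which this hunk does not show. Nothing visible here confirms that dpp_build_conf_obj_dpp() still emits the passphrase or PSK for a legacy AKM, so that is worth checking against the function body. The start of dpp_build_conf_obj lies outside the hunk.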
@@ -6724,7 +6724,8 @@ static int dpp_parse_cred_dpp(struct dpp_authentication *auth,
        conf->connector = os_strdup(signed_connector);
 
        dpp_copy_csign(conf, csign_pub);
-       dpp_copy_netaccesskey(auth, conf);
+       if (dpp_akm_dpp(conf->akm))
+               dpp_copy_netaccesskey(auth, conf);
 
        ret = 0;
 fail:
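Review bot: The result of `os_strdup(signed_connector)` is not checked before `ret = 0`, so an allocation failure lets dpp_parse_cred_dpp report success with no Connector stored. With this commit the Connector also serves as the reconfiguration data for psk/sae credentials, so that failure would quietly produce a profile without it, assuming callers only test `conf->connector`. Adding `if (!conf->connector) goto fail;` directly after the strdup keeps the error visible. This presumes `ret` still holds its failure value at that point, which is set outside the hunk.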
@@ -6836,6 +6837,7 @@ static int dpp_parse_conf_obj(struct dpp_authentication *auth,
        struct json_token *root, *token, *discovery, *cred;
        struct dpp_config_obj *conf;
        struct wpabuf *ssid64 = NULL;
+       int legacy;
 
        root = json_parse((const char *) conf_obj, conf_obj_len);
        if (!root)
@@ -6923,10 +6925,21 @@ static int dpp_parse_conf_obj(struct dpp_authentication *auth,
        }
        conf->akm = dpp_akm_from_str(token->string);
 
-       if (dpp_akm_legacy(conf->akm)) {
+       legacy = dpp_akm_legacy(conf->akm);
+       if (legacy && auth->peer_version >= 2) {
+               struct json_token *csign, *s_conn;
+
+               csign = json_get_member(cred, "csign");
+               s_conn = json_get_member(cred, "signedConnector");
+               if (csign && csign->type == JSON_OBJECT &&
+                   s_conn && s_conn->type == JSON_STRING)
+                       legacy = 0;
+       }
+       if (legacy) {
                if (dpp_parse_cred_legacy(conf, cred) < 0)
                        goto fail;
-       } else if (dpp_akm_dpp(conf->akm)) {
+       } else if (dpp_akm_dpp(conf->akm) ||
+                  (auth->peer_version >= 2 && dpp_akm_legacy(conf->akm))) {
                if (dpp_parse_cred_dpp(auth, conf, cred) < 0)
                        goto fail;
        } else {
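Review bot: A legacy credential whose `csign` or `signedConnector` member is present but has the wrong JSON type falls back to dpp_parse_cred_legacy() without any trace. A malformed reconfiguration credential is therefore accepted as a plain psk/sae one. A debug line in the version >= 2 block for the case where a member exists but the pair does not validate, e.g. `wpa_printf(MSG_DEBUG, "DPP: Ignoring invalid csign/signedConnector in legacy credential");`, would make that visible; whether to reject the object instead is a policy choice worth stating in a comment. The second test in the `else if` is already implied once `legacy` has been cleared, so `else if (dpp_akm_dpp(conf->akm) || dpp_akm_legacy(conf->akm))` would read more directly. dpp_parse_conf_obj begins and ends outside this hunk.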
index e578e0aefb4c8bec7fa2f8e28e02590f57a81e3b..c1ebf10d33c03be88dc4bae307fe728d01227ed9 100644 (file)
@@ -1100,8 +1100,10 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
        ssid->ssid_len = conf->ssid_len;
 
        if (conf->connector) {
-               ssid->key_mgmt = WPA_KEY_MGMT_DPP;
-               ssid->ieee80211w = MGMT_FRAME_PROTECTION_REQUIRED;
+               if (dpp_akm_dpp(conf->akm)) {
+                       ssid->key_mgmt = WPA_KEY_MGMT_DPP;
+                       ssid->ieee80211w = MGMT_FRAME_PROTECTION_REQUIRED;
+               }
                ssid->dpp_connector = os_strdup(conf->connector);
                if (!ssid->dpp_connector)
                        goto fail;
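Review bot: The new inner `if (dpp_akm_dpp(conf->akm))` in wpas_dpp_add_network has no comment explaining why a Connector is stored in the profile without selecting the DPP AKM or requiring PMF. A line above it such as `/* Connector may be present only for reconfiguration (psk/sae with R2+); select DPP AKM and require PMF only when the config object asks for DPP */` would make the split explicit. For the psk/sae-only case `ssid->ieee80211w` is no longer set here, so the PMF setting for SAE profiles depends on code later in the function that this hunk does not show.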
@@ -1130,7 +1132,7 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
 
        if (!conf->connector || dpp_akm_psk(conf->akm) ||
            dpp_akm_sae(conf->akm)) {
-               if (!conf->connector)
+               if (!conf->connector || !dpp_akm_dpp(conf->akm))
                        ssid->key_mgmt = 0;
                if (dpp_akm_psk(conf->akm))
                        ssid->key_mgmt |= WPA_KEY_MGMT_PSK |