DPP: Support for provisioning SAE password identifiers (Configurator)
authorJouni Malinen <quic_jouni@quicinc.com>
Sun, 1 Sep 2024 13:32:39 +0000 (16:32 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 1 Sep 2024 13:32:39 +0000 (16:32 +0300)
Allow SAE password identifiers to be provisioned to Enrollees that
indicate support for this capability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/common/dpp.c
src/common/dpp.h
src/common/wpa_ctrl.h

index d5d5c8e92fc70385a56b99479e0ac7a43c9f1892..094c14bbef38bc503281ff64c30ecb3f29f73af1 100644 (file)
@@ -1151,6 +1151,10 @@ int dpp_configuration_valid(const struct dpp_configuration *conf)
        }
        if (dpp_akm_sae(conf->akm) && !conf->passphrase)
                return 0;
+#ifdef CONFIG_DPP3
+       if (conf->idpass && (!conf->passphrase || !dpp_akm_sae(conf->akm)))
+               return 0;
+#endif /* CONFIG_DPP3 */
        return 1;
 }
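Review bot: The `!conf->passphrase` half of the new condition is already covered by the check two lines above, which returns 0 whenever the AKM is SAE and no passphrase is set, so the new test reduces to `if (conf->idpass && !dpp_akm_sae(conf->akm)) return 0;`. Note also that only non-NULL-ness is checked here: an empty identifier string (which the parser in dpp_configuration_parse_helper can produce when nothing follows `idpass=`) still passes as a valid configuration. dpp_configuration_valid starts outside this hunk.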
 
@@ -1160,6 +1164,9 @@ void dpp_configuration_free(struct dpp_configuration *conf)
        if (!conf)
                return;
        str_clear_free(conf->passphrase);
+#ifdef CONFIG_DPP3
+       os_free(conf->idpass);
+#endif /* CONFIG_DPP3 */
        os_free(conf->group_id);
        os_free(conf->csrattrs);
        os_free(conf->extra_name);
@@ -1244,6 +1251,22 @@ static int dpp_configuration_parse_helper(struct dpp_authentication *auth,
                        goto fail;
        }
 
+#ifdef CONFIG_DPP3
+       pos = os_strstr(cmd, " idpass=");
+       if (pos) {
+               size_t idpass_len;
+
+               pos += 8;
+               end = os_strchr(pos, ' ');
+               idpass_len = end ? (size_t) (end - pos) : os_strlen(pos);
+               idpass_len /= 2;
+               conf->idpass = os_zalloc(idpass_len + 1);
+               if (!conf->idpass ||
+                   hexstr2bin(pos, (u8 *) conf->idpass, idpass_len) < 0)
+                       goto fail;
+       }
+#endif /* CONFIG_DPP3 */
+
        pos = os_strstr(cmd, " psk=");
        if (pos) {
                pos += 5;
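Review bot: The hex decode of `idpass=` accepts malformed input silently: `idpass_len /= 2` rounds an odd-length string down, so hexstr2bin() decodes all but the last nibble and succeeds, and a value with nothing after `idpass=` yields a zero-length identifier that dpp_configuration_valid() later treats as set. The decoded bytes are also used as a C string afterwards (os_strlen() in dpp_build_legacy_cred_params()), so an encoded 00 byte would truncate the identifier without any error. I would add `if (!idpass_len || (idpass_len & 1)) goto fail;` before the division and `if (os_strlen(conf->idpass) != idpass_len) goto fail;` after the decode. dpp_configuration_parse_helper starts and ends outside this hunk, and `pos`/`end` are declared there.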
@@ -1603,6 +1626,13 @@ static void dpp_build_legacy_cred_params(struct wpabuf *buf,
        if (conf->passphrase && os_strlen(conf->passphrase) < 64) {
                json_add_string_escape(buf, "pass", conf->passphrase,
                                       os_strlen(conf->passphrase));
+#ifdef CONFIG_DPP3
+               if (conf->idpass) {
+                       json_value_sep(buf);
+                       json_add_string_escape(buf, "idpass", conf->idpass,
+                                              os_strlen(conf->idpass));
+               }
+#endif /* CONFIG_DPP3 */
        } else if (conf->psk_set) {
                char psk[2 * sizeof(conf->psk) + 1];
 
@@ -1925,6 +1955,16 @@ dpp_build_conf_obj_legacy(struct dpp_authentication *auth,
        const char *akm_str;
        size_t len = 1000;
 
+
+#ifdef CONFIG_DPP3
+       if (conf->idpass &&
+           !(auth->enrollee_capabilities & DPP_ENROLLEE_CAPAB_SAE_PW_ID)) {
+               wpa_printf(MSG_DEBUG,
+                          "DPP: Enrollee does not support SAE Password Identifier - cannot generate config object");
+               return NULL;
+       }
+#endif /* CONFIG_DPP3 */
+
        if (conf->extra_name && conf->extra_value)
                len += 10 + os_strlen(conf->extra_name) +
                        os_strlen(conf->extra_value);
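Review bot: The hunk leaves two consecutive blank lines after `size_t len = 1000;` (the added blank plus the existing one); the one before `#ifdef CONFIG_DPP3` should go so the declarations and the capability check are separated by a single blank line, as elsewhere in this file. The capability gate itself reads fine; `DPP_ENROLLEE_CAPAB_SAE_PW_ID` is not defined in this diff, so it is presumably introduced elsewhere. dpp_build_conf_obj_legacy continues past the end of the hunk.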
@@ -2543,6 +2583,18 @@ dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
 cont:
 #endif /* CONFIG_DPP2 */
 
+#ifdef CONFIG_DPP3
+       token = json_get_member(root, "capabilities");
+       if (token && token->type == JSON_NUMBER) {
+               wpa_printf(MSG_DEBUG, "DPP: capabilities = 0x%x",
+                          token->number);
+               wpa_msg(auth->msg_ctx, MSG_INFO,
+                       DPP_EVENT_ENROLLEE_CAPABILITY "%d",
+                       token->number);
+               auth->enrollee_capabilities = token->number;
+       }
+#endif /* CONFIG_DPP3 */
+
        resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, netrole,
                                   cert_req);
 
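Review bot: `token->number` is printed with `0x%x` on one line and `%d` two lines later, and is then stored into the `unsigned int enrollee_capabilities` field; if `number` is a signed int (as the `%d` suggests), a negative value supplied by the peer in the Config Request would be logged inconsistently and stored as a very large bitmask. Since this value comes from the Enrollee and is only used to gate the `idpass` output in dpp_build_conf_obj_legacy(), the simplest fix is to reject negatives at the parse point: `if (token && token->type == JSON_NUMBER && token->number >= 0) {` and print it with `%u` after a cast, or use `%d` in both places. dpp_conf_req_rx starts and ends outside this hunk.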
index 29d8145f4bf22af2fe84a5184c5df312fe6bdf26..625946a0009ba6b7dfd53d1a774d4a5b058307c7 100644 (file)
@@ -263,6 +263,7 @@ struct dpp_configuration {
 
        /* For legacy configuration */
        char *passphrase;
+       char *idpass;
        u8 psk[32];
        int psk_set;
 
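Review bot: The new `char *idpass;` member has no comment, unlike the surrounding fields under `/* For legacy configuration */`; I would add `char *idpass; /* SAE password identifier (CONFIG_DPP3); owned by this struct, freed in dpp_configuration_free() */`. The same applies to `unsigned int enrollee_capabilities;` in the next hunk, which should say that it holds the DPP_ENROLLEE_CAPAB_* bits taken from the Enrollee's Config Request `capabilities` member. Both fields are declared unconditionally while every use in dpp.c is under `#ifdef CONFIG_DPP3`; that is harmless but worth a word in the comment.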
@@ -399,6 +400,7 @@ struct dpp_authentication {
        char *e_name;
        char *e_mud_url;
        int *e_band_support;
+       unsigned int enrollee_capabilities;
 #ifdef CONFIG_TESTING_OPTIONS
        char *config_obj_override;
        char *discovery_override;
index 032360827749f2543c4b45232eceb22388bdce0a..1a3ad2fe1496cc270e2e2a8238c59821eae697b7 100644 (file)
@@ -228,6 +228,7 @@ extern "C" {
 #define DPP_EVENT_CHIRP_STOPPED "DPP-CHIRP-STOPPED "
 #define DPP_EVENT_MUD_URL "DPP-MUD-URL "
 #define DPP_EVENT_BAND_SUPPORT "DPP-BAND-SUPPORT "
+#define DPP_EVENT_ENROLLEE_CAPABILITY "DPP-ENROLLEE-CAPABILITY "
 #define DPP_EVENT_CSR "DPP-CSR "
 #define DPP_EVENT_CHIRP_RX "DPP-CHIRP-RX "
 #define DPP_EVENT_CONF_NEEDED "DPP-CONF-NEEDED "