DPP3: Verify version match during Network Introduction
authorJouni Malinen <quic_jouni@quicinc.com>
Fri, 3 Dec 2021 19:04:03 +0000 (21:04 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 3 Dec 2021 19:24:59 +0000 (21:24 +0200)
Verify that the Protocol Version attribute is used appropriately in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/dpp_hostapd.c
src/common/dpp.c
src/common/dpp.h
wpa_supplicant/dpp_supplicant.c

index 173da4a06c42ea4413a14d9529c2b2f345b7d45f..cd50d17d93c8ebbe5c89a8ee8a2ecbc37d38843e 100644 (file)
@@ -1661,6 +1661,28 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
                return;
        }
 
+#ifdef CONFIG_DPP3
+       if (intro.peer_version && intro.peer_version >= 2) {
+               const u8 *version;
+               u16 version_len;
+               u8 attr_version = 1;
+
+               version = dpp_get_attr(buf, len, DPP_ATTR_PROTOCOL_VERSION,
+                                      &version_len);
+               if (version && version_len >= 1)
+                       attr_version = version[0];
+               if (attr_version != intro.peer_version) {
+                       wpa_printf(MSG_INFO,
+                                  "DPP: Protocol version mismatch (Connector: %d Attribute: %d",
+                                  intro.peer_version, attr_version);
+                       hostapd_dpp_send_peer_disc_resp(hapd, src, freq,
+                                                       trans_id[0],
+                                                       DPP_STATUS_NO_MATCH);
+                       return;
+               }
+       }
+#endif /* CONFIG_DPP3 */
+
        if (!expire || (os_time_t) hapd->conf->dpp_netaccesskey_expiry < expire)
                expire = hapd->conf->dpp_netaccesskey_expiry;
        if (expire)
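Review bot: The log format string in the mismatch branch, `"DPP: Protocol version mismatch (Connector: %d Attribute: %d"`, opens a parenthesis and never closes it; append `)` here and in the identical message added to wpas_dpp_rx_peer_disc_resp in wpa_supplicant/dpp_supplicant.c. The guard `intro.peer_version && intro.peer_version >= 2` is redundant because the second test implies the first, so `if (intro.peer_version >= 2) {` is enough. A short comment such as `/* A missing Protocol Version attribute counts as version 1, so a v2+ Connector without the attribute is rejected */` would make the downgrade handling explicit. The body of hostapd_dpp_rx_peer_disc_req starts and ends outside this hunk.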
index 4a8fe06894e6b923e7830d1debb8c2b9e43db01c..ac6eae4c893edb5bfcf469951d7287cf44331c41 100644 (file)
@@ -3703,6 +3703,14 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
                }
        }
 
+#ifdef CONFIG_DPP3
+       token = json_get_member(root, "version");
+       if (token && token->type == JSON_NUMBER) {
+               wpa_printf(MSG_DEBUG, "DPP: version = %d", token->number);
+               intro->peer_version = token->number;
+       }
+#endif /* CONFIG_DPP3 */
+
        netkey = json_get_member(root, "netAccessKey");
        if (!netkey || netkey->type != JSON_OBJECT) {
                wpa_printf(MSG_DEBUG, "DPP: No netAccessKey object found");
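Review bot: A `version` member that is present but not a JSON number is silently ignored here, which leaves `intro->peer_version` unset and makes both new Peer Discovery checks skip the comparison. The value is also stored without a range check, although it is later compared against a one-octet attribute. Consider treating a present but malformed or out-of-range value (`token && (token->type != JSON_NUMBER || token->number < 1 || token->number > 255)`) as an invalid Connector and taking the function's existing error path. Whether the Connector signature has already been verified at this point is not visible in the hunk, so this is about failing closed rather than a demonstrated bypass; dpp_peer_intro continues outside the hunk.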
index 99e86ec0f9f344f469e03f08c747956f39236d3c..0f59a883e24cb07aca8adf4b1dba86934df5e33b 100644 (file)
@@ -374,6 +374,7 @@ struct dpp_introduction {
        u8 pmkid[PMKID_LEN];
        u8 pmk[PMK_LEN_MAX];
        size_t pmk_len;
+       int peer_version;
 };
 
 struct dpp_relay_config {
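Review bot: The new field has no comment, although both callers rely on 0 meaning "no version in the Connector"; something like `int peer_version; /* "version" from the peer's signed Connector; 0 if not present */` would document the sentinel. This presumably depends on the struct being zeroed before dpp_peer_intro() fills it, which is not visible here and is worth confirming.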
index fb1f3e1afd69149e337be97c71773072d1fae638..8e58e63beb8610e95dd6564d18c94ae90570be70 100644 (file)
@@ -2462,6 +2462,16 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
                               &version_len);
        if (version && version_len >= 1)
                peer_version = version[0];
+#ifdef CONFIG_DPP3
+       if (intro.peer_version && intro.peer_version >= 2 &&
+           peer_version != intro.peer_version) {
+               wpa_printf(MSG_INFO,
+                          "DPP: Protocol version mismatch (Connector: %d Attribute: %d",
+                          intro.peer_version, peer_version);
+               wpas_dpp_send_conn_status_result(wpa_s, DPP_STATUS_NO_MATCH);
+               goto fail;
+       }
+#endif /* CONFIG_DPP3 */
        entry->dpp_pfs = peer_version >= 2;
 #endif /* CONFIG_DPP2 */
        if (expiry) {
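Review bot: The new `goto fail` is taken after `entry` already exists (it is dereferenced on the line right after the `#endif`), so confirm that the `fail` label frees it and clears any key material already copied into it. The label and the allocation are both outside this hunk. If `fail` only cleans up `intro`, this path would leak the entry on every version mismatch, and the comparison would be better placed before the entry is allocated. The log message here has the same unbalanced parenthesis as the one in src/ap/dpp_hostapd.c.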