}
+static bool dpp_supports_curve(const char *curve, struct dpp_bootstrap_info *bi)
+{
+ enum dpp_bootstrap_supported_curves idx;
+
+ if (!bi || !bi->supported_curves)
+ return true; /* no support indication available */
+
+ if (os_strcmp(curve, "prime256v1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_P_256;
+ else if (os_strcmp(curve, "secp384r1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_P_384;
+ else if (os_strcmp(curve, "secp521r1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_P_521;
+ else if (os_strcmp(curve, "brainpoolP256r1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_BP_256;
+ else if (os_strcmp(curve, "brainpoolP384r1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_BP_384;
+ else if (os_strcmp(curve, "brainpoolP512r1") == 0)
+ idx = DPP_BOOTSTRAP_CURVE_BP_512;
+ else
+ return true;
+
+ return bi->supported_curves & BIT(idx);
+}
+
+
static struct wpabuf *
dpp_build_conf_obj_dpp(struct dpp_authentication *auth,
struct dpp_configuration *conf)
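Review bot: The final `else return true;` in dpp_supports_curve() passes any curve name that is not one of the six listed strings, so a curve added to the Configurator's curve table later would silently skip the Enrollee capability check. Unlike the first early return, this branch carries no comment; I would add `/* unknown curve name - no bit defined in supported_curves, do not reject */` on that line, or log the unrecognized name at debug level so the skipped check is visible. If failing open is not the intent for unknown names, `return false;` is the stricter choice. That would change behaviour for callers and needs checking against the curve table, which is not visible in this hunk.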
goto fail;
}
curve = auth->conf->curve;
+ if (dpp_akm_dpp(conf->akm) &&
+ !dpp_supports_curve(curve->name, auth->peer_bi)) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Enrollee does not support C-sign-key curve (%s) - cannot generate config object",
+ curve->name);
+ goto fail;
+ }
if (auth->new_curve && auth->new_key_received)
nak_curve = auth->new_curve;
else
nak_curve = auth->curve;
+ if (!dpp_supports_curve(nak_curve->name, auth->peer_bi)) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Enrollee does not support netAccessKey curve (%s) - cannot generate config object",
+ nak_curve->name);
+ goto fail;
+ }
akm = conf->akm;
if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
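Review bot: The C-sign-key check is gated on `dpp_akm_dpp(conf->akm)`, while the netAccessKey check a few lines below runs for every AKM, and nothing in the hunk explains the difference. A one-line comment above the second check would help the next reader, for example `/* netAccessKey curve is checked regardless of AKM */` followed by the reason. Presumably the reason is that the netAccessKey is always part of the generated object, but that cannot be confirmed from the visible lines. The body of dpp_build_conf_obj_dpp() starts and ends outside this hunk, so the `fail` label and what the Enrollee is told on this path are not visible here.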
if (auth->conf->net_access_key_curve &&
auth->curve != auth->conf->net_access_key_curve &&
!auth->new_key_received) {
+ if (!dpp_supports_curve(auth->conf->net_access_key_curve->name,
+ auth->peer_bi)) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Enrollee does not support the required netAccessKey curve (%s) - cannot generate config object",
+ auth->conf->net_access_key_curve->name);
+ goto fail;
+ }
wpa_printf(MSG_DEBUG,
"DPP: Peer protocol key curve (%s) does not match the required netAccessKey curve (%s) - %s",
auth->curve->name,