DPP: Allow Responder to decide not to use mutual authentication
authorJouni Malinen <jouni@qca.qualcomm.com>
Mon, 23 Oct 2017 11:14:57 +0000 (14:14 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 27 Oct 2017 13:09:51 +0000 (16:09 +0300)
Previously, Initiator decided whether to use mutual authentication on
its own based on having own and peer bootstrapping info. This prevented
Responder from selecting not to use mutual authentication in such a
case. Fix this by allowing Initiator to fall back to non-mutual
authentication based on Responder choice if the bootstrapping mechanism
allows this (PKEX does not; it mandates use of mutual authentication).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/common/dpp.c

index 47817de66a06f58816cdb7a942ca8619ee7f5abf..36b1bce308e68f797e9d2262975d1056520fee2c 100644 (file)
@@ -2841,6 +2841,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
                                      "Initiator Bootstrapping Key Hash attribute did not match");
                        return NULL;
                }
+       } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
+               /* PKEX bootstrapping mandates use of mutual authentication */
+               dpp_auth_fail(auth,
+                             "Missing Initiator Bootstrapping Key Hash attribute");
+               return NULL;
        }
 
        status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
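Review bot: The failure text in the new PKEX `else if` branch, "Missing Initiator Bootstrapping Key Hash attribute", is identical to the string the third hunk adds in dpp_auth_conf_rx. Someone triaging logs cannot tell a PKEX policy rejection on the Initiator from a missing hash on the confirm path. I would make this one say why it is fatal, for example `"Missing Initiator Bootstrapping Key Hash attribute (required with PKEX)"`, provided nothing matches on the exact text. dpp_auth_resp_rx starts and ends outside the hunk.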
@@ -2859,6 +2864,12 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
                return NULL;
        }
 
+       if (!i_bootstrap && auth->own_bi) {
+               wpa_printf(MSG_DEBUG,
+                          "DPP: Responder decided not to use mutual authentication");
+               auth->own_bi = NULL;
+       }
+
        r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
                               &r_proto_len);
        if (!r_proto) {
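Review bot: Clearing `auth->own_bi` in the `if (!i_bootstrap && auth->own_bi)` block makes the fallback from mutual to one-way authentication entirely the peer's choice for every non-PKEX bootstrapping type, and it is recorded only at MSG_DEBUG. An Initiator that was given its own bootstrapping info in order to require mutual authentication cannot refuse the fallback, and an operator would not see it in normal logs. The pointer is also dropped before the R-protocol key and the rest of the response are processed; whether `auth` can be reused after a later failure in this function is not visible from the hunk. I would at least log it at a visible level, `wpa_printf(MSG_INFO, "DPP: Responder decided not to use mutual authentication");`, and consider a local policy check before accepting the fallback.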
@@ -3102,6 +3113,12 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
                                      "Initiator Bootstrapping Key Hash mismatch");
                        return -1;
                }
+       } else if (auth->own_bi && auth->peer_bi) {
+               /* Mutual authentication and peer did not include its
+                * Bootstrapping Key Hash attribute. */
+               dpp_auth_fail(auth,
+                             "Missing Initiator Bootstrapping Key Hash attribute");
+               return -1;
        }
 
        status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,