From 512b6c02e0f347b30666d5d747da9f9129b1a5b9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 3 Apr 2020 15:47:18 +0300
Subject: [PATCH] DPP: Mandate mutual auth with NFC negotiated connection handover

Mark own bootstrap information as having been used in NFC negotiated connection handover and do not accept non-mutual authentication when processing Authentication Response from the peer when such bootstrapping information is used.

Signed-off-by: Jouni Malinen
---
 src/common/dpp.c | 8 ++++++++
 src/common/dpp.h | 2 ++
 wpa_supplicant/dpp_supplicant.c | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/src/common/dpp.c b/src/common/dpp.c
index ae4ed3fd0..c4ee9b8ab 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -3952,6 +3952,14 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 dpp_auth_fail(auth,
 "Missing Initiator Bootstrapping Key Hash attribute");
 return NULL;
+ } else if (auth->own_bi &&
+ auth->own_bi->type == DPP_BOOTSTRAP_NFC_URI &&
+ auth->own_bi->nfc_negotiated) {
+ /* NFC negotiated connection handover bootstrapping mandates
+ * use of mutual authentication */
+ dpp_auth_fail(auth,
+ "Missing Initiator Bootstrapping Key Hash attribute");
+ return NULL;
 }

 auth->peer_version = 1; /* default to the first version */
diff --git a/src/common/dpp.h b/src/common/dpp.h
index 61be2184b..afbedc554 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -138,6 +138,8 @@ struct dpp_bootstrap_info {
 const struct dpp_curve_params *curve;
 unsigned int pkex_t; /* number of failures before dpp_pkex
 * instantiation */
+ int nfc_negotiated; /* whether this has been used in NFC negotiated
+ * connection handover */
 char *configurator_params;
 };

diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index c1ebf10d3..f90463ff6 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
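Review bot: The new `else if` branch in src/common/dpp.c reports the rejection with the same text as the branch directly above it, `"Missing Initiator Bootstrapping Key Hash attribute"`, so the failure log cannot show that the peer was refused because NFC negotiated connection handover requires mutual authentication. A distinct message, for example `"Non-mutual authentication not allowed with NFC negotiated connection handover"`, would let an operator spot a peer that tries to fall back to non-mutual authentication. Check first that no test or tooling matches on the existing string. The body of dpp_auth_resp_rx() starts and ends outside the hunk, so the conditions of the earlier branches are not visible here.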
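Review bot: The comment on `nfc_negotiated` in src/common/dpp.h says what the flag records but not what depends on it. In this patch it is the only input that makes dpp_auth_resp_rx() reject non-mutual authentication, and it is set only by the two wpa_supplicant handover commands, so any other caller that runs a negotiated handover without setting it leaves the check skipped. The comment should state that contract, for example `/* set by NFC negotiated connection handover entry points; when set, an Authentication Response without mutual authentication is rejected */`. Nothing in the visible hunks clears the flag; if it is meant to be sticky for the lifetime of the bootstrap entry, the comment should say so.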
@@ -118,6 +118,7 @@ int wpas_dpp_nfc_handover_req(struct wpa_supplicant *wpa_s, const char *cmd)
 own_bi = dpp_bootstrap_get_id(wpa_s->dpp, atoi(pos));
 if (!own_bi)
 return -1;
+ own_bi->nfc_negotiated = 1;

 pos = os_strstr(cmd, " uri=");
 if (!pos)
@@ -149,6 +150,7 @@ int wpas_dpp_nfc_handover_sel(struct wpa_supplicant *wpa_s, const char *cmd)
 own_bi = dpp_bootstrap_get_id(wpa_s->dpp, atoi(pos));
 if (!own_bi)
 return -1;
+ own_bi->nfc_negotiated = 1;

 pos = os_strstr(cmd, " uri=");
 if (!pos)
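Review bot: In wpas_dpp_nfc_handover_req() the flag is set as soon as the own_bi lookup succeeds, before the ` uri=` part of the command is parsed, so a command that is rejected afterwards still leaves the bootstrap entry marked. The second hunk does the same in wpas_dpp_nfc_handover_sel(). This fails closed, which is the safer direction, but nothing in the code records that the ordering is deliberate. A one-line comment such as `/* mark before parsing the rest: mutual authentication stays required even if this command fails */` above each assignment would keep a later cleanup from moving it below the remaining checks. Both function bodies continue outside the hunks.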