The optional channel information was removed from the discovery object
in the DPP tech spec, so no need to maintain this TODO note anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up dpp_pkex_rx_commit_reveal_req() a bit and makes it easier
to add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up dpp_pkex_rx_exchange_resp() a bit and makes it easier to
add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up dpp_pkex_rx_exchange_req() a bit and makes it easier to
add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV
decryption fails. That is a likely sign of the PKEX code mismatch
between the devices.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow the Initiator to request a different channel to be used for DPP
Authentication and DPP Configuration exchanges. This commit adds support
for this in wpa_supplicant with the optional neg_freq=<freq in MHz>
parameter in DPP_AUTH_INIT.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Process Authentication Confirm with the two failure cases defined in the
spec: STATUS_NOT_COMPATIBLE and STATUS_AUTH_FAILURE. This verifies the
{R-nonce}k2 part and reports more detailed failure reason if the message
is valid.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If Authentication Response processing fails due to R-capab
incompatibility or R-auth mismatch, send Authentication Confirm with
error status.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the dpp_test mechanism to allow I-nonce, R-capab, R-auth,
and I-auth values in Authentication Response/Confirm to use incorrect
values.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, Initiator decided whether to use mutual authentication on
its own based on having own and peer bootstrapping info. This prevented
Responder from selecting not to use mutual authentication in such a
case. Fix this by allowed Initiator to fall back to non-mutual
authentication based on Responder choice if the bootstrapping mechanism
allows this (PKEX does not; it mandates use of mutual authentication).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is useful for protocol testing purposes and UI needs to display
more detailed information about DPP exchanges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Confirm to be omitted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is useful for protocol testing purposes and UI needs to display
more detailed information about DPP exchanges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Response to be omitted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up old dpp_auth_build_resp() (now dpp_auth_build_resp_ok())
a bit by separating initialization steps for a DPP authentication
session from the code needed to build the frame. This allows
dpp_auth_build_resp_status() to share the helper function instead of
having to maintain a duplicated message construction implementation. In
addition, this makes it easier to remove some of the attributes for
protocol testing purposes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Request to be omitted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up dpp_auth_init() a bit by separating initialization steps
for a DPP authentication session from the code needed to build the
frame. In addition, this makes it easier to remove some of the
attributes for protocol testing purposes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now that dpp_check_attrs() takes care of verifying that no attributes
are after the Wrapped Data attribute, the duplicated checks in hostapd
and wpa_supplicant side of the implementation can be removed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a generic mechanism for configuring the DPP implementation to behave
in particular different (mostly incorrect) ways for protocol testing
purposes. The new dpp_test parameter can be set to a non-zero integer to
indicate a specific behavior. This is only available in
CONFIG_TESTING_OPTIONS=y builds.
This commit include cases for an extra attribute being added after the
Wrapped Data attribute and Initiator/Responder capabilities having an
unexpected zero capability.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Memory allocation failures could have resulted in error paths that
dereference a NULL pointer or double-freeing memory. Fix this by
explicitly clearing the freed pointer and checking allocation results.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This additional field was added to DPP Public Action frames in DPP tech
spec v0.2.3 to support cryptographic agility in the future.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This matches the change in the DPP tech spec to make this less likely to
be confused with the shared secret z.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously defined inconsistently (H() vs. SHA256()), but it is
now clarified in the draft tech spec to use SHA256(), so update
implementation to do that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
DPP tech spec changed the contents of these frames by replacing the
public key hash attributes with a Transaction ID attribute that gets
copied from the request to the response to identify the transaction in a
simpler manner.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
X509_ALGOR_get0() was modified to use const ** pointer as the first
argument in OpenSSL 1.1.0, so need to use different type here to avoid
compilation issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
The DPP Configurator can use this new command to generate its own signed
connector for the network that it manages.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be compatible for the JWS protected header signing to be
valid, so add an explicit check to confirm this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of trying to share the existing definitions for NIST curves,
start using unique strings for Brainpool curves.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This implements genric PKEX functionality in src/common/dpp.c and glue
code to use this in wpa_supplicant (i.e, hostapd DPP implementation does
not yet support PKEX).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use helper functions to cover all three different hash algorithm options
for DPP operations instead of having separate calls to each function at
every location a hash operation based on the curve is needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to notice a reason for failure in cases a connector
string has been truncated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function is used for parsing both the C-sign-key and netAccessKey,
so better not imply that all cases are C-sign-key in the debug prints.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant can now be configured to generate a network profile
automatically based on DPP configuration. The following
dpp_config_processing values can be used to specify the behavior:
0 = report received configuration to an external program for
processing; do not generate any network profile internally (default)
1 = report received configuration to an external program and generate
a network profile internally, but do not automatically connect
to the created (disabled) profile; the network profile id is
reported to external programs
2 = report received configuration to an external program, generate
a network profile internally, try to connect to the created
profile automatically
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>