From 9b5111203117ef62178a5ec8f0b62dcb7f3e0ab6 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 23 Oct 2017 14:14:57 +0300
Subject: [PATCH] DPP: Allow Responder to decide not to use mutual authentication

Previously, Initiator decided whether to use mutual authentication on its own based on having own and peer bootstrapping info. This prevented Responder from selecting not to use mutual authentication in such a case. Fix this by allowed Initiator to fall back to non-mutual authentication based on Responder choice if the bootstrapping mechanism allows this (PKEX does not; it mandates use of mutual authentication).

Signed-off-by: Jouni Malinen
---
 src/common/dpp.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/common/dpp.c b/src/common/dpp.c
index 47817de66..36b1bce30 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -2841,6 +2841,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 "Initiator Bootstrapping Key Hash attribute did not match");
 return NULL;
 }
+ } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
+ /* PKEX bootstrapping mandates use of mutual authentication */
+ dpp_auth_fail(auth,
+ "Missing Initiator Bootstrapping Key Hash attribute");
+ return NULL;
 }

 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
@@ -2859,6 +2864,12 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 return NULL;
 }

+ if (!i_bootstrap && auth->own_bi) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Responder decided not to use mutual authentication");
+ auth->own_bi = NULL;
+ }
+
 r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
 &r_proto_len);
 if (!r_proto) {
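Review bot: The PKEX branch added in the first hunk fails with the text "Missing Initiator Bootstrapping Key Hash attribute", the same string the `dpp_auth_conf_rx` hunk uses for a different condition, so a log reader cannot tell that the response was refused because PKEX requires mutual authentication. Naming the reason would make a refused downgrade easy to spot, for example `"Missing Initiator Bootstrapping Key Hash attribute (required with PKEX)"`. The check also runs before the Status attribute is read, so any status carried in such a frame goes unreported; if that ordering is intended, a one-line comment saying so would help. The body of `dpp_auth_resp_rx` starts and ends outside the hunk.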
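Review bot: `auth->own_bi = NULL` in the second hunk changes session state because an attribute is absent, while the rest of the frame is still being validated. The `r_proto` lookup that follows, and whatever comes after it outside this hunk, can presumably still reject the message, and nothing visible restores the pointer. If the same `auth` can process another Authentication Response after a rejected one, that response would be handled as non-mutual, so it would be safer to keep the Responder's choice in a local variable and clear `own_bi` only once the response has been fully verified. The fallback also lowers the authentication level the Initiator was provisioned for but is logged only at `MSG_DEBUG`; a more visible level and a comment such as `/* Responder omitted the I-bootstrap hash: continue without mutual authentication */` would make it auditable. The hunk shows no way for local policy to insist on mutual authentication for non-PKEX bootstrapping; if that is deliberate, the comment should say so.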
@@ -3102,6 +3113,12 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
 "Initiator Bootstrapping Key Hash mismatch");
 return -1;
 }
+ } else if (auth->own_bi && auth->peer_bi) {
+ /* Mutual authentication and peer did not include its
+ * Bootstrapping Key Hash attribute. */
+ dpp_auth_fail(auth,
+ "Missing Initiator Bootstrapping Key Hash attribute");
+ return -1;
 }

 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
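Review bot: The new branch in `dpp_auth_conf_rx` treats `auth->own_bi && auth->peer_bi` as the test for "mutual authentication is in use", but nothing in the hunk documents that convention. It matters more now because the `dpp_auth_resp_rx` change in this commit has the Initiator signal the opposite by clearing `own_bi`, so the authentication level depends on which of these pointers is set. A comment stating the convention would help, for example `/* own_bi and peer_bi both set: this exchange uses mutual authentication, so the Initiator must include its hash */`. "Peer" in the added comment could also read "Initiator" to match the error text. The function body starts and ends outside the hunk.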