From a4bf007877576ab91ef1cf9b97aa5df62e233496 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 22 Aug 2017 23:46:27 +0300
Subject: [PATCH] DPP: Remove devices object from the connector This was removed from the draft DPP tech spec, so remove it from the implementation as well.
Signed-off-by: Jouni Malinen
---
 hostapd/ctrl_iface.c | 3 -
 src/ap/dpp_hostapd.c | 4 -
 src/ap/hostapd.h | 1 -
 src/common/dpp.c | 178 +-----------------------------
 src/common/dpp.h | 3 +-
 wpa_supplicant/ctrl_iface.c | 3 -
 wpa_supplicant/dpp_supplicant.c | 5 -
 wpa_supplicant/wpa_supplicant_i.h | 1 -
 8 files changed, 6 insertions(+), 192 deletions(-)
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index c2534d1fb..21d50ed79 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1298,9 +1298,6 @@ static int hostapd_ctrl_iface_set(struct hostapd_data *hapd, char *cmd)
 } else if (os_strcasecmp(cmd, "dpp_groups_override") == 0) {
 os_free(hapd->dpp_groups_override);
 hapd->dpp_groups_override = os_strdup(value);
- } else if (os_strcasecmp(cmd, "dpp_devices_override") == 0) {
- os_free(hapd->dpp_devices_override);
- hapd->dpp_devices_override = os_strdup(value);
 } else if (os_strcasecmp(cmd, "dpp_ignore_netaccesskey_mismatch") == 0) {
 hapd->dpp_ignore_netaccesskey_mismatch = atoi(value);
diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c
index c8b4f87b8..8a8b4be64 100644
--- a/src/ap/dpp_hostapd.c
+++ b/src/ap/dpp_hostapd.c
@@ -320,8 +320,6 @@ static void hostapd_dpp_set_testing_options(struct hostapd_data *hapd,
 os_strdup(hapd->dpp_discovery_override);
 if (hapd->dpp_groups_override) auth->groups_override = os_strdup(hapd->dpp_groups_override);
- if (hapd->dpp_devices_override)
- auth->devices_override = os_strdup(hapd->dpp_devices_override);
 auth->ignore_netaccesskey_mismatch = hapd->dpp_ignore_netaccesskey_mismatch;
 #endif /* CONFIG_TESTING_OPTIONS */
@@ -1476,8 +1474,6 @@ void hostapd_dpp_deinit(struct hostapd_data *hapd)
 hapd->dpp_discovery_override = NULL;
 os_free(hapd->dpp_groups_override);
 hapd->dpp_groups_override = NULL;
- os_free(hapd->dpp_devices_override);
- hapd->dpp_devices_override = NULL;
 hapd->dpp_ignore_netaccesskey_mismatch = 0;
 #endif /* CONFIG_TESTING_OPTIONS */
 if (!hapd->dpp_init_done)
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index fc19c25a9..97e116571 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -344,7 +344,6 @@ struct hostapd_data {
 char *dpp_config_obj_override;
 char *dpp_discovery_override;
 char *dpp_groups_override;
- char *dpp_devices_override;
 unsigned int dpp_ignore_netaccesskey_mismatch:1;
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_DPP */
diff --git a/src/common/dpp.c b/src/common/dpp.c
index e98a13390..1edfc9be0 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -2890,7 +2890,6 @@ void dpp_auth_deinit(struct dpp_authentication *auth)
 os_free(auth->config_obj_override);
 os_free(auth->discovery_override);
 os_free(auth->groups_override);
- os_free(auth->devices_override);
 #endif /* CONFIG_TESTING_OPTIONS */
 bin_clear_free(auth, sizeof(*auth));
 }
@@ -3028,8 +3027,6 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
 #ifdef CONFIG_TESTING_OPTIONS
 if (auth->groups_override) extra_len += os_strlen(auth->groups_override);
- if (auth->devices_override)
- extra_len += os_strlen(auth->devices_override);
 #endif /* CONFIG_TESTING_OPTIONS */
 /* Connector (JSON dppCon object) */
@@ -3037,7 +3034,7 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
 if (!dppcon) goto fail;
 #ifdef CONFIG_TESTING_OPTIONS
- if (auth->groups_override || auth->devices_override) {
+ if (auth->groups_override) {
 wpabuf_put_u8(dppcon, '{');
 if (auth->groups_override) {
 wpa_printf(MSG_DEBUG,
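Review bot: In the `@@ -3037` hunk of dpp_build_conf_obj_dpp, the rewritten outer test `if (auth->groups_override) {` is followed two lines later by an identical inner `if (auth->groups_override) {`, so the inner check can no longer be false. Dropping the inner `if` and its braces, and running the groups-override body directly before `goto skip_groups;`, would make the testing path easier to follow. The inner block continues into the next hunk (`@@ -3047`), and the function starts and ends outside both hunks.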
@@ -3047,14 +3044,6 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth, int ap,
 wpabuf_put_str(dppcon, auth->groups_override);
 wpabuf_put_u8(dppcon, ',');
 }
- if (auth->devices_override) {
- wpa_printf(MSG_DEBUG,
- "DPP: TESTING - devices override: '%s'",
- auth->devices_override);
- wpabuf_put_str(dppcon, "\"devices\":");
- wpabuf_put_str(dppcon, auth->devices_override);
- wpabuf_put_u8(dppcon, ',');
- }
 goto skip_groups;
 }
 #endif /* CONFIG_TESTING_OPTIONS */
@@ -3743,7 +3732,7 @@ static int dpp_parse_connector(struct dpp_authentication *auth,
 const unsigned char *payload, u16 payload_len)
 {
- struct json_token *root, *groups, *devices, *netkey, *token;
+ struct json_token *root, *groups, *netkey, *token;
 int ret = -1;
 EVP_PKEY *key = NULL;
 const struct dpp_curve_params *curve;
@@ -3781,44 +3770,9 @@ static int dpp_parse_connector(struct dpp_authentication *auth,
 }
 skip_groups:
- devices = json_get_member(root, "devices");
- if (!devices || devices->type != JSON_ARRAY) {
- wpa_printf(MSG_DEBUG, "DPP: No devices array found");
- goto skip_devices;
- }
- for (token = devices->child; token; token = token->sibling) {
- struct wpabuf *id;
- struct json_token *role;
-
- id = json_get_member_base64url(token, "deviceId");
- if (!id) {
- wpa_printf(MSG_DEBUG,
- "DPP: Missing or invalid deviceId string");
- goto fail;
- }
- wpa_hexdump_buf(MSG_DEBUG, "DPP: deviceId", id);
- if (wpabuf_len(id) != SHA256_MAC_LEN) {
- wpa_printf(MSG_DEBUG,
- "DPP: Unexpected deviceId length");
- wpabuf_free(id);
- goto fail;
- }
- wpabuf_free(id);
-
- role = json_get_member(token, "netRole");
- if (!role || role->type != JSON_STRING) {
- wpa_printf(MSG_DEBUG, "DPP: Missing netRole string");
- goto fail;
- }
- wpa_printf(MSG_DEBUG, "DPP: connector device netRole='%s'",
- role->string);
- rules++;
- }
-
-skip_devices:
 if (!rules) {
 wpa_printf(MSG_DEBUG,
- "DPP: Connector includes no groups or devices");
+ "DPP: Connector includes no groups");
 goto fail;
 }
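Review bot: After the `@@ -3781` hunk in dpp_parse_connector, the `skip_groups:` label is followed directly by `if (!rules)`, so any path that reaches the label without having counted a group now ends in `goto fail`. A short comment above the check, for example `/* Groups are the only rule type left in the connector; at least one entry is required */`, would state that a connector carrying only a "devices" array is rejected here on purpose. The jump to `skip_groups` and the groups loop that increments `rules` are outside the hunk, so this reading is inferred from the label and the counter.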
@@ -4552,102 +4506,6 @@ static int dpp_connector_match_groups(struct json_token *own_root,
 }
-static int dpp_connector_compatible_device(struct json_token *root,
- const char *device_id,
- const char *net_role)
-{
- struct json_token *groups, *token;
-
- groups = json_get_member(root, "devices");
- if (!groups || groups->type != JSON_ARRAY)
- return 0;
-
- for (token = groups->child; token; token = token->sibling) {
- struct json_token *id, *role;
-
- id = json_get_member(token, "deviceId");
- if (!id || id->type != JSON_STRING)
- continue;
-
- role = json_get_member(token, "netRole");
- if (!role || role->type != JSON_STRING)
- continue;
-
- if (os_strcmp(id->string, device_id) != 0)
- continue;
-
- if (dpp_compatible_netrole(role->string, net_role))
- return 1;
- }
-
- return 0;
-}
-
-
-static int dpp_connector_match_devices(struct json_token *own_root,
- struct json_token *peer_root,
- const char *own_deviceid)
-{
- struct json_token *devices, *token;
-
- devices = json_get_member(peer_root, "devices");
- if (!devices || devices->type != JSON_ARRAY) {
- wpa_printf(MSG_DEBUG, "DPP: No peer devices array found");
- return 0;
- }
-
- for (token = devices->child; token; token = token->sibling) {
- struct json_token *id, *role;
-
- id = json_get_member(token, "deviceId");
- if (!id || id->type != JSON_STRING) {
- wpa_printf(MSG_DEBUG,
- "DPP: Missing or invalid deviceId string");
- continue;
- }
-
- role = json_get_member(token, "netRole");
- if (!role || role->type != JSON_STRING) {
- wpa_printf(MSG_DEBUG, "DPP: Missing netRole string");
- continue;
- }
- wpa_printf(MSG_DEBUG,
- "DPP: connector device deviceId='%s' netRole='%s'",
- id->string, role->string);
- if (os_strcmp(id->string, own_deviceid) != 0)
- continue;
-
- wpa_printf(MSG_DEBUG,
- "DPP: Listed deviceId matches own deviceId");
- /* TODO: Is this next step required? 
*/
- if (dpp_connector_compatible_device(own_root, id->string,
- role->string)) {
- wpa_printf(MSG_DEBUG,
- "DPP: Compatible device/netRole in own connector");
- return 1;
- }
- /* TODO: For now, accept this for interop testing purposes based
- * on a simple match of deviceId while ignoring netRole. Once
- * the spec is clearer on the expected behavior, either this
- * comment or the following return 1 statement needs to be
- * removed.
- */
- return 1;
- }
-
- return 0;
-}
-
-
-static int dpp_connector_match(struct json_token *own_root,
- struct json_token *peer_root,
- const char *own_deviceid)
-{
- return dpp_connector_match_groups(own_root, peer_root) ||
- dpp_connector_match_devices(own_root, peer_root, own_deviceid);
-}
-
-
 static int dpp_derive_pmk(const u8 *Nx, size_t Nx_len, u8 *pmk, unsigned int hash_len)
 {
@@ -4754,7 +4612,6 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 int ret = -1;
 EVP_PKEY *own_key = NULL, *peer_key = NULL;
 struct wpabuf *own_key_pub = NULL;
- char *own_deviceid = NULL;
 const struct dpp_curve_params *curve, *own_curve;
 struct dpp_signed_connector_info info;
 const unsigned char *p;
@@ -4766,9 +4623,6 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 EVP_PKEY_CTX *ctx = NULL;
 size_t Nx_len;
 u8 Nx[DPP_MAX_SHARED_SECRET_LEN];
- u8 hash[SHA256_MAC_LEN];
- const u8 *addr[1];
- size_t len[1];
 os_memset(intro, 0, sizeof(*intro));
 os_memset(&info, 0, sizeof(info));
@@ -4789,27 +4643,6 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 wpa_printf(MSG_ERROR, "DPP: Failed to parse own netAccessKey");
 goto fail;
 }
- /* deviceId = SHA256(ANSI X9.63 uncompressed netAccessKey) */
- own_key_pub = dpp_get_pubkey_point(own_key, 1);
- if (!own_key_pub)
- goto fail;
- wpa_hexdump_buf(MSG_DEBUG,
- "DPP: ANSI X9.63 uncompressed public key of own netAccessKey",
- own_key_pub);
- addr[0] = wpabuf_head(own_key_pub);
- len[0] = wpabuf_len(own_key_pub);
- if (sha256_vector(1, addr, len, hash) < 0)
- goto fail;
- wpa_hexdump(MSG_DEBUG,
- "DPP: SHA256 hash of ANSI X9.63 uncompressed form",
- hash, SHA256_MAC_LEN);
-
- own_deviceid = (char *) base64_url_encode(hash, sizeof(hash), NULL, 0);
- if (!own_deviceid)
- goto fail;
- wpa_printf(MSG_DEBUG,
- "DPP: Own deviceId (base64url encoded hash value): %s",
- own_deviceid);
 pos = os_strchr(own_connector, '.');
 if (!pos) {
@@ -4853,9 +4686,9 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 goto fail;
 }
- if (!dpp_connector_match(own_root, root, own_deviceid)) {
+ if (!dpp_connector_match_groups(own_root, root)) {
 wpa_printf(MSG_DEBUG,
- "DPP: Peer connector does not include compatible group/device netrole with own connector");
+ "DPP: Peer connector does not include compatible group netrole with own connector");
 goto fail;
 }
@@ -4937,7 +4770,6 @@ fail:
 os_free(info.payload);
 EVP_PKEY_free(own_key);
 wpabuf_free(own_key_pub);
- os_free(own_deviceid);
 EVP_PKEY_free(peer_key);
 EVP_PKEY_free(csign);
 json_free(root);
diff --git a/src/common/dpp.h b/src/common/dpp.h
index c328e1db3..277b03ae2 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -128,7 +128,7 @@ struct dpp_configuration {
 /* For DPP configuration (connector) */
 os_time_t netaccesskey_expiry;
- /* TODO: groups, devices */
+ /* TODO: groups */
 /* For legacy configuration */
 char *passphrase;
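Review bot: `own_key_pub` in dpp_peer_intro looks unused after this change: the `@@ -4789` hunk deletes `own_key_pub = dpp_get_pubkey_point(own_key, 1);`, the only assignment visible in this patch, while the declaration `struct wpabuf *own_key_pub = NULL;` (context in `@@ -4754`) and `wpabuf_free(own_key_pub);` under `fail:` (context in `@@ -4937`) remain. If nothing in the unshown part of the function assigns it, both lines can go together with the deviceId derivation, which keeps the cleanup list limited to resources the function actually acquires. The function body between these hunks is not visible, so this should be confirmed against the full file.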
@@ -183,7 +183,6 @@ struct dpp_authentication {
 char *config_obj_override;
 char *discovery_override;
 char *groups_override;
- char *devices_override;
 unsigned int ignore_netaccesskey_mismatch:1;
 #endif /* CONFIG_TESTING_OPTIONS */
 };
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 863dc992f..62b1bafc5 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -646,9 +646,6 @@ static int wpa_supplicant_ctrl_iface_set(struct wpa_supplicant *wpa_s,
 } else if (os_strcasecmp(cmd, "dpp_groups_override") == 0) {
 os_free(wpa_s->dpp_groups_override);
 wpa_s->dpp_groups_override = os_strdup(value);
- } else if (os_strcasecmp(cmd, "dpp_devices_override") == 0) {
- os_free(wpa_s->dpp_devices_override);
- wpa_s->dpp_devices_override = os_strdup(value);
 } else if (os_strcasecmp(cmd, "dpp_ignore_netaccesskey_mismatch") == 0) {
 wpa_s->dpp_ignore_netaccesskey_mismatch = atoi(value);
diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index 7acb44fb2..4d632b389 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -366,9 +366,6 @@ static void wpas_dpp_set_testing_options(struct wpa_supplicant *wpa_s,
 if (wpa_s->dpp_groups_override) auth->groups_override = os_strdup(wpa_s->dpp_groups_override);
- if (wpa_s->dpp_devices_override)
- auth->devices_override =
- os_strdup(wpa_s->dpp_devices_override);
 auth->ignore_netaccesskey_mismatch = wpa_s->dpp_ignore_netaccesskey_mismatch;
 #endif /* CONFIG_TESTING_OPTIONS */
@@ -2039,8 +2036,6 @@ void wpas_dpp_deinit(struct wpa_supplicant *wpa_s)
 wpa_s->dpp_discovery_override = NULL;
 os_free(wpa_s->dpp_groups_override);
 wpa_s->dpp_groups_override = NULL;
- os_free(wpa_s->dpp_devices_override);
- wpa_s->dpp_devices_override = NULL;
 wpa_s->dpp_ignore_netaccesskey_mismatch = 0;
 #endif /* CONFIG_TESTING_OPTIONS */
 if (!wpa_s->dpp_init_done)
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 8b7d2f5c8..61ea5ee3d 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -1193,7 +1193,6 @@ struct wpa_supplicant {
 char *dpp_config_obj_override;
 char *dpp_discovery_override;
 char *dpp_groups_override;
- char *dpp_devices_override;
 unsigned int dpp_ignore_netaccesskey_mismatch:1;
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_DPP */