The new use_akm_selector=1 value to Configurator parameters can now be
used to request a list of AKM suite selectors to be used in the
Configuration Object if the Enrollee supports version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Special @CONF-OBJ-SEP@ string can now be used as a DPP configuration
string value to split the string into two different components to
configure two Config Objects for an Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Go through the received bandSupport JSON array and print its contents in
the debug log. This information might be exposed to upper layer
configuration generation/use somehow in the future.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.
Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is more consistent with the use of CONFIG_DPP2 since the
Configuration Result message is sent only when using version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If only one of the allocations fails, the successful allocation needs to
be freed on the error path.
Fixes: 22f90b32f1 ("DPP2: Configuration Result message generation and processing")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This replaces the separately implemented ECDH operations with a single
helper function to avoid code duplication. In addition, this introduces
a workaround for strange OpenSSL behavior where the first
EVP_PKEY_derive(NULL) call to learn the size of the output shared secret
returns unexpectedly large buffer (72 octets when expected 32 octets for
group 19). It is not known what is causing this, but such behavior seems
to be showing up every now and then at least when running hwsim test
cases under UML and apparently mainly (only?) in the sigma_dut
controller cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add initial implementation of DPP-over-TCP. This adds the general TCP
encapsulation routines into the shared src/common/dpp.c implementation.
That functionality will be exposed through hostapd and wpa_supplicant in
the following commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be helpful for testing DPP2 Controller functionality (get
pkhash from Controller to Relay).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows devices supporting DPP protocol version 2 or newer to
provision networks that enable both the legacy (PSK/SAE) and DPP
credentials.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Share a single parsing implementation for both hostapd and
wpa_supplicant to avoid code duplication. In addition, clean up the
implementation to be more easily extensible.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use this new message from Enrollee to Configurator to indicate result of
the config object provisioning if both devices support protocol version
2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Send out the new Protocol Version attribute in Authentication
Request/Response messages and determine the peer version based on this
attribute.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Looks like LibreSSL 2.8 pulled in the OpenSSL API change to mark the
first argument to X509_ALGOR_get0() const.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The reverse case (local identifier configured but no identifier
received) was already covered, but PKEX is not going to complete
successfully if there is any difference in identifier configuration, so
ignore this other case as well. This avoids unnecessary responses to
PKEX requests with identifier from a device that is ready for PKEX in
general, but not for that particular request.
Signed-off-by: Jouni Malinen <j@w1.fi>
The temporary EC_POINT 'sum' needs to be freed at the end of the
function with the other OpenSSL allocations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It looks like at least OpenSSL 1.1.0i includes the extra checks in
EC_POINT_set_affine_coordinates_GFp() that break the previously used
mechanism for generating invalid keys. Fix this by using the alternative
design that was used with OpenSSL 1.1.1 and BoringSSL.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This enhances DPP_AUTH_INIT, DPP_CONFIGURATOR_SIGN, and SET
dpp_configurator_params to allow optional setting of the DPP groupId
string for a Connector. If the value is not set, the previously wildcard
value ("*") is used by default.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
OpenSSL started reporting failures from
EC_POINT_set_affine_coordinates_GFp() similarly to BoringSSL, so use the
same workaround to enable this protocol testing case.
Signed-off-by: Jouni Malinen <j@w1.fi>
At least LibreSSL v2.7.2 indicates support for OpenSSL API 1.1.0, but it
does not apparently use const ASN1_OBJECT * with X509_ALGOR_get0(). Use
the older non-const version here with LibreSSL to fix compilation.
Signed-off-by: Jouni Malinen <j@w1.fi>
To retain configurator information across hostapd/wpa_supplicant
restart, private key need to be maintained to generate a valid pair of
authentication keys (connector, netaccess_key, csign) for new enrollees
in the network.
Add a DPP_CONFIGURATOR_GET_KEY control interface API through which the
private key of an existing configurator can be fetched.
Command format:
DPP_CONFIGURATOR_GET_KEY <configurator_id>
The output from this command can then be used with
"DPP_CONFIGURATOR_ADD key=<hexdump>" to create the same key again.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The y coordinates for some of these PKEX role-specific points were
changed in the PKEX specification, so update the implementation to
match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This prevents an issue where duplicated Authentication Response frame
could have resulted in deriving a new ke value after M.x had already
been cleared. This would result in the following configuration exchange
failing. This could happen since many driver do not filter out
retransmitted Public Action frames and link layer. Furthermore, this
could have been used as a denial-of-service attack agains the DPP
exchange.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The BoringSSL version of crypto_ecdh_init() and dpp_gen_keypair() works
fine with OpenSSL as well, so use that same implementation for both to
avoid unnecessary maintanence of multiple versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to go through EC_GROUP_new_by_curve_name(),
EC_KEY_new(), and EC_KEY_set_group() when a single call to
EC_KEY_new_by_curve_name() takes care of all that.
Signed-off-by: Jouni Malinen <j@w1.fi>
This reverts commit 5548453a2d since
BoringSSL added ECDSA_SIG_set0() and ECDSA_SIG_get0() in commit
8dc226ca8f1ef60737e1c1bf8cfcabf51d4068c7 ('Add some missing OpenSSL
1.1.0 accessors.') and updated X509_ALGOR_get0() prototype to match
OpenSSL 1.1.0 changes in commit e3b2a5d30d309091cab3e6a19dee7323c40d968d
('Const-correct X509_ALGOR_get0.').
Signed-off-by: Jouni Malinen <j@w1.fi>
DPP Responder selects whether mutual authentication is used. This commit
adds information about that selection to upper layers (ctrl_iface event
DPP-AUTH-DIRECTION mutual=<0/1>) on the Initiator side.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends dpp_test functionality to allow DPP exchanges to be stopped
when receiving a specified message.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
sha256_vector() result was ignored apart from printing out the failure
in the debug log. This is not really a normal case and it is better to
reject the full operation rather than try to continue with an incorrect
public key hash value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Configurator signing its own Connector was previously supported only in
wpa_supplicant. This commit extends that to hostapd to allow an AP
acting as a Configurator to self-configure itself.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of using the all-zeros Initiator Bootstrapping Key Hash when no
local bootstrapping key is configuref for the Initiator, automatically
generate a temporary bootstrapping key for the same curve that the
Responder uses. If the Responder indicates that it wants to do mutual
authentication, provide the URI for the auto-generated bootstrapping key
in the DPP-RESPONSE-PENDING event for upper layers to display the QR
Code.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 03abb6b541 ('DPP: Reject unexpected
Req/Resp message based on Auth/PKEX role') used incorrect type of error
value (NULL vs. -1). Fix that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new conf={sta,ap}-{sae,psk-sae} parameter values can now be used to
specify that the legacy configuration object is for SAE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows DPP to be used for enrolling credentials for SAE networks in
addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK
and FT-SAE cases automatically.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend dpp_test to allow more invalid attribute values to be written
into Peer Discovery Request/Response frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend dpp_test to cover cases where DPP Status value is invalid in
Authentication Response/Confirm frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend dpp_test to cover cases where Initiator/Responder Bootstrap Key
Hash value in DPP Authentication frames is invalid (flip one bit).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends dpp_test to allow invalid Initiator/Responder Protocol Key
to be written into the Authentication Request/Response frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Unlike OpenSSL, BoringSSL returns an error from
EC_POINT_set_affine_coordinates_GFp() is not on the curve. As such, need
to behave differently here depending on which library is used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While the OpenSSL version of i2d_EC_PUBKEY() seemed to be able to use
the POINT_CONVERSION_COMPRESSED setting on the EC key, that did not seem
to work with BoringSSL. Since this is not exactly robust design, replace
use of i2d_EC_PUBKEY() with a custom routine that enforces the DPP rules
on SubjectPublicKeyInfo (compressed format of the public key,
ecPublicKey OID, parameters present and indicating the curve by OID).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This routine was previously implemented twice using i2d_EC_PUBKEY().
There is no need to duplicate that implementation and especially since
it looks like this implementation needs to be replaced for BoringSSL,
start by using a shared helper function for both locations so that there
is only a single place that uses i2d_EC_PUBKEY() to build the special
DPP bootstrapping key DER encoding.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide ECDSA_SIG_set0() or
ECDSA_SIG_get0(). For now, add the helper functions regardless of the
version BoringSSL claims to be. Similarly, include the X509_ALGOR_get0()
workaround unconditionally for BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
../src/common/dpp.c: In function 'dpp_test_gen_invalid_key':
../src/common/dpp.c:5531:10: warning: return makes integer from pointer without a cast [-Wint-conversion]
return NULL;
^
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This is for protocol testing to check what happens if the Responser
receives an unexpected Authentication Response instead of Authentication
Confirm.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This prevents issues where an unexpected message in the DPP
Authentication exchange or PKEX could result in undefined behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends wpa_supplicant DPP implementation to retransmit DPP
Authentication Response frame every 10 seconds up to 5 times if the peer
does not reply with DPP Authentication Confirm frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new role=either parameter can now be used with DPP_AUTH_INIT to
indicate that the initiator can take either the Configurator or Enrollee
role.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends wpa_supplicant to iterate over all available channels from
the intersection of what the peer indicates and the local device
supports when initiating DPP Authentication. In addition, retry DPP
Authentication Request frame up to five times if no response is
received.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
K and z can be derived already based on information available at the
time the PKEX Exchange Request is being processed, so move these there
from the PKEX Commit-Reveal Request processing since that matches the
DPP tech spec description close and allows PKEX exchange to be aborted
earlier if anything unexpected happens.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add limit on number of failed attempts that could have used PKEX code.
If the limit (5) is reached, drop the PKEX state (including the code)
and report this on the control interface to indicate that a new code
needs to be entered due to possible attack.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Clean up the pending PKEX exchange if Commit-Reveal Request processing
indicates a mismatch in the PKEX code. Previously, the this case was
silently ignored and the session was left in pending state that
prevented new PKEX exchanges from getting initated. Now, a new attempt
is allowed to be initiated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Number of places writing BIGNUM values with left-padding were open
coding this helper functionality unnecessarily.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Report mismatching finite cyclic group with PKEX Exchange Response using
STATUS_BAD_GROUP and provide more detailed error report over the control
interface on the peer device when this happens.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The optional channel information was removed from the discovery object
in the DPP tech spec, so no need to maintain this TODO note anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>