DPP: Add akm=sae and akm=psk+sae support in Enrollee role

This allows DPP to be used for enrolling credentials for SAE networks in addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK and FT-SAE cases automatically. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2024-11-25 00:38:24 -05:00 · 2017-11-22 21:04:41 +02:00 · 2017-11-22 21:04:41 +02:00 · 5dd745b738
commit 5dd745b738
parent af872d9d88
5 changed files with 67 additions and 3 deletions
--- a/src/ap/dpp_hostapd.c
+++ b/src/ap/dpp_hostapd.c
@ -711,6 +711,8 @@ static void hostapd_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token,
 	}

 	wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONF_RECEIVED);
+	wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONFOBJ_AKM "%s",
+		dpp_akm_str(auth->akm));
 	if (auth->ssid_len)
 		wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONFOBJ_SSID "%s",
 			wpa_ssid_txt(auth->ssid, auth->ssid_len));
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@ -4517,6 +4517,11 @@ static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
 		os_strlcpy(auth->passphrase, pass->string,
 			   sizeof(auth->passphrase));
 	} else if (psk_hex && psk_hex->type == JSON_STRING) {
+		if (auth->akm == DPP_AKM_SAE) {
+			wpa_printf(MSG_DEBUG,
+				   "DPP: Unexpected psk_hex with akm=sae");
+			return -1;
+		}
 		if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
 		    hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
 			wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
@ -4530,6 +4535,12 @@ static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
 		return -1;
 	}

+	if ((auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE) &&
+	    !auth->passphrase[0]) {
+		wpa_printf(MSG_DEBUG, "DPP: No pass for sae found");
+		return -1;
+	}
+
 	return 0;
 }

@ -5092,6 +5103,37 @@ fail:
 }


+const char * dpp_akm_str(enum dpp_akm akm)
+{
+	switch (akm) {
+	case DPP_AKM_DPP:
+		return "dpp";
+	case DPP_AKM_PSK:
+		return "psk";
+	case DPP_AKM_SAE:
+		return "sae";
+	case DPP_AKM_PSK_SAE:
+		return "psk+sae";
+	default:
+		return "??";
+	}
+}
+
+
+static enum dpp_akm dpp_akm_from_str(const char *akm)
+{
+	if (os_strcmp(akm, "psk") == 0)
+		return DPP_AKM_PSK;
+	if (os_strcmp(akm, "sae") == 0)
+		return DPP_AKM_SAE;
+	if (os_strcmp(akm, "psk+sae") == 0)
+		return DPP_AKM_PSK_SAE;
+	if (os_strcmp(akm, "dpp") == 0)
+		return DPP_AKM_DPP;
+	return DPP_AKM_UNKNOWN;
+}
+
+
 static int dpp_parse_conf_obj(struct dpp_authentication *auth,
 			      const u8 *conf_obj, u16 conf_obj_len)
 {
@ -5149,10 +5191,13 @@ static int dpp_parse_conf_obj(struct dpp_authentication *auth,
 		dpp_auth_fail(auth, "No cred::akm string value found");
 		goto fail;
 	}
-	if (os_strcmp(token->string, "psk") == 0) {
+	auth->akm = dpp_akm_from_str(token->string);
+
+	if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_SAE ||
+	    auth->akm == DPP_AKM_PSK_SAE) {
 		if (dpp_parse_cred_legacy(auth, cred) < 0)
 			goto fail;
-	} else if (os_strcmp(token->string, "dpp") == 0) {
+	} else if (auth->akm == DPP_AKM_DPP) {
 		if (dpp_parse_cred_dpp(auth, cred) < 0)
 			goto fail;
 	} else {
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@ -136,6 +136,14 @@ struct dpp_pkex {
 	unsigned int freq;
 };

+enum dpp_akm {
+	DPP_AKM_UNKNOWN,
+	DPP_AKM_DPP,
+	DPP_AKM_PSK,
+	DPP_AKM_SAE,
+	DPP_AKM_PSK_SAE
+};
+
 struct dpp_configuration {
 	u8 ssid[32];
 	size_t ssid_len;
@ -201,6 +209,7 @@ struct dpp_authentication {
 	char passphrase[64];
 	u8 psk[PMK_LEN];
 	int psk_set;
+	enum dpp_akm akm;
 	struct wpabuf *net_access_key;
 	os_time_t net_access_key_expiry;
 	struct wpabuf *c_sign_key;
@ -361,6 +370,7 @@ struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type,
 const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len);
 int dpp_check_attrs(const u8 *buf, size_t len);
 int dpp_key_expired(const char *timestamp, os_time_t *expiry);
+const char * dpp_akm_str(enum dpp_akm akm);
 void dpp_configurator_free(struct dpp_configurator *conf);
 struct dpp_configurator *
 dpp_keygen_configurator(const char *curve, const u8 *privkey,
--- a/src/common/wpa_ctrl.h
+++ b/src/common/wpa_ctrl.h
@ -160,6 +160,7 @@ extern "C" {
 #define DPP_EVENT_CONF_RECEIVED "DPP-CONF-RECEIVED "
 #define DPP_EVENT_CONF_SENT "DPP-CONF-SENT "
 #define DPP_EVENT_CONF_FAILED "DPP-CONF-FAILED "
+#define DPP_EVENT_CONFOBJ_AKM "DPP-CONFOBJ-AKM "
 #define DPP_EVENT_CONFOBJ_SSID "DPP-CONFOBJ-SSID "
 #define DPP_EVENT_CONFOBJ_PASS "DPP-CONFOBJ-PASS "
 #define DPP_EVENT_CONFOBJ_PSK "DPP-CONFOBJ-PSK "
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@ -1108,7 +1108,13 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
 	}

 	if (!auth->connector) {
-		ssid->key_mgmt = WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_PSK_SHA256;
+		ssid->key_mgmt = 0;
+		if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_PSK_SAE)
+			ssid->key_mgmt |= WPA_KEY_MGMT_PSK |
+				WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_FT_PSK;
+		if (auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE)
+			ssid->key_mgmt |= WPA_KEY_MGMT_SAE |
+				WPA_KEY_MGMT_FT_SAE;
 		ssid->ieee80211w = 1;
 		if (auth->passphrase[0]) {
 			if (wpa_config_set_quoted(ssid, "psk",