Support for provisioning SAE password identifiers with DPP


 




  DPP supports provisioning of SAE password identifiers, which uniquely
identify a password, if the enrollee indicates support for them.
Support is indicated using dpp_extra_conf_req_<name|value> in the
wpa_supplicant config file, but if the Configurator then sends a
password identifier in the Configuration Object, it is not
saved as part of the provisioned profile. This patch fixes that.

  I put everything under defines for CONFIG_DPP3 as this is a
bleeding edge feature in DPP.

  This was tested against my DPP reference implementation acting
as the Configurator.

-------------------------------------------------------------------

diff --git a/src/common/dpp.c b/src/common/dpp.c
index 3b9f35e8d..8c0fc44f8 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -2549,13 +2549,18 @@ fail:
 static int dpp_parse_cred_legacy(struct dpp_config_obj *conf,
                  struct json_token *cred)
 {
-    struct json_token *pass, *psk_hex;
+    struct json_token *pass, *psk_hex;
+#ifdef CONFIG_DPP3
+    struct json_token *saepi;
+#endif  /* CONFIG_DPP3 */

     wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential");

     pass = json_get_member(cred, "pass");
     psk_hex = json_get_member(cred, "psk_hex");
-
+#ifdef CONFIG_DPP3
+        saepi = json_get_member(cred, "idpass");
+#endif  /* CONFIG_DPP3 */
     if (pass && pass->type == JSON_STRING) {
         size_t len = os_strlen(pass->string);

@@ -2565,6 +2570,12 @@ static int dpp_parse_cred_legacy(struct dpp_config_obj *conf,
             return -1;
         os_strlcpy(conf->passphrase, pass->string,
                sizeof(conf->passphrase));
+#ifdef CONFIG_DPP3
+                if (saepi && saepi->type == JSON_STRING) {
+                    os_strlcpy(conf->password_id, saepi->string,
+                               sizeof(saepi->string));
+                }
+#endif  /* CONFIG_DPP3 */
     } else if (psk_hex && psk_hex->type == JSON_STRING) {
         if (dpp_akm_sae(conf->akm) && !dpp_akm_psk(conf->akm)) {
             wpa_printf(MSG_DEBUG,
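Review bot: The size argument in the added `os_strlcpy()` call is taken from the source, not the destination: `sizeof(saepi->string)` is presumably the size of a `char *` member (the passphrase copy just above uses `sizeof(conf->passphrase)` for the same kind of field), so the identifier would be silently cut to 7 characters on a 64-bit build. It should read `os_strlcpy(conf->password_id, saepi->string, sizeof(conf->password_id));`. Even with that fix, an identifier longer than 63 bytes is truncated without any error, which would provision a profile that can never match the AP; rejecting it with `if (os_strlen(saepi->string) >= sizeof(conf->password_id)) return -1;` plus a debug message would be more consistent with the `return -1` path used for the passphrase. dpp_parse_cred_legacy begins in the previous hunk and continues past this one.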
diff --git a/src/common/dpp.h b/src/common/dpp.h
index 0f843da6a..6f6487a61 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -356,6 +356,9 @@ struct dpp_authentication {
         u8 ssid_len;
         int ssid_charset;
         char passphrase[64];
+#ifdef CONFIG_DPP3
+                char password_id[64];
+#endif  /* CONFIG_DPP3 */
         u8 psk[PMK_LEN];
         int psk_set;
         enum dpp_akm akm;
diff --git a/src/common/wpa_ctrl.h b/src/common/wpa_ctrl.h
index f6142501e..b6ff6d73f 100644
--- a/src/common/wpa_ctrl.h
+++ b/src/common/wpa_ctrl.h
@@ -204,6 +204,9 @@ extern "C" {
 #define DPP_EVENT_CONFOBJ_SSID "DPP-CONFOBJ-SSID "
 #define DPP_EVENT_CONFOBJ_SSID_CHARSET "DPP-CONFOBJ-SSID-CHARSET "
 #define DPP_EVENT_CONFOBJ_PASS "DPP-CONFOBJ-PASS "
+#ifdef CONFIG_DPP3
+#define DPP_EVENT_CONFOBJ_IDPASS "DPP-CONFOBJ-IDPASS "
+#endif  /* CONFIG_DPP3 */
 #define DPP_EVENT_CONFOBJ_PSK "DPP-CONFOBJ-PSK "
 #define DPP_EVENT_CONNECTOR "DPP-CONNECTOR "
 #define DPP_EVENT_C_SIGN_KEY "DPP-C-SIGN-KEY "
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b02b694a3..8b79eddda 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -5694,7 +5694,6 @@ int wpa_config_process_global(struct wpa_config *config, char *pos, int line)
         if (os_strncmp(pos, field->name, flen) != 0 ||
             pos[flen] != '=')
             continue;
-
         ret = field->parser(field, config, line, pos + flen + 1);
         if (ret < 0) {
             wpa_printf(MSG_ERROR, "Line %d: failed to "
diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index 94d7ae990..a99f2384b 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -1418,6 +1418,18 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
     os_memcpy(ssid->ssid, conf->ssid, conf->ssid_len);
     ssid->ssid_len = conf->ssid_len;

+#ifdef CONFIG_DPP3
+    if (conf->akm == DPP_AKM_SAE) {
+            if (conf->password_id[0]) {
+                ssid->sae_password_id = os_malloc(os_strlen(conf->password_id));
+                if (!ssid->sae_password_id) {
+                    goto fail;
+                }
+                os_memcpy(ssid->sae_password_id, conf->password_id, os_strlen(conf->password_id));
+ ssid->sae_password_id[os_strlen(conf->password_id)] = '\0';     /* ??? */
+            }
+        }
+#endif  /* CONFIG_DPP3 */
     if (conf->connector) {
         if (dpp_akm_dpp(conf->akm)) {
             ssid->key_mgmt = WPA_KEY_MGMT_DPP;
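Review bot: The allocation in the added CONFIG_DPP3 block is one byte short: `os_malloc(os_strlen(conf->password_id))` leaves no room for the terminator that the line marked `/* ??? */` then stores at index `os_strlen(conf->password_id)`, so that write lands one byte past the heap buffer. Replacing the malloc/memcpy/terminate sequence with `ssid->sae_password_id = os_strdup(conf->password_id);` followed by `if (!ssid->sae_password_id) goto fail;` removes the overflow and the repeated strlen calls. The guard `conf->akm == DPP_AKM_SAE` also looks narrower than the `dpp_akm_sae(conf->akm)` helper used in dpp.c, so a combined PSK+SAE configuration would presumably drop the identifier; worth confirming. wpas_dpp_add_network starts and ends outside the hunk.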
@@ -1691,6 +1703,12 @@ static int wpas_dpp_handle_config_obj(struct wpa_supplicant *wpa_s,
         wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CONFOBJ_PSK "%s",
             hex);
     }
+#ifdef CONFIG_DPP3
+        if (conf->password_id[0]) {
+        wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CONFOBJ_IDPASS "%s",
+            conf->password_id);
+        }
+#endif  /* CONFIG_DPP3 */
     if (conf->c_sign_key) {
         char *hex;
         size_t hexlen;
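Review bot: `conf->password_id` is printed with `%s` straight into the `DPP_EVENT_CONFOBJ_IDPASS` control-interface event, although the value comes unvalidated from the Configurator's JSON. If the JSON parser decodes escape sequences, a newline or other control character in the identifier could split the event line and confuse programs that parse this output. The neighbouring PSK event is emitted as hex, so either hex-encode the identifier the same way or reject non-printable bytes where it is parsed in dpp_parse_cred_legacy. A short comment above the `wpa_msg()` call stating which encoding consumers should expect would also help. wpas_dpp_handle_config_obj extends beyond both ends of the hunk.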

------------------------------------------------------------------

Signed-off-by: Dan Harkins <dharkins@xxxxxxxxxx>

  regards,

  Dan.

--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



