Support for provisioning SAE password identifiers with DPP

Fri Aug 23 10:50:36 PDT 2024

DPP supports provisioning of SAE password identifiers to uniquely
identify a password if the enrollee indicates support for them.
Support is indicated using dpp_extra_conf_req_<name|value> in the
wpa_supplicant config file but if the Configurator then sends a
password identifier in the Configuration Object, it would not be
saved as part of the provisioned profile. This patch fixes that.

   I put everything under defines for CONFIG_DPP3 as this is a
bleeding edge feature in DPP.

   This was tested against my DPP reference implementation acting
as the Configurator.

-------------------------------------------------------------------

diff --git a/src/common/dpp.c b/src/common/dpp.c
index 3b9f35e8d..8c0fc44f8 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -2549,13 +2549,18 @@ fail:
  static int dpp_parse_cred_legacy(struct dpp_config_obj *conf,
                   struct json_token *cred)
  {
-    struct json_token *pass, *psk_hex;
+    struct json_token *pass, *psk_hex;
+#ifdef CONFIG_DPP3
+    struct json_token *saepi;
+#endif  /* CONFIG_DPP3 */

      wpa_printf(MSG_DEBUG, "DPP: Legacy akm=psk credential");

      pass = json_get_member(cred, "pass");
      psk_hex = json_get_member(cred, "psk_hex");
-
+#ifdef CONFIG_DPP3
+        saepi = json_get_member(cred, "idpass");
+#endif  /* CONFIG_DPP3 */
      if (pass && pass->type == JSON_STRING) {
          size_t len = os_strlen(pass->string);

@@ -2565,6 +2570,12 @@ static int dpp_parse_cred_legacy(struct 
dpp_config_obj *conf,
              return -1;
          os_strlcpy(conf->passphrase, pass->string,
                 sizeof(conf->passphrase));
+#ifdef CONFIG_DPP3
+                if (saepi && saepi->type == JSON_STRING) {
+                    os_strlcpy(conf->password_id, saepi->string,
+                               sizeof(saepi->string));
+                }
+#endif  /* CONFIG_DPP3 */
      } else if (psk_hex && psk_hex->type == JSON_STRING) {
          if (dpp_akm_sae(conf->akm) && !dpp_akm_psk(conf->akm)) {
              wpa_printf(MSG_DEBUG,
diff --git a/src/common/dpp.h b/src/common/dpp.h
index 0f843da6a..6f6487a61 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -356,6 +356,9 @@ struct dpp_authentication {
          u8 ssid_len;
          int ssid_charset;
          char passphrase[64];
+#ifdef CONFIG_DPP3
+                char password_id[64];
+#endif  /* CONFIG_DPP3 */
          u8 psk[PMK_LEN];
          int psk_set;
          enum dpp_akm akm;
diff --git a/src/common/wpa_ctrl.h b/src/common/wpa_ctrl.h
index f6142501e..b6ff6d73f 100644
--- a/src/common/wpa_ctrl.h
+++ b/src/common/wpa_ctrl.h
@@ -204,6 +204,9 @@ extern "C" {
  #define DPP_EVENT_CONFOBJ_SSID "DPP-CONFOBJ-SSID "
  #define DPP_EVENT_CONFOBJ_SSID_CHARSET "DPP-CONFOBJ-SSID-CHARSET "
  #define DPP_EVENT_CONFOBJ_PASS "DPP-CONFOBJ-PASS "
+#ifdef CONFIG_DPP3
+#define DPP_EVENT_CONFOBJ_IDPASS "DPP-CONFOBJ-IDPASS "
+#endif  /* CONFIG_DPP3 */
  #define DPP_EVENT_CONFOBJ_PSK "DPP-CONFOBJ-PSK "
  #define DPP_EVENT_CONNECTOR "DPP-CONNECTOR "
  #define DPP_EVENT_C_SIGN_KEY "DPP-C-SIGN-KEY "
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b02b694a3..8b79eddda 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -5694,7 +5694,6 @@ int wpa_config_process_global(struct wpa_config 
*config, char *pos, int line)
          if (os_strncmp(pos, field->name, flen) != 0 ||
              pos[flen] != '=')
              continue;
-
          ret = field->parser(field, config, line, pos + flen + 1);
          if (ret < 0) {
              wpa_printf(MSG_ERROR, "Line %d: failed to "
diff --git a/wpa_supplicant/dpp_supplicant.c 
b/wpa_supplicant/dpp_supplicant.c
index 94d7ae990..a99f2384b 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -1418,6 +1418,18 @@ static struct wpa_ssid * 
wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
      os_memcpy(ssid->ssid, conf->ssid, conf->ssid_len);
      ssid->ssid_len = conf->ssid_len;

+#ifdef CONFIG_DPP3
+    if (conf->akm == DPP_AKM_SAE) {
+            if (conf->password_id[0]) {
+                ssid->sae_password_id = 
os_malloc(os_strlen(conf->password_id));
+                if (!ssid->sae_password_id) {
+                    goto fail;
+                }
+                os_memcpy(ssid->sae_password_id, conf->password_id, 
os_strlen(conf->password_id));
+ ssid->sae_password_id[os_strlen(conf->password_id)] = '\0';     /* ??? */
+            }
+        }
+#endif  /* CONFIG_DPP3 */
      if (conf->connector) {
          if (dpp_akm_dpp(conf->akm)) {
              ssid->key_mgmt = WPA_KEY_MGMT_DPP;
@@ -1691,6 +1703,12 @@ static int wpas_dpp_handle_config_obj(struct 
wpa_supplicant *wpa_s,
          wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CONFOBJ_PSK "%s",
              hex);
      }
+#ifdef CONFIG_DPP3
+        if (conf->password_id[0]) {
+        wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CONFOBJ_IDPASS "%s",
+            conf->password_id);
+        }
+#endif  /* CONFIG_DPP3 */
      if (conf->c_sign_key) {
          char *hex;
          size_t hexlen;

------------------------------------------------------------------

Signed-off-by: Dan Harkins <dharkins at lounge.org>

   regards,

   Dan.

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius


