Browse Source

DPP: Explicitly check and reject 0x00 and 0x03 I/R-capab role

0x00 and 0x03 are not valid I/R-capabilities role values.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 7 years ago
parent
commit
3749ad0e1d
2 changed files with 24 additions and 6 deletions
  1. 23 6
      src/common/dpp.c
  2. 1 0
      src/common/wpa_ctrl.h

+ 23 - 6
src/common/dpp.c

@@ -2370,7 +2370,10 @@ dpp_auth_req_rx(void *msg_ctx, u8 dpp_allowed_roles, int qr_mutual,
 		break;
 	default:
 		wpa_printf(MSG_DEBUG, "DPP: Unexpected role in I-capabilities");
-		goto not_compatible;
+		wpa_msg(auth->msg_ctx, MSG_INFO,
+			DPP_EVENT_FAIL "Invalid role in I-capabilities 0x%02x",
+			auth->i_capab & DPP_CAPAB_ROLE_MASK);
+		goto fail;
 	}
 
 	auth->peer_protocol_key = pi;
@@ -2616,9 +2619,18 @@ dpp_auth_resp_rx_status(struct dpp_authentication *auth, const u8 *hdr,
 		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_NOT_COMPATIBLE
 			"r-capab=0x%02x", auth->r_capab);
 	} else if (status == DPP_STATUS_RESPONSE_PENDING) {
-		wpa_printf(MSG_DEBUG,
-			   "DPP: Continue waiting for full DPP Authentication Response");
-		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_RESPONSE_PENDING);
+		u8 role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
+
+		if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
+		    (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
+			wpa_msg(auth->msg_ctx, MSG_INFO,
+				DPP_EVENT_FAIL "Unexpected role in R-capabilities 0x%02x",
+				role);
+		} else {
+			wpa_printf(MSG_DEBUG,
+				   "DPP: Continue waiting for full DPP Authentication Response");
+			wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_RESPONSE_PENDING);
+		}
 	}
 fail:
 	bin_clear_free(unwrapped, unwrapped_len);
@@ -2642,6 +2654,7 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 		r_proto_len, r_nonce_len, i_nonce_len, r_capab_len,
 		wrapped2_len, r_auth_len;
 	u8 r_auth2[DPP_MAX_HASH_LEN];
+	u8 role;
 
 	wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
 				    &wrapped_data_len);
@@ -2821,9 +2834,13 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 	}
 	auth->r_capab = r_capab[0];
 	wpa_printf(MSG_DEBUG, "DPP: R-capabilities: 0x%02x", auth->r_capab);
-	if ((auth->configurator && (auth->r_capab & DPP_CAPAB_CONFIGURATOR)) ||
-	    (!auth->configurator && (auth->r_capab & DPP_CAPAB_ENROLLEE))) {
+	role = auth->r_capab & DPP_CAPAB_ROLE_MASK;
+	if ((auth->configurator && role != DPP_CAPAB_ENROLLEE) ||
+	    (!auth->configurator && role != DPP_CAPAB_CONFIGURATOR)) {
 		wpa_printf(MSG_DEBUG, "DPP: Incompatible role selection");
+		wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL
+			"Unexpected role in R-capabilities 0x%02x",
+			role);
 		goto fail;
 	}
 

+ 1 - 0
src/common/wpa_ctrl.h

@@ -170,6 +170,7 @@ extern "C" {
 #define DPP_EVENT_RX "DPP-RX "
 #define DPP_EVENT_TX "DPP-TX "
 #define DPP_EVENT_TX_STATUS "DPP-TX-STATUS "
+#define DPP_EVENT_FAIL "DPP-FAIL "
 
 /* MESH events */
 #define MESH_GROUP_STARTED "MESH-GROUP-STARTED "