From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH v2 05/15] dpp: fix config request header check
Date: Thu, 26 Oct 2023 13:26:47 -0700
Message-ID: <20231026202657.183591-6-prestwoj@gmail.com>
In-Reply-To: <20231026202657.183591-1-prestwoj@gmail.com>

The check for the header was incorrect according to the spec.
Table 58 indicates that the "Query Response Info" should be set
to 0x00 for the configuration request. The frame handler was
expecting 0x7f, which is the value for the config response frame.

Unfortunately, wpa_supplicant also gets this wrong and uses 0x7f
in all cases, which is likely why this value was set incorrectly
in IWD. The issue is that IWD's config request is correct, which
means IWD<->IWD configuration is broken (and wpa_supplicant as
a configurator likely doesn't validate the config request).

Fix this by checking both 0x7f and 0x00 to handle both
supplicants.
---
src/dpp.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/dpp.c b/src/dpp.c
index dff0ecaf..6fd37272 100644
--- a/src/dpp.c
+++ b/src/dpp.c
@@ -887,6 +887,21 @@ static void dpp_send_config_response(struct dpp_sm *dpp, uint8_t status)
dpp_send_frame(dpp, iov, 2, dpp->current_freq);
}
+static bool dpp_check_config_header(const uint8_t *ptr)
+{
+ /*
+ * Table 58. General Format of DPP Configuration Request frame
+ *
+ * Unfortunately wpa_supplicant hard codes 0x7f as the Query Response
+ * Info so we need to handle both cases.
+ */
+ return ptr[0] != IE_TYPE_ADVERTISEMENT_PROTOCOL ||
+ ptr[1] != 0x08 ||
+ (ptr[2] != 0x7f || ptr[2] != 0x00) ||
+ ptr[3] != IE_TYPE_VENDOR_SPECIFIC ||
+ ptr[4] != 5;
+}
+
static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
const void *body, size_t body_len,
int rssi, void *user_data)
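Review bot: in dpp_check_config_header() the Query Response Info test `(ptr[2] != 0x7f || ptr[2] != 0x00)` is always true, since no byte can equal both values, so the whole `||` chain returns true for every input and the header is never actually validated. The polarity is also backwards for a function named as a check: every term is a `!=` mismatch test, so even with the middle term fixed it would return true on a bad header. Suggest expressing it as a positive match: `ptr[0] == IE_TYPE_ADVERTISEMENT_PROTOCOL && ptr[1] == 0x08 && (ptr[2] == 0x7f || ptr[2] == 0x00) && ptr[3] == IE_TYPE_VENDOR_SPECIFIC && ptr[4] == 5`. A short unit test feeding one valid header with 0x00, one with 0x7f, and one with a wrong byte in each position would catch both problems.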
@@ -904,8 +919,6 @@ static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
const uint8_t *e_nonce = NULL;
size_t wrapped_len = 0;
_auto_(l_free) uint8_t *unwrapped = NULL;
- uint8_t hdr_check[] = { IE_TYPE_ADVERTISEMENT_PROTOCOL, 0x08, 0x7f,
- IE_TYPE_VENDOR_SPECIFIC, 5 };
struct json_iter jsiter;
_auto_(l_free) char *tech = NULL;
_auto_(l_free) char *role = NULL;
@@ -932,10 +945,10 @@ static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
dpp->diag_token = *ptr++;
- if (memcmp(ptr, hdr_check, sizeof(hdr_check)))
+ if (!dpp_check_config_header(ptr))
return;
- ptr += sizeof(hdr_check);
+ ptr += 5;
if (memcmp(ptr, wifi_alliance_oui, sizeof(wifi_alliance_oui)))
return;
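Review bot: `ptr += 5` replaces `sizeof(hdr_check)` with a bare literal, and the helper takes only `const uint8_t *ptr`, so nothing ties the five bytes it indexes to the five bytes skipped here or to how much of the body remains. Suggest a named constant for the header length used in both places, or passing the remaining length into the helper so it can reject a short frame before reading ptr[0] through ptr[4]. Note also that `if (!dpp_check_config_header(ptr)) return;` only rejects bad frames if the helper returns true for a valid header, so its return convention needs to match this call site.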
--
2.25.1