wps_registrar.c revision b7b4d0ec07161a6d76c40ba7ef1306e82fbb7e15
1/* 2 * Wi-Fi Protected Setup - Registrar 3 * Copyright (c) 2008-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/base64.h" 13#include "utils/eloop.h" 14#include "utils/uuid.h" 15#include "utils/list.h" 16#include "crypto/crypto.h" 17#include "crypto/sha256.h" 18#include "crypto/random.h" 19#include "common/ieee802_11_defs.h" 20#include "wps_i.h" 21#include "wps_dev_attr.h" 22#include "wps_upnp.h" 23#include "wps_upnp_i.h" 24 25#ifndef CONFIG_WPS_STRICT 26#define WPS_WORKAROUNDS 27#endif /* CONFIG_WPS_STRICT */ 28 29#ifdef CONFIG_WPS_NFC 30 31struct wps_nfc_pw_token { 32 struct dl_list list; 33 u8 pubkey_hash[WPS_OOB_PUBKEY_HASH_LEN]; 34 u16 pw_id; 35 u8 dev_pw[WPS_OOB_DEVICE_PASSWORD_LEN * 2 + 1]; 36 size_t dev_pw_len; 37}; 38 39 40static void wps_remove_nfc_pw_token(struct wps_nfc_pw_token *token) 41{ 42 dl_list_del(&token->list); 43 os_free(token); 44} 45 46 47static void wps_free_nfc_pw_tokens(struct dl_list *tokens, u16 pw_id) 48{ 49 struct wps_nfc_pw_token *token, *prev; 50 dl_list_for_each_safe(token, prev, tokens, struct wps_nfc_pw_token, 51 list) { 52 if (pw_id == 0 || pw_id == token->pw_id) 53 wps_remove_nfc_pw_token(token); 54 } 55} 56 57 58static struct wps_nfc_pw_token * wps_get_nfc_pw_token(struct dl_list *tokens, 59 u16 pw_id) 60{ 61 struct wps_nfc_pw_token *token; 62 dl_list_for_each(token, tokens, struct wps_nfc_pw_token, list) { 63 if (pw_id == token->pw_id) 64 return token; 65 } 66 return NULL; 67} 68 69#else /* CONFIG_WPS_NFC */ 70 71#define wps_free_nfc_pw_tokens(t, p) do { } while (0) 72 73#endif /* CONFIG_WPS_NFC */ 74 75 76struct wps_uuid_pin { 77 struct dl_list list; 78 u8 uuid[WPS_UUID_LEN]; 79 int wildcard_uuid; 80 u8 *pin; 81 size_t pin_len; 82#define PIN_LOCKED BIT(0) 83#define PIN_EXPIRES BIT(1) 84 int flags; 85 struct os_time expiration; 86 u8 enrollee_addr[ETH_ALEN]; 87}; 88 89 90static void wps_free_pin(struct wps_uuid_pin *pin) 91{ 92 os_free(pin->pin); 93 os_free(pin); 94} 95 96 97static void wps_remove_pin(struct wps_uuid_pin *pin) 98{ 99 dl_list_del(&pin->list); 100 wps_free_pin(pin); 101} 102 103 104static void wps_free_pins(struct dl_list *pins) 105{ 106 struct wps_uuid_pin *pin, *prev; 107 dl_list_for_each_safe(pin, prev, pins, struct wps_uuid_pin, list) 108 wps_remove_pin(pin); 109} 110 111 112struct wps_pbc_session { 113 struct wps_pbc_session *next; 114 u8 addr[ETH_ALEN]; 115 u8 uuid_e[WPS_UUID_LEN]; 116 struct os_time timestamp; 117}; 118 119 120static void wps_free_pbc_sessions(struct wps_pbc_session *pbc) 121{ 122 struct wps_pbc_session *prev; 123 124 while (pbc) { 125 prev = pbc; 126 pbc = pbc->next; 127 os_free(prev); 128 } 129} 130 131 132struct wps_registrar_device { 133 struct wps_registrar_device *next; 134 struct wps_device_data dev; 135 u8 uuid[WPS_UUID_LEN]; 136}; 137 138 139struct wps_registrar { 140 struct wps_context *wps; 141 142 int pbc; 143 int selected_registrar; 144 145 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *psk, 146 size_t psk_len); 147 int (*set_ie_cb)(void *ctx, struct wpabuf *beacon_ie, 148 struct wpabuf *probe_resp_ie); 149 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e, 150 const struct wps_device_data *dev); 151 void (*reg_success_cb)(void *ctx, const u8 *mac_addr, 152 const u8 *uuid_e, const u8 *dev_pw, 153 size_t dev_pw_len); 154 void (*set_sel_reg_cb)(void *ctx, int sel_reg, u16 dev_passwd_id, 155 u16 sel_reg_config_methods); 156 void (*enrollee_seen_cb)(void *ctx, const u8 *addr, const u8 *uuid_e, 157 const u8 *pri_dev_type, u16 config_methods, 158 u16 dev_password_id, u8 request_type, 159 const char *dev_name); 160 void *cb_ctx; 161 162 struct dl_list pins; 163 struct dl_list nfc_pw_tokens; 164 struct wps_pbc_session *pbc_sessions; 165 166 int skip_cred_build; 167 struct wpabuf *extra_cred; 168 int disable_auto_conf; 169 int sel_reg_union; 170 int sel_reg_dev_password_id_override; 171 int sel_reg_config_methods_override; 172 int static_wep_only; 173 int dualband; 174 175 struct wps_registrar_device *devices; 176 177 int force_pbc_overlap; 178 179 u8 authorized_macs[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN]; 180 u8 authorized_macs_union[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN]; 181 182 u8 p2p_dev_addr[ETH_ALEN]; 183 184 u8 pbc_ignore_uuid[WPS_UUID_LEN]; 185 struct os_time pbc_ignore_start; 186}; 187 188 189static int wps_set_ie(struct wps_registrar *reg); 190static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx); 191static void wps_registrar_set_selected_timeout(void *eloop_ctx, 192 void *timeout_ctx); 193static void wps_registrar_remove_pin(struct wps_registrar *reg, 194 struct wps_uuid_pin *pin); 195 196 197static void wps_registrar_add_authorized_mac(struct wps_registrar *reg, 198 const u8 *addr) 199{ 200 int i; 201 wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC " MACSTR, 202 MAC2STR(addr)); 203 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) 204 if (os_memcmp(reg->authorized_macs[i], addr, ETH_ALEN) == 0) { 205 wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was " 206 "already in the list"); 207 return; /* already in list */ 208 } 209 for (i = WPS_MAX_AUTHORIZED_MACS - 1; i > 0; i--) 210 os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i - 1], 211 ETH_ALEN); 212 os_memcpy(reg->authorized_macs[0], addr, ETH_ALEN); 213 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs", 214 (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs)); 215} 216 217 218static void wps_registrar_remove_authorized_mac(struct wps_registrar *reg, 219 const u8 *addr) 220{ 221 int i; 222 wpa_printf(MSG_DEBUG, "WPS: Remove authorized MAC " MACSTR, 223 MAC2STR(addr)); 224 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) { 225 if (os_memcmp(reg->authorized_macs, addr, ETH_ALEN) == 0) 226 break; 227 } 228 if (i == WPS_MAX_AUTHORIZED_MACS) { 229 wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was not in the " 230 "list"); 231 return; /* not in the list */ 232 } 233 for (; i + 1 < WPS_MAX_AUTHORIZED_MACS; i++) 234 os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i + 1], 235 ETH_ALEN); 236 os_memset(reg->authorized_macs[WPS_MAX_AUTHORIZED_MACS - 1], 0, 237 ETH_ALEN); 238 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs", 239 (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs)); 240} 241 242 243static void wps_free_devices(struct wps_registrar_device *dev) 244{ 245 struct wps_registrar_device *prev; 246 247 while (dev) { 248 prev = dev; 249 dev = dev->next; 250 wps_device_data_free(&prev->dev); 251 os_free(prev); 252 } 253} 254 255 256static struct wps_registrar_device * wps_device_get(struct wps_registrar *reg, 257 const u8 *addr) 258{ 259 struct wps_registrar_device *dev; 260 261 for (dev = reg->devices; dev; dev = dev->next) { 262 if (os_memcmp(dev->dev.mac_addr, addr, ETH_ALEN) == 0) 263 return dev; 264 } 265 return NULL; 266} 267 268 269static void wps_device_clone_data(struct wps_device_data *dst, 270 struct wps_device_data *src) 271{ 272 os_memcpy(dst->mac_addr, src->mac_addr, ETH_ALEN); 273 os_memcpy(dst->pri_dev_type, src->pri_dev_type, WPS_DEV_TYPE_LEN); 274 275#define WPS_STRDUP(n) \ 276 os_free(dst->n); \ 277 dst->n = src->n ? os_strdup(src->n) : NULL 278 279 WPS_STRDUP(device_name); 280 WPS_STRDUP(manufacturer); 281 WPS_STRDUP(model_name); 282 WPS_STRDUP(model_number); 283 WPS_STRDUP(serial_number); 284#undef WPS_STRDUP 285} 286 287 288int wps_device_store(struct wps_registrar *reg, 289 struct wps_device_data *dev, const u8 *uuid) 290{ 291 struct wps_registrar_device *d; 292 293 d = wps_device_get(reg, dev->mac_addr); 294 if (d == NULL) { 295 d = os_zalloc(sizeof(*d)); 296 if (d == NULL) 297 return -1; 298 d->next = reg->devices; 299 reg->devices = d; 300 } 301 302 wps_device_clone_data(&d->dev, dev); 303 os_memcpy(d->uuid, uuid, WPS_UUID_LEN); 304 305 return 0; 306} 307 308 309static void wps_registrar_add_pbc_session(struct wps_registrar *reg, 310 const u8 *addr, const u8 *uuid_e) 311{ 312 struct wps_pbc_session *pbc, *prev = NULL; 313 struct os_time now; 314 315 os_get_time(&now); 316 317 pbc = reg->pbc_sessions; 318 while (pbc) { 319 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 && 320 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) { 321 if (prev) 322 prev->next = pbc->next; 323 else 324 reg->pbc_sessions = pbc->next; 325 break; 326 } 327 prev = pbc; 328 pbc = pbc->next; 329 } 330 331 if (!pbc) { 332 pbc = os_zalloc(sizeof(*pbc)); 333 if (pbc == NULL) 334 return; 335 os_memcpy(pbc->addr, addr, ETH_ALEN); 336 if (uuid_e) 337 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN); 338 } 339 340 pbc->next = reg->pbc_sessions; 341 reg->pbc_sessions = pbc; 342 pbc->timestamp = now; 343 344 /* remove entries that have timed out */ 345 prev = pbc; 346 pbc = pbc->next; 347 348 while (pbc) { 349 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) { 350 prev->next = NULL; 351 wps_free_pbc_sessions(pbc); 352 break; 353 } 354 prev = pbc; 355 pbc = pbc->next; 356 } 357} 358 359 360static void wps_registrar_remove_pbc_session(struct wps_registrar *reg, 361 const u8 *uuid_e, 362 const u8 *p2p_dev_addr) 363{ 364 struct wps_pbc_session *pbc, *prev = NULL, *tmp; 365 366 pbc = reg->pbc_sessions; 367 while (pbc) { 368 if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0 || 369#ifdef ANDROID_P2P 370 (p2p_dev_addr && !is_zero_ether_addr(pbc->addr) && 371 os_memcmp(pbc->addr, p2p_dev_addr, ETH_ALEN) == 372#else 373 (p2p_dev_addr && !is_zero_ether_addr(reg->p2p_dev_addr) && 374 os_memcmp(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) == 375#endif 376 0)) { 377 if (prev) 378 prev->next = pbc->next; 379 else 380 reg->pbc_sessions = pbc->next; 381 tmp = pbc; 382 pbc = pbc->next; 383 wpa_printf(MSG_DEBUG, "WPS: Removing PBC session for " 384 "addr=" MACSTR, MAC2STR(tmp->addr)); 385 wpa_hexdump(MSG_DEBUG, "WPS: Removed UUID-E", 386 tmp->uuid_e, WPS_UUID_LEN); 387 os_free(tmp); 388 continue; 389 } 390 prev = pbc; 391 pbc = pbc->next; 392 } 393} 394 395 396int wps_registrar_pbc_overlap(struct wps_registrar *reg, 397 const u8 *addr, const u8 *uuid_e) 398{ 399 int count = 0; 400 struct wps_pbc_session *pbc; 401 struct wps_pbc_session *first = NULL; 402 struct os_time now; 403 404 os_get_time(&now); 405 406 wpa_printf(MSG_DEBUG, "WPS: Checking active PBC sessions for overlap"); 407 408 if (uuid_e) { 409 wpa_printf(MSG_DEBUG, "WPS: Add one for the requested UUID"); 410 wpa_hexdump(MSG_DEBUG, "WPS: Requested UUID", 411 uuid_e, WPS_UUID_LEN); 412 count++; 413 } 414 415 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) { 416 wpa_printf(MSG_DEBUG, "WPS: Consider PBC session with " MACSTR, 417 MAC2STR(pbc->addr)); 418 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", 419 pbc->uuid_e, WPS_UUID_LEN); 420 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) { 421 wpa_printf(MSG_DEBUG, "WPS: PBC walk time has " 422 "expired"); 423 break; 424 } 425 if (first && 426 os_memcmp(pbc->uuid_e, first->uuid_e, WPS_UUID_LEN) == 0) { 427 wpa_printf(MSG_DEBUG, "WPS: Same Enrollee"); 428 continue; /* same Enrollee */ 429 } 430 if (uuid_e == NULL || 431 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN)) { 432 wpa_printf(MSG_DEBUG, "WPS: New Enrollee"); 433 count++; 434 } 435 if (first == NULL) 436 first = pbc; 437 } 438 439 wpa_printf(MSG_DEBUG, "WPS: %u active PBC session(s) found", count); 440 441 return count > 1 ? 1 : 0; 442} 443 444 445static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg) 446{ 447 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)", 448 wps->wps_state); 449 wpabuf_put_be16(msg, ATTR_WPS_STATE); 450 wpabuf_put_be16(msg, 1); 451 wpabuf_put_u8(msg, wps->wps_state); 452 return 0; 453} 454 455 456#ifdef CONFIG_WPS_UPNP 457static void wps_registrar_free_pending_m2(struct wps_context *wps) 458{ 459 struct upnp_pending_message *p, *p2, *prev = NULL; 460 p = wps->upnp_msgs; 461 while (p) { 462 if (p->type == WPS_M2 || p->type == WPS_M2D) { 463 if (prev == NULL) 464 wps->upnp_msgs = p->next; 465 else 466 prev->next = p->next; 467 wpa_printf(MSG_DEBUG, "WPS UPnP: Drop pending M2/M2D"); 468 p2 = p; 469 p = p->next; 470 wpabuf_free(p2->msg); 471 os_free(p2); 472 continue; 473 } 474 prev = p; 475 p = p->next; 476 } 477} 478#endif /* CONFIG_WPS_UPNP */ 479 480 481static int wps_build_ap_setup_locked(struct wps_context *wps, 482 struct wpabuf *msg) 483{ 484 if (wps->ap_setup_locked && wps->ap_setup_locked != 2) { 485 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked"); 486 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED); 487 wpabuf_put_be16(msg, 1); 488 wpabuf_put_u8(msg, 1); 489 } 490 return 0; 491} 492 493 494static int wps_build_selected_registrar(struct wps_registrar *reg, 495 struct wpabuf *msg) 496{ 497 if (!reg->sel_reg_union) 498 return 0; 499 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar"); 500 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR); 501 wpabuf_put_be16(msg, 1); 502 wpabuf_put_u8(msg, 1); 503 return 0; 504} 505 506 507static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg, 508 struct wpabuf *msg) 509{ 510 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT; 511 if (!reg->sel_reg_union) 512 return 0; 513 if (reg->sel_reg_dev_password_id_override >= 0) 514 id = reg->sel_reg_dev_password_id_override; 515 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id); 516 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID); 517 wpabuf_put_be16(msg, 2); 518 wpabuf_put_be16(msg, id); 519 return 0; 520} 521 522 523static int wps_build_sel_pbc_reg_uuid_e(struct wps_registrar *reg, 524 struct wpabuf *msg) 525{ 526 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT; 527 if (!reg->sel_reg_union) 528 return 0; 529 if (reg->sel_reg_dev_password_id_override >= 0) 530 id = reg->sel_reg_dev_password_id_override; 531 if (id != DEV_PW_PUSHBUTTON || !reg->dualband) 532 return 0; 533 return wps_build_uuid_e(msg, reg->wps->uuid); 534} 535 536 537static void wps_set_pushbutton(u16 *methods, u16 conf_methods) 538{ 539 *methods |= WPS_CONFIG_PUSHBUTTON; 540#ifdef CONFIG_WPS2 541 if ((conf_methods & WPS_CONFIG_VIRT_PUSHBUTTON) == 542 WPS_CONFIG_VIRT_PUSHBUTTON) 543 *methods |= WPS_CONFIG_VIRT_PUSHBUTTON; 544 if ((conf_methods & WPS_CONFIG_PHY_PUSHBUTTON) == 545 WPS_CONFIG_PHY_PUSHBUTTON) 546 *methods |= WPS_CONFIG_PHY_PUSHBUTTON; 547 if ((*methods & WPS_CONFIG_VIRT_PUSHBUTTON) != 548 WPS_CONFIG_VIRT_PUSHBUTTON && 549 (*methods & WPS_CONFIG_PHY_PUSHBUTTON) != 550 WPS_CONFIG_PHY_PUSHBUTTON) { 551 /* 552 * Required to include virtual/physical flag, but we were not 553 * configured with push button type, so have to default to one 554 * of them. 555 */ 556 *methods |= WPS_CONFIG_PHY_PUSHBUTTON; 557 } 558#endif /* CONFIG_WPS2 */ 559} 560 561 562static int wps_build_sel_reg_config_methods(struct wps_registrar *reg, 563 struct wpabuf *msg) 564{ 565 u16 methods; 566 if (!reg->sel_reg_union) 567 return 0; 568 methods = reg->wps->config_methods; 569 methods &= ~WPS_CONFIG_PUSHBUTTON; 570#ifdef CONFIG_WPS2 571 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 572 WPS_CONFIG_PHY_PUSHBUTTON); 573#endif /* CONFIG_WPS2 */ 574 if (reg->pbc) 575 wps_set_pushbutton(&methods, reg->wps->config_methods); 576 if (reg->sel_reg_config_methods_override >= 0) 577 methods = reg->sel_reg_config_methods_override; 578 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)", 579 methods); 580 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS); 581 wpabuf_put_be16(msg, 2); 582 wpabuf_put_be16(msg, methods); 583 return 0; 584} 585 586 587static int wps_build_probe_config_methods(struct wps_registrar *reg, 588 struct wpabuf *msg) 589{ 590 u16 methods; 591 /* 592 * These are the methods that the AP supports as an Enrollee for adding 593 * external Registrars. 594 */ 595 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 596#ifdef CONFIG_WPS2 597 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 598 WPS_CONFIG_PHY_PUSHBUTTON); 599#endif /* CONFIG_WPS2 */ 600 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods); 601 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS); 602 wpabuf_put_be16(msg, 2); 603 wpabuf_put_be16(msg, methods); 604 return 0; 605} 606 607 608static int wps_build_config_methods_r(struct wps_registrar *reg, 609 struct wpabuf *msg) 610{ 611 return wps_build_config_methods(msg, reg->wps->config_methods); 612} 613 614 615const u8 * wps_authorized_macs(struct wps_registrar *reg, size_t *count) 616{ 617 *count = 0; 618 619#ifdef CONFIG_WPS2 620 while (*count < WPS_MAX_AUTHORIZED_MACS) { 621 if (is_zero_ether_addr(reg->authorized_macs_union[*count])) 622 break; 623 (*count)++; 624 } 625#endif /* CONFIG_WPS2 */ 626 627 return (const u8 *) reg->authorized_macs_union; 628} 629 630 631/** 632 * wps_registrar_init - Initialize WPS Registrar data 633 * @wps: Pointer to longterm WPS context 634 * @cfg: Registrar configuration 635 * Returns: Pointer to allocated Registrar data or %NULL on failure 636 * 637 * This function is used to initialize WPS Registrar functionality. It can be 638 * used for a single Registrar run (e.g., when run in a supplicant) or multiple 639 * runs (e.g., when run as an internal Registrar in an AP). Caller is 640 * responsible for freeing the returned data with wps_registrar_deinit() when 641 * Registrar functionality is not needed anymore. 642 */ 643struct wps_registrar * 644wps_registrar_init(struct wps_context *wps, 645 const struct wps_registrar_config *cfg) 646{ 647 struct wps_registrar *reg = os_zalloc(sizeof(*reg)); 648 if (reg == NULL) 649 return NULL; 650 651 dl_list_init(®->pins); 652 dl_list_init(®->nfc_pw_tokens); 653 reg->wps = wps; 654 reg->new_psk_cb = cfg->new_psk_cb; 655 reg->set_ie_cb = cfg->set_ie_cb; 656 reg->pin_needed_cb = cfg->pin_needed_cb; 657 reg->reg_success_cb = cfg->reg_success_cb; 658 reg->set_sel_reg_cb = cfg->set_sel_reg_cb; 659 reg->enrollee_seen_cb = cfg->enrollee_seen_cb; 660 reg->cb_ctx = cfg->cb_ctx; 661 reg->skip_cred_build = cfg->skip_cred_build; 662 if (cfg->extra_cred) { 663 reg->extra_cred = wpabuf_alloc_copy(cfg->extra_cred, 664 cfg->extra_cred_len); 665 if (reg->extra_cred == NULL) { 666 os_free(reg); 667 return NULL; 668 } 669 } 670 reg->disable_auto_conf = cfg->disable_auto_conf; 671 reg->sel_reg_dev_password_id_override = -1; 672 reg->sel_reg_config_methods_override = -1; 673 reg->static_wep_only = cfg->static_wep_only; 674 reg->dualband = cfg->dualband; 675 676 if (wps_set_ie(reg)) { 677 wps_registrar_deinit(reg); 678 return NULL; 679 } 680 681 return reg; 682} 683 684 685/** 686 * wps_registrar_deinit - Deinitialize WPS Registrar data 687 * @reg: Registrar data from wps_registrar_init() 688 */ 689void wps_registrar_deinit(struct wps_registrar *reg) 690{ 691 if (reg == NULL) 692 return; 693 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 694 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 695 wps_free_pins(®->pins); 696 wps_free_nfc_pw_tokens(®->nfc_pw_tokens, 0); 697 wps_free_pbc_sessions(reg->pbc_sessions); 698 wpabuf_free(reg->extra_cred); 699 wps_free_devices(reg->devices); 700 os_free(reg); 701} 702 703 704static void wps_registrar_invalidate_unused(struct wps_registrar *reg) 705{ 706 struct wps_uuid_pin *pin; 707 708 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 709 if (pin->wildcard_uuid == 1 && !(pin->flags & PIN_LOCKED)) { 710 wpa_printf(MSG_DEBUG, "WPS: Invalidate previously " 711 "configured wildcard PIN"); 712 wps_registrar_remove_pin(reg, pin); 713 break; 714 } 715 } 716} 717 718 719/** 720 * wps_registrar_add_pin - Configure a new PIN for Registrar 721 * @reg: Registrar data from wps_registrar_init() 722 * @addr: Enrollee MAC address or %NULL if not known 723 * @uuid: UUID-E or %NULL for wildcard (any UUID) 724 * @pin: PIN (Device Password) 725 * @pin_len: Length of pin in octets 726 * @timeout: Time (in seconds) when the PIN will be invalidated; 0 = no timeout 727 * Returns: 0 on success, -1 on failure 728 */ 729int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *addr, 730 const u8 *uuid, const u8 *pin, size_t pin_len, 731 int timeout) 732{ 733 struct wps_uuid_pin *p; 734 735 p = os_zalloc(sizeof(*p)); 736 if (p == NULL) 737 return -1; 738 if (addr) 739 os_memcpy(p->enrollee_addr, addr, ETH_ALEN); 740 if (uuid == NULL) 741 p->wildcard_uuid = 1; 742 else 743 os_memcpy(p->uuid, uuid, WPS_UUID_LEN); 744 p->pin = os_malloc(pin_len); 745 if (p->pin == NULL) { 746 os_free(p); 747 return -1; 748 } 749 os_memcpy(p->pin, pin, pin_len); 750 p->pin_len = pin_len; 751 752 if (timeout) { 753 p->flags |= PIN_EXPIRES; 754 os_get_time(&p->expiration); 755 p->expiration.sec += timeout; 756 } 757 758 if (p->wildcard_uuid) 759 wps_registrar_invalidate_unused(reg); 760 761 dl_list_add(®->pins, &p->list); 762 763 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured (timeout=%d)", 764 timeout); 765 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN); 766 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len); 767 reg->selected_registrar = 1; 768 reg->pbc = 0; 769 if (addr) 770 wps_registrar_add_authorized_mac(reg, addr); 771 else 772 wps_registrar_add_authorized_mac( 773 reg, (u8 *) "\xff\xff\xff\xff\xff\xff"); 774 wps_registrar_selected_registrar_changed(reg, 0); 775 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 776 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, 777 wps_registrar_set_selected_timeout, 778 reg, NULL); 779 780 return 0; 781} 782 783 784static void wps_registrar_remove_pin(struct wps_registrar *reg, 785 struct wps_uuid_pin *pin) 786{ 787 u8 *addr; 788 u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 789 790 if (is_zero_ether_addr(pin->enrollee_addr)) 791 addr = bcast; 792 else 793 addr = pin->enrollee_addr; 794 wps_registrar_remove_authorized_mac(reg, addr); 795 wps_remove_pin(pin); 796 wps_registrar_selected_registrar_changed(reg, 0); 797} 798 799 800static void wps_registrar_expire_pins(struct wps_registrar *reg) 801{ 802 struct wps_uuid_pin *pin, *prev; 803 struct os_time now; 804 805 os_get_time(&now); 806 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 807 { 808 if ((pin->flags & PIN_EXPIRES) && 809 os_time_before(&pin->expiration, &now)) { 810 wpa_hexdump(MSG_DEBUG, "WPS: Expired PIN for UUID", 811 pin->uuid, WPS_UUID_LEN); 812 wps_registrar_remove_pin(reg, pin); 813 } 814 } 815} 816 817 818/** 819 * wps_registrar_invalidate_wildcard_pin - Invalidate a wildcard PIN 820 * @reg: Registrar data from wps_registrar_init() 821 * @dev_pw: PIN to search for or %NULL to match any 822 * @dev_pw_len: Length of dev_pw in octets 823 * Returns: 0 on success, -1 if not wildcard PIN is enabled 824 */ 825static int wps_registrar_invalidate_wildcard_pin(struct wps_registrar *reg, 826 const u8 *dev_pw, 827 size_t dev_pw_len) 828{ 829 struct wps_uuid_pin *pin, *prev; 830 831 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 832 { 833 if (dev_pw && pin->pin && 834 (dev_pw_len != pin->pin_len || 835 os_memcmp(dev_pw, pin->pin, dev_pw_len) != 0)) 836 continue; /* different PIN */ 837 if (pin->wildcard_uuid) { 838 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID", 839 pin->uuid, WPS_UUID_LEN); 840 wps_registrar_remove_pin(reg, pin); 841 return 0; 842 } 843 } 844 845 return -1; 846} 847 848 849/** 850 * wps_registrar_invalidate_pin - Invalidate a PIN for a specific UUID-E 851 * @reg: Registrar data from wps_registrar_init() 852 * @uuid: UUID-E 853 * Returns: 0 on success, -1 on failure (e.g., PIN not found) 854 */ 855int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid) 856{ 857 struct wps_uuid_pin *pin, *prev; 858 859 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 860 { 861 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 862 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID", 863 pin->uuid, WPS_UUID_LEN); 864 wps_registrar_remove_pin(reg, pin); 865 return 0; 866 } 867 } 868 869 return -1; 870} 871 872 873static const u8 * wps_registrar_get_pin(struct wps_registrar *reg, 874 const u8 *uuid, size_t *pin_len) 875{ 876 struct wps_uuid_pin *pin, *found = NULL; 877 878 wps_registrar_expire_pins(reg); 879 880 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 881 if (!pin->wildcard_uuid && 882 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 883 found = pin; 884 break; 885 } 886 } 887 888 if (!found) { 889 /* Check for wildcard UUIDs since none of the UUID-specific 890 * PINs matched */ 891 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 892 if (pin->wildcard_uuid == 1 || 893 pin->wildcard_uuid == 2) { 894 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard " 895 "PIN. Assigned it for this UUID-E"); 896 pin->wildcard_uuid++; 897 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN); 898 found = pin; 899 break; 900 } 901 } 902 } 903 904 if (!found) 905 return NULL; 906 907 /* 908 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN 909 * that could otherwise avoid PIN invalidations. 910 */ 911 if (found->flags & PIN_LOCKED) { 912 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not " 913 "allow concurrent re-use"); 914 return NULL; 915 } 916 *pin_len = found->pin_len; 917 found->flags |= PIN_LOCKED; 918 return found->pin; 919} 920 921 922/** 923 * wps_registrar_unlock_pin - Unlock a PIN for a specific UUID-E 924 * @reg: Registrar data from wps_registrar_init() 925 * @uuid: UUID-E 926 * Returns: 0 on success, -1 on failure 927 * 928 * PINs are locked to enforce only one concurrent use. This function unlocks a 929 * PIN to allow it to be used again. If the specified PIN was configured using 930 * a wildcard UUID, it will be removed instead of allowing multiple uses. 931 */ 932int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid) 933{ 934 struct wps_uuid_pin *pin; 935 936 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 937 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 938 if (pin->wildcard_uuid == 3) { 939 wpa_printf(MSG_DEBUG, "WPS: Invalidating used " 940 "wildcard PIN"); 941 return wps_registrar_invalidate_pin(reg, uuid); 942 } 943 pin->flags &= ~PIN_LOCKED; 944 return 0; 945 } 946 } 947 948 return -1; 949} 950 951 952static void wps_registrar_stop_pbc(struct wps_registrar *reg) 953{ 954 reg->selected_registrar = 0; 955 reg->pbc = 0; 956 os_memset(reg->p2p_dev_addr, 0, ETH_ALEN); 957 wps_registrar_remove_authorized_mac(reg, 958 (u8 *) "\xff\xff\xff\xff\xff\xff"); 959 wps_registrar_selected_registrar_changed(reg, 0); 960} 961 962 963static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx) 964{ 965 struct wps_registrar *reg = eloop_ctx; 966 967 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode"); 968 wps_pbc_timeout_event(reg->wps); 969 wps_registrar_stop_pbc(reg); 970} 971 972 973/** 974 * wps_registrar_button_pushed - Notify Registrar that AP button was pushed 975 * @reg: Registrar data from wps_registrar_init() 976 * @p2p_dev_addr: Limit allowed PBC devices to the specified P2P device, %NULL 977 * indicates no such filtering 978 * Returns: 0 on success, -1 on failure, -2 on session overlap 979 * 980 * This function is called on an AP when a push button is pushed to activate 981 * PBC mode. The PBC mode will be stopped after walk time (2 minutes) timeout 982 * or when a PBC registration is completed. If more than one Enrollee in active 983 * PBC mode has been detected during the monitor time (previous 2 minutes), the 984 * PBC mode is not activated and -2 is returned to indicate session overlap. 985 * This is skipped if a specific Enrollee is selected. 986 */ 987int wps_registrar_button_pushed(struct wps_registrar *reg, 988 const u8 *p2p_dev_addr) 989{ 990 if (p2p_dev_addr == NULL && 991 wps_registrar_pbc_overlap(reg, NULL, NULL)) { 992 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC " 993 "mode"); 994 wps_pbc_overlap_event(reg->wps); 995 return -2; 996 } 997 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started"); 998 reg->force_pbc_overlap = 0; 999 reg->selected_registrar = 1; 1000 reg->pbc = 1; 1001 if (p2p_dev_addr) 1002 os_memcpy(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 1003 else 1004 os_memset(reg->p2p_dev_addr, 0, ETH_ALEN); 1005 wps_registrar_add_authorized_mac(reg, 1006 (u8 *) "\xff\xff\xff\xff\xff\xff"); 1007 wps_registrar_selected_registrar_changed(reg, 0); 1008 1009 wps_pbc_active_event(reg->wps); 1010 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 1011 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1012 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout, 1013 reg, NULL); 1014 return 0; 1015} 1016 1017 1018static void wps_registrar_pbc_completed(struct wps_registrar *reg) 1019{ 1020 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode"); 1021 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1022 wps_registrar_stop_pbc(reg); 1023 wps_pbc_disable_event(reg->wps); 1024} 1025 1026 1027static void wps_registrar_pin_completed(struct wps_registrar *reg) 1028{ 1029 wpa_printf(MSG_DEBUG, "WPS: PIN completed using internal Registrar"); 1030 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 1031 reg->selected_registrar = 0; 1032 wps_registrar_selected_registrar_changed(reg, 0); 1033} 1034 1035 1036void wps_registrar_complete(struct wps_registrar *registrar, const u8 *uuid_e, 1037 const u8 *dev_pw, size_t dev_pw_len) 1038{ 1039 if (registrar->pbc) { 1040 wps_registrar_remove_pbc_session(registrar, 1041 uuid_e, NULL); 1042 wps_registrar_pbc_completed(registrar); 1043 os_get_time(®istrar->pbc_ignore_start); 1044 os_memcpy(registrar->pbc_ignore_uuid, uuid_e, WPS_UUID_LEN); 1045 } else { 1046 wps_registrar_pin_completed(registrar); 1047 } 1048 1049 if (dev_pw && 1050 wps_registrar_invalidate_wildcard_pin(registrar, dev_pw, 1051 dev_pw_len) == 0) { 1052 wpa_hexdump_key(MSG_DEBUG, "WPS: Invalidated wildcard PIN", 1053 dev_pw, dev_pw_len); 1054 } 1055} 1056 1057 1058int wps_registrar_wps_cancel(struct wps_registrar *reg) 1059{ 1060 if (reg->pbc) { 1061 wpa_printf(MSG_DEBUG, "WPS: PBC is set - cancelling it"); 1062 wps_registrar_pbc_timeout(reg, NULL); 1063 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1064 return 1; 1065 } else if (reg->selected_registrar) { 1066 /* PIN Method */ 1067 wpa_printf(MSG_DEBUG, "WPS: PIN is set - cancelling it"); 1068 wps_registrar_pin_completed(reg); 1069 wps_registrar_invalidate_wildcard_pin(reg, NULL, 0); 1070 return 1; 1071 } 1072 return 0; 1073} 1074 1075 1076/** 1077 * wps_registrar_probe_req_rx - Notify Registrar of Probe Request 1078 * @reg: Registrar data from wps_registrar_init() 1079 * @addr: MAC address of the Probe Request sender 1080 * @wps_data: WPS IE contents 1081 * 1082 * This function is called on an AP when a Probe Request with WPS IE is 1083 * received. This is used to track PBC mode use and to detect possible overlap 1084 * situation with other WPS APs. 1085 */ 1086void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr, 1087 const struct wpabuf *wps_data, 1088 int p2p_wildcard) 1089{ 1090 struct wps_parse_attr attr; 1091 int skip_add = 0; 1092 1093 wpa_hexdump_buf(MSG_MSGDUMP, 1094 "WPS: Probe Request with WPS data received", 1095 wps_data); 1096 1097 if (wps_parse_msg(wps_data, &attr) < 0) 1098 return; 1099 1100 if (attr.config_methods == NULL) { 1101 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in " 1102 "Probe Request"); 1103 return; 1104 } 1105 1106 if (attr.dev_password_id == NULL) { 1107 wpa_printf(MSG_DEBUG, "WPS: No Device Password Id attribute " 1108 "in Probe Request"); 1109 return; 1110 } 1111 1112 if (reg->enrollee_seen_cb && attr.uuid_e && 1113 attr.primary_dev_type && attr.request_type && !p2p_wildcard) { 1114 char *dev_name = NULL; 1115 if (attr.dev_name) { 1116 dev_name = os_zalloc(attr.dev_name_len + 1); 1117 if (dev_name) { 1118 os_memcpy(dev_name, attr.dev_name, 1119 attr.dev_name_len); 1120 } 1121 } 1122 reg->enrollee_seen_cb(reg->cb_ctx, addr, attr.uuid_e, 1123 attr.primary_dev_type, 1124 WPA_GET_BE16(attr.config_methods), 1125 WPA_GET_BE16(attr.dev_password_id), 1126 *attr.request_type, dev_name); 1127 os_free(dev_name); 1128 } 1129 1130 if (WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON) 1131 return; /* Not PBC */ 1132 1133 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from " 1134 MACSTR, MAC2STR(addr)); 1135 if (attr.uuid_e == NULL) { 1136 wpa_printf(MSG_DEBUG, "WPS: Invalid Probe Request WPS IE: No " 1137 "UUID-E included"); 1138 return; 1139 } 1140 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E from Probe Request", attr.uuid_e, 1141 WPS_UUID_LEN); 1142 1143#ifdef WPS_WORKAROUNDS 1144 if (reg->pbc_ignore_start.sec && 1145 os_memcmp(attr.uuid_e, reg->pbc_ignore_uuid, WPS_UUID_LEN) == 0) { 1146 struct os_time now, dur; 1147 os_get_time(&now); 1148 os_time_sub(&now, ®->pbc_ignore_start, &dur); 1149 if (dur.sec >= 0 && dur.sec < 5) { 1150 wpa_printf(MSG_DEBUG, "WPS: Ignore PBC activation " 1151 "based on Probe Request from the Enrollee " 1152 "that just completed PBC provisioning"); 1153 skip_add = 1; 1154 } else 1155 reg->pbc_ignore_start.sec = 0; 1156 } 1157#endif /* WPS_WORKAROUNDS */ 1158 1159 if (!skip_add) 1160 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e); 1161 if (wps_registrar_pbc_overlap(reg, addr, attr.uuid_e)) { 1162 wpa_printf(MSG_DEBUG, "WPS: PBC session overlap detected"); 1163 reg->force_pbc_overlap = 1; 1164 wps_pbc_overlap_event(reg->wps); 1165 } 1166} 1167 1168 1169static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr, 1170 const u8 *psk, size_t psk_len) 1171{ 1172 if (reg->new_psk_cb == NULL) 1173 return 0; 1174 1175 return reg->new_psk_cb(reg->cb_ctx, mac_addr, psk, psk_len); 1176} 1177 1178 1179static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e, 1180 const struct wps_device_data *dev) 1181{ 1182 if (reg->pin_needed_cb == NULL) 1183 return; 1184 1185 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev); 1186} 1187 1188 1189static void wps_cb_reg_success(struct wps_registrar *reg, const u8 *mac_addr, 1190 const u8 *uuid_e, const u8 *dev_pw, 1191 size_t dev_pw_len) 1192{ 1193 if (reg->reg_success_cb == NULL) 1194 return; 1195 1196 reg->reg_success_cb(reg->cb_ctx, mac_addr, uuid_e, dev_pw, dev_pw_len); 1197} 1198 1199 1200static int wps_cb_set_ie(struct wps_registrar *reg, struct wpabuf *beacon_ie, 1201 struct wpabuf *probe_resp_ie) 1202{ 1203 return reg->set_ie_cb(reg->cb_ctx, beacon_ie, probe_resp_ie); 1204} 1205 1206 1207static void wps_cb_set_sel_reg(struct wps_registrar *reg) 1208{ 1209 u16 methods = 0; 1210 if (reg->set_sel_reg_cb == NULL) 1211 return; 1212 1213 if (reg->selected_registrar) { 1214 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 1215#ifdef CONFIG_WPS2 1216 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 1217 WPS_CONFIG_PHY_PUSHBUTTON); 1218#endif /* CONFIG_WPS2 */ 1219 if (reg->pbc) 1220 wps_set_pushbutton(&methods, reg->wps->config_methods); 1221 } 1222 1223 wpa_printf(MSG_DEBUG, "WPS: wps_cb_set_sel_reg: sel_reg=%d " 1224 "config_methods=0x%x pbc=%d methods=0x%x", 1225 reg->selected_registrar, reg->wps->config_methods, 1226 reg->pbc, methods); 1227 1228 reg->set_sel_reg_cb(reg->cb_ctx, reg->selected_registrar, 1229 reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT, 1230 methods); 1231} 1232 1233 1234static int wps_set_ie(struct wps_registrar *reg) 1235{ 1236 struct wpabuf *beacon; 1237 struct wpabuf *probe; 1238 const u8 *auth_macs; 1239 size_t count; 1240 size_t vendor_len = 0; 1241 int i; 1242 1243 if (reg->set_ie_cb == NULL) 1244 return 0; 1245 1246 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) { 1247 if (reg->wps->dev.vendor_ext[i]) { 1248 vendor_len += 2 + 2; 1249 vendor_len += wpabuf_len(reg->wps->dev.vendor_ext[i]); 1250 } 1251 } 1252 1253 beacon = wpabuf_alloc(400 + vendor_len); 1254 if (beacon == NULL) 1255 return -1; 1256 probe = wpabuf_alloc(500 + vendor_len); 1257 if (probe == NULL) { 1258 wpabuf_free(beacon); 1259 return -1; 1260 } 1261 1262 auth_macs = wps_authorized_macs(reg, &count); 1263 1264 wpa_printf(MSG_DEBUG, "WPS: Build Beacon IEs"); 1265 1266 if (wps_build_version(beacon) || 1267 wps_build_wps_state(reg->wps, beacon) || 1268 wps_build_ap_setup_locked(reg->wps, beacon) || 1269 wps_build_selected_registrar(reg, beacon) || 1270 wps_build_sel_reg_dev_password_id(reg, beacon) || 1271 wps_build_sel_reg_config_methods(reg, beacon) || 1272 wps_build_sel_pbc_reg_uuid_e(reg, beacon) || 1273 (reg->dualband && wps_build_rf_bands(®->wps->dev, beacon, 0)) || 1274 wps_build_wfa_ext(beacon, 0, auth_macs, count) || 1275 wps_build_vendor_ext(®->wps->dev, beacon)) { 1276 wpabuf_free(beacon); 1277 wpabuf_free(probe); 1278 return -1; 1279 } 1280 1281#ifdef CONFIG_P2P 1282 if (wps_build_dev_name(®->wps->dev, beacon) || 1283 wps_build_primary_dev_type(®->wps->dev, beacon)) { 1284 wpabuf_free(beacon); 1285 wpabuf_free(probe); 1286 return -1; 1287 } 1288#endif /* CONFIG_P2P */ 1289 1290 wpa_printf(MSG_DEBUG, "WPS: Build Probe Response IEs"); 1291 1292 if (wps_build_version(probe) || 1293 wps_build_wps_state(reg->wps, probe) || 1294 wps_build_ap_setup_locked(reg->wps, probe) || 1295 wps_build_selected_registrar(reg, probe) || 1296 wps_build_sel_reg_dev_password_id(reg, probe) || 1297 wps_build_sel_reg_config_methods(reg, probe) || 1298 wps_build_resp_type(probe, reg->wps->ap ? WPS_RESP_AP : 1299 WPS_RESP_REGISTRAR) || 1300 wps_build_uuid_e(probe, reg->wps->uuid) || 1301 wps_build_device_attrs(®->wps->dev, probe) || 1302 wps_build_probe_config_methods(reg, probe) || 1303 (reg->dualband && wps_build_rf_bands(®->wps->dev, probe, 0)) || 1304 wps_build_wfa_ext(probe, 0, auth_macs, count) || 1305 wps_build_vendor_ext(®->wps->dev, probe)) { 1306 wpabuf_free(beacon); 1307 wpabuf_free(probe); 1308 return -1; 1309 } 1310 1311 beacon = wps_ie_encapsulate(beacon); 1312 probe = wps_ie_encapsulate(probe); 1313 1314 if (!beacon || !probe) { 1315 wpabuf_free(beacon); 1316 wpabuf_free(probe); 1317 return -1; 1318 } 1319 1320 if (reg->static_wep_only) { 1321 /* 1322 * Windows XP and Vista clients can get confused about 1323 * EAP-Identity/Request when they probe the network with 1324 * EAPOL-Start. In such a case, they may assume the network is 1325 * using IEEE 802.1X and prompt user for a certificate while 1326 * the correct (non-WPS) behavior would be to ask for the 1327 * static WEP key. As a workaround, use Microsoft Provisioning 1328 * IE to advertise that legacy 802.1X is not supported. 1329 */ 1330 const u8 ms_wps[7] = { 1331 WLAN_EID_VENDOR_SPECIFIC, 5, 1332 /* Microsoft Provisioning IE (00:50:f2:5) */ 1333 0x00, 0x50, 0xf2, 5, 1334 0x00 /* no legacy 802.1X or MS WPS */ 1335 }; 1336 wpa_printf(MSG_DEBUG, "WPS: Add Microsoft Provisioning IE " 1337 "into Beacon/Probe Response frames"); 1338 wpabuf_put_data(beacon, ms_wps, sizeof(ms_wps)); 1339 wpabuf_put_data(probe, ms_wps, sizeof(ms_wps)); 1340 } 1341 1342 return wps_cb_set_ie(reg, beacon, probe); 1343} 1344 1345 1346static int wps_get_dev_password(struct wps_data *wps) 1347{ 1348 const u8 *pin; 1349 size_t pin_len = 0; 1350 1351 os_free(wps->dev_password); 1352 wps->dev_password = NULL; 1353 1354 if (wps->pbc) { 1355 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC"); 1356 pin = (const u8 *) "00000000"; 1357 pin_len = 8; 1358#ifdef CONFIG_WPS_NFC 1359 } else if (wps->nfc_pw_token) { 1360 wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from NFC " 1361 "Password Token"); 1362 pin = wps->nfc_pw_token->dev_pw; 1363 pin_len = wps->nfc_pw_token->dev_pw_len; 1364#endif /* CONFIG_WPS_NFC */ 1365 } else { 1366 pin = wps_registrar_get_pin(wps->wps->registrar, wps->uuid_e, 1367 &pin_len); 1368 if (pin && wps->dev_pw_id >= 0x10) { 1369 wpa_printf(MSG_DEBUG, "WPS: No match for OOB Device " 1370 "Password ID, but PIN found"); 1371 /* 1372 * See whether Enrollee is willing to use PIN instead. 1373 */ 1374 wps->dev_pw_id = DEV_PW_DEFAULT; 1375 } 1376 } 1377 if (pin == NULL) { 1378 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for " 1379 "the Enrollee"); 1380 wps_cb_pin_needed(wps->wps->registrar, wps->uuid_e, 1381 &wps->peer_dev); 1382 return -1; 1383 } 1384 1385 wps->dev_password = os_malloc(pin_len); 1386 if (wps->dev_password == NULL) 1387 return -1; 1388 os_memcpy(wps->dev_password, pin, pin_len); 1389 wps->dev_password_len = pin_len; 1390 1391 return 0; 1392} 1393 1394 1395static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg) 1396{ 1397 wpa_printf(MSG_DEBUG, "WPS: * UUID-R"); 1398 wpabuf_put_be16(msg, ATTR_UUID_R); 1399 wpabuf_put_be16(msg, WPS_UUID_LEN); 1400 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN); 1401 return 0; 1402} 1403 1404 1405static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg) 1406{ 1407 u8 *hash; 1408 const u8 *addr[4]; 1409 size_t len[4]; 1410 1411 if (random_get_bytes(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0) 1412 return -1; 1413 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN); 1414 wpa_hexdump(MSG_DEBUG, "WPS: R-S2", 1415 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN); 1416 1417 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) { 1418 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for " 1419 "R-Hash derivation"); 1420 return -1; 1421 } 1422 1423 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1"); 1424 wpabuf_put_be16(msg, ATTR_R_HASH1); 1425 wpabuf_put_be16(msg, SHA256_MAC_LEN); 1426 hash = wpabuf_put(msg, SHA256_MAC_LEN); 1427 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */ 1428 addr[0] = wps->snonce; 1429 len[0] = WPS_SECRET_NONCE_LEN; 1430 addr[1] = wps->psk1; 1431 len[1] = WPS_PSK_LEN; 1432 addr[2] = wpabuf_head(wps->dh_pubkey_e); 1433 len[2] = wpabuf_len(wps->dh_pubkey_e); 1434 addr[3] = wpabuf_head(wps->dh_pubkey_r); 1435 len[3] = wpabuf_len(wps->dh_pubkey_r); 1436 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1437 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN); 1438 1439 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2"); 1440 wpabuf_put_be16(msg, ATTR_R_HASH2); 1441 wpabuf_put_be16(msg, SHA256_MAC_LEN); 1442 hash = wpabuf_put(msg, SHA256_MAC_LEN); 1443 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */ 1444 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN; 1445 addr[1] = wps->psk2; 1446 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1447 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN); 1448 1449 return 0; 1450} 1451 1452 1453static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg) 1454{ 1455 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1"); 1456 wpabuf_put_be16(msg, ATTR_R_SNONCE1); 1457 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 1458 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN); 1459 return 0; 1460} 1461 1462 1463static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg) 1464{ 1465 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2"); 1466 wpabuf_put_be16(msg, ATTR_R_SNONCE2); 1467 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 1468 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN, 1469 WPS_SECRET_NONCE_LEN); 1470 return 0; 1471} 1472 1473 1474static int wps_build_cred_network_idx(struct wpabuf *msg, 1475 const struct wps_credential *cred) 1476{ 1477 wpa_printf(MSG_DEBUG, "WPS: * Network Index (1)"); 1478 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX); 1479 wpabuf_put_be16(msg, 1); 1480 wpabuf_put_u8(msg, 1); 1481 return 0; 1482} 1483 1484 1485static int wps_build_cred_ssid(struct wpabuf *msg, 1486 const struct wps_credential *cred) 1487{ 1488 wpa_printf(MSG_DEBUG, "WPS: * SSID"); 1489 wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID for Credential", 1490 cred->ssid, cred->ssid_len); 1491 wpabuf_put_be16(msg, ATTR_SSID); 1492 wpabuf_put_be16(msg, cred->ssid_len); 1493 wpabuf_put_data(msg, cred->ssid, cred->ssid_len); 1494 return 0; 1495} 1496 1497 1498static int wps_build_cred_auth_type(struct wpabuf *msg, 1499 const struct wps_credential *cred) 1500{ 1501 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)", 1502 cred->auth_type); 1503 wpabuf_put_be16(msg, ATTR_AUTH_TYPE); 1504 wpabuf_put_be16(msg, 2); 1505 wpabuf_put_be16(msg, cred->auth_type); 1506 return 0; 1507} 1508 1509 1510static int wps_build_cred_encr_type(struct wpabuf *msg, 1511 const struct wps_credential *cred) 1512{ 1513 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)", 1514 cred->encr_type); 1515 wpabuf_put_be16(msg, ATTR_ENCR_TYPE); 1516 wpabuf_put_be16(msg, 2); 1517 wpabuf_put_be16(msg, cred->encr_type); 1518 return 0; 1519} 1520 1521 1522static int wps_build_cred_network_key(struct wpabuf *msg, 1523 const struct wps_credential *cred) 1524{ 1525 wpa_printf(MSG_DEBUG, "WPS: * Network Key (len=%d)", 1526 (int) cred->key_len); 1527 wpa_hexdump_key(MSG_DEBUG, "WPS: Network Key", 1528 cred->key, cred->key_len); 1529 wpabuf_put_be16(msg, ATTR_NETWORK_KEY); 1530 wpabuf_put_be16(msg, cred->key_len); 1531 wpabuf_put_data(msg, cred->key, cred->key_len); 1532 return 0; 1533} 1534 1535 1536static int wps_build_credential(struct wpabuf *msg, 1537 const struct wps_credential *cred) 1538{ 1539 if (wps_build_cred_network_idx(msg, cred) || 1540 wps_build_cred_ssid(msg, cred) || 1541 wps_build_cred_auth_type(msg, cred) || 1542 wps_build_cred_encr_type(msg, cred) || 1543 wps_build_cred_network_key(msg, cred) || 1544 wps_build_mac_addr(msg, cred->mac_addr)) 1545 return -1; 1546 return 0; 1547} 1548 1549 1550int wps_build_credential_wrap(struct wpabuf *msg, 1551 const struct wps_credential *cred) 1552{ 1553 struct wpabuf *wbuf; 1554 wbuf = wpabuf_alloc(200); 1555 if (wbuf == NULL) 1556 return -1; 1557 if (wps_build_credential(wbuf, cred)) { 1558 wpabuf_free(wbuf); 1559 return -1; 1560 } 1561 wpabuf_put_be16(msg, ATTR_CRED); 1562 wpabuf_put_be16(msg, wpabuf_len(wbuf)); 1563 wpabuf_put_buf(msg, wbuf); 1564 wpabuf_free(wbuf); 1565 return 0; 1566} 1567 1568 1569int wps_build_cred(struct wps_data *wps, struct wpabuf *msg) 1570{ 1571 struct wpabuf *cred; 1572 1573 if (wps->wps->registrar->skip_cred_build) 1574 goto skip_cred_build; 1575 1576 wpa_printf(MSG_DEBUG, "WPS: * Credential"); 1577 if (wps->use_cred) { 1578 os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred)); 1579 goto use_provided; 1580 } 1581 os_memset(&wps->cred, 0, sizeof(wps->cred)); 1582 1583 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 1584 wps->cred.ssid_len = wps->wps->ssid_len; 1585 1586 /* Select the best authentication and encryption type */ 1587 if (wps->auth_type & WPS_AUTH_WPA2PSK) 1588 wps->auth_type = WPS_AUTH_WPA2PSK; 1589 else if (wps->auth_type & WPS_AUTH_WPAPSK) 1590 wps->auth_type = WPS_AUTH_WPAPSK; 1591 else if (wps->auth_type & WPS_AUTH_OPEN) 1592 wps->auth_type = WPS_AUTH_OPEN; 1593 else if (wps->auth_type & WPS_AUTH_SHARED) 1594 wps->auth_type = WPS_AUTH_SHARED; 1595 else { 1596 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x", 1597 wps->auth_type); 1598 return -1; 1599 } 1600 wps->cred.auth_type = wps->auth_type; 1601 1602 if (wps->auth_type == WPS_AUTH_WPA2PSK || 1603 wps->auth_type == WPS_AUTH_WPAPSK) { 1604 if (wps->encr_type & WPS_ENCR_AES) 1605 wps->encr_type = WPS_ENCR_AES; 1606 else if (wps->encr_type & WPS_ENCR_TKIP) 1607 wps->encr_type = WPS_ENCR_TKIP; 1608 else { 1609 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1610 "type for WPA/WPA2"); 1611 return -1; 1612 } 1613 } else { 1614 if (wps->encr_type & WPS_ENCR_WEP) 1615 wps->encr_type = WPS_ENCR_WEP; 1616 else if (wps->encr_type & WPS_ENCR_NONE) 1617 wps->encr_type = WPS_ENCR_NONE; 1618 else { 1619 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1620 "type for non-WPA/WPA2 mode"); 1621 return -1; 1622 } 1623 } 1624 wps->cred.encr_type = wps->encr_type; 1625 /* 1626 * Set MAC address in the Credential to be the Enrollee's MAC address 1627 */ 1628 os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN); 1629 1630 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap && 1631 !wps->wps->registrar->disable_auto_conf) { 1632 u8 r[16]; 1633 /* Generate a random passphrase */ 1634 if (random_get_bytes(r, sizeof(r)) < 0) 1635 return -1; 1636 os_free(wps->new_psk); 1637 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len); 1638 if (wps->new_psk == NULL) 1639 return -1; 1640 wps->new_psk_len--; /* remove newline */ 1641 while (wps->new_psk_len && 1642 wps->new_psk[wps->new_psk_len - 1] == '=') 1643 wps->new_psk_len--; 1644 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase", 1645 wps->new_psk, wps->new_psk_len); 1646 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len); 1647 wps->cred.key_len = wps->new_psk_len; 1648 } else if (wps->use_psk_key && wps->wps->psk_set) { 1649 char hex[65]; 1650 wpa_printf(MSG_DEBUG, "WPS: Use PSK format for Network Key"); 1651 wpa_snprintf_hex(hex, sizeof(hex), wps->wps->psk, 32); 1652 os_memcpy(wps->cred.key, hex, 32 * 2); 1653 wps->cred.key_len = 32 * 2; 1654 } else if (wps->wps->network_key) { 1655 os_memcpy(wps->cred.key, wps->wps->network_key, 1656 wps->wps->network_key_len); 1657 wps->cred.key_len = wps->wps->network_key_len; 1658 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) { 1659 char hex[65]; 1660 /* Generate a random per-device PSK */ 1661 os_free(wps->new_psk); 1662 wps->new_psk_len = 32; 1663 wps->new_psk = os_malloc(wps->new_psk_len); 1664 if (wps->new_psk == NULL) 1665 return -1; 1666 if (random_get_bytes(wps->new_psk, wps->new_psk_len) < 0) { 1667 os_free(wps->new_psk); 1668 wps->new_psk = NULL; 1669 return -1; 1670 } 1671 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK", 1672 wps->new_psk, wps->new_psk_len); 1673 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk, 1674 wps->new_psk_len); 1675 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2); 1676 wps->cred.key_len = wps->new_psk_len * 2; 1677 } 1678 1679use_provided: 1680#ifdef CONFIG_WPS_TESTING 1681 if (wps_testing_dummy_cred) 1682 cred = wpabuf_alloc(200); 1683 else 1684 cred = NULL; 1685 if (cred) { 1686 struct wps_credential dummy; 1687 wpa_printf(MSG_DEBUG, "WPS: Add dummy credential"); 1688 os_memset(&dummy, 0, sizeof(dummy)); 1689 os_memcpy(dummy.ssid, "dummy", 5); 1690 dummy.ssid_len = 5; 1691 dummy.auth_type = WPS_AUTH_WPA2PSK; 1692 dummy.encr_type = WPS_ENCR_AES; 1693 os_memcpy(dummy.key, "dummy psk", 9); 1694 dummy.key_len = 9; 1695 os_memcpy(dummy.mac_addr, wps->mac_addr_e, ETH_ALEN); 1696 wps_build_credential(cred, &dummy); 1697 wpa_hexdump_buf(MSG_DEBUG, "WPS: Dummy Credential", cred); 1698 1699 wpabuf_put_be16(msg, ATTR_CRED); 1700 wpabuf_put_be16(msg, wpabuf_len(cred)); 1701 wpabuf_put_buf(msg, cred); 1702 1703 wpabuf_free(cred); 1704 } 1705#endif /* CONFIG_WPS_TESTING */ 1706 1707 cred = wpabuf_alloc(200); 1708 if (cred == NULL) 1709 return -1; 1710 1711 if (wps_build_credential(cred, &wps->cred)) { 1712 wpabuf_free(cred); 1713 return -1; 1714 } 1715 1716 wpabuf_put_be16(msg, ATTR_CRED); 1717 wpabuf_put_be16(msg, wpabuf_len(cred)); 1718 wpabuf_put_buf(msg, cred); 1719 wpabuf_free(cred); 1720 1721skip_cred_build: 1722 if (wps->wps->registrar->extra_cred) { 1723 wpa_printf(MSG_DEBUG, "WPS: * Credential (pre-configured)"); 1724 wpabuf_put_buf(msg, wps->wps->registrar->extra_cred); 1725 } 1726 1727 return 0; 1728} 1729 1730 1731static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg) 1732{ 1733 wpa_printf(MSG_DEBUG, "WPS: * AP Settings"); 1734 1735 if (wps_build_credential(msg, &wps->cred)) 1736 return -1; 1737 1738 return 0; 1739} 1740 1741 1742static struct wpabuf * wps_build_ap_cred(struct wps_data *wps) 1743{ 1744 struct wpabuf *msg, *plain; 1745 1746 msg = wpabuf_alloc(1000); 1747 if (msg == NULL) 1748 return NULL; 1749 1750 plain = wpabuf_alloc(200); 1751 if (plain == NULL) { 1752 wpabuf_free(msg); 1753 return NULL; 1754 } 1755 1756 if (wps_build_ap_settings(wps, plain)) { 1757 wpabuf_free(plain); 1758 wpabuf_free(msg); 1759 return NULL; 1760 } 1761 1762 wpabuf_put_be16(msg, ATTR_CRED); 1763 wpabuf_put_be16(msg, wpabuf_len(plain)); 1764 wpabuf_put_buf(msg, plain); 1765 wpabuf_free(plain); 1766 1767 return msg; 1768} 1769 1770 1771static struct wpabuf * wps_build_m2(struct wps_data *wps) 1772{ 1773 struct wpabuf *msg; 1774 1775 if (random_get_bytes(wps->nonce_r, WPS_NONCE_LEN) < 0) 1776 return NULL; 1777 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce", 1778 wps->nonce_r, WPS_NONCE_LEN); 1779 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN); 1780 1781 wpa_printf(MSG_DEBUG, "WPS: Building Message M2"); 1782 msg = wpabuf_alloc(1000); 1783 if (msg == NULL) 1784 return NULL; 1785 1786 if (wps_build_version(msg) || 1787 wps_build_msg_type(msg, WPS_M2) || 1788 wps_build_enrollee_nonce(wps, msg) || 1789 wps_build_registrar_nonce(wps, msg) || 1790 wps_build_uuid_r(wps, msg) || 1791 wps_build_public_key(wps, msg) || 1792 wps_derive_keys(wps) || 1793 wps_build_auth_type_flags(wps, msg) || 1794 wps_build_encr_type_flags(wps, msg) || 1795 wps_build_conn_type_flags(wps, msg) || 1796 wps_build_config_methods_r(wps->wps->registrar, msg) || 1797 wps_build_device_attrs(&wps->wps->dev, msg) || 1798 wps_build_rf_bands(&wps->wps->dev, msg, 1799 wps->wps->rf_band_cb(wps->wps->cb_ctx)) || 1800 wps_build_assoc_state(wps, msg) || 1801 wps_build_config_error(msg, WPS_CFG_NO_ERROR) || 1802 wps_build_dev_password_id(msg, wps->dev_pw_id) || 1803 wps_build_os_version(&wps->wps->dev, msg) || 1804 wps_build_wfa_ext(msg, 0, NULL, 0) || 1805 wps_build_authenticator(wps, msg)) { 1806 wpabuf_free(msg); 1807 return NULL; 1808 } 1809 1810 wps->int_reg = 1; 1811 wps->state = RECV_M3; 1812 return msg; 1813} 1814 1815 1816static struct wpabuf * wps_build_m2d(struct wps_data *wps) 1817{ 1818 struct wpabuf *msg; 1819 u16 err = wps->config_error; 1820 1821 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D"); 1822 msg = wpabuf_alloc(1000); 1823 if (msg == NULL) 1824 return NULL; 1825 1826 if (wps->wps->ap && wps->wps->ap_setup_locked && 1827 err == WPS_CFG_NO_ERROR) 1828 err = WPS_CFG_SETUP_LOCKED; 1829 1830 if (wps_build_version(msg) || 1831 wps_build_msg_type(msg, WPS_M2D) || 1832 wps_build_enrollee_nonce(wps, msg) || 1833 wps_build_registrar_nonce(wps, msg) || 1834 wps_build_uuid_r(wps, msg) || 1835 wps_build_auth_type_flags(wps, msg) || 1836 wps_build_encr_type_flags(wps, msg) || 1837 wps_build_conn_type_flags(wps, msg) || 1838 wps_build_config_methods_r(wps->wps->registrar, msg) || 1839 wps_build_device_attrs(&wps->wps->dev, msg) || 1840 wps_build_rf_bands(&wps->wps->dev, msg, 1841 wps->wps->rf_band_cb(wps->wps->cb_ctx)) || 1842 wps_build_assoc_state(wps, msg) || 1843 wps_build_config_error(msg, err) || 1844 wps_build_os_version(&wps->wps->dev, msg) || 1845 wps_build_wfa_ext(msg, 0, NULL, 0)) { 1846 wpabuf_free(msg); 1847 return NULL; 1848 } 1849 1850 wps->state = RECV_M2D_ACK; 1851 return msg; 1852} 1853 1854 1855static struct wpabuf * wps_build_m4(struct wps_data *wps) 1856{ 1857 struct wpabuf *msg, *plain; 1858 1859 wpa_printf(MSG_DEBUG, "WPS: Building Message M4"); 1860 1861 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len); 1862 1863 plain = wpabuf_alloc(200); 1864 if (plain == NULL) 1865 return NULL; 1866 1867 msg = wpabuf_alloc(1000); 1868 if (msg == NULL) { 1869 wpabuf_free(plain); 1870 return NULL; 1871 } 1872 1873 if (wps_build_version(msg) || 1874 wps_build_msg_type(msg, WPS_M4) || 1875 wps_build_enrollee_nonce(wps, msg) || 1876 wps_build_r_hash(wps, msg) || 1877 wps_build_r_snonce1(wps, plain) || 1878 wps_build_key_wrap_auth(wps, plain) || 1879 wps_build_encr_settings(wps, msg, plain) || 1880 wps_build_wfa_ext(msg, 0, NULL, 0) || 1881 wps_build_authenticator(wps, msg)) { 1882 wpabuf_free(plain); 1883 wpabuf_free(msg); 1884 return NULL; 1885 } 1886 wpabuf_free(plain); 1887 1888 wps->state = RECV_M5; 1889 return msg; 1890} 1891 1892 1893static struct wpabuf * wps_build_m6(struct wps_data *wps) 1894{ 1895 struct wpabuf *msg, *plain; 1896 1897 wpa_printf(MSG_DEBUG, "WPS: Building Message M6"); 1898 1899 plain = wpabuf_alloc(200); 1900 if (plain == NULL) 1901 return NULL; 1902 1903 msg = wpabuf_alloc(1000); 1904 if (msg == NULL) { 1905 wpabuf_free(plain); 1906 return NULL; 1907 } 1908 1909 if (wps_build_version(msg) || 1910 wps_build_msg_type(msg, WPS_M6) || 1911 wps_build_enrollee_nonce(wps, msg) || 1912 wps_build_r_snonce2(wps, plain) || 1913 wps_build_key_wrap_auth(wps, plain) || 1914 wps_build_encr_settings(wps, msg, plain) || 1915 wps_build_wfa_ext(msg, 0, NULL, 0) || 1916 wps_build_authenticator(wps, msg)) { 1917 wpabuf_free(plain); 1918 wpabuf_free(msg); 1919 return NULL; 1920 } 1921 wpabuf_free(plain); 1922 1923 wps->wps_pin_revealed = 1; 1924 wps->state = RECV_M7; 1925 return msg; 1926} 1927 1928 1929static struct wpabuf * wps_build_m8(struct wps_data *wps) 1930{ 1931 struct wpabuf *msg, *plain; 1932 1933 wpa_printf(MSG_DEBUG, "WPS: Building Message M8"); 1934 1935 plain = wpabuf_alloc(500); 1936 if (plain == NULL) 1937 return NULL; 1938 1939 msg = wpabuf_alloc(1000); 1940 if (msg == NULL) { 1941 wpabuf_free(plain); 1942 return NULL; 1943 } 1944 1945 if (wps_build_version(msg) || 1946 wps_build_msg_type(msg, WPS_M8) || 1947 wps_build_enrollee_nonce(wps, msg) || 1948 ((wps->wps->ap || wps->er) && wps_build_cred(wps, plain)) || 1949 (!wps->wps->ap && !wps->er && wps_build_ap_settings(wps, plain)) || 1950 wps_build_key_wrap_auth(wps, plain) || 1951 wps_build_encr_settings(wps, msg, plain) || 1952 wps_build_wfa_ext(msg, 0, NULL, 0) || 1953 wps_build_authenticator(wps, msg)) { 1954 wpabuf_free(plain); 1955 wpabuf_free(msg); 1956 return NULL; 1957 } 1958 wpabuf_free(plain); 1959 1960 wps->state = RECV_DONE; 1961 return msg; 1962} 1963 1964 1965struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, 1966 enum wsc_op_code *op_code) 1967{ 1968 struct wpabuf *msg; 1969 1970#ifdef CONFIG_WPS_UPNP 1971 if (!wps->int_reg && wps->wps->wps_upnp) { 1972 struct upnp_pending_message *p, *prev = NULL; 1973 if (wps->ext_reg > 1) 1974 wps_registrar_free_pending_m2(wps->wps); 1975 p = wps->wps->upnp_msgs; 1976 /* TODO: check pending message MAC address */ 1977 while (p && p->next) { 1978 prev = p; 1979 p = p->next; 1980 } 1981 if (p) { 1982 wpa_printf(MSG_DEBUG, "WPS: Use pending message from " 1983 "UPnP"); 1984 if (prev) 1985 prev->next = NULL; 1986 else 1987 wps->wps->upnp_msgs = NULL; 1988 msg = p->msg; 1989 switch (p->type) { 1990 case WPS_WSC_ACK: 1991 *op_code = WSC_ACK; 1992 break; 1993 case WPS_WSC_NACK: 1994 *op_code = WSC_NACK; 1995 break; 1996 default: 1997 *op_code = WSC_MSG; 1998 break; 1999 } 2000 os_free(p); 2001 if (wps->ext_reg == 0) 2002 wps->ext_reg = 1; 2003 return msg; 2004 } 2005 } 2006 if (wps->ext_reg) { 2007 wpa_printf(MSG_DEBUG, "WPS: Using external Registrar, but no " 2008 "pending message available"); 2009 return NULL; 2010 } 2011#endif /* CONFIG_WPS_UPNP */ 2012 2013 switch (wps->state) { 2014 case SEND_M2: 2015 if (wps_get_dev_password(wps) < 0) 2016 msg = wps_build_m2d(wps); 2017 else 2018 msg = wps_build_m2(wps); 2019 *op_code = WSC_MSG; 2020 break; 2021 case SEND_M2D: 2022 msg = wps_build_m2d(wps); 2023 *op_code = WSC_MSG; 2024 break; 2025 case SEND_M4: 2026 msg = wps_build_m4(wps); 2027 *op_code = WSC_MSG; 2028 break; 2029 case SEND_M6: 2030 msg = wps_build_m6(wps); 2031 *op_code = WSC_MSG; 2032 break; 2033 case SEND_M8: 2034 msg = wps_build_m8(wps); 2035 *op_code = WSC_MSG; 2036 break; 2037 case RECV_DONE: 2038 msg = wps_build_wsc_ack(wps); 2039 *op_code = WSC_ACK; 2040 break; 2041 case SEND_WSC_NACK: 2042 msg = wps_build_wsc_nack(wps); 2043 *op_code = WSC_NACK; 2044 break; 2045 default: 2046 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building " 2047 "a message", wps->state); 2048 msg = NULL; 2049 break; 2050 } 2051 2052 if (*op_code == WSC_MSG && msg) { 2053 /* Save a copy of the last message for Authenticator derivation 2054 */ 2055 wpabuf_free(wps->last_msg); 2056 wps->last_msg = wpabuf_dup(msg); 2057 } 2058 2059 return msg; 2060} 2061 2062 2063static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce) 2064{ 2065 if (e_nonce == NULL) { 2066 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received"); 2067 return -1; 2068 } 2069 2070 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN); 2071 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce", 2072 wps->nonce_e, WPS_NONCE_LEN); 2073 2074 return 0; 2075} 2076 2077 2078static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce) 2079{ 2080 if (r_nonce == NULL) { 2081 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received"); 2082 return -1; 2083 } 2084 2085 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) { 2086 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received"); 2087 return -1; 2088 } 2089 2090 return 0; 2091} 2092 2093 2094static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e) 2095{ 2096 if (uuid_e == NULL) { 2097 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received"); 2098 return -1; 2099 } 2100 2101 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN); 2102 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN); 2103 2104 return 0; 2105} 2106 2107 2108static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id) 2109{ 2110 if (pw_id == NULL) { 2111 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received"); 2112 return -1; 2113 } 2114 2115 wps->dev_pw_id = WPA_GET_BE16(pw_id); 2116 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id); 2117 2118 return 0; 2119} 2120 2121 2122static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1) 2123{ 2124 if (e_hash1 == NULL) { 2125 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received"); 2126 return -1; 2127 } 2128 2129 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN); 2130 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN); 2131 2132 return 0; 2133} 2134 2135 2136static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2) 2137{ 2138 if (e_hash2 == NULL) { 2139 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received"); 2140 return -1; 2141 } 2142 2143 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN); 2144 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN); 2145 2146 return 0; 2147} 2148 2149 2150static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1) 2151{ 2152 u8 hash[SHA256_MAC_LEN]; 2153 const u8 *addr[4]; 2154 size_t len[4]; 2155 2156 if (e_snonce1 == NULL) { 2157 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received"); 2158 return -1; 2159 } 2160 2161 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1, 2162 WPS_SECRET_NONCE_LEN); 2163 2164 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */ 2165 addr[0] = e_snonce1; 2166 len[0] = WPS_SECRET_NONCE_LEN; 2167 addr[1] = wps->psk1; 2168 len[1] = WPS_PSK_LEN; 2169 addr[2] = wpabuf_head(wps->dh_pubkey_e); 2170 len[2] = wpabuf_len(wps->dh_pubkey_e); 2171 addr[3] = wpabuf_head(wps->dh_pubkey_r); 2172 len[3] = wpabuf_len(wps->dh_pubkey_r); 2173 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 2174 2175 if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) { 2176 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does " 2177 "not match with the pre-committed value"); 2178 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 2179 wps_pwd_auth_fail_event(wps->wps, 0, 1, wps->mac_addr_e); 2180 return -1; 2181 } 2182 2183 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first " 2184 "half of the device password"); 2185 2186 return 0; 2187} 2188 2189 2190static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2) 2191{ 2192 u8 hash[SHA256_MAC_LEN]; 2193 const u8 *addr[4]; 2194 size_t len[4]; 2195 2196 if (e_snonce2 == NULL) { 2197 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received"); 2198 return -1; 2199 } 2200 2201 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2, 2202 WPS_SECRET_NONCE_LEN); 2203 2204 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */ 2205 addr[0] = e_snonce2; 2206 len[0] = WPS_SECRET_NONCE_LEN; 2207 addr[1] = wps->psk2; 2208 len[1] = WPS_PSK_LEN; 2209 addr[2] = wpabuf_head(wps->dh_pubkey_e); 2210 len[2] = wpabuf_len(wps->dh_pubkey_e); 2211 addr[3] = wpabuf_head(wps->dh_pubkey_r); 2212 len[3] = wpabuf_len(wps->dh_pubkey_r); 2213 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 2214 2215 if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) { 2216 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does " 2217 "not match with the pre-committed value"); 2218 wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e); 2219 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 2220 wps_pwd_auth_fail_event(wps->wps, 0, 2, wps->mac_addr_e); 2221 return -1; 2222 } 2223 2224 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second " 2225 "half of the device password"); 2226 wps->wps_pin_revealed = 0; 2227 wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e); 2228 2229 /* 2230 * In case wildcard PIN is used and WPS handshake succeeds in the first 2231 * attempt, wps_registrar_unlock_pin() would not free the PIN, so make 2232 * sure the PIN gets invalidated here. 2233 */ 2234 wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e); 2235 2236 return 0; 2237} 2238 2239 2240static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr) 2241{ 2242 if (mac_addr == NULL) { 2243 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received"); 2244 return -1; 2245 } 2246 2247 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR, 2248 MAC2STR(mac_addr)); 2249 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN); 2250 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN); 2251 2252 return 0; 2253} 2254 2255 2256static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, 2257 size_t pk_len) 2258{ 2259 if (pk == NULL || pk_len == 0) { 2260 wpa_printf(MSG_DEBUG, "WPS: No Public Key received"); 2261 return -1; 2262 } 2263 2264 wpabuf_free(wps->dh_pubkey_e); 2265 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len); 2266 if (wps->dh_pubkey_e == NULL) 2267 return -1; 2268 2269 return 0; 2270} 2271 2272 2273static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth) 2274{ 2275 u16 auth_types; 2276 2277 if (auth == NULL) { 2278 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags " 2279 "received"); 2280 return -1; 2281 } 2282 2283 auth_types = WPA_GET_BE16(auth); 2284 2285 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x", 2286 auth_types); 2287 wps->auth_type = wps->wps->auth_types & auth_types; 2288 if (wps->auth_type == 0) { 2289 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 2290 "authentication types (own 0x%x Enrollee 0x%x)", 2291 wps->wps->auth_types, auth_types); 2292#ifdef WPS_WORKAROUNDS 2293 /* 2294 * Some deployed implementations seem to advertise incorrect 2295 * information in this attribute. For example, Linksys WRT350N 2296 * seems to have a byteorder bug that breaks this negotiation. 2297 * In order to interoperate with existing implementations, 2298 * assume that the Enrollee supports everything we do. 2299 */ 2300 wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee " 2301 "does not advertise supported authentication types " 2302 "correctly"); 2303 wps->auth_type = wps->wps->auth_types; 2304#else /* WPS_WORKAROUNDS */ 2305 return -1; 2306#endif /* WPS_WORKAROUNDS */ 2307 } 2308 2309 return 0; 2310} 2311 2312 2313static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr) 2314{ 2315 u16 encr_types; 2316 2317 if (encr == NULL) { 2318 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags " 2319 "received"); 2320 return -1; 2321 } 2322 2323 encr_types = WPA_GET_BE16(encr); 2324 2325 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x", 2326 encr_types); 2327 wps->encr_type = wps->wps->encr_types & encr_types; 2328 if (wps->encr_type == 0) { 2329 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 2330 "encryption types (own 0x%x Enrollee 0x%x)", 2331 wps->wps->encr_types, encr_types); 2332#ifdef WPS_WORKAROUNDS 2333 /* 2334 * Some deployed implementations seem to advertise incorrect 2335 * information in this attribute. For example, Linksys WRT350N 2336 * seems to have a byteorder bug that breaks this negotiation. 2337 * In order to interoperate with existing implementations, 2338 * assume that the Enrollee supports everything we do. 2339 */ 2340 wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee " 2341 "does not advertise supported encryption types " 2342 "correctly"); 2343 wps->encr_type = wps->wps->encr_types; 2344#else /* WPS_WORKAROUNDS */ 2345 return -1; 2346#endif /* WPS_WORKAROUNDS */ 2347 } 2348 2349 return 0; 2350} 2351 2352 2353static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn) 2354{ 2355 if (conn == NULL) { 2356 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags " 2357 "received"); 2358 return -1; 2359 } 2360 2361 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x", 2362 *conn); 2363 2364 return 0; 2365} 2366 2367 2368static int wps_process_config_methods(struct wps_data *wps, const u8 *methods) 2369{ 2370 u16 m; 2371 2372 if (methods == NULL) { 2373 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received"); 2374 return -1; 2375 } 2376 2377 m = WPA_GET_BE16(methods); 2378 2379 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x" 2380 "%s%s%s%s%s%s%s%s%s", m, 2381 m & WPS_CONFIG_USBA ? " [USBA]" : "", 2382 m & WPS_CONFIG_ETHERNET ? " [Ethernet]" : "", 2383 m & WPS_CONFIG_LABEL ? " [Label]" : "", 2384 m & WPS_CONFIG_DISPLAY ? " [Display]" : "", 2385 m & WPS_CONFIG_EXT_NFC_TOKEN ? " [Ext NFC Token]" : "", 2386 m & WPS_CONFIG_INT_NFC_TOKEN ? " [Int NFC Token]" : "", 2387 m & WPS_CONFIG_NFC_INTERFACE ? " [NFC]" : "", 2388 m & WPS_CONFIG_PUSHBUTTON ? " [PBC]" : "", 2389 m & WPS_CONFIG_KEYPAD ? " [Keypad]" : ""); 2390 2391 if (!(m & WPS_CONFIG_DISPLAY) && !wps->use_psk_key) { 2392 /* 2393 * The Enrollee does not have a display so it is unlikely to be 2394 * able to show the passphrase to a user and as such, could 2395 * benefit from receiving PSK to reduce key derivation time. 2396 */ 2397 wpa_printf(MSG_DEBUG, "WPS: Prefer PSK format key due to " 2398 "Enrollee not supporting display"); 2399 wps->use_psk_key = 1; 2400 } 2401 2402 return 0; 2403} 2404 2405 2406static int wps_process_wps_state(struct wps_data *wps, const u8 *state) 2407{ 2408 if (state == NULL) { 2409 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State " 2410 "received"); 2411 return -1; 2412 } 2413 2414 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d", 2415 *state); 2416 2417 return 0; 2418} 2419 2420 2421static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc) 2422{ 2423 u16 a; 2424 2425 if (assoc == NULL) { 2426 wpa_printf(MSG_DEBUG, "WPS: No Association State received"); 2427 return -1; 2428 } 2429 2430 a = WPA_GET_BE16(assoc); 2431 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a); 2432 2433 return 0; 2434} 2435 2436 2437static int wps_process_config_error(struct wps_data *wps, const u8 *err) 2438{ 2439 u16 e; 2440 2441 if (err == NULL) { 2442 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received"); 2443 return -1; 2444 } 2445 2446 e = WPA_GET_BE16(err); 2447 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e); 2448 2449 return 0; 2450} 2451 2452 2453static int wps_registrar_p2p_dev_addr_match(struct wps_data *wps) 2454{ 2455#ifdef CONFIG_P2P 2456 struct wps_registrar *reg = wps->wps->registrar; 2457 2458 if (is_zero_ether_addr(reg->p2p_dev_addr)) 2459 return 1; /* no filtering in use */ 2460 2461 if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) != 0) { 2462 wpa_printf(MSG_DEBUG, "WPS: No match on P2P Device Address " 2463 "filtering for PBC: expected " MACSTR " was " 2464 MACSTR " - indicate PBC session overlap", 2465 MAC2STR(reg->p2p_dev_addr), 2466 MAC2STR(wps->p2p_dev_addr)); 2467 return 0; 2468 } 2469#endif /* CONFIG_P2P */ 2470 return 1; 2471} 2472 2473 2474static int wps_registrar_skip_overlap(struct wps_data *wps) 2475{ 2476#ifdef CONFIG_P2P 2477 struct wps_registrar *reg = wps->wps->registrar; 2478 2479 if (is_zero_ether_addr(reg->p2p_dev_addr)) 2480 return 0; /* no specific Enrollee selected */ 2481 2482 if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) == 0) { 2483 wpa_printf(MSG_DEBUG, "WPS: Skip PBC overlap due to selected " 2484 "Enrollee match"); 2485 return 1; 2486 } 2487#endif /* CONFIG_P2P */ 2488 return 0; 2489} 2490 2491 2492static enum wps_process_res wps_process_m1(struct wps_data *wps, 2493 struct wps_parse_attr *attr) 2494{ 2495 wpa_printf(MSG_DEBUG, "WPS: Received M1"); 2496 2497 if (wps->state != RECV_M1) { 2498 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2499 "receiving M1", wps->state); 2500 return WPS_FAILURE; 2501 } 2502 2503 if (wps_process_uuid_e(wps, attr->uuid_e) || 2504 wps_process_mac_addr(wps, attr->mac_addr) || 2505 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || 2506 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) || 2507 wps_process_auth_type_flags(wps, attr->auth_type_flags) || 2508 wps_process_encr_type_flags(wps, attr->encr_type_flags) || 2509 wps_process_conn_type_flags(wps, attr->conn_type_flags) || 2510 wps_process_config_methods(wps, attr->config_methods) || 2511 wps_process_wps_state(wps, attr->wps_state) || 2512 wps_process_device_attrs(&wps->peer_dev, attr) || 2513 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) || 2514 wps_process_assoc_state(wps, attr->assoc_state) || 2515 wps_process_dev_password_id(wps, attr->dev_password_id) || 2516 wps_process_config_error(wps, attr->config_error) || 2517 wps_process_os_version(&wps->peer_dev, attr->os_version)) 2518 return WPS_FAILURE; 2519 2520 if (wps->dev_pw_id < 0x10 && 2521 wps->dev_pw_id != DEV_PW_DEFAULT && 2522 wps->dev_pw_id != DEV_PW_USER_SPECIFIED && 2523 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED && 2524 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED && 2525 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || 2526 !wps->wps->registrar->pbc)) { 2527 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d", 2528 wps->dev_pw_id); 2529 wps->state = SEND_M2D; 2530 return WPS_CONTINUE; 2531 } 2532 2533#ifdef CONFIG_WPS_NFC 2534 if (wps->dev_pw_id >= 0x10) { 2535 struct wps_nfc_pw_token *token; 2536 const u8 *addr[1]; 2537 u8 hash[WPS_HASH_LEN]; 2538 2539 token = wps_get_nfc_pw_token( 2540 &wps->wps->registrar->nfc_pw_tokens, wps->dev_pw_id); 2541 if (token) { 2542 wpa_printf(MSG_DEBUG, "WPS: Found matching NFC " 2543 "Password Token"); 2544 dl_list_del(&token->list); 2545 wps->nfc_pw_token = token; 2546 2547 addr[0] = attr->public_key; 2548 sha256_vector(1, addr, &attr->public_key_len, hash); 2549 if (os_memcmp(hash, wps->nfc_pw_token->pubkey_hash, 2550 WPS_OOB_PUBKEY_HASH_LEN) != 0) { 2551 wpa_printf(MSG_ERROR, "WPS: Public Key hash " 2552 "mismatch"); 2553 return WPS_FAILURE; 2554 } 2555 } 2556 } 2557#endif /* CONFIG_WPS_NFC */ 2558 2559 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) { 2560 if ((wps->wps->registrar->force_pbc_overlap || 2561 wps_registrar_pbc_overlap(wps->wps->registrar, 2562 wps->mac_addr_e, wps->uuid_e) || 2563 !wps_registrar_p2p_dev_addr_match(wps)) && 2564 !wps_registrar_skip_overlap(wps)) { 2565 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC " 2566 "negotiation"); 2567 wps->state = SEND_M2D; 2568 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2569 wps_pbc_overlap_event(wps->wps); 2570 wps_fail_event(wps->wps, WPS_M1, 2571 WPS_CFG_MULTIPLE_PBC_DETECTED, 2572 WPS_EI_NO_ERROR, wps->mac_addr_e); 2573 wps->wps->registrar->force_pbc_overlap = 1; 2574 return WPS_CONTINUE; 2575 } 2576 wps_registrar_add_pbc_session(wps->wps->registrar, 2577 wps->mac_addr_e, wps->uuid_e); 2578 wps->pbc = 1; 2579 } 2580 2581#ifdef WPS_WORKAROUNDS 2582 /* 2583 * It looks like Mac OS X 10.6.3 and 10.6.4 do not like Network Key in 2584 * passphrase format. To avoid interop issues, force PSK format to be 2585 * used. 2586 */ 2587 if (!wps->use_psk_key && 2588 wps->peer_dev.manufacturer && 2589 os_strncmp(wps->peer_dev.manufacturer, "Apple ", 6) == 0 && 2590 wps->peer_dev.model_name && 2591 os_strcmp(wps->peer_dev.model_name, "AirPort") == 0) { 2592 wpa_printf(MSG_DEBUG, "WPS: Workaround - Force Network Key in " 2593 "PSK format"); 2594 wps->use_psk_key = 1; 2595 } 2596#endif /* WPS_WORKAROUNDS */ 2597 2598 wps->state = SEND_M2; 2599 return WPS_CONTINUE; 2600} 2601 2602 2603static enum wps_process_res wps_process_m3(struct wps_data *wps, 2604 const struct wpabuf *msg, 2605 struct wps_parse_attr *attr) 2606{ 2607 wpa_printf(MSG_DEBUG, "WPS: Received M3"); 2608 2609 if (wps->state != RECV_M3) { 2610 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2611 "receiving M3", wps->state); 2612 wps->state = SEND_WSC_NACK; 2613 return WPS_CONTINUE; 2614 } 2615 2616 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2617 !wps_registrar_skip_overlap(wps)) { 2618 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2619 "session overlap"); 2620 wps->state = SEND_WSC_NACK; 2621 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2622 return WPS_CONTINUE; 2623 } 2624 2625 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2626 wps_process_authenticator(wps, attr->authenticator, msg) || 2627 wps_process_e_hash1(wps, attr->e_hash1) || 2628 wps_process_e_hash2(wps, attr->e_hash2)) { 2629 wps->state = SEND_WSC_NACK; 2630 return WPS_CONTINUE; 2631 } 2632 2633 wps->state = SEND_M4; 2634 return WPS_CONTINUE; 2635} 2636 2637 2638static enum wps_process_res wps_process_m5(struct wps_data *wps, 2639 const struct wpabuf *msg, 2640 struct wps_parse_attr *attr) 2641{ 2642 struct wpabuf *decrypted; 2643 struct wps_parse_attr eattr; 2644 2645 wpa_printf(MSG_DEBUG, "WPS: Received M5"); 2646 2647 if (wps->state != RECV_M5) { 2648 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2649 "receiving M5", wps->state); 2650 wps->state = SEND_WSC_NACK; 2651 return WPS_CONTINUE; 2652 } 2653 2654 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2655 !wps_registrar_skip_overlap(wps)) { 2656 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2657 "session overlap"); 2658 wps->state = SEND_WSC_NACK; 2659 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2660 return WPS_CONTINUE; 2661 } 2662 2663 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2664 wps_process_authenticator(wps, attr->authenticator, msg)) { 2665 wps->state = SEND_WSC_NACK; 2666 return WPS_CONTINUE; 2667 } 2668 2669 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 2670 attr->encr_settings_len); 2671 if (decrypted == NULL) { 2672 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " 2673 "Settings attribute"); 2674 wps->state = SEND_WSC_NACK; 2675 return WPS_CONTINUE; 2676 } 2677 2678 if (wps_validate_m5_encr(decrypted, attr->version2 != NULL) < 0) { 2679 wpabuf_free(decrypted); 2680 wps->state = SEND_WSC_NACK; 2681 return WPS_CONTINUE; 2682 } 2683 2684 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 2685 "attribute"); 2686 if (wps_parse_msg(decrypted, &eattr) < 0 || 2687 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 2688 wps_process_e_snonce1(wps, eattr.e_snonce1)) { 2689 wpabuf_free(decrypted); 2690 wps->state = SEND_WSC_NACK; 2691 return WPS_CONTINUE; 2692 } 2693 wpabuf_free(decrypted); 2694 2695 wps->state = SEND_M6; 2696 return WPS_CONTINUE; 2697} 2698 2699 2700static void wps_sta_cred_cb(struct wps_data *wps) 2701{ 2702 /* 2703 * Update credential to only include a single authentication and 2704 * encryption type in case the AP configuration includes more than one 2705 * option. 2706 */ 2707 if (wps->cred.auth_type & WPS_AUTH_WPA2PSK) 2708 wps->cred.auth_type = WPS_AUTH_WPA2PSK; 2709 else if (wps->cred.auth_type & WPS_AUTH_WPAPSK) 2710 wps->cred.auth_type = WPS_AUTH_WPAPSK; 2711 if (wps->cred.encr_type & WPS_ENCR_AES) 2712 wps->cred.encr_type = WPS_ENCR_AES; 2713 else if (wps->cred.encr_type & WPS_ENCR_TKIP) 2714 wps->cred.encr_type = WPS_ENCR_TKIP; 2715 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based on the " 2716 "AP configuration"); 2717 if (wps->wps->cred_cb) 2718 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred); 2719} 2720 2721 2722static void wps_cred_update(struct wps_credential *dst, 2723 struct wps_credential *src) 2724{ 2725 os_memcpy(dst->ssid, src->ssid, sizeof(dst->ssid)); 2726 dst->ssid_len = src->ssid_len; 2727 dst->auth_type = src->auth_type; 2728 dst->encr_type = src->encr_type; 2729 dst->key_idx = src->key_idx; 2730 os_memcpy(dst->key, src->key, sizeof(dst->key)); 2731 dst->key_len = src->key_len; 2732} 2733 2734 2735static int wps_process_ap_settings_r(struct wps_data *wps, 2736 struct wps_parse_attr *attr) 2737{ 2738 struct wpabuf *msg; 2739 2740 if (wps->wps->ap || wps->er) 2741 return 0; 2742 2743 /* AP Settings Attributes in M7 when Enrollee is an AP */ 2744 if (wps_process_ap_settings(attr, &wps->cred) < 0) 2745 return -1; 2746 2747 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP"); 2748 2749 if (wps->new_ap_settings) { 2750 wpa_printf(MSG_INFO, "WPS: Update AP configuration based on " 2751 "new settings"); 2752 wps_cred_update(&wps->cred, wps->new_ap_settings); 2753 return 0; 2754 } else { 2755 /* 2756 * Use the AP PIN only to receive the current AP settings, not 2757 * to reconfigure the AP. 2758 */ 2759 2760 /* 2761 * Clear selected registrar here since we do not get to 2762 * WSC_Done in this protocol run. 2763 */ 2764 wps_registrar_pin_completed(wps->wps->registrar); 2765 2766 msg = wps_build_ap_cred(wps); 2767 if (msg == NULL) 2768 return -1; 2769 wps->cred.cred_attr = wpabuf_head(msg); 2770 wps->cred.cred_attr_len = wpabuf_len(msg); 2771 2772 if (wps->ap_settings_cb) { 2773 wps->ap_settings_cb(wps->ap_settings_cb_ctx, 2774 &wps->cred); 2775 wpabuf_free(msg); 2776 return 1; 2777 } 2778 wps_sta_cred_cb(wps); 2779 2780 wps->cred.cred_attr = NULL; 2781 wps->cred.cred_attr_len = 0; 2782 wpabuf_free(msg); 2783 2784 return 1; 2785 } 2786} 2787 2788 2789static enum wps_process_res wps_process_m7(struct wps_data *wps, 2790 const struct wpabuf *msg, 2791 struct wps_parse_attr *attr) 2792{ 2793 struct wpabuf *decrypted; 2794 struct wps_parse_attr eattr; 2795 2796 wpa_printf(MSG_DEBUG, "WPS: Received M7"); 2797 2798 if (wps->state != RECV_M7) { 2799 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2800 "receiving M7", wps->state); 2801 wps->state = SEND_WSC_NACK; 2802 return WPS_CONTINUE; 2803 } 2804 2805 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2806 !wps_registrar_skip_overlap(wps)) { 2807 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2808 "session overlap"); 2809 wps->state = SEND_WSC_NACK; 2810 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2811 return WPS_CONTINUE; 2812 } 2813 2814 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2815 wps_process_authenticator(wps, attr->authenticator, msg)) { 2816 wps->state = SEND_WSC_NACK; 2817 return WPS_CONTINUE; 2818 } 2819 2820 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 2821 attr->encr_settings_len); 2822 if (decrypted == NULL) { 2823 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypt Encrypted " 2824 "Settings attribute"); 2825 wps->state = SEND_WSC_NACK; 2826 return WPS_CONTINUE; 2827 } 2828 2829 if (wps_validate_m7_encr(decrypted, wps->wps->ap || wps->er, 2830 attr->version2 != NULL) < 0) { 2831 wpabuf_free(decrypted); 2832 wps->state = SEND_WSC_NACK; 2833 return WPS_CONTINUE; 2834 } 2835 2836 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 2837 "attribute"); 2838 if (wps_parse_msg(decrypted, &eattr) < 0 || 2839 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 2840 wps_process_e_snonce2(wps, eattr.e_snonce2) || 2841 wps_process_ap_settings_r(wps, &eattr)) { 2842 wpabuf_free(decrypted); 2843 wps->state = SEND_WSC_NACK; 2844 return WPS_CONTINUE; 2845 } 2846 2847 wpabuf_free(decrypted); 2848 2849 wps->state = SEND_M8; 2850 return WPS_CONTINUE; 2851} 2852 2853 2854static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, 2855 const struct wpabuf *msg) 2856{ 2857 struct wps_parse_attr attr; 2858 enum wps_process_res ret = WPS_CONTINUE; 2859 2860 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG"); 2861 2862 if (wps_parse_msg(msg, &attr) < 0) 2863 return WPS_FAILURE; 2864 2865 if (attr.msg_type == NULL) { 2866 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2867 wps->state = SEND_WSC_NACK; 2868 return WPS_CONTINUE; 2869 } 2870 2871 if (*attr.msg_type != WPS_M1 && 2872 (attr.registrar_nonce == NULL || 2873 os_memcmp(wps->nonce_r, attr.registrar_nonce, 2874 WPS_NONCE_LEN) != 0)) { 2875 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2876 return WPS_FAILURE; 2877 } 2878 2879 switch (*attr.msg_type) { 2880 case WPS_M1: 2881 if (wps_validate_m1(msg) < 0) 2882 return WPS_FAILURE; 2883#ifdef CONFIG_WPS_UPNP 2884 if (wps->wps->wps_upnp && attr.mac_addr) { 2885 /* Remove old pending messages when starting new run */ 2886 wps_free_pending_msgs(wps->wps->upnp_msgs); 2887 wps->wps->upnp_msgs = NULL; 2888 2889 upnp_wps_device_send_wlan_event( 2890 wps->wps->wps_upnp, attr.mac_addr, 2891 UPNP_WPS_WLANEVENT_TYPE_EAP, msg); 2892 } 2893#endif /* CONFIG_WPS_UPNP */ 2894 ret = wps_process_m1(wps, &attr); 2895 break; 2896 case WPS_M3: 2897 if (wps_validate_m3(msg) < 0) 2898 return WPS_FAILURE; 2899 ret = wps_process_m3(wps, msg, &attr); 2900 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2901 wps_fail_event(wps->wps, WPS_M3, wps->config_error, 2902 wps->error_indication, wps->mac_addr_e); 2903 break; 2904 case WPS_M5: 2905 if (wps_validate_m5(msg) < 0) 2906 return WPS_FAILURE; 2907 ret = wps_process_m5(wps, msg, &attr); 2908 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2909 wps_fail_event(wps->wps, WPS_M5, wps->config_error, 2910 wps->error_indication, wps->mac_addr_e); 2911 break; 2912 case WPS_M7: 2913 if (wps_validate_m7(msg) < 0) 2914 return WPS_FAILURE; 2915 ret = wps_process_m7(wps, msg, &attr); 2916 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2917 wps_fail_event(wps->wps, WPS_M7, wps->config_error, 2918 wps->error_indication, wps->mac_addr_e); 2919 break; 2920 default: 2921 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d", 2922 *attr.msg_type); 2923 return WPS_FAILURE; 2924 } 2925 2926 if (ret == WPS_CONTINUE) { 2927 /* Save a copy of the last message for Authenticator derivation 2928 */ 2929 wpabuf_free(wps->last_msg); 2930 wps->last_msg = wpabuf_dup(msg); 2931 } 2932 2933 return ret; 2934} 2935 2936 2937static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps, 2938 const struct wpabuf *msg) 2939{ 2940 struct wps_parse_attr attr; 2941 2942 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK"); 2943 2944 if (wps_parse_msg(msg, &attr) < 0) 2945 return WPS_FAILURE; 2946 2947 if (attr.msg_type == NULL) { 2948 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2949 return WPS_FAILURE; 2950 } 2951 2952 if (*attr.msg_type != WPS_WSC_ACK) { 2953 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 2954 *attr.msg_type); 2955 return WPS_FAILURE; 2956 } 2957 2958#ifdef CONFIG_WPS_UPNP 2959 if (wps->wps->wps_upnp && wps->ext_reg && wps->state == RECV_M2D_ACK && 2960 upnp_wps_subscribers(wps->wps->wps_upnp)) { 2961 if (wps->wps->upnp_msgs) 2962 return WPS_CONTINUE; 2963 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 2964 "external Registrar"); 2965 return WPS_PENDING; 2966 } 2967#endif /* CONFIG_WPS_UPNP */ 2968 2969 if (attr.registrar_nonce == NULL || 2970 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 2971 { 2972 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2973 return WPS_FAILURE; 2974 } 2975 2976 if (attr.enrollee_nonce == NULL || 2977 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 2978 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 2979 return WPS_FAILURE; 2980 } 2981 2982 if (wps->state == RECV_M2D_ACK) { 2983#ifdef CONFIG_WPS_UPNP 2984 if (wps->wps->wps_upnp && 2985 upnp_wps_subscribers(wps->wps->wps_upnp)) { 2986 if (wps->wps->upnp_msgs) 2987 return WPS_CONTINUE; 2988 if (wps->ext_reg == 0) 2989 wps->ext_reg = 1; 2990 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 2991 "external Registrar"); 2992 return WPS_PENDING; 2993 } 2994#endif /* CONFIG_WPS_UPNP */ 2995 2996 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - " 2997 "terminate negotiation"); 2998 } 2999 3000 return WPS_FAILURE; 3001} 3002 3003 3004static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps, 3005 const struct wpabuf *msg) 3006{ 3007 struct wps_parse_attr attr; 3008 int old_state; 3009 u16 config_error; 3010 3011 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK"); 3012 3013 old_state = wps->state; 3014 wps->state = SEND_WSC_NACK; 3015 3016 if (wps_parse_msg(msg, &attr) < 0) 3017 return WPS_FAILURE; 3018 3019 if (attr.msg_type == NULL) { 3020 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 3021 return WPS_FAILURE; 3022 } 3023 3024 if (*attr.msg_type != WPS_WSC_NACK) { 3025 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 3026 *attr.msg_type); 3027 return WPS_FAILURE; 3028 } 3029 3030#ifdef CONFIG_WPS_UPNP 3031 if (wps->wps->wps_upnp && wps->ext_reg) { 3032 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 3033 "Registrar terminated by the Enrollee"); 3034 return WPS_FAILURE; 3035 } 3036#endif /* CONFIG_WPS_UPNP */ 3037 3038 if (attr.registrar_nonce == NULL || 3039 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 3040 { 3041 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 3042 return WPS_FAILURE; 3043 } 3044 3045 if (attr.enrollee_nonce == NULL || 3046 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 3047 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 3048 return WPS_FAILURE; 3049 } 3050 3051 if (attr.config_error == NULL) { 3052 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute " 3053 "in WSC_NACK"); 3054 return WPS_FAILURE; 3055 } 3056 3057 config_error = WPA_GET_BE16(attr.config_error); 3058 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with " 3059 "Configuration Error %d", config_error); 3060 3061 switch (old_state) { 3062 case RECV_M3: 3063 wps_fail_event(wps->wps, WPS_M2, config_error, 3064 wps->error_indication, wps->mac_addr_e); 3065 break; 3066 case RECV_M5: 3067 wps_fail_event(wps->wps, WPS_M4, config_error, 3068 wps->error_indication, wps->mac_addr_e); 3069 break; 3070 case RECV_M7: 3071 wps_fail_event(wps->wps, WPS_M6, config_error, 3072 wps->error_indication, wps->mac_addr_e); 3073 break; 3074 case RECV_DONE: 3075 wps_fail_event(wps->wps, WPS_M8, config_error, 3076 wps->error_indication, wps->mac_addr_e); 3077 break; 3078 default: 3079 break; 3080 } 3081 3082 return WPS_FAILURE; 3083} 3084 3085 3086static enum wps_process_res wps_process_wsc_done(struct wps_data *wps, 3087 const struct wpabuf *msg) 3088{ 3089 struct wps_parse_attr attr; 3090 3091 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done"); 3092 3093 if (wps->state != RECV_DONE && 3094 (!wps->wps->wps_upnp || !wps->ext_reg)) { 3095 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 3096 "receiving WSC_Done", wps->state); 3097 return WPS_FAILURE; 3098 } 3099 3100 if (wps_parse_msg(msg, &attr) < 0) 3101 return WPS_FAILURE; 3102 3103 if (attr.msg_type == NULL) { 3104 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 3105 return WPS_FAILURE; 3106 } 3107 3108 if (*attr.msg_type != WPS_WSC_DONE) { 3109 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 3110 *attr.msg_type); 3111 return WPS_FAILURE; 3112 } 3113 3114#ifdef CONFIG_WPS_UPNP 3115 if (wps->wps->wps_upnp && wps->ext_reg) { 3116 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 3117 "Registrar completed successfully"); 3118 wps_device_store(wps->wps->registrar, &wps->peer_dev, 3119 wps->uuid_e); 3120 return WPS_DONE; 3121 } 3122#endif /* CONFIG_WPS_UPNP */ 3123 3124 if (attr.registrar_nonce == NULL || 3125 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 3126 { 3127 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 3128 return WPS_FAILURE; 3129 } 3130 3131 if (attr.enrollee_nonce == NULL || 3132 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 3133 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 3134 return WPS_FAILURE; 3135 } 3136 3137 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully"); 3138 wps_device_store(wps->wps->registrar, &wps->peer_dev, 3139 wps->uuid_e); 3140 3141 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk && 3142 wps->wps->ap && !wps->wps->registrar->disable_auto_conf) { 3143 struct wps_credential cred; 3144 3145 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based " 3146 "on first Enrollee connection"); 3147 3148 os_memset(&cred, 0, sizeof(cred)); 3149 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 3150 cred.ssid_len = wps->wps->ssid_len; 3151 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK; 3152 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES; 3153 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len); 3154 cred.key_len = wps->new_psk_len; 3155 3156 wps->wps->wps_state = WPS_STATE_CONFIGURED; 3157 wpa_hexdump_ascii_key(MSG_DEBUG, 3158 "WPS: Generated random passphrase", 3159 wps->new_psk, wps->new_psk_len); 3160 if (wps->wps->cred_cb) 3161 wps->wps->cred_cb(wps->wps->cb_ctx, &cred); 3162 3163 os_free(wps->new_psk); 3164 wps->new_psk = NULL; 3165 } 3166 3167 if (!wps->wps->ap && !wps->er) 3168 wps_sta_cred_cb(wps); 3169 3170 if (wps->new_psk) { 3171 if (wps_cb_new_psk(wps->wps->registrar, wps->mac_addr_e, 3172 wps->new_psk, wps->new_psk_len)) { 3173 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the " 3174 "new PSK"); 3175 } 3176 os_free(wps->new_psk); 3177 wps->new_psk = NULL; 3178 } 3179 3180 wps_cb_reg_success(wps->wps->registrar, wps->mac_addr_e, wps->uuid_e, 3181 wps->dev_password, wps->dev_password_len); 3182 3183 if (wps->pbc) { 3184 wps_registrar_remove_pbc_session(wps->wps->registrar, 3185 wps->uuid_e, 3186 wps->p2p_dev_addr); 3187 wps_registrar_pbc_completed(wps->wps->registrar); 3188 os_get_time(&wps->wps->registrar->pbc_ignore_start); 3189 os_memcpy(wps->wps->registrar->pbc_ignore_uuid, wps->uuid_e, 3190 WPS_UUID_LEN); 3191 } else { 3192 wps_registrar_pin_completed(wps->wps->registrar); 3193 } 3194 /* TODO: maintain AuthorizedMACs somewhere separately for each ER and 3195 * merge them into APs own list.. */ 3196 3197 wps_success_event(wps->wps, wps->mac_addr_e); 3198 3199 return WPS_DONE; 3200} 3201 3202 3203enum wps_process_res wps_registrar_process_msg(struct wps_data *wps, 3204 enum wsc_op_code op_code, 3205 const struct wpabuf *msg) 3206{ 3207 enum wps_process_res ret; 3208 3209 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu " 3210 "op_code=%d)", 3211 (unsigned long) wpabuf_len(msg), op_code); 3212 3213#ifdef CONFIG_WPS_UPNP 3214 if (wps->wps->wps_upnp && op_code == WSC_MSG && wps->ext_reg == 1) { 3215 struct wps_parse_attr attr; 3216 if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type && 3217 *attr.msg_type == WPS_M3) 3218 wps->ext_reg = 2; /* past M2/M2D phase */ 3219 } 3220 if (wps->ext_reg > 1) 3221 wps_registrar_free_pending_m2(wps->wps); 3222 if (wps->wps->wps_upnp && wps->ext_reg && 3223 wps->wps->upnp_msgs == NULL && 3224 (op_code == WSC_MSG || op_code == WSC_Done || op_code == WSC_NACK)) 3225 { 3226 struct wps_parse_attr attr; 3227 int type; 3228 if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL) 3229 type = -1; 3230 else 3231 type = *attr.msg_type; 3232 wpa_printf(MSG_DEBUG, "WPS: Sending received message (type %d)" 3233 " to external Registrar for processing", type); 3234 upnp_wps_device_send_wlan_event(wps->wps->wps_upnp, 3235 wps->mac_addr_e, 3236 UPNP_WPS_WLANEVENT_TYPE_EAP, 3237 msg); 3238 if (op_code == WSC_MSG) 3239 return WPS_PENDING; 3240 } else if (wps->wps->wps_upnp && wps->ext_reg && op_code == WSC_MSG) { 3241 wpa_printf(MSG_DEBUG, "WPS: Skip internal processing - using " 3242 "external Registrar"); 3243 return WPS_CONTINUE; 3244 } 3245#endif /* CONFIG_WPS_UPNP */ 3246 3247 switch (op_code) { 3248 case WSC_MSG: 3249 return wps_process_wsc_msg(wps, msg); 3250 case WSC_ACK: 3251 if (wps_validate_wsc_ack(msg) < 0) 3252 return WPS_FAILURE; 3253 return wps_process_wsc_ack(wps, msg); 3254 case WSC_NACK: 3255 if (wps_validate_wsc_nack(msg) < 0) 3256 return WPS_FAILURE; 3257 return wps_process_wsc_nack(wps, msg); 3258 case WSC_Done: 3259 if (wps_validate_wsc_done(msg) < 0) 3260 return WPS_FAILURE; 3261 ret = wps_process_wsc_done(wps, msg); 3262 if (ret == WPS_FAILURE) { 3263 wps->state = SEND_WSC_NACK; 3264 wps_fail_event(wps->wps, WPS_WSC_DONE, 3265 wps->config_error, 3266 wps->error_indication, wps->mac_addr_e); 3267 } 3268 return ret; 3269 default: 3270 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code); 3271 return WPS_FAILURE; 3272 } 3273} 3274 3275 3276int wps_registrar_update_ie(struct wps_registrar *reg) 3277{ 3278 return wps_set_ie(reg); 3279} 3280 3281 3282static void wps_registrar_set_selected_timeout(void *eloop_ctx, 3283 void *timeout_ctx) 3284{ 3285 struct wps_registrar *reg = eloop_ctx; 3286 3287 wpa_printf(MSG_DEBUG, "WPS: Selected Registrar timeout - " 3288 "unselect internal Registrar"); 3289 reg->selected_registrar = 0; 3290 reg->pbc = 0; 3291 wps_registrar_selected_registrar_changed(reg, 0); 3292} 3293 3294 3295#ifdef CONFIG_WPS_UPNP 3296static void wps_registrar_sel_reg_add(struct wps_registrar *reg, 3297 struct subscription *s) 3298{ 3299 int i, j; 3300 wpa_printf(MSG_DEBUG, "WPS: External Registrar selected (dev_pw_id=%d " 3301 "config_methods=0x%x)", 3302 s->dev_password_id, s->config_methods); 3303 reg->sel_reg_union = 1; 3304 if (reg->sel_reg_dev_password_id_override != DEV_PW_PUSHBUTTON) 3305 reg->sel_reg_dev_password_id_override = s->dev_password_id; 3306 if (reg->sel_reg_config_methods_override == -1) 3307 reg->sel_reg_config_methods_override = 0; 3308 reg->sel_reg_config_methods_override |= s->config_methods; 3309 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) 3310 if (is_zero_ether_addr(reg->authorized_macs_union[i])) 3311 break; 3312 for (j = 0; i < WPS_MAX_AUTHORIZED_MACS && j < WPS_MAX_AUTHORIZED_MACS; 3313 j++) { 3314 if (is_zero_ether_addr(s->authorized_macs[j])) 3315 break; 3316 wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC into union: " 3317 MACSTR, MAC2STR(s->authorized_macs[j])); 3318 os_memcpy(reg->authorized_macs_union[i], 3319 s->authorized_macs[j], ETH_ALEN); 3320 i++; 3321 } 3322 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union", 3323 (u8 *) reg->authorized_macs_union, 3324 sizeof(reg->authorized_macs_union)); 3325} 3326#endif /* CONFIG_WPS_UPNP */ 3327 3328 3329static void wps_registrar_sel_reg_union(struct wps_registrar *reg) 3330{ 3331#ifdef CONFIG_WPS_UPNP 3332 struct subscription *s; 3333 3334 if (reg->wps->wps_upnp == NULL) 3335 return; 3336 3337 dl_list_for_each(s, ®->wps->wps_upnp->subscriptions, 3338 struct subscription, list) { 3339 struct subscr_addr *sa; 3340 sa = dl_list_first(&s->addr_list, struct subscr_addr, list); 3341 if (sa) { 3342 wpa_printf(MSG_DEBUG, "WPS: External Registrar %s:%d", 3343 inet_ntoa(sa->saddr.sin_addr), 3344 ntohs(sa->saddr.sin_port)); 3345 } 3346 if (s->selected_registrar) 3347 wps_registrar_sel_reg_add(reg, s); 3348 else 3349 wpa_printf(MSG_DEBUG, "WPS: External Registrar not " 3350 "selected"); 3351 } 3352#endif /* CONFIG_WPS_UPNP */ 3353} 3354 3355 3356/** 3357 * wps_registrar_selected_registrar_changed - SetSelectedRegistrar change 3358 * @reg: Registrar data from wps_registrar_init() 3359 * 3360 * This function is called when selected registrar state changes, e.g., when an 3361 * AP receives a SetSelectedRegistrar UPnP message. 3362 */ 3363void wps_registrar_selected_registrar_changed(struct wps_registrar *reg, 3364 u16 dev_pw_id) 3365{ 3366 wpa_printf(MSG_DEBUG, "WPS: Selected registrar information changed"); 3367 3368 reg->sel_reg_union = reg->selected_registrar; 3369 reg->sel_reg_dev_password_id_override = -1; 3370 reg->sel_reg_config_methods_override = -1; 3371 os_memcpy(reg->authorized_macs_union, reg->authorized_macs, 3372 WPS_MAX_AUTHORIZED_MACS * ETH_ALEN); 3373 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union (start with own)", 3374 (u8 *) reg->authorized_macs_union, 3375 sizeof(reg->authorized_macs_union)); 3376 if (reg->selected_registrar) { 3377 u16 methods; 3378 3379 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 3380#ifdef CONFIG_WPS2 3381 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 3382 WPS_CONFIG_PHY_PUSHBUTTON); 3383#endif /* CONFIG_WPS2 */ 3384 if (reg->pbc) { 3385 reg->sel_reg_dev_password_id_override = 3386 DEV_PW_PUSHBUTTON; 3387 wps_set_pushbutton(&methods, reg->wps->config_methods); 3388 } else if (dev_pw_id) 3389 reg->sel_reg_dev_password_id_override = dev_pw_id; 3390 wpa_printf(MSG_DEBUG, "WPS: Internal Registrar selected " 3391 "(pbc=%d)", reg->pbc); 3392 reg->sel_reg_config_methods_override = methods; 3393 } else 3394 wpa_printf(MSG_DEBUG, "WPS: Internal Registrar not selected"); 3395 3396 wps_registrar_sel_reg_union(reg); 3397 3398 wps_set_ie(reg); 3399 wps_cb_set_sel_reg(reg); 3400} 3401 3402 3403int wps_registrar_get_info(struct wps_registrar *reg, const u8 *addr, 3404 char *buf, size_t buflen) 3405{ 3406 struct wps_registrar_device *d; 3407 int len = 0, ret; 3408 char uuid[40]; 3409 char devtype[WPS_DEV_TYPE_BUFSIZE]; 3410 3411 d = wps_device_get(reg, addr); 3412 if (d == NULL) 3413 return 0; 3414 if (uuid_bin2str(d->uuid, uuid, sizeof(uuid))) 3415 return 0; 3416 3417 ret = os_snprintf(buf + len, buflen - len, 3418 "wpsUuid=%s\n" 3419 "wpsPrimaryDeviceType=%s\n" 3420 "wpsDeviceName=%s\n" 3421 "wpsManufacturer=%s\n" 3422 "wpsModelName=%s\n" 3423 "wpsModelNumber=%s\n" 3424 "wpsSerialNumber=%s\n", 3425 uuid, 3426 wps_dev_type_bin2str(d->dev.pri_dev_type, devtype, 3427 sizeof(devtype)), 3428 d->dev.device_name ? d->dev.device_name : "", 3429 d->dev.manufacturer ? d->dev.manufacturer : "", 3430 d->dev.model_name ? d->dev.model_name : "", 3431 d->dev.model_number ? d->dev.model_number : "", 3432 d->dev.serial_number ? d->dev.serial_number : ""); 3433 if (ret < 0 || (size_t) ret >= buflen - len) 3434 return len; 3435 len += ret; 3436 3437 return len; 3438} 3439 3440 3441int wps_registrar_config_ap(struct wps_registrar *reg, 3442 struct wps_credential *cred) 3443{ 3444#ifdef CONFIG_WPS2 3445 printf("encr_type=0x%x\n", cred->encr_type); 3446 if (!(cred->encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP | 3447 WPS_ENCR_AES))) { 3448 if (cred->encr_type & WPS_ENCR_WEP) { 3449 wpa_printf(MSG_INFO, "WPS: Reject new AP settings " 3450 "due to WEP configuration"); 3451 return -1; 3452 } 3453 3454 wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to " 3455 "invalid encr_type 0x%x", cred->encr_type); 3456 return -1; 3457 } 3458 3459 if ((cred->encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) == 3460 WPS_ENCR_TKIP) { 3461 wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> " 3462 "TKIP+AES"); 3463 cred->encr_type |= WPS_ENCR_AES; 3464 } 3465 3466 if ((cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) == 3467 WPS_AUTH_WPAPSK) { 3468 wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> " 3469 "WPAPSK+WPA2PSK"); 3470 cred->auth_type |= WPS_AUTH_WPA2PSK; 3471 } 3472#endif /* CONFIG_WPS2 */ 3473 3474 if (reg->wps->cred_cb) 3475 return reg->wps->cred_cb(reg->wps->cb_ctx, cred); 3476 3477 return -1; 3478} 3479 3480 3481#ifdef CONFIG_WPS_NFC 3482 3483int wps_registrar_add_nfc_pw_token(struct wps_registrar *reg, 3484 const u8 *pubkey_hash, u16 pw_id, 3485 const u8 *dev_pw, size_t dev_pw_len) 3486{ 3487 struct wps_nfc_pw_token *token; 3488 3489 if (dev_pw_len > WPS_OOB_DEVICE_PASSWORD_LEN) 3490 return -1; 3491 3492 wps_free_nfc_pw_tokens(®->nfc_pw_tokens, pw_id); 3493 3494 token = os_zalloc(sizeof(*token)); 3495 if (token == NULL) 3496 return -1; 3497 3498 os_memcpy(token->pubkey_hash, pubkey_hash, WPS_OOB_PUBKEY_HASH_LEN); 3499 token->pw_id = pw_id; 3500 wpa_snprintf_hex_uppercase((char *) token->dev_pw, 3501 sizeof(token->dev_pw), 3502 dev_pw, dev_pw_len); 3503 token->dev_pw_len = dev_pw_len * 2; 3504 3505 dl_list_add(®->nfc_pw_tokens, &token->list); 3506 3507 reg->selected_registrar = 1; 3508 reg->pbc = 0; 3509 wps_registrar_add_authorized_mac(reg, 3510 (u8 *) "\xff\xff\xff\xff\xff\xff"); 3511 wps_registrar_selected_registrar_changed(reg, pw_id); 3512 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 3513 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, 3514 wps_registrar_set_selected_timeout, 3515 reg, NULL); 3516 3517 wpa_printf(MSG_DEBUG, "WPS: Added NFC Device Password %u to Registrar", 3518 pw_id); 3519 3520 return 0; 3521} 3522 3523 3524int wps_registrar_add_nfc_password_token(struct wps_registrar *reg, 3525 const u8 *oob_dev_pw, 3526 size_t oob_dev_pw_len) 3527{ 3528 const u8 *pos, *hash, *dev_pw; 3529 u16 id; 3530 size_t dev_pw_len; 3531 3532 if (oob_dev_pw_len < WPS_OOB_PUBKEY_HASH_LEN + 2 + 3533 WPS_OOB_DEVICE_PASSWORD_MIN_LEN || 3534 oob_dev_pw_len > WPS_OOB_PUBKEY_HASH_LEN + 2 + 3535 WPS_OOB_DEVICE_PASSWORD_LEN) 3536 return -1; 3537 3538 hash = oob_dev_pw; 3539 pos = oob_dev_pw + WPS_OOB_PUBKEY_HASH_LEN; 3540 id = WPA_GET_BE16(pos); 3541 dev_pw = pos + 2; 3542 dev_pw_len = oob_dev_pw + oob_dev_pw_len - dev_pw; 3543 3544 wpa_printf(MSG_DEBUG, "WPS: Add NFC Password Token for Password ID %u", 3545 id); 3546 3547 wpa_hexdump(MSG_DEBUG, "WPS: Public Key Hash", 3548 hash, WPS_OOB_PUBKEY_HASH_LEN); 3549 wpa_hexdump_key(MSG_DEBUG, "WPS: Device Password", dev_pw, dev_pw_len); 3550 3551 return wps_registrar_add_nfc_pw_token(reg, hash, id, dev_pw, 3552 dev_pw_len); 3553} 3554 3555 3556void wps_registrar_remove_nfc_pw_token(struct wps_registrar *reg, 3557 struct wps_nfc_pw_token *token) 3558{ 3559 wps_registrar_remove_authorized_mac(reg, 3560 (u8 *) "\xff\xff\xff\xff\xff\xff"); 3561 wps_registrar_selected_registrar_changed(reg, 0); 3562} 3563 3564#endif /* CONFIG_WPS_NFC */ 3565