1/*
2 * Wi-Fi Protected Setup
3 * Copyright (c) 2007-2009, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/dh_group5.h"
13#include "common/ieee802_11_defs.h"
14#include "wps_i.h"
15#include "wps_dev_attr.h"
16
17
18#ifdef CONFIG_WPS_TESTING
19int wps_version_number = 0x20;
20int wps_testing_dummy_cred = 0;
21int wps_corrupt_pkhash = 0;
22#endif /* CONFIG_WPS_TESTING */
23
24
25/**
26 * wps_init - Initialize WPS Registration protocol data
27 * @cfg: WPS configuration
28 * Returns: Pointer to allocated data or %NULL on failure
29 *
30 * This function is used to initialize WPS data for a registration protocol
31 * instance (i.e., each run of registration protocol as a Registrar of
32 * Enrollee. The caller is responsible for freeing this data after the
33 * registration run has been completed by calling wps_deinit().
34 */
35struct wps_data * wps_init(const struct wps_config *cfg)
36{
37	struct wps_data *data = os_zalloc(sizeof(*data));
38	if (data == NULL)
39		return NULL;
40	data->wps = cfg->wps;
41	data->registrar = cfg->registrar;
42	if (cfg->registrar) {
43		os_memcpy(data->uuid_r, cfg->wps->uuid, WPS_UUID_LEN);
44	} else {
45		os_memcpy(data->mac_addr_e, cfg->wps->dev.mac_addr, ETH_ALEN);
46		os_memcpy(data->uuid_e, cfg->wps->uuid, WPS_UUID_LEN);
47	}
48	if (cfg->pin) {
49		data->dev_pw_id = cfg->dev_pw_id;
50		data->dev_password = os_malloc(cfg->pin_len);
51		if (data->dev_password == NULL) {
52			os_free(data);
53			return NULL;
54		}
55		os_memcpy(data->dev_password, cfg->pin, cfg->pin_len);
56		data->dev_password_len = cfg->pin_len;
57		wpa_hexdump_key(MSG_DEBUG, "WPS: AP PIN dev_password",
58				data->dev_password, data->dev_password_len);
59	}
60
61#ifdef CONFIG_WPS_NFC
62	if (cfg->pin == NULL &&
63	    cfg->dev_pw_id == DEV_PW_NFC_CONNECTION_HANDOVER)
64		data->dev_pw_id = cfg->dev_pw_id;
65
66	if (cfg->wps->ap && !cfg->registrar && cfg->wps->ap_nfc_dev_pw_id) {
67		/* Keep AP PIN as alternative Device Password */
68		data->alt_dev_pw_id = data->dev_pw_id;
69		data->alt_dev_password = data->dev_password;
70		data->alt_dev_password_len = data->dev_password_len;
71
72		data->dev_pw_id = cfg->wps->ap_nfc_dev_pw_id;
73		data->dev_password =
74			os_malloc(wpabuf_len(cfg->wps->ap_nfc_dev_pw));
75		if (data->dev_password == NULL) {
76			os_free(data);
77			return NULL;
78		}
79		os_memcpy(data->dev_password,
80			  wpabuf_head(cfg->wps->ap_nfc_dev_pw),
81			  wpabuf_len(cfg->wps->ap_nfc_dev_pw));
82		data->dev_password_len = wpabuf_len(cfg->wps->ap_nfc_dev_pw);
83		wpa_hexdump_key(MSG_DEBUG, "WPS: NFC dev_password",
84			    data->dev_password, data->dev_password_len);
85	}
86#endif /* CONFIG_WPS_NFC */
87
88	data->pbc = cfg->pbc;
89	if (cfg->pbc) {
90		/* Use special PIN '00000000' for PBC */
91		data->dev_pw_id = DEV_PW_PUSHBUTTON;
92		bin_clear_free(data->dev_password, data->dev_password_len);
93		data->dev_password = (u8 *) os_strdup("00000000");
94		if (data->dev_password == NULL) {
95			os_free(data);
96			return NULL;
97		}
98		data->dev_password_len = 8;
99	}
100
101	data->state = data->registrar ? RECV_M1 : SEND_M1;
102
103	if (cfg->assoc_wps_ie) {
104		struct wps_parse_attr attr;
105		wpa_hexdump_buf(MSG_DEBUG, "WPS: WPS IE from (Re)AssocReq",
106				cfg->assoc_wps_ie);
107		if (wps_parse_msg(cfg->assoc_wps_ie, &attr) < 0) {
108			wpa_printf(MSG_DEBUG, "WPS: Failed to parse WPS IE "
109				   "from (Re)AssocReq");
110		} else if (attr.request_type == NULL) {
111			wpa_printf(MSG_DEBUG, "WPS: No Request Type attribute "
112				   "in (Re)AssocReq WPS IE");
113		} else {
114			wpa_printf(MSG_DEBUG, "WPS: Request Type (from WPS IE "
115				   "in (Re)AssocReq WPS IE): %d",
116				   *attr.request_type);
117			data->request_type = *attr.request_type;
118		}
119	}
120
121	if (cfg->new_ap_settings) {
122		data->new_ap_settings =
123			os_malloc(sizeof(*data->new_ap_settings));
124		if (data->new_ap_settings == NULL) {
125			bin_clear_free(data->dev_password,
126				       data->dev_password_len);
127			os_free(data);
128			return NULL;
129		}
130		os_memcpy(data->new_ap_settings, cfg->new_ap_settings,
131			  sizeof(*data->new_ap_settings));
132	}
133
134	if (cfg->peer_addr)
135		os_memcpy(data->peer_dev.mac_addr, cfg->peer_addr, ETH_ALEN);
136	if (cfg->p2p_dev_addr)
137		os_memcpy(data->p2p_dev_addr, cfg->p2p_dev_addr, ETH_ALEN);
138
139	data->use_psk_key = cfg->use_psk_key;
140	data->pbc_in_m1 = cfg->pbc_in_m1;
141
142	if (cfg->peer_pubkey_hash) {
143		os_memcpy(data->peer_pubkey_hash, cfg->peer_pubkey_hash,
144			  WPS_OOB_PUBKEY_HASH_LEN);
145		data->peer_pubkey_hash_set = 1;
146	}
147
148	return data;
149}
150
151
152/**
153 * wps_deinit - Deinitialize WPS Registration protocol data
154 * @data: WPS Registration protocol data from wps_init()
155 */
156void wps_deinit(struct wps_data *data)
157{
158#ifdef CONFIG_WPS_NFC
159	if (data->registrar && data->nfc_pw_token)
160		wps_registrar_remove_nfc_pw_token(data->wps->registrar,
161						  data->nfc_pw_token);
162#endif /* CONFIG_WPS_NFC */
163
164	if (data->wps_pin_revealed) {
165		wpa_printf(MSG_DEBUG, "WPS: Full PIN information revealed and "
166			   "negotiation failed");
167		if (data->registrar)
168			wps_registrar_invalidate_pin(data->wps->registrar,
169						     data->uuid_e);
170	} else if (data->registrar)
171		wps_registrar_unlock_pin(data->wps->registrar, data->uuid_e);
172
173	wpabuf_free(data->dh_privkey);
174	wpabuf_free(data->dh_pubkey_e);
175	wpabuf_free(data->dh_pubkey_r);
176	wpabuf_free(data->last_msg);
177	bin_clear_free(data->dev_password, data->dev_password_len);
178	bin_clear_free(data->alt_dev_password, data->alt_dev_password_len);
179	bin_clear_free(data->new_psk, data->new_psk_len);
180	wps_device_data_free(&data->peer_dev);
181	bin_clear_free(data->new_ap_settings, sizeof(*data->new_ap_settings));
182	dh5_free(data->dh_ctx);
183	os_free(data);
184}
185
186
187/**
188 * wps_process_msg - Process a WPS message
189 * @wps: WPS Registration protocol data from wps_init()
190 * @op_code: Message OP Code
191 * @msg: Message data
192 * Returns: Processing result
193 *
194 * This function is used to process WPS messages with OP Codes WSC_ACK,
195 * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is
196 * responsible for reassembling the messages before calling this function.
197 * Response to this message is built by calling wps_get_msg().
198 */
199enum wps_process_res wps_process_msg(struct wps_data *wps,
200				     enum wsc_op_code op_code,
201				     const struct wpabuf *msg)
202{
203	if (wps->registrar)
204		return wps_registrar_process_msg(wps, op_code, msg);
205	else
206		return wps_enrollee_process_msg(wps, op_code, msg);
207}
208
209
210/**
211 * wps_get_msg - Build a WPS message
212 * @wps: WPS Registration protocol data from wps_init()
213 * @op_code: Buffer for returning message OP Code
214 * Returns: The generated WPS message or %NULL on failure
215 *
216 * This function is used to build a response to a message processed by calling
217 * wps_process_msg(). The caller is responsible for freeing the buffer.
218 */
219struct wpabuf * wps_get_msg(struct wps_data *wps, enum wsc_op_code *op_code)
220{
221	if (wps->registrar)
222		return wps_registrar_get_msg(wps, op_code);
223	else
224		return wps_enrollee_get_msg(wps, op_code);
225}
226
227
228/**
229 * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC
230 * @msg: WPS IE contents from Beacon or Probe Response frame
231 * Returns: 1 if PBC Registrar is active, 0 if not
232 */
233int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
234{
235	struct wps_parse_attr attr;
236
237	/*
238	 * In theory, this could also verify that attr.sel_reg_config_methods
239	 * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations
240	 * do not set Selected Registrar Config Methods attribute properly, so
241	 * it is safer to just use Device Password ID here.
242	 */
243
244	if (wps_parse_msg(msg, &attr) < 0 ||
245	    !attr.selected_registrar || *attr.selected_registrar == 0 ||
246	    !attr.dev_password_id ||
247	    WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
248		return 0;
249
250#ifdef CONFIG_WPS_STRICT
251	if (!attr.sel_reg_config_methods ||
252	    !(WPA_GET_BE16(attr.sel_reg_config_methods) &
253	      WPS_CONFIG_PUSHBUTTON))
254		return 0;
255#endif /* CONFIG_WPS_STRICT */
256
257	return 1;
258}
259
260
261static int is_selected_pin_registrar(struct wps_parse_attr *attr)
262{
263	/*
264	 * In theory, this could also verify that attr.sel_reg_config_methods
265	 * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD,
266	 * but some deployed AP implementations do not set Selected Registrar
267	 * Config Methods attribute properly, so it is safer to just use
268	 * Device Password ID here.
269	 */
270
271	if (!attr->selected_registrar || *attr->selected_registrar == 0)
272		return 0;
273
274	if (attr->dev_password_id != NULL &&
275	    WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
276		return 0;
277
278#ifdef CONFIG_WPS_STRICT
279	if (!attr->sel_reg_config_methods ||
280	    !(WPA_GET_BE16(attr->sel_reg_config_methods) &
281	      (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
282		return 0;
283#endif /* CONFIG_WPS_STRICT */
284
285	return 1;
286}
287
288
289/**
290 * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN
291 * @msg: WPS IE contents from Beacon or Probe Response frame
292 * Returns: 1 if PIN Registrar is active, 0 if not
293 */
294int wps_is_selected_pin_registrar(const struct wpabuf *msg)
295{
296	struct wps_parse_attr attr;
297
298	if (wps_parse_msg(msg, &attr) < 0)
299		return 0;
300
301	return is_selected_pin_registrar(&attr);
302}
303
304
305/**
306 * wps_is_addr_authorized - Check whether WPS IE authorizes MAC address
307 * @msg: WPS IE contents from Beacon or Probe Response frame
308 * @addr: MAC address to search for
309 * @ver1_compat: Whether to use version 1 compatibility mode
310 * Returns: 2 if the specified address is explicit authorized, 1 if address is
311 * authorized (broadcast), 0 if not
312 */
313int wps_is_addr_authorized(const struct wpabuf *msg, const u8 *addr,
314			   int ver1_compat)
315{
316	struct wps_parse_attr attr;
317	unsigned int i;
318	const u8 *pos;
319	const u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
320
321	if (wps_parse_msg(msg, &attr) < 0)
322		return 0;
323
324	if (!attr.version2 && ver1_compat) {
325		/*
326		 * Version 1.0 AP - AuthorizedMACs not used, so revert back to
327		 * old mechanism of using SelectedRegistrar.
328		 */
329		return is_selected_pin_registrar(&attr);
330	}
331
332	if (!attr.authorized_macs)
333		return 0;
334
335	pos = attr.authorized_macs;
336	for (i = 0; i < attr.authorized_macs_len / ETH_ALEN; i++) {
337		if (os_memcmp(pos, addr, ETH_ALEN) == 0)
338			return 2;
339		if (os_memcmp(pos, bcast, ETH_ALEN) == 0)
340			return 1;
341		pos += ETH_ALEN;
342	}
343
344	return 0;
345}
346
347
348/**
349 * wps_ap_priority_compar - Prioritize WPS IE from two APs
350 * @wps_a: WPS IE contents from Beacon or Probe Response frame
351 * @wps_b: WPS IE contents from Beacon or Probe Response frame
352 * Returns: 1 if wps_b is considered more likely selection for WPS
353 * provisioning, -1 if wps_a is considered more like, or 0 if no preference
354 */
355int wps_ap_priority_compar(const struct wpabuf *wps_a,
356			   const struct wpabuf *wps_b)
357{
358	struct wps_parse_attr attr_a, attr_b;
359	int sel_a, sel_b;
360
361	if (wps_a == NULL || wps_parse_msg(wps_a, &attr_a) < 0)
362		return 1;
363	if (wps_b == NULL || wps_parse_msg(wps_b, &attr_b) < 0)
364		return -1;
365
366	sel_a = attr_a.selected_registrar && *attr_a.selected_registrar != 0;
367	sel_b = attr_b.selected_registrar && *attr_b.selected_registrar != 0;
368
369	if (sel_a && !sel_b)
370		return -1;
371	if (!sel_a && sel_b)
372		return 1;
373
374	return 0;
375}
376
377
378/**
379 * wps_get_uuid_e - Get UUID-E from WPS IE
380 * @msg: WPS IE contents from Beacon or Probe Response frame
381 * Returns: Pointer to UUID-E or %NULL if not included
382 *
383 * The returned pointer is to the msg contents and it remains valid only as
384 * long as the msg buffer is valid.
385 */
386const u8 * wps_get_uuid_e(const struct wpabuf *msg)
387{
388	struct wps_parse_attr attr;
389
390	if (wps_parse_msg(msg, &attr) < 0)
391		return NULL;
392	return attr.uuid_e;
393}
394
395
396/**
397 * wps_is_20 - Check whether WPS attributes claim support for WPS 2.0
398 */
399int wps_is_20(const struct wpabuf *msg)
400{
401	struct wps_parse_attr attr;
402
403	if (msg == NULL || wps_parse_msg(msg, &attr) < 0)
404		return 0;
405	return attr.version2 != NULL;
406}
407
408
409/**
410 * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request
411 * @req_type: Value for Request Type attribute
412 * Returns: WPS IE or %NULL on failure
413 *
414 * The caller is responsible for freeing the buffer.
415 */
416struct wpabuf * wps_build_assoc_req_ie(enum wps_request_type req_type)
417{
418	struct wpabuf *ie;
419	u8 *len;
420
421	wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
422		   "Request");
423	ie = wpabuf_alloc(100);
424	if (ie == NULL)
425		return NULL;
426
427	wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
428	len = wpabuf_put(ie, 1);
429	wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
430
431	if (wps_build_version(ie) ||
432	    wps_build_req_type(ie, req_type) ||
433	    wps_build_wfa_ext(ie, 0, NULL, 0)) {
434		wpabuf_free(ie);
435		return NULL;
436	}
437
438	*len = wpabuf_len(ie) - 2;
439
440	return ie;
441}
442
443
444/**
445 * wps_build_assoc_resp_ie - Build WPS IE for (Re)Association Response
446 * Returns: WPS IE or %NULL on failure
447 *
448 * The caller is responsible for freeing the buffer.
449 */
450struct wpabuf * wps_build_assoc_resp_ie(void)
451{
452	struct wpabuf *ie;
453	u8 *len;
454
455	wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
456		   "Response");
457	ie = wpabuf_alloc(100);
458	if (ie == NULL)
459		return NULL;
460
461	wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
462	len = wpabuf_put(ie, 1);
463	wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
464
465	if (wps_build_version(ie) ||
466	    wps_build_resp_type(ie, WPS_RESP_AP) ||
467	    wps_build_wfa_ext(ie, 0, NULL, 0)) {
468		wpabuf_free(ie);
469		return NULL;
470	}
471
472	*len = wpabuf_len(ie) - 2;
473
474	return ie;
475}
476
477
478/**
479 * wps_build_probe_req_ie - Build WPS IE for Probe Request
480 * @pw_id: Password ID (DEV_PW_PUSHBUTTON for active PBC and DEV_PW_DEFAULT for
481 * most other use cases)
482 * @dev: Device attributes
483 * @uuid: Own UUID
484 * @req_type: Value for Request Type attribute
485 * @num_req_dev_types: Number of requested device types
486 * @req_dev_types: Requested device types (8 * num_req_dev_types octets) or
487 *	%NULL if none
488 * Returns: WPS IE or %NULL on failure
489 *
490 * The caller is responsible for freeing the buffer.
491 */
492struct wpabuf * wps_build_probe_req_ie(u16 pw_id, struct wps_device_data *dev,
493				       const u8 *uuid,
494				       enum wps_request_type req_type,
495				       unsigned int num_req_dev_types,
496				       const u8 *req_dev_types)
497{
498	struct wpabuf *ie;
499
500	wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request");
501
502	ie = wpabuf_alloc(500);
503	if (ie == NULL)
504		return NULL;
505
506	if (wps_build_version(ie) ||
507	    wps_build_req_type(ie, req_type) ||
508	    wps_build_config_methods(ie, dev->config_methods) ||
509	    wps_build_uuid_e(ie, uuid) ||
510	    wps_build_primary_dev_type(dev, ie) ||
511	    wps_build_rf_bands(dev, ie, 0) ||
512	    wps_build_assoc_state(NULL, ie) ||
513	    wps_build_config_error(ie, WPS_CFG_NO_ERROR) ||
514	    wps_build_dev_password_id(ie, pw_id) ||
515	    wps_build_manufacturer(dev, ie) ||
516	    wps_build_model_name(dev, ie) ||
517	    wps_build_model_number(dev, ie) ||
518	    wps_build_dev_name(dev, ie) ||
519	    wps_build_wfa_ext(ie, req_type == WPS_REQ_ENROLLEE, NULL, 0) ||
520	    wps_build_req_dev_type(dev, ie, num_req_dev_types, req_dev_types)
521	    ||
522	    wps_build_secondary_dev_type(dev, ie)
523		) {
524		wpabuf_free(ie);
525		return NULL;
526	}
527
528	return wps_ie_encapsulate(ie);
529}
530
531
532void wps_free_pending_msgs(struct upnp_pending_message *msgs)
533{
534	struct upnp_pending_message *p, *prev;
535	p = msgs;
536	while (p) {
537		prev = p;
538		p = p->next;
539		wpabuf_free(prev->msg);
540		os_free(prev);
541	}
542}
543
544
545int wps_attr_text(struct wpabuf *data, char *buf, char *end)
546{
547	struct wps_parse_attr attr;
548	char *pos = buf;
549	int ret;
550
551	if (wps_parse_msg(data, &attr) < 0)
552		return -1;
553
554	if (attr.wps_state) {
555		if (*attr.wps_state == WPS_STATE_NOT_CONFIGURED)
556			ret = os_snprintf(pos, end - pos,
557					  "wps_state=unconfigured\n");
558		else if (*attr.wps_state == WPS_STATE_CONFIGURED)
559			ret = os_snprintf(pos, end - pos,
560					  "wps_state=configured\n");
561		else
562			ret = 0;
563		if (ret < 0 || ret >= end - pos)
564			return pos - buf;
565		pos += ret;
566	}
567
568	if (attr.ap_setup_locked && *attr.ap_setup_locked) {
569		ret = os_snprintf(pos, end - pos,
570				  "wps_ap_setup_locked=1\n");
571		if (ret < 0 || ret >= end - pos)
572			return pos - buf;
573		pos += ret;
574	}
575
576	if (attr.selected_registrar && *attr.selected_registrar) {
577		ret = os_snprintf(pos, end - pos,
578				  "wps_selected_registrar=1\n");
579		if (ret < 0 || ret >= end - pos)
580			return pos - buf;
581		pos += ret;
582	}
583
584	if (attr.dev_password_id) {
585		ret = os_snprintf(pos, end - pos,
586				  "wps_device_password_id=%u\n",
587				  WPA_GET_BE16(attr.dev_password_id));
588		if (ret < 0 || ret >= end - pos)
589			return pos - buf;
590		pos += ret;
591	}
592
593	if (attr.sel_reg_config_methods) {
594		ret = os_snprintf(pos, end - pos,
595				  "wps_selected_registrar_config_methods="
596				  "0x%04x\n",
597				  WPA_GET_BE16(attr.sel_reg_config_methods));
598		if (ret < 0 || ret >= end - pos)
599			return pos - buf;
600		pos += ret;
601	}
602
603	if (attr.primary_dev_type) {
604		char devtype[WPS_DEV_TYPE_BUFSIZE];
605		ret = os_snprintf(pos, end - pos,
606				  "wps_primary_device_type=%s\n",
607				  wps_dev_type_bin2str(attr.primary_dev_type,
608						       devtype,
609						       sizeof(devtype)));
610		if (ret < 0 || ret >= end - pos)
611			return pos - buf;
612		pos += ret;
613	}
614
615	if (attr.dev_name) {
616		char *str = os_malloc(attr.dev_name_len + 1);
617		size_t i;
618		if (str == NULL)
619			return pos - buf;
620		for (i = 0; i < attr.dev_name_len; i++) {
621			if (attr.dev_name[i] < 32)
622				str[i] = '_';
623			else
624				str[i] = attr.dev_name[i];
625		}
626		str[i] = '\0';
627		ret = os_snprintf(pos, end - pos, "wps_device_name=%s\n", str);
628		os_free(str);
629		if (ret < 0 || ret >= end - pos)
630			return pos - buf;
631		pos += ret;
632	}
633
634	if (attr.config_methods) {
635		ret = os_snprintf(pos, end - pos,
636				  "wps_config_methods=0x%04x\n",
637				  WPA_GET_BE16(attr.config_methods));
638		if (ret < 0 || ret >= end - pos)
639			return pos - buf;
640		pos += ret;
641	}
642
643	return pos - buf;
644}
645
646
647const char * wps_ei_str(enum wps_error_indication ei)
648{
649	switch (ei) {
650	case WPS_EI_NO_ERROR:
651		return "No Error";
652	case WPS_EI_SECURITY_TKIP_ONLY_PROHIBITED:
653		return "TKIP Only Prohibited";
654	case WPS_EI_SECURITY_WEP_PROHIBITED:
655		return "WEP Prohibited";
656	case WPS_EI_AUTH_FAILURE:
657		return "Authentication Failure";
658	default:
659		return "Unknown";
660	}
661}
662