wps_registrar.c revision 6c0da2bb83f6915d8260912362692d1a742e057b
1/* 2 * Wi-Fi Protected Setup - Registrar 3 * Copyright (c) 2008-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/base64.h" 13#include "utils/eloop.h" 14#include "utils/uuid.h" 15#include "utils/list.h" 16#include "crypto/crypto.h" 17#include "crypto/sha256.h" 18#include "crypto/random.h" 19#include "common/ieee802_11_defs.h" 20#include "wps_i.h" 21#include "wps_dev_attr.h" 22#include "wps_upnp.h" 23#include "wps_upnp_i.h" 24 25#ifndef CONFIG_WPS_STRICT 26#define WPS_WORKAROUNDS 27#endif /* CONFIG_WPS_STRICT */ 28 29#ifdef CONFIG_WPS_NFC 30 31struct wps_nfc_pw_token { 32 struct dl_list list; 33 u8 pubkey_hash[WPS_OOB_PUBKEY_HASH_LEN]; 34 unsigned int peer_pk_hash_known:1; 35 u16 pw_id; 36 u8 dev_pw[WPS_OOB_DEVICE_PASSWORD_LEN * 2 + 1]; 37 size_t dev_pw_len; 38 int pk_hash_provided_oob; /* whether own PK hash was provided OOB */ 39}; 40 41 42static void wps_remove_nfc_pw_token(struct wps_nfc_pw_token *token) 43{ 44 dl_list_del(&token->list); 45 bin_clear_free(token, sizeof(*token)); 46} 47 48 49static void wps_free_nfc_pw_tokens(struct dl_list *tokens, u16 pw_id) 50{ 51 struct wps_nfc_pw_token *token, *prev; 52 dl_list_for_each_safe(token, prev, tokens, struct wps_nfc_pw_token, 53 list) { 54 if (pw_id == 0 || pw_id == token->pw_id) 55 wps_remove_nfc_pw_token(token); 56 } 57} 58 59 60static struct wps_nfc_pw_token * wps_get_nfc_pw_token(struct dl_list *tokens, 61 u16 pw_id) 62{ 63 struct wps_nfc_pw_token *token; 64 dl_list_for_each(token, tokens, struct wps_nfc_pw_token, list) { 65 if (pw_id == token->pw_id) 66 return token; 67 } 68 return NULL; 69} 70 71#else /* CONFIG_WPS_NFC */ 72 73#define wps_free_nfc_pw_tokens(t, p) do { } while (0) 74 75#endif /* CONFIG_WPS_NFC */ 76 77 78struct wps_uuid_pin { 79 struct dl_list list; 80 u8 uuid[WPS_UUID_LEN]; 81 int wildcard_uuid; 82 u8 *pin; 83 size_t pin_len; 84#define PIN_LOCKED BIT(0) 85#define PIN_EXPIRES BIT(1) 86 int flags; 87 struct os_reltime expiration; 88 u8 enrollee_addr[ETH_ALEN]; 89}; 90 91 92static void wps_free_pin(struct wps_uuid_pin *pin) 93{ 94 bin_clear_free(pin->pin, pin->pin_len); 95 os_free(pin); 96} 97 98 99static void wps_remove_pin(struct wps_uuid_pin *pin) 100{ 101 dl_list_del(&pin->list); 102 wps_free_pin(pin); 103} 104 105 106static void wps_free_pins(struct dl_list *pins) 107{ 108 struct wps_uuid_pin *pin, *prev; 109 dl_list_for_each_safe(pin, prev, pins, struct wps_uuid_pin, list) 110 wps_remove_pin(pin); 111} 112 113 114struct wps_pbc_session { 115 struct wps_pbc_session *next; 116 u8 addr[ETH_ALEN]; 117 u8 uuid_e[WPS_UUID_LEN]; 118 struct os_reltime timestamp; 119}; 120 121 122static void wps_free_pbc_sessions(struct wps_pbc_session *pbc) 123{ 124 struct wps_pbc_session *prev; 125 126 while (pbc) { 127 prev = pbc; 128 pbc = pbc->next; 129 os_free(prev); 130 } 131} 132 133 134struct wps_registrar_device { 135 struct wps_registrar_device *next; 136 struct wps_device_data dev; 137 u8 uuid[WPS_UUID_LEN]; 138}; 139 140 141struct wps_registrar { 142 struct wps_context *wps; 143 144 int pbc; 145 int selected_registrar; 146 147 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *p2p_dev_addr, 148 const u8 *psk, size_t psk_len); 149 int (*set_ie_cb)(void *ctx, struct wpabuf *beacon_ie, 150 struct wpabuf *probe_resp_ie); 151 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e, 152 const struct wps_device_data *dev); 153 void (*reg_success_cb)(void *ctx, const u8 *mac_addr, 154 const u8 *uuid_e, const u8 *dev_pw, 155 size_t dev_pw_len); 156 void (*set_sel_reg_cb)(void *ctx, int sel_reg, u16 dev_passwd_id, 157 u16 sel_reg_config_methods); 158 void (*enrollee_seen_cb)(void *ctx, const u8 *addr, const u8 *uuid_e, 159 const u8 *pri_dev_type, u16 config_methods, 160 u16 dev_password_id, u8 request_type, 161 const char *dev_name); 162 void *cb_ctx; 163 164 struct dl_list pins; 165 struct dl_list nfc_pw_tokens; 166 struct wps_pbc_session *pbc_sessions; 167 168 int skip_cred_build; 169 struct wpabuf *extra_cred; 170 int disable_auto_conf; 171 int sel_reg_union; 172 int sel_reg_dev_password_id_override; 173 int sel_reg_config_methods_override; 174 int static_wep_only; 175 int dualband; 176 int force_per_enrollee_psk; 177 178 struct wps_registrar_device *devices; 179 180 int force_pbc_overlap; 181 182 u8 authorized_macs[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN]; 183 u8 authorized_macs_union[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN]; 184 185 u8 p2p_dev_addr[ETH_ALEN]; 186 187 u8 pbc_ignore_uuid[WPS_UUID_LEN]; 188#ifdef WPS_WORKAROUNDS 189 struct os_reltime pbc_ignore_start; 190#endif /* WPS_WORKAROUNDS */ 191}; 192 193 194static int wps_set_ie(struct wps_registrar *reg); 195static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx); 196static void wps_registrar_set_selected_timeout(void *eloop_ctx, 197 void *timeout_ctx); 198static void wps_registrar_remove_pin(struct wps_registrar *reg, 199 struct wps_uuid_pin *pin); 200 201 202static void wps_registrar_add_authorized_mac(struct wps_registrar *reg, 203 const u8 *addr) 204{ 205 int i; 206 wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC " MACSTR, 207 MAC2STR(addr)); 208 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) 209 if (os_memcmp(reg->authorized_macs[i], addr, ETH_ALEN) == 0) { 210 wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was " 211 "already in the list"); 212 return; /* already in list */ 213 } 214 for (i = WPS_MAX_AUTHORIZED_MACS - 1; i > 0; i--) 215 os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i - 1], 216 ETH_ALEN); 217 os_memcpy(reg->authorized_macs[0], addr, ETH_ALEN); 218 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs", 219 (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs)); 220} 221 222 223static void wps_registrar_remove_authorized_mac(struct wps_registrar *reg, 224 const u8 *addr) 225{ 226 int i; 227 wpa_printf(MSG_DEBUG, "WPS: Remove authorized MAC " MACSTR, 228 MAC2STR(addr)); 229 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) { 230 if (os_memcmp(reg->authorized_macs, addr, ETH_ALEN) == 0) 231 break; 232 } 233 if (i == WPS_MAX_AUTHORIZED_MACS) { 234 wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was not in the " 235 "list"); 236 return; /* not in the list */ 237 } 238 for (; i + 1 < WPS_MAX_AUTHORIZED_MACS; i++) 239 os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i + 1], 240 ETH_ALEN); 241 os_memset(reg->authorized_macs[WPS_MAX_AUTHORIZED_MACS - 1], 0, 242 ETH_ALEN); 243 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs", 244 (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs)); 245} 246 247 248static void wps_free_devices(struct wps_registrar_device *dev) 249{ 250 struct wps_registrar_device *prev; 251 252 while (dev) { 253 prev = dev; 254 dev = dev->next; 255 wps_device_data_free(&prev->dev); 256 os_free(prev); 257 } 258} 259 260 261static struct wps_registrar_device * wps_device_get(struct wps_registrar *reg, 262 const u8 *addr) 263{ 264 struct wps_registrar_device *dev; 265 266 for (dev = reg->devices; dev; dev = dev->next) { 267 if (os_memcmp(dev->dev.mac_addr, addr, ETH_ALEN) == 0) 268 return dev; 269 } 270 return NULL; 271} 272 273 274static void wps_device_clone_data(struct wps_device_data *dst, 275 struct wps_device_data *src) 276{ 277 os_memcpy(dst->mac_addr, src->mac_addr, ETH_ALEN); 278 os_memcpy(dst->pri_dev_type, src->pri_dev_type, WPS_DEV_TYPE_LEN); 279 280#define WPS_STRDUP(n) \ 281 os_free(dst->n); \ 282 dst->n = src->n ? os_strdup(src->n) : NULL 283 284 WPS_STRDUP(device_name); 285 WPS_STRDUP(manufacturer); 286 WPS_STRDUP(model_name); 287 WPS_STRDUP(model_number); 288 WPS_STRDUP(serial_number); 289#undef WPS_STRDUP 290} 291 292 293int wps_device_store(struct wps_registrar *reg, 294 struct wps_device_data *dev, const u8 *uuid) 295{ 296 struct wps_registrar_device *d; 297 298 d = wps_device_get(reg, dev->mac_addr); 299 if (d == NULL) { 300 d = os_zalloc(sizeof(*d)); 301 if (d == NULL) 302 return -1; 303 d->next = reg->devices; 304 reg->devices = d; 305 } 306 307 wps_device_clone_data(&d->dev, dev); 308 os_memcpy(d->uuid, uuid, WPS_UUID_LEN); 309 310 return 0; 311} 312 313 314static void wps_registrar_add_pbc_session(struct wps_registrar *reg, 315 const u8 *addr, const u8 *uuid_e) 316{ 317 struct wps_pbc_session *pbc, *prev = NULL; 318 struct os_reltime now; 319 320 os_get_reltime(&now); 321 322 pbc = reg->pbc_sessions; 323 while (pbc) { 324 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 && 325 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) { 326 if (prev) 327 prev->next = pbc->next; 328 else 329 reg->pbc_sessions = pbc->next; 330 break; 331 } 332 prev = pbc; 333 pbc = pbc->next; 334 } 335 336 if (!pbc) { 337 pbc = os_zalloc(sizeof(*pbc)); 338 if (pbc == NULL) 339 return; 340 os_memcpy(pbc->addr, addr, ETH_ALEN); 341 if (uuid_e) 342 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN); 343 } 344 345 pbc->next = reg->pbc_sessions; 346 reg->pbc_sessions = pbc; 347 pbc->timestamp = now; 348 349 /* remove entries that have timed out */ 350 prev = pbc; 351 pbc = pbc->next; 352 353 while (pbc) { 354 if (os_reltime_expired(&now, &pbc->timestamp, 355 WPS_PBC_WALK_TIME)) { 356 prev->next = NULL; 357 wps_free_pbc_sessions(pbc); 358 break; 359 } 360 prev = pbc; 361 pbc = pbc->next; 362 } 363} 364 365 366static void wps_registrar_remove_pbc_session(struct wps_registrar *reg, 367 const u8 *uuid_e, 368 const u8 *p2p_dev_addr) 369{ 370 struct wps_pbc_session *pbc, *prev = NULL, *tmp; 371 372 pbc = reg->pbc_sessions; 373 while (pbc) { 374 if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0 || 375 (p2p_dev_addr && !is_zero_ether_addr(reg->p2p_dev_addr) && 376 os_memcmp(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) == 377 0)) { 378 if (prev) 379 prev->next = pbc->next; 380 else 381 reg->pbc_sessions = pbc->next; 382 tmp = pbc; 383 pbc = pbc->next; 384 wpa_printf(MSG_DEBUG, "WPS: Removing PBC session for " 385 "addr=" MACSTR, MAC2STR(tmp->addr)); 386 wpa_hexdump(MSG_DEBUG, "WPS: Removed UUID-E", 387 tmp->uuid_e, WPS_UUID_LEN); 388 os_free(tmp); 389 continue; 390 } 391 prev = pbc; 392 pbc = pbc->next; 393 } 394} 395 396 397int wps_registrar_pbc_overlap(struct wps_registrar *reg, 398 const u8 *addr, const u8 *uuid_e) 399{ 400 int count = 0; 401 struct wps_pbc_session *pbc; 402 struct wps_pbc_session *first = NULL; 403 struct os_reltime now; 404 405 os_get_reltime(&now); 406 407 wpa_printf(MSG_DEBUG, "WPS: Checking active PBC sessions for overlap"); 408 409 if (uuid_e) { 410 wpa_printf(MSG_DEBUG, "WPS: Add one for the requested UUID"); 411 wpa_hexdump(MSG_DEBUG, "WPS: Requested UUID", 412 uuid_e, WPS_UUID_LEN); 413 count++; 414 } 415 416 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) { 417 wpa_printf(MSG_DEBUG, "WPS: Consider PBC session with " MACSTR, 418 MAC2STR(pbc->addr)); 419 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", 420 pbc->uuid_e, WPS_UUID_LEN); 421 if (os_reltime_expired(&now, &pbc->timestamp, 422 WPS_PBC_WALK_TIME)) { 423 wpa_printf(MSG_DEBUG, "WPS: PBC walk time has expired"); 424 break; 425 } 426 if (first && 427 os_memcmp(pbc->uuid_e, first->uuid_e, WPS_UUID_LEN) == 0) { 428 wpa_printf(MSG_DEBUG, "WPS: Same Enrollee"); 429 continue; /* same Enrollee */ 430 } 431 if (uuid_e == NULL || 432 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN)) { 433 wpa_printf(MSG_DEBUG, "WPS: New Enrollee"); 434 count++; 435 } 436 if (first == NULL) 437 first = pbc; 438 } 439 440 wpa_printf(MSG_DEBUG, "WPS: %u active PBC session(s) found", count); 441 442 return count > 1 ? 1 : 0; 443} 444 445 446static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg) 447{ 448 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)", 449 wps->wps_state); 450 wpabuf_put_be16(msg, ATTR_WPS_STATE); 451 wpabuf_put_be16(msg, 1); 452 wpabuf_put_u8(msg, wps->wps_state); 453 return 0; 454} 455 456 457#ifdef CONFIG_WPS_UPNP 458static void wps_registrar_free_pending_m2(struct wps_context *wps) 459{ 460 struct upnp_pending_message *p, *p2, *prev = NULL; 461 p = wps->upnp_msgs; 462 while (p) { 463 if (p->type == WPS_M2 || p->type == WPS_M2D) { 464 if (prev == NULL) 465 wps->upnp_msgs = p->next; 466 else 467 prev->next = p->next; 468 wpa_printf(MSG_DEBUG, "WPS UPnP: Drop pending M2/M2D"); 469 p2 = p; 470 p = p->next; 471 wpabuf_free(p2->msg); 472 os_free(p2); 473 continue; 474 } 475 prev = p; 476 p = p->next; 477 } 478} 479#endif /* CONFIG_WPS_UPNP */ 480 481 482static int wps_build_ap_setup_locked(struct wps_context *wps, 483 struct wpabuf *msg) 484{ 485 if (wps->ap_setup_locked && wps->ap_setup_locked != 2) { 486 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked"); 487 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED); 488 wpabuf_put_be16(msg, 1); 489 wpabuf_put_u8(msg, 1); 490 } 491 return 0; 492} 493 494 495static int wps_build_selected_registrar(struct wps_registrar *reg, 496 struct wpabuf *msg) 497{ 498 if (!reg->sel_reg_union) 499 return 0; 500 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar"); 501 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR); 502 wpabuf_put_be16(msg, 1); 503 wpabuf_put_u8(msg, 1); 504 return 0; 505} 506 507 508static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg, 509 struct wpabuf *msg) 510{ 511 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT; 512 if (!reg->sel_reg_union) 513 return 0; 514 if (reg->sel_reg_dev_password_id_override >= 0) 515 id = reg->sel_reg_dev_password_id_override; 516 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id); 517 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID); 518 wpabuf_put_be16(msg, 2); 519 wpabuf_put_be16(msg, id); 520 return 0; 521} 522 523 524static int wps_build_sel_pbc_reg_uuid_e(struct wps_registrar *reg, 525 struct wpabuf *msg) 526{ 527 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT; 528 if (!reg->sel_reg_union) 529 return 0; 530 if (reg->sel_reg_dev_password_id_override >= 0) 531 id = reg->sel_reg_dev_password_id_override; 532 if (id != DEV_PW_PUSHBUTTON || !reg->dualband) 533 return 0; 534 return wps_build_uuid_e(msg, reg->wps->uuid); 535} 536 537 538static void wps_set_pushbutton(u16 *methods, u16 conf_methods) 539{ 540 *methods |= WPS_CONFIG_PUSHBUTTON; 541 if ((conf_methods & WPS_CONFIG_VIRT_PUSHBUTTON) == 542 WPS_CONFIG_VIRT_PUSHBUTTON) 543 *methods |= WPS_CONFIG_VIRT_PUSHBUTTON; 544 if ((conf_methods & WPS_CONFIG_PHY_PUSHBUTTON) == 545 WPS_CONFIG_PHY_PUSHBUTTON) 546 *methods |= WPS_CONFIG_PHY_PUSHBUTTON; 547 if ((*methods & WPS_CONFIG_VIRT_PUSHBUTTON) != 548 WPS_CONFIG_VIRT_PUSHBUTTON && 549 (*methods & WPS_CONFIG_PHY_PUSHBUTTON) != 550 WPS_CONFIG_PHY_PUSHBUTTON) { 551 /* 552 * Required to include virtual/physical flag, but we were not 553 * configured with push button type, so have to default to one 554 * of them. 555 */ 556 *methods |= WPS_CONFIG_PHY_PUSHBUTTON; 557 } 558} 559 560 561static int wps_build_sel_reg_config_methods(struct wps_registrar *reg, 562 struct wpabuf *msg) 563{ 564 u16 methods; 565 if (!reg->sel_reg_union) 566 return 0; 567 methods = reg->wps->config_methods; 568 methods &= ~WPS_CONFIG_PUSHBUTTON; 569 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 570 WPS_CONFIG_PHY_PUSHBUTTON); 571 if (reg->pbc) 572 wps_set_pushbutton(&methods, reg->wps->config_methods); 573 if (reg->sel_reg_config_methods_override >= 0) 574 methods = reg->sel_reg_config_methods_override; 575 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)", 576 methods); 577 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS); 578 wpabuf_put_be16(msg, 2); 579 wpabuf_put_be16(msg, methods); 580 return 0; 581} 582 583 584static int wps_build_probe_config_methods(struct wps_registrar *reg, 585 struct wpabuf *msg) 586{ 587 u16 methods; 588 /* 589 * These are the methods that the AP supports as an Enrollee for adding 590 * external Registrars. 591 */ 592 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 593 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 594 WPS_CONFIG_PHY_PUSHBUTTON); 595 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods); 596 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS); 597 wpabuf_put_be16(msg, 2); 598 wpabuf_put_be16(msg, methods); 599 return 0; 600} 601 602 603static int wps_build_config_methods_r(struct wps_registrar *reg, 604 struct wpabuf *msg) 605{ 606 return wps_build_config_methods(msg, reg->wps->config_methods); 607} 608 609 610const u8 * wps_authorized_macs(struct wps_registrar *reg, size_t *count) 611{ 612 *count = 0; 613 614 while (*count < WPS_MAX_AUTHORIZED_MACS) { 615 if (is_zero_ether_addr(reg->authorized_macs_union[*count])) 616 break; 617 (*count)++; 618 } 619 620 return (const u8 *) reg->authorized_macs_union; 621} 622 623 624/** 625 * wps_registrar_init - Initialize WPS Registrar data 626 * @wps: Pointer to longterm WPS context 627 * @cfg: Registrar configuration 628 * Returns: Pointer to allocated Registrar data or %NULL on failure 629 * 630 * This function is used to initialize WPS Registrar functionality. It can be 631 * used for a single Registrar run (e.g., when run in a supplicant) or multiple 632 * runs (e.g., when run as an internal Registrar in an AP). Caller is 633 * responsible for freeing the returned data with wps_registrar_deinit() when 634 * Registrar functionality is not needed anymore. 635 */ 636struct wps_registrar * 637wps_registrar_init(struct wps_context *wps, 638 const struct wps_registrar_config *cfg) 639{ 640 struct wps_registrar *reg = os_zalloc(sizeof(*reg)); 641 if (reg == NULL) 642 return NULL; 643 644 dl_list_init(®->pins); 645 dl_list_init(®->nfc_pw_tokens); 646 reg->wps = wps; 647 reg->new_psk_cb = cfg->new_psk_cb; 648 reg->set_ie_cb = cfg->set_ie_cb; 649 reg->pin_needed_cb = cfg->pin_needed_cb; 650 reg->reg_success_cb = cfg->reg_success_cb; 651 reg->set_sel_reg_cb = cfg->set_sel_reg_cb; 652 reg->enrollee_seen_cb = cfg->enrollee_seen_cb; 653 reg->cb_ctx = cfg->cb_ctx; 654 reg->skip_cred_build = cfg->skip_cred_build; 655 if (cfg->extra_cred) { 656 reg->extra_cred = wpabuf_alloc_copy(cfg->extra_cred, 657 cfg->extra_cred_len); 658 if (reg->extra_cred == NULL) { 659 os_free(reg); 660 return NULL; 661 } 662 } 663 reg->disable_auto_conf = cfg->disable_auto_conf; 664 reg->sel_reg_dev_password_id_override = -1; 665 reg->sel_reg_config_methods_override = -1; 666 reg->static_wep_only = cfg->static_wep_only; 667 reg->dualband = cfg->dualband; 668 reg->force_per_enrollee_psk = cfg->force_per_enrollee_psk; 669 670 if (wps_set_ie(reg)) { 671 wps_registrar_deinit(reg); 672 return NULL; 673 } 674 675 return reg; 676} 677 678 679void wps_registrar_flush(struct wps_registrar *reg) 680{ 681 if (reg == NULL) 682 return; 683 wps_free_pins(®->pins); 684 wps_free_nfc_pw_tokens(®->nfc_pw_tokens, 0); 685 wps_free_pbc_sessions(reg->pbc_sessions); 686 reg->pbc_sessions = NULL; 687 wps_free_devices(reg->devices); 688 reg->devices = NULL; 689#ifdef WPS_WORKAROUNDS 690 reg->pbc_ignore_start.sec = 0; 691#endif /* WPS_WORKAROUNDS */ 692} 693 694 695/** 696 * wps_registrar_deinit - Deinitialize WPS Registrar data 697 * @reg: Registrar data from wps_registrar_init() 698 */ 699void wps_registrar_deinit(struct wps_registrar *reg) 700{ 701 if (reg == NULL) 702 return; 703 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 704 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 705 wps_registrar_flush(reg); 706 wpabuf_free(reg->extra_cred); 707 os_free(reg); 708} 709 710 711static void wps_registrar_invalidate_unused(struct wps_registrar *reg) 712{ 713 struct wps_uuid_pin *pin; 714 715 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 716 if (pin->wildcard_uuid == 1 && !(pin->flags & PIN_LOCKED)) { 717 wpa_printf(MSG_DEBUG, "WPS: Invalidate previously " 718 "configured wildcard PIN"); 719 wps_registrar_remove_pin(reg, pin); 720 break; 721 } 722 } 723} 724 725 726/** 727 * wps_registrar_add_pin - Configure a new PIN for Registrar 728 * @reg: Registrar data from wps_registrar_init() 729 * @addr: Enrollee MAC address or %NULL if not known 730 * @uuid: UUID-E or %NULL for wildcard (any UUID) 731 * @pin: PIN (Device Password) 732 * @pin_len: Length of pin in octets 733 * @timeout: Time (in seconds) when the PIN will be invalidated; 0 = no timeout 734 * Returns: 0 on success, -1 on failure 735 */ 736int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *addr, 737 const u8 *uuid, const u8 *pin, size_t pin_len, 738 int timeout) 739{ 740 struct wps_uuid_pin *p; 741 742 p = os_zalloc(sizeof(*p)); 743 if (p == NULL) 744 return -1; 745 if (addr) 746 os_memcpy(p->enrollee_addr, addr, ETH_ALEN); 747 if (uuid == NULL) 748 p->wildcard_uuid = 1; 749 else 750 os_memcpy(p->uuid, uuid, WPS_UUID_LEN); 751 p->pin = os_malloc(pin_len); 752 if (p->pin == NULL) { 753 os_free(p); 754 return -1; 755 } 756 os_memcpy(p->pin, pin, pin_len); 757 p->pin_len = pin_len; 758 759 if (timeout) { 760 p->flags |= PIN_EXPIRES; 761 os_get_reltime(&p->expiration); 762 p->expiration.sec += timeout; 763 } 764 765 if (p->wildcard_uuid) 766 wps_registrar_invalidate_unused(reg); 767 768 dl_list_add(®->pins, &p->list); 769 770 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured (timeout=%d)", 771 timeout); 772 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN); 773 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len); 774 reg->selected_registrar = 1; 775 reg->pbc = 0; 776 if (addr) 777 wps_registrar_add_authorized_mac(reg, addr); 778 else 779 wps_registrar_add_authorized_mac( 780 reg, (u8 *) "\xff\xff\xff\xff\xff\xff"); 781 wps_registrar_selected_registrar_changed(reg, 0); 782 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 783 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, 784 wps_registrar_set_selected_timeout, 785 reg, NULL); 786 787 return 0; 788} 789 790 791static void wps_registrar_remove_pin(struct wps_registrar *reg, 792 struct wps_uuid_pin *pin) 793{ 794 u8 *addr; 795 u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 796 797 if (is_zero_ether_addr(pin->enrollee_addr)) 798 addr = bcast; 799 else 800 addr = pin->enrollee_addr; 801 wps_registrar_remove_authorized_mac(reg, addr); 802 wps_remove_pin(pin); 803 wps_registrar_selected_registrar_changed(reg, 0); 804} 805 806 807static void wps_registrar_expire_pins(struct wps_registrar *reg) 808{ 809 struct wps_uuid_pin *pin, *prev; 810 struct os_reltime now; 811 812 os_get_reltime(&now); 813 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 814 { 815 if ((pin->flags & PIN_EXPIRES) && 816 os_reltime_before(&pin->expiration, &now)) { 817 wpa_hexdump(MSG_DEBUG, "WPS: Expired PIN for UUID", 818 pin->uuid, WPS_UUID_LEN); 819 wps_registrar_remove_pin(reg, pin); 820 } 821 } 822} 823 824 825/** 826 * wps_registrar_invalidate_wildcard_pin - Invalidate a wildcard PIN 827 * @reg: Registrar data from wps_registrar_init() 828 * @dev_pw: PIN to search for or %NULL to match any 829 * @dev_pw_len: Length of dev_pw in octets 830 * Returns: 0 on success, -1 if not wildcard PIN is enabled 831 */ 832static int wps_registrar_invalidate_wildcard_pin(struct wps_registrar *reg, 833 const u8 *dev_pw, 834 size_t dev_pw_len) 835{ 836 struct wps_uuid_pin *pin, *prev; 837 838 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 839 { 840 if (dev_pw && pin->pin && 841 (dev_pw_len != pin->pin_len || 842 os_memcmp_const(dev_pw, pin->pin, dev_pw_len) != 0)) 843 continue; /* different PIN */ 844 if (pin->wildcard_uuid) { 845 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID", 846 pin->uuid, WPS_UUID_LEN); 847 wps_registrar_remove_pin(reg, pin); 848 return 0; 849 } 850 } 851 852 return -1; 853} 854 855 856/** 857 * wps_registrar_invalidate_pin - Invalidate a PIN for a specific UUID-E 858 * @reg: Registrar data from wps_registrar_init() 859 * @uuid: UUID-E 860 * Returns: 0 on success, -1 on failure (e.g., PIN not found) 861 */ 862int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid) 863{ 864 struct wps_uuid_pin *pin, *prev; 865 866 dl_list_for_each_safe(pin, prev, ®->pins, struct wps_uuid_pin, list) 867 { 868 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 869 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID", 870 pin->uuid, WPS_UUID_LEN); 871 wps_registrar_remove_pin(reg, pin); 872 return 0; 873 } 874 } 875 876 return -1; 877} 878 879 880static const u8 * wps_registrar_get_pin(struct wps_registrar *reg, 881 const u8 *uuid, size_t *pin_len) 882{ 883 struct wps_uuid_pin *pin, *found = NULL; 884 885 wps_registrar_expire_pins(reg); 886 887 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 888 if (!pin->wildcard_uuid && 889 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 890 found = pin; 891 break; 892 } 893 } 894 895 if (!found) { 896 /* Check for wildcard UUIDs since none of the UUID-specific 897 * PINs matched */ 898 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 899 if (pin->wildcard_uuid == 1 || 900 pin->wildcard_uuid == 2) { 901 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard " 902 "PIN. Assigned it for this UUID-E"); 903 pin->wildcard_uuid++; 904 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN); 905 found = pin; 906 break; 907 } 908 } 909 } 910 911 if (!found) 912 return NULL; 913 914 /* 915 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN 916 * that could otherwise avoid PIN invalidations. 917 */ 918 if (found->flags & PIN_LOCKED) { 919 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not " 920 "allow concurrent re-use"); 921 return NULL; 922 } 923 *pin_len = found->pin_len; 924 found->flags |= PIN_LOCKED; 925 return found->pin; 926} 927 928 929/** 930 * wps_registrar_unlock_pin - Unlock a PIN for a specific UUID-E 931 * @reg: Registrar data from wps_registrar_init() 932 * @uuid: UUID-E 933 * Returns: 0 on success, -1 on failure 934 * 935 * PINs are locked to enforce only one concurrent use. This function unlocks a 936 * PIN to allow it to be used again. If the specified PIN was configured using 937 * a wildcard UUID, it will be removed instead of allowing multiple uses. 938 */ 939int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid) 940{ 941 struct wps_uuid_pin *pin; 942 943 dl_list_for_each(pin, ®->pins, struct wps_uuid_pin, list) { 944 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 945 if (pin->wildcard_uuid == 3) { 946 wpa_printf(MSG_DEBUG, "WPS: Invalidating used " 947 "wildcard PIN"); 948 return wps_registrar_invalidate_pin(reg, uuid); 949 } 950 pin->flags &= ~PIN_LOCKED; 951 return 0; 952 } 953 } 954 955 return -1; 956} 957 958 959static void wps_registrar_stop_pbc(struct wps_registrar *reg) 960{ 961 reg->selected_registrar = 0; 962 reg->pbc = 0; 963 os_memset(reg->p2p_dev_addr, 0, ETH_ALEN); 964 wps_registrar_remove_authorized_mac(reg, 965 (u8 *) "\xff\xff\xff\xff\xff\xff"); 966 wps_registrar_selected_registrar_changed(reg, 0); 967} 968 969 970static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx) 971{ 972 struct wps_registrar *reg = eloop_ctx; 973 974 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode"); 975 wps_pbc_timeout_event(reg->wps); 976 wps_registrar_stop_pbc(reg); 977} 978 979 980/** 981 * wps_registrar_button_pushed - Notify Registrar that AP button was pushed 982 * @reg: Registrar data from wps_registrar_init() 983 * @p2p_dev_addr: Limit allowed PBC devices to the specified P2P device, %NULL 984 * indicates no such filtering 985 * Returns: 0 on success, -1 on failure, -2 on session overlap 986 * 987 * This function is called on an AP when a push button is pushed to activate 988 * PBC mode. The PBC mode will be stopped after walk time (2 minutes) timeout 989 * or when a PBC registration is completed. If more than one Enrollee in active 990 * PBC mode has been detected during the monitor time (previous 2 minutes), the 991 * PBC mode is not activated and -2 is returned to indicate session overlap. 992 * This is skipped if a specific Enrollee is selected. 993 */ 994int wps_registrar_button_pushed(struct wps_registrar *reg, 995 const u8 *p2p_dev_addr) 996{ 997 if (p2p_dev_addr == NULL && 998 wps_registrar_pbc_overlap(reg, NULL, NULL)) { 999 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC " 1000 "mode"); 1001 wps_pbc_overlap_event(reg->wps); 1002 return -2; 1003 } 1004 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started"); 1005 reg->force_pbc_overlap = 0; 1006 reg->selected_registrar = 1; 1007 reg->pbc = 1; 1008 if (p2p_dev_addr) 1009 os_memcpy(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 1010 else 1011 os_memset(reg->p2p_dev_addr, 0, ETH_ALEN); 1012 wps_registrar_add_authorized_mac(reg, 1013 (u8 *) "\xff\xff\xff\xff\xff\xff"); 1014 wps_registrar_selected_registrar_changed(reg, 0); 1015 1016 wps_pbc_active_event(reg->wps); 1017 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 1018 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1019 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout, 1020 reg, NULL); 1021 return 0; 1022} 1023 1024 1025static void wps_registrar_pbc_completed(struct wps_registrar *reg) 1026{ 1027 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode"); 1028 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1029 wps_registrar_stop_pbc(reg); 1030 wps_pbc_disable_event(reg->wps); 1031} 1032 1033 1034static void wps_registrar_pin_completed(struct wps_registrar *reg) 1035{ 1036 wpa_printf(MSG_DEBUG, "WPS: PIN completed using internal Registrar"); 1037 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 1038 reg->selected_registrar = 0; 1039 wps_registrar_selected_registrar_changed(reg, 0); 1040} 1041 1042 1043void wps_registrar_complete(struct wps_registrar *registrar, const u8 *uuid_e, 1044 const u8 *dev_pw, size_t dev_pw_len) 1045{ 1046 if (registrar->pbc) { 1047 wps_registrar_remove_pbc_session(registrar, 1048 uuid_e, NULL); 1049 wps_registrar_pbc_completed(registrar); 1050#ifdef WPS_WORKAROUNDS 1051 os_get_reltime(®istrar->pbc_ignore_start); 1052#endif /* WPS_WORKAROUNDS */ 1053 os_memcpy(registrar->pbc_ignore_uuid, uuid_e, WPS_UUID_LEN); 1054 } else { 1055 wps_registrar_pin_completed(registrar); 1056 } 1057 1058 if (dev_pw && 1059 wps_registrar_invalidate_wildcard_pin(registrar, dev_pw, 1060 dev_pw_len) == 0) { 1061 wpa_hexdump_key(MSG_DEBUG, "WPS: Invalidated wildcard PIN", 1062 dev_pw, dev_pw_len); 1063 } 1064} 1065 1066 1067int wps_registrar_wps_cancel(struct wps_registrar *reg) 1068{ 1069 if (reg->pbc) { 1070 wpa_printf(MSG_DEBUG, "WPS: PBC is set - cancelling it"); 1071 wps_registrar_pbc_timeout(reg, NULL); 1072 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 1073 return 1; 1074 } else if (reg->selected_registrar) { 1075 /* PIN Method */ 1076 wpa_printf(MSG_DEBUG, "WPS: PIN is set - cancelling it"); 1077 wps_registrar_pin_completed(reg); 1078 wps_registrar_invalidate_wildcard_pin(reg, NULL, 0); 1079 return 1; 1080 } 1081 return 0; 1082} 1083 1084 1085/** 1086 * wps_registrar_probe_req_rx - Notify Registrar of Probe Request 1087 * @reg: Registrar data from wps_registrar_init() 1088 * @addr: MAC address of the Probe Request sender 1089 * @wps_data: WPS IE contents 1090 * 1091 * This function is called on an AP when a Probe Request with WPS IE is 1092 * received. This is used to track PBC mode use and to detect possible overlap 1093 * situation with other WPS APs. 1094 */ 1095void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr, 1096 const struct wpabuf *wps_data, 1097 int p2p_wildcard) 1098{ 1099 struct wps_parse_attr attr; 1100 int skip_add = 0; 1101 1102 wpa_hexdump_buf(MSG_MSGDUMP, 1103 "WPS: Probe Request with WPS data received", 1104 wps_data); 1105 1106 if (wps_parse_msg(wps_data, &attr) < 0) 1107 return; 1108 1109 if (attr.config_methods == NULL) { 1110 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in " 1111 "Probe Request"); 1112 return; 1113 } 1114 1115 if (attr.dev_password_id == NULL) { 1116 wpa_printf(MSG_DEBUG, "WPS: No Device Password Id attribute " 1117 "in Probe Request"); 1118 return; 1119 } 1120 1121 if (reg->enrollee_seen_cb && attr.uuid_e && 1122 attr.primary_dev_type && attr.request_type && !p2p_wildcard) { 1123 char *dev_name = NULL; 1124 if (attr.dev_name) { 1125 dev_name = os_zalloc(attr.dev_name_len + 1); 1126 if (dev_name) { 1127 os_memcpy(dev_name, attr.dev_name, 1128 attr.dev_name_len); 1129 } 1130 } 1131 reg->enrollee_seen_cb(reg->cb_ctx, addr, attr.uuid_e, 1132 attr.primary_dev_type, 1133 WPA_GET_BE16(attr.config_methods), 1134 WPA_GET_BE16(attr.dev_password_id), 1135 *attr.request_type, dev_name); 1136 os_free(dev_name); 1137 } 1138 1139 if (WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON) 1140 return; /* Not PBC */ 1141 1142 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from " 1143 MACSTR, MAC2STR(addr)); 1144 if (attr.uuid_e == NULL) { 1145 wpa_printf(MSG_DEBUG, "WPS: Invalid Probe Request WPS IE: No " 1146 "UUID-E included"); 1147 return; 1148 } 1149 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E from Probe Request", attr.uuid_e, 1150 WPS_UUID_LEN); 1151 1152#ifdef WPS_WORKAROUNDS 1153 if (reg->pbc_ignore_start.sec && 1154 os_memcmp(attr.uuid_e, reg->pbc_ignore_uuid, WPS_UUID_LEN) == 0) { 1155 struct os_reltime now, dur; 1156 os_get_reltime(&now); 1157 os_reltime_sub(&now, ®->pbc_ignore_start, &dur); 1158 if (dur.sec >= 0 && dur.sec < 5) { 1159 wpa_printf(MSG_DEBUG, "WPS: Ignore PBC activation " 1160 "based on Probe Request from the Enrollee " 1161 "that just completed PBC provisioning"); 1162 skip_add = 1; 1163 } else 1164 reg->pbc_ignore_start.sec = 0; 1165 } 1166#endif /* WPS_WORKAROUNDS */ 1167 1168 if (!skip_add) 1169 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e); 1170 if (wps_registrar_pbc_overlap(reg, addr, attr.uuid_e)) { 1171 wpa_printf(MSG_DEBUG, "WPS: PBC session overlap detected"); 1172 reg->force_pbc_overlap = 1; 1173 wps_pbc_overlap_event(reg->wps); 1174 } 1175} 1176 1177 1178int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr, 1179 const u8 *p2p_dev_addr, const u8 *psk, size_t psk_len) 1180{ 1181 if (reg->new_psk_cb == NULL) 1182 return 0; 1183 1184 return reg->new_psk_cb(reg->cb_ctx, mac_addr, p2p_dev_addr, psk, 1185 psk_len); 1186} 1187 1188 1189static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e, 1190 const struct wps_device_data *dev) 1191{ 1192 if (reg->pin_needed_cb == NULL) 1193 return; 1194 1195 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev); 1196} 1197 1198 1199static void wps_cb_reg_success(struct wps_registrar *reg, const u8 *mac_addr, 1200 const u8 *uuid_e, const u8 *dev_pw, 1201 size_t dev_pw_len) 1202{ 1203 if (reg->reg_success_cb == NULL) 1204 return; 1205 1206 reg->reg_success_cb(reg->cb_ctx, mac_addr, uuid_e, dev_pw, dev_pw_len); 1207} 1208 1209 1210static int wps_cb_set_ie(struct wps_registrar *reg, struct wpabuf *beacon_ie, 1211 struct wpabuf *probe_resp_ie) 1212{ 1213 return reg->set_ie_cb(reg->cb_ctx, beacon_ie, probe_resp_ie); 1214} 1215 1216 1217static void wps_cb_set_sel_reg(struct wps_registrar *reg) 1218{ 1219 u16 methods = 0; 1220 if (reg->set_sel_reg_cb == NULL) 1221 return; 1222 1223 if (reg->selected_registrar) { 1224 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 1225 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 1226 WPS_CONFIG_PHY_PUSHBUTTON); 1227 if (reg->pbc) 1228 wps_set_pushbutton(&methods, reg->wps->config_methods); 1229 } 1230 1231 wpa_printf(MSG_DEBUG, "WPS: wps_cb_set_sel_reg: sel_reg=%d " 1232 "config_methods=0x%x pbc=%d methods=0x%x", 1233 reg->selected_registrar, reg->wps->config_methods, 1234 reg->pbc, methods); 1235 1236 reg->set_sel_reg_cb(reg->cb_ctx, reg->selected_registrar, 1237 reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT, 1238 methods); 1239} 1240 1241 1242static int wps_set_ie(struct wps_registrar *reg) 1243{ 1244 struct wpabuf *beacon; 1245 struct wpabuf *probe; 1246 const u8 *auth_macs; 1247 size_t count; 1248 size_t vendor_len = 0; 1249 int i; 1250 1251 if (reg->set_ie_cb == NULL) 1252 return 0; 1253 1254 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) { 1255 if (reg->wps->dev.vendor_ext[i]) { 1256 vendor_len += 2 + 2; 1257 vendor_len += wpabuf_len(reg->wps->dev.vendor_ext[i]); 1258 } 1259 } 1260 1261 beacon = wpabuf_alloc(400 + vendor_len); 1262 if (beacon == NULL) 1263 return -1; 1264 probe = wpabuf_alloc(500 + vendor_len); 1265 if (probe == NULL) { 1266 wpabuf_free(beacon); 1267 return -1; 1268 } 1269 1270 auth_macs = wps_authorized_macs(reg, &count); 1271 1272 wpa_printf(MSG_DEBUG, "WPS: Build Beacon IEs"); 1273 1274 if (wps_build_version(beacon) || 1275 wps_build_wps_state(reg->wps, beacon) || 1276 wps_build_ap_setup_locked(reg->wps, beacon) || 1277 wps_build_selected_registrar(reg, beacon) || 1278 wps_build_sel_reg_dev_password_id(reg, beacon) || 1279 wps_build_sel_reg_config_methods(reg, beacon) || 1280 wps_build_sel_pbc_reg_uuid_e(reg, beacon) || 1281 (reg->dualband && wps_build_rf_bands(®->wps->dev, beacon, 0)) || 1282 wps_build_wfa_ext(beacon, 0, auth_macs, count) || 1283 wps_build_vendor_ext(®->wps->dev, beacon)) { 1284 wpabuf_free(beacon); 1285 wpabuf_free(probe); 1286 return -1; 1287 } 1288 1289#ifdef CONFIG_P2P 1290 if (wps_build_dev_name(®->wps->dev, beacon) || 1291 wps_build_primary_dev_type(®->wps->dev, beacon)) { 1292 wpabuf_free(beacon); 1293 wpabuf_free(probe); 1294 return -1; 1295 } 1296#endif /* CONFIG_P2P */ 1297 1298 wpa_printf(MSG_DEBUG, "WPS: Build Probe Response IEs"); 1299 1300 if (wps_build_version(probe) || 1301 wps_build_wps_state(reg->wps, probe) || 1302 wps_build_ap_setup_locked(reg->wps, probe) || 1303 wps_build_selected_registrar(reg, probe) || 1304 wps_build_sel_reg_dev_password_id(reg, probe) || 1305 wps_build_sel_reg_config_methods(reg, probe) || 1306 wps_build_resp_type(probe, reg->wps->ap ? WPS_RESP_AP : 1307 WPS_RESP_REGISTRAR) || 1308 wps_build_uuid_e(probe, reg->wps->uuid) || 1309 wps_build_device_attrs(®->wps->dev, probe) || 1310 wps_build_probe_config_methods(reg, probe) || 1311 (reg->dualband && wps_build_rf_bands(®->wps->dev, probe, 0)) || 1312 wps_build_wfa_ext(probe, 0, auth_macs, count) || 1313 wps_build_vendor_ext(®->wps->dev, probe)) { 1314 wpabuf_free(beacon); 1315 wpabuf_free(probe); 1316 return -1; 1317 } 1318 1319 beacon = wps_ie_encapsulate(beacon); 1320 probe = wps_ie_encapsulate(probe); 1321 1322 if (!beacon || !probe) { 1323 wpabuf_free(beacon); 1324 wpabuf_free(probe); 1325 return -1; 1326 } 1327 1328 if (reg->static_wep_only) { 1329 /* 1330 * Windows XP and Vista clients can get confused about 1331 * EAP-Identity/Request when they probe the network with 1332 * EAPOL-Start. In such a case, they may assume the network is 1333 * using IEEE 802.1X and prompt user for a certificate while 1334 * the correct (non-WPS) behavior would be to ask for the 1335 * static WEP key. As a workaround, use Microsoft Provisioning 1336 * IE to advertise that legacy 802.1X is not supported. 1337 */ 1338 const u8 ms_wps[7] = { 1339 WLAN_EID_VENDOR_SPECIFIC, 5, 1340 /* Microsoft Provisioning IE (00:50:f2:5) */ 1341 0x00, 0x50, 0xf2, 5, 1342 0x00 /* no legacy 802.1X or MS WPS */ 1343 }; 1344 wpa_printf(MSG_DEBUG, "WPS: Add Microsoft Provisioning IE " 1345 "into Beacon/Probe Response frames"); 1346 wpabuf_put_data(beacon, ms_wps, sizeof(ms_wps)); 1347 wpabuf_put_data(probe, ms_wps, sizeof(ms_wps)); 1348 } 1349 1350 return wps_cb_set_ie(reg, beacon, probe); 1351} 1352 1353 1354static int wps_get_dev_password(struct wps_data *wps) 1355{ 1356 const u8 *pin; 1357 size_t pin_len = 0; 1358 1359 bin_clear_free(wps->dev_password, wps->dev_password_len); 1360 wps->dev_password = NULL; 1361 1362 if (wps->pbc) { 1363 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC"); 1364 pin = (const u8 *) "00000000"; 1365 pin_len = 8; 1366#ifdef CONFIG_WPS_NFC 1367 } else if (wps->nfc_pw_token) { 1368 if (wps->nfc_pw_token->pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) 1369 { 1370 wpa_printf(MSG_DEBUG, "WPS: Using NFC connection " 1371 "handover and abbreviated WPS handshake " 1372 "without Device Password"); 1373 return 0; 1374 } 1375 wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from NFC " 1376 "Password Token"); 1377 pin = wps->nfc_pw_token->dev_pw; 1378 pin_len = wps->nfc_pw_token->dev_pw_len; 1379 } else if (wps->dev_pw_id >= 0x10 && 1380 wps->wps->ap_nfc_dev_pw_id == wps->dev_pw_id && 1381 wps->wps->ap_nfc_dev_pw) { 1382 wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from own NFC Password Token"); 1383 pin = wpabuf_head(wps->wps->ap_nfc_dev_pw); 1384 pin_len = wpabuf_len(wps->wps->ap_nfc_dev_pw); 1385#endif /* CONFIG_WPS_NFC */ 1386 } else { 1387 pin = wps_registrar_get_pin(wps->wps->registrar, wps->uuid_e, 1388 &pin_len); 1389 if (pin && wps->dev_pw_id >= 0x10) { 1390 wpa_printf(MSG_DEBUG, "WPS: No match for OOB Device " 1391 "Password ID, but PIN found"); 1392 /* 1393 * See whether Enrollee is willing to use PIN instead. 1394 */ 1395 wps->dev_pw_id = DEV_PW_DEFAULT; 1396 } 1397 } 1398 if (pin == NULL) { 1399 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for " 1400 "the Enrollee (context %p registrar %p)", 1401 wps->wps, wps->wps->registrar); 1402 wps_cb_pin_needed(wps->wps->registrar, wps->uuid_e, 1403 &wps->peer_dev); 1404 return -1; 1405 } 1406 1407 wps->dev_password = os_malloc(pin_len); 1408 if (wps->dev_password == NULL) 1409 return -1; 1410 os_memcpy(wps->dev_password, pin, pin_len); 1411 wps->dev_password_len = pin_len; 1412 1413 return 0; 1414} 1415 1416 1417static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg) 1418{ 1419 wpa_printf(MSG_DEBUG, "WPS: * UUID-R"); 1420 wpabuf_put_be16(msg, ATTR_UUID_R); 1421 wpabuf_put_be16(msg, WPS_UUID_LEN); 1422 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN); 1423 return 0; 1424} 1425 1426 1427static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg) 1428{ 1429 u8 *hash; 1430 const u8 *addr[4]; 1431 size_t len[4]; 1432 1433 if (random_get_bytes(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0) 1434 return -1; 1435 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN); 1436 wpa_hexdump(MSG_DEBUG, "WPS: R-S2", 1437 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN); 1438 1439 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) { 1440 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for " 1441 "R-Hash derivation"); 1442 return -1; 1443 } 1444 1445 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1"); 1446 wpabuf_put_be16(msg, ATTR_R_HASH1); 1447 wpabuf_put_be16(msg, SHA256_MAC_LEN); 1448 hash = wpabuf_put(msg, SHA256_MAC_LEN); 1449 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */ 1450 addr[0] = wps->snonce; 1451 len[0] = WPS_SECRET_NONCE_LEN; 1452 addr[1] = wps->psk1; 1453 len[1] = WPS_PSK_LEN; 1454 addr[2] = wpabuf_head(wps->dh_pubkey_e); 1455 len[2] = wpabuf_len(wps->dh_pubkey_e); 1456 addr[3] = wpabuf_head(wps->dh_pubkey_r); 1457 len[3] = wpabuf_len(wps->dh_pubkey_r); 1458 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1459 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN); 1460 1461 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2"); 1462 wpabuf_put_be16(msg, ATTR_R_HASH2); 1463 wpabuf_put_be16(msg, SHA256_MAC_LEN); 1464 hash = wpabuf_put(msg, SHA256_MAC_LEN); 1465 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */ 1466 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN; 1467 addr[1] = wps->psk2; 1468 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1469 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN); 1470 1471 return 0; 1472} 1473 1474 1475static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg) 1476{ 1477 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1"); 1478 wpabuf_put_be16(msg, ATTR_R_SNONCE1); 1479 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 1480 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN); 1481 return 0; 1482} 1483 1484 1485static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg) 1486{ 1487 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2"); 1488 wpabuf_put_be16(msg, ATTR_R_SNONCE2); 1489 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 1490 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN, 1491 WPS_SECRET_NONCE_LEN); 1492 return 0; 1493} 1494 1495 1496static int wps_build_cred_network_idx(struct wpabuf *msg, 1497 const struct wps_credential *cred) 1498{ 1499 wpa_printf(MSG_DEBUG, "WPS: * Network Index (1)"); 1500 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX); 1501 wpabuf_put_be16(msg, 1); 1502 wpabuf_put_u8(msg, 1); 1503 return 0; 1504} 1505 1506 1507static int wps_build_cred_ssid(struct wpabuf *msg, 1508 const struct wps_credential *cred) 1509{ 1510 wpa_printf(MSG_DEBUG, "WPS: * SSID"); 1511 wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID for Credential", 1512 cred->ssid, cred->ssid_len); 1513 wpabuf_put_be16(msg, ATTR_SSID); 1514 wpabuf_put_be16(msg, cred->ssid_len); 1515 wpabuf_put_data(msg, cred->ssid, cred->ssid_len); 1516 return 0; 1517} 1518 1519 1520static int wps_build_cred_auth_type(struct wpabuf *msg, 1521 const struct wps_credential *cred) 1522{ 1523 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)", 1524 cred->auth_type); 1525 wpabuf_put_be16(msg, ATTR_AUTH_TYPE); 1526 wpabuf_put_be16(msg, 2); 1527 wpabuf_put_be16(msg, cred->auth_type); 1528 return 0; 1529} 1530 1531 1532static int wps_build_cred_encr_type(struct wpabuf *msg, 1533 const struct wps_credential *cred) 1534{ 1535 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)", 1536 cred->encr_type); 1537 wpabuf_put_be16(msg, ATTR_ENCR_TYPE); 1538 wpabuf_put_be16(msg, 2); 1539 wpabuf_put_be16(msg, cred->encr_type); 1540 return 0; 1541} 1542 1543 1544static int wps_build_cred_network_key(struct wpabuf *msg, 1545 const struct wps_credential *cred) 1546{ 1547 wpa_printf(MSG_DEBUG, "WPS: * Network Key (len=%d)", 1548 (int) cred->key_len); 1549 wpa_hexdump_key(MSG_DEBUG, "WPS: Network Key", 1550 cred->key, cred->key_len); 1551 wpabuf_put_be16(msg, ATTR_NETWORK_KEY); 1552 wpabuf_put_be16(msg, cred->key_len); 1553 wpabuf_put_data(msg, cred->key, cred->key_len); 1554 return 0; 1555} 1556 1557 1558static int wps_build_credential(struct wpabuf *msg, 1559 const struct wps_credential *cred) 1560{ 1561 if (wps_build_cred_network_idx(msg, cred) || 1562 wps_build_cred_ssid(msg, cred) || 1563 wps_build_cred_auth_type(msg, cred) || 1564 wps_build_cred_encr_type(msg, cred) || 1565 wps_build_cred_network_key(msg, cred) || 1566 wps_build_mac_addr(msg, cred->mac_addr)) 1567 return -1; 1568 return 0; 1569} 1570 1571 1572int wps_build_credential_wrap(struct wpabuf *msg, 1573 const struct wps_credential *cred) 1574{ 1575 struct wpabuf *wbuf; 1576 wbuf = wpabuf_alloc(200); 1577 if (wbuf == NULL) 1578 return -1; 1579 if (wps_build_credential(wbuf, cred)) { 1580 wpabuf_free(wbuf); 1581 return -1; 1582 } 1583 wpabuf_put_be16(msg, ATTR_CRED); 1584 wpabuf_put_be16(msg, wpabuf_len(wbuf)); 1585 wpabuf_put_buf(msg, wbuf); 1586 wpabuf_free(wbuf); 1587 return 0; 1588} 1589 1590 1591int wps_build_cred(struct wps_data *wps, struct wpabuf *msg) 1592{ 1593 struct wpabuf *cred; 1594 1595 if (wps->wps->registrar->skip_cred_build) 1596 goto skip_cred_build; 1597 1598 wpa_printf(MSG_DEBUG, "WPS: * Credential"); 1599 if (wps->use_cred) { 1600 os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred)); 1601 goto use_provided; 1602 } 1603 os_memset(&wps->cred, 0, sizeof(wps->cred)); 1604 1605 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 1606 wps->cred.ssid_len = wps->wps->ssid_len; 1607 1608 /* Select the best authentication and encryption type */ 1609 if (wps->auth_type & WPS_AUTH_WPA2PSK) 1610 wps->auth_type = WPS_AUTH_WPA2PSK; 1611 else if (wps->auth_type & WPS_AUTH_WPAPSK) 1612 wps->auth_type = WPS_AUTH_WPAPSK; 1613 else if (wps->auth_type & WPS_AUTH_OPEN) 1614 wps->auth_type = WPS_AUTH_OPEN; 1615 else { 1616 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x", 1617 wps->auth_type); 1618 return -1; 1619 } 1620 wps->cred.auth_type = wps->auth_type; 1621 1622 if (wps->auth_type == WPS_AUTH_WPA2PSK || 1623 wps->auth_type == WPS_AUTH_WPAPSK) { 1624 if (wps->encr_type & WPS_ENCR_AES) 1625 wps->encr_type = WPS_ENCR_AES; 1626 else if (wps->encr_type & WPS_ENCR_TKIP) 1627 wps->encr_type = WPS_ENCR_TKIP; 1628 else { 1629 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1630 "type for WPA/WPA2"); 1631 return -1; 1632 } 1633 } else { 1634 if (wps->encr_type & WPS_ENCR_NONE) 1635 wps->encr_type = WPS_ENCR_NONE; 1636#ifdef CONFIG_TESTING_OPTIONS 1637 else if (wps->encr_type & WPS_ENCR_WEP) 1638 wps->encr_type = WPS_ENCR_WEP; 1639#endif /* CONFIG_TESTING_OPTIONS */ 1640 else { 1641 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1642 "type for non-WPA/WPA2 mode"); 1643 return -1; 1644 } 1645 } 1646 wps->cred.encr_type = wps->encr_type; 1647 /* 1648 * Set MAC address in the Credential to be the Enrollee's MAC address 1649 */ 1650 os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN); 1651 1652 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap && 1653 !wps->wps->registrar->disable_auto_conf) { 1654 u8 r[16]; 1655 /* Generate a random passphrase */ 1656 if (random_pool_ready() != 1 || 1657 random_get_bytes(r, sizeof(r)) < 0) { 1658 wpa_printf(MSG_INFO, 1659 "WPS: Could not generate random PSK"); 1660 return -1; 1661 } 1662 os_free(wps->new_psk); 1663 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len); 1664 if (wps->new_psk == NULL) 1665 return -1; 1666 wps->new_psk_len--; /* remove newline */ 1667 while (wps->new_psk_len && 1668 wps->new_psk[wps->new_psk_len - 1] == '=') 1669 wps->new_psk_len--; 1670 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase", 1671 wps->new_psk, wps->new_psk_len); 1672 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len); 1673 wps->cred.key_len = wps->new_psk_len; 1674 } else if (!wps->wps->registrar->force_per_enrollee_psk && 1675 wps->use_psk_key && wps->wps->psk_set) { 1676 char hex[65]; 1677 wpa_printf(MSG_DEBUG, "WPS: Use PSK format for Network Key"); 1678 wpa_snprintf_hex(hex, sizeof(hex), wps->wps->psk, 32); 1679 os_memcpy(wps->cred.key, hex, 32 * 2); 1680 wps->cred.key_len = 32 * 2; 1681 } else if (!wps->wps->registrar->force_per_enrollee_psk && 1682 wps->wps->network_key) { 1683 os_memcpy(wps->cred.key, wps->wps->network_key, 1684 wps->wps->network_key_len); 1685 wps->cred.key_len = wps->wps->network_key_len; 1686 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) { 1687 char hex[65]; 1688 /* Generate a random per-device PSK */ 1689 os_free(wps->new_psk); 1690 wps->new_psk_len = 32; 1691 wps->new_psk = os_malloc(wps->new_psk_len); 1692 if (wps->new_psk == NULL) 1693 return -1; 1694 if (random_pool_ready() != 1 || 1695 random_get_bytes(wps->new_psk, wps->new_psk_len) < 0) { 1696 wpa_printf(MSG_INFO, 1697 "WPS: Could not generate random PSK"); 1698 os_free(wps->new_psk); 1699 wps->new_psk = NULL; 1700 return -1; 1701 } 1702 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK", 1703 wps->new_psk, wps->new_psk_len); 1704 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk, 1705 wps->new_psk_len); 1706 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2); 1707 wps->cred.key_len = wps->new_psk_len * 2; 1708 } 1709 1710use_provided: 1711#ifdef CONFIG_WPS_TESTING 1712 if (wps_testing_dummy_cred) 1713 cred = wpabuf_alloc(200); 1714 else 1715 cred = NULL; 1716 if (cred) { 1717 struct wps_credential dummy; 1718 wpa_printf(MSG_DEBUG, "WPS: Add dummy credential"); 1719 os_memset(&dummy, 0, sizeof(dummy)); 1720 os_memcpy(dummy.ssid, "dummy", 5); 1721 dummy.ssid_len = 5; 1722 dummy.auth_type = WPS_AUTH_WPA2PSK; 1723 dummy.encr_type = WPS_ENCR_AES; 1724 os_memcpy(dummy.key, "dummy psk", 9); 1725 dummy.key_len = 9; 1726 os_memcpy(dummy.mac_addr, wps->mac_addr_e, ETH_ALEN); 1727 wps_build_credential(cred, &dummy); 1728 wpa_hexdump_buf(MSG_DEBUG, "WPS: Dummy Credential", cred); 1729 1730 wpabuf_put_be16(msg, ATTR_CRED); 1731 wpabuf_put_be16(msg, wpabuf_len(cred)); 1732 wpabuf_put_buf(msg, cred); 1733 1734 wpabuf_free(cred); 1735 } 1736#endif /* CONFIG_WPS_TESTING */ 1737 1738 cred = wpabuf_alloc(200); 1739 if (cred == NULL) 1740 return -1; 1741 1742 if (wps_build_credential(cred, &wps->cred)) { 1743 wpabuf_free(cred); 1744 return -1; 1745 } 1746 1747 wpabuf_put_be16(msg, ATTR_CRED); 1748 wpabuf_put_be16(msg, wpabuf_len(cred)); 1749 wpabuf_put_buf(msg, cred); 1750 wpabuf_free(cred); 1751 1752skip_cred_build: 1753 if (wps->wps->registrar->extra_cred) { 1754 wpa_printf(MSG_DEBUG, "WPS: * Credential (pre-configured)"); 1755 wpabuf_put_buf(msg, wps->wps->registrar->extra_cred); 1756 } 1757 1758 return 0; 1759} 1760 1761 1762static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg) 1763{ 1764 wpa_printf(MSG_DEBUG, "WPS: * AP Settings"); 1765 1766 if (wps_build_credential(msg, &wps->cred)) 1767 return -1; 1768 1769 return 0; 1770} 1771 1772 1773static struct wpabuf * wps_build_ap_cred(struct wps_data *wps) 1774{ 1775 struct wpabuf *msg, *plain; 1776 1777 msg = wpabuf_alloc(1000); 1778 if (msg == NULL) 1779 return NULL; 1780 1781 plain = wpabuf_alloc(200); 1782 if (plain == NULL) { 1783 wpabuf_free(msg); 1784 return NULL; 1785 } 1786 1787 if (wps_build_ap_settings(wps, plain)) { 1788 wpabuf_free(plain); 1789 wpabuf_free(msg); 1790 return NULL; 1791 } 1792 1793 wpabuf_put_be16(msg, ATTR_CRED); 1794 wpabuf_put_be16(msg, wpabuf_len(plain)); 1795 wpabuf_put_buf(msg, plain); 1796 wpabuf_free(plain); 1797 1798 return msg; 1799} 1800 1801 1802static struct wpabuf * wps_build_m2(struct wps_data *wps) 1803{ 1804 struct wpabuf *msg; 1805 int config_in_m2 = 0; 1806 1807 if (random_get_bytes(wps->nonce_r, WPS_NONCE_LEN) < 0) 1808 return NULL; 1809 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce", 1810 wps->nonce_r, WPS_NONCE_LEN); 1811 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN); 1812 1813 wpa_printf(MSG_DEBUG, "WPS: Building Message M2"); 1814 msg = wpabuf_alloc(1000); 1815 if (msg == NULL) 1816 return NULL; 1817 1818 if (wps_build_version(msg) || 1819 wps_build_msg_type(msg, WPS_M2) || 1820 wps_build_enrollee_nonce(wps, msg) || 1821 wps_build_registrar_nonce(wps, msg) || 1822 wps_build_uuid_r(wps, msg) || 1823 wps_build_public_key(wps, msg) || 1824 wps_derive_keys(wps) || 1825 wps_build_auth_type_flags(wps, msg) || 1826 wps_build_encr_type_flags(wps, msg) || 1827 wps_build_conn_type_flags(wps, msg) || 1828 wps_build_config_methods_r(wps->wps->registrar, msg) || 1829 wps_build_device_attrs(&wps->wps->dev, msg) || 1830 wps_build_rf_bands(&wps->wps->dev, msg, 1831 wps->wps->rf_band_cb(wps->wps->cb_ctx)) || 1832 wps_build_assoc_state(wps, msg) || 1833 wps_build_config_error(msg, WPS_CFG_NO_ERROR) || 1834 wps_build_dev_password_id(msg, wps->dev_pw_id) || 1835 wps_build_os_version(&wps->wps->dev, msg) || 1836 wps_build_wfa_ext(msg, 0, NULL, 0)) { 1837 wpabuf_free(msg); 1838 return NULL; 1839 } 1840 1841#ifdef CONFIG_WPS_NFC 1842 if (wps->nfc_pw_token && wps->nfc_pw_token->pk_hash_provided_oob && 1843 wps->nfc_pw_token->pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) { 1844 /* 1845 * Use abbreviated handshake since public key hash allowed 1846 * Enrollee to validate our public key similarly to how Enrollee 1847 * public key was validated. There is no need to validate Device 1848 * Password in this case. 1849 */ 1850 struct wpabuf *plain = wpabuf_alloc(500); 1851 if (plain == NULL || 1852 wps_build_cred(wps, plain) || 1853 wps_build_key_wrap_auth(wps, plain) || 1854 wps_build_encr_settings(wps, msg, plain)) { 1855 wpabuf_free(msg); 1856 wpabuf_free(plain); 1857 return NULL; 1858 } 1859 wpabuf_free(plain); 1860 config_in_m2 = 1; 1861 } 1862#endif /* CONFIG_WPS_NFC */ 1863 1864 if (wps_build_authenticator(wps, msg)) { 1865 wpabuf_free(msg); 1866 return NULL; 1867 } 1868 1869 wps->int_reg = 1; 1870 wps->state = config_in_m2 ? RECV_DONE : RECV_M3; 1871 return msg; 1872} 1873 1874 1875static struct wpabuf * wps_build_m2d(struct wps_data *wps) 1876{ 1877 struct wpabuf *msg; 1878 u16 err = wps->config_error; 1879 1880 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D"); 1881 msg = wpabuf_alloc(1000); 1882 if (msg == NULL) 1883 return NULL; 1884 1885 if (wps->wps->ap && wps->wps->ap_setup_locked && 1886 err == WPS_CFG_NO_ERROR) 1887 err = WPS_CFG_SETUP_LOCKED; 1888 1889 if (wps_build_version(msg) || 1890 wps_build_msg_type(msg, WPS_M2D) || 1891 wps_build_enrollee_nonce(wps, msg) || 1892 wps_build_registrar_nonce(wps, msg) || 1893 wps_build_uuid_r(wps, msg) || 1894 wps_build_auth_type_flags(wps, msg) || 1895 wps_build_encr_type_flags(wps, msg) || 1896 wps_build_conn_type_flags(wps, msg) || 1897 wps_build_config_methods_r(wps->wps->registrar, msg) || 1898 wps_build_device_attrs(&wps->wps->dev, msg) || 1899 wps_build_rf_bands(&wps->wps->dev, msg, 1900 wps->wps->rf_band_cb(wps->wps->cb_ctx)) || 1901 wps_build_assoc_state(wps, msg) || 1902 wps_build_config_error(msg, err) || 1903 wps_build_os_version(&wps->wps->dev, msg) || 1904 wps_build_wfa_ext(msg, 0, NULL, 0)) { 1905 wpabuf_free(msg); 1906 return NULL; 1907 } 1908 1909 wps->state = RECV_M2D_ACK; 1910 return msg; 1911} 1912 1913 1914static struct wpabuf * wps_build_m4(struct wps_data *wps) 1915{ 1916 struct wpabuf *msg, *plain; 1917 1918 wpa_printf(MSG_DEBUG, "WPS: Building Message M4"); 1919 1920 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len); 1921 1922 plain = wpabuf_alloc(200); 1923 if (plain == NULL) 1924 return NULL; 1925 1926 msg = wpabuf_alloc(1000); 1927 if (msg == NULL) { 1928 wpabuf_free(plain); 1929 return NULL; 1930 } 1931 1932 if (wps_build_version(msg) || 1933 wps_build_msg_type(msg, WPS_M4) || 1934 wps_build_enrollee_nonce(wps, msg) || 1935 wps_build_r_hash(wps, msg) || 1936 wps_build_r_snonce1(wps, plain) || 1937 wps_build_key_wrap_auth(wps, plain) || 1938 wps_build_encr_settings(wps, msg, plain) || 1939 wps_build_wfa_ext(msg, 0, NULL, 0) || 1940 wps_build_authenticator(wps, msg)) { 1941 wpabuf_free(plain); 1942 wpabuf_free(msg); 1943 return NULL; 1944 } 1945 wpabuf_free(plain); 1946 1947 wps->state = RECV_M5; 1948 return msg; 1949} 1950 1951 1952static struct wpabuf * wps_build_m6(struct wps_data *wps) 1953{ 1954 struct wpabuf *msg, *plain; 1955 1956 wpa_printf(MSG_DEBUG, "WPS: Building Message M6"); 1957 1958 plain = wpabuf_alloc(200); 1959 if (plain == NULL) 1960 return NULL; 1961 1962 msg = wpabuf_alloc(1000); 1963 if (msg == NULL) { 1964 wpabuf_free(plain); 1965 return NULL; 1966 } 1967 1968 if (wps_build_version(msg) || 1969 wps_build_msg_type(msg, WPS_M6) || 1970 wps_build_enrollee_nonce(wps, msg) || 1971 wps_build_r_snonce2(wps, plain) || 1972 wps_build_key_wrap_auth(wps, plain) || 1973 wps_build_encr_settings(wps, msg, plain) || 1974 wps_build_wfa_ext(msg, 0, NULL, 0) || 1975 wps_build_authenticator(wps, msg)) { 1976 wpabuf_free(plain); 1977 wpabuf_free(msg); 1978 return NULL; 1979 } 1980 wpabuf_free(plain); 1981 1982 wps->wps_pin_revealed = 1; 1983 wps->state = RECV_M7; 1984 return msg; 1985} 1986 1987 1988static struct wpabuf * wps_build_m8(struct wps_data *wps) 1989{ 1990 struct wpabuf *msg, *plain; 1991 1992 wpa_printf(MSG_DEBUG, "WPS: Building Message M8"); 1993 1994 plain = wpabuf_alloc(500); 1995 if (plain == NULL) 1996 return NULL; 1997 1998 msg = wpabuf_alloc(1000); 1999 if (msg == NULL) { 2000 wpabuf_free(plain); 2001 return NULL; 2002 } 2003 2004 if (wps_build_version(msg) || 2005 wps_build_msg_type(msg, WPS_M8) || 2006 wps_build_enrollee_nonce(wps, msg) || 2007 ((wps->wps->ap || wps->er) && wps_build_cred(wps, plain)) || 2008 (!wps->wps->ap && !wps->er && wps_build_ap_settings(wps, plain)) || 2009 wps_build_key_wrap_auth(wps, plain) || 2010 wps_build_encr_settings(wps, msg, plain) || 2011 wps_build_wfa_ext(msg, 0, NULL, 0) || 2012 wps_build_authenticator(wps, msg)) { 2013 wpabuf_free(plain); 2014 wpabuf_free(msg); 2015 return NULL; 2016 } 2017 wpabuf_free(plain); 2018 2019 wps->state = RECV_DONE; 2020 return msg; 2021} 2022 2023 2024struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, 2025 enum wsc_op_code *op_code) 2026{ 2027 struct wpabuf *msg; 2028 2029#ifdef CONFIG_WPS_UPNP 2030 if (!wps->int_reg && wps->wps->wps_upnp) { 2031 struct upnp_pending_message *p, *prev = NULL; 2032 if (wps->ext_reg > 1) 2033 wps_registrar_free_pending_m2(wps->wps); 2034 p = wps->wps->upnp_msgs; 2035 /* TODO: check pending message MAC address */ 2036 while (p && p->next) { 2037 prev = p; 2038 p = p->next; 2039 } 2040 if (p) { 2041 wpa_printf(MSG_DEBUG, "WPS: Use pending message from " 2042 "UPnP"); 2043 if (prev) 2044 prev->next = NULL; 2045 else 2046 wps->wps->upnp_msgs = NULL; 2047 msg = p->msg; 2048 switch (p->type) { 2049 case WPS_WSC_ACK: 2050 *op_code = WSC_ACK; 2051 break; 2052 case WPS_WSC_NACK: 2053 *op_code = WSC_NACK; 2054 break; 2055 default: 2056 *op_code = WSC_MSG; 2057 break; 2058 } 2059 os_free(p); 2060 if (wps->ext_reg == 0) 2061 wps->ext_reg = 1; 2062 return msg; 2063 } 2064 } 2065 if (wps->ext_reg) { 2066 wpa_printf(MSG_DEBUG, "WPS: Using external Registrar, but no " 2067 "pending message available"); 2068 return NULL; 2069 } 2070#endif /* CONFIG_WPS_UPNP */ 2071 2072 switch (wps->state) { 2073 case SEND_M2: 2074 if (wps_get_dev_password(wps) < 0) 2075 msg = wps_build_m2d(wps); 2076 else 2077 msg = wps_build_m2(wps); 2078 *op_code = WSC_MSG; 2079 break; 2080 case SEND_M2D: 2081 msg = wps_build_m2d(wps); 2082 *op_code = WSC_MSG; 2083 break; 2084 case SEND_M4: 2085 msg = wps_build_m4(wps); 2086 *op_code = WSC_MSG; 2087 break; 2088 case SEND_M6: 2089 msg = wps_build_m6(wps); 2090 *op_code = WSC_MSG; 2091 break; 2092 case SEND_M8: 2093 msg = wps_build_m8(wps); 2094 *op_code = WSC_MSG; 2095 break; 2096 case RECV_DONE: 2097 msg = wps_build_wsc_ack(wps); 2098 *op_code = WSC_ACK; 2099 break; 2100 case SEND_WSC_NACK: 2101 msg = wps_build_wsc_nack(wps); 2102 *op_code = WSC_NACK; 2103 break; 2104 default: 2105 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building " 2106 "a message", wps->state); 2107 msg = NULL; 2108 break; 2109 } 2110 2111 if (*op_code == WSC_MSG && msg) { 2112 /* Save a copy of the last message for Authenticator derivation 2113 */ 2114 wpabuf_free(wps->last_msg); 2115 wps->last_msg = wpabuf_dup(msg); 2116 } 2117 2118 return msg; 2119} 2120 2121 2122static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce) 2123{ 2124 if (e_nonce == NULL) { 2125 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received"); 2126 return -1; 2127 } 2128 2129 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN); 2130 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce", 2131 wps->nonce_e, WPS_NONCE_LEN); 2132 2133 return 0; 2134} 2135 2136 2137static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce) 2138{ 2139 if (r_nonce == NULL) { 2140 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received"); 2141 return -1; 2142 } 2143 2144 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) { 2145 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received"); 2146 return -1; 2147 } 2148 2149 return 0; 2150} 2151 2152 2153static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e) 2154{ 2155 if (uuid_e == NULL) { 2156 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received"); 2157 return -1; 2158 } 2159 2160 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN); 2161 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN); 2162 2163 return 0; 2164} 2165 2166 2167static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id) 2168{ 2169 if (pw_id == NULL) { 2170 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received"); 2171 return -1; 2172 } 2173 2174 wps->dev_pw_id = WPA_GET_BE16(pw_id); 2175 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id); 2176 2177 return 0; 2178} 2179 2180 2181static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1) 2182{ 2183 if (e_hash1 == NULL) { 2184 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received"); 2185 return -1; 2186 } 2187 2188 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN); 2189 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN); 2190 2191 return 0; 2192} 2193 2194 2195static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2) 2196{ 2197 if (e_hash2 == NULL) { 2198 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received"); 2199 return -1; 2200 } 2201 2202 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN); 2203 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN); 2204 2205 return 0; 2206} 2207 2208 2209static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1) 2210{ 2211 u8 hash[SHA256_MAC_LEN]; 2212 const u8 *addr[4]; 2213 size_t len[4]; 2214 2215 if (e_snonce1 == NULL) { 2216 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received"); 2217 return -1; 2218 } 2219 2220 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1, 2221 WPS_SECRET_NONCE_LEN); 2222 2223 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */ 2224 addr[0] = e_snonce1; 2225 len[0] = WPS_SECRET_NONCE_LEN; 2226 addr[1] = wps->psk1; 2227 len[1] = WPS_PSK_LEN; 2228 addr[2] = wpabuf_head(wps->dh_pubkey_e); 2229 len[2] = wpabuf_len(wps->dh_pubkey_e); 2230 addr[3] = wpabuf_head(wps->dh_pubkey_r); 2231 len[3] = wpabuf_len(wps->dh_pubkey_r); 2232 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 2233 2234 if (os_memcmp_const(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) { 2235 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does " 2236 "not match with the pre-committed value"); 2237 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 2238 wps_pwd_auth_fail_event(wps->wps, 0, 1, wps->mac_addr_e); 2239 return -1; 2240 } 2241 2242 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first " 2243 "half of the device password"); 2244 2245 return 0; 2246} 2247 2248 2249static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2) 2250{ 2251 u8 hash[SHA256_MAC_LEN]; 2252 const u8 *addr[4]; 2253 size_t len[4]; 2254 2255 if (e_snonce2 == NULL) { 2256 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received"); 2257 return -1; 2258 } 2259 2260 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2, 2261 WPS_SECRET_NONCE_LEN); 2262 2263 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */ 2264 addr[0] = e_snonce2; 2265 len[0] = WPS_SECRET_NONCE_LEN; 2266 addr[1] = wps->psk2; 2267 len[1] = WPS_PSK_LEN; 2268 addr[2] = wpabuf_head(wps->dh_pubkey_e); 2269 len[2] = wpabuf_len(wps->dh_pubkey_e); 2270 addr[3] = wpabuf_head(wps->dh_pubkey_r); 2271 len[3] = wpabuf_len(wps->dh_pubkey_r); 2272 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 2273 2274 if (os_memcmp_const(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) { 2275 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does " 2276 "not match with the pre-committed value"); 2277 wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e); 2278 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 2279 wps_pwd_auth_fail_event(wps->wps, 0, 2, wps->mac_addr_e); 2280 return -1; 2281 } 2282 2283 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second " 2284 "half of the device password"); 2285 wps->wps_pin_revealed = 0; 2286 wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e); 2287 2288 /* 2289 * In case wildcard PIN is used and WPS handshake succeeds in the first 2290 * attempt, wps_registrar_unlock_pin() would not free the PIN, so make 2291 * sure the PIN gets invalidated here. 2292 */ 2293 wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e); 2294 2295 return 0; 2296} 2297 2298 2299static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr) 2300{ 2301 if (mac_addr == NULL) { 2302 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received"); 2303 return -1; 2304 } 2305 2306 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR, 2307 MAC2STR(mac_addr)); 2308 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN); 2309 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN); 2310 2311 return 0; 2312} 2313 2314 2315static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, 2316 size_t pk_len) 2317{ 2318 if (pk == NULL || pk_len == 0) { 2319 wpa_printf(MSG_DEBUG, "WPS: No Public Key received"); 2320 return -1; 2321 } 2322 2323 wpabuf_free(wps->dh_pubkey_e); 2324 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len); 2325 if (wps->dh_pubkey_e == NULL) 2326 return -1; 2327 2328 return 0; 2329} 2330 2331 2332static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth) 2333{ 2334 u16 auth_types; 2335 2336 if (auth == NULL) { 2337 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags " 2338 "received"); 2339 return -1; 2340 } 2341 2342 auth_types = WPA_GET_BE16(auth); 2343 2344 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x", 2345 auth_types); 2346 wps->auth_type = wps->wps->auth_types & auth_types; 2347 if (wps->auth_type == 0) { 2348 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 2349 "authentication types (own 0x%x Enrollee 0x%x)", 2350 wps->wps->auth_types, auth_types); 2351#ifdef WPS_WORKAROUNDS 2352 /* 2353 * Some deployed implementations seem to advertise incorrect 2354 * information in this attribute. For example, Linksys WRT350N 2355 * seems to have a byteorder bug that breaks this negotiation. 2356 * In order to interoperate with existing implementations, 2357 * assume that the Enrollee supports everything we do. 2358 */ 2359 wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee " 2360 "does not advertise supported authentication types " 2361 "correctly"); 2362 wps->auth_type = wps->wps->auth_types; 2363#else /* WPS_WORKAROUNDS */ 2364 return -1; 2365#endif /* WPS_WORKAROUNDS */ 2366 } 2367 2368 return 0; 2369} 2370 2371 2372static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr) 2373{ 2374 u16 encr_types; 2375 2376 if (encr == NULL) { 2377 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags " 2378 "received"); 2379 return -1; 2380 } 2381 2382 encr_types = WPA_GET_BE16(encr); 2383 2384 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x", 2385 encr_types); 2386 wps->encr_type = wps->wps->encr_types & encr_types; 2387 if (wps->encr_type == 0) { 2388 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 2389 "encryption types (own 0x%x Enrollee 0x%x)", 2390 wps->wps->encr_types, encr_types); 2391#ifdef WPS_WORKAROUNDS 2392 /* 2393 * Some deployed implementations seem to advertise incorrect 2394 * information in this attribute. For example, Linksys WRT350N 2395 * seems to have a byteorder bug that breaks this negotiation. 2396 * In order to interoperate with existing implementations, 2397 * assume that the Enrollee supports everything we do. 2398 */ 2399 wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee " 2400 "does not advertise supported encryption types " 2401 "correctly"); 2402 wps->encr_type = wps->wps->encr_types; 2403#else /* WPS_WORKAROUNDS */ 2404 return -1; 2405#endif /* WPS_WORKAROUNDS */ 2406 } 2407 2408 return 0; 2409} 2410 2411 2412static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn) 2413{ 2414 if (conn == NULL) { 2415 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags " 2416 "received"); 2417 return -1; 2418 } 2419 2420 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x", 2421 *conn); 2422 2423 return 0; 2424} 2425 2426 2427static int wps_process_config_methods(struct wps_data *wps, const u8 *methods) 2428{ 2429 u16 m; 2430 2431 if (methods == NULL) { 2432 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received"); 2433 return -1; 2434 } 2435 2436 m = WPA_GET_BE16(methods); 2437 2438 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x" 2439 "%s%s%s%s%s%s%s%s%s", m, 2440 m & WPS_CONFIG_USBA ? " [USBA]" : "", 2441 m & WPS_CONFIG_ETHERNET ? " [Ethernet]" : "", 2442 m & WPS_CONFIG_LABEL ? " [Label]" : "", 2443 m & WPS_CONFIG_DISPLAY ? " [Display]" : "", 2444 m & WPS_CONFIG_EXT_NFC_TOKEN ? " [Ext NFC Token]" : "", 2445 m & WPS_CONFIG_INT_NFC_TOKEN ? " [Int NFC Token]" : "", 2446 m & WPS_CONFIG_NFC_INTERFACE ? " [NFC]" : "", 2447 m & WPS_CONFIG_PUSHBUTTON ? " [PBC]" : "", 2448 m & WPS_CONFIG_KEYPAD ? " [Keypad]" : ""); 2449 2450 if (!(m & WPS_CONFIG_DISPLAY) && !wps->use_psk_key) { 2451 /* 2452 * The Enrollee does not have a display so it is unlikely to be 2453 * able to show the passphrase to a user and as such, could 2454 * benefit from receiving PSK to reduce key derivation time. 2455 */ 2456 wpa_printf(MSG_DEBUG, "WPS: Prefer PSK format key due to " 2457 "Enrollee not supporting display"); 2458 wps->use_psk_key = 1; 2459 } 2460 2461 return 0; 2462} 2463 2464 2465static int wps_process_wps_state(struct wps_data *wps, const u8 *state) 2466{ 2467 if (state == NULL) { 2468 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State " 2469 "received"); 2470 return -1; 2471 } 2472 2473 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d", 2474 *state); 2475 2476 return 0; 2477} 2478 2479 2480static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc) 2481{ 2482 u16 a; 2483 2484 if (assoc == NULL) { 2485 wpa_printf(MSG_DEBUG, "WPS: No Association State received"); 2486 return -1; 2487 } 2488 2489 a = WPA_GET_BE16(assoc); 2490 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a); 2491 2492 return 0; 2493} 2494 2495 2496static int wps_process_config_error(struct wps_data *wps, const u8 *err) 2497{ 2498 u16 e; 2499 2500 if (err == NULL) { 2501 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received"); 2502 return -1; 2503 } 2504 2505 e = WPA_GET_BE16(err); 2506 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e); 2507 2508 return 0; 2509} 2510 2511 2512static int wps_registrar_p2p_dev_addr_match(struct wps_data *wps) 2513{ 2514#ifdef CONFIG_P2P 2515 struct wps_registrar *reg = wps->wps->registrar; 2516 2517 if (is_zero_ether_addr(reg->p2p_dev_addr)) 2518 return 1; /* no filtering in use */ 2519 2520 if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) != 0) { 2521 wpa_printf(MSG_DEBUG, "WPS: No match on P2P Device Address " 2522 "filtering for PBC: expected " MACSTR " was " 2523 MACSTR " - indicate PBC session overlap", 2524 MAC2STR(reg->p2p_dev_addr), 2525 MAC2STR(wps->p2p_dev_addr)); 2526 return 0; 2527 } 2528#endif /* CONFIG_P2P */ 2529 return 1; 2530} 2531 2532 2533static int wps_registrar_skip_overlap(struct wps_data *wps) 2534{ 2535#ifdef CONFIG_P2P 2536 struct wps_registrar *reg = wps->wps->registrar; 2537 2538 if (is_zero_ether_addr(reg->p2p_dev_addr)) 2539 return 0; /* no specific Enrollee selected */ 2540 2541 if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) == 0) { 2542 wpa_printf(MSG_DEBUG, "WPS: Skip PBC overlap due to selected " 2543 "Enrollee match"); 2544 return 1; 2545 } 2546#endif /* CONFIG_P2P */ 2547 return 0; 2548} 2549 2550 2551static enum wps_process_res wps_process_m1(struct wps_data *wps, 2552 struct wps_parse_attr *attr) 2553{ 2554 wpa_printf(MSG_DEBUG, "WPS: Received M1"); 2555 2556 if (wps->state != RECV_M1) { 2557 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2558 "receiving M1", wps->state); 2559 return WPS_FAILURE; 2560 } 2561 2562 if (wps_process_uuid_e(wps, attr->uuid_e) || 2563 wps_process_mac_addr(wps, attr->mac_addr) || 2564 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || 2565 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) || 2566 wps_process_auth_type_flags(wps, attr->auth_type_flags) || 2567 wps_process_encr_type_flags(wps, attr->encr_type_flags) || 2568 wps_process_conn_type_flags(wps, attr->conn_type_flags) || 2569 wps_process_config_methods(wps, attr->config_methods) || 2570 wps_process_wps_state(wps, attr->wps_state) || 2571 wps_process_device_attrs(&wps->peer_dev, attr) || 2572 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) || 2573 wps_process_assoc_state(wps, attr->assoc_state) || 2574 wps_process_dev_password_id(wps, attr->dev_password_id) || 2575 wps_process_config_error(wps, attr->config_error) || 2576 wps_process_os_version(&wps->peer_dev, attr->os_version)) 2577 return WPS_FAILURE; 2578 2579 if (wps->dev_pw_id < 0x10 && 2580 wps->dev_pw_id != DEV_PW_DEFAULT && 2581 wps->dev_pw_id != DEV_PW_USER_SPECIFIED && 2582 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED && 2583 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED && 2584#ifdef CONFIG_WPS_NFC 2585 wps->dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER && 2586#endif /* CONFIG_WPS_NFC */ 2587 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || 2588 !wps->wps->registrar->pbc)) { 2589 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d", 2590 wps->dev_pw_id); 2591 wps->state = SEND_M2D; 2592 return WPS_CONTINUE; 2593 } 2594 2595#ifdef CONFIG_WPS_NFC 2596 if (wps->dev_pw_id >= 0x10 || 2597 wps->dev_pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) { 2598 struct wps_nfc_pw_token *token; 2599 const u8 *addr[1]; 2600 u8 hash[WPS_HASH_LEN]; 2601 2602 wpa_printf(MSG_DEBUG, "WPS: Searching for NFC token match for id=%d (ctx %p registrar %p)", 2603 wps->dev_pw_id, wps->wps, wps->wps->registrar); 2604 token = wps_get_nfc_pw_token( 2605 &wps->wps->registrar->nfc_pw_tokens, wps->dev_pw_id); 2606 if (token && token->peer_pk_hash_known) { 2607 wpa_printf(MSG_DEBUG, "WPS: Found matching NFC " 2608 "Password Token"); 2609 dl_list_del(&token->list); 2610 wps->nfc_pw_token = token; 2611 2612 addr[0] = attr->public_key; 2613 sha256_vector(1, addr, &attr->public_key_len, hash); 2614 if (os_memcmp_const(hash, 2615 wps->nfc_pw_token->pubkey_hash, 2616 WPS_OOB_PUBKEY_HASH_LEN) != 0) { 2617 wpa_printf(MSG_ERROR, "WPS: Public Key hash " 2618 "mismatch"); 2619 wps->state = SEND_M2D; 2620 wps->config_error = 2621 WPS_CFG_PUBLIC_KEY_HASH_MISMATCH; 2622 return WPS_CONTINUE; 2623 } 2624 } else if (token) { 2625 wpa_printf(MSG_DEBUG, "WPS: Found matching NFC " 2626 "Password Token (no peer PK hash)"); 2627 wps->nfc_pw_token = token; 2628 } else if (wps->dev_pw_id >= 0x10 && 2629 wps->wps->ap_nfc_dev_pw_id == wps->dev_pw_id && 2630 wps->wps->ap_nfc_dev_pw) { 2631 wpa_printf(MSG_DEBUG, "WPS: Found match with own NFC Password Token"); 2632 } 2633 } 2634#endif /* CONFIG_WPS_NFC */ 2635 2636 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) { 2637 if ((wps->wps->registrar->force_pbc_overlap || 2638 wps_registrar_pbc_overlap(wps->wps->registrar, 2639 wps->mac_addr_e, wps->uuid_e) || 2640 !wps_registrar_p2p_dev_addr_match(wps)) && 2641 !wps_registrar_skip_overlap(wps)) { 2642 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC " 2643 "negotiation"); 2644 wps->state = SEND_M2D; 2645 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2646 wps_pbc_overlap_event(wps->wps); 2647 wps_fail_event(wps->wps, WPS_M1, 2648 WPS_CFG_MULTIPLE_PBC_DETECTED, 2649 WPS_EI_NO_ERROR, wps->mac_addr_e); 2650 wps->wps->registrar->force_pbc_overlap = 1; 2651 return WPS_CONTINUE; 2652 } 2653 wps_registrar_add_pbc_session(wps->wps->registrar, 2654 wps->mac_addr_e, wps->uuid_e); 2655 wps->pbc = 1; 2656 } 2657 2658#ifdef WPS_WORKAROUNDS 2659 /* 2660 * It looks like Mac OS X 10.6.3 and 10.6.4 do not like Network Key in 2661 * passphrase format. To avoid interop issues, force PSK format to be 2662 * used. 2663 */ 2664 if (!wps->use_psk_key && 2665 wps->peer_dev.manufacturer && 2666 os_strncmp(wps->peer_dev.manufacturer, "Apple ", 6) == 0 && 2667 wps->peer_dev.model_name && 2668 os_strcmp(wps->peer_dev.model_name, "AirPort") == 0) { 2669 wpa_printf(MSG_DEBUG, "WPS: Workaround - Force Network Key in " 2670 "PSK format"); 2671 wps->use_psk_key = 1; 2672 } 2673#endif /* WPS_WORKAROUNDS */ 2674 2675 wps->state = SEND_M2; 2676 return WPS_CONTINUE; 2677} 2678 2679 2680static enum wps_process_res wps_process_m3(struct wps_data *wps, 2681 const struct wpabuf *msg, 2682 struct wps_parse_attr *attr) 2683{ 2684 wpa_printf(MSG_DEBUG, "WPS: Received M3"); 2685 2686 if (wps->state != RECV_M3) { 2687 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2688 "receiving M3", wps->state); 2689 wps->state = SEND_WSC_NACK; 2690 return WPS_CONTINUE; 2691 } 2692 2693 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2694 !wps_registrar_skip_overlap(wps)) { 2695 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2696 "session overlap"); 2697 wps->state = SEND_WSC_NACK; 2698 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2699 return WPS_CONTINUE; 2700 } 2701 2702 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2703 wps_process_authenticator(wps, attr->authenticator, msg) || 2704 wps_process_e_hash1(wps, attr->e_hash1) || 2705 wps_process_e_hash2(wps, attr->e_hash2)) { 2706 wps->state = SEND_WSC_NACK; 2707 return WPS_CONTINUE; 2708 } 2709 2710 wps->state = SEND_M4; 2711 return WPS_CONTINUE; 2712} 2713 2714 2715static enum wps_process_res wps_process_m5(struct wps_data *wps, 2716 const struct wpabuf *msg, 2717 struct wps_parse_attr *attr) 2718{ 2719 struct wpabuf *decrypted; 2720 struct wps_parse_attr eattr; 2721 2722 wpa_printf(MSG_DEBUG, "WPS: Received M5"); 2723 2724 if (wps->state != RECV_M5) { 2725 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2726 "receiving M5", wps->state); 2727 wps->state = SEND_WSC_NACK; 2728 return WPS_CONTINUE; 2729 } 2730 2731 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2732 !wps_registrar_skip_overlap(wps)) { 2733 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2734 "session overlap"); 2735 wps->state = SEND_WSC_NACK; 2736 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2737 return WPS_CONTINUE; 2738 } 2739 2740 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2741 wps_process_authenticator(wps, attr->authenticator, msg)) { 2742 wps->state = SEND_WSC_NACK; 2743 return WPS_CONTINUE; 2744 } 2745 2746 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 2747 attr->encr_settings_len); 2748 if (decrypted == NULL) { 2749 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " 2750 "Settings attribute"); 2751 wps->state = SEND_WSC_NACK; 2752 return WPS_CONTINUE; 2753 } 2754 2755 if (wps_validate_m5_encr(decrypted, attr->version2 != NULL) < 0) { 2756 wpabuf_free(decrypted); 2757 wps->state = SEND_WSC_NACK; 2758 return WPS_CONTINUE; 2759 } 2760 2761 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 2762 "attribute"); 2763 if (wps_parse_msg(decrypted, &eattr) < 0 || 2764 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 2765 wps_process_e_snonce1(wps, eattr.e_snonce1)) { 2766 wpabuf_free(decrypted); 2767 wps->state = SEND_WSC_NACK; 2768 return WPS_CONTINUE; 2769 } 2770 wpabuf_free(decrypted); 2771 2772 wps->state = SEND_M6; 2773 return WPS_CONTINUE; 2774} 2775 2776 2777static void wps_sta_cred_cb(struct wps_data *wps) 2778{ 2779 /* 2780 * Update credential to only include a single authentication and 2781 * encryption type in case the AP configuration includes more than one 2782 * option. 2783 */ 2784 if (wps->cred.auth_type & WPS_AUTH_WPA2PSK) 2785 wps->cred.auth_type = WPS_AUTH_WPA2PSK; 2786 else if (wps->cred.auth_type & WPS_AUTH_WPAPSK) 2787 wps->cred.auth_type = WPS_AUTH_WPAPSK; 2788 if (wps->cred.encr_type & WPS_ENCR_AES) 2789 wps->cred.encr_type = WPS_ENCR_AES; 2790 else if (wps->cred.encr_type & WPS_ENCR_TKIP) 2791 wps->cred.encr_type = WPS_ENCR_TKIP; 2792 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based on the " 2793 "AP configuration"); 2794 if (wps->wps->cred_cb) 2795 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred); 2796} 2797 2798 2799static void wps_cred_update(struct wps_credential *dst, 2800 struct wps_credential *src) 2801{ 2802 os_memcpy(dst->ssid, src->ssid, sizeof(dst->ssid)); 2803 dst->ssid_len = src->ssid_len; 2804 dst->auth_type = src->auth_type; 2805 dst->encr_type = src->encr_type; 2806 dst->key_idx = src->key_idx; 2807 os_memcpy(dst->key, src->key, sizeof(dst->key)); 2808 dst->key_len = src->key_len; 2809} 2810 2811 2812static int wps_process_ap_settings_r(struct wps_data *wps, 2813 struct wps_parse_attr *attr) 2814{ 2815 struct wpabuf *msg; 2816 2817 if (wps->wps->ap || wps->er) 2818 return 0; 2819 2820 /* AP Settings Attributes in M7 when Enrollee is an AP */ 2821 if (wps_process_ap_settings(attr, &wps->cred) < 0) 2822 return -1; 2823 2824 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP"); 2825 2826 if (wps->new_ap_settings) { 2827 wpa_printf(MSG_INFO, "WPS: Update AP configuration based on " 2828 "new settings"); 2829 wps_cred_update(&wps->cred, wps->new_ap_settings); 2830 return 0; 2831 } else { 2832 /* 2833 * Use the AP PIN only to receive the current AP settings, not 2834 * to reconfigure the AP. 2835 */ 2836 2837 /* 2838 * Clear selected registrar here since we do not get to 2839 * WSC_Done in this protocol run. 2840 */ 2841 wps_registrar_pin_completed(wps->wps->registrar); 2842 2843 msg = wps_build_ap_cred(wps); 2844 if (msg == NULL) 2845 return -1; 2846 wps->cred.cred_attr = wpabuf_head(msg); 2847 wps->cred.cred_attr_len = wpabuf_len(msg); 2848 2849 if (wps->ap_settings_cb) { 2850 wps->ap_settings_cb(wps->ap_settings_cb_ctx, 2851 &wps->cred); 2852 wpabuf_free(msg); 2853 return 1; 2854 } 2855 wps_sta_cred_cb(wps); 2856 2857 wps->cred.cred_attr = NULL; 2858 wps->cred.cred_attr_len = 0; 2859 wpabuf_free(msg); 2860 2861 return 1; 2862 } 2863} 2864 2865 2866static enum wps_process_res wps_process_m7(struct wps_data *wps, 2867 const struct wpabuf *msg, 2868 struct wps_parse_attr *attr) 2869{ 2870 struct wpabuf *decrypted; 2871 struct wps_parse_attr eattr; 2872 2873 wpa_printf(MSG_DEBUG, "WPS: Received M7"); 2874 2875 if (wps->state != RECV_M7) { 2876 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2877 "receiving M7", wps->state); 2878 wps->state = SEND_WSC_NACK; 2879 return WPS_CONTINUE; 2880 } 2881 2882 if (wps->pbc && wps->wps->registrar->force_pbc_overlap && 2883 !wps_registrar_skip_overlap(wps)) { 2884 wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC " 2885 "session overlap"); 2886 wps->state = SEND_WSC_NACK; 2887 wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED; 2888 return WPS_CONTINUE; 2889 } 2890 2891 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 2892 wps_process_authenticator(wps, attr->authenticator, msg)) { 2893 wps->state = SEND_WSC_NACK; 2894 return WPS_CONTINUE; 2895 } 2896 2897 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 2898 attr->encr_settings_len); 2899 if (decrypted == NULL) { 2900 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypt Encrypted " 2901 "Settings attribute"); 2902 wps->state = SEND_WSC_NACK; 2903 return WPS_CONTINUE; 2904 } 2905 2906 if (wps_validate_m7_encr(decrypted, wps->wps->ap || wps->er, 2907 attr->version2 != NULL) < 0) { 2908 wpabuf_free(decrypted); 2909 wps->state = SEND_WSC_NACK; 2910 return WPS_CONTINUE; 2911 } 2912 2913 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 2914 "attribute"); 2915 if (wps_parse_msg(decrypted, &eattr) < 0 || 2916 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 2917 wps_process_e_snonce2(wps, eattr.e_snonce2) || 2918 wps_process_ap_settings_r(wps, &eattr)) { 2919 wpabuf_free(decrypted); 2920 wps->state = SEND_WSC_NACK; 2921 return WPS_CONTINUE; 2922 } 2923 2924 wpabuf_free(decrypted); 2925 2926 wps->state = SEND_M8; 2927 return WPS_CONTINUE; 2928} 2929 2930 2931static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, 2932 const struct wpabuf *msg) 2933{ 2934 struct wps_parse_attr attr; 2935 enum wps_process_res ret = WPS_CONTINUE; 2936 2937 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG"); 2938 2939 if (wps_parse_msg(msg, &attr) < 0) 2940 return WPS_FAILURE; 2941 2942 if (attr.msg_type == NULL) { 2943 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2944 wps->state = SEND_WSC_NACK; 2945 return WPS_CONTINUE; 2946 } 2947 2948 if (*attr.msg_type != WPS_M1 && 2949 (attr.registrar_nonce == NULL || 2950 os_memcmp(wps->nonce_r, attr.registrar_nonce, 2951 WPS_NONCE_LEN) != 0)) { 2952 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2953 return WPS_FAILURE; 2954 } 2955 2956 switch (*attr.msg_type) { 2957 case WPS_M1: 2958 if (wps_validate_m1(msg) < 0) 2959 return WPS_FAILURE; 2960#ifdef CONFIG_WPS_UPNP 2961 if (wps->wps->wps_upnp && attr.mac_addr) { 2962 /* Remove old pending messages when starting new run */ 2963 wps_free_pending_msgs(wps->wps->upnp_msgs); 2964 wps->wps->upnp_msgs = NULL; 2965 2966 upnp_wps_device_send_wlan_event( 2967 wps->wps->wps_upnp, attr.mac_addr, 2968 UPNP_WPS_WLANEVENT_TYPE_EAP, msg); 2969 } 2970#endif /* CONFIG_WPS_UPNP */ 2971 ret = wps_process_m1(wps, &attr); 2972 break; 2973 case WPS_M3: 2974 if (wps_validate_m3(msg) < 0) 2975 return WPS_FAILURE; 2976 ret = wps_process_m3(wps, msg, &attr); 2977 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2978 wps_fail_event(wps->wps, WPS_M3, wps->config_error, 2979 wps->error_indication, wps->mac_addr_e); 2980 break; 2981 case WPS_M5: 2982 if (wps_validate_m5(msg) < 0) 2983 return WPS_FAILURE; 2984 ret = wps_process_m5(wps, msg, &attr); 2985 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2986 wps_fail_event(wps->wps, WPS_M5, wps->config_error, 2987 wps->error_indication, wps->mac_addr_e); 2988 break; 2989 case WPS_M7: 2990 if (wps_validate_m7(msg) < 0) 2991 return WPS_FAILURE; 2992 ret = wps_process_m7(wps, msg, &attr); 2993 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2994 wps_fail_event(wps->wps, WPS_M7, wps->config_error, 2995 wps->error_indication, wps->mac_addr_e); 2996 break; 2997 default: 2998 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d", 2999 *attr.msg_type); 3000 return WPS_FAILURE; 3001 } 3002 3003 if (ret == WPS_CONTINUE) { 3004 /* Save a copy of the last message for Authenticator derivation 3005 */ 3006 wpabuf_free(wps->last_msg); 3007 wps->last_msg = wpabuf_dup(msg); 3008 } 3009 3010 return ret; 3011} 3012 3013 3014static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps, 3015 const struct wpabuf *msg) 3016{ 3017 struct wps_parse_attr attr; 3018 3019 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK"); 3020 3021 if (wps_parse_msg(msg, &attr) < 0) 3022 return WPS_FAILURE; 3023 3024 if (attr.msg_type == NULL) { 3025 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 3026 return WPS_FAILURE; 3027 } 3028 3029 if (*attr.msg_type != WPS_WSC_ACK) { 3030 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 3031 *attr.msg_type); 3032 return WPS_FAILURE; 3033 } 3034 3035#ifdef CONFIG_WPS_UPNP 3036 if (wps->wps->wps_upnp && wps->ext_reg && wps->state == RECV_M2D_ACK && 3037 upnp_wps_subscribers(wps->wps->wps_upnp)) { 3038 if (wps->wps->upnp_msgs) 3039 return WPS_CONTINUE; 3040 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 3041 "external Registrar"); 3042 return WPS_PENDING; 3043 } 3044#endif /* CONFIG_WPS_UPNP */ 3045 3046 if (attr.registrar_nonce == NULL || 3047 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 3048 { 3049 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 3050 return WPS_FAILURE; 3051 } 3052 3053 if (attr.enrollee_nonce == NULL || 3054 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 3055 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 3056 return WPS_FAILURE; 3057 } 3058 3059 if (wps->state == RECV_M2D_ACK) { 3060#ifdef CONFIG_WPS_UPNP 3061 if (wps->wps->wps_upnp && 3062 upnp_wps_subscribers(wps->wps->wps_upnp)) { 3063 if (wps->wps->upnp_msgs) 3064 return WPS_CONTINUE; 3065 if (wps->ext_reg == 0) 3066 wps->ext_reg = 1; 3067 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 3068 "external Registrar"); 3069 return WPS_PENDING; 3070 } 3071#endif /* CONFIG_WPS_UPNP */ 3072 3073 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - " 3074 "terminate negotiation"); 3075 } 3076 3077 return WPS_FAILURE; 3078} 3079 3080 3081static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps, 3082 const struct wpabuf *msg) 3083{ 3084 struct wps_parse_attr attr; 3085 int old_state; 3086 u16 config_error; 3087 3088 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK"); 3089 3090 old_state = wps->state; 3091 wps->state = SEND_WSC_NACK; 3092 3093 if (wps_parse_msg(msg, &attr) < 0) 3094 return WPS_FAILURE; 3095 3096 if (attr.msg_type == NULL) { 3097 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 3098 return WPS_FAILURE; 3099 } 3100 3101 if (*attr.msg_type != WPS_WSC_NACK) { 3102 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 3103 *attr.msg_type); 3104 return WPS_FAILURE; 3105 } 3106 3107#ifdef CONFIG_WPS_UPNP 3108 if (wps->wps->wps_upnp && wps->ext_reg) { 3109 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 3110 "Registrar terminated by the Enrollee"); 3111 return WPS_FAILURE; 3112 } 3113#endif /* CONFIG_WPS_UPNP */ 3114 3115 if (attr.registrar_nonce == NULL || 3116 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 3117 { 3118 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 3119 return WPS_FAILURE; 3120 } 3121 3122 if (attr.enrollee_nonce == NULL || 3123 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 3124 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 3125 return WPS_FAILURE; 3126 } 3127 3128 if (attr.config_error == NULL) { 3129 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute " 3130 "in WSC_NACK"); 3131 return WPS_FAILURE; 3132 } 3133 3134 config_error = WPA_GET_BE16(attr.config_error); 3135 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with " 3136 "Configuration Error %d", config_error); 3137 3138 switch (old_state) { 3139 case RECV_M3: 3140 wps_fail_event(wps->wps, WPS_M2, config_error, 3141 wps->error_indication, wps->mac_addr_e); 3142 break; 3143 case RECV_M5: 3144 wps_fail_event(wps->wps, WPS_M4, config_error, 3145 wps->error_indication, wps->mac_addr_e); 3146 break; 3147 case RECV_M7: 3148 wps_fail_event(wps->wps, WPS_M6, config_error, 3149 wps->error_indication, wps->mac_addr_e); 3150 break; 3151 case RECV_DONE: 3152 wps_fail_event(wps->wps, WPS_M8, config_error, 3153 wps->error_indication, wps->mac_addr_e); 3154 break; 3155 default: 3156 break; 3157 } 3158 3159 return WPS_FAILURE; 3160} 3161 3162 3163static enum wps_process_res wps_process_wsc_done(struct wps_data *wps, 3164 const struct wpabuf *msg) 3165{ 3166 struct wps_parse_attr attr; 3167 3168 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done"); 3169 3170 if (wps->state != RECV_DONE && 3171 (!wps->wps->wps_upnp || !wps->ext_reg)) { 3172 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 3173 "receiving WSC_Done", wps->state); 3174 return WPS_FAILURE; 3175 } 3176 3177 if (wps_parse_msg(msg, &attr) < 0) 3178 return WPS_FAILURE; 3179 3180 if (attr.msg_type == NULL) { 3181 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 3182 return WPS_FAILURE; 3183 } 3184 3185 if (*attr.msg_type != WPS_WSC_DONE) { 3186 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 3187 *attr.msg_type); 3188 return WPS_FAILURE; 3189 } 3190 3191#ifdef CONFIG_WPS_UPNP 3192 if (wps->wps->wps_upnp && wps->ext_reg) { 3193 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 3194 "Registrar completed successfully"); 3195 wps_device_store(wps->wps->registrar, &wps->peer_dev, 3196 wps->uuid_e); 3197 return WPS_DONE; 3198 } 3199#endif /* CONFIG_WPS_UPNP */ 3200 3201 if (attr.registrar_nonce == NULL || 3202 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0) 3203 { 3204 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 3205 return WPS_FAILURE; 3206 } 3207 3208 if (attr.enrollee_nonce == NULL || 3209 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) { 3210 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 3211 return WPS_FAILURE; 3212 } 3213 3214 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully"); 3215 wps_device_store(wps->wps->registrar, &wps->peer_dev, 3216 wps->uuid_e); 3217 3218 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk && 3219 wps->wps->ap && !wps->wps->registrar->disable_auto_conf) { 3220 struct wps_credential cred; 3221 3222 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based " 3223 "on first Enrollee connection"); 3224 3225 os_memset(&cred, 0, sizeof(cred)); 3226 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 3227 cred.ssid_len = wps->wps->ssid_len; 3228 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK; 3229 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES; 3230 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len); 3231 cred.key_len = wps->new_psk_len; 3232 3233 wps->wps->wps_state = WPS_STATE_CONFIGURED; 3234 wpa_hexdump_ascii_key(MSG_DEBUG, 3235 "WPS: Generated random passphrase", 3236 wps->new_psk, wps->new_psk_len); 3237 if (wps->wps->cred_cb) 3238 wps->wps->cred_cb(wps->wps->cb_ctx, &cred); 3239 3240 os_free(wps->new_psk); 3241 wps->new_psk = NULL; 3242 } 3243 3244 if (!wps->wps->ap && !wps->er) 3245 wps_sta_cred_cb(wps); 3246 3247 if (wps->new_psk) { 3248 if (wps_cb_new_psk(wps->wps->registrar, wps->mac_addr_e, 3249 wps->p2p_dev_addr, wps->new_psk, 3250 wps->new_psk_len)) { 3251 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the " 3252 "new PSK"); 3253 } 3254 os_free(wps->new_psk); 3255 wps->new_psk = NULL; 3256 } 3257 3258 wps_cb_reg_success(wps->wps->registrar, wps->mac_addr_e, wps->uuid_e, 3259 wps->dev_password, wps->dev_password_len); 3260 3261 if (wps->pbc) { 3262 wps_registrar_remove_pbc_session(wps->wps->registrar, 3263 wps->uuid_e, 3264 wps->p2p_dev_addr); 3265 wps_registrar_pbc_completed(wps->wps->registrar); 3266#ifdef WPS_WORKAROUNDS 3267 os_get_reltime(&wps->wps->registrar->pbc_ignore_start); 3268#endif /* WPS_WORKAROUNDS */ 3269 os_memcpy(wps->wps->registrar->pbc_ignore_uuid, wps->uuid_e, 3270 WPS_UUID_LEN); 3271 } else { 3272 wps_registrar_pin_completed(wps->wps->registrar); 3273 } 3274 /* TODO: maintain AuthorizedMACs somewhere separately for each ER and 3275 * merge them into APs own list.. */ 3276 3277 wps_success_event(wps->wps, wps->mac_addr_e); 3278 3279 return WPS_DONE; 3280} 3281 3282 3283enum wps_process_res wps_registrar_process_msg(struct wps_data *wps, 3284 enum wsc_op_code op_code, 3285 const struct wpabuf *msg) 3286{ 3287 enum wps_process_res ret; 3288 3289 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu " 3290 "op_code=%d)", 3291 (unsigned long) wpabuf_len(msg), op_code); 3292 3293#ifdef CONFIG_WPS_UPNP 3294 if (wps->wps->wps_upnp && op_code == WSC_MSG && wps->ext_reg == 1) { 3295 struct wps_parse_attr attr; 3296 if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type && 3297 *attr.msg_type == WPS_M3) 3298 wps->ext_reg = 2; /* past M2/M2D phase */ 3299 } 3300 if (wps->ext_reg > 1) 3301 wps_registrar_free_pending_m2(wps->wps); 3302 if (wps->wps->wps_upnp && wps->ext_reg && 3303 wps->wps->upnp_msgs == NULL && 3304 (op_code == WSC_MSG || op_code == WSC_Done || op_code == WSC_NACK)) 3305 { 3306 struct wps_parse_attr attr; 3307 int type; 3308 if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL) 3309 type = -1; 3310 else 3311 type = *attr.msg_type; 3312 wpa_printf(MSG_DEBUG, "WPS: Sending received message (type %d)" 3313 " to external Registrar for processing", type); 3314 upnp_wps_device_send_wlan_event(wps->wps->wps_upnp, 3315 wps->mac_addr_e, 3316 UPNP_WPS_WLANEVENT_TYPE_EAP, 3317 msg); 3318 if (op_code == WSC_MSG) 3319 return WPS_PENDING; 3320 } else if (wps->wps->wps_upnp && wps->ext_reg && op_code == WSC_MSG) { 3321 wpa_printf(MSG_DEBUG, "WPS: Skip internal processing - using " 3322 "external Registrar"); 3323 return WPS_CONTINUE; 3324 } 3325#endif /* CONFIG_WPS_UPNP */ 3326 3327 switch (op_code) { 3328 case WSC_MSG: 3329 return wps_process_wsc_msg(wps, msg); 3330 case WSC_ACK: 3331 if (wps_validate_wsc_ack(msg) < 0) 3332 return WPS_FAILURE; 3333 return wps_process_wsc_ack(wps, msg); 3334 case WSC_NACK: 3335 if (wps_validate_wsc_nack(msg) < 0) 3336 return WPS_FAILURE; 3337 return wps_process_wsc_nack(wps, msg); 3338 case WSC_Done: 3339 if (wps_validate_wsc_done(msg) < 0) 3340 return WPS_FAILURE; 3341 ret = wps_process_wsc_done(wps, msg); 3342 if (ret == WPS_FAILURE) { 3343 wps->state = SEND_WSC_NACK; 3344 wps_fail_event(wps->wps, WPS_WSC_DONE, 3345 wps->config_error, 3346 wps->error_indication, wps->mac_addr_e); 3347 } 3348 return ret; 3349 default: 3350 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code); 3351 return WPS_FAILURE; 3352 } 3353} 3354 3355 3356int wps_registrar_update_ie(struct wps_registrar *reg) 3357{ 3358 return wps_set_ie(reg); 3359} 3360 3361 3362static void wps_registrar_set_selected_timeout(void *eloop_ctx, 3363 void *timeout_ctx) 3364{ 3365 struct wps_registrar *reg = eloop_ctx; 3366 3367 wpa_printf(MSG_DEBUG, "WPS: Selected Registrar timeout - " 3368 "unselect internal Registrar"); 3369 reg->selected_registrar = 0; 3370 reg->pbc = 0; 3371 wps_registrar_selected_registrar_changed(reg, 0); 3372} 3373 3374 3375#ifdef CONFIG_WPS_UPNP 3376static void wps_registrar_sel_reg_add(struct wps_registrar *reg, 3377 struct subscription *s) 3378{ 3379 int i, j; 3380 wpa_printf(MSG_DEBUG, "WPS: External Registrar selected (dev_pw_id=%d " 3381 "config_methods=0x%x)", 3382 s->dev_password_id, s->config_methods); 3383 reg->sel_reg_union = 1; 3384 if (reg->sel_reg_dev_password_id_override != DEV_PW_PUSHBUTTON) 3385 reg->sel_reg_dev_password_id_override = s->dev_password_id; 3386 if (reg->sel_reg_config_methods_override == -1) 3387 reg->sel_reg_config_methods_override = 0; 3388 reg->sel_reg_config_methods_override |= s->config_methods; 3389 for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) 3390 if (is_zero_ether_addr(reg->authorized_macs_union[i])) 3391 break; 3392 for (j = 0; i < WPS_MAX_AUTHORIZED_MACS && j < WPS_MAX_AUTHORIZED_MACS; 3393 j++) { 3394 if (is_zero_ether_addr(s->authorized_macs[j])) 3395 break; 3396 wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC into union: " 3397 MACSTR, MAC2STR(s->authorized_macs[j])); 3398 os_memcpy(reg->authorized_macs_union[i], 3399 s->authorized_macs[j], ETH_ALEN); 3400 i++; 3401 } 3402 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union", 3403 (u8 *) reg->authorized_macs_union, 3404 sizeof(reg->authorized_macs_union)); 3405} 3406#endif /* CONFIG_WPS_UPNP */ 3407 3408 3409static void wps_registrar_sel_reg_union(struct wps_registrar *reg) 3410{ 3411#ifdef CONFIG_WPS_UPNP 3412 struct subscription *s; 3413 3414 if (reg->wps->wps_upnp == NULL) 3415 return; 3416 3417 dl_list_for_each(s, ®->wps->wps_upnp->subscriptions, 3418 struct subscription, list) { 3419 struct subscr_addr *sa; 3420 sa = dl_list_first(&s->addr_list, struct subscr_addr, list); 3421 if (sa) { 3422 wpa_printf(MSG_DEBUG, "WPS: External Registrar %s:%d", 3423 inet_ntoa(sa->saddr.sin_addr), 3424 ntohs(sa->saddr.sin_port)); 3425 } 3426 if (s->selected_registrar) 3427 wps_registrar_sel_reg_add(reg, s); 3428 else 3429 wpa_printf(MSG_DEBUG, "WPS: External Registrar not " 3430 "selected"); 3431 } 3432#endif /* CONFIG_WPS_UPNP */ 3433} 3434 3435 3436/** 3437 * wps_registrar_selected_registrar_changed - SetSelectedRegistrar change 3438 * @reg: Registrar data from wps_registrar_init() 3439 * 3440 * This function is called when selected registrar state changes, e.g., when an 3441 * AP receives a SetSelectedRegistrar UPnP message. 3442 */ 3443void wps_registrar_selected_registrar_changed(struct wps_registrar *reg, 3444 u16 dev_pw_id) 3445{ 3446 wpa_printf(MSG_DEBUG, "WPS: Selected registrar information changed"); 3447 3448 reg->sel_reg_union = reg->selected_registrar; 3449 reg->sel_reg_dev_password_id_override = -1; 3450 reg->sel_reg_config_methods_override = -1; 3451 os_memcpy(reg->authorized_macs_union, reg->authorized_macs, 3452 WPS_MAX_AUTHORIZED_MACS * ETH_ALEN); 3453 wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union (start with own)", 3454 (u8 *) reg->authorized_macs_union, 3455 sizeof(reg->authorized_macs_union)); 3456 if (reg->selected_registrar) { 3457 u16 methods; 3458 3459 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 3460 methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON | 3461 WPS_CONFIG_PHY_PUSHBUTTON); 3462 if (reg->pbc) { 3463 reg->sel_reg_dev_password_id_override = 3464 DEV_PW_PUSHBUTTON; 3465 wps_set_pushbutton(&methods, reg->wps->config_methods); 3466 } else if (dev_pw_id) 3467 reg->sel_reg_dev_password_id_override = dev_pw_id; 3468 wpa_printf(MSG_DEBUG, "WPS: Internal Registrar selected " 3469 "(pbc=%d)", reg->pbc); 3470 reg->sel_reg_config_methods_override = methods; 3471 } else 3472 wpa_printf(MSG_DEBUG, "WPS: Internal Registrar not selected"); 3473 3474 wps_registrar_sel_reg_union(reg); 3475 3476 wps_set_ie(reg); 3477 wps_cb_set_sel_reg(reg); 3478} 3479 3480 3481int wps_registrar_get_info(struct wps_registrar *reg, const u8 *addr, 3482 char *buf, size_t buflen) 3483{ 3484 struct wps_registrar_device *d; 3485 int len = 0, ret; 3486 char uuid[40]; 3487 char devtype[WPS_DEV_TYPE_BUFSIZE]; 3488 3489 d = wps_device_get(reg, addr); 3490 if (d == NULL) 3491 return 0; 3492 if (uuid_bin2str(d->uuid, uuid, sizeof(uuid))) 3493 return 0; 3494 3495 ret = os_snprintf(buf + len, buflen - len, 3496 "wpsUuid=%s\n" 3497 "wpsPrimaryDeviceType=%s\n" 3498 "wpsDeviceName=%s\n" 3499 "wpsManufacturer=%s\n" 3500 "wpsModelName=%s\n" 3501 "wpsModelNumber=%s\n" 3502 "wpsSerialNumber=%s\n", 3503 uuid, 3504 wps_dev_type_bin2str(d->dev.pri_dev_type, devtype, 3505 sizeof(devtype)), 3506 d->dev.device_name ? d->dev.device_name : "", 3507 d->dev.manufacturer ? d->dev.manufacturer : "", 3508 d->dev.model_name ? d->dev.model_name : "", 3509 d->dev.model_number ? d->dev.model_number : "", 3510 d->dev.serial_number ? d->dev.serial_number : ""); 3511 if (os_snprintf_error(buflen - len, ret)) 3512 return len; 3513 len += ret; 3514 3515 return len; 3516} 3517 3518 3519int wps_registrar_config_ap(struct wps_registrar *reg, 3520 struct wps_credential *cred) 3521{ 3522 wpa_printf(MSG_DEBUG, "WPS: encr_type=0x%x", cred->encr_type); 3523 if (!(cred->encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP | 3524 WPS_ENCR_AES))) { 3525 if (cred->encr_type & WPS_ENCR_WEP) { 3526 wpa_printf(MSG_INFO, "WPS: Reject new AP settings " 3527 "due to WEP configuration"); 3528 return -1; 3529 } 3530 3531 wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to " 3532 "invalid encr_type 0x%x", cred->encr_type); 3533 return -1; 3534 } 3535 3536 if ((cred->encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) == 3537 WPS_ENCR_TKIP) { 3538 wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> " 3539 "TKIP+AES"); 3540 cred->encr_type |= WPS_ENCR_AES; 3541 } 3542 3543 if ((cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) == 3544 WPS_AUTH_WPAPSK) { 3545 wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> " 3546 "WPAPSK+WPA2PSK"); 3547 cred->auth_type |= WPS_AUTH_WPA2PSK; 3548 } 3549 3550 if (reg->wps->cred_cb) 3551 return reg->wps->cred_cb(reg->wps->cb_ctx, cred); 3552 3553 return -1; 3554} 3555 3556 3557#ifdef CONFIG_WPS_NFC 3558 3559int wps_registrar_add_nfc_pw_token(struct wps_registrar *reg, 3560 const u8 *pubkey_hash, u16 pw_id, 3561 const u8 *dev_pw, size_t dev_pw_len, 3562 int pk_hash_provided_oob) 3563{ 3564 struct wps_nfc_pw_token *token; 3565 3566 if (dev_pw_len > WPS_OOB_DEVICE_PASSWORD_LEN) 3567 return -1; 3568 3569 if (pw_id == DEV_PW_NFC_CONNECTION_HANDOVER && 3570 (pubkey_hash == NULL || !pk_hash_provided_oob)) { 3571 wpa_printf(MSG_DEBUG, "WPS: Unexpected NFC Password Token " 3572 "addition - missing public key hash"); 3573 return -1; 3574 } 3575 3576 wps_free_nfc_pw_tokens(®->nfc_pw_tokens, pw_id); 3577 3578 token = os_zalloc(sizeof(*token)); 3579 if (token == NULL) 3580 return -1; 3581 3582 token->peer_pk_hash_known = pubkey_hash != NULL; 3583 if (pubkey_hash) 3584 os_memcpy(token->pubkey_hash, pubkey_hash, 3585 WPS_OOB_PUBKEY_HASH_LEN); 3586 token->pw_id = pw_id; 3587 token->pk_hash_provided_oob = pk_hash_provided_oob; 3588 if (dev_pw) { 3589 wpa_snprintf_hex_uppercase((char *) token->dev_pw, 3590 sizeof(token->dev_pw), 3591 dev_pw, dev_pw_len); 3592 token->dev_pw_len = dev_pw_len * 2; 3593 } 3594 3595 dl_list_add(®->nfc_pw_tokens, &token->list); 3596 3597 reg->selected_registrar = 1; 3598 reg->pbc = 0; 3599 wps_registrar_add_authorized_mac(reg, 3600 (u8 *) "\xff\xff\xff\xff\xff\xff"); 3601 wps_registrar_selected_registrar_changed(reg, pw_id); 3602 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 3603 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, 3604 wps_registrar_set_selected_timeout, 3605 reg, NULL); 3606 3607 wpa_printf(MSG_DEBUG, "WPS: Added NFC Device Password %u to Registrar", 3608 pw_id); 3609 3610 return 0; 3611} 3612 3613 3614int wps_registrar_add_nfc_password_token(struct wps_registrar *reg, 3615 const u8 *oob_dev_pw, 3616 size_t oob_dev_pw_len) 3617{ 3618 const u8 *pos, *hash, *dev_pw; 3619 u16 id; 3620 size_t dev_pw_len; 3621 3622 if (oob_dev_pw_len < WPS_OOB_PUBKEY_HASH_LEN + 2 || 3623 oob_dev_pw_len > WPS_OOB_PUBKEY_HASH_LEN + 2 + 3624 WPS_OOB_DEVICE_PASSWORD_LEN) 3625 return -1; 3626 3627 hash = oob_dev_pw; 3628 pos = oob_dev_pw + WPS_OOB_PUBKEY_HASH_LEN; 3629 id = WPA_GET_BE16(pos); 3630 dev_pw = pos + 2; 3631 dev_pw_len = oob_dev_pw + oob_dev_pw_len - dev_pw; 3632 3633 wpa_printf(MSG_DEBUG, "WPS: Add NFC Password Token for Password ID %u", 3634 id); 3635 3636 wpa_hexdump(MSG_DEBUG, "WPS: Public Key Hash", 3637 hash, WPS_OOB_PUBKEY_HASH_LEN); 3638 wpa_hexdump_key(MSG_DEBUG, "WPS: Device Password", dev_pw, dev_pw_len); 3639 3640 return wps_registrar_add_nfc_pw_token(reg, hash, id, dev_pw, 3641 dev_pw_len, 0); 3642} 3643 3644 3645void wps_registrar_remove_nfc_pw_token(struct wps_registrar *reg, 3646 struct wps_nfc_pw_token *token) 3647{ 3648 wps_registrar_remove_authorized_mac(reg, 3649 (u8 *) "\xff\xff\xff\xff\xff\xff"); 3650 wps_registrar_selected_registrar_changed(reg, 0); 3651 3652 /* 3653 * Free the NFC password token if it was used only for a single protocol 3654 * run. The static handover case uses the same password token multiple 3655 * times, so do not free that case here. 3656 */ 3657 if (token->peer_pk_hash_known) 3658 os_free(token); 3659} 3660 3661#endif /* CONFIG_WPS_NFC */ 3662