1/* 2 * EAP-WSC peer for Wi-Fi Protected Setup 3 * Copyright (c) 2007-2009, 2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "uuid.h" 13#include "eap_i.h" 14#include "eap_common/eap_wsc_common.h" 15#include "wps/wps.h" 16#include "wps/wps_defs.h" 17 18 19struct eap_wsc_data { 20 enum { WAIT_START, MESG, WAIT_FRAG_ACK, FAIL } state; 21 int registrar; 22 struct wpabuf *in_buf; 23 struct wpabuf *out_buf; 24 enum wsc_op_code in_op_code, out_op_code; 25 size_t out_used; 26 size_t fragment_size; 27 struct wps_data *wps; 28 struct wps_context *wps_ctx; 29}; 30 31 32static const char * eap_wsc_state_txt(int state) 33{ 34 switch (state) { 35 case WAIT_START: 36 return "WAIT_START"; 37 case MESG: 38 return "MESG"; 39 case WAIT_FRAG_ACK: 40 return "WAIT_FRAG_ACK"; 41 case FAIL: 42 return "FAIL"; 43 default: 44 return "?"; 45 } 46} 47 48 49static void eap_wsc_state(struct eap_wsc_data *data, int state) 50{ 51 wpa_printf(MSG_DEBUG, "EAP-WSC: %s -> %s", 52 eap_wsc_state_txt(data->state), 53 eap_wsc_state_txt(state)); 54 data->state = state; 55} 56 57 58static int eap_wsc_new_ap_settings(struct wps_credential *cred, 59 const char *params) 60{ 61 const char *pos, *end; 62 size_t len; 63 64 os_memset(cred, 0, sizeof(*cred)); 65 66 pos = os_strstr(params, "new_ssid="); 67 if (pos == NULL) 68 return 0; 69 pos += 9; 70 end = os_strchr(pos, ' '); 71 if (end == NULL) 72 len = os_strlen(pos); 73 else 74 len = end - pos; 75 if ((len & 1) || len > 2 * sizeof(cred->ssid) || 76 hexstr2bin(pos, cred->ssid, len / 2)) { 77 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid new_ssid"); 78 return -1; 79 } 80 cred->ssid_len = len / 2; 81 82 pos = os_strstr(params, "new_auth="); 83 if (pos == NULL) { 84 wpa_printf(MSG_DEBUG, "EAP-WSC: Missing new_auth"); 85 return -1; 86 } 87 if (os_strncmp(pos + 9, "OPEN", 4) == 0) 88 cred->auth_type = WPS_AUTH_OPEN; 89 else if (os_strncmp(pos + 9, "WPAPSK", 6) == 0) 90 cred->auth_type = WPS_AUTH_WPAPSK; 91 else if (os_strncmp(pos + 9, "WPA2PSK", 7) == 0) 92 cred->auth_type = WPS_AUTH_WPA2PSK; 93 else { 94 wpa_printf(MSG_DEBUG, "EAP-WSC: Unknown new_auth"); 95 return -1; 96 } 97 98 pos = os_strstr(params, "new_encr="); 99 if (pos == NULL) { 100 wpa_printf(MSG_DEBUG, "EAP-WSC: Missing new_encr"); 101 return -1; 102 } 103 if (os_strncmp(pos + 9, "NONE", 4) == 0) 104 cred->encr_type = WPS_ENCR_NONE; 105#ifdef CONFIG_TESTING_OPTIONS 106 else if (os_strncmp(pos + 9, "WEP", 3) == 0) 107 cred->encr_type = WPS_ENCR_WEP; 108#endif /* CONFIG_TESTING_OPTIONS */ 109 else if (os_strncmp(pos + 9, "TKIP", 4) == 0) 110 cred->encr_type = WPS_ENCR_TKIP; 111 else if (os_strncmp(pos + 9, "CCMP", 4) == 0) 112 cred->encr_type = WPS_ENCR_AES; 113 else { 114 wpa_printf(MSG_DEBUG, "EAP-WSC: Unknown new_encr"); 115 return -1; 116 } 117 118 pos = os_strstr(params, "new_key="); 119 if (pos == NULL) 120 return 0; 121 pos += 8; 122 end = os_strchr(pos, ' '); 123 if (end == NULL) 124 len = os_strlen(pos); 125 else 126 len = end - pos; 127 if ((len & 1) || len > 2 * sizeof(cred->key) || 128 hexstr2bin(pos, cred->key, len / 2)) { 129 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid new_key"); 130 return -1; 131 } 132 cred->key_len = len / 2; 133 134 return 1; 135} 136 137 138static void * eap_wsc_init(struct eap_sm *sm) 139{ 140 struct eap_wsc_data *data; 141 const u8 *identity; 142 size_t identity_len; 143 int registrar; 144 struct wps_config cfg; 145 const char *pos, *end; 146 const char *phase1; 147 struct wps_context *wps; 148 struct wps_credential new_ap_settings; 149 int res; 150 int nfc = 0; 151 u8 pkhash[WPS_OOB_PUBKEY_HASH_LEN]; 152 153 wps = sm->wps; 154 if (wps == NULL) { 155 wpa_printf(MSG_ERROR, "EAP-WSC: WPS context not available"); 156 return NULL; 157 } 158 159 identity = eap_get_config_identity(sm, &identity_len); 160 161 if (identity && identity_len == WSC_ID_REGISTRAR_LEN && 162 os_memcmp(identity, WSC_ID_REGISTRAR, WSC_ID_REGISTRAR_LEN) == 0) 163 registrar = 1; /* Supplicant is Registrar */ 164 else if (identity && identity_len == WSC_ID_ENROLLEE_LEN && 165 os_memcmp(identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN) == 0) 166 registrar = 0; /* Supplicant is Enrollee */ 167 else { 168 wpa_hexdump_ascii(MSG_INFO, "EAP-WSC: Unexpected identity", 169 identity, identity_len); 170 return NULL; 171 } 172 173 data = os_zalloc(sizeof(*data)); 174 if (data == NULL) 175 return NULL; 176 data->state = registrar ? MESG : WAIT_START; 177 data->registrar = registrar; 178 data->wps_ctx = wps; 179 180 os_memset(&cfg, 0, sizeof(cfg)); 181 cfg.wps = wps; 182 cfg.registrar = registrar; 183 184 phase1 = eap_get_config_phase1(sm); 185 if (phase1 == NULL) { 186 wpa_printf(MSG_INFO, "EAP-WSC: phase1 configuration data not " 187 "set"); 188 os_free(data); 189 return NULL; 190 } 191 192 pos = os_strstr(phase1, "pin="); 193 if (pos) { 194 pos += 4; 195 cfg.pin = (const u8 *) pos; 196 while (*pos != '\0' && *pos != ' ') 197 pos++; 198 cfg.pin_len = pos - (const char *) cfg.pin; 199 if (cfg.pin_len == 6 && 200 os_strncmp((const char *) cfg.pin, "nfc-pw", 6) == 0) { 201 cfg.pin = NULL; 202 cfg.pin_len = 0; 203 nfc = 1; 204 } 205 } else { 206 pos = os_strstr(phase1, "pbc=1"); 207 if (pos) 208 cfg.pbc = 1; 209 } 210 211 pos = os_strstr(phase1, "dev_pw_id="); 212 if (pos) { 213 u16 id = atoi(pos + 10); 214 if (id == DEV_PW_NFC_CONNECTION_HANDOVER) 215 nfc = 1; 216 if (cfg.pin || id == DEV_PW_NFC_CONNECTION_HANDOVER) 217 cfg.dev_pw_id = id; 218 } 219 220 if (cfg.pin == NULL && !cfg.pbc && !nfc) { 221 wpa_printf(MSG_INFO, "EAP-WSC: PIN or PBC not set in phase1 " 222 "configuration data"); 223 os_free(data); 224 return NULL; 225 } 226 227 pos = os_strstr(phase1, " pkhash="); 228 if (pos) { 229 size_t len; 230 pos += 8; 231 end = os_strchr(pos, ' '); 232 if (end) 233 len = end - pos; 234 else 235 len = os_strlen(pos); 236 if (len != 2 * WPS_OOB_PUBKEY_HASH_LEN || 237 hexstr2bin(pos, pkhash, WPS_OOB_PUBKEY_HASH_LEN)) { 238 wpa_printf(MSG_INFO, "EAP-WSC: Invalid pkhash"); 239 os_free(data); 240 return NULL; 241 } 242 cfg.peer_pubkey_hash = pkhash; 243 } 244 245 res = eap_wsc_new_ap_settings(&new_ap_settings, phase1); 246 if (res < 0) { 247 os_free(data); 248 wpa_printf(MSG_DEBUG, "EAP-WSC: Failed to parse new AP " 249 "settings"); 250 return NULL; 251 } 252 if (res == 1) { 253 wpa_printf(MSG_DEBUG, "EAP-WSC: Provide new AP settings for " 254 "WPS"); 255 cfg.new_ap_settings = &new_ap_settings; 256 } 257 258 data->wps = wps_init(&cfg); 259 if (data->wps == NULL) { 260 os_free(data); 261 wpa_printf(MSG_DEBUG, "EAP-WSC: wps_init failed"); 262 return NULL; 263 } 264 res = eap_get_config_fragment_size(sm); 265 if (res > 0) 266 data->fragment_size = res; 267 else 268 data->fragment_size = WSC_FRAGMENT_SIZE; 269 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment size limit %u", 270 (unsigned int) data->fragment_size); 271 272 if (registrar && cfg.pin) { 273 wps_registrar_add_pin(data->wps_ctx->registrar, NULL, NULL, 274 cfg.pin, cfg.pin_len, 0); 275 } 276 277 /* Use reduced client timeout for WPS to avoid long wait */ 278 if (sm->ClientTimeout > 30) 279 sm->ClientTimeout = 30; 280 281 return data; 282} 283 284 285static void eap_wsc_deinit(struct eap_sm *sm, void *priv) 286{ 287 struct eap_wsc_data *data = priv; 288 wpabuf_free(data->in_buf); 289 wpabuf_free(data->out_buf); 290 wps_deinit(data->wps); 291 os_free(data->wps_ctx->network_key); 292 data->wps_ctx->network_key = NULL; 293 os_free(data); 294} 295 296 297static struct wpabuf * eap_wsc_build_msg(struct eap_wsc_data *data, 298 struct eap_method_ret *ret, u8 id) 299{ 300 struct wpabuf *resp; 301 u8 flags; 302 size_t send_len, plen; 303 304 ret->ignore = FALSE; 305 wpa_printf(MSG_DEBUG, "EAP-WSC: Generating Response"); 306 ret->allowNotifications = TRUE; 307 308 flags = 0; 309 send_len = wpabuf_len(data->out_buf) - data->out_used; 310 if (2 + send_len > data->fragment_size) { 311 send_len = data->fragment_size - 2; 312 flags |= WSC_FLAGS_MF; 313 if (data->out_used == 0) { 314 flags |= WSC_FLAGS_LF; 315 send_len -= 2; 316 } 317 } 318 plen = 2 + send_len; 319 if (flags & WSC_FLAGS_LF) 320 plen += 2; 321 resp = eap_msg_alloc(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, plen, 322 EAP_CODE_RESPONSE, id); 323 if (resp == NULL) 324 return NULL; 325 326 wpabuf_put_u8(resp, data->out_op_code); /* Op-Code */ 327 wpabuf_put_u8(resp, flags); /* Flags */ 328 if (flags & WSC_FLAGS_LF) 329 wpabuf_put_be16(resp, wpabuf_len(data->out_buf)); 330 331 wpabuf_put_data(resp, wpabuf_head_u8(data->out_buf) + data->out_used, 332 send_len); 333 data->out_used += send_len; 334 335 ret->methodState = METHOD_MAY_CONT; 336 ret->decision = DECISION_FAIL; 337 338 if (data->out_used == wpabuf_len(data->out_buf)) { 339 wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes " 340 "(message sent completely)", 341 (unsigned long) send_len); 342 wpabuf_free(data->out_buf); 343 data->out_buf = NULL; 344 data->out_used = 0; 345 if ((data->state == FAIL && data->out_op_code == WSC_ACK) || 346 data->out_op_code == WSC_NACK || 347 data->out_op_code == WSC_Done) { 348 eap_wsc_state(data, FAIL); 349 ret->methodState = METHOD_DONE; 350 } else 351 eap_wsc_state(data, MESG); 352 } else { 353 wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes " 354 "(%lu more to send)", (unsigned long) send_len, 355 (unsigned long) wpabuf_len(data->out_buf) - 356 data->out_used); 357 eap_wsc_state(data, WAIT_FRAG_ACK); 358 } 359 360 return resp; 361} 362 363 364static int eap_wsc_process_cont(struct eap_wsc_data *data, 365 const u8 *buf, size_t len, u8 op_code) 366{ 367 /* Process continuation of a pending message */ 368 if (op_code != data->in_op_code) { 369 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d in " 370 "fragment (expected %d)", 371 op_code, data->in_op_code); 372 return -1; 373 } 374 375 if (len > wpabuf_tailroom(data->in_buf)) { 376 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment overflow"); 377 eap_wsc_state(data, FAIL); 378 return -1; 379 } 380 381 wpabuf_put_data(data->in_buf, buf, len); 382 wpa_printf(MSG_DEBUG, "EAP-WSC: Received %lu bytes, waiting " 383 "for %lu bytes more", (unsigned long) len, 384 (unsigned long) wpabuf_tailroom(data->in_buf)); 385 386 return 0; 387} 388 389 390static struct wpabuf * eap_wsc_process_fragment(struct eap_wsc_data *data, 391 struct eap_method_ret *ret, 392 u8 id, u8 flags, u8 op_code, 393 u16 message_length, 394 const u8 *buf, size_t len) 395{ 396 /* Process a fragment that is not the last one of the message */ 397 if (data->in_buf == NULL && !(flags & WSC_FLAGS_LF)) { 398 wpa_printf(MSG_DEBUG, "EAP-WSC: No Message Length field in a " 399 "fragmented packet"); 400 ret->ignore = TRUE; 401 return NULL; 402 } 403 404 if (data->in_buf == NULL) { 405 /* First fragment of the message */ 406 data->in_buf = wpabuf_alloc(message_length); 407 if (data->in_buf == NULL) { 408 wpa_printf(MSG_DEBUG, "EAP-WSC: No memory for " 409 "message"); 410 ret->ignore = TRUE; 411 return NULL; 412 } 413 data->in_op_code = op_code; 414 wpabuf_put_data(data->in_buf, buf, len); 415 wpa_printf(MSG_DEBUG, "EAP-WSC: Received %lu bytes in first " 416 "fragment, waiting for %lu bytes more", 417 (unsigned long) len, 418 (unsigned long) wpabuf_tailroom(data->in_buf)); 419 } 420 421 return eap_wsc_build_frag_ack(id, EAP_CODE_RESPONSE); 422} 423 424 425static struct wpabuf * eap_wsc_process(struct eap_sm *sm, void *priv, 426 struct eap_method_ret *ret, 427 const struct wpabuf *reqData) 428{ 429 struct eap_wsc_data *data = priv; 430 const u8 *start, *pos, *end; 431 size_t len; 432 u8 op_code, flags, id; 433 u16 message_length = 0; 434 enum wps_process_res res; 435 struct wpabuf tmpbuf; 436 struct wpabuf *r; 437 438 pos = eap_hdr_validate(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, reqData, 439 &len); 440 if (pos == NULL || len < 2) { 441 ret->ignore = TRUE; 442 return NULL; 443 } 444 445 id = eap_get_id(reqData); 446 447 start = pos; 448 end = start + len; 449 450 op_code = *pos++; 451 flags = *pos++; 452 if (flags & WSC_FLAGS_LF) { 453 if (end - pos < 2) { 454 wpa_printf(MSG_DEBUG, "EAP-WSC: Message underflow"); 455 ret->ignore = TRUE; 456 return NULL; 457 } 458 message_length = WPA_GET_BE16(pos); 459 pos += 2; 460 461 if (message_length < end - pos || message_length > 50000) { 462 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message " 463 "Length"); 464 ret->ignore = TRUE; 465 return NULL; 466 } 467 } 468 469 wpa_printf(MSG_DEBUG, "EAP-WSC: Received packet: Op-Code %d " 470 "Flags 0x%x Message Length %d", 471 op_code, flags, message_length); 472 473 if (data->state == WAIT_FRAG_ACK) { 474 if (op_code != WSC_FRAG_ACK) { 475 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d " 476 "in WAIT_FRAG_ACK state", op_code); 477 ret->ignore = TRUE; 478 return NULL; 479 } 480 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment acknowledged"); 481 eap_wsc_state(data, MESG); 482 return eap_wsc_build_msg(data, ret, id); 483 } 484 485 if (op_code != WSC_ACK && op_code != WSC_NACK && op_code != WSC_MSG && 486 op_code != WSC_Done && op_code != WSC_Start) { 487 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d", 488 op_code); 489 ret->ignore = TRUE; 490 return NULL; 491 } 492 493 if (data->state == WAIT_START) { 494 if (op_code != WSC_Start) { 495 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d " 496 "in WAIT_START state", op_code); 497 ret->ignore = TRUE; 498 return NULL; 499 } 500 wpa_printf(MSG_DEBUG, "EAP-WSC: Received start"); 501 eap_wsc_state(data, MESG); 502 /* Start message has empty payload, skip processing */ 503 goto send_msg; 504 } else if (op_code == WSC_Start) { 505 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d", 506 op_code); 507 ret->ignore = TRUE; 508 return NULL; 509 } 510 511 if (data->in_buf && 512 eap_wsc_process_cont(data, pos, end - pos, op_code) < 0) { 513 ret->ignore = TRUE; 514 return NULL; 515 } 516 517 if (flags & WSC_FLAGS_MF) { 518 return eap_wsc_process_fragment(data, ret, id, flags, op_code, 519 message_length, pos, 520 end - pos); 521 } 522 523 if (data->in_buf == NULL) { 524 /* Wrap unfragmented messages as wpabuf without extra copy */ 525 wpabuf_set(&tmpbuf, pos, end - pos); 526 data->in_buf = &tmpbuf; 527 } 528 529 res = wps_process_msg(data->wps, op_code, data->in_buf); 530 switch (res) { 531 case WPS_DONE: 532 wpa_printf(MSG_DEBUG, "EAP-WSC: WPS processing completed " 533 "successfully - wait for EAP failure"); 534 eap_wsc_state(data, FAIL); 535 break; 536 case WPS_CONTINUE: 537 eap_wsc_state(data, MESG); 538 break; 539 case WPS_FAILURE: 540 case WPS_PENDING: 541 wpa_printf(MSG_DEBUG, "EAP-WSC: WPS processing failed"); 542 eap_wsc_state(data, FAIL); 543 break; 544 } 545 546 if (data->in_buf != &tmpbuf) 547 wpabuf_free(data->in_buf); 548 data->in_buf = NULL; 549 550send_msg: 551 if (data->out_buf == NULL) { 552 data->out_buf = wps_get_msg(data->wps, &data->out_op_code); 553 if (data->out_buf == NULL) { 554 wpa_printf(MSG_DEBUG, "EAP-WSC: Failed to receive " 555 "message from WPS"); 556 eap_wsc_state(data, FAIL); 557 ret->methodState = METHOD_DONE; 558 ret->decision = DECISION_FAIL; 559 return NULL; 560 } 561 data->out_used = 0; 562 } 563 564 eap_wsc_state(data, MESG); 565 r = eap_wsc_build_msg(data, ret, id); 566 if (data->state == FAIL && ret->methodState == METHOD_DONE) { 567 /* Use reduced client timeout for WPS to avoid long wait */ 568 if (sm->ClientTimeout > 2) 569 sm->ClientTimeout = 2; 570 } 571 return r; 572} 573 574 575int eap_peer_wsc_register(void) 576{ 577 struct eap_method *eap; 578 579 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 580 EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, 581 "WSC"); 582 if (eap == NULL) 583 return -1; 584 585 eap->init = eap_wsc_init; 586 eap->deinit = eap_wsc_deinit; 587 eap->process = eap_wsc_process; 588 589 return eap_peer_method_register(eap); 590} 591