1 /* 2 * Wi-Fi Protected Setup - Registrar 3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "sha256.h" 19 #include "base64.h" 20 #include "ieee802_11_defs.h" 21 #include "eloop.h" 22 #include "wps_i.h" 23 #include "wps_dev_attr.h" 24 #include "wps_upnp.h" 25 26 27 struct wps_uuid_pin { 28 struct wps_uuid_pin *next; 29 u8 uuid[WPS_UUID_LEN]; 30 int wildcard_uuid; 31 u8 *pin; 32 size_t pin_len; 33 int locked; 34 }; 35 36 37 static void wps_free_pin(struct wps_uuid_pin *pin) 38 { 39 os_free(pin->pin); 40 os_free(pin); 41 } 42 43 44 static void wps_free_pins(struct wps_uuid_pin *pins) 45 { 46 struct wps_uuid_pin *pin, *prev; 47 48 pin = pins; 49 while (pin) { 50 prev = pin; 51 pin = pin->next; 52 wps_free_pin(prev); 53 } 54 } 55 56 57 struct wps_pbc_session { 58 struct wps_pbc_session *next; 59 u8 addr[ETH_ALEN]; 60 u8 uuid_e[WPS_UUID_LEN]; 61 struct os_time timestamp; 62 }; 63 64 65 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc) 66 { 67 struct wps_pbc_session *prev; 68 69 while (pbc) { 70 prev = pbc; 71 pbc = pbc->next; 72 os_free(prev); 73 } 74 } 75 76 77 struct wps_registrar { 78 struct wps_context *wps; 79 80 int pbc; 81 int selected_registrar; 82 83 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *psk, 84 size_t psk_len); 85 int (*set_ie_cb)(void *ctx, const u8 *beacon_ie, size_t beacon_ie_len, 86 const u8 *probe_resp_ie, size_t probe_resp_ie_len); 87 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e, 88 const struct wps_device_data *dev); 89 void (*reg_success_cb)(void *ctx, const u8 *mac_addr, 90 const u8 *uuid_e); 91 void *cb_ctx; 92 93 struct wps_uuid_pin *pins; 94 struct wps_pbc_session *pbc_sessions; 95 96 int skip_cred_build; 97 struct wpabuf *extra_cred; 98 int disable_auto_conf; 99 int sel_reg_dev_password_id_override; 100 int sel_reg_config_methods_override; 101 }; 102 103 104 static int wps_set_ie(struct wps_registrar *reg); 105 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx); 106 static void wps_registrar_set_selected_timeout(void *eloop_ctx, 107 void *timeout_ctx); 108 109 110 static void wps_registrar_add_pbc_session(struct wps_registrar *reg, 111 const u8 *addr, const u8 *uuid_e) 112 { 113 struct wps_pbc_session *pbc, *prev = NULL; 114 struct os_time now; 115 116 os_get_time(&now); 117 118 pbc = reg->pbc_sessions; 119 while (pbc) { 120 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 && 121 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) { 122 if (prev) 123 prev->next = pbc->next; 124 else 125 reg->pbc_sessions = pbc->next; 126 break; 127 } 128 prev = pbc; 129 pbc = pbc->next; 130 } 131 132 if (!pbc) { 133 pbc = os_zalloc(sizeof(*pbc)); 134 if (pbc == NULL) 135 return; 136 os_memcpy(pbc->addr, addr, ETH_ALEN); 137 if (uuid_e) 138 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN); 139 } 140 141 pbc->next = reg->pbc_sessions; 142 reg->pbc_sessions = pbc; 143 pbc->timestamp = now; 144 145 /* remove entries that have timed out */ 146 prev = pbc; 147 pbc = pbc->next; 148 149 while (pbc) { 150 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) { 151 prev->next = NULL; 152 wps_free_pbc_sessions(pbc); 153 break; 154 } 155 prev = pbc; 156 pbc = pbc->next; 157 } 158 } 159 160 161 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg, 162 const u8 *addr, const u8 *uuid_e) 163 { 164 struct wps_pbc_session *pbc, *prev = NULL; 165 166 pbc = reg->pbc_sessions; 167 while (pbc) { 168 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 && 169 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) { 170 if (prev) 171 prev->next = pbc->next; 172 else 173 reg->pbc_sessions = pbc->next; 174 os_free(pbc); 175 break; 176 } 177 prev = pbc; 178 pbc = pbc->next; 179 } 180 } 181 182 183 static int wps_registrar_pbc_overlap(struct wps_registrar *reg, 184 const u8 *addr, const u8 *uuid_e) 185 { 186 int count = 0; 187 struct wps_pbc_session *pbc; 188 struct os_time now; 189 190 os_get_time(&now); 191 192 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) { 193 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) 194 break; 195 if (addr == NULL || os_memcmp(addr, pbc->addr, ETH_ALEN) || 196 uuid_e == NULL || 197 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN)) 198 count++; 199 } 200 201 if (addr || uuid_e) 202 count++; 203 204 return count > 1 ? 1 : 0; 205 } 206 207 208 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg) 209 { 210 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)", 211 wps->wps_state); 212 wpabuf_put_be16(msg, ATTR_WPS_STATE); 213 wpabuf_put_be16(msg, 1); 214 wpabuf_put_u8(msg, wps->wps_state); 215 return 0; 216 } 217 218 219 #ifdef CONFIG_WPS_UPNP 220 static void wps_registrar_free_pending_m2(struct wps_context *wps) 221 { 222 struct upnp_pending_message *p, *p2, *prev = NULL; 223 p = wps->upnp_msgs; 224 while (p) { 225 if (p->type == WPS_M2 || p->type == WPS_M2D) { 226 if (prev == NULL) 227 wps->upnp_msgs = p->next; 228 else 229 prev->next = p->next; 230 wpa_printf(MSG_DEBUG, "WPS UPnP: Drop pending M2/M2D"); 231 p2 = p; 232 p = p->next; 233 wpabuf_free(p2->msg); 234 os_free(p2); 235 continue; 236 } 237 prev = p; 238 p = p->next; 239 } 240 } 241 #endif /* CONFIG_WPS_UPNP */ 242 243 244 static int wps_build_ap_setup_locked(struct wps_context *wps, 245 struct wpabuf *msg) 246 { 247 if (wps->ap_setup_locked) { 248 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked"); 249 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED); 250 wpabuf_put_be16(msg, 1); 251 wpabuf_put_u8(msg, 1); 252 } 253 return 0; 254 } 255 256 257 static int wps_build_selected_registrar(struct wps_registrar *reg, 258 struct wpabuf *msg) 259 { 260 if (!reg->selected_registrar) 261 return 0; 262 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar"); 263 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR); 264 wpabuf_put_be16(msg, 1); 265 wpabuf_put_u8(msg, 1); 266 return 0; 267 } 268 269 270 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg, 271 struct wpabuf *msg) 272 { 273 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT; 274 if (!reg->selected_registrar) 275 return 0; 276 if (reg->sel_reg_dev_password_id_override >= 0) 277 id = reg->sel_reg_dev_password_id_override; 278 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id); 279 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID); 280 wpabuf_put_be16(msg, 2); 281 wpabuf_put_be16(msg, id); 282 return 0; 283 } 284 285 286 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg, 287 struct wpabuf *msg) 288 { 289 u16 methods; 290 if (!reg->selected_registrar) 291 return 0; 292 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 293 if (reg->pbc) 294 methods |= WPS_CONFIG_PUSHBUTTON; 295 if (reg->sel_reg_config_methods_override >= 0) 296 methods = reg->sel_reg_config_methods_override; 297 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)", 298 methods); 299 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS); 300 wpabuf_put_be16(msg, 2); 301 wpabuf_put_be16(msg, methods); 302 return 0; 303 } 304 305 306 static int wps_build_probe_config_methods(struct wps_registrar *reg, 307 struct wpabuf *msg) 308 { 309 u16 methods; 310 methods = 0; 311 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods); 312 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS); 313 wpabuf_put_be16(msg, 2); 314 wpabuf_put_be16(msg, methods); 315 return 0; 316 } 317 318 319 static int wps_build_config_methods_r(struct wps_registrar *reg, 320 struct wpabuf *msg) 321 { 322 u16 methods; 323 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON; 324 if (reg->pbc) 325 methods |= WPS_CONFIG_PUSHBUTTON; 326 return wps_build_config_methods(msg, methods); 327 } 328 329 330 static int wps_build_resp_type(struct wps_registrar *reg, struct wpabuf *msg) 331 { 332 u8 resp = reg->wps->ap ? WPS_RESP_AP : WPS_RESP_REGISTRAR; 333 wpa_printf(MSG_DEBUG, "WPS: * Response Type (%d)", resp); 334 wpabuf_put_be16(msg, ATTR_RESPONSE_TYPE); 335 wpabuf_put_be16(msg, 1); 336 wpabuf_put_u8(msg, resp); 337 return 0; 338 } 339 340 341 /** 342 * wps_registrar_init - Initialize WPS Registrar data 343 * @wps: Pointer to longterm WPS context 344 * @cfg: Registrar configuration 345 * Returns: Pointer to allocated Registrar data or %NULL on failure 346 * 347 * This function is used to initialize WPS Registrar functionality. It can be 348 * used for a single Registrar run (e.g., when run in a supplicant) or multiple 349 * runs (e.g., when run as an internal Registrar in an AP). Caller is 350 * responsible for freeing the returned data with wps_registrar_deinit() when 351 * Registrar functionality is not needed anymore. 352 */ 353 struct wps_registrar * 354 wps_registrar_init(struct wps_context *wps, 355 const struct wps_registrar_config *cfg) 356 { 357 struct wps_registrar *reg = os_zalloc(sizeof(*reg)); 358 if (reg == NULL) 359 return NULL; 360 361 reg->wps = wps; 362 reg->new_psk_cb = cfg->new_psk_cb; 363 reg->set_ie_cb = cfg->set_ie_cb; 364 reg->pin_needed_cb = cfg->pin_needed_cb; 365 reg->reg_success_cb = cfg->reg_success_cb; 366 reg->cb_ctx = cfg->cb_ctx; 367 reg->skip_cred_build = cfg->skip_cred_build; 368 if (cfg->extra_cred) { 369 reg->extra_cred = wpabuf_alloc_copy(cfg->extra_cred, 370 cfg->extra_cred_len); 371 if (reg->extra_cred == NULL) { 372 os_free(reg); 373 return NULL; 374 } 375 } 376 reg->disable_auto_conf = cfg->disable_auto_conf; 377 reg->sel_reg_dev_password_id_override = -1; 378 reg->sel_reg_config_methods_override = -1; 379 380 if (wps_set_ie(reg)) { 381 wps_registrar_deinit(reg); 382 return NULL; 383 } 384 385 return reg; 386 } 387 388 389 /** 390 * wps_registrar_deinit - Deinitialize WPS Registrar data 391 * @reg: Registrar data from wps_registrar_init() 392 */ 393 void wps_registrar_deinit(struct wps_registrar *reg) 394 { 395 if (reg == NULL) 396 return; 397 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 398 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 399 wps_free_pins(reg->pins); 400 wps_free_pbc_sessions(reg->pbc_sessions); 401 wpabuf_free(reg->extra_cred); 402 os_free(reg); 403 } 404 405 406 /** 407 * wps_registrar_add_pin - Configure a new PIN for Registrar 408 * @reg: Registrar data from wps_registrar_init() 409 * @uuid: UUID-E or %NULL for wildcard (any UUID) 410 * @pin: PIN (Device Password) 411 * @pin_len: Length of pin in octets 412 * Returns: 0 on success, -1 on failure 413 */ 414 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *uuid, 415 const u8 *pin, size_t pin_len) 416 { 417 struct wps_uuid_pin *p; 418 419 p = os_zalloc(sizeof(*p)); 420 if (p == NULL) 421 return -1; 422 if (uuid == NULL) 423 p->wildcard_uuid = 1; 424 else 425 os_memcpy(p->uuid, uuid, WPS_UUID_LEN); 426 p->pin = os_malloc(pin_len); 427 if (p->pin == NULL) { 428 os_free(p); 429 return -1; 430 } 431 os_memcpy(p->pin, pin, pin_len); 432 p->pin_len = pin_len; 433 434 p->next = reg->pins; 435 reg->pins = p; 436 437 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured"); 438 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN); 439 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len); 440 reg->selected_registrar = 1; 441 reg->pbc = 0; 442 wps_set_ie(reg); 443 444 return 0; 445 } 446 447 448 /** 449 * wps_registrar_invalidate_pin - Invalidate a PIN for a specific UUID-E 450 * @reg: Registrar data from wps_registrar_init() 451 * @uuid: UUID-E 452 * Returns: 0 on success, -1 on failure (e.g., PIN not found) 453 */ 454 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid) 455 { 456 struct wps_uuid_pin *pin, *prev; 457 458 prev = NULL; 459 pin = reg->pins; 460 while (pin) { 461 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 462 if (prev == NULL) 463 reg->pins = pin->next; 464 else 465 prev->next = pin->next; 466 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID", 467 pin->uuid, WPS_UUID_LEN); 468 wps_free_pin(pin); 469 return 0; 470 } 471 prev = pin; 472 pin = pin->next; 473 } 474 475 return -1; 476 } 477 478 479 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg, 480 const u8 *uuid, size_t *pin_len) 481 { 482 struct wps_uuid_pin *pin; 483 484 pin = reg->pins; 485 while (pin) { 486 if (!pin->wildcard_uuid && 487 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) 488 break; 489 pin = pin->next; 490 } 491 492 if (!pin) { 493 /* Check for wildcard UUIDs since none of the UUID-specific 494 * PINs matched */ 495 pin = reg->pins; 496 while (pin) { 497 if (pin->wildcard_uuid == 1) { 498 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard " 499 "PIN. Assigned it for this UUID-E"); 500 pin->wildcard_uuid = 2; 501 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN); 502 break; 503 } 504 pin = pin->next; 505 } 506 } 507 508 if (!pin) 509 return NULL; 510 511 /* 512 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN 513 * that could otherwise avoid PIN invalidations. 514 */ 515 if (pin->locked) { 516 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not " 517 "allow concurrent re-use"); 518 return NULL; 519 } 520 *pin_len = pin->pin_len; 521 pin->locked = 1; 522 return pin->pin; 523 } 524 525 526 /** 527 * wps_registrar_unlock_pin - Unlock a PIN for a specific UUID-E 528 * @reg: Registrar data from wps_registrar_init() 529 * @uuid: UUID-E 530 * Returns: 0 on success, -1 on failure 531 * 532 * PINs are locked to enforce only one concurrent use. This function unlocks a 533 * PIN to allow it to be used again. If the specified PIN was configured using 534 * a wildcard UUID, it will be removed instead of allowing multiple uses. 535 */ 536 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid) 537 { 538 struct wps_uuid_pin *pin; 539 540 pin = reg->pins; 541 while (pin) { 542 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) { 543 if (pin->wildcard_uuid == 2) { 544 wpa_printf(MSG_DEBUG, "WPS: Invalidating used " 545 "wildcard PIN"); 546 return wps_registrar_invalidate_pin(reg, uuid); 547 } 548 pin->locked = 0; 549 return 0; 550 } 551 pin = pin->next; 552 } 553 554 return -1; 555 } 556 557 558 static void wps_registrar_stop_pbc(struct wps_registrar *reg) 559 { 560 reg->selected_registrar = 0; 561 reg->pbc = 0; 562 wps_set_ie(reg); 563 } 564 565 566 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx) 567 { 568 struct wps_registrar *reg = eloop_ctx; 569 570 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode"); 571 wps_registrar_stop_pbc(reg); 572 } 573 574 575 /** 576 * wps_registrar_button_pushed - Notify Registrar that AP button was pushed 577 * @reg: Registrar data from wps_registrar_init() 578 * Returns: 0 on success, -1 on failure 579 * 580 * This function is called on an AP when a push button is pushed to activate 581 * PBC mode. The PBC mode will be stopped after walk time (2 minutes) timeout 582 * or when a PBC registration is completed. 583 */ 584 int wps_registrar_button_pushed(struct wps_registrar *reg) 585 { 586 if (wps_registrar_pbc_overlap(reg, NULL, NULL)) { 587 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC " 588 "mode"); 589 return -1; 590 } 591 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started"); 592 reg->selected_registrar = 1; 593 reg->pbc = 1; 594 wps_set_ie(reg); 595 596 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 597 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout, 598 reg, NULL); 599 return 0; 600 } 601 602 603 static void wps_registrar_pbc_completed(struct wps_registrar *reg) 604 { 605 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode"); 606 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL); 607 wps_registrar_stop_pbc(reg); 608 } 609 610 611 /** 612 * wps_registrar_probe_req_rx - Notify Registrar of Probe Request 613 * @reg: Registrar data from wps_registrar_init() 614 * @addr: MAC address of the Probe Request sender 615 * @wps_data: WPS IE contents 616 * 617 * This function is called on an AP when a Probe Request with WPS IE is 618 * received. This is used to track PBC mode use and to detect possible overlap 619 * situation with other WPS APs. 620 */ 621 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr, 622 const struct wpabuf *wps_data) 623 { 624 struct wps_parse_attr attr; 625 u16 methods; 626 627 wpa_hexdump_buf(MSG_MSGDUMP, 628 "WPS: Probe Request with WPS data received", 629 wps_data); 630 631 if (wps_parse_msg(wps_data, &attr) < 0) 632 return; 633 if (!wps_version_supported(attr.version)) { 634 wpa_printf(MSG_DEBUG, "WPS: Unsupported ProbeReq WPS IE " 635 "version 0x%x", attr.version ? *attr.version : 0); 636 return; 637 } 638 639 if (attr.config_methods == NULL) { 640 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in " 641 "Probe Request"); 642 return; 643 } 644 645 methods = WPA_GET_BE16(attr.config_methods); 646 if (!(methods & WPS_CONFIG_PUSHBUTTON)) 647 return; /* Not PBC */ 648 649 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from " 650 MACSTR, MAC2STR(addr)); 651 652 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e); 653 } 654 655 656 static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr, 657 const u8 *psk, size_t psk_len) 658 { 659 if (reg->new_psk_cb == NULL) 660 return 0; 661 662 return reg->new_psk_cb(reg->cb_ctx, mac_addr, psk, psk_len); 663 } 664 665 666 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e, 667 const struct wps_device_data *dev) 668 { 669 if (reg->pin_needed_cb == NULL) 670 return; 671 672 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev); 673 } 674 675 676 static void wps_cb_reg_success(struct wps_registrar *reg, const u8 *mac_addr, 677 const u8 *uuid_e) 678 { 679 if (reg->reg_success_cb == NULL) 680 return; 681 682 reg->reg_success_cb(reg->cb_ctx, mac_addr, uuid_e); 683 } 684 685 686 static int wps_cb_set_ie(struct wps_registrar *reg, 687 const struct wpabuf *beacon_ie, 688 const struct wpabuf *probe_resp_ie) 689 { 690 if (reg->set_ie_cb == NULL) 691 return 0; 692 693 return reg->set_ie_cb(reg->cb_ctx, wpabuf_head(beacon_ie), 694 wpabuf_len(beacon_ie), 695 wpabuf_head(probe_resp_ie), 696 wpabuf_len(probe_resp_ie)); 697 } 698 699 700 /* Encapsulate WPS IE data with one (or more, if needed) IE headers */ 701 static struct wpabuf * wps_ie_encapsulate(struct wpabuf *data) 702 { 703 struct wpabuf *ie; 704 const u8 *pos, *end; 705 706 ie = wpabuf_alloc(wpabuf_len(data) + 100); 707 if (ie == NULL) { 708 wpabuf_free(data); 709 return NULL; 710 } 711 712 pos = wpabuf_head(data); 713 end = pos + wpabuf_len(data); 714 715 while (end > pos) { 716 size_t frag_len = end - pos; 717 if (frag_len > 251) 718 frag_len = 251; 719 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC); 720 wpabuf_put_u8(ie, 4 + frag_len); 721 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA); 722 wpabuf_put_data(ie, pos, frag_len); 723 pos += frag_len; 724 } 725 726 wpabuf_free(data); 727 728 return ie; 729 } 730 731 732 static int wps_set_ie(struct wps_registrar *reg) 733 { 734 struct wpabuf *beacon; 735 struct wpabuf *probe; 736 int ret; 737 738 wpa_printf(MSG_DEBUG, "WPS: Build Beacon and Probe Response IEs"); 739 740 beacon = wpabuf_alloc(300); 741 if (beacon == NULL) 742 return -1; 743 probe = wpabuf_alloc(400); 744 if (probe == NULL) { 745 wpabuf_free(beacon); 746 return -1; 747 } 748 749 if (wps_build_version(beacon) || 750 wps_build_wps_state(reg->wps, beacon) || 751 wps_build_ap_setup_locked(reg->wps, beacon) || 752 wps_build_selected_registrar(reg, beacon) || 753 wps_build_sel_reg_dev_password_id(reg, beacon) || 754 wps_build_sel_reg_config_methods(reg, beacon) || 755 wps_build_version(probe) || 756 wps_build_wps_state(reg->wps, probe) || 757 wps_build_ap_setup_locked(reg->wps, probe) || 758 wps_build_selected_registrar(reg, probe) || 759 wps_build_sel_reg_dev_password_id(reg, probe) || 760 wps_build_sel_reg_config_methods(reg, probe) || 761 wps_build_resp_type(reg, probe) || 762 wps_build_uuid_e(probe, reg->wps->uuid) || 763 wps_build_device_attrs(®->wps->dev, probe) || 764 wps_build_probe_config_methods(reg, probe) || 765 wps_build_rf_bands(®->wps->dev, probe)) { 766 wpabuf_free(beacon); 767 wpabuf_free(probe); 768 return -1; 769 } 770 771 beacon = wps_ie_encapsulate(beacon); 772 probe = wps_ie_encapsulate(probe); 773 774 if (!beacon || !probe) { 775 wpabuf_free(beacon); 776 wpabuf_free(probe); 777 return -1; 778 } 779 780 ret = wps_cb_set_ie(reg, beacon, probe); 781 wpabuf_free(beacon); 782 wpabuf_free(probe); 783 784 return ret; 785 } 786 787 788 static int wps_get_dev_password(struct wps_data *wps) 789 { 790 const u8 *pin; 791 size_t pin_len = 0; 792 793 os_free(wps->dev_password); 794 wps->dev_password = NULL; 795 796 if (wps->pbc) { 797 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC"); 798 pin = (const u8 *) "00000000"; 799 pin_len = 8; 800 } else { 801 pin = wps_registrar_get_pin(wps->wps->registrar, wps->uuid_e, 802 &pin_len); 803 } 804 if (pin == NULL) { 805 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for " 806 "the Enrollee"); 807 wps_cb_pin_needed(wps->wps->registrar, wps->uuid_e, 808 &wps->peer_dev); 809 return -1; 810 } 811 812 wps->dev_password = os_malloc(pin_len); 813 if (wps->dev_password == NULL) 814 return -1; 815 os_memcpy(wps->dev_password, pin, pin_len); 816 wps->dev_password_len = pin_len; 817 818 return 0; 819 } 820 821 822 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg) 823 { 824 wpa_printf(MSG_DEBUG, "WPS: * UUID-R"); 825 wpabuf_put_be16(msg, ATTR_UUID_R); 826 wpabuf_put_be16(msg, WPS_UUID_LEN); 827 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN); 828 return 0; 829 } 830 831 832 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg) 833 { 834 u8 *hash; 835 const u8 *addr[4]; 836 size_t len[4]; 837 838 if (os_get_random(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0) 839 return -1; 840 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN); 841 wpa_hexdump(MSG_DEBUG, "WPS: R-S2", 842 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN); 843 844 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) { 845 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for " 846 "R-Hash derivation"); 847 return -1; 848 } 849 850 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1"); 851 wpabuf_put_be16(msg, ATTR_R_HASH1); 852 wpabuf_put_be16(msg, SHA256_MAC_LEN); 853 hash = wpabuf_put(msg, SHA256_MAC_LEN); 854 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */ 855 addr[0] = wps->snonce; 856 len[0] = WPS_SECRET_NONCE_LEN; 857 addr[1] = wps->psk1; 858 len[1] = WPS_PSK_LEN; 859 addr[2] = wpabuf_head(wps->dh_pubkey_e); 860 len[2] = wpabuf_len(wps->dh_pubkey_e); 861 addr[3] = wpabuf_head(wps->dh_pubkey_r); 862 len[3] = wpabuf_len(wps->dh_pubkey_r); 863 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 864 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN); 865 866 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2"); 867 wpabuf_put_be16(msg, ATTR_R_HASH2); 868 wpabuf_put_be16(msg, SHA256_MAC_LEN); 869 hash = wpabuf_put(msg, SHA256_MAC_LEN); 870 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */ 871 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN; 872 addr[1] = wps->psk2; 873 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 874 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN); 875 876 return 0; 877 } 878 879 880 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg) 881 { 882 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1"); 883 wpabuf_put_be16(msg, ATTR_R_SNONCE1); 884 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 885 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN); 886 return 0; 887 } 888 889 890 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg) 891 { 892 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2"); 893 wpabuf_put_be16(msg, ATTR_R_SNONCE2); 894 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN); 895 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN, 896 WPS_SECRET_NONCE_LEN); 897 return 0; 898 } 899 900 901 static int wps_build_cred_network_idx(struct wpabuf *msg, 902 struct wps_credential *cred) 903 { 904 wpa_printf(MSG_DEBUG, "WPS: * Network Index"); 905 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX); 906 wpabuf_put_be16(msg, 1); 907 wpabuf_put_u8(msg, 1); 908 return 0; 909 } 910 911 912 static int wps_build_cred_ssid(struct wpabuf *msg, 913 struct wps_credential *cred) 914 { 915 wpa_printf(MSG_DEBUG, "WPS: * SSID"); 916 wpabuf_put_be16(msg, ATTR_SSID); 917 wpabuf_put_be16(msg, cred->ssid_len); 918 wpabuf_put_data(msg, cred->ssid, cred->ssid_len); 919 return 0; 920 } 921 922 923 static int wps_build_cred_auth_type(struct wpabuf *msg, 924 struct wps_credential *cred) 925 { 926 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)", 927 cred->auth_type); 928 wpabuf_put_be16(msg, ATTR_AUTH_TYPE); 929 wpabuf_put_be16(msg, 2); 930 wpabuf_put_be16(msg, cred->auth_type); 931 return 0; 932 } 933 934 935 static int wps_build_cred_encr_type(struct wpabuf *msg, 936 struct wps_credential *cred) 937 { 938 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)", 939 cred->encr_type); 940 wpabuf_put_be16(msg, ATTR_ENCR_TYPE); 941 wpabuf_put_be16(msg, 2); 942 wpabuf_put_be16(msg, cred->encr_type); 943 return 0; 944 } 945 946 947 static int wps_build_cred_network_key(struct wpabuf *msg, 948 struct wps_credential *cred) 949 { 950 wpa_printf(MSG_DEBUG, "WPS: * Network Key"); 951 wpabuf_put_be16(msg, ATTR_NETWORK_KEY); 952 wpabuf_put_be16(msg, cred->key_len); 953 wpabuf_put_data(msg, cred->key, cred->key_len); 954 return 0; 955 } 956 957 958 static int wps_build_cred_mac_addr(struct wpabuf *msg, 959 struct wps_credential *cred) 960 { 961 wpa_printf(MSG_DEBUG, "WPS: * MAC Address (" MACSTR ")", 962 MAC2STR(cred->mac_addr)); 963 wpabuf_put_be16(msg, ATTR_MAC_ADDR); 964 wpabuf_put_be16(msg, ETH_ALEN); 965 wpabuf_put_data(msg, cred->mac_addr, ETH_ALEN); 966 return 0; 967 } 968 969 970 static int wps_build_credential(struct wpabuf *msg, 971 struct wps_credential *cred) 972 { 973 if (wps_build_cred_network_idx(msg, cred) || 974 wps_build_cred_ssid(msg, cred) || 975 wps_build_cred_auth_type(msg, cred) || 976 wps_build_cred_encr_type(msg, cred) || 977 wps_build_cred_network_key(msg, cred) || 978 wps_build_cred_mac_addr(msg, cred)) 979 return -1; 980 return 0; 981 } 982 983 984 static int wps_build_cred(struct wps_data *wps, struct wpabuf *msg) 985 { 986 struct wpabuf *cred; 987 988 if (wps->wps->registrar->skip_cred_build) 989 goto skip_cred_build; 990 991 wpa_printf(MSG_DEBUG, "WPS: * Credential"); 992 os_memset(&wps->cred, 0, sizeof(wps->cred)); 993 994 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 995 wps->cred.ssid_len = wps->wps->ssid_len; 996 997 /* Select the best authentication and encryption type */ 998 if (wps->auth_type & WPS_AUTH_WPA2PSK) 999 wps->auth_type = WPS_AUTH_WPA2PSK; 1000 else if (wps->auth_type & WPS_AUTH_WPAPSK) 1001 wps->auth_type = WPS_AUTH_WPAPSK; 1002 else if (wps->auth_type & WPS_AUTH_OPEN) 1003 wps->auth_type = WPS_AUTH_OPEN; 1004 else if (wps->auth_type & WPS_AUTH_SHARED) 1005 wps->auth_type = WPS_AUTH_SHARED; 1006 else { 1007 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x", 1008 wps->auth_type); 1009 return -1; 1010 } 1011 wps->cred.auth_type = wps->auth_type; 1012 1013 if (wps->auth_type == WPS_AUTH_WPA2PSK || 1014 wps->auth_type == WPS_AUTH_WPAPSK) { 1015 if (wps->encr_type & WPS_ENCR_AES) 1016 wps->encr_type = WPS_ENCR_AES; 1017 else if (wps->encr_type & WPS_ENCR_TKIP) 1018 wps->encr_type = WPS_ENCR_TKIP; 1019 else { 1020 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1021 "type for WPA/WPA2"); 1022 return -1; 1023 } 1024 } else { 1025 if (wps->encr_type & WPS_ENCR_WEP) 1026 wps->encr_type = WPS_ENCR_WEP; 1027 else if (wps->encr_type & WPS_ENCR_NONE) 1028 wps->encr_type = WPS_ENCR_NONE; 1029 else { 1030 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption " 1031 "type for non-WPA/WPA2 mode"); 1032 return -1; 1033 } 1034 } 1035 wps->cred.encr_type = wps->encr_type; 1036 /* Set MAC address in the Credential to be the AP's address (BSSID) */ 1037 os_memcpy(wps->cred.mac_addr, wps->wps->dev.mac_addr, ETH_ALEN); 1038 1039 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap && 1040 !wps->wps->registrar->disable_auto_conf) { 1041 u8 r[16]; 1042 /* Generate a random passphrase */ 1043 if (os_get_random(r, sizeof(r)) < 0) 1044 return -1; 1045 os_free(wps->new_psk); 1046 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len); 1047 if (wps->new_psk == NULL) 1048 return -1; 1049 wps->new_psk_len--; /* remove newline */ 1050 while (wps->new_psk_len && 1051 wps->new_psk[wps->new_psk_len - 1] == '=') 1052 wps->new_psk_len--; 1053 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase", 1054 wps->new_psk, wps->new_psk_len); 1055 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len); 1056 wps->cred.key_len = wps->new_psk_len; 1057 } else if (wps->wps->network_key) { 1058 os_memcpy(wps->cred.key, wps->wps->network_key, 1059 wps->wps->network_key_len); 1060 wps->cred.key_len = wps->wps->network_key_len; 1061 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) { 1062 char hex[65]; 1063 /* Generate a random per-device PSK */ 1064 os_free(wps->new_psk); 1065 wps->new_psk_len = 32; 1066 wps->new_psk = os_malloc(wps->new_psk_len); 1067 if (wps->new_psk == NULL) 1068 return -1; 1069 if (os_get_random(wps->new_psk, wps->new_psk_len) < 0) { 1070 os_free(wps->new_psk); 1071 wps->new_psk = NULL; 1072 return -1; 1073 } 1074 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK", 1075 wps->new_psk, wps->new_psk_len); 1076 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk, 1077 wps->new_psk_len); 1078 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2); 1079 wps->cred.key_len = wps->new_psk_len * 2; 1080 } 1081 1082 cred = wpabuf_alloc(200); 1083 if (cred == NULL) 1084 return -1; 1085 1086 if (wps_build_credential(cred, &wps->cred)) { 1087 wpabuf_free(cred); 1088 return -1; 1089 } 1090 1091 wpabuf_put_be16(msg, ATTR_CRED); 1092 wpabuf_put_be16(msg, wpabuf_len(cred)); 1093 wpabuf_put_buf(msg, cred); 1094 wpabuf_free(cred); 1095 1096 skip_cred_build: 1097 if (wps->wps->registrar->extra_cred) { 1098 wpa_printf(MSG_DEBUG, "WPS: * Credential (pre-configured)"); 1099 wpabuf_put_buf(msg, wps->wps->registrar->extra_cred); 1100 } 1101 1102 return 0; 1103 } 1104 1105 1106 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg) 1107 { 1108 wpa_printf(MSG_DEBUG, "WPS: * AP Settings"); 1109 1110 if (wps_build_credential(msg, &wps->cred)) 1111 return -1; 1112 1113 return 0; 1114 } 1115 1116 1117 static struct wpabuf * wps_build_m2(struct wps_data *wps) 1118 { 1119 struct wpabuf *msg; 1120 1121 if (os_get_random(wps->nonce_r, WPS_NONCE_LEN) < 0) 1122 return NULL; 1123 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce", 1124 wps->nonce_r, WPS_NONCE_LEN); 1125 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN); 1126 1127 wpa_printf(MSG_DEBUG, "WPS: Building Message M2"); 1128 msg = wpabuf_alloc(1000); 1129 if (msg == NULL) 1130 return NULL; 1131 1132 if (wps_build_version(msg) || 1133 wps_build_msg_type(msg, WPS_M2) || 1134 wps_build_enrollee_nonce(wps, msg) || 1135 wps_build_registrar_nonce(wps, msg) || 1136 wps_build_uuid_r(wps, msg) || 1137 wps_build_public_key(wps, msg) || 1138 wps_derive_keys(wps) || 1139 wps_build_auth_type_flags(wps, msg) || 1140 wps_build_encr_type_flags(wps, msg) || 1141 wps_build_conn_type_flags(wps, msg) || 1142 wps_build_config_methods_r(wps->wps->registrar, msg) || 1143 wps_build_device_attrs(&wps->wps->dev, msg) || 1144 wps_build_rf_bands(&wps->wps->dev, msg) || 1145 wps_build_assoc_state(wps, msg) || 1146 wps_build_config_error(msg, WPS_CFG_NO_ERROR) || 1147 wps_build_dev_password_id(msg, wps->dev_pw_id) || 1148 wps_build_os_version(&wps->wps->dev, msg) || 1149 wps_build_authenticator(wps, msg)) { 1150 wpabuf_free(msg); 1151 return NULL; 1152 } 1153 1154 wps->state = RECV_M3; 1155 return msg; 1156 } 1157 1158 1159 static struct wpabuf * wps_build_m2d(struct wps_data *wps) 1160 { 1161 struct wpabuf *msg; 1162 u16 err = WPS_CFG_NO_ERROR; 1163 1164 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D"); 1165 msg = wpabuf_alloc(1000); 1166 if (msg == NULL) 1167 return NULL; 1168 1169 if (wps->wps->ap && wps->wps->ap_setup_locked) 1170 err = WPS_CFG_SETUP_LOCKED; 1171 1172 if (wps_build_version(msg) || 1173 wps_build_msg_type(msg, WPS_M2D) || 1174 wps_build_enrollee_nonce(wps, msg) || 1175 wps_build_registrar_nonce(wps, msg) || 1176 wps_build_uuid_r(wps, msg) || 1177 wps_build_auth_type_flags(wps, msg) || 1178 wps_build_encr_type_flags(wps, msg) || 1179 wps_build_conn_type_flags(wps, msg) || 1180 wps_build_config_methods_r(wps->wps->registrar, msg) || 1181 wps_build_device_attrs(&wps->wps->dev, msg) || 1182 wps_build_rf_bands(&wps->wps->dev, msg) || 1183 wps_build_assoc_state(wps, msg) || 1184 wps_build_config_error(msg, err) || 1185 wps_build_os_version(&wps->wps->dev, msg)) { 1186 wpabuf_free(msg); 1187 return NULL; 1188 } 1189 1190 wps->state = RECV_M2D_ACK; 1191 return msg; 1192 } 1193 1194 1195 static struct wpabuf * wps_build_m4(struct wps_data *wps) 1196 { 1197 struct wpabuf *msg, *plain; 1198 1199 wpa_printf(MSG_DEBUG, "WPS: Building Message M4"); 1200 1201 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len); 1202 1203 plain = wpabuf_alloc(200); 1204 if (plain == NULL) 1205 return NULL; 1206 1207 msg = wpabuf_alloc(1000); 1208 if (msg == NULL) { 1209 wpabuf_free(plain); 1210 return NULL; 1211 } 1212 1213 if (wps_build_version(msg) || 1214 wps_build_msg_type(msg, WPS_M4) || 1215 wps_build_enrollee_nonce(wps, msg) || 1216 wps_build_r_hash(wps, msg) || 1217 wps_build_r_snonce1(wps, plain) || 1218 wps_build_key_wrap_auth(wps, plain) || 1219 wps_build_encr_settings(wps, msg, plain) || 1220 wps_build_authenticator(wps, msg)) { 1221 wpabuf_free(plain); 1222 wpabuf_free(msg); 1223 return NULL; 1224 } 1225 wpabuf_free(plain); 1226 1227 wps->state = RECV_M5; 1228 return msg; 1229 } 1230 1231 1232 static struct wpabuf * wps_build_m6(struct wps_data *wps) 1233 { 1234 struct wpabuf *msg, *plain; 1235 1236 wpa_printf(MSG_DEBUG, "WPS: Building Message M6"); 1237 1238 plain = wpabuf_alloc(200); 1239 if (plain == NULL) 1240 return NULL; 1241 1242 msg = wpabuf_alloc(1000); 1243 if (msg == NULL) { 1244 wpabuf_free(plain); 1245 return NULL; 1246 } 1247 1248 if (wps_build_version(msg) || 1249 wps_build_msg_type(msg, WPS_M6) || 1250 wps_build_enrollee_nonce(wps, msg) || 1251 wps_build_r_snonce2(wps, plain) || 1252 wps_build_key_wrap_auth(wps, plain) || 1253 wps_build_encr_settings(wps, msg, plain) || 1254 wps_build_authenticator(wps, msg)) { 1255 wpabuf_free(plain); 1256 wpabuf_free(msg); 1257 return NULL; 1258 } 1259 wpabuf_free(plain); 1260 1261 wps->wps_pin_revealed = 1; 1262 wps->state = RECV_M7; 1263 return msg; 1264 } 1265 1266 1267 static struct wpabuf * wps_build_m8(struct wps_data *wps) 1268 { 1269 struct wpabuf *msg, *plain; 1270 1271 wpa_printf(MSG_DEBUG, "WPS: Building Message M8"); 1272 1273 plain = wpabuf_alloc(500); 1274 if (plain == NULL) 1275 return NULL; 1276 1277 msg = wpabuf_alloc(1000); 1278 if (msg == NULL) { 1279 wpabuf_free(plain); 1280 return NULL; 1281 } 1282 1283 if (wps_build_version(msg) || 1284 wps_build_msg_type(msg, WPS_M8) || 1285 wps_build_enrollee_nonce(wps, msg) || 1286 (wps->wps->ap && wps_build_cred(wps, plain)) || 1287 (!wps->wps->ap && wps_build_ap_settings(wps, plain)) || 1288 wps_build_key_wrap_auth(wps, plain) || 1289 wps_build_encr_settings(wps, msg, plain) || 1290 wps_build_authenticator(wps, msg)) { 1291 wpabuf_free(plain); 1292 wpabuf_free(msg); 1293 return NULL; 1294 } 1295 wpabuf_free(plain); 1296 1297 wps->state = RECV_DONE; 1298 return msg; 1299 } 1300 1301 1302 static struct wpabuf * wps_build_wsc_ack(struct wps_data *wps) 1303 { 1304 struct wpabuf *msg; 1305 1306 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_ACK"); 1307 1308 msg = wpabuf_alloc(1000); 1309 if (msg == NULL) 1310 return NULL; 1311 1312 if (wps_build_version(msg) || 1313 wps_build_msg_type(msg, WPS_WSC_ACK) || 1314 wps_build_enrollee_nonce(wps, msg) || 1315 wps_build_registrar_nonce(wps, msg)) { 1316 wpabuf_free(msg); 1317 return NULL; 1318 } 1319 1320 return msg; 1321 } 1322 1323 1324 static struct wpabuf * wps_build_wsc_nack(struct wps_data *wps) 1325 { 1326 struct wpabuf *msg; 1327 1328 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_NACK"); 1329 1330 msg = wpabuf_alloc(1000); 1331 if (msg == NULL) 1332 return NULL; 1333 1334 if (wps_build_version(msg) || 1335 wps_build_msg_type(msg, WPS_WSC_NACK) || 1336 wps_build_enrollee_nonce(wps, msg) || 1337 wps_build_registrar_nonce(wps, msg) || 1338 wps_build_config_error(msg, wps->config_error)) { 1339 wpabuf_free(msg); 1340 return NULL; 1341 } 1342 1343 return msg; 1344 } 1345 1346 1347 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, 1348 enum wsc_op_code *op_code) 1349 { 1350 struct wpabuf *msg; 1351 1352 #ifdef CONFIG_WPS_UPNP 1353 if (wps->wps->wps_upnp) { 1354 struct upnp_pending_message *p, *prev = NULL; 1355 if (wps->ext_reg > 1) 1356 wps_registrar_free_pending_m2(wps->wps); 1357 p = wps->wps->upnp_msgs; 1358 /* TODO: check pending message MAC address */ 1359 while (p && p->next) { 1360 prev = p; 1361 p = p->next; 1362 } 1363 if (p) { 1364 wpa_printf(MSG_DEBUG, "WPS: Use pending message from " 1365 "UPnP"); 1366 if (prev) 1367 prev->next = NULL; 1368 else 1369 wps->wps->upnp_msgs = NULL; 1370 msg = p->msg; 1371 os_free(p); 1372 *op_code = WSC_MSG; 1373 if (wps->ext_reg == 0) 1374 wps->ext_reg = 1; 1375 return msg; 1376 } 1377 } 1378 if (wps->ext_reg) { 1379 wpa_printf(MSG_DEBUG, "WPS: Using external Registrar, but no " 1380 "pending message available"); 1381 return NULL; 1382 } 1383 #endif /* CONFIG_WPS_UPNP */ 1384 1385 switch (wps->state) { 1386 case SEND_M2: 1387 if (wps_get_dev_password(wps) < 0) 1388 msg = wps_build_m2d(wps); 1389 else 1390 msg = wps_build_m2(wps); 1391 *op_code = WSC_MSG; 1392 break; 1393 case SEND_M2D: 1394 msg = wps_build_m2d(wps); 1395 *op_code = WSC_MSG; 1396 break; 1397 case SEND_M4: 1398 msg = wps_build_m4(wps); 1399 *op_code = WSC_MSG; 1400 break; 1401 case SEND_M6: 1402 msg = wps_build_m6(wps); 1403 *op_code = WSC_MSG; 1404 break; 1405 case SEND_M8: 1406 msg = wps_build_m8(wps); 1407 *op_code = WSC_MSG; 1408 break; 1409 case RECV_DONE: 1410 msg = wps_build_wsc_ack(wps); 1411 *op_code = WSC_ACK; 1412 break; 1413 case SEND_WSC_NACK: 1414 msg = wps_build_wsc_nack(wps); 1415 *op_code = WSC_NACK; 1416 break; 1417 default: 1418 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building " 1419 "a message", wps->state); 1420 msg = NULL; 1421 break; 1422 } 1423 1424 if (*op_code == WSC_MSG && msg) { 1425 /* Save a copy of the last message for Authenticator derivation 1426 */ 1427 wpabuf_free(wps->last_msg); 1428 wps->last_msg = wpabuf_dup(msg); 1429 } 1430 1431 return msg; 1432 } 1433 1434 1435 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce) 1436 { 1437 if (e_nonce == NULL) { 1438 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received"); 1439 return -1; 1440 } 1441 1442 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN); 1443 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce", 1444 wps->nonce_e, WPS_NONCE_LEN); 1445 1446 return 0; 1447 } 1448 1449 1450 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce) 1451 { 1452 if (r_nonce == NULL) { 1453 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received"); 1454 return -1; 1455 } 1456 1457 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) { 1458 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received"); 1459 return -1; 1460 } 1461 1462 return 0; 1463 } 1464 1465 1466 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e) 1467 { 1468 if (uuid_e == NULL) { 1469 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received"); 1470 return -1; 1471 } 1472 1473 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN); 1474 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN); 1475 1476 return 0; 1477 } 1478 1479 1480 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id) 1481 { 1482 if (pw_id == NULL) { 1483 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received"); 1484 return -1; 1485 } 1486 1487 wps->dev_pw_id = WPA_GET_BE16(pw_id); 1488 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id); 1489 1490 return 0; 1491 } 1492 1493 1494 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1) 1495 { 1496 if (e_hash1 == NULL) { 1497 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received"); 1498 return -1; 1499 } 1500 1501 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN); 1502 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN); 1503 1504 return 0; 1505 } 1506 1507 1508 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2) 1509 { 1510 if (e_hash2 == NULL) { 1511 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received"); 1512 return -1; 1513 } 1514 1515 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN); 1516 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN); 1517 1518 return 0; 1519 } 1520 1521 1522 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1) 1523 { 1524 u8 hash[SHA256_MAC_LEN]; 1525 const u8 *addr[4]; 1526 size_t len[4]; 1527 1528 if (e_snonce1 == NULL) { 1529 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received"); 1530 return -1; 1531 } 1532 1533 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1, 1534 WPS_SECRET_NONCE_LEN); 1535 1536 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */ 1537 addr[0] = e_snonce1; 1538 len[0] = WPS_SECRET_NONCE_LEN; 1539 addr[1] = wps->psk1; 1540 len[1] = WPS_PSK_LEN; 1541 addr[2] = wpabuf_head(wps->dh_pubkey_e); 1542 len[2] = wpabuf_len(wps->dh_pubkey_e); 1543 addr[3] = wpabuf_head(wps->dh_pubkey_r); 1544 len[3] = wpabuf_len(wps->dh_pubkey_r); 1545 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1546 1547 if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) { 1548 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does " 1549 "not match with the pre-committed value"); 1550 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 1551 wps_pwd_auth_fail_event(wps->wps, 0, 1); 1552 return -1; 1553 } 1554 1555 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first " 1556 "half of the device password"); 1557 1558 return 0; 1559 } 1560 1561 1562 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2) 1563 { 1564 u8 hash[SHA256_MAC_LEN]; 1565 const u8 *addr[4]; 1566 size_t len[4]; 1567 1568 if (e_snonce2 == NULL) { 1569 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received"); 1570 return -1; 1571 } 1572 1573 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2, 1574 WPS_SECRET_NONCE_LEN); 1575 1576 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */ 1577 addr[0] = e_snonce2; 1578 len[0] = WPS_SECRET_NONCE_LEN; 1579 addr[1] = wps->psk2; 1580 len[1] = WPS_PSK_LEN; 1581 addr[2] = wpabuf_head(wps->dh_pubkey_e); 1582 len[2] = wpabuf_len(wps->dh_pubkey_e); 1583 addr[3] = wpabuf_head(wps->dh_pubkey_r); 1584 len[3] = wpabuf_len(wps->dh_pubkey_r); 1585 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash); 1586 1587 if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) { 1588 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does " 1589 "not match with the pre-committed value"); 1590 wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e); 1591 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; 1592 wps_pwd_auth_fail_event(wps->wps, 0, 2); 1593 return -1; 1594 } 1595 1596 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second " 1597 "half of the device password"); 1598 wps->wps_pin_revealed = 0; 1599 wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e); 1600 1601 return 0; 1602 } 1603 1604 1605 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr) 1606 { 1607 if (mac_addr == NULL) { 1608 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received"); 1609 return -1; 1610 } 1611 1612 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR, 1613 MAC2STR(mac_addr)); 1614 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN); 1615 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN); 1616 1617 return 0; 1618 } 1619 1620 1621 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, 1622 size_t pk_len) 1623 { 1624 if (pk == NULL || pk_len == 0) { 1625 wpa_printf(MSG_DEBUG, "WPS: No Public Key received"); 1626 return -1; 1627 } 1628 1629 wpabuf_free(wps->dh_pubkey_e); 1630 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len); 1631 if (wps->dh_pubkey_e == NULL) 1632 return -1; 1633 1634 return 0; 1635 } 1636 1637 1638 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth) 1639 { 1640 u16 auth_types; 1641 1642 if (auth == NULL) { 1643 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags " 1644 "received"); 1645 return -1; 1646 } 1647 1648 auth_types = WPA_GET_BE16(auth); 1649 1650 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x", 1651 auth_types); 1652 wps->auth_type = wps->wps->auth_types & auth_types; 1653 if (wps->auth_type == 0) { 1654 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 1655 "authentication types (own 0x%x Enrollee 0x%x)", 1656 wps->wps->auth_types, auth_types); 1657 return -1; 1658 } 1659 1660 return 0; 1661 } 1662 1663 1664 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr) 1665 { 1666 u16 encr_types; 1667 1668 if (encr == NULL) { 1669 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags " 1670 "received"); 1671 return -1; 1672 } 1673 1674 encr_types = WPA_GET_BE16(encr); 1675 1676 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x", 1677 encr_types); 1678 wps->encr_type = wps->wps->encr_types & encr_types; 1679 if (wps->encr_type == 0) { 1680 wpa_printf(MSG_DEBUG, "WPS: No match in supported " 1681 "encryption types"); 1682 return -1; 1683 } 1684 1685 return 0; 1686 } 1687 1688 1689 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn) 1690 { 1691 if (conn == NULL) { 1692 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags " 1693 "received"); 1694 return -1; 1695 } 1696 1697 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x", 1698 *conn); 1699 1700 return 0; 1701 } 1702 1703 1704 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods) 1705 { 1706 u16 m; 1707 1708 if (methods == NULL) { 1709 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received"); 1710 return -1; 1711 } 1712 1713 m = WPA_GET_BE16(methods); 1714 1715 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x", m); 1716 1717 return 0; 1718 } 1719 1720 1721 static int wps_process_wps_state(struct wps_data *wps, const u8 *state) 1722 { 1723 if (state == NULL) { 1724 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State " 1725 "received"); 1726 return -1; 1727 } 1728 1729 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d", 1730 *state); 1731 1732 return 0; 1733 } 1734 1735 1736 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc) 1737 { 1738 u16 a; 1739 1740 if (assoc == NULL) { 1741 wpa_printf(MSG_DEBUG, "WPS: No Association State received"); 1742 return -1; 1743 } 1744 1745 a = WPA_GET_BE16(assoc); 1746 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a); 1747 1748 return 0; 1749 } 1750 1751 1752 static int wps_process_config_error(struct wps_data *wps, const u8 *err) 1753 { 1754 u16 e; 1755 1756 if (err == NULL) { 1757 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received"); 1758 return -1; 1759 } 1760 1761 e = WPA_GET_BE16(err); 1762 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e); 1763 1764 return 0; 1765 } 1766 1767 1768 static enum wps_process_res wps_process_m1(struct wps_data *wps, 1769 struct wps_parse_attr *attr) 1770 { 1771 wpa_printf(MSG_DEBUG, "WPS: Received M1"); 1772 1773 if (wps->state != RECV_M1) { 1774 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 1775 "receiving M1", wps->state); 1776 return WPS_FAILURE; 1777 } 1778 1779 if (wps_process_uuid_e(wps, attr->uuid_e) || 1780 wps_process_mac_addr(wps, attr->mac_addr) || 1781 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || 1782 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) || 1783 wps_process_auth_type_flags(wps, attr->auth_type_flags) || 1784 wps_process_encr_type_flags(wps, attr->encr_type_flags) || 1785 wps_process_conn_type_flags(wps, attr->conn_type_flags) || 1786 wps_process_config_methods(wps, attr->config_methods) || 1787 wps_process_wps_state(wps, attr->wps_state) || 1788 wps_process_device_attrs(&wps->peer_dev, attr) || 1789 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) || 1790 wps_process_assoc_state(wps, attr->assoc_state) || 1791 wps_process_dev_password_id(wps, attr->dev_password_id) || 1792 wps_process_config_error(wps, attr->config_error) || 1793 wps_process_os_version(&wps->peer_dev, attr->os_version)) 1794 return WPS_FAILURE; 1795 1796 if (wps->dev_pw_id != DEV_PW_DEFAULT && 1797 wps->dev_pw_id != DEV_PW_USER_SPECIFIED && 1798 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED && 1799 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED && 1800 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || 1801 !wps->wps->registrar->pbc)) { 1802 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d", 1803 wps->dev_pw_id); 1804 wps->state = SEND_M2D; 1805 return WPS_CONTINUE; 1806 } 1807 1808 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) { 1809 if (wps_registrar_pbc_overlap(wps->wps->registrar, 1810 wps->mac_addr_e, wps->uuid_e)) { 1811 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC " 1812 "negotiation"); 1813 wps->state = SEND_M2D; 1814 return WPS_CONTINUE; 1815 } 1816 wps_registrar_add_pbc_session(wps->wps->registrar, 1817 wps->mac_addr_e, wps->uuid_e); 1818 wps->pbc = 1; 1819 } 1820 1821 wps->state = SEND_M2; 1822 return WPS_CONTINUE; 1823 } 1824 1825 1826 static enum wps_process_res wps_process_m3(struct wps_data *wps, 1827 const struct wpabuf *msg, 1828 struct wps_parse_attr *attr) 1829 { 1830 wpa_printf(MSG_DEBUG, "WPS: Received M3"); 1831 1832 if (wps->state != RECV_M3) { 1833 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 1834 "receiving M3", wps->state); 1835 wps->state = SEND_WSC_NACK; 1836 return WPS_CONTINUE; 1837 } 1838 1839 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 1840 wps_process_authenticator(wps, attr->authenticator, msg) || 1841 wps_process_e_hash1(wps, attr->e_hash1) || 1842 wps_process_e_hash2(wps, attr->e_hash2)) { 1843 wps->state = SEND_WSC_NACK; 1844 return WPS_CONTINUE; 1845 } 1846 1847 wps->state = SEND_M4; 1848 return WPS_CONTINUE; 1849 } 1850 1851 1852 static enum wps_process_res wps_process_m5(struct wps_data *wps, 1853 const struct wpabuf *msg, 1854 struct wps_parse_attr *attr) 1855 { 1856 struct wpabuf *decrypted; 1857 struct wps_parse_attr eattr; 1858 1859 wpa_printf(MSG_DEBUG, "WPS: Received M5"); 1860 1861 if (wps->state != RECV_M5) { 1862 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 1863 "receiving M5", wps->state); 1864 wps->state = SEND_WSC_NACK; 1865 return WPS_CONTINUE; 1866 } 1867 1868 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 1869 wps_process_authenticator(wps, attr->authenticator, msg)) { 1870 wps->state = SEND_WSC_NACK; 1871 return WPS_CONTINUE; 1872 } 1873 1874 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 1875 attr->encr_settings_len); 1876 if (decrypted == NULL) { 1877 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " 1878 "Settings attribute"); 1879 wps->state = SEND_WSC_NACK; 1880 return WPS_CONTINUE; 1881 } 1882 1883 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 1884 "attribute"); 1885 if (wps_parse_msg(decrypted, &eattr) < 0 || 1886 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 1887 wps_process_e_snonce1(wps, eattr.e_snonce1)) { 1888 wpabuf_free(decrypted); 1889 wps->state = SEND_WSC_NACK; 1890 return WPS_CONTINUE; 1891 } 1892 wpabuf_free(decrypted); 1893 1894 wps->state = SEND_M6; 1895 return WPS_CONTINUE; 1896 } 1897 1898 1899 static int wps_process_ap_settings_r(struct wps_data *wps, 1900 struct wps_parse_attr *attr) 1901 { 1902 if (wps->wps->ap) 1903 return 0; 1904 1905 /* AP Settings Attributes in M7 when Enrollee is an AP */ 1906 if (wps_process_ap_settings(attr, &wps->cred) < 0) 1907 return -1; 1908 1909 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP"); 1910 1911 /* 1912 * TODO: Provide access to AP settings and allow changes before sending 1913 * out M8. For now, just copy the settings unchanged into M8. 1914 */ 1915 1916 return 0; 1917 } 1918 1919 1920 static enum wps_process_res wps_process_m7(struct wps_data *wps, 1921 const struct wpabuf *msg, 1922 struct wps_parse_attr *attr) 1923 { 1924 struct wpabuf *decrypted; 1925 struct wps_parse_attr eattr; 1926 1927 wpa_printf(MSG_DEBUG, "WPS: Received M7"); 1928 1929 if (wps->state != RECV_M7) { 1930 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 1931 "receiving M7", wps->state); 1932 wps->state = SEND_WSC_NACK; 1933 return WPS_CONTINUE; 1934 } 1935 1936 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || 1937 wps_process_authenticator(wps, attr->authenticator, msg)) { 1938 wps->state = SEND_WSC_NACK; 1939 return WPS_CONTINUE; 1940 } 1941 1942 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, 1943 attr->encr_settings_len); 1944 if (decrypted == NULL) { 1945 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " 1946 "Settings attribute"); 1947 wps->state = SEND_WSC_NACK; 1948 return WPS_CONTINUE; 1949 } 1950 1951 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " 1952 "attribute"); 1953 if (wps_parse_msg(decrypted, &eattr) < 0 || 1954 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || 1955 wps_process_e_snonce2(wps, eattr.e_snonce2) || 1956 wps_process_ap_settings_r(wps, &eattr)) { 1957 wpabuf_free(decrypted); 1958 wps->state = SEND_WSC_NACK; 1959 return WPS_CONTINUE; 1960 } 1961 1962 wpabuf_free(decrypted); 1963 1964 wps->state = SEND_M8; 1965 return WPS_CONTINUE; 1966 } 1967 1968 1969 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, 1970 const struct wpabuf *msg) 1971 { 1972 struct wps_parse_attr attr; 1973 enum wps_process_res ret = WPS_CONTINUE; 1974 1975 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG"); 1976 1977 if (wps_parse_msg(msg, &attr) < 0) 1978 return WPS_FAILURE; 1979 1980 if (!wps_version_supported(attr.version)) { 1981 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", 1982 attr.version ? *attr.version : 0); 1983 return WPS_FAILURE; 1984 } 1985 1986 if (attr.msg_type == NULL) { 1987 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 1988 return WPS_FAILURE; 1989 } 1990 1991 if (*attr.msg_type != WPS_M1 && 1992 (attr.registrar_nonce == NULL || 1993 os_memcmp(wps->nonce_r, attr.registrar_nonce, 1994 WPS_NONCE_LEN != 0))) { 1995 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 1996 return WPS_FAILURE; 1997 } 1998 1999 switch (*attr.msg_type) { 2000 case WPS_M1: 2001 #ifdef CONFIG_WPS_UPNP 2002 if (wps->wps->wps_upnp && attr.mac_addr) { 2003 /* Remove old pending messages when starting new run */ 2004 wps_free_pending_msgs(wps->wps->upnp_msgs); 2005 wps->wps->upnp_msgs = NULL; 2006 2007 upnp_wps_device_send_wlan_event( 2008 wps->wps->wps_upnp, attr.mac_addr, 2009 UPNP_WPS_WLANEVENT_TYPE_EAP, msg); 2010 } 2011 #endif /* CONFIG_WPS_UPNP */ 2012 ret = wps_process_m1(wps, &attr); 2013 break; 2014 case WPS_M3: 2015 ret = wps_process_m3(wps, msg, &attr); 2016 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2017 wps_fail_event(wps->wps, WPS_M3); 2018 break; 2019 case WPS_M5: 2020 ret = wps_process_m5(wps, msg, &attr); 2021 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2022 wps_fail_event(wps->wps, WPS_M5); 2023 break; 2024 case WPS_M7: 2025 ret = wps_process_m7(wps, msg, &attr); 2026 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) 2027 wps_fail_event(wps->wps, WPS_M7); 2028 break; 2029 default: 2030 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d", 2031 *attr.msg_type); 2032 return WPS_FAILURE; 2033 } 2034 2035 if (ret == WPS_CONTINUE) { 2036 /* Save a copy of the last message for Authenticator derivation 2037 */ 2038 wpabuf_free(wps->last_msg); 2039 wps->last_msg = wpabuf_dup(msg); 2040 } 2041 2042 return ret; 2043 } 2044 2045 2046 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps, 2047 const struct wpabuf *msg) 2048 { 2049 struct wps_parse_attr attr; 2050 2051 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK"); 2052 2053 if (wps_parse_msg(msg, &attr) < 0) 2054 return WPS_FAILURE; 2055 2056 if (!wps_version_supported(attr.version)) { 2057 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", 2058 attr.version ? *attr.version : 0); 2059 return WPS_FAILURE; 2060 } 2061 2062 if (attr.msg_type == NULL) { 2063 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2064 return WPS_FAILURE; 2065 } 2066 2067 if (*attr.msg_type != WPS_WSC_ACK) { 2068 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 2069 *attr.msg_type); 2070 return WPS_FAILURE; 2071 } 2072 2073 #ifdef CONFIG_WPS_UPNP 2074 if (wps->wps->wps_upnp && wps->ext_reg && wps->state == RECV_M2D_ACK && 2075 upnp_wps_subscribers(wps->wps->wps_upnp)) { 2076 if (wps->wps->upnp_msgs) 2077 return WPS_CONTINUE; 2078 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 2079 "external Registrar"); 2080 return WPS_PENDING; 2081 } 2082 #endif /* CONFIG_WPS_UPNP */ 2083 2084 if (attr.registrar_nonce == NULL || 2085 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0)) 2086 { 2087 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2088 return WPS_FAILURE; 2089 } 2090 2091 if (attr.enrollee_nonce == NULL || 2092 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) { 2093 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 2094 return WPS_FAILURE; 2095 } 2096 2097 if (wps->state == RECV_M2D_ACK) { 2098 #ifdef CONFIG_WPS_UPNP 2099 if (wps->wps->wps_upnp && 2100 upnp_wps_subscribers(wps->wps->wps_upnp)) { 2101 if (wps->wps->upnp_msgs) 2102 return WPS_CONTINUE; 2103 if (wps->ext_reg == 0) 2104 wps->ext_reg = 1; 2105 wpa_printf(MSG_DEBUG, "WPS: Wait for response from an " 2106 "external Registrar"); 2107 return WPS_PENDING; 2108 } 2109 #endif /* CONFIG_WPS_UPNP */ 2110 2111 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - " 2112 "terminate negotiation"); 2113 } 2114 2115 return WPS_FAILURE; 2116 } 2117 2118 2119 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps, 2120 const struct wpabuf *msg) 2121 { 2122 struct wps_parse_attr attr; 2123 int old_state; 2124 2125 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK"); 2126 2127 old_state = wps->state; 2128 wps->state = SEND_WSC_NACK; 2129 2130 if (wps_parse_msg(msg, &attr) < 0) 2131 return WPS_FAILURE; 2132 2133 if (!wps_version_supported(attr.version)) { 2134 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", 2135 attr.version ? *attr.version : 0); 2136 return WPS_FAILURE; 2137 } 2138 2139 if (attr.msg_type == NULL) { 2140 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2141 return WPS_FAILURE; 2142 } 2143 2144 if (*attr.msg_type != WPS_WSC_NACK) { 2145 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 2146 *attr.msg_type); 2147 return WPS_FAILURE; 2148 } 2149 2150 #ifdef CONFIG_WPS_UPNP 2151 if (wps->wps->wps_upnp && wps->ext_reg) { 2152 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 2153 "Registrar terminated by the Enrollee"); 2154 return WPS_FAILURE; 2155 } 2156 #endif /* CONFIG_WPS_UPNP */ 2157 2158 if (attr.registrar_nonce == NULL || 2159 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0)) 2160 { 2161 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2162 return WPS_FAILURE; 2163 } 2164 2165 if (attr.enrollee_nonce == NULL || 2166 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) { 2167 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 2168 return WPS_FAILURE; 2169 } 2170 2171 if (attr.config_error == NULL) { 2172 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute " 2173 "in WSC_NACK"); 2174 return WPS_FAILURE; 2175 } 2176 2177 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with " 2178 "Configuration Error %d", WPA_GET_BE16(attr.config_error)); 2179 2180 switch (old_state) { 2181 case RECV_M3: 2182 wps_fail_event(wps->wps, WPS_M2); 2183 break; 2184 case RECV_M5: 2185 wps_fail_event(wps->wps, WPS_M4); 2186 break; 2187 case RECV_M7: 2188 wps_fail_event(wps->wps, WPS_M6); 2189 break; 2190 case RECV_DONE: 2191 wps_fail_event(wps->wps, WPS_M8); 2192 break; 2193 default: 2194 break; 2195 } 2196 2197 return WPS_FAILURE; 2198 } 2199 2200 2201 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps, 2202 const struct wpabuf *msg) 2203 { 2204 struct wps_parse_attr attr; 2205 2206 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done"); 2207 2208 if (wps->state != RECV_DONE && 2209 (!wps->wps->wps_upnp || !wps->ext_reg)) { 2210 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " 2211 "receiving WSC_Done", wps->state); 2212 return WPS_FAILURE; 2213 } 2214 2215 if (wps_parse_msg(msg, &attr) < 0) 2216 return WPS_FAILURE; 2217 2218 if (!wps_version_supported(attr.version)) { 2219 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", 2220 attr.version ? *attr.version : 0); 2221 return WPS_FAILURE; 2222 } 2223 2224 if (attr.msg_type == NULL) { 2225 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); 2226 return WPS_FAILURE; 2227 } 2228 2229 if (*attr.msg_type != WPS_WSC_DONE) { 2230 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d", 2231 *attr.msg_type); 2232 return WPS_FAILURE; 2233 } 2234 2235 #ifdef CONFIG_WPS_UPNP 2236 if (wps->wps->wps_upnp && wps->ext_reg) { 2237 wpa_printf(MSG_DEBUG, "WPS: Negotiation using external " 2238 "Registrar completed successfully"); 2239 return WPS_DONE; 2240 } 2241 #endif /* CONFIG_WPS_UPNP */ 2242 2243 if (attr.registrar_nonce == NULL || 2244 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0)) 2245 { 2246 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce"); 2247 return WPS_FAILURE; 2248 } 2249 2250 if (attr.enrollee_nonce == NULL || 2251 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) { 2252 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); 2253 return WPS_FAILURE; 2254 } 2255 2256 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully"); 2257 2258 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk && 2259 wps->wps->ap && !wps->wps->registrar->disable_auto_conf) { 2260 struct wps_credential cred; 2261 2262 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based " 2263 "on first Enrollee connection"); 2264 2265 os_memset(&cred, 0, sizeof(cred)); 2266 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len); 2267 cred.ssid_len = wps->wps->ssid_len; 2268 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK; 2269 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES; 2270 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len); 2271 cred.key_len = wps->new_psk_len; 2272 2273 wps->wps->wps_state = WPS_STATE_CONFIGURED; 2274 wpa_hexdump_ascii_key(MSG_DEBUG, 2275 "WPS: Generated random passphrase", 2276 wps->new_psk, wps->new_psk_len); 2277 if (wps->wps->cred_cb) 2278 wps->wps->cred_cb(wps->wps->cb_ctx, &cred); 2279 2280 os_free(wps->new_psk); 2281 wps->new_psk = NULL; 2282 } 2283 2284 if (!wps->wps->ap) { 2285 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based " 2286 "on the modified AP configuration"); 2287 if (wps->wps->cred_cb) 2288 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred); 2289 } 2290 2291 if (wps->new_psk) { 2292 if (wps_cb_new_psk(wps->wps->registrar, wps->mac_addr_e, 2293 wps->new_psk, wps->new_psk_len)) { 2294 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the " 2295 "new PSK"); 2296 } 2297 os_free(wps->new_psk); 2298 wps->new_psk = NULL; 2299 } 2300 2301 wps_cb_reg_success(wps->wps->registrar, wps->mac_addr_e, wps->uuid_e); 2302 2303 if (wps->pbc) { 2304 wps_registrar_remove_pbc_session(wps->wps->registrar, 2305 wps->mac_addr_e, wps->uuid_e); 2306 wps_registrar_pbc_completed(wps->wps->registrar); 2307 } 2308 2309 wps_success_event(wps->wps); 2310 2311 return WPS_DONE; 2312 } 2313 2314 2315 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps, 2316 enum wsc_op_code op_code, 2317 const struct wpabuf *msg) 2318 { 2319 enum wps_process_res ret; 2320 2321 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu " 2322 "op_code=%d)", 2323 (unsigned long) wpabuf_len(msg), op_code); 2324 2325 #ifdef CONFIG_WPS_UPNP 2326 if (wps->wps->wps_upnp && op_code == WSC_MSG && wps->ext_reg == 1) { 2327 struct wps_parse_attr attr; 2328 if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type && 2329 *attr.msg_type == WPS_M3) 2330 wps->ext_reg = 2; /* past M2/M2D phase */ 2331 } 2332 if (wps->ext_reg > 1) 2333 wps_registrar_free_pending_m2(wps->wps); 2334 if (wps->wps->wps_upnp && wps->ext_reg && 2335 wps->wps->upnp_msgs == NULL && 2336 (op_code == WSC_MSG || op_code == WSC_Done)) { 2337 struct wps_parse_attr attr; 2338 int type; 2339 if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL) 2340 type = -1; 2341 else 2342 type = *attr.msg_type; 2343 wpa_printf(MSG_DEBUG, "WPS: Sending received message (type %d)" 2344 " to external Registrar for processing", type); 2345 upnp_wps_device_send_wlan_event(wps->wps->wps_upnp, 2346 wps->mac_addr_e, 2347 UPNP_WPS_WLANEVENT_TYPE_EAP, 2348 msg); 2349 if (op_code == WSC_MSG) 2350 return WPS_PENDING; 2351 } else if (wps->wps->wps_upnp && wps->ext_reg && op_code == WSC_MSG) { 2352 wpa_printf(MSG_DEBUG, "WPS: Skip internal processing - using " 2353 "external Registrar"); 2354 return WPS_CONTINUE; 2355 } 2356 #endif /* CONFIG_WPS_UPNP */ 2357 2358 switch (op_code) { 2359 case WSC_MSG: 2360 return wps_process_wsc_msg(wps, msg); 2361 case WSC_ACK: 2362 return wps_process_wsc_ack(wps, msg); 2363 case WSC_NACK: 2364 return wps_process_wsc_nack(wps, msg); 2365 case WSC_Done: 2366 ret = wps_process_wsc_done(wps, msg); 2367 if (ret == WPS_FAILURE) { 2368 wps->state = SEND_WSC_NACK; 2369 wps_fail_event(wps->wps, WPS_WSC_DONE); 2370 } 2371 return ret; 2372 default: 2373 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code); 2374 return WPS_FAILURE; 2375 } 2376 } 2377 2378 2379 int wps_registrar_update_ie(struct wps_registrar *reg) 2380 { 2381 return wps_set_ie(reg); 2382 } 2383 2384 2385 static void wps_registrar_set_selected_timeout(void *eloop_ctx, 2386 void *timeout_ctx) 2387 { 2388 struct wps_registrar *reg = eloop_ctx; 2389 2390 wpa_printf(MSG_DEBUG, "WPS: SetSelectedRegistrar timed out - " 2391 "unselect Registrar"); 2392 reg->selected_registrar = 0; 2393 reg->pbc = 0; 2394 reg->sel_reg_dev_password_id_override = -1; 2395 reg->sel_reg_config_methods_override = -1; 2396 wps_set_ie(reg); 2397 } 2398 2399 2400 /** 2401 * wps_registrar_set_selected_registrar - Notification of SetSelectedRegistrar 2402 * @reg: Registrar data from wps_registrar_init() 2403 * @msg: Received message from SetSelectedRegistrar 2404 * @msg_len: Length of msg in octets 2405 * Returns: 0 on success, -1 on failure 2406 * 2407 * This function is called when an AP receives a SetSelectedRegistrar UPnP 2408 * message. 2409 */ 2410 int wps_registrar_set_selected_registrar(struct wps_registrar *reg, 2411 const struct wpabuf *msg) 2412 { 2413 struct wps_parse_attr attr; 2414 2415 wpa_hexdump_buf(MSG_MSGDUMP, "WPS: SetSelectedRegistrar attributes", 2416 msg); 2417 2418 if (wps_parse_msg(msg, &attr) < 0) 2419 return -1; 2420 if (!wps_version_supported(attr.version)) { 2421 wpa_printf(MSG_DEBUG, "WPS: Unsupported SetSelectedRegistrar " 2422 "version 0x%x", attr.version ? *attr.version : 0); 2423 return -1; 2424 } 2425 2426 if (attr.selected_registrar == NULL || 2427 *attr.selected_registrar == 0) { 2428 wpa_printf(MSG_DEBUG, "WPS: SetSelectedRegistrar: Disable " 2429 "Selected Registrar"); 2430 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, 2431 NULL); 2432 wps_registrar_set_selected_timeout(reg, NULL); 2433 return 0; 2434 } 2435 2436 reg->selected_registrar = 1; 2437 reg->sel_reg_dev_password_id_override = attr.dev_password_id ? 2438 WPA_GET_BE16(attr.dev_password_id) : DEV_PW_DEFAULT; 2439 reg->sel_reg_config_methods_override = attr.sel_reg_config_methods ? 2440 WPA_GET_BE16(attr.sel_reg_config_methods) : -1; 2441 wps_set_ie(reg); 2442 2443 eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL); 2444 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, 2445 wps_registrar_set_selected_timeout, 2446 reg, NULL); 2447 return 0; 2448 } 2449