xref: /freebsd/contrib/wpa/src/wps/wps_registrar.c (revision b077aed33b7b6aefca7b17ddb250cf521f938613)
1 /*
2  * Wi-Fi Protected Setup - Registrar
3  * Copyright (c) 2008-2016, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/base64.h"
13 #include "utils/eloop.h"
14 #include "utils/uuid.h"
15 #include "utils/list.h"
16 #include "crypto/crypto.h"
17 #include "crypto/sha256.h"
18 #include "crypto/random.h"
19 #include "common/ieee802_11_defs.h"
20 #include "common/wpa_common.h"
21 #include "wps_i.h"
22 #include "wps_dev_attr.h"
23 #include "wps_upnp.h"
24 #include "wps_upnp_i.h"
25 
26 #ifndef CONFIG_WPS_STRICT
27 #define WPS_WORKAROUNDS
28 #endif /* CONFIG_WPS_STRICT */
29 
30 #ifdef CONFIG_WPS_NFC
31 
32 struct wps_nfc_pw_token {
33 	struct dl_list list;
34 	u8 pubkey_hash[WPS_OOB_PUBKEY_HASH_LEN];
35 	unsigned int peer_pk_hash_known:1;
36 	u16 pw_id;
37 	u8 dev_pw[WPS_OOB_DEVICE_PASSWORD_LEN * 2 + 1];
38 	size_t dev_pw_len;
39 	int pk_hash_provided_oob; /* whether own PK hash was provided OOB */
40 };
41 
42 
43 static void wps_remove_nfc_pw_token(struct wps_nfc_pw_token *token)
44 {
45 	dl_list_del(&token->list);
46 	bin_clear_free(token, sizeof(*token));
47 }
48 
49 
50 static void wps_free_nfc_pw_tokens(struct dl_list *tokens, u16 pw_id)
51 {
52 	struct wps_nfc_pw_token *token, *prev;
53 	dl_list_for_each_safe(token, prev, tokens, struct wps_nfc_pw_token,
54 			      list) {
55 		if (pw_id == 0 || pw_id == token->pw_id)
56 			wps_remove_nfc_pw_token(token);
57 	}
58 }
59 
60 
61 static struct wps_nfc_pw_token * wps_get_nfc_pw_token(struct dl_list *tokens,
62 						      u16 pw_id)
63 {
64 	struct wps_nfc_pw_token *token;
65 	dl_list_for_each(token, tokens, struct wps_nfc_pw_token, list) {
66 		if (pw_id == token->pw_id)
67 			return token;
68 	}
69 	return NULL;
70 }
71 
72 #else /* CONFIG_WPS_NFC */
73 
74 #define wps_free_nfc_pw_tokens(t, p) do { } while (0)
75 
76 #endif /* CONFIG_WPS_NFC */
77 
78 
79 struct wps_uuid_pin {
80 	struct dl_list list;
81 	u8 uuid[WPS_UUID_LEN];
82 	int wildcard_uuid;
83 	u8 *pin;
84 	size_t pin_len;
85 #define PIN_LOCKED BIT(0)
86 #define PIN_EXPIRES BIT(1)
87 	int flags;
88 	struct os_reltime expiration;
89 	u8 enrollee_addr[ETH_ALEN];
90 };
91 
92 
93 static void wps_free_pin(struct wps_uuid_pin *pin)
94 {
95 	bin_clear_free(pin->pin, pin->pin_len);
96 	os_free(pin);
97 }
98 
99 
100 static void wps_remove_pin(struct wps_uuid_pin *pin)
101 {
102 	dl_list_del(&pin->list);
103 	wps_free_pin(pin);
104 }
105 
106 
107 static void wps_free_pins(struct dl_list *pins)
108 {
109 	struct wps_uuid_pin *pin, *prev;
110 	dl_list_for_each_safe(pin, prev, pins, struct wps_uuid_pin, list)
111 		wps_remove_pin(pin);
112 }
113 
114 
115 struct wps_pbc_session {
116 	struct wps_pbc_session *next;
117 	u8 addr[ETH_ALEN];
118 	u8 uuid_e[WPS_UUID_LEN];
119 	struct os_reltime timestamp;
120 };
121 
122 
123 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc)
124 {
125 	struct wps_pbc_session *prev;
126 
127 	while (pbc) {
128 		prev = pbc;
129 		pbc = pbc->next;
130 		os_free(prev);
131 	}
132 }
133 
134 
135 struct wps_registrar_device {
136 	struct wps_registrar_device *next;
137 	struct wps_device_data dev;
138 	u8 uuid[WPS_UUID_LEN];
139 };
140 
141 
142 struct wps_registrar {
143 	struct wps_context *wps;
144 
145 	int pbc;
146 	int selected_registrar;
147 
148 	int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *p2p_dev_addr,
149 			  const u8 *psk, size_t psk_len);
150 	int (*set_ie_cb)(void *ctx, struct wpabuf *beacon_ie,
151 			 struct wpabuf *probe_resp_ie);
152 	void (*pin_needed_cb)(void *ctx, const u8 *uuid_e,
153 			      const struct wps_device_data *dev);
154 	void (*reg_success_cb)(void *ctx, const u8 *mac_addr,
155 			       const u8 *uuid_e, const u8 *dev_pw,
156 			       size_t dev_pw_len);
157 	void (*set_sel_reg_cb)(void *ctx, int sel_reg, u16 dev_passwd_id,
158 			       u16 sel_reg_config_methods);
159 	void (*enrollee_seen_cb)(void *ctx, const u8 *addr, const u8 *uuid_e,
160 				 const u8 *pri_dev_type, u16 config_methods,
161 				 u16 dev_password_id, u8 request_type,
162 				 const char *dev_name);
163 	int (*lookup_pskfile_cb)(void *ctx, const u8 *mac_addr, const u8 **psk);
164 	void *cb_ctx;
165 
166 	struct dl_list pins;
167 	struct dl_list nfc_pw_tokens;
168 	struct wps_pbc_session *pbc_sessions;
169 
170 	int skip_cred_build;
171 	struct wpabuf *extra_cred;
172 	int disable_auto_conf;
173 	int sel_reg_union;
174 	int sel_reg_dev_password_id_override;
175 	int sel_reg_config_methods_override;
176 	int dualband;
177 	int force_per_enrollee_psk;
178 
179 	struct wps_registrar_device *devices;
180 
181 	int force_pbc_overlap;
182 
183 	u8 authorized_macs[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN];
184 	u8 authorized_macs_union[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN];
185 
186 	u8 p2p_dev_addr[ETH_ALEN];
187 
188 	u8 pbc_ignore_uuid[WPS_UUID_LEN];
189 #ifdef WPS_WORKAROUNDS
190 	struct os_reltime pbc_ignore_start;
191 #endif /* WPS_WORKAROUNDS */
192 
193 	/**
194 	 * multi_ap_backhaul_ssid - SSID to supply to a Multi-AP backhaul
195 	 * enrollee
196 	 *
197 	 * This SSID is used by the Registrar to fill in information for
198 	 * Credentials when the enrollee advertises it is a Multi-AP backhaul
199 	 * STA.
200 	 */
201 	u8 multi_ap_backhaul_ssid[SSID_MAX_LEN];
202 
203 	/**
204 	 * multi_ap_backhaul_ssid_len - Length of multi_ap_backhaul_ssid in
205 	 * octets
206 	 */
207 	size_t multi_ap_backhaul_ssid_len;
208 
209 	/**
210 	 * multi_ap_backhaul_network_key - The Network Key (PSK) for the
211 	 * Multi-AP backhaul enrollee.
212 	 *
213 	 * This key can be either the ASCII passphrase (8..63 characters) or the
214 	 * 32-octet PSK (64 hex characters).
215 	 */
216 	u8 *multi_ap_backhaul_network_key;
217 
218 	/**
219 	 * multi_ap_backhaul_network_key_len - Length of
220 	 * multi_ap_backhaul_network_key in octets
221 	 */
222 	size_t multi_ap_backhaul_network_key_len;
223 };
224 
225 
226 static int wps_set_ie(struct wps_registrar *reg);
227 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx);
228 static void wps_registrar_set_selected_timeout(void *eloop_ctx,
229 					       void *timeout_ctx);
230 static void wps_registrar_remove_pin(struct wps_registrar *reg,
231 				     struct wps_uuid_pin *pin);
232 
233 
234 static void wps_registrar_add_authorized_mac(struct wps_registrar *reg,
235 					     const u8 *addr)
236 {
237 	int i;
238 	wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC " MACSTR,
239 		   MAC2STR(addr));
240 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++)
241 		if (os_memcmp(reg->authorized_macs[i], addr, ETH_ALEN) == 0) {
242 			wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was "
243 				   "already in the list");
244 			return; /* already in list */
245 		}
246 	for (i = WPS_MAX_AUTHORIZED_MACS - 1; i > 0; i--)
247 		os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i - 1],
248 			  ETH_ALEN);
249 	os_memcpy(reg->authorized_macs[0], addr, ETH_ALEN);
250 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs",
251 		    (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs));
252 }
253 
254 
255 static void wps_registrar_remove_authorized_mac(struct wps_registrar *reg,
256 						const u8 *addr)
257 {
258 	int i;
259 	wpa_printf(MSG_DEBUG, "WPS: Remove authorized MAC " MACSTR,
260 		   MAC2STR(addr));
261 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) {
262 		if (os_memcmp(reg->authorized_macs, addr, ETH_ALEN) == 0)
263 			break;
264 	}
265 	if (i == WPS_MAX_AUTHORIZED_MACS) {
266 		wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was not in the "
267 			   "list");
268 		return; /* not in the list */
269 	}
270 	for (; i + 1 < WPS_MAX_AUTHORIZED_MACS; i++)
271 		os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i + 1],
272 			  ETH_ALEN);
273 	os_memset(reg->authorized_macs[WPS_MAX_AUTHORIZED_MACS - 1], 0,
274 		  ETH_ALEN);
275 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs",
276 		    (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs));
277 }
278 
279 
280 static void wps_free_devices(struct wps_registrar_device *dev)
281 {
282 	struct wps_registrar_device *prev;
283 
284 	while (dev) {
285 		prev = dev;
286 		dev = dev->next;
287 		wps_device_data_free(&prev->dev);
288 		os_free(prev);
289 	}
290 }
291 
292 
293 static struct wps_registrar_device * wps_device_get(struct wps_registrar *reg,
294 						    const u8 *addr)
295 {
296 	struct wps_registrar_device *dev;
297 
298 	for (dev = reg->devices; dev; dev = dev->next) {
299 		if (os_memcmp(dev->dev.mac_addr, addr, ETH_ALEN) == 0)
300 			return dev;
301 	}
302 	return NULL;
303 }
304 
305 
306 static void wps_device_clone_data(struct wps_device_data *dst,
307 				  struct wps_device_data *src)
308 {
309 	os_memcpy(dst->mac_addr, src->mac_addr, ETH_ALEN);
310 	os_memcpy(dst->pri_dev_type, src->pri_dev_type, WPS_DEV_TYPE_LEN);
311 
312 #define WPS_STRDUP(n) \
313 	os_free(dst->n); \
314 	dst->n = src->n ? os_strdup(src->n) : NULL
315 
316 	WPS_STRDUP(device_name);
317 	WPS_STRDUP(manufacturer);
318 	WPS_STRDUP(model_name);
319 	WPS_STRDUP(model_number);
320 	WPS_STRDUP(serial_number);
321 #undef WPS_STRDUP
322 }
323 
324 
325 int wps_device_store(struct wps_registrar *reg,
326 		     struct wps_device_data *dev, const u8 *uuid)
327 {
328 	struct wps_registrar_device *d;
329 
330 	d = wps_device_get(reg, dev->mac_addr);
331 	if (d == NULL) {
332 		d = os_zalloc(sizeof(*d));
333 		if (d == NULL)
334 			return -1;
335 		d->next = reg->devices;
336 		reg->devices = d;
337 	}
338 
339 	wps_device_clone_data(&d->dev, dev);
340 	os_memcpy(d->uuid, uuid, WPS_UUID_LEN);
341 
342 	return 0;
343 }
344 
345 
346 static void wps_registrar_add_pbc_session(struct wps_registrar *reg,
347 					  const u8 *addr, const u8 *uuid_e)
348 {
349 	struct wps_pbc_session *pbc, *prev = NULL;
350 	struct os_reltime now;
351 
352 	os_get_reltime(&now);
353 
354 	pbc = reg->pbc_sessions;
355 	while (pbc) {
356 		if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
357 		    os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
358 			if (prev)
359 				prev->next = pbc->next;
360 			else
361 				reg->pbc_sessions = pbc->next;
362 			break;
363 		}
364 		prev = pbc;
365 		pbc = pbc->next;
366 	}
367 
368 	if (!pbc) {
369 		pbc = os_zalloc(sizeof(*pbc));
370 		if (pbc == NULL)
371 			return;
372 		os_memcpy(pbc->addr, addr, ETH_ALEN);
373 		if (uuid_e)
374 			os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN);
375 	}
376 
377 	pbc->next = reg->pbc_sessions;
378 	reg->pbc_sessions = pbc;
379 	pbc->timestamp = now;
380 
381 	/* remove entries that have timed out */
382 	prev = pbc;
383 	pbc = pbc->next;
384 
385 	while (pbc) {
386 		if (os_reltime_expired(&now, &pbc->timestamp,
387 				       WPS_PBC_WALK_TIME)) {
388 			prev->next = NULL;
389 			wps_free_pbc_sessions(pbc);
390 			break;
391 		}
392 		prev = pbc;
393 		pbc = pbc->next;
394 	}
395 }
396 
397 
398 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
399 					     const u8 *uuid_e,
400 					     const u8 *p2p_dev_addr)
401 {
402 	struct wps_pbc_session *pbc, *prev = NULL, *tmp;
403 
404 	pbc = reg->pbc_sessions;
405 	while (pbc) {
406 		if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0 ||
407 		    (p2p_dev_addr && !is_zero_ether_addr(reg->p2p_dev_addr) &&
408 		     os_memcmp(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) ==
409 		     0)) {
410 			if (prev)
411 				prev->next = pbc->next;
412 			else
413 				reg->pbc_sessions = pbc->next;
414 			tmp = pbc;
415 			pbc = pbc->next;
416 			wpa_printf(MSG_DEBUG, "WPS: Removing PBC session for "
417 				   "addr=" MACSTR, MAC2STR(tmp->addr));
418 			wpa_hexdump(MSG_DEBUG, "WPS: Removed UUID-E",
419 				    tmp->uuid_e, WPS_UUID_LEN);
420 			os_free(tmp);
421 			continue;
422 		}
423 		prev = pbc;
424 		pbc = pbc->next;
425 	}
426 }
427 
428 
429 int wps_registrar_pbc_overlap(struct wps_registrar *reg,
430 			      const u8 *addr, const u8 *uuid_e)
431 {
432 	int count = 0;
433 	struct wps_pbc_session *pbc;
434 	struct wps_pbc_session *first = NULL;
435 	struct os_reltime now;
436 
437 	os_get_reltime(&now);
438 
439 	wpa_printf(MSG_DEBUG, "WPS: Checking active PBC sessions for overlap");
440 
441 	if (uuid_e) {
442 		wpa_printf(MSG_DEBUG, "WPS: Add one for the requested UUID");
443 		wpa_hexdump(MSG_DEBUG, "WPS: Requested UUID",
444 			    uuid_e, WPS_UUID_LEN);
445 		count++;
446 	}
447 
448 	for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) {
449 		wpa_printf(MSG_DEBUG, "WPS: Consider PBC session with " MACSTR,
450 			   MAC2STR(pbc->addr));
451 		wpa_hexdump(MSG_DEBUG, "WPS: UUID-E",
452 			    pbc->uuid_e, WPS_UUID_LEN);
453 		if (os_reltime_expired(&now, &pbc->timestamp,
454 				       WPS_PBC_WALK_TIME)) {
455 			wpa_printf(MSG_DEBUG, "WPS: PBC walk time has expired");
456 			break;
457 		}
458 		if (first &&
459 		    os_memcmp(pbc->uuid_e, first->uuid_e, WPS_UUID_LEN) == 0) {
460 			wpa_printf(MSG_DEBUG, "WPS: Same Enrollee");
461 			continue; /* same Enrollee */
462 		}
463 		if (uuid_e == NULL ||
464 		    os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN)) {
465 			wpa_printf(MSG_DEBUG, "WPS: New Enrollee");
466 			count++;
467 		}
468 		if (first == NULL)
469 			first = pbc;
470 	}
471 
472 	wpa_printf(MSG_DEBUG, "WPS: %u active PBC session(s) found", count);
473 
474 	return count > 1 ? 1 : 0;
475 }
476 
477 
478 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg)
479 {
480 	wpa_printf(MSG_DEBUG, "WPS:  * Wi-Fi Protected Setup State (%d)",
481 		   wps->wps_state);
482 	wpabuf_put_be16(msg, ATTR_WPS_STATE);
483 	wpabuf_put_be16(msg, 1);
484 	wpabuf_put_u8(msg, wps->wps_state);
485 	return 0;
486 }
487 
488 
489 #ifdef CONFIG_WPS_UPNP
490 static void wps_registrar_free_pending_m2(struct wps_context *wps)
491 {
492 	struct upnp_pending_message *p, *p2, *prev = NULL;
493 	p = wps->upnp_msgs;
494 	while (p) {
495 		if (p->type == WPS_M2 || p->type == WPS_M2D) {
496 			if (prev == NULL)
497 				wps->upnp_msgs = p->next;
498 			else
499 				prev->next = p->next;
500 			wpa_printf(MSG_DEBUG, "WPS UPnP: Drop pending M2/M2D");
501 			p2 = p;
502 			p = p->next;
503 			wpabuf_free(p2->msg);
504 			os_free(p2);
505 			continue;
506 		}
507 		prev = p;
508 		p = p->next;
509 	}
510 }
511 #endif /* CONFIG_WPS_UPNP */
512 
513 
514 static int wps_build_ap_setup_locked(struct wps_context *wps,
515 				     struct wpabuf *msg)
516 {
517 	if (wps->ap_setup_locked && wps->ap_setup_locked != 2) {
518 		wpa_printf(MSG_DEBUG, "WPS:  * AP Setup Locked");
519 		wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED);
520 		wpabuf_put_be16(msg, 1);
521 		wpabuf_put_u8(msg, 1);
522 	}
523 	return 0;
524 }
525 
526 
527 static int wps_build_selected_registrar(struct wps_registrar *reg,
528 					struct wpabuf *msg)
529 {
530 	if (!reg->sel_reg_union)
531 		return 0;
532 	wpa_printf(MSG_DEBUG, "WPS:  * Selected Registrar");
533 	wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR);
534 	wpabuf_put_be16(msg, 1);
535 	wpabuf_put_u8(msg, 1);
536 	return 0;
537 }
538 
539 
540 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg,
541 					     struct wpabuf *msg)
542 {
543 	u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
544 	if (!reg->sel_reg_union)
545 		return 0;
546 	if (reg->sel_reg_dev_password_id_override >= 0)
547 		id = reg->sel_reg_dev_password_id_override;
548 	wpa_printf(MSG_DEBUG, "WPS:  * Device Password ID (%d)", id);
549 	wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID);
550 	wpabuf_put_be16(msg, 2);
551 	wpabuf_put_be16(msg, id);
552 	return 0;
553 }
554 
555 
556 static int wps_build_sel_pbc_reg_uuid_e(struct wps_registrar *reg,
557 					struct wpabuf *msg)
558 {
559 	u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
560 	if (!reg->sel_reg_union)
561 		return 0;
562 	if (reg->sel_reg_dev_password_id_override >= 0)
563 		id = reg->sel_reg_dev_password_id_override;
564 	if (id != DEV_PW_PUSHBUTTON || !reg->dualband)
565 		return 0;
566 	return wps_build_uuid_e(msg, reg->wps->uuid);
567 }
568 
569 
570 static void wps_set_pushbutton(u16 *methods, u16 conf_methods)
571 {
572 	*methods |= WPS_CONFIG_PUSHBUTTON;
573 	if ((conf_methods & WPS_CONFIG_VIRT_PUSHBUTTON) ==
574 	    WPS_CONFIG_VIRT_PUSHBUTTON)
575 		*methods |= WPS_CONFIG_VIRT_PUSHBUTTON;
576 	if ((conf_methods & WPS_CONFIG_PHY_PUSHBUTTON) ==
577 	    WPS_CONFIG_PHY_PUSHBUTTON)
578 		*methods |= WPS_CONFIG_PHY_PUSHBUTTON;
579 	if ((*methods & WPS_CONFIG_VIRT_PUSHBUTTON) !=
580 	    WPS_CONFIG_VIRT_PUSHBUTTON &&
581 	    (*methods & WPS_CONFIG_PHY_PUSHBUTTON) !=
582 	    WPS_CONFIG_PHY_PUSHBUTTON) {
583 		/*
584 		 * Required to include virtual/physical flag, but we were not
585 		 * configured with push button type, so have to default to one
586 		 * of them.
587 		 */
588 		*methods |= WPS_CONFIG_PHY_PUSHBUTTON;
589 	}
590 }
591 
592 
593 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg,
594 					    struct wpabuf *msg)
595 {
596 	u16 methods;
597 	if (!reg->sel_reg_union)
598 		return 0;
599 	methods = reg->wps->config_methods;
600 	methods &= ~WPS_CONFIG_PUSHBUTTON;
601 	methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
602 		     WPS_CONFIG_PHY_PUSHBUTTON);
603 	if (reg->pbc)
604 		wps_set_pushbutton(&methods, reg->wps->config_methods);
605 	if (reg->sel_reg_config_methods_override >= 0)
606 		methods = reg->sel_reg_config_methods_override;
607 	wpa_printf(MSG_DEBUG, "WPS:  * Selected Registrar Config Methods (%x)",
608 		   methods);
609 	wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS);
610 	wpabuf_put_be16(msg, 2);
611 	wpabuf_put_be16(msg, methods);
612 	return 0;
613 }
614 
615 
616 static int wps_build_probe_config_methods(struct wps_registrar *reg,
617 					  struct wpabuf *msg)
618 {
619 	u16 methods;
620 	/*
621 	 * These are the methods that the AP supports as an Enrollee for adding
622 	 * external Registrars.
623 	 */
624 	methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
625 	methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
626 		     WPS_CONFIG_PHY_PUSHBUTTON);
627 	wpa_printf(MSG_DEBUG, "WPS:  * Config Methods (%x)", methods);
628 	wpabuf_put_be16(msg, ATTR_CONFIG_METHODS);
629 	wpabuf_put_be16(msg, 2);
630 	wpabuf_put_be16(msg, methods);
631 	return 0;
632 }
633 
634 
635 static int wps_build_config_methods_r(struct wps_registrar *reg,
636 				      struct wpabuf *msg)
637 {
638 	return wps_build_config_methods(msg, reg->wps->config_methods);
639 }
640 
641 
642 const u8 * wps_authorized_macs(struct wps_registrar *reg, size_t *count)
643 {
644 	*count = 0;
645 
646 	while (*count < WPS_MAX_AUTHORIZED_MACS) {
647 		if (is_zero_ether_addr(reg->authorized_macs_union[*count]))
648 			break;
649 		(*count)++;
650 	}
651 
652 	return (const u8 *) reg->authorized_macs_union;
653 }
654 
655 
656 /**
657  * wps_registrar_init - Initialize WPS Registrar data
658  * @wps: Pointer to longterm WPS context
659  * @cfg: Registrar configuration
660  * Returns: Pointer to allocated Registrar data or %NULL on failure
661  *
662  * This function is used to initialize WPS Registrar functionality. It can be
663  * used for a single Registrar run (e.g., when run in a supplicant) or multiple
664  * runs (e.g., when run as an internal Registrar in an AP). Caller is
665  * responsible for freeing the returned data with wps_registrar_deinit() when
666  * Registrar functionality is not needed anymore.
667  */
668 struct wps_registrar *
669 wps_registrar_init(struct wps_context *wps,
670 		   const struct wps_registrar_config *cfg)
671 {
672 	struct wps_registrar *reg = os_zalloc(sizeof(*reg));
673 	if (reg == NULL)
674 		return NULL;
675 
676 	dl_list_init(&reg->pins);
677 	dl_list_init(&reg->nfc_pw_tokens);
678 	reg->wps = wps;
679 	reg->new_psk_cb = cfg->new_psk_cb;
680 	reg->set_ie_cb = cfg->set_ie_cb;
681 	reg->pin_needed_cb = cfg->pin_needed_cb;
682 	reg->reg_success_cb = cfg->reg_success_cb;
683 	reg->set_sel_reg_cb = cfg->set_sel_reg_cb;
684 	reg->enrollee_seen_cb = cfg->enrollee_seen_cb;
685 	reg->lookup_pskfile_cb = cfg->lookup_pskfile_cb;
686 	reg->cb_ctx = cfg->cb_ctx;
687 	reg->skip_cred_build = cfg->skip_cred_build;
688 	if (cfg->extra_cred) {
689 		reg->extra_cred = wpabuf_alloc_copy(cfg->extra_cred,
690 						    cfg->extra_cred_len);
691 		if (reg->extra_cred == NULL) {
692 			os_free(reg);
693 			return NULL;
694 		}
695 	}
696 	reg->disable_auto_conf = cfg->disable_auto_conf;
697 	reg->sel_reg_dev_password_id_override = -1;
698 	reg->sel_reg_config_methods_override = -1;
699 	reg->dualband = cfg->dualband;
700 	reg->force_per_enrollee_psk = cfg->force_per_enrollee_psk;
701 
702 	if (cfg->multi_ap_backhaul_ssid) {
703 		os_memcpy(reg->multi_ap_backhaul_ssid,
704 			  cfg->multi_ap_backhaul_ssid,
705 			  cfg->multi_ap_backhaul_ssid_len);
706 		reg->multi_ap_backhaul_ssid_len =
707 			cfg->multi_ap_backhaul_ssid_len;
708 	}
709 	if (cfg->multi_ap_backhaul_network_key) {
710 		reg->multi_ap_backhaul_network_key =
711 			os_memdup(cfg->multi_ap_backhaul_network_key,
712 				  cfg->multi_ap_backhaul_network_key_len);
713 		if (reg->multi_ap_backhaul_network_key)
714 			reg->multi_ap_backhaul_network_key_len =
715 				cfg->multi_ap_backhaul_network_key_len;
716 	}
717 
718 	if (wps_set_ie(reg)) {
719 		wps_registrar_deinit(reg);
720 		return NULL;
721 	}
722 
723 	return reg;
724 }
725 
726 
727 void wps_registrar_flush(struct wps_registrar *reg)
728 {
729 	if (reg == NULL)
730 		return;
731 	wps_free_pins(&reg->pins);
732 	wps_free_nfc_pw_tokens(&reg->nfc_pw_tokens, 0);
733 	wps_free_pbc_sessions(reg->pbc_sessions);
734 	reg->pbc_sessions = NULL;
735 	wps_free_devices(reg->devices);
736 	reg->devices = NULL;
737 #ifdef WPS_WORKAROUNDS
738 	reg->pbc_ignore_start.sec = 0;
739 #endif /* WPS_WORKAROUNDS */
740 }
741 
742 
743 /**
744  * wps_registrar_deinit - Deinitialize WPS Registrar data
745  * @reg: Registrar data from wps_registrar_init()
746  */
747 void wps_registrar_deinit(struct wps_registrar *reg)
748 {
749 	if (reg == NULL)
750 		return;
751 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
752 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
753 	wps_registrar_flush(reg);
754 	wpabuf_clear_free(reg->extra_cred);
755 	bin_clear_free(reg->multi_ap_backhaul_network_key,
756 		       reg->multi_ap_backhaul_network_key_len);
757 	os_free(reg);
758 }
759 
760 
761 static void wps_registrar_invalidate_unused(struct wps_registrar *reg)
762 {
763 	struct wps_uuid_pin *pin;
764 
765 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
766 		if (pin->wildcard_uuid == 1 && !(pin->flags & PIN_LOCKED)) {
767 			wpa_printf(MSG_DEBUG, "WPS: Invalidate previously "
768 				   "configured wildcard PIN");
769 			wps_registrar_remove_pin(reg, pin);
770 			break;
771 		}
772 	}
773 }
774 
775 
776 /**
777  * wps_registrar_add_pin - Configure a new PIN for Registrar
778  * @reg: Registrar data from wps_registrar_init()
779  * @addr: Enrollee MAC address or %NULL if not known
780  * @uuid: UUID-E or %NULL for wildcard (any UUID)
781  * @pin: PIN (Device Password)
782  * @pin_len: Length of pin in octets
783  * @timeout: Time (in seconds) when the PIN will be invalidated; 0 = no timeout
784  * Returns: 0 on success, -1 on failure
785  */
786 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *addr,
787 			  const u8 *uuid, const u8 *pin, size_t pin_len,
788 			  int timeout)
789 {
790 	struct wps_uuid_pin *p;
791 
792 	p = os_zalloc(sizeof(*p));
793 	if (p == NULL)
794 		return -1;
795 	if (addr)
796 		os_memcpy(p->enrollee_addr, addr, ETH_ALEN);
797 	if (uuid == NULL)
798 		p->wildcard_uuid = 1;
799 	else
800 		os_memcpy(p->uuid, uuid, WPS_UUID_LEN);
801 	p->pin = os_memdup(pin, pin_len);
802 	if (p->pin == NULL) {
803 		os_free(p);
804 		return -1;
805 	}
806 	p->pin_len = pin_len;
807 
808 	if (timeout) {
809 		p->flags |= PIN_EXPIRES;
810 		os_get_reltime(&p->expiration);
811 		p->expiration.sec += timeout;
812 	}
813 
814 	if (p->wildcard_uuid)
815 		wps_registrar_invalidate_unused(reg);
816 
817 	dl_list_add(&reg->pins, &p->list);
818 
819 	wpa_printf(MSG_DEBUG, "WPS: A new PIN configured (timeout=%d)",
820 		   timeout);
821 	wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN);
822 	wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len);
823 	reg->selected_registrar = 1;
824 	reg->pbc = 0;
825 	if (addr)
826 		wps_registrar_add_authorized_mac(reg, addr);
827 	else
828 		wps_registrar_add_authorized_mac(
829 			reg, (u8 *) "\xff\xff\xff\xff\xff\xff");
830 	wps_registrar_selected_registrar_changed(reg, 0);
831 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
832 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0,
833 			       wps_registrar_set_selected_timeout,
834 			       reg, NULL);
835 
836 	return 0;
837 }
838 
839 
840 static void wps_registrar_remove_pin(struct wps_registrar *reg,
841 				     struct wps_uuid_pin *pin)
842 {
843 	u8 *addr;
844 	u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
845 
846 	if (is_zero_ether_addr(pin->enrollee_addr))
847 		addr = bcast;
848 	else
849 		addr = pin->enrollee_addr;
850 	wps_registrar_remove_authorized_mac(reg, addr);
851 	wps_remove_pin(pin);
852 	wps_registrar_selected_registrar_changed(reg, 0);
853 }
854 
855 
856 static void wps_registrar_expire_pins(struct wps_registrar *reg)
857 {
858 	struct wps_uuid_pin *pin, *prev;
859 	struct os_reltime now;
860 
861 	os_get_reltime(&now);
862 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
863 	{
864 		if ((pin->flags & PIN_EXPIRES) &&
865 		    os_reltime_before(&pin->expiration, &now)) {
866 			wpa_hexdump(MSG_DEBUG, "WPS: Expired PIN for UUID",
867 				    pin->uuid, WPS_UUID_LEN);
868 			wps_registrar_remove_pin(reg, pin);
869 		}
870 	}
871 }
872 
873 
874 /**
875  * wps_registrar_invalidate_wildcard_pin - Invalidate a wildcard PIN
876  * @reg: Registrar data from wps_registrar_init()
877  * @dev_pw: PIN to search for or %NULL to match any
878  * @dev_pw_len: Length of dev_pw in octets
879  * Returns: 0 on success, -1 if not wildcard PIN is enabled
880  */
881 static int wps_registrar_invalidate_wildcard_pin(struct wps_registrar *reg,
882 						 const u8 *dev_pw,
883 						 size_t dev_pw_len)
884 {
885 	struct wps_uuid_pin *pin, *prev;
886 
887 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
888 	{
889 		if (dev_pw && pin->pin &&
890 		    (dev_pw_len != pin->pin_len ||
891 		     os_memcmp_const(dev_pw, pin->pin, dev_pw_len) != 0))
892 			continue; /* different PIN */
893 		if (pin->wildcard_uuid) {
894 			wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
895 				    pin->uuid, WPS_UUID_LEN);
896 			wps_registrar_remove_pin(reg, pin);
897 			return 0;
898 		}
899 	}
900 
901 	return -1;
902 }
903 
904 
905 /**
906  * wps_registrar_invalidate_pin - Invalidate a PIN for a specific UUID-E
907  * @reg: Registrar data from wps_registrar_init()
908  * @uuid: UUID-E
909  * Returns: 0 on success, -1 on failure (e.g., PIN not found)
910  */
911 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid)
912 {
913 	struct wps_uuid_pin *pin, *prev;
914 
915 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
916 	{
917 		if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
918 			wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
919 				    pin->uuid, WPS_UUID_LEN);
920 			wps_registrar_remove_pin(reg, pin);
921 			return 0;
922 		}
923 	}
924 
925 	return -1;
926 }
927 
928 
929 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
930 					const u8 *uuid, size_t *pin_len)
931 {
932 	struct wps_uuid_pin *pin, *found = NULL;
933 	int wildcard = 0;
934 
935 	wps_registrar_expire_pins(reg);
936 
937 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
938 		if (!pin->wildcard_uuid &&
939 		    os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
940 			found = pin;
941 			break;
942 		}
943 	}
944 
945 	if (!found) {
946 		/* Check for wildcard UUIDs since none of the UUID-specific
947 		 * PINs matched */
948 		dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
949 			if (pin->wildcard_uuid == 1 ||
950 			    pin->wildcard_uuid == 2) {
951 				wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
952 					   "PIN. Assigned it for this UUID-E");
953 				wildcard = 1;
954 				os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
955 				found = pin;
956 				break;
957 			}
958 		}
959 	}
960 
961 	if (!found)
962 		return NULL;
963 
964 	/*
965 	 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN
966 	 * that could otherwise avoid PIN invalidations.
967 	 */
968 	if (found->flags & PIN_LOCKED) {
969 		wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not "
970 			   "allow concurrent re-use");
971 		return NULL;
972 	}
973 	*pin_len = found->pin_len;
974 	found->flags |= PIN_LOCKED;
975 	if (wildcard)
976 		found->wildcard_uuid++;
977 	return found->pin;
978 }
979 
980 
981 /**
982  * wps_registrar_unlock_pin - Unlock a PIN for a specific UUID-E
983  * @reg: Registrar data from wps_registrar_init()
984  * @uuid: UUID-E
985  * Returns: 0 on success, -1 on failure
986  *
987  * PINs are locked to enforce only one concurrent use. This function unlocks a
988  * PIN to allow it to be used again. If the specified PIN was configured using
989  * a wildcard UUID, it will be removed instead of allowing multiple uses.
990  */
991 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
992 {
993 	struct wps_uuid_pin *pin;
994 
995 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
996 		if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
997 			if (pin->wildcard_uuid == 3) {
998 				wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
999 					   "wildcard PIN");
1000 				return wps_registrar_invalidate_pin(reg, uuid);
1001 			}
1002 			pin->flags &= ~PIN_LOCKED;
1003 			return 0;
1004 		}
1005 	}
1006 
1007 	return -1;
1008 }
1009 
1010 
1011 static void wps_registrar_stop_pbc(struct wps_registrar *reg)
1012 {
1013 	reg->selected_registrar = 0;
1014 	reg->pbc = 0;
1015 	os_memset(reg->p2p_dev_addr, 0, ETH_ALEN);
1016 	wps_registrar_remove_authorized_mac(reg,
1017 					    (u8 *) "\xff\xff\xff\xff\xff\xff");
1018 	wps_registrar_selected_registrar_changed(reg, 0);
1019 }
1020 
1021 
1022 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx)
1023 {
1024 	struct wps_registrar *reg = eloop_ctx;
1025 
1026 	wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode");
1027 	wps_pbc_timeout_event(reg->wps);
1028 	wps_registrar_stop_pbc(reg);
1029 }
1030 
1031 
1032 /**
1033  * wps_registrar_button_pushed - Notify Registrar that AP button was pushed
1034  * @reg: Registrar data from wps_registrar_init()
1035  * @p2p_dev_addr: Limit allowed PBC devices to the specified P2P device, %NULL
1036  *	indicates no such filtering
1037  * Returns: 0 on success, -1 on failure, -2 on session overlap
1038  *
1039  * This function is called on an AP when a push button is pushed to activate
1040  * PBC mode. The PBC mode will be stopped after walk time (2 minutes) timeout
1041  * or when a PBC registration is completed. If more than one Enrollee in active
1042  * PBC mode has been detected during the monitor time (previous 2 minutes), the
1043  * PBC mode is not activated and -2 is returned to indicate session overlap.
1044  * This is skipped if a specific Enrollee is selected.
1045  */
1046 int wps_registrar_button_pushed(struct wps_registrar *reg,
1047 				const u8 *p2p_dev_addr)
1048 {
1049 	if (p2p_dev_addr == NULL &&
1050 	    wps_registrar_pbc_overlap(reg, NULL, NULL)) {
1051 		wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC "
1052 			   "mode");
1053 		wps_pbc_overlap_event(reg->wps);
1054 		return -2;
1055 	}
1056 	wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started");
1057 	reg->force_pbc_overlap = 0;
1058 	reg->selected_registrar = 1;
1059 	reg->pbc = 1;
1060 	if (p2p_dev_addr)
1061 		os_memcpy(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
1062 	else
1063 		os_memset(reg->p2p_dev_addr, 0, ETH_ALEN);
1064 	wps_registrar_add_authorized_mac(reg,
1065 					 (u8 *) "\xff\xff\xff\xff\xff\xff");
1066 	wps_registrar_selected_registrar_changed(reg, 0);
1067 
1068 	wps_pbc_active_event(reg->wps);
1069 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
1070 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
1071 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout,
1072 			       reg, NULL);
1073 	return 0;
1074 }
1075 
1076 
1077 static void wps_registrar_pbc_completed(struct wps_registrar *reg)
1078 {
1079 	wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode");
1080 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
1081 	wps_registrar_stop_pbc(reg);
1082 	wps_pbc_disable_event(reg->wps);
1083 }
1084 
1085 
1086 static void wps_registrar_pin_completed(struct wps_registrar *reg)
1087 {
1088 	wpa_printf(MSG_DEBUG, "WPS: PIN completed using internal Registrar");
1089 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
1090 	reg->selected_registrar = 0;
1091 	wps_registrar_selected_registrar_changed(reg, 0);
1092 }
1093 
1094 
1095 void wps_registrar_complete(struct wps_registrar *registrar, const u8 *uuid_e,
1096 			    const u8 *dev_pw, size_t dev_pw_len)
1097 {
1098 	if (registrar->pbc) {
1099 		wps_registrar_remove_pbc_session(registrar,
1100 						 uuid_e, NULL);
1101 		wps_registrar_pbc_completed(registrar);
1102 #ifdef WPS_WORKAROUNDS
1103 		os_get_reltime(&registrar->pbc_ignore_start);
1104 #endif /* WPS_WORKAROUNDS */
1105 		os_memcpy(registrar->pbc_ignore_uuid, uuid_e, WPS_UUID_LEN);
1106 	} else {
1107 		wps_registrar_pin_completed(registrar);
1108 	}
1109 
1110 	if (dev_pw &&
1111 	    wps_registrar_invalidate_wildcard_pin(registrar, dev_pw,
1112 						  dev_pw_len) == 0) {
1113 		wpa_hexdump_key(MSG_DEBUG, "WPS: Invalidated wildcard PIN",
1114 				dev_pw, dev_pw_len);
1115 	}
1116 }
1117 
1118 
1119 int wps_registrar_wps_cancel(struct wps_registrar *reg)
1120 {
1121 	if (reg->pbc) {
1122 		wpa_printf(MSG_DEBUG, "WPS: PBC is set - cancelling it");
1123 		wps_registrar_pbc_timeout(reg, NULL);
1124 		eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
1125 		return 1;
1126 	} else if (reg->selected_registrar) {
1127 		/* PIN Method */
1128 		wpa_printf(MSG_DEBUG, "WPS: PIN is set - cancelling it");
1129 		wps_registrar_pin_completed(reg);
1130 		wps_registrar_invalidate_wildcard_pin(reg, NULL, 0);
1131 		return 1;
1132 	}
1133 	return 0;
1134 }
1135 
1136 
1137 /**
1138  * wps_registrar_probe_req_rx - Notify Registrar of Probe Request
1139  * @reg: Registrar data from wps_registrar_init()
1140  * @addr: MAC address of the Probe Request sender
1141  * @wps_data: WPS IE contents
1142  *
1143  * This function is called on an AP when a Probe Request with WPS IE is
1144  * received. This is used to track PBC mode use and to detect possible overlap
1145  * situation with other WPS APs.
1146  */
1147 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
1148 				const struct wpabuf *wps_data,
1149 				int p2p_wildcard)
1150 {
1151 	struct wps_parse_attr attr;
1152 	int skip_add = 0;
1153 
1154 	wpa_hexdump_buf(MSG_MSGDUMP,
1155 			"WPS: Probe Request with WPS data received",
1156 			wps_data);
1157 
1158 	if (wps_parse_msg(wps_data, &attr) < 0)
1159 		return;
1160 
1161 	if (attr.config_methods == NULL) {
1162 		wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in "
1163 			   "Probe Request");
1164 		return;
1165 	}
1166 
1167 	if (attr.dev_password_id == NULL) {
1168 		wpa_printf(MSG_DEBUG, "WPS: No Device Password Id attribute "
1169 			   "in Probe Request");
1170 		return;
1171 	}
1172 
1173 	if (reg->enrollee_seen_cb && attr.uuid_e &&
1174 	    attr.primary_dev_type && attr.request_type && !p2p_wildcard) {
1175 		char *dev_name = NULL;
1176 		if (attr.dev_name) {
1177 			dev_name = os_zalloc(attr.dev_name_len + 1);
1178 			if (dev_name) {
1179 				os_memcpy(dev_name, attr.dev_name,
1180 					  attr.dev_name_len);
1181 			}
1182 		}
1183 		reg->enrollee_seen_cb(reg->cb_ctx, addr, attr.uuid_e,
1184 				      attr.primary_dev_type,
1185 				      WPA_GET_BE16(attr.config_methods),
1186 				      WPA_GET_BE16(attr.dev_password_id),
1187 				      *attr.request_type, dev_name);
1188 		os_free(dev_name);
1189 	}
1190 
1191 	if (WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
1192 		return; /* Not PBC */
1193 
1194 	wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
1195 		   MACSTR, MAC2STR(addr));
1196 	if (attr.uuid_e == NULL) {
1197 		wpa_printf(MSG_DEBUG, "WPS: Invalid Probe Request WPS IE: No "
1198 			   "UUID-E included");
1199 		return;
1200 	}
1201 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-E from Probe Request", attr.uuid_e,
1202 		    WPS_UUID_LEN);
1203 
1204 #ifdef WPS_WORKAROUNDS
1205 	if (reg->pbc_ignore_start.sec &&
1206 	    os_memcmp(attr.uuid_e, reg->pbc_ignore_uuid, WPS_UUID_LEN) == 0) {
1207 		struct os_reltime now, dur;
1208 		os_get_reltime(&now);
1209 		os_reltime_sub(&now, &reg->pbc_ignore_start, &dur);
1210 		if (dur.sec >= 0 && dur.sec < 5) {
1211 			wpa_printf(MSG_DEBUG, "WPS: Ignore PBC activation "
1212 				   "based on Probe Request from the Enrollee "
1213 				   "that just completed PBC provisioning");
1214 			skip_add = 1;
1215 		} else
1216 			reg->pbc_ignore_start.sec = 0;
1217 	}
1218 #endif /* WPS_WORKAROUNDS */
1219 
1220 	if (!skip_add)
1221 		wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
1222 	if (wps_registrar_pbc_overlap(reg, addr, attr.uuid_e)) {
1223 		wpa_printf(MSG_DEBUG, "WPS: PBC session overlap detected");
1224 		reg->force_pbc_overlap = 1;
1225 		wps_pbc_overlap_event(reg->wps);
1226 	}
1227 }
1228 
1229 
1230 int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr,
1231 		   const u8 *p2p_dev_addr, const u8 *psk, size_t psk_len)
1232 {
1233 	if (reg->new_psk_cb == NULL)
1234 		return 0;
1235 
1236 	return reg->new_psk_cb(reg->cb_ctx, mac_addr, p2p_dev_addr, psk,
1237 			       psk_len);
1238 }
1239 
1240 
1241 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e,
1242 			      const struct wps_device_data *dev)
1243 {
1244 	if (reg->pin_needed_cb == NULL)
1245 		return;
1246 
1247 	reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev);
1248 }
1249 
1250 
1251 static void wps_cb_reg_success(struct wps_registrar *reg, const u8 *mac_addr,
1252 			       const u8 *uuid_e, const u8 *dev_pw,
1253 			       size_t dev_pw_len)
1254 {
1255 	if (reg->reg_success_cb == NULL)
1256 		return;
1257 
1258 	reg->reg_success_cb(reg->cb_ctx, mac_addr, uuid_e, dev_pw, dev_pw_len);
1259 }
1260 
1261 
1262 static int wps_cb_set_ie(struct wps_registrar *reg, struct wpabuf *beacon_ie,
1263 			 struct wpabuf *probe_resp_ie)
1264 {
1265 	return reg->set_ie_cb(reg->cb_ctx, beacon_ie, probe_resp_ie);
1266 }
1267 
1268 
1269 static void wps_cb_set_sel_reg(struct wps_registrar *reg)
1270 {
1271 	u16 methods = 0;
1272 	if (reg->set_sel_reg_cb == NULL)
1273 		return;
1274 
1275 	if (reg->selected_registrar) {
1276 		methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
1277 		methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
1278 			     WPS_CONFIG_PHY_PUSHBUTTON);
1279 		if (reg->pbc)
1280 			wps_set_pushbutton(&methods, reg->wps->config_methods);
1281 	}
1282 
1283 	wpa_printf(MSG_DEBUG, "WPS: wps_cb_set_sel_reg: sel_reg=%d "
1284 		   "config_methods=0x%x pbc=%d methods=0x%x",
1285 		   reg->selected_registrar, reg->wps->config_methods,
1286 		   reg->pbc, methods);
1287 
1288 	reg->set_sel_reg_cb(reg->cb_ctx, reg->selected_registrar,
1289 			    reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT,
1290 			    methods);
1291 }
1292 
1293 
1294 static int wps_cp_lookup_pskfile(struct wps_registrar *reg, const u8 *mac_addr,
1295 				 const u8 **psk)
1296 {
1297 	if (!reg->lookup_pskfile_cb)
1298 		return 0;
1299 	return reg->lookup_pskfile_cb(reg->cb_ctx, mac_addr, psk);
1300 }
1301 
1302 
1303 static int wps_set_ie(struct wps_registrar *reg)
1304 {
1305 	struct wpabuf *beacon;
1306 	struct wpabuf *probe;
1307 	const u8 *auth_macs;
1308 	size_t count;
1309 	size_t vendor_len = 0;
1310 	int i;
1311 
1312 	if (reg->set_ie_cb == NULL)
1313 		return 0;
1314 
1315 	for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) {
1316 		if (reg->wps->dev.vendor_ext[i]) {
1317 			vendor_len += 2 + 2;
1318 			vendor_len += wpabuf_len(reg->wps->dev.vendor_ext[i]);
1319 		}
1320 	}
1321 
1322 	beacon = wpabuf_alloc(400 + vendor_len);
1323 	probe = wpabuf_alloc(500 + vendor_len);
1324 	if (!beacon || !probe)
1325 		goto fail;
1326 
1327 	auth_macs = wps_authorized_macs(reg, &count);
1328 
1329 	wpa_printf(MSG_DEBUG, "WPS: Build Beacon IEs");
1330 
1331 	if (wps_build_version(beacon) ||
1332 	    wps_build_wps_state(reg->wps, beacon) ||
1333 	    wps_build_ap_setup_locked(reg->wps, beacon) ||
1334 	    wps_build_selected_registrar(reg, beacon) ||
1335 	    wps_build_sel_reg_dev_password_id(reg, beacon) ||
1336 	    wps_build_sel_reg_config_methods(reg, beacon) ||
1337 	    wps_build_sel_pbc_reg_uuid_e(reg, beacon) ||
1338 	    (reg->dualband && wps_build_rf_bands(&reg->wps->dev, beacon, 0)) ||
1339 	    wps_build_wfa_ext(beacon, 0, auth_macs, count, 0) ||
1340 	    wps_build_vendor_ext(&reg->wps->dev, beacon) ||
1341 	    wps_build_application_ext(&reg->wps->dev, beacon))
1342 		goto fail;
1343 
1344 #ifdef CONFIG_P2P
1345 	if (wps_build_dev_name(&reg->wps->dev, beacon) ||
1346 	    wps_build_primary_dev_type(&reg->wps->dev, beacon))
1347 		goto fail;
1348 #endif /* CONFIG_P2P */
1349 
1350 	wpa_printf(MSG_DEBUG, "WPS: Build Probe Response IEs");
1351 
1352 	if (wps_build_version(probe) ||
1353 	    wps_build_wps_state(reg->wps, probe) ||
1354 	    wps_build_ap_setup_locked(reg->wps, probe) ||
1355 	    wps_build_selected_registrar(reg, probe) ||
1356 	    wps_build_sel_reg_dev_password_id(reg, probe) ||
1357 	    wps_build_sel_reg_config_methods(reg, probe) ||
1358 	    wps_build_resp_type(probe, reg->wps->ap ? WPS_RESP_AP :
1359 				WPS_RESP_REGISTRAR) ||
1360 	    wps_build_uuid_e(probe, reg->wps->uuid) ||
1361 	    wps_build_device_attrs(&reg->wps->dev, probe) ||
1362 	    wps_build_probe_config_methods(reg, probe) ||
1363 	    (reg->dualband && wps_build_rf_bands(&reg->wps->dev, probe, 0)) ||
1364 	    wps_build_wfa_ext(probe, 0, auth_macs, count, 0) ||
1365 	    wps_build_vendor_ext(&reg->wps->dev, probe) ||
1366 	    wps_build_application_ext(&reg->wps->dev, probe))
1367 		goto fail;
1368 
1369 	beacon = wps_ie_encapsulate(beacon);
1370 	probe = wps_ie_encapsulate(probe);
1371 
1372 	if (!beacon || !probe)
1373 		goto fail;
1374 
1375 	return wps_cb_set_ie(reg, beacon, probe);
1376 fail:
1377 	wpabuf_free(beacon);
1378 	wpabuf_free(probe);
1379 	return -1;
1380 }
1381 
1382 
1383 static int wps_get_dev_password(struct wps_data *wps)
1384 {
1385 	const u8 *pin;
1386 	size_t pin_len = 0;
1387 
1388 	bin_clear_free(wps->dev_password, wps->dev_password_len);
1389 	wps->dev_password = NULL;
1390 
1391 	if (wps->pbc) {
1392 		wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC");
1393 		pin = (const u8 *) "00000000";
1394 		pin_len = 8;
1395 #ifdef CONFIG_WPS_NFC
1396 	} else if (wps->nfc_pw_token) {
1397 		if (wps->nfc_pw_token->pw_id == DEV_PW_NFC_CONNECTION_HANDOVER)
1398 		{
1399 			wpa_printf(MSG_DEBUG, "WPS: Using NFC connection "
1400 				   "handover and abbreviated WPS handshake "
1401 				   "without Device Password");
1402 			return 0;
1403 		}
1404 		wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from NFC "
1405 			   "Password Token");
1406 		pin = wps->nfc_pw_token->dev_pw;
1407 		pin_len = wps->nfc_pw_token->dev_pw_len;
1408 	} else if (wps->dev_pw_id >= 0x10 &&
1409 		   wps->wps->ap_nfc_dev_pw_id == wps->dev_pw_id &&
1410 		   wps->wps->ap_nfc_dev_pw) {
1411 		wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from own NFC Password Token");
1412 		pin = wpabuf_head(wps->wps->ap_nfc_dev_pw);
1413 		pin_len = wpabuf_len(wps->wps->ap_nfc_dev_pw);
1414 #endif /* CONFIG_WPS_NFC */
1415 	} else {
1416 		pin = wps_registrar_get_pin(wps->wps->registrar, wps->uuid_e,
1417 					    &pin_len);
1418 		if (pin && wps->dev_pw_id >= 0x10) {
1419 			wpa_printf(MSG_DEBUG, "WPS: No match for OOB Device "
1420 				   "Password ID, but PIN found");
1421 			/*
1422 			 * See whether Enrollee is willing to use PIN instead.
1423 			 */
1424 			wps->dev_pw_id = DEV_PW_DEFAULT;
1425 		}
1426 	}
1427 	if (pin == NULL) {
1428 		wpa_printf(MSG_DEBUG, "WPS: No Device Password available for "
1429 			   "the Enrollee (context %p registrar %p)",
1430 			   wps->wps, wps->wps->registrar);
1431 		wps_cb_pin_needed(wps->wps->registrar, wps->uuid_e,
1432 				  &wps->peer_dev);
1433 		return -1;
1434 	}
1435 
1436 	wps->dev_password = os_memdup(pin, pin_len);
1437 	if (wps->dev_password == NULL)
1438 		return -1;
1439 	wps->dev_password_len = pin_len;
1440 
1441 	return 0;
1442 }
1443 
1444 
1445 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg)
1446 {
1447 	wpa_printf(MSG_DEBUG, "WPS:  * UUID-R");
1448 	wpabuf_put_be16(msg, ATTR_UUID_R);
1449 	wpabuf_put_be16(msg, WPS_UUID_LEN);
1450 	wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN);
1451 	return 0;
1452 }
1453 
1454 
1455 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg)
1456 {
1457 	u8 *hash;
1458 	const u8 *addr[4];
1459 	size_t len[4];
1460 
1461 	if (random_get_bytes(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0)
1462 		return -1;
1463 	wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN);
1464 	wpa_hexdump(MSG_DEBUG, "WPS: R-S2",
1465 		    wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN);
1466 
1467 	if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) {
1468 		wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for "
1469 			   "R-Hash derivation");
1470 		return -1;
1471 	}
1472 
1473 	wpa_printf(MSG_DEBUG, "WPS:  * R-Hash1");
1474 	wpabuf_put_be16(msg, ATTR_R_HASH1);
1475 	wpabuf_put_be16(msg, SHA256_MAC_LEN);
1476 	hash = wpabuf_put(msg, SHA256_MAC_LEN);
1477 	/* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */
1478 	addr[0] = wps->snonce;
1479 	len[0] = WPS_SECRET_NONCE_LEN;
1480 	addr[1] = wps->psk1;
1481 	len[1] = WPS_PSK_LEN;
1482 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
1483 	len[2] = wpabuf_len(wps->dh_pubkey_e);
1484 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
1485 	len[3] = wpabuf_len(wps->dh_pubkey_r);
1486 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1487 	wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN);
1488 
1489 	wpa_printf(MSG_DEBUG, "WPS:  * R-Hash2");
1490 	wpabuf_put_be16(msg, ATTR_R_HASH2);
1491 	wpabuf_put_be16(msg, SHA256_MAC_LEN);
1492 	hash = wpabuf_put(msg, SHA256_MAC_LEN);
1493 	/* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */
1494 	addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN;
1495 	addr[1] = wps->psk2;
1496 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1497 	wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN);
1498 
1499 	return 0;
1500 }
1501 
1502 
1503 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg)
1504 {
1505 	wpa_printf(MSG_DEBUG, "WPS:  * R-SNonce1");
1506 	wpabuf_put_be16(msg, ATTR_R_SNONCE1);
1507 	wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
1508 	wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN);
1509 	return 0;
1510 }
1511 
1512 
1513 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg)
1514 {
1515 	wpa_printf(MSG_DEBUG, "WPS:  * R-SNonce2");
1516 	wpabuf_put_be16(msg, ATTR_R_SNONCE2);
1517 	wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
1518 	wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN,
1519 			WPS_SECRET_NONCE_LEN);
1520 	return 0;
1521 }
1522 
1523 
1524 static int wps_build_cred_network_idx(struct wpabuf *msg,
1525 				      const struct wps_credential *cred)
1526 {
1527 	wpa_printf(MSG_DEBUG, "WPS:  * Network Index (1)");
1528 	wpabuf_put_be16(msg, ATTR_NETWORK_INDEX);
1529 	wpabuf_put_be16(msg, 1);
1530 	wpabuf_put_u8(msg, 1);
1531 	return 0;
1532 }
1533 
1534 
1535 static int wps_build_cred_ssid(struct wpabuf *msg,
1536 			       const struct wps_credential *cred)
1537 {
1538 	wpa_printf(MSG_DEBUG, "WPS:  * SSID");
1539 	wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID for Credential",
1540 			  cred->ssid, cred->ssid_len);
1541 	wpabuf_put_be16(msg, ATTR_SSID);
1542 	wpabuf_put_be16(msg, cred->ssid_len);
1543 	wpabuf_put_data(msg, cred->ssid, cred->ssid_len);
1544 	return 0;
1545 }
1546 
1547 
1548 static int wps_build_cred_auth_type(struct wpabuf *msg,
1549 				    const struct wps_credential *cred)
1550 {
1551 	wpa_printf(MSG_DEBUG, "WPS:  * Authentication Type (0x%x)",
1552 		   cred->auth_type);
1553 	wpabuf_put_be16(msg, ATTR_AUTH_TYPE);
1554 	wpabuf_put_be16(msg, 2);
1555 	wpabuf_put_be16(msg, cred->auth_type);
1556 	return 0;
1557 }
1558 
1559 
1560 static int wps_build_cred_encr_type(struct wpabuf *msg,
1561 				    const struct wps_credential *cred)
1562 {
1563 	wpa_printf(MSG_DEBUG, "WPS:  * Encryption Type (0x%x)",
1564 		   cred->encr_type);
1565 	wpabuf_put_be16(msg, ATTR_ENCR_TYPE);
1566 	wpabuf_put_be16(msg, 2);
1567 	wpabuf_put_be16(msg, cred->encr_type);
1568 	return 0;
1569 }
1570 
1571 
1572 static int wps_build_cred_network_key(struct wpabuf *msg,
1573 				      const struct wps_credential *cred)
1574 {
1575 	wpa_printf(MSG_DEBUG, "WPS:  * Network Key (len=%d)",
1576 		   (int) cred->key_len);
1577 	wpa_hexdump_key(MSG_DEBUG, "WPS: Network Key",
1578 			cred->key, cred->key_len);
1579 	wpabuf_put_be16(msg, ATTR_NETWORK_KEY);
1580 	wpabuf_put_be16(msg, cred->key_len);
1581 	wpabuf_put_data(msg, cred->key, cred->key_len);
1582 	return 0;
1583 }
1584 
1585 
1586 static int wps_build_credential(struct wpabuf *msg,
1587 				const struct wps_credential *cred)
1588 {
1589 	if (wps_build_cred_network_idx(msg, cred) ||
1590 	    wps_build_cred_ssid(msg, cred) ||
1591 	    wps_build_cred_auth_type(msg, cred) ||
1592 	    wps_build_cred_encr_type(msg, cred) ||
1593 	    wps_build_cred_network_key(msg, cred) ||
1594 	    wps_build_mac_addr(msg, cred->mac_addr))
1595 		return -1;
1596 	return 0;
1597 }
1598 
1599 
1600 int wps_build_credential_wrap(struct wpabuf *msg,
1601 			      const struct wps_credential *cred)
1602 {
1603 	struct wpabuf *wbuf;
1604 	wbuf = wpabuf_alloc(200);
1605 	if (wbuf == NULL)
1606 		return -1;
1607 	if (wps_build_credential(wbuf, cred)) {
1608 		wpabuf_clear_free(wbuf);
1609 		return -1;
1610 	}
1611 	wpabuf_put_be16(msg, ATTR_CRED);
1612 	wpabuf_put_be16(msg, wpabuf_len(wbuf));
1613 	wpabuf_put_buf(msg, wbuf);
1614 	wpabuf_clear_free(wbuf);
1615 	return 0;
1616 }
1617 
1618 
1619 int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
1620 {
1621 	struct wpabuf *cred;
1622 	struct wps_registrar *reg = wps->wps->registrar;
1623 	const u8 *pskfile_psk;
1624 	char hex[65];
1625 
1626 	if (wps->wps->registrar->skip_cred_build)
1627 		goto skip_cred_build;
1628 
1629 	wpa_printf(MSG_DEBUG, "WPS:  * Credential");
1630 	if (wps->use_cred) {
1631 		os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred));
1632 		goto use_provided;
1633 	}
1634 	os_memset(&wps->cred, 0, sizeof(wps->cred));
1635 
1636 	if (wps->peer_dev.multi_ap_ext == MULTI_AP_BACKHAUL_STA &&
1637 	    reg->multi_ap_backhaul_ssid_len) {
1638 		wpa_printf(MSG_DEBUG, "WPS: Use backhaul STA credentials");
1639 		os_memcpy(wps->cred.ssid, reg->multi_ap_backhaul_ssid,
1640 			  reg->multi_ap_backhaul_ssid_len);
1641 		wps->cred.ssid_len = reg->multi_ap_backhaul_ssid_len;
1642 		/* Backhaul is always WPA2PSK */
1643 		wps->cred.auth_type = WPS_AUTH_WPA2PSK;
1644 		wps->cred.encr_type = WPS_ENCR_AES;
1645 		/* Set MAC address in the Credential to be the Enrollee's MAC
1646 		 * address
1647 		 */
1648 		os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
1649 		if (reg->multi_ap_backhaul_network_key) {
1650 			os_memcpy(wps->cred.key,
1651 				  reg->multi_ap_backhaul_network_key,
1652 				  reg->multi_ap_backhaul_network_key_len);
1653 			wps->cred.key_len =
1654 				reg->multi_ap_backhaul_network_key_len;
1655 		}
1656 		goto use_provided;
1657 	}
1658 
1659 	os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
1660 	wps->cred.ssid_len = wps->wps->ssid_len;
1661 
1662 	/* Select the best authentication and encryption type */
1663 	wpa_printf(MSG_DEBUG,
1664 		   "WPS: Own auth types 0x%x - masked Enrollee auth types 0x%x",
1665 		   wps->wps->auth_types, wps->auth_type);
1666 	if (wps->auth_type & WPS_AUTH_WPA2PSK)
1667 		wps->auth_type = WPS_AUTH_WPA2PSK;
1668 #ifndef CONFIG_NO_TKIP
1669 	else if (wps->auth_type & WPS_AUTH_WPAPSK)
1670 		wps->auth_type = WPS_AUTH_WPAPSK;
1671 #endif /* CONFIG_NO_TKIP */
1672 	else if (wps->auth_type & WPS_AUTH_OPEN)
1673 		wps->auth_type = WPS_AUTH_OPEN;
1674 	else {
1675 		wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x",
1676 			   wps->auth_type);
1677 		return -1;
1678 	}
1679 	wps->cred.auth_type = wps->auth_type;
1680 
1681 	wpa_printf(MSG_DEBUG,
1682 		   "WPS: Own encr types 0x%x (rsn: 0x%x, wpa: 0x%x) - masked Enrollee encr types 0x%x",
1683 		   wps->wps->encr_types, wps->wps->encr_types_rsn,
1684 		   wps->wps->encr_types_wpa, wps->encr_type);
1685 	if (wps->wps->ap && wps->auth_type == WPS_AUTH_WPA2PSK)
1686 		wps->encr_type &= wps->wps->encr_types_rsn;
1687 	else if (wps->wps->ap && wps->auth_type == WPS_AUTH_WPAPSK)
1688 		wps->encr_type &= wps->wps->encr_types_wpa;
1689 	if (wps->auth_type == WPS_AUTH_WPA2PSK ||
1690 	    wps->auth_type == WPS_AUTH_WPAPSK) {
1691 		if (wps->encr_type & WPS_ENCR_AES)
1692 			wps->encr_type = WPS_ENCR_AES;
1693 #ifndef CONFIG_NO_TKIP
1694 		else if (wps->encr_type & WPS_ENCR_TKIP)
1695 			wps->encr_type = WPS_ENCR_TKIP;
1696 #endif /* CONFIG_NO_TKIP */
1697 		else {
1698 			wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
1699 				   "type for WPA/WPA2");
1700 			return -1;
1701 		}
1702 	} else {
1703 		if (wps->encr_type & WPS_ENCR_NONE)
1704 			wps->encr_type = WPS_ENCR_NONE;
1705 #ifdef CONFIG_TESTING_OPTIONS
1706 		else if (wps->encr_type & WPS_ENCR_WEP)
1707 			wps->encr_type = WPS_ENCR_WEP;
1708 #endif /* CONFIG_TESTING_OPTIONS */
1709 		else {
1710 			wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
1711 				   "type for non-WPA/WPA2 mode");
1712 			return -1;
1713 		}
1714 	}
1715 	wps->cred.encr_type = wps->encr_type;
1716 	/*
1717 	 * Set MAC address in the Credential to be the Enrollee's MAC address
1718 	 */
1719 	os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
1720 
1721 	if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap &&
1722 	    !wps->wps->registrar->disable_auto_conf) {
1723 		u8 r[16];
1724 		/* Generate a random passphrase */
1725 		if (random_pool_ready() != 1 ||
1726 		    random_get_bytes(r, sizeof(r)) < 0) {
1727 			wpa_printf(MSG_INFO,
1728 				   "WPS: Could not generate random PSK");
1729 			return -1;
1730 		}
1731 		os_free(wps->new_psk);
1732 		wps->new_psk = (u8 *) base64_encode(r, sizeof(r),
1733 						    &wps->new_psk_len);
1734 		if (wps->new_psk == NULL)
1735 			return -1;
1736 		wps->new_psk_len--; /* remove newline */
1737 		while (wps->new_psk_len &&
1738 		       wps->new_psk[wps->new_psk_len - 1] == '=')
1739 			wps->new_psk_len--;
1740 		wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase",
1741 				      wps->new_psk, wps->new_psk_len);
1742 		os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len);
1743 		wps->cred.key_len = wps->new_psk_len;
1744 	} else if (wps_cp_lookup_pskfile(reg, wps->mac_addr_e, &pskfile_psk)) {
1745 		wpa_hexdump_key(MSG_DEBUG, "WPS: Use PSK from wpa_psk_file",
1746 				pskfile_psk, PMK_LEN);
1747 		wpa_snprintf_hex(hex, sizeof(hex), pskfile_psk, PMK_LEN);
1748 		os_memcpy(wps->cred.key, hex, PMK_LEN * 2);
1749 		wps->cred.key_len = PMK_LEN * 2;
1750 	} else if (!wps->wps->registrar->force_per_enrollee_psk &&
1751 		   wps->use_psk_key && wps->wps->psk_set) {
1752 		wpa_printf(MSG_DEBUG, "WPS: Use PSK format for Network Key");
1753 		wpa_snprintf_hex(hex, sizeof(hex), wps->wps->psk, PMK_LEN);
1754 		os_memcpy(wps->cred.key, hex, PMK_LEN * 2);
1755 		wps->cred.key_len = PMK_LEN * 2;
1756 	} else if ((!wps->wps->registrar->force_per_enrollee_psk ||
1757 		    wps->wps->use_passphrase) && wps->wps->network_key) {
1758 		wpa_printf(MSG_DEBUG,
1759 			   "WPS: Use passphrase format for Network key");
1760 		os_memcpy(wps->cred.key, wps->wps->network_key,
1761 			  wps->wps->network_key_len);
1762 		wps->cred.key_len = wps->wps->network_key_len;
1763 	} else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
1764 		/* Generate a random per-device PSK */
1765 		os_free(wps->new_psk);
1766 		wps->new_psk_len = PMK_LEN;
1767 		wps->new_psk = os_malloc(wps->new_psk_len);
1768 		if (wps->new_psk == NULL)
1769 			return -1;
1770 		if (random_pool_ready() != 1 ||
1771 		    random_get_bytes(wps->new_psk, wps->new_psk_len) < 0) {
1772 			wpa_printf(MSG_INFO,
1773 				   "WPS: Could not generate random PSK");
1774 			os_free(wps->new_psk);
1775 			wps->new_psk = NULL;
1776 			return -1;
1777 		}
1778 		wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK",
1779 				wps->new_psk, wps->new_psk_len);
1780 		wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk,
1781 				 wps->new_psk_len);
1782 		os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2);
1783 		wps->cred.key_len = wps->new_psk_len * 2;
1784 	}
1785 
1786 use_provided:
1787 #ifdef CONFIG_WPS_TESTING
1788 	if (wps_testing_stub_cred)
1789 		cred = wpabuf_alloc(200);
1790 	else
1791 		cred = NULL;
1792 	if (cred) {
1793 		struct wps_credential stub;
1794 		wpa_printf(MSG_DEBUG, "WPS: Add stub credential");
1795 		os_memset(&stub, 0, sizeof(stub));
1796 		os_memcpy(stub.ssid, "stub", 5);
1797 		stub.ssid_len = 5;
1798 		stub.auth_type = WPS_AUTH_WPA2PSK;
1799 		stub.encr_type = WPS_ENCR_AES;
1800 		os_memcpy(stub.key, "stub psk", 9);
1801 		stub.key_len = 9;
1802 		os_memcpy(stub.mac_addr, wps->mac_addr_e, ETH_ALEN);
1803 		wps_build_credential(cred, &stub);
1804 		wpa_hexdump_buf(MSG_DEBUG, "WPS: Stub Credential", cred);
1805 
1806 		wpabuf_put_be16(msg, ATTR_CRED);
1807 		wpabuf_put_be16(msg, wpabuf_len(cred));
1808 		wpabuf_put_buf(msg, cred);
1809 
1810 		wpabuf_free(cred);
1811 	}
1812 #endif /* CONFIG_WPS_TESTING */
1813 
1814 	cred = wpabuf_alloc(200);
1815 	if (cred == NULL)
1816 		return -1;
1817 
1818 	if (wps_build_credential(cred, &wps->cred)) {
1819 		wpabuf_clear_free(cred);
1820 		return -1;
1821 	}
1822 
1823 	wpabuf_put_be16(msg, ATTR_CRED);
1824 	wpabuf_put_be16(msg, wpabuf_len(cred));
1825 	wpabuf_put_buf(msg, cred);
1826 	wpabuf_clear_free(cred);
1827 
1828 skip_cred_build:
1829 	if (wps->wps->registrar->extra_cred) {
1830 		wpa_printf(MSG_DEBUG, "WPS:  * Credential (pre-configured)");
1831 		wpabuf_put_buf(msg, wps->wps->registrar->extra_cred);
1832 	}
1833 
1834 	return 0;
1835 }
1836 
1837 
1838 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg)
1839 {
1840 	wpa_printf(MSG_DEBUG, "WPS:  * AP Settings");
1841 
1842 	if (wps_build_credential(msg, &wps->cred))
1843 		return -1;
1844 
1845 	return 0;
1846 }
1847 
1848 
1849 static struct wpabuf * wps_build_ap_cred(struct wps_data *wps)
1850 {
1851 	struct wpabuf *msg, *plain;
1852 
1853 	msg = wpabuf_alloc(1000);
1854 	if (msg == NULL)
1855 		return NULL;
1856 
1857 	plain = wpabuf_alloc(200);
1858 	if (plain == NULL) {
1859 		wpabuf_free(msg);
1860 		return NULL;
1861 	}
1862 
1863 	if (wps_build_ap_settings(wps, plain)) {
1864 		wpabuf_clear_free(plain);
1865 		wpabuf_free(msg);
1866 		return NULL;
1867 	}
1868 
1869 	wpabuf_put_be16(msg, ATTR_CRED);
1870 	wpabuf_put_be16(msg, wpabuf_len(plain));
1871 	wpabuf_put_buf(msg, plain);
1872 	wpabuf_clear_free(plain);
1873 
1874 	return msg;
1875 }
1876 
1877 
1878 static struct wpabuf * wps_build_m2(struct wps_data *wps)
1879 {
1880 	struct wpabuf *msg;
1881 	int config_in_m2 = 0;
1882 
1883 	if (random_get_bytes(wps->nonce_r, WPS_NONCE_LEN) < 0)
1884 		return NULL;
1885 	wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce",
1886 		    wps->nonce_r, WPS_NONCE_LEN);
1887 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
1888 
1889 	wpa_printf(MSG_DEBUG, "WPS: Building Message M2");
1890 	msg = wpabuf_alloc(1000);
1891 	if (msg == NULL)
1892 		return NULL;
1893 
1894 	if (wps_build_version(msg) ||
1895 	    wps_build_msg_type(msg, WPS_M2) ||
1896 	    wps_build_enrollee_nonce(wps, msg) ||
1897 	    wps_build_registrar_nonce(wps, msg) ||
1898 	    wps_build_uuid_r(wps, msg) ||
1899 	    wps_build_public_key(wps, msg) ||
1900 	    wps_derive_keys(wps) ||
1901 	    wps_build_auth_type_flags(wps, msg) ||
1902 	    wps_build_encr_type_flags(wps, msg) ||
1903 	    wps_build_conn_type_flags(wps, msg) ||
1904 	    wps_build_config_methods_r(wps->wps->registrar, msg) ||
1905 	    wps_build_device_attrs(&wps->wps->dev, msg) ||
1906 	    wps_build_rf_bands(&wps->wps->dev, msg,
1907 			       wps->wps->rf_band_cb(wps->wps->cb_ctx)) ||
1908 	    wps_build_assoc_state(wps, msg) ||
1909 	    wps_build_config_error(msg, WPS_CFG_NO_ERROR) ||
1910 	    wps_build_dev_password_id(msg, wps->dev_pw_id) ||
1911 	    wps_build_os_version(&wps->wps->dev, msg) ||
1912 	    wps_build_wfa_ext(msg, 0, NULL, 0, 0)) {
1913 		wpabuf_free(msg);
1914 		return NULL;
1915 	}
1916 
1917 #ifdef CONFIG_WPS_NFC
1918 	if (wps->nfc_pw_token && wps->nfc_pw_token->pk_hash_provided_oob &&
1919 	    wps->nfc_pw_token->pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) {
1920 		/*
1921 		 * Use abbreviated handshake since public key hash allowed
1922 		 * Enrollee to validate our public key similarly to how Enrollee
1923 		 * public key was validated. There is no need to validate Device
1924 		 * Password in this case.
1925 		 */
1926 		struct wpabuf *plain = wpabuf_alloc(500);
1927 		if (plain == NULL ||
1928 		    wps_build_cred(wps, plain) ||
1929 		    wps_build_key_wrap_auth(wps, plain) ||
1930 		    wps_build_encr_settings(wps, msg, plain)) {
1931 			wpabuf_free(msg);
1932 			wpabuf_clear_free(plain);
1933 			return NULL;
1934 		}
1935 		wpabuf_clear_free(plain);
1936 		config_in_m2 = 1;
1937 	}
1938 #endif /* CONFIG_WPS_NFC */
1939 
1940 	if (wps_build_authenticator(wps, msg)) {
1941 		wpabuf_free(msg);
1942 		return NULL;
1943 	}
1944 
1945 	wps->int_reg = 1;
1946 	wps->state = config_in_m2 ? RECV_DONE : RECV_M3;
1947 	return msg;
1948 }
1949 
1950 
1951 static struct wpabuf * wps_build_m2d(struct wps_data *wps)
1952 {
1953 	struct wpabuf *msg;
1954 	u16 err = wps->config_error;
1955 
1956 	wpa_printf(MSG_DEBUG, "WPS: Building Message M2D");
1957 	msg = wpabuf_alloc(1000);
1958 	if (msg == NULL)
1959 		return NULL;
1960 
1961 	if (wps->wps->ap && wps->wps->ap_setup_locked &&
1962 	    err == WPS_CFG_NO_ERROR)
1963 		err = WPS_CFG_SETUP_LOCKED;
1964 
1965 	if (wps_build_version(msg) ||
1966 	    wps_build_msg_type(msg, WPS_M2D) ||
1967 	    wps_build_enrollee_nonce(wps, msg) ||
1968 	    wps_build_registrar_nonce(wps, msg) ||
1969 	    wps_build_uuid_r(wps, msg) ||
1970 	    wps_build_auth_type_flags(wps, msg) ||
1971 	    wps_build_encr_type_flags(wps, msg) ||
1972 	    wps_build_conn_type_flags(wps, msg) ||
1973 	    wps_build_config_methods_r(wps->wps->registrar, msg) ||
1974 	    wps_build_device_attrs(&wps->wps->dev, msg) ||
1975 	    wps_build_rf_bands(&wps->wps->dev, msg,
1976 			       wps->wps->rf_band_cb(wps->wps->cb_ctx)) ||
1977 	    wps_build_assoc_state(wps, msg) ||
1978 	    wps_build_config_error(msg, err) ||
1979 	    wps_build_os_version(&wps->wps->dev, msg) ||
1980 	    wps_build_wfa_ext(msg, 0, NULL, 0, 0)) {
1981 		wpabuf_free(msg);
1982 		return NULL;
1983 	}
1984 
1985 	wps->state = RECV_M2D_ACK;
1986 	return msg;
1987 }
1988 
1989 
1990 static struct wpabuf * wps_build_m4(struct wps_data *wps)
1991 {
1992 	struct wpabuf *msg, *plain;
1993 
1994 	wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
1995 
1996 	if (wps_derive_psk(wps, wps->dev_password, wps->dev_password_len) < 0)
1997 		return NULL;
1998 
1999 	plain = wpabuf_alloc(200);
2000 	if (plain == NULL)
2001 		return NULL;
2002 
2003 	msg = wpabuf_alloc(1000);
2004 	if (msg == NULL) {
2005 		wpabuf_free(plain);
2006 		return NULL;
2007 	}
2008 
2009 	if (wps_build_version(msg) ||
2010 	    wps_build_msg_type(msg, WPS_M4) ||
2011 	    wps_build_enrollee_nonce(wps, msg) ||
2012 	    wps_build_r_hash(wps, msg) ||
2013 	    wps_build_r_snonce1(wps, plain) ||
2014 	    wps_build_key_wrap_auth(wps, plain) ||
2015 	    wps_build_encr_settings(wps, msg, plain) ||
2016 	    wps_build_wfa_ext(msg, 0, NULL, 0, 0) ||
2017 	    wps_build_authenticator(wps, msg)) {
2018 		wpabuf_clear_free(plain);
2019 		wpabuf_free(msg);
2020 		return NULL;
2021 	}
2022 	wpabuf_clear_free(plain);
2023 
2024 	wps->state = RECV_M5;
2025 	return msg;
2026 }
2027 
2028 
2029 static struct wpabuf * wps_build_m6(struct wps_data *wps)
2030 {
2031 	struct wpabuf *msg, *plain;
2032 
2033 	wpa_printf(MSG_DEBUG, "WPS: Building Message M6");
2034 
2035 	plain = wpabuf_alloc(200);
2036 	if (plain == NULL)
2037 		return NULL;
2038 
2039 	msg = wpabuf_alloc(1000);
2040 	if (msg == NULL) {
2041 		wpabuf_free(plain);
2042 		return NULL;
2043 	}
2044 
2045 	if (wps_build_version(msg) ||
2046 	    wps_build_msg_type(msg, WPS_M6) ||
2047 	    wps_build_enrollee_nonce(wps, msg) ||
2048 	    wps_build_r_snonce2(wps, plain) ||
2049 	    wps_build_key_wrap_auth(wps, plain) ||
2050 	    wps_build_encr_settings(wps, msg, plain) ||
2051 	    wps_build_wfa_ext(msg, 0, NULL, 0, 0) ||
2052 	    wps_build_authenticator(wps, msg)) {
2053 		wpabuf_clear_free(plain);
2054 		wpabuf_free(msg);
2055 		return NULL;
2056 	}
2057 	wpabuf_clear_free(plain);
2058 
2059 	wps->wps_pin_revealed = 1;
2060 	wps->state = RECV_M7;
2061 	return msg;
2062 }
2063 
2064 
2065 static struct wpabuf * wps_build_m8(struct wps_data *wps)
2066 {
2067 	struct wpabuf *msg, *plain;
2068 
2069 	wpa_printf(MSG_DEBUG, "WPS: Building Message M8");
2070 
2071 	plain = wpabuf_alloc(500);
2072 	if (plain == NULL)
2073 		return NULL;
2074 
2075 	msg = wpabuf_alloc(1000);
2076 	if (msg == NULL) {
2077 		wpabuf_free(plain);
2078 		return NULL;
2079 	}
2080 
2081 	if (wps_build_version(msg) ||
2082 	    wps_build_msg_type(msg, WPS_M8) ||
2083 	    wps_build_enrollee_nonce(wps, msg) ||
2084 	    ((wps->wps->ap || wps->er) && wps_build_cred(wps, plain)) ||
2085 	    (!wps->wps->ap && !wps->er && wps_build_ap_settings(wps, plain)) ||
2086 	    wps_build_key_wrap_auth(wps, plain) ||
2087 	    wps_build_encr_settings(wps, msg, plain) ||
2088 	    wps_build_wfa_ext(msg, 0, NULL, 0, 0) ||
2089 	    wps_build_authenticator(wps, msg)) {
2090 		wpabuf_clear_free(plain);
2091 		wpabuf_clear_free(msg);
2092 		return NULL;
2093 	}
2094 	wpabuf_clear_free(plain);
2095 
2096 	wps->state = RECV_DONE;
2097 	return msg;
2098 }
2099 
2100 
2101 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps,
2102 				      enum wsc_op_code *op_code)
2103 {
2104 	struct wpabuf *msg;
2105 
2106 #ifdef CONFIG_WPS_UPNP
2107 	if (!wps->int_reg && wps->wps->wps_upnp) {
2108 		struct upnp_pending_message *p, *prev = NULL;
2109 		if (wps->ext_reg > 1)
2110 			wps_registrar_free_pending_m2(wps->wps);
2111 		p = wps->wps->upnp_msgs;
2112 		/* TODO: check pending message MAC address */
2113 		while (p && p->next) {
2114 			prev = p;
2115 			p = p->next;
2116 		}
2117 		if (p) {
2118 			wpa_printf(MSG_DEBUG, "WPS: Use pending message from "
2119 				   "UPnP");
2120 			if (prev)
2121 				prev->next = NULL;
2122 			else
2123 				wps->wps->upnp_msgs = NULL;
2124 			msg = p->msg;
2125 			switch (p->type) {
2126 			case WPS_WSC_ACK:
2127 				*op_code = WSC_ACK;
2128 				break;
2129 			case WPS_WSC_NACK:
2130 				*op_code = WSC_NACK;
2131 				break;
2132 			default:
2133 				*op_code = WSC_MSG;
2134 				break;
2135 			}
2136 			os_free(p);
2137 			if (wps->ext_reg == 0)
2138 				wps->ext_reg = 1;
2139 			return msg;
2140 		}
2141 	}
2142 	if (wps->ext_reg) {
2143 		wpa_printf(MSG_DEBUG, "WPS: Using external Registrar, but no "
2144 			   "pending message available");
2145 		return NULL;
2146 	}
2147 #endif /* CONFIG_WPS_UPNP */
2148 
2149 	switch (wps->state) {
2150 	case SEND_M2:
2151 		if (wps_get_dev_password(wps) < 0)
2152 			msg = wps_build_m2d(wps);
2153 		else
2154 			msg = wps_build_m2(wps);
2155 		*op_code = WSC_MSG;
2156 		break;
2157 	case SEND_M2D:
2158 		msg = wps_build_m2d(wps);
2159 		*op_code = WSC_MSG;
2160 		break;
2161 	case SEND_M4:
2162 		msg = wps_build_m4(wps);
2163 		*op_code = WSC_MSG;
2164 		break;
2165 	case SEND_M6:
2166 		msg = wps_build_m6(wps);
2167 		*op_code = WSC_MSG;
2168 		break;
2169 	case SEND_M8:
2170 		msg = wps_build_m8(wps);
2171 		*op_code = WSC_MSG;
2172 		break;
2173 	case RECV_DONE:
2174 		msg = wps_build_wsc_ack(wps);
2175 		*op_code = WSC_ACK;
2176 		break;
2177 	case SEND_WSC_NACK:
2178 		msg = wps_build_wsc_nack(wps);
2179 		*op_code = WSC_NACK;
2180 		break;
2181 	default:
2182 		wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building "
2183 			   "a message", wps->state);
2184 		msg = NULL;
2185 		break;
2186 	}
2187 
2188 	if (*op_code == WSC_MSG && msg) {
2189 		/* Save a copy of the last message for Authenticator derivation
2190 		 */
2191 		wpabuf_free(wps->last_msg);
2192 		wps->last_msg = wpabuf_dup(msg);
2193 	}
2194 
2195 	return msg;
2196 }
2197 
2198 
2199 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce)
2200 {
2201 	if (e_nonce == NULL) {
2202 		wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received");
2203 		return -1;
2204 	}
2205 
2206 	os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN);
2207 	wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce",
2208 		    wps->nonce_e, WPS_NONCE_LEN);
2209 
2210 	return 0;
2211 }
2212 
2213 
2214 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce)
2215 {
2216 	if (r_nonce == NULL) {
2217 		wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received");
2218 		return -1;
2219 	}
2220 
2221 	if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) {
2222 		wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received");
2223 		return -1;
2224 	}
2225 
2226 	return 0;
2227 }
2228 
2229 
2230 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e)
2231 {
2232 	if (uuid_e == NULL) {
2233 		wpa_printf(MSG_DEBUG, "WPS: No UUID-E received");
2234 		return -1;
2235 	}
2236 
2237 	os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN);
2238 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN);
2239 
2240 	return 0;
2241 }
2242 
2243 
2244 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id)
2245 {
2246 	if (pw_id == NULL) {
2247 		wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received");
2248 		return -1;
2249 	}
2250 
2251 	wps->dev_pw_id = WPA_GET_BE16(pw_id);
2252 	wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id);
2253 
2254 	return 0;
2255 }
2256 
2257 
2258 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1)
2259 {
2260 	if (e_hash1 == NULL) {
2261 		wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received");
2262 		return -1;
2263 	}
2264 
2265 	os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN);
2266 	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
2267 
2268 	return 0;
2269 }
2270 
2271 
2272 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2)
2273 {
2274 	if (e_hash2 == NULL) {
2275 		wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received");
2276 		return -1;
2277 	}
2278 
2279 	os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
2280 	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
2281 
2282 	return 0;
2283 }
2284 
2285 
2286 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1)
2287 {
2288 	u8 hash[SHA256_MAC_LEN];
2289 	const u8 *addr[4];
2290 	size_t len[4];
2291 
2292 	if (e_snonce1 == NULL) {
2293 		wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received");
2294 		return -1;
2295 	}
2296 
2297 	wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1,
2298 			WPS_SECRET_NONCE_LEN);
2299 
2300 	/* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */
2301 	addr[0] = e_snonce1;
2302 	len[0] = WPS_SECRET_NONCE_LEN;
2303 	addr[1] = wps->psk1;
2304 	len[1] = WPS_PSK_LEN;
2305 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
2306 	len[2] = wpabuf_len(wps->dh_pubkey_e);
2307 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
2308 	len[3] = wpabuf_len(wps->dh_pubkey_r);
2309 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
2310 
2311 	if (os_memcmp_const(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) {
2312 		wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does "
2313 			   "not match with the pre-committed value");
2314 		wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
2315 		wps_pwd_auth_fail_event(wps->wps, 0, 1, wps->mac_addr_e);
2316 		return -1;
2317 	}
2318 
2319 	wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first "
2320 		   "half of the device password");
2321 
2322 	return 0;
2323 }
2324 
2325 
2326 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
2327 {
2328 	u8 hash[SHA256_MAC_LEN];
2329 	const u8 *addr[4];
2330 	size_t len[4];
2331 
2332 	if (e_snonce2 == NULL) {
2333 		wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received");
2334 		return -1;
2335 	}
2336 
2337 	wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2,
2338 			WPS_SECRET_NONCE_LEN);
2339 
2340 	/* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */
2341 	addr[0] = e_snonce2;
2342 	len[0] = WPS_SECRET_NONCE_LEN;
2343 	addr[1] = wps->psk2;
2344 	len[1] = WPS_PSK_LEN;
2345 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
2346 	len[2] = wpabuf_len(wps->dh_pubkey_e);
2347 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
2348 	len[3] = wpabuf_len(wps->dh_pubkey_r);
2349 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
2350 
2351 	if (os_memcmp_const(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) {
2352 		wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does "
2353 			   "not match with the pre-committed value");
2354 		wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e);
2355 		wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
2356 		wps_pwd_auth_fail_event(wps->wps, 0, 2, wps->mac_addr_e);
2357 		return -1;
2358 	}
2359 
2360 	wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second "
2361 		   "half of the device password");
2362 	wps->wps_pin_revealed = 0;
2363 	wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e);
2364 
2365 	/*
2366 	 * In case wildcard PIN is used and WPS handshake succeeds in the first
2367 	 * attempt, wps_registrar_unlock_pin() would not free the PIN, so make
2368 	 * sure the PIN gets invalidated here.
2369 	 */
2370 	wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e);
2371 
2372 	return 0;
2373 }
2374 
2375 
2376 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr)
2377 {
2378 	if (mac_addr == NULL) {
2379 		wpa_printf(MSG_DEBUG, "WPS: No MAC Address received");
2380 		return -1;
2381 	}
2382 
2383 	wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR,
2384 		   MAC2STR(mac_addr));
2385 	os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN);
2386 	os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN);
2387 
2388 	return 0;
2389 }
2390 
2391 
2392 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk,
2393 			      size_t pk_len)
2394 {
2395 	if (pk == NULL || pk_len == 0) {
2396 		wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
2397 		return -1;
2398 	}
2399 
2400 	wpabuf_free(wps->dh_pubkey_e);
2401 	wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
2402 	if (wps->dh_pubkey_e == NULL)
2403 		return -1;
2404 
2405 	return 0;
2406 }
2407 
2408 
2409 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth)
2410 {
2411 	u16 auth_types;
2412 
2413 	if (auth == NULL) {
2414 		wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags "
2415 			   "received");
2416 		return -1;
2417 	}
2418 
2419 	auth_types = WPA_GET_BE16(auth);
2420 
2421 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
2422 		   auth_types);
2423 #ifdef WPS_WORKAROUNDS
2424 	/*
2425 	 * Some deployed implementations seem to advertise incorrect information
2426 	 * in this attribute. A value of 0x1b (WPA2 + WPA + WPAPSK + OPEN, but
2427 	 * no WPA2PSK) has been reported to be used. Add WPA2PSK to the list to
2428 	 * avoid issues with building Credentials that do not use the strongest
2429 	 * actually supported authentication option (that device does support
2430 	 * WPA2PSK even when it does not claim it here).
2431 	 */
2432 	if ((auth_types &
2433 	     (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK)) ==
2434 	    (WPS_AUTH_WPA2 | WPS_AUTH_WPAPSK)) {
2435 		wpa_printf(MSG_DEBUG,
2436 			   "WPS: Workaround - assume Enrollee supports WPA2PSK based on claimed WPA2 support");
2437 		auth_types |= WPS_AUTH_WPA2PSK;
2438 	}
2439 #endif /* WPS_WORKAROUNDS */
2440 	wps->auth_type = wps->wps->auth_types & auth_types;
2441 	if (wps->auth_type == 0) {
2442 		wpa_printf(MSG_DEBUG, "WPS: No match in supported "
2443 			   "authentication types (own 0x%x Enrollee 0x%x)",
2444 			   wps->wps->auth_types, auth_types);
2445 #ifdef WPS_WORKAROUNDS
2446 		/*
2447 		 * Some deployed implementations seem to advertise incorrect
2448 		 * information in this attribute. For example, Linksys WRT350N
2449 		 * seems to have a byteorder bug that breaks this negotiation.
2450 		 * In order to interoperate with existing implementations,
2451 		 * assume that the Enrollee supports everything we do.
2452 		 */
2453 		wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee "
2454 			   "does not advertise supported authentication types "
2455 			   "correctly");
2456 		wps->auth_type = wps->wps->auth_types;
2457 #else /* WPS_WORKAROUNDS */
2458 		return -1;
2459 #endif /* WPS_WORKAROUNDS */
2460 	}
2461 
2462 	return 0;
2463 }
2464 
2465 
2466 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr)
2467 {
2468 	u16 encr_types;
2469 
2470 	if (encr == NULL) {
2471 		wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags "
2472 			   "received");
2473 		return -1;
2474 	}
2475 
2476 	encr_types = WPA_GET_BE16(encr);
2477 
2478 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x",
2479 		   encr_types);
2480 	wps->encr_type = wps->wps->encr_types & encr_types;
2481 	if (wps->encr_type == 0) {
2482 		wpa_printf(MSG_DEBUG, "WPS: No match in supported "
2483 			   "encryption types (own 0x%x Enrollee 0x%x)",
2484 			   wps->wps->encr_types, encr_types);
2485 #ifdef WPS_WORKAROUNDS
2486 		/*
2487 		 * Some deployed implementations seem to advertise incorrect
2488 		 * information in this attribute. For example, Linksys WRT350N
2489 		 * seems to have a byteorder bug that breaks this negotiation.
2490 		 * In order to interoperate with existing implementations,
2491 		 * assume that the Enrollee supports everything we do.
2492 		 */
2493 		wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee "
2494 			   "does not advertise supported encryption types "
2495 			   "correctly");
2496 		wps->encr_type = wps->wps->encr_types;
2497 #else /* WPS_WORKAROUNDS */
2498 		return -1;
2499 #endif /* WPS_WORKAROUNDS */
2500 	}
2501 
2502 	return 0;
2503 }
2504 
2505 
2506 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn)
2507 {
2508 	if (conn == NULL) {
2509 		wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags "
2510 			   "received");
2511 		return -1;
2512 	}
2513 
2514 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x",
2515 		   *conn);
2516 
2517 	return 0;
2518 }
2519 
2520 
2521 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods)
2522 {
2523 	u16 m;
2524 
2525 	if (methods == NULL) {
2526 		wpa_printf(MSG_DEBUG, "WPS: No Config Methods received");
2527 		return -1;
2528 	}
2529 
2530 	m = WPA_GET_BE16(methods);
2531 
2532 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x"
2533 		   "%s%s%s%s%s%s%s%s%s", m,
2534 		   m & WPS_CONFIG_USBA ? " [USBA]" : "",
2535 		   m & WPS_CONFIG_ETHERNET ? " [Ethernet]" : "",
2536 		   m & WPS_CONFIG_LABEL ? " [Label]" : "",
2537 		   m & WPS_CONFIG_DISPLAY ? " [Display]" : "",
2538 		   m & WPS_CONFIG_EXT_NFC_TOKEN ? " [Ext NFC Token]" : "",
2539 		   m & WPS_CONFIG_INT_NFC_TOKEN ? " [Int NFC Token]" : "",
2540 		   m & WPS_CONFIG_NFC_INTERFACE ? " [NFC]" : "",
2541 		   m & WPS_CONFIG_PUSHBUTTON ? " [PBC]" : "",
2542 		   m & WPS_CONFIG_KEYPAD ? " [Keypad]" : "");
2543 
2544 	if (!(m & WPS_CONFIG_DISPLAY) && !wps->use_psk_key) {
2545 		/*
2546 		 * The Enrollee does not have a display so it is unlikely to be
2547 		 * able to show the passphrase to a user and as such, could
2548 		 * benefit from receiving PSK to reduce key derivation time.
2549 		 */
2550 		wpa_printf(MSG_DEBUG, "WPS: Prefer PSK format key due to "
2551 			   "Enrollee not supporting display");
2552 		wps->use_psk_key = 1;
2553 	}
2554 
2555 	return 0;
2556 }
2557 
2558 
2559 static int wps_process_wps_state(struct wps_data *wps, const u8 *state)
2560 {
2561 	if (state == NULL) {
2562 		wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State "
2563 			   "received");
2564 		return -1;
2565 	}
2566 
2567 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d",
2568 		   *state);
2569 
2570 	return 0;
2571 }
2572 
2573 
2574 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc)
2575 {
2576 	u16 a;
2577 
2578 	if (assoc == NULL) {
2579 		wpa_printf(MSG_DEBUG, "WPS: No Association State received");
2580 		return -1;
2581 	}
2582 
2583 	a = WPA_GET_BE16(assoc);
2584 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a);
2585 
2586 	return 0;
2587 }
2588 
2589 
2590 static int wps_process_config_error(struct wps_data *wps, const u8 *err)
2591 {
2592 	u16 e;
2593 
2594 	if (err == NULL) {
2595 		wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received");
2596 		return -1;
2597 	}
2598 
2599 	e = WPA_GET_BE16(err);
2600 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e);
2601 
2602 	return 0;
2603 }
2604 
2605 
2606 static int wps_registrar_p2p_dev_addr_match(struct wps_data *wps)
2607 {
2608 #ifdef CONFIG_P2P
2609 	struct wps_registrar *reg = wps->wps->registrar;
2610 
2611 	if (is_zero_ether_addr(reg->p2p_dev_addr))
2612 		return 1; /* no filtering in use */
2613 
2614 	if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) != 0) {
2615 		wpa_printf(MSG_DEBUG, "WPS: No match on P2P Device Address "
2616 			   "filtering for PBC: expected " MACSTR " was "
2617 			   MACSTR " - indicate PBC session overlap",
2618 			   MAC2STR(reg->p2p_dev_addr),
2619 			   MAC2STR(wps->p2p_dev_addr));
2620 		return 0;
2621 	}
2622 #endif /* CONFIG_P2P */
2623 	return 1;
2624 }
2625 
2626 
2627 static int wps_registrar_skip_overlap(struct wps_data *wps)
2628 {
2629 #ifdef CONFIG_P2P
2630 	struct wps_registrar *reg = wps->wps->registrar;
2631 
2632 	if (is_zero_ether_addr(reg->p2p_dev_addr))
2633 		return 0; /* no specific Enrollee selected */
2634 
2635 	if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) == 0) {
2636 		wpa_printf(MSG_DEBUG, "WPS: Skip PBC overlap due to selected "
2637 			   "Enrollee match");
2638 		return 1;
2639 	}
2640 #endif /* CONFIG_P2P */
2641 	return 0;
2642 }
2643 
2644 
2645 static enum wps_process_res wps_process_m1(struct wps_data *wps,
2646 					   struct wps_parse_attr *attr)
2647 {
2648 	wpa_printf(MSG_DEBUG, "WPS: Received M1");
2649 
2650 	if (wps->state != RECV_M1) {
2651 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
2652 			   "receiving M1", wps->state);
2653 		return WPS_FAILURE;
2654 	}
2655 
2656 	if (wps_process_uuid_e(wps, attr->uuid_e) ||
2657 	    wps_process_mac_addr(wps, attr->mac_addr) ||
2658 	    wps_process_enrollee_nonce(wps, attr->enrollee_nonce) ||
2659 	    wps_process_pubkey(wps, attr->public_key, attr->public_key_len) ||
2660 	    wps_process_auth_type_flags(wps, attr->auth_type_flags) ||
2661 	    wps_process_encr_type_flags(wps, attr->encr_type_flags) ||
2662 	    wps_process_conn_type_flags(wps, attr->conn_type_flags) ||
2663 	    wps_process_config_methods(wps, attr->config_methods) ||
2664 	    wps_process_wps_state(wps, attr->wps_state) ||
2665 	    wps_process_device_attrs(&wps->peer_dev, attr) ||
2666 	    wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) ||
2667 	    wps_process_assoc_state(wps, attr->assoc_state) ||
2668 	    wps_process_dev_password_id(wps, attr->dev_password_id) ||
2669 	    wps_process_config_error(wps, attr->config_error) ||
2670 	    wps_process_os_version(&wps->peer_dev, attr->os_version))
2671 		return WPS_FAILURE;
2672 
2673 	if (wps->dev_pw_id < 0x10 &&
2674 	    wps->dev_pw_id != DEV_PW_DEFAULT &&
2675 	    wps->dev_pw_id != DEV_PW_P2PS_DEFAULT &&
2676 	    wps->dev_pw_id != DEV_PW_USER_SPECIFIED &&
2677 	    wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED &&
2678 	    wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED &&
2679 #ifdef CONFIG_WPS_NFC
2680 	    wps->dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER &&
2681 #endif /* CONFIG_WPS_NFC */
2682 	    (wps->dev_pw_id != DEV_PW_PUSHBUTTON ||
2683 	     !wps->wps->registrar->pbc)) {
2684 		wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d",
2685 			   wps->dev_pw_id);
2686 		wps->state = SEND_M2D;
2687 		return WPS_CONTINUE;
2688 	}
2689 
2690 #ifdef CONFIG_WPS_NFC
2691 	if (wps->dev_pw_id >= 0x10 ||
2692 	    wps->dev_pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) {
2693 		struct wps_nfc_pw_token *token;
2694 		const u8 *addr[1];
2695 		u8 hash[WPS_HASH_LEN];
2696 
2697 		wpa_printf(MSG_DEBUG, "WPS: Searching for NFC token match for id=%d (ctx %p registrar %p)",
2698 			   wps->dev_pw_id, wps->wps, wps->wps->registrar);
2699 		token = wps_get_nfc_pw_token(
2700 			&wps->wps->registrar->nfc_pw_tokens, wps->dev_pw_id);
2701 		if (token && token->peer_pk_hash_known) {
2702 			size_t len;
2703 
2704 			wpa_printf(MSG_DEBUG, "WPS: Found matching NFC "
2705 				   "Password Token");
2706 			dl_list_del(&token->list);
2707 			wps->nfc_pw_token = token;
2708 
2709 			addr[0] = attr->public_key;
2710 			len = attr->public_key_len;
2711 			sha256_vector(1, addr, &len, hash);
2712 			if (os_memcmp_const(hash,
2713 					    wps->nfc_pw_token->pubkey_hash,
2714 					    WPS_OOB_PUBKEY_HASH_LEN) != 0) {
2715 				wpa_printf(MSG_ERROR, "WPS: Public Key hash "
2716 					   "mismatch");
2717 				wps->state = SEND_M2D;
2718 				wps->config_error =
2719 					WPS_CFG_PUBLIC_KEY_HASH_MISMATCH;
2720 				return WPS_CONTINUE;
2721 			}
2722 		} else if (token) {
2723 			wpa_printf(MSG_DEBUG, "WPS: Found matching NFC "
2724 				   "Password Token (no peer PK hash)");
2725 			wps->nfc_pw_token = token;
2726 		} else if (wps->dev_pw_id >= 0x10 &&
2727 			   wps->wps->ap_nfc_dev_pw_id == wps->dev_pw_id &&
2728 			   wps->wps->ap_nfc_dev_pw) {
2729 			wpa_printf(MSG_DEBUG, "WPS: Found match with own NFC Password Token");
2730 		}
2731 	}
2732 #endif /* CONFIG_WPS_NFC */
2733 
2734 	if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) {
2735 		if ((wps->wps->registrar->force_pbc_overlap ||
2736 		     wps_registrar_pbc_overlap(wps->wps->registrar,
2737 					       wps->mac_addr_e, wps->uuid_e) ||
2738 		     !wps_registrar_p2p_dev_addr_match(wps)) &&
2739 		    !wps_registrar_skip_overlap(wps)) {
2740 			wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC "
2741 				   "negotiation");
2742 			wps->state = SEND_M2D;
2743 			wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
2744 			wps_pbc_overlap_event(wps->wps);
2745 			wps_fail_event(wps->wps, WPS_M1,
2746 				       WPS_CFG_MULTIPLE_PBC_DETECTED,
2747 				       WPS_EI_NO_ERROR, wps->mac_addr_e);
2748 			wps->wps->registrar->force_pbc_overlap = 1;
2749 			return WPS_CONTINUE;
2750 		}
2751 		wps_registrar_add_pbc_session(wps->wps->registrar,
2752 					      wps->mac_addr_e, wps->uuid_e);
2753 		wps->pbc = 1;
2754 	}
2755 
2756 #ifdef WPS_WORKAROUNDS
2757 	/*
2758 	 * It looks like Mac OS X 10.6.3 and 10.6.4 do not like Network Key in
2759 	 * passphrase format. To avoid interop issues, force PSK format to be
2760 	 * used.
2761 	 */
2762 	if (!wps->use_psk_key &&
2763 	    wps->peer_dev.manufacturer &&
2764 	    os_strncmp(wps->peer_dev.manufacturer, "Apple ", 6) == 0 &&
2765 	    wps->peer_dev.model_name &&
2766 	    os_strcmp(wps->peer_dev.model_name, "AirPort") == 0) {
2767 		wpa_printf(MSG_DEBUG, "WPS: Workaround - Force Network Key in "
2768 			   "PSK format");
2769 		wps->use_psk_key = 1;
2770 	}
2771 #endif /* WPS_WORKAROUNDS */
2772 	wps_process_vendor_ext_m1(&wps->peer_dev, attr->multi_ap_ext);
2773 
2774 	wps->state = SEND_M2;
2775 	return WPS_CONTINUE;
2776 }
2777 
2778 
2779 static enum wps_process_res wps_process_m3(struct wps_data *wps,
2780 					   const struct wpabuf *msg,
2781 					   struct wps_parse_attr *attr)
2782 {
2783 	wpa_printf(MSG_DEBUG, "WPS: Received M3");
2784 
2785 	if (wps->state != RECV_M3) {
2786 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
2787 			   "receiving M3", wps->state);
2788 		wps->state = SEND_WSC_NACK;
2789 		return WPS_CONTINUE;
2790 	}
2791 
2792 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
2793 	    !wps_registrar_skip_overlap(wps)) {
2794 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
2795 			   "session overlap");
2796 		wps->state = SEND_WSC_NACK;
2797 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
2798 		return WPS_CONTINUE;
2799 	}
2800 
2801 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
2802 	    wps_process_authenticator(wps, attr->authenticator, msg) ||
2803 	    wps_process_e_hash1(wps, attr->e_hash1) ||
2804 	    wps_process_e_hash2(wps, attr->e_hash2)) {
2805 		wps->state = SEND_WSC_NACK;
2806 		return WPS_CONTINUE;
2807 	}
2808 
2809 	wps->state = SEND_M4;
2810 	return WPS_CONTINUE;
2811 }
2812 
2813 
2814 static enum wps_process_res wps_process_m5(struct wps_data *wps,
2815 					   const struct wpabuf *msg,
2816 					   struct wps_parse_attr *attr)
2817 {
2818 	struct wpabuf *decrypted;
2819 	struct wps_parse_attr eattr;
2820 
2821 	wpa_printf(MSG_DEBUG, "WPS: Received M5");
2822 
2823 	if (wps->state != RECV_M5) {
2824 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
2825 			   "receiving M5", wps->state);
2826 		wps->state = SEND_WSC_NACK;
2827 		return WPS_CONTINUE;
2828 	}
2829 
2830 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
2831 	    !wps_registrar_skip_overlap(wps)) {
2832 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
2833 			   "session overlap");
2834 		wps->state = SEND_WSC_NACK;
2835 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
2836 		return WPS_CONTINUE;
2837 	}
2838 
2839 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
2840 	    wps_process_authenticator(wps, attr->authenticator, msg)) {
2841 		wps->state = SEND_WSC_NACK;
2842 		return WPS_CONTINUE;
2843 	}
2844 
2845 	decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
2846 					      attr->encr_settings_len);
2847 	if (decrypted == NULL) {
2848 		wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
2849 			   "Settings attribute");
2850 		wps->state = SEND_WSC_NACK;
2851 		return WPS_CONTINUE;
2852 	}
2853 
2854 	if (wps_validate_m5_encr(decrypted, attr->version2 != NULL) < 0) {
2855 		wpabuf_clear_free(decrypted);
2856 		wps->state = SEND_WSC_NACK;
2857 		return WPS_CONTINUE;
2858 	}
2859 
2860 	wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
2861 		   "attribute");
2862 	if (wps_parse_msg(decrypted, &eattr) < 0 ||
2863 	    wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
2864 	    wps_process_e_snonce1(wps, eattr.e_snonce1)) {
2865 		wpabuf_clear_free(decrypted);
2866 		wps->state = SEND_WSC_NACK;
2867 		return WPS_CONTINUE;
2868 	}
2869 	wpabuf_clear_free(decrypted);
2870 
2871 	wps->state = SEND_M6;
2872 	return WPS_CONTINUE;
2873 }
2874 
2875 
2876 static void wps_sta_cred_cb(struct wps_data *wps)
2877 {
2878 	/*
2879 	 * Update credential to only include a single authentication and
2880 	 * encryption type in case the AP configuration includes more than one
2881 	 * option.
2882 	 */
2883 	if (wps->cred.auth_type & WPS_AUTH_WPA2PSK)
2884 		wps->cred.auth_type = WPS_AUTH_WPA2PSK;
2885 	else if (wps->cred.auth_type & WPS_AUTH_WPAPSK)
2886 		wps->cred.auth_type = WPS_AUTH_WPAPSK;
2887 	if (wps->cred.encr_type & WPS_ENCR_AES)
2888 		wps->cred.encr_type = WPS_ENCR_AES;
2889 	else if (wps->cred.encr_type & WPS_ENCR_TKIP)
2890 		wps->cred.encr_type = WPS_ENCR_TKIP;
2891 	wpa_printf(MSG_DEBUG, "WPS: Update local configuration based on the "
2892 		   "AP configuration");
2893 	if (wps->wps->cred_cb)
2894 		wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred);
2895 }
2896 
2897 
2898 static void wps_cred_update(struct wps_credential *dst,
2899 			    struct wps_credential *src)
2900 {
2901 	os_memcpy(dst->ssid, src->ssid, sizeof(dst->ssid));
2902 	dst->ssid_len = src->ssid_len;
2903 	dst->auth_type = src->auth_type;
2904 	dst->encr_type = src->encr_type;
2905 	dst->key_idx = src->key_idx;
2906 	os_memcpy(dst->key, src->key, sizeof(dst->key));
2907 	dst->key_len = src->key_len;
2908 }
2909 
2910 
2911 static int wps_process_ap_settings_r(struct wps_data *wps,
2912 				     struct wps_parse_attr *attr)
2913 {
2914 	struct wpabuf *msg;
2915 
2916 	if (wps->wps->ap || wps->er)
2917 		return 0;
2918 
2919 	/* AP Settings Attributes in M7 when Enrollee is an AP */
2920 	if (wps_process_ap_settings(attr, &wps->cred) < 0)
2921 		return -1;
2922 
2923 	wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP");
2924 
2925 	if (wps->new_ap_settings) {
2926 		wpa_printf(MSG_INFO, "WPS: Update AP configuration based on "
2927 			   "new settings");
2928 		wps_cred_update(&wps->cred, wps->new_ap_settings);
2929 		return 0;
2930 	} else {
2931 		/*
2932 		 * Use the AP PIN only to receive the current AP settings, not
2933 		 * to reconfigure the AP.
2934 		 */
2935 
2936 		/*
2937 		 * Clear selected registrar here since we do not get to
2938 		 * WSC_Done in this protocol run.
2939 		 */
2940 		wps_registrar_pin_completed(wps->wps->registrar);
2941 
2942 		msg = wps_build_ap_cred(wps);
2943 		if (msg == NULL)
2944 			return -1;
2945 		wps->cred.cred_attr = wpabuf_head(msg);
2946 		wps->cred.cred_attr_len = wpabuf_len(msg);
2947 
2948 		if (wps->ap_settings_cb) {
2949 			wps->ap_settings_cb(wps->ap_settings_cb_ctx,
2950 					    &wps->cred);
2951 			wpabuf_free(msg);
2952 			return 1;
2953 		}
2954 		wps_sta_cred_cb(wps);
2955 
2956 		wps->cred.cred_attr = NULL;
2957 		wps->cred.cred_attr_len = 0;
2958 		wpabuf_free(msg);
2959 
2960 		return 1;
2961 	}
2962 }
2963 
2964 
2965 static enum wps_process_res wps_process_m7(struct wps_data *wps,
2966 					   const struct wpabuf *msg,
2967 					   struct wps_parse_attr *attr)
2968 {
2969 	struct wpabuf *decrypted;
2970 	struct wps_parse_attr eattr;
2971 
2972 	wpa_printf(MSG_DEBUG, "WPS: Received M7");
2973 
2974 	if (wps->state != RECV_M7) {
2975 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
2976 			   "receiving M7", wps->state);
2977 		wps->state = SEND_WSC_NACK;
2978 		return WPS_CONTINUE;
2979 	}
2980 
2981 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
2982 	    !wps_registrar_skip_overlap(wps)) {
2983 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
2984 			   "session overlap");
2985 		wps->state = SEND_WSC_NACK;
2986 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
2987 		return WPS_CONTINUE;
2988 	}
2989 
2990 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
2991 	    wps_process_authenticator(wps, attr->authenticator, msg)) {
2992 		wps->state = SEND_WSC_NACK;
2993 		return WPS_CONTINUE;
2994 	}
2995 
2996 	decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
2997 					      attr->encr_settings_len);
2998 	if (decrypted == NULL) {
2999 		wpa_printf(MSG_DEBUG, "WPS: Failed to decrypt Encrypted "
3000 			   "Settings attribute");
3001 		wps->state = SEND_WSC_NACK;
3002 		return WPS_CONTINUE;
3003 	}
3004 
3005 	if (wps_validate_m7_encr(decrypted, wps->wps->ap || wps->er,
3006 				 attr->version2 != NULL) < 0) {
3007 		wpabuf_clear_free(decrypted);
3008 		wps->state = SEND_WSC_NACK;
3009 		return WPS_CONTINUE;
3010 	}
3011 
3012 	wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
3013 		   "attribute");
3014 	if (wps_parse_msg(decrypted, &eattr) < 0 ||
3015 	    wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
3016 	    wps_process_e_snonce2(wps, eattr.e_snonce2) ||
3017 	    wps_process_ap_settings_r(wps, &eattr)) {
3018 		wpabuf_clear_free(decrypted);
3019 		wps->state = SEND_WSC_NACK;
3020 		return WPS_CONTINUE;
3021 	}
3022 
3023 	wpabuf_clear_free(decrypted);
3024 
3025 	wps->state = SEND_M8;
3026 	return WPS_CONTINUE;
3027 }
3028 
3029 
3030 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps,
3031 						const struct wpabuf *msg)
3032 {
3033 	struct wps_parse_attr attr;
3034 	enum wps_process_res ret = WPS_CONTINUE;
3035 
3036 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG");
3037 
3038 	if (wps_parse_msg(msg, &attr) < 0)
3039 		return WPS_FAILURE;
3040 
3041 	if (attr.msg_type == NULL) {
3042 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
3043 		wps->state = SEND_WSC_NACK;
3044 		return WPS_CONTINUE;
3045 	}
3046 
3047 	if (*attr.msg_type != WPS_M1 &&
3048 	    (attr.registrar_nonce == NULL ||
3049 	     os_memcmp(wps->nonce_r, attr.registrar_nonce,
3050 		       WPS_NONCE_LEN) != 0)) {
3051 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
3052 		return WPS_FAILURE;
3053 	}
3054 
3055 	switch (*attr.msg_type) {
3056 	case WPS_M1:
3057 		if (wps_validate_m1(msg) < 0)
3058 			return WPS_FAILURE;
3059 #ifdef CONFIG_WPS_UPNP
3060 		if (wps->wps->wps_upnp && attr.mac_addr) {
3061 			/* Remove old pending messages when starting new run */
3062 			wps_free_pending_msgs(wps->wps->upnp_msgs);
3063 			wps->wps->upnp_msgs = NULL;
3064 
3065 			upnp_wps_device_send_wlan_event(
3066 				wps->wps->wps_upnp, attr.mac_addr,
3067 				UPNP_WPS_WLANEVENT_TYPE_EAP, msg);
3068 		}
3069 #endif /* CONFIG_WPS_UPNP */
3070 		ret = wps_process_m1(wps, &attr);
3071 		break;
3072 	case WPS_M3:
3073 		if (wps_validate_m3(msg) < 0)
3074 			return WPS_FAILURE;
3075 		ret = wps_process_m3(wps, msg, &attr);
3076 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
3077 			wps_fail_event(wps->wps, WPS_M3, wps->config_error,
3078 				       wps->error_indication, wps->mac_addr_e);
3079 		break;
3080 	case WPS_M5:
3081 		if (wps_validate_m5(msg) < 0)
3082 			return WPS_FAILURE;
3083 		ret = wps_process_m5(wps, msg, &attr);
3084 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
3085 			wps_fail_event(wps->wps, WPS_M5, wps->config_error,
3086 				       wps->error_indication, wps->mac_addr_e);
3087 		break;
3088 	case WPS_M7:
3089 		if (wps_validate_m7(msg) < 0)
3090 			return WPS_FAILURE;
3091 		ret = wps_process_m7(wps, msg, &attr);
3092 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
3093 			wps_fail_event(wps->wps, WPS_M7, wps->config_error,
3094 				       wps->error_indication, wps->mac_addr_e);
3095 		break;
3096 	default:
3097 		wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d",
3098 			   *attr.msg_type);
3099 		return WPS_FAILURE;
3100 	}
3101 
3102 	if (ret == WPS_CONTINUE) {
3103 		/* Save a copy of the last message for Authenticator derivation
3104 		 */
3105 		wpabuf_free(wps->last_msg);
3106 		wps->last_msg = wpabuf_dup(msg);
3107 	}
3108 
3109 	return ret;
3110 }
3111 
3112 
3113 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps,
3114 						const struct wpabuf *msg)
3115 {
3116 	struct wps_parse_attr attr;
3117 
3118 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK");
3119 
3120 	if (wps_parse_msg(msg, &attr) < 0)
3121 		return WPS_FAILURE;
3122 
3123 	if (attr.msg_type == NULL) {
3124 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
3125 		return WPS_FAILURE;
3126 	}
3127 
3128 	if (*attr.msg_type != WPS_WSC_ACK) {
3129 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
3130 			   *attr.msg_type);
3131 		return WPS_FAILURE;
3132 	}
3133 
3134 #ifdef CONFIG_WPS_UPNP
3135 	if (wps->wps->wps_upnp && wps->ext_reg && wps->state == RECV_M2D_ACK &&
3136 	    upnp_wps_subscribers(wps->wps->wps_upnp)) {
3137 		if (wps->wps->upnp_msgs)
3138 			return WPS_CONTINUE;
3139 		wpa_printf(MSG_DEBUG, "WPS: Wait for response from an "
3140 			   "external Registrar");
3141 		return WPS_PENDING;
3142 	}
3143 #endif /* CONFIG_WPS_UPNP */
3144 
3145 	if (attr.registrar_nonce == NULL ||
3146 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
3147 	{
3148 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
3149 		return WPS_FAILURE;
3150 	}
3151 
3152 	if (attr.enrollee_nonce == NULL ||
3153 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
3154 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
3155 		return WPS_FAILURE;
3156 	}
3157 
3158 	if (wps->state == RECV_M2D_ACK) {
3159 #ifdef CONFIG_WPS_UPNP
3160 		if (wps->wps->wps_upnp &&
3161 		    upnp_wps_subscribers(wps->wps->wps_upnp)) {
3162 			if (wps->wps->upnp_msgs)
3163 				return WPS_CONTINUE;
3164 			if (wps->ext_reg == 0)
3165 				wps->ext_reg = 1;
3166 			wpa_printf(MSG_DEBUG, "WPS: Wait for response from an "
3167 				   "external Registrar");
3168 			return WPS_PENDING;
3169 		}
3170 #endif /* CONFIG_WPS_UPNP */
3171 
3172 		wpa_printf(MSG_DEBUG, "WPS: No more registrars available - "
3173 			   "terminate negotiation");
3174 	}
3175 
3176 	return WPS_FAILURE;
3177 }
3178 
3179 
3180 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps,
3181 						 const struct wpabuf *msg)
3182 {
3183 	struct wps_parse_attr attr;
3184 	int old_state;
3185 	u16 config_error;
3186 
3187 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK");
3188 
3189 	old_state = wps->state;
3190 	wps->state = SEND_WSC_NACK;
3191 
3192 	if (wps_parse_msg(msg, &attr) < 0)
3193 		return WPS_FAILURE;
3194 
3195 	if (attr.msg_type == NULL) {
3196 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
3197 		return WPS_FAILURE;
3198 	}
3199 
3200 	if (*attr.msg_type != WPS_WSC_NACK) {
3201 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
3202 			   *attr.msg_type);
3203 		return WPS_FAILURE;
3204 	}
3205 
3206 #ifdef CONFIG_WPS_UPNP
3207 	if (wps->wps->wps_upnp && wps->ext_reg) {
3208 		wpa_printf(MSG_DEBUG, "WPS: Negotiation using external "
3209 			   "Registrar terminated by the Enrollee");
3210 		return WPS_FAILURE;
3211 	}
3212 #endif /* CONFIG_WPS_UPNP */
3213 
3214 	if (attr.registrar_nonce == NULL ||
3215 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
3216 	{
3217 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
3218 		return WPS_FAILURE;
3219 	}
3220 
3221 	if (attr.enrollee_nonce == NULL ||
3222 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
3223 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
3224 		return WPS_FAILURE;
3225 	}
3226 
3227 	if (attr.config_error == NULL) {
3228 		wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute "
3229 			   "in WSC_NACK");
3230 		return WPS_FAILURE;
3231 	}
3232 
3233 	config_error = WPA_GET_BE16(attr.config_error);
3234 	wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with "
3235 		   "Configuration Error %d", config_error);
3236 
3237 	switch (old_state) {
3238 	case RECV_M3:
3239 		wps_fail_event(wps->wps, WPS_M2, config_error,
3240 			       wps->error_indication, wps->mac_addr_e);
3241 		break;
3242 	case RECV_M5:
3243 		wps_fail_event(wps->wps, WPS_M4, config_error,
3244 			       wps->error_indication, wps->mac_addr_e);
3245 		break;
3246 	case RECV_M7:
3247 		wps_fail_event(wps->wps, WPS_M6, config_error,
3248 			       wps->error_indication, wps->mac_addr_e);
3249 		break;
3250 	case RECV_DONE:
3251 		wps_fail_event(wps->wps, WPS_M8, config_error,
3252 			       wps->error_indication, wps->mac_addr_e);
3253 		break;
3254 	default:
3255 		break;
3256 	}
3257 
3258 	return WPS_FAILURE;
3259 }
3260 
3261 
3262 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps,
3263 						 const struct wpabuf *msg)
3264 {
3265 	struct wps_parse_attr attr;
3266 
3267 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done");
3268 
3269 	if (wps->state != RECV_DONE &&
3270 	    (!wps->wps->wps_upnp || !wps->ext_reg)) {
3271 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
3272 			   "receiving WSC_Done", wps->state);
3273 		return WPS_FAILURE;
3274 	}
3275 
3276 	if (wps_parse_msg(msg, &attr) < 0)
3277 		return WPS_FAILURE;
3278 
3279 	if (attr.msg_type == NULL) {
3280 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
3281 		return WPS_FAILURE;
3282 	}
3283 
3284 	if (*attr.msg_type != WPS_WSC_DONE) {
3285 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
3286 			   *attr.msg_type);
3287 		return WPS_FAILURE;
3288 	}
3289 
3290 #ifdef CONFIG_WPS_UPNP
3291 	if (wps->wps->wps_upnp && wps->ext_reg) {
3292 		wpa_printf(MSG_DEBUG, "WPS: Negotiation using external "
3293 			   "Registrar completed successfully");
3294 		wps_device_store(wps->wps->registrar, &wps->peer_dev,
3295 				 wps->uuid_e);
3296 		return WPS_DONE;
3297 	}
3298 #endif /* CONFIG_WPS_UPNP */
3299 
3300 	if (attr.registrar_nonce == NULL ||
3301 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
3302 	{
3303 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
3304 		return WPS_FAILURE;
3305 	}
3306 
3307 	if (attr.enrollee_nonce == NULL ||
3308 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
3309 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
3310 		return WPS_FAILURE;
3311 	}
3312 
3313 	wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully");
3314 	wps_device_store(wps->wps->registrar, &wps->peer_dev,
3315 			 wps->uuid_e);
3316 
3317 	if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk &&
3318 	    wps->wps->ap && !wps->wps->registrar->disable_auto_conf) {
3319 		struct wps_credential cred;
3320 
3321 		wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based "
3322 			   "on first Enrollee connection");
3323 
3324 		os_memset(&cred, 0, sizeof(cred));
3325 		os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
3326 		cred.ssid_len = wps->wps->ssid_len;
3327 		if (wps->wps->rf_band_cb(wps->wps->cb_ctx) == WPS_RF_60GHZ) {
3328 			cred.auth_type = WPS_AUTH_WPA2PSK;
3329 			cred.encr_type = WPS_ENCR_AES;
3330 		} else {
3331 			cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK;
3332 			cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES;
3333 		}
3334 		os_memcpy(cred.key, wps->new_psk, wps->new_psk_len);
3335 		cred.key_len = wps->new_psk_len;
3336 
3337 		wps->wps->wps_state = WPS_STATE_CONFIGURED;
3338 		wpa_hexdump_ascii_key(MSG_DEBUG,
3339 				      "WPS: Generated random passphrase",
3340 				      wps->new_psk, wps->new_psk_len);
3341 		if (wps->wps->cred_cb)
3342 			wps->wps->cred_cb(wps->wps->cb_ctx, &cred);
3343 
3344 		os_free(wps->new_psk);
3345 		wps->new_psk = NULL;
3346 	}
3347 
3348 	if (!wps->wps->ap && !wps->er)
3349 		wps_sta_cred_cb(wps);
3350 
3351 	if (wps->new_psk) {
3352 		if (wps_cb_new_psk(wps->wps->registrar, wps->mac_addr_e,
3353 				   wps->p2p_dev_addr, wps->new_psk,
3354 				   wps->new_psk_len)) {
3355 			wpa_printf(MSG_DEBUG, "WPS: Failed to configure the "
3356 				   "new PSK");
3357 		}
3358 		os_free(wps->new_psk);
3359 		wps->new_psk = NULL;
3360 	}
3361 
3362 	wps_cb_reg_success(wps->wps->registrar, wps->mac_addr_e, wps->uuid_e,
3363 			   wps->dev_password, wps->dev_password_len);
3364 
3365 	if (wps->pbc) {
3366 		wps_registrar_remove_pbc_session(wps->wps->registrar,
3367 						 wps->uuid_e,
3368 						 wps->p2p_dev_addr);
3369 		wps_registrar_pbc_completed(wps->wps->registrar);
3370 #ifdef WPS_WORKAROUNDS
3371 		os_get_reltime(&wps->wps->registrar->pbc_ignore_start);
3372 #endif /* WPS_WORKAROUNDS */
3373 		os_memcpy(wps->wps->registrar->pbc_ignore_uuid, wps->uuid_e,
3374 			  WPS_UUID_LEN);
3375 	} else {
3376 		wps_registrar_pin_completed(wps->wps->registrar);
3377 	}
3378 	/* TODO: maintain AuthorizedMACs somewhere separately for each ER and
3379 	 * merge them into APs own list.. */
3380 
3381 	wps_success_event(wps->wps, wps->mac_addr_e);
3382 
3383 	return WPS_DONE;
3384 }
3385 
3386 
3387 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps,
3388 					       enum wsc_op_code op_code,
3389 					       const struct wpabuf *msg)
3390 {
3391 	enum wps_process_res ret;
3392 
3393 	wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu "
3394 		   "op_code=%d)",
3395 		   (unsigned long) wpabuf_len(msg), op_code);
3396 
3397 #ifdef CONFIG_WPS_UPNP
3398 	if (wps->wps->wps_upnp && op_code == WSC_MSG && wps->ext_reg == 1) {
3399 		struct wps_parse_attr attr;
3400 		if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type &&
3401 		    *attr.msg_type == WPS_M3)
3402 			wps->ext_reg = 2; /* past M2/M2D phase */
3403 	}
3404 	if (wps->ext_reg > 1)
3405 		wps_registrar_free_pending_m2(wps->wps);
3406 	if (wps->wps->wps_upnp && wps->ext_reg &&
3407 	    wps->wps->upnp_msgs == NULL &&
3408 	    (op_code == WSC_MSG || op_code == WSC_Done || op_code == WSC_NACK))
3409 	{
3410 		struct wps_parse_attr attr;
3411 		int type;
3412 		if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL)
3413 			type = -1;
3414 		else
3415 			type = *attr.msg_type;
3416 		wpa_printf(MSG_DEBUG, "WPS: Sending received message (type %d)"
3417 			   " to external Registrar for processing", type);
3418 		upnp_wps_device_send_wlan_event(wps->wps->wps_upnp,
3419 						wps->mac_addr_e,
3420 						UPNP_WPS_WLANEVENT_TYPE_EAP,
3421 						msg);
3422 		if (op_code == WSC_MSG)
3423 			return WPS_PENDING;
3424 	} else if (wps->wps->wps_upnp && wps->ext_reg && op_code == WSC_MSG) {
3425 		wpa_printf(MSG_DEBUG, "WPS: Skip internal processing - using "
3426 			   "external Registrar");
3427 		return WPS_CONTINUE;
3428 	}
3429 #endif /* CONFIG_WPS_UPNP */
3430 
3431 	switch (op_code) {
3432 	case WSC_MSG:
3433 		return wps_process_wsc_msg(wps, msg);
3434 	case WSC_ACK:
3435 		if (wps_validate_wsc_ack(msg) < 0)
3436 			return WPS_FAILURE;
3437 		return wps_process_wsc_ack(wps, msg);
3438 	case WSC_NACK:
3439 		if (wps_validate_wsc_nack(msg) < 0)
3440 			return WPS_FAILURE;
3441 		return wps_process_wsc_nack(wps, msg);
3442 	case WSC_Done:
3443 		if (wps_validate_wsc_done(msg) < 0)
3444 			return WPS_FAILURE;
3445 		ret = wps_process_wsc_done(wps, msg);
3446 		if (ret == WPS_FAILURE) {
3447 			wps->state = SEND_WSC_NACK;
3448 			wps_fail_event(wps->wps, WPS_WSC_DONE,
3449 				       wps->config_error,
3450 				       wps->error_indication, wps->mac_addr_e);
3451 		}
3452 		return ret;
3453 	default:
3454 		wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code);
3455 		return WPS_FAILURE;
3456 	}
3457 }
3458 
3459 
3460 int wps_registrar_update_ie(struct wps_registrar *reg)
3461 {
3462 	return wps_set_ie(reg);
3463 }
3464 
3465 
3466 static void wps_registrar_set_selected_timeout(void *eloop_ctx,
3467 					       void *timeout_ctx)
3468 {
3469 	struct wps_registrar *reg = eloop_ctx;
3470 
3471 	wpa_printf(MSG_DEBUG, "WPS: Selected Registrar timeout - "
3472 		   "unselect internal Registrar");
3473 	reg->selected_registrar = 0;
3474 	reg->pbc = 0;
3475 	wps_registrar_expire_pins(reg);
3476 	wps_registrar_selected_registrar_changed(reg, 0);
3477 }
3478 
3479 
3480 #ifdef CONFIG_WPS_UPNP
3481 static void wps_registrar_sel_reg_add(struct wps_registrar *reg,
3482 				      struct subscription *s)
3483 {
3484 	int i, j;
3485 	wpa_printf(MSG_DEBUG, "WPS: External Registrar selected (dev_pw_id=%d "
3486 		   "config_methods=0x%x)",
3487 		   s->dev_password_id, s->config_methods);
3488 	reg->sel_reg_union = 1;
3489 	if (reg->sel_reg_dev_password_id_override != DEV_PW_PUSHBUTTON)
3490 		reg->sel_reg_dev_password_id_override = s->dev_password_id;
3491 	if (reg->sel_reg_config_methods_override == -1)
3492 		reg->sel_reg_config_methods_override = 0;
3493 	reg->sel_reg_config_methods_override |= s->config_methods;
3494 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++)
3495 		if (is_zero_ether_addr(reg->authorized_macs_union[i]))
3496 			break;
3497 	for (j = 0; i < WPS_MAX_AUTHORIZED_MACS && j < WPS_MAX_AUTHORIZED_MACS;
3498 	     j++) {
3499 		if (is_zero_ether_addr(s->authorized_macs[j]))
3500 			break;
3501 		wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC into union: "
3502 			   MACSTR, MAC2STR(s->authorized_macs[j]));
3503 		os_memcpy(reg->authorized_macs_union[i],
3504 			  s->authorized_macs[j], ETH_ALEN);
3505 		i++;
3506 	}
3507 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union",
3508 		    (u8 *) reg->authorized_macs_union,
3509 		    sizeof(reg->authorized_macs_union));
3510 }
3511 #endif /* CONFIG_WPS_UPNP */
3512 
3513 
3514 static void wps_registrar_sel_reg_union(struct wps_registrar *reg)
3515 {
3516 #ifdef CONFIG_WPS_UPNP
3517 	struct subscription *s;
3518 
3519 	if (reg->wps->wps_upnp == NULL)
3520 		return;
3521 
3522 	dl_list_for_each(s, &reg->wps->wps_upnp->subscriptions,
3523 			 struct subscription, list) {
3524 		struct subscr_addr *sa;
3525 		sa = dl_list_first(&s->addr_list, struct subscr_addr, list);
3526 		if (sa) {
3527 			wpa_printf(MSG_DEBUG, "WPS: External Registrar %s:%d",
3528 				   inet_ntoa(sa->saddr.sin_addr),
3529 				   ntohs(sa->saddr.sin_port));
3530 		}
3531 		if (s->selected_registrar)
3532 			wps_registrar_sel_reg_add(reg, s);
3533 		else
3534 			wpa_printf(MSG_DEBUG, "WPS: External Registrar not "
3535 				   "selected");
3536 	}
3537 #endif /* CONFIG_WPS_UPNP */
3538 }
3539 
3540 
3541 /**
3542  * wps_registrar_selected_registrar_changed - SetSelectedRegistrar change
3543  * @reg: Registrar data from wps_registrar_init()
3544  *
3545  * This function is called when selected registrar state changes, e.g., when an
3546  * AP receives a SetSelectedRegistrar UPnP message.
3547  */
3548 void wps_registrar_selected_registrar_changed(struct wps_registrar *reg,
3549 					      u16 dev_pw_id)
3550 {
3551 	wpa_printf(MSG_DEBUG, "WPS: Selected registrar information changed");
3552 
3553 	reg->sel_reg_union = reg->selected_registrar;
3554 	reg->sel_reg_dev_password_id_override = -1;
3555 	reg->sel_reg_config_methods_override = -1;
3556 	os_memcpy(reg->authorized_macs_union, reg->authorized_macs,
3557 		  WPS_MAX_AUTHORIZED_MACS * ETH_ALEN);
3558 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union (start with own)",
3559 		    (u8 *) reg->authorized_macs_union,
3560 		    sizeof(reg->authorized_macs_union));
3561 	if (reg->selected_registrar) {
3562 		u16 methods;
3563 
3564 		methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
3565 		methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
3566 			     WPS_CONFIG_PHY_PUSHBUTTON);
3567 		if (reg->pbc) {
3568 			reg->sel_reg_dev_password_id_override =
3569 				DEV_PW_PUSHBUTTON;
3570 			wps_set_pushbutton(&methods, reg->wps->config_methods);
3571 		} else if (dev_pw_id)
3572 			reg->sel_reg_dev_password_id_override = dev_pw_id;
3573 		wpa_printf(MSG_DEBUG, "WPS: Internal Registrar selected "
3574 			   "(pbc=%d)", reg->pbc);
3575 		reg->sel_reg_config_methods_override = methods;
3576 	} else
3577 		wpa_printf(MSG_DEBUG, "WPS: Internal Registrar not selected");
3578 
3579 	wps_registrar_sel_reg_union(reg);
3580 
3581 	wps_set_ie(reg);
3582 	wps_cb_set_sel_reg(reg);
3583 }
3584 
3585 
3586 int wps_registrar_get_info(struct wps_registrar *reg, const u8 *addr,
3587 			   char *buf, size_t buflen)
3588 {
3589 	struct wps_registrar_device *d;
3590 	int len = 0, ret;
3591 	char uuid[40];
3592 	char devtype[WPS_DEV_TYPE_BUFSIZE];
3593 
3594 	d = wps_device_get(reg, addr);
3595 	if (d == NULL)
3596 		return 0;
3597 	if (uuid_bin2str(d->uuid, uuid, sizeof(uuid)))
3598 		return 0;
3599 
3600 	ret = os_snprintf(buf + len, buflen - len,
3601 			  "wpsUuid=%s\n"
3602 			  "wpsPrimaryDeviceType=%s\n"
3603 			  "wpsDeviceName=%s\n"
3604 			  "wpsManufacturer=%s\n"
3605 			  "wpsModelName=%s\n"
3606 			  "wpsModelNumber=%s\n"
3607 			  "wpsSerialNumber=%s\n",
3608 			  uuid,
3609 			  wps_dev_type_bin2str(d->dev.pri_dev_type, devtype,
3610 					       sizeof(devtype)),
3611 			  d->dev.device_name ? d->dev.device_name : "",
3612 			  d->dev.manufacturer ? d->dev.manufacturer : "",
3613 			  d->dev.model_name ? d->dev.model_name : "",
3614 			  d->dev.model_number ? d->dev.model_number : "",
3615 			  d->dev.serial_number ? d->dev.serial_number : "");
3616 	if (os_snprintf_error(buflen - len, ret))
3617 		return len;
3618 	len += ret;
3619 
3620 	return len;
3621 }
3622 
3623 
3624 int wps_registrar_config_ap(struct wps_registrar *reg,
3625 			    struct wps_credential *cred)
3626 {
3627 	wpa_printf(MSG_DEBUG, "WPS: encr_type=0x%x", cred->encr_type);
3628 	if (!(cred->encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP |
3629 				 WPS_ENCR_AES))) {
3630 		if (cred->encr_type & WPS_ENCR_WEP) {
3631 			wpa_printf(MSG_INFO, "WPS: Reject new AP settings "
3632 				   "due to WEP configuration");
3633 			return -1;
3634 		}
3635 
3636 		wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to "
3637 			   "invalid encr_type 0x%x", cred->encr_type);
3638 		return -1;
3639 	}
3640 
3641 	if ((cred->encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) ==
3642 	    WPS_ENCR_TKIP) {
3643 		wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> "
3644 			   "TKIP+AES");
3645 		cred->encr_type |= WPS_ENCR_AES;
3646 	}
3647 
3648 	if ((cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) ==
3649 	    WPS_AUTH_WPAPSK) {
3650 		wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> "
3651 			   "WPAPSK+WPA2PSK");
3652 		cred->auth_type |= WPS_AUTH_WPA2PSK;
3653 	}
3654 
3655 	if (reg->wps->cred_cb)
3656 		return reg->wps->cred_cb(reg->wps->cb_ctx, cred);
3657 
3658 	return -1;
3659 }
3660 
3661 
3662 int wps_registrar_update_multi_ap(struct wps_registrar *reg,
3663 				  const u8 *multi_ap_backhaul_ssid,
3664 				  size_t multi_ap_backhaul_ssid_len,
3665 				  const u8 *multi_ap_backhaul_network_key,
3666 				  size_t multi_ap_backhaul_network_key_len)
3667 {
3668 	if (multi_ap_backhaul_ssid) {
3669 		os_memcpy(reg->multi_ap_backhaul_ssid,
3670 			  multi_ap_backhaul_ssid, multi_ap_backhaul_ssid_len);
3671 		reg->multi_ap_backhaul_ssid_len = multi_ap_backhaul_ssid_len;
3672 	}
3673 
3674 	os_free(reg->multi_ap_backhaul_network_key);
3675 	reg->multi_ap_backhaul_network_key = NULL;
3676 	reg->multi_ap_backhaul_network_key_len = 0;
3677 	if (multi_ap_backhaul_network_key) {
3678 		reg->multi_ap_backhaul_network_key =
3679 			os_memdup(multi_ap_backhaul_network_key,
3680 				  multi_ap_backhaul_network_key_len);
3681 		if (!reg->multi_ap_backhaul_network_key)
3682 			return -1;
3683 		reg->multi_ap_backhaul_network_key_len =
3684 			multi_ap_backhaul_network_key_len;
3685 	}
3686 
3687 	return 0;
3688 }
3689 
3690 
3691 #ifdef CONFIG_WPS_NFC
3692 
3693 int wps_registrar_add_nfc_pw_token(struct wps_registrar *reg,
3694 				   const u8 *pubkey_hash, u16 pw_id,
3695 				   const u8 *dev_pw, size_t dev_pw_len,
3696 				   int pk_hash_provided_oob)
3697 {
3698 	struct wps_nfc_pw_token *token;
3699 
3700 	if (dev_pw_len > WPS_OOB_DEVICE_PASSWORD_LEN)
3701 		return -1;
3702 
3703 	if (pw_id == DEV_PW_NFC_CONNECTION_HANDOVER &&
3704 	    (pubkey_hash == NULL || !pk_hash_provided_oob)) {
3705 		wpa_printf(MSG_DEBUG, "WPS: Unexpected NFC Password Token "
3706 			   "addition - missing public key hash");
3707 		return -1;
3708 	}
3709 
3710 	wps_free_nfc_pw_tokens(&reg->nfc_pw_tokens, pw_id);
3711 
3712 	token = os_zalloc(sizeof(*token));
3713 	if (token == NULL)
3714 		return -1;
3715 
3716 	token->peer_pk_hash_known = pubkey_hash != NULL;
3717 	if (pubkey_hash)
3718 		os_memcpy(token->pubkey_hash, pubkey_hash,
3719 			  WPS_OOB_PUBKEY_HASH_LEN);
3720 	token->pw_id = pw_id;
3721 	token->pk_hash_provided_oob = pk_hash_provided_oob;
3722 	if (dev_pw) {
3723 		wpa_snprintf_hex_uppercase((char *) token->dev_pw,
3724 					   sizeof(token->dev_pw),
3725 					   dev_pw, dev_pw_len);
3726 		token->dev_pw_len = dev_pw_len * 2;
3727 	}
3728 
3729 	dl_list_add(&reg->nfc_pw_tokens, &token->list);
3730 
3731 	reg->selected_registrar = 1;
3732 	reg->pbc = 0;
3733 	wps_registrar_add_authorized_mac(reg,
3734 					 (u8 *) "\xff\xff\xff\xff\xff\xff");
3735 	wps_registrar_selected_registrar_changed(reg, pw_id);
3736 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
3737 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0,
3738 			       wps_registrar_set_selected_timeout,
3739 			       reg, NULL);
3740 
3741 	wpa_printf(MSG_DEBUG, "WPS: Added NFC Device Password %u to Registrar",
3742 		   pw_id);
3743 
3744 	return 0;
3745 }
3746 
3747 
3748 int wps_registrar_add_nfc_password_token(struct wps_registrar *reg,
3749 					 const u8 *oob_dev_pw,
3750 					 size_t oob_dev_pw_len)
3751 {
3752 	const u8 *pos, *hash, *dev_pw;
3753 	u16 id;
3754 	size_t dev_pw_len;
3755 
3756 	if (oob_dev_pw_len < WPS_OOB_PUBKEY_HASH_LEN + 2 ||
3757 	    oob_dev_pw_len > WPS_OOB_PUBKEY_HASH_LEN + 2 +
3758 	    WPS_OOB_DEVICE_PASSWORD_LEN)
3759 		return -1;
3760 
3761 	hash = oob_dev_pw;
3762 	pos = oob_dev_pw + WPS_OOB_PUBKEY_HASH_LEN;
3763 	id = WPA_GET_BE16(pos);
3764 	dev_pw = pos + 2;
3765 	dev_pw_len = oob_dev_pw + oob_dev_pw_len - dev_pw;
3766 
3767 	wpa_printf(MSG_DEBUG, "WPS: Add NFC Password Token for Password ID %u",
3768 		   id);
3769 
3770 	wpa_hexdump(MSG_DEBUG, "WPS: Public Key Hash",
3771 		    hash, WPS_OOB_PUBKEY_HASH_LEN);
3772 	wpa_hexdump_key(MSG_DEBUG, "WPS: Device Password", dev_pw, dev_pw_len);
3773 
3774 	return wps_registrar_add_nfc_pw_token(reg, hash, id, dev_pw,
3775 					      dev_pw_len, 0);
3776 }
3777 
3778 
3779 void wps_registrar_remove_nfc_pw_token(struct wps_registrar *reg,
3780 				       struct wps_nfc_pw_token *token)
3781 {
3782 	wps_registrar_remove_authorized_mac(reg,
3783 					    (u8 *) "\xff\xff\xff\xff\xff\xff");
3784 	wps_registrar_selected_registrar_changed(reg, 0);
3785 
3786 	/*
3787 	 * Free the NFC password token if it was used only for a single protocol
3788 	 * run. The static handover case uses the same password token multiple
3789 	 * times, so do not free that case here.
3790 	 */
3791 	if (token->peer_pk_hash_known)
3792 		os_free(token);
3793 }
3794 
3795 #endif /* CONFIG_WPS_NFC */
3796