xref: /freebsd/contrib/wpa/wpa_supplicant/wps_supplicant.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /*
2  * wpa_supplicant / WPS integration
3  * Copyright (c) 2008-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "eloop.h"
13 #include "uuid.h"
14 #include "crypto/random.h"
15 #include "crypto/dh_group5.h"
16 #include "common/ieee802_11_defs.h"
17 #include "common/ieee802_11_common.h"
18 #include "common/wpa_common.h"
19 #include "common/wpa_ctrl.h"
20 #include "eap_common/eap_wsc_common.h"
21 #include "eap_peer/eap.h"
22 #include "eapol_supp/eapol_supp_sm.h"
23 #include "rsn_supp/wpa.h"
24 #include "wps/wps_attr_parse.h"
25 #include "config.h"
26 #include "wpa_supplicant_i.h"
27 #include "driver_i.h"
28 #include "notify.h"
29 #include "blacklist.h"
30 #include "bss.h"
31 #include "scan.h"
32 #include "ap.h"
33 #include "p2p/p2p.h"
34 #include "p2p_supplicant.h"
35 #include "wps_supplicant.h"
36 
37 
38 #ifndef WPS_PIN_SCAN_IGNORE_SEL_REG
39 #define WPS_PIN_SCAN_IGNORE_SEL_REG 3
40 #endif /* WPS_PIN_SCAN_IGNORE_SEL_REG */
41 
42 /*
43  * The minimum time in seconds before trying to associate to a WPS PIN AP that
44  * does not have Selected Registrar TRUE.
45  */
46 #ifndef WPS_PIN_TIME_IGNORE_SEL_REG
47 #define WPS_PIN_TIME_IGNORE_SEL_REG 5
48 #endif /* WPS_PIN_TIME_IGNORE_SEL_REG */
49 
50 static void wpas_wps_timeout(void *eloop_ctx, void *timeout_ctx);
51 static void wpas_clear_wps(struct wpa_supplicant *wpa_s);
52 
53 
54 static void wpas_wps_clear_ap_info(struct wpa_supplicant *wpa_s)
55 {
56 	os_free(wpa_s->wps_ap);
57 	wpa_s->wps_ap = NULL;
58 	wpa_s->num_wps_ap = 0;
59 	wpa_s->wps_ap_iter = 0;
60 }
61 
62 
63 static void wpas_wps_assoc_with_cred(void *eloop_ctx, void *timeout_ctx)
64 {
65 	struct wpa_supplicant *wpa_s = eloop_ctx;
66 	int use_fast_assoc = timeout_ctx != NULL;
67 
68 	wpa_printf(MSG_DEBUG, "WPS: Continuing association after eapol_cb");
69 	if (!use_fast_assoc ||
70 	    wpa_supplicant_fast_associate(wpa_s) != 1)
71 		wpa_supplicant_req_scan(wpa_s, 0, 0);
72 }
73 
74 
75 static void wpas_wps_assoc_with_cred_cancel(struct wpa_supplicant *wpa_s)
76 {
77 	eloop_cancel_timeout(wpas_wps_assoc_with_cred, wpa_s, (void *) 0);
78 	eloop_cancel_timeout(wpas_wps_assoc_with_cred, wpa_s, (void *) 1);
79 }
80 
81 
82 int wpas_wps_eapol_cb(struct wpa_supplicant *wpa_s)
83 {
84 	if (wpas_p2p_wps_eapol_cb(wpa_s) > 0)
85 		return 1;
86 
87 	if (!wpa_s->wps_success &&
88 	    wpa_s->current_ssid &&
89 	    eap_is_wps_pin_enrollee(&wpa_s->current_ssid->eap)) {
90 		const u8 *bssid = wpa_s->bssid;
91 		if (is_zero_ether_addr(bssid))
92 			bssid = wpa_s->pending_bssid;
93 
94 		wpa_printf(MSG_DEBUG, "WPS: PIN registration with " MACSTR
95 			   " did not succeed - continue trying to find "
96 			   "suitable AP", MAC2STR(bssid));
97 		wpa_blacklist_add(wpa_s, bssid);
98 
99 		wpa_supplicant_deauthenticate(wpa_s,
100 					      WLAN_REASON_DEAUTH_LEAVING);
101 		wpa_s->reassociate = 1;
102 		wpa_supplicant_req_scan(wpa_s,
103 					wpa_s->blacklist_cleared ? 5 : 0, 0);
104 		wpa_s->blacklist_cleared = 0;
105 		return 1;
106 	}
107 
108 	wpas_wps_clear_ap_info(wpa_s);
109 	eloop_cancel_timeout(wpas_wps_timeout, wpa_s, NULL);
110 	if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPS && !wpa_s->wps_success)
111 		wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_FAIL);
112 
113 	if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPS && wpa_s->current_ssid &&
114 	    !(wpa_s->current_ssid->key_mgmt & WPA_KEY_MGMT_WPS)) {
115 		int disabled = wpa_s->current_ssid->disabled;
116 		unsigned int freq = wpa_s->assoc_freq;
117 		struct wpa_bss *bss;
118 		struct wpa_ssid *ssid = NULL;
119 		int use_fast_assoc = 0;
120 
121 		wpa_printf(MSG_DEBUG, "WPS: Network configuration replaced - "
122 			   "try to associate with the received credential "
123 			   "(freq=%u)", freq);
124 		wpa_s->own_disconnect_req = 1;
125 		wpa_supplicant_deauthenticate(wpa_s,
126 					      WLAN_REASON_DEAUTH_LEAVING);
127 		if (disabled) {
128 			wpa_printf(MSG_DEBUG, "WPS: Current network is "
129 				   "disabled - wait for user to enable");
130 			return 1;
131 		}
132 		wpa_s->after_wps = 5;
133 		wpa_s->wps_freq = freq;
134 		wpa_s->normal_scans = 0;
135 		wpa_s->reassociate = 1;
136 
137 		wpa_printf(MSG_DEBUG, "WPS: Checking whether fast association "
138 			   "without a new scan can be used");
139 		bss = wpa_supplicant_pick_network(wpa_s, &ssid);
140 		if (bss) {
141 			struct wpabuf *wps;
142 			struct wps_parse_attr attr;
143 
144 			wps = wpa_bss_get_vendor_ie_multi(bss,
145 							  WPS_IE_VENDOR_TYPE);
146 			if (wps && wps_parse_msg(wps, &attr) == 0 &&
147 			    attr.wps_state &&
148 			    *attr.wps_state == WPS_STATE_CONFIGURED)
149 				use_fast_assoc = 1;
150 			wpabuf_free(wps);
151 		}
152 
153 		/*
154 		 * Complete the next step from an eloop timeout to allow pending
155 		 * driver events related to the disconnection to be processed
156 		 * first. This makes it less likely for disconnection event to
157 		 * cause problems with the following connection.
158 		 */
159 		wpa_printf(MSG_DEBUG, "WPS: Continue association from timeout");
160 		wpas_wps_assoc_with_cred_cancel(wpa_s);
161 		eloop_register_timeout(0, 10000,
162 				       wpas_wps_assoc_with_cred, wpa_s,
163 				       use_fast_assoc ? (void *) 1 :
164 				       (void *) 0);
165 		return 1;
166 	}
167 
168 	if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPS && wpa_s->current_ssid) {
169 		wpa_printf(MSG_DEBUG, "WPS: Registration completed - waiting "
170 			   "for external credential processing");
171 		wpas_clear_wps(wpa_s);
172 		wpa_s->own_disconnect_req = 1;
173 		wpa_supplicant_deauthenticate(wpa_s,
174 					      WLAN_REASON_DEAUTH_LEAVING);
175 		return 1;
176 	}
177 
178 	return 0;
179 }
180 
181 
182 static void wpas_wps_security_workaround(struct wpa_supplicant *wpa_s,
183 					 struct wpa_ssid *ssid,
184 					 const struct wps_credential *cred)
185 {
186 	struct wpa_driver_capa capa;
187 	struct wpa_bss *bss;
188 	const u8 *ie;
189 	struct wpa_ie_data adv;
190 	int wpa2 = 0, ccmp = 0;
191 
192 	/*
193 	 * Many existing WPS APs do not know how to negotiate WPA2 or CCMP in
194 	 * case they are configured for mixed mode operation (WPA+WPA2 and
195 	 * TKIP+CCMP). Try to use scan results to figure out whether the AP
196 	 * actually supports stronger security and select that if the client
197 	 * has support for it, too.
198 	 */
199 
200 	if (wpa_drv_get_capa(wpa_s, &capa))
201 		return; /* Unknown what driver supports */
202 
203 	if (ssid->ssid == NULL)
204 		return;
205 	bss = wpa_bss_get(wpa_s, cred->mac_addr, ssid->ssid, ssid->ssid_len);
206 	if (bss == NULL) {
207 		wpa_printf(MSG_DEBUG, "WPS: The AP was not found from BSS "
208 			   "table - use credential as-is");
209 		return;
210 	}
211 
212 	wpa_printf(MSG_DEBUG, "WPS: AP found from BSS table");
213 
214 	ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
215 	if (ie && wpa_parse_wpa_ie(ie, 2 + ie[1], &adv) == 0) {
216 		wpa2 = 1;
217 		if (adv.pairwise_cipher & WPA_CIPHER_CCMP)
218 			ccmp = 1;
219 	} else {
220 		ie = wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE);
221 		if (ie && wpa_parse_wpa_ie(ie, 2 + ie[1], &adv) == 0 &&
222 		    adv.pairwise_cipher & WPA_CIPHER_CCMP)
223 			ccmp = 1;
224 	}
225 
226 	if (ie == NULL && (ssid->proto & WPA_PROTO_WPA) &&
227 	    (ssid->pairwise_cipher & WPA_CIPHER_TKIP)) {
228 		/*
229 		 * TODO: This could be the initial AP configuration and the
230 		 * Beacon contents could change shortly. Should request a new
231 		 * scan and delay addition of the network until the updated
232 		 * scan results are available.
233 		 */
234 		wpa_printf(MSG_DEBUG, "WPS: The AP did not yet advertise WPA "
235 			   "support - use credential as-is");
236 		return;
237 	}
238 
239 	if (ccmp && !(ssid->pairwise_cipher & WPA_CIPHER_CCMP) &&
240 	    (ssid->pairwise_cipher & WPA_CIPHER_TKIP) &&
241 	    (capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK)) {
242 		wpa_printf(MSG_DEBUG, "WPS: Add CCMP into the credential "
243 			   "based on scan results");
244 		if (wpa_s->conf->ap_scan == 1)
245 			ssid->pairwise_cipher |= WPA_CIPHER_CCMP;
246 		else
247 			ssid->pairwise_cipher = WPA_CIPHER_CCMP;
248 	}
249 
250 	if (wpa2 && !(ssid->proto & WPA_PROTO_RSN) &&
251 	    (ssid->proto & WPA_PROTO_WPA) &&
252 	    (capa.enc & WPA_DRIVER_CAPA_ENC_CCMP)) {
253 		wpa_printf(MSG_DEBUG, "WPS: Add WPA2 into the credential "
254 			   "based on scan results");
255 		if (wpa_s->conf->ap_scan == 1)
256 			ssid->proto |= WPA_PROTO_RSN;
257 		else
258 			ssid->proto = WPA_PROTO_RSN;
259 	}
260 }
261 
262 
263 static void wpas_wps_remove_dup_network(struct wpa_supplicant *wpa_s,
264 					struct wpa_ssid *new_ssid)
265 {
266 	struct wpa_ssid *ssid, *next;
267 
268 	for (ssid = wpa_s->conf->ssid, next = ssid ? ssid->next : NULL; ssid;
269 	     ssid = next, next = ssid ? ssid->next : NULL) {
270 		/*
271 		 * new_ssid has already been added to the list in
272 		 * wpas_wps_add_network(), so skip it.
273 		 */
274 		if (ssid == new_ssid)
275 			continue;
276 
277 		if (ssid->bssid_set || new_ssid->bssid_set) {
278 			if (ssid->bssid_set != new_ssid->bssid_set)
279 				continue;
280 			if (os_memcmp(ssid->bssid, new_ssid->bssid, ETH_ALEN) !=
281 			    0)
282 				continue;
283 		}
284 
285 		/* compare SSID */
286 		if (ssid->ssid_len == 0 || ssid->ssid_len != new_ssid->ssid_len)
287 			continue;
288 
289 		if (ssid->ssid && new_ssid->ssid) {
290 			if (os_memcmp(ssid->ssid, new_ssid->ssid,
291 				      ssid->ssid_len) != 0)
292 				continue;
293 		} else if (ssid->ssid || new_ssid->ssid)
294 			continue;
295 
296 		/* compare security parameters */
297 		if (ssid->auth_alg != new_ssid->auth_alg ||
298 		    ssid->key_mgmt != new_ssid->key_mgmt ||
299 		    (ssid->group_cipher != new_ssid->group_cipher &&
300 		     !(ssid->group_cipher & new_ssid->group_cipher &
301 		       WPA_CIPHER_CCMP)))
302 			continue;
303 
304 		/*
305 		 * Some existing WPS APs will send two creds in case they are
306 		 * configured for mixed mode operation (WPA+WPA2 and TKIP+CCMP).
307 		 * Try to merge these two creds if they are received in the same
308 		 * M8 message.
309 		 */
310 		if (ssid->wps_run && ssid->wps_run == new_ssid->wps_run &&
311 		    wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
312 			if (new_ssid->passphrase && ssid->passphrase &&
313 			    os_strcmp(new_ssid->passphrase, ssid->passphrase) !=
314 			    0) {
315 				wpa_printf(MSG_DEBUG,
316 					   "WPS: M8 Creds with different passphrase - do not merge");
317 				continue;
318 			}
319 
320 			if (new_ssid->psk_set &&
321 			    (!ssid->psk_set ||
322 			     os_memcmp(new_ssid->psk, ssid->psk, 32) != 0)) {
323 				wpa_printf(MSG_DEBUG,
324 					   "WPS: M8 Creds with different PSK - do not merge");
325 				continue;
326 			}
327 
328 			if ((new_ssid->passphrase && !ssid->passphrase) ||
329 			    (!new_ssid->passphrase && ssid->passphrase)) {
330 				wpa_printf(MSG_DEBUG,
331 					   "WPS: M8 Creds with different passphrase/PSK type - do not merge");
332 				continue;
333 			}
334 
335 			wpa_printf(MSG_DEBUG,
336 				   "WPS: Workaround - merge likely WPA/WPA2-mixed mode creds in same M8 message");
337 			new_ssid->proto |= ssid->proto;
338 			new_ssid->pairwise_cipher |= ssid->pairwise_cipher;
339 		} else {
340 			/*
341 			 * proto and pairwise_cipher difference matter for
342 			 * non-mixed-mode creds.
343 			 */
344 			if (ssid->proto != new_ssid->proto ||
345 			    ssid->pairwise_cipher != new_ssid->pairwise_cipher)
346 				continue;
347 		}
348 
349 		/* Remove the duplicated older network entry. */
350 		wpa_printf(MSG_DEBUG, "Remove duplicate network %d", ssid->id);
351 		wpas_notify_network_removed(wpa_s, ssid);
352 		if (wpa_s->current_ssid == ssid)
353 			wpa_s->current_ssid = NULL;
354 		wpa_config_remove_network(wpa_s->conf, ssid->id);
355 	}
356 }
357 
358 
359 static int wpa_supplicant_wps_cred(void *ctx,
360 				   const struct wps_credential *cred)
361 {
362 	struct wpa_supplicant *wpa_s = ctx;
363 	struct wpa_ssid *ssid = wpa_s->current_ssid;
364 	u16 auth_type;
365 #ifdef CONFIG_WPS_REG_DISABLE_OPEN
366 	int registrar = 0;
367 #endif /* CONFIG_WPS_REG_DISABLE_OPEN */
368 
369 	if ((wpa_s->conf->wps_cred_processing == 1 ||
370 	     wpa_s->conf->wps_cred_processing == 2) && cred->cred_attr) {
371 		size_t blen = cred->cred_attr_len * 2 + 1;
372 		char *buf = os_malloc(blen);
373 		if (buf) {
374 			wpa_snprintf_hex(buf, blen,
375 					 cred->cred_attr, cred->cred_attr_len);
376 			wpa_msg(wpa_s, MSG_INFO, "%s%s",
377 				WPS_EVENT_CRED_RECEIVED, buf);
378 			os_free(buf);
379 		}
380 
381 		wpas_notify_wps_credential(wpa_s, cred);
382 	} else
383 		wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_CRED_RECEIVED);
384 
385 	wpa_hexdump_key(MSG_DEBUG, "WPS: Received Credential attribute",
386 			cred->cred_attr, cred->cred_attr_len);
387 
388 	if (wpa_s->conf->wps_cred_processing == 1)
389 		return 0;
390 
391 	wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID", cred->ssid, cred->ssid_len);
392 	wpa_printf(MSG_DEBUG, "WPS: Authentication Type 0x%x",
393 		   cred->auth_type);
394 	wpa_printf(MSG_DEBUG, "WPS: Encryption Type 0x%x", cred->encr_type);
395 	wpa_printf(MSG_DEBUG, "WPS: Network Key Index %d", cred->key_idx);
396 	wpa_hexdump_key(MSG_DEBUG, "WPS: Network Key",
397 			cred->key, cred->key_len);
398 	wpa_printf(MSG_DEBUG, "WPS: MAC Address " MACSTR,
399 		   MAC2STR(cred->mac_addr));
400 
401 	auth_type = cred->auth_type;
402 	if (auth_type == (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
403 		wpa_printf(MSG_DEBUG, "WPS: Workaround - convert mixed-mode "
404 			   "auth_type into WPA2PSK");
405 		auth_type = WPS_AUTH_WPA2PSK;
406 	}
407 
408 	if (auth_type != WPS_AUTH_OPEN &&
409 	    auth_type != WPS_AUTH_WPAPSK &&
410 	    auth_type != WPS_AUTH_WPA2PSK) {
411 		wpa_printf(MSG_DEBUG, "WPS: Ignored credentials for "
412 			   "unsupported authentication type 0x%x",
413 			   auth_type);
414 		return 0;
415 	}
416 
417 	if (auth_type == WPS_AUTH_WPAPSK || auth_type == WPS_AUTH_WPA2PSK) {
418 		if (cred->key_len < 8 || cred->key_len > 2 * PMK_LEN) {
419 			wpa_printf(MSG_ERROR, "WPS: Reject PSK credential with "
420 				   "invalid Network Key length %lu",
421 				   (unsigned long) cred->key_len);
422 			return -1;
423 		}
424 	}
425 
426 	if (ssid && (ssid->key_mgmt & WPA_KEY_MGMT_WPS)) {
427 		wpa_printf(MSG_DEBUG, "WPS: Replace WPS network block based "
428 			   "on the received credential");
429 #ifdef CONFIG_WPS_REG_DISABLE_OPEN
430 		if (ssid->eap.identity &&
431 		    ssid->eap.identity_len == WSC_ID_REGISTRAR_LEN &&
432 		    os_memcmp(ssid->eap.identity, WSC_ID_REGISTRAR,
433 			      WSC_ID_REGISTRAR_LEN) == 0)
434 			registrar = 1;
435 #endif /* CONFIG_WPS_REG_DISABLE_OPEN */
436 		os_free(ssid->eap.identity);
437 		ssid->eap.identity = NULL;
438 		ssid->eap.identity_len = 0;
439 		os_free(ssid->eap.phase1);
440 		ssid->eap.phase1 = NULL;
441 		os_free(ssid->eap.eap_methods);
442 		ssid->eap.eap_methods = NULL;
443 		if (!ssid->p2p_group) {
444 			ssid->temporary = 0;
445 			ssid->bssid_set = 0;
446 		}
447 		ssid->disabled_until.sec = 0;
448 		ssid->disabled_until.usec = 0;
449 		ssid->auth_failures = 0;
450 	} else {
451 		wpa_printf(MSG_DEBUG, "WPS: Create a new network based on the "
452 			   "received credential");
453 		ssid = wpa_config_add_network(wpa_s->conf);
454 		if (ssid == NULL)
455 			return -1;
456 		if (wpa_s->current_ssid) {
457 			/*
458 			 * Should the GO issue multiple credentials for some
459 			 * reason, each credential should be marked as a
460 			 * temporary P2P group similarly to the one that gets
461 			 * marked as such based on the pre-configured values
462 			 * used for the WPS network block.
463 			 */
464 			ssid->p2p_group = wpa_s->current_ssid->p2p_group;
465 			ssid->temporary = wpa_s->current_ssid->temporary;
466 		}
467 		wpas_notify_network_added(wpa_s, ssid);
468 	}
469 
470 	wpa_config_set_network_defaults(ssid);
471 	ssid->wps_run = wpa_s->wps_run;
472 
473 	os_free(ssid->ssid);
474 	ssid->ssid = os_malloc(cred->ssid_len);
475 	if (ssid->ssid) {
476 		os_memcpy(ssid->ssid, cred->ssid, cred->ssid_len);
477 		ssid->ssid_len = cred->ssid_len;
478 	}
479 
480 	switch (cred->encr_type) {
481 	case WPS_ENCR_NONE:
482 		break;
483 	case WPS_ENCR_TKIP:
484 		ssid->pairwise_cipher = WPA_CIPHER_TKIP;
485 		break;
486 	case WPS_ENCR_AES:
487 		ssid->pairwise_cipher = WPA_CIPHER_CCMP;
488 		if (wpa_s->drv_capa_known &&
489 		    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)) {
490 			ssid->pairwise_cipher |= WPA_CIPHER_GCMP;
491 			ssid->group_cipher |= WPA_CIPHER_GCMP;
492 		}
493 		break;
494 	}
495 
496 	switch (auth_type) {
497 	case WPS_AUTH_OPEN:
498 		ssid->auth_alg = WPA_AUTH_ALG_OPEN;
499 		ssid->key_mgmt = WPA_KEY_MGMT_NONE;
500 		ssid->proto = 0;
501 #ifdef CONFIG_WPS_REG_DISABLE_OPEN
502 		if (registrar) {
503 			wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_OPEN_NETWORK
504 				"id=%d - Credentials for an open "
505 				"network disabled by default - use "
506 				"'select_network %d' to enable",
507 				ssid->id, ssid->id);
508 			ssid->disabled = 1;
509 		}
510 #endif /* CONFIG_WPS_REG_DISABLE_OPEN */
511 		break;
512 	case WPS_AUTH_WPAPSK:
513 		ssid->auth_alg = WPA_AUTH_ALG_OPEN;
514 		ssid->key_mgmt = WPA_KEY_MGMT_PSK;
515 		ssid->proto = WPA_PROTO_WPA;
516 		break;
517 	case WPS_AUTH_WPA2PSK:
518 		ssid->auth_alg = WPA_AUTH_ALG_OPEN;
519 		ssid->key_mgmt = WPA_KEY_MGMT_PSK;
520 		ssid->proto = WPA_PROTO_RSN;
521 		break;
522 	}
523 
524 	if (ssid->key_mgmt == WPA_KEY_MGMT_PSK) {
525 		if (cred->key_len == 2 * PMK_LEN) {
526 			if (hexstr2bin((const char *) cred->key, ssid->psk,
527 				       PMK_LEN)) {
528 				wpa_printf(MSG_ERROR, "WPS: Invalid Network "
529 					   "Key");
530 				return -1;
531 			}
532 			ssid->psk_set = 1;
533 			ssid->export_keys = 1;
534 		} else if (cred->key_len >= 8 && cred->key_len < 2 * PMK_LEN) {
535 			os_free(ssid->passphrase);
536 			ssid->passphrase = os_malloc(cred->key_len + 1);
537 			if (ssid->passphrase == NULL)
538 				return -1;
539 			os_memcpy(ssid->passphrase, cred->key, cred->key_len);
540 			ssid->passphrase[cred->key_len] = '\0';
541 			wpa_config_update_psk(ssid);
542 			ssid->export_keys = 1;
543 		} else {
544 			wpa_printf(MSG_ERROR, "WPS: Invalid Network Key "
545 				   "length %lu",
546 				   (unsigned long) cred->key_len);
547 			return -1;
548 		}
549 	}
550 	ssid->priority = wpa_s->conf->wps_priority;
551 
552 	wpas_wps_security_workaround(wpa_s, ssid, cred);
553 
554 	wpas_wps_remove_dup_network(wpa_s, ssid);
555 
556 #ifndef CONFIG_NO_CONFIG_WRITE
557 	if (wpa_s->conf->update_config &&
558 	    wpa_config_write(wpa_s->confname, wpa_s->conf)) {
559 		wpa_printf(MSG_DEBUG, "WPS: Failed to update configuration");
560 		return -1;
561 	}
562 #endif /* CONFIG_NO_CONFIG_WRITE */
563 
564 	if (ssid->priority)
565 		wpa_config_update_prio_list(wpa_s->conf);
566 
567 	/*
568 	 * Optimize the post-WPS scan based on the channel used during
569 	 * the provisioning in case EAP-Failure is not received.
570 	 */
571 	wpa_s->after_wps = 5;
572 	wpa_s->wps_freq = wpa_s->assoc_freq;
573 
574 	return 0;
575 }
576 
577 
578 static void wpa_supplicant_wps_event_m2d(struct wpa_supplicant *wpa_s,
579 					 struct wps_event_m2d *m2d)
580 {
581 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_M2D
582 		"dev_password_id=%d config_error=%d",
583 		m2d->dev_password_id, m2d->config_error);
584 	wpas_notify_wps_event_m2d(wpa_s, m2d);
585 #ifdef CONFIG_P2P
586 	if (wpa_s->parent && wpa_s->parent != wpa_s) {
587 		wpa_msg(wpa_s->parent, MSG_INFO, WPS_EVENT_M2D
588 			"dev_password_id=%d config_error=%d",
589 			m2d->dev_password_id, m2d->config_error);
590 	}
591 	if (m2d->config_error == WPS_CFG_MULTIPLE_PBC_DETECTED) {
592 		/*
593 		 * Notify P2P from eloop timeout to avoid issues with the
594 		 * interface getting removed while processing a message.
595 		 */
596 		eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, wpa_s,
597 				       NULL);
598 	}
599 #endif /* CONFIG_P2P */
600 }
601 
602 
603 static void wpas_wps_clear_timeout(void *eloop_ctx, void *timeout_ctx)
604 {
605 	struct wpa_supplicant *wpa_s = eloop_ctx;
606 	wpa_printf(MSG_DEBUG, "WPS: Clear WPS network from timeout");
607 	wpas_clear_wps(wpa_s);
608 }
609 
610 
611 static void wpa_supplicant_wps_event_fail(struct wpa_supplicant *wpa_s,
612 					  struct wps_event_fail *fail)
613 {
614 	if (fail->error_indication > 0 &&
615 	    fail->error_indication < NUM_WPS_EI_VALUES) {
616 		wpa_msg(wpa_s, MSG_INFO,
617 			WPS_EVENT_FAIL "msg=%d config_error=%d reason=%d (%s)",
618 			fail->msg, fail->config_error, fail->error_indication,
619 			wps_ei_str(fail->error_indication));
620 		if (wpa_s->parent && wpa_s->parent != wpa_s)
621 			wpa_msg(wpa_s->parent, MSG_INFO, WPS_EVENT_FAIL
622 				"msg=%d config_error=%d reason=%d (%s)",
623 				fail->msg, fail->config_error,
624 				fail->error_indication,
625 				wps_ei_str(fail->error_indication));
626 	} else {
627 		wpa_msg(wpa_s, MSG_INFO,
628 			WPS_EVENT_FAIL "msg=%d config_error=%d",
629 			fail->msg, fail->config_error);
630 		if (wpa_s->parent && wpa_s->parent != wpa_s)
631 			wpa_msg(wpa_s->parent, MSG_INFO, WPS_EVENT_FAIL
632 				"msg=%d config_error=%d",
633 				fail->msg, fail->config_error);
634 	}
635 
636 	/*
637 	 * Need to allow WPS processing to complete, e.g., by sending WSC_NACK.
638 	 */
639 	wpa_printf(MSG_DEBUG, "WPS: Register timeout to clear WPS network");
640 	eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL);
641 	eloop_register_timeout(0, 100000, wpas_wps_clear_timeout, wpa_s, NULL);
642 
643 	wpas_notify_wps_event_fail(wpa_s, fail);
644 	wpas_p2p_wps_failed(wpa_s, fail);
645 }
646 
647 
648 static void wpas_wps_reenable_networks_cb(void *eloop_ctx, void *timeout_ctx);
649 
650 static void wpas_wps_reenable_networks(struct wpa_supplicant *wpa_s)
651 {
652 	struct wpa_ssid *ssid;
653 	int changed = 0;
654 
655 	eloop_cancel_timeout(wpas_wps_reenable_networks_cb, wpa_s, NULL);
656 
657 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
658 		if (ssid->disabled_for_connect && ssid->disabled) {
659 			ssid->disabled_for_connect = 0;
660 			ssid->disabled = 0;
661 			wpas_notify_network_enabled_changed(wpa_s, ssid);
662 			changed++;
663 		}
664 	}
665 
666 	if (changed) {
667 #ifndef CONFIG_NO_CONFIG_WRITE
668 		if (wpa_s->conf->update_config &&
669 		    wpa_config_write(wpa_s->confname, wpa_s->conf)) {
670 			wpa_printf(MSG_DEBUG, "WPS: Failed to update "
671 				   "configuration");
672 		}
673 #endif /* CONFIG_NO_CONFIG_WRITE */
674 	}
675 }
676 
677 
678 static void wpas_wps_reenable_networks_cb(void *eloop_ctx, void *timeout_ctx)
679 {
680 	struct wpa_supplicant *wpa_s = eloop_ctx;
681 	/* Enable the networks disabled during wpas_wps_reassoc */
682 	wpas_wps_reenable_networks(wpa_s);
683 }
684 
685 
686 static void wpa_supplicant_wps_event_success(struct wpa_supplicant *wpa_s)
687 {
688 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_SUCCESS);
689 	wpa_s->wps_success = 1;
690 	wpas_notify_wps_event_success(wpa_s);
691 	if (wpa_s->current_ssid)
692 		wpas_clear_temp_disabled(wpa_s, wpa_s->current_ssid, 1);
693 	wpa_s->extra_blacklist_count = 0;
694 
695 	/*
696 	 * Enable the networks disabled during wpas_wps_reassoc after 10
697 	 * seconds. The 10 seconds timer is to allow the data connection to be
698 	 * formed before allowing other networks to be selected.
699 	 */
700 	eloop_register_timeout(10, 0, wpas_wps_reenable_networks_cb, wpa_s,
701 			       NULL);
702 
703 	wpas_p2p_wps_success(wpa_s, wpa_s->bssid, 0);
704 }
705 
706 
707 static void wpa_supplicant_wps_event_er_ap_add(struct wpa_supplicant *wpa_s,
708 					       struct wps_event_er_ap *ap)
709 {
710 	char uuid_str[100];
711 	char dev_type[WPS_DEV_TYPE_BUFSIZE];
712 
713 	uuid_bin2str(ap->uuid, uuid_str, sizeof(uuid_str));
714 	if (ap->pri_dev_type)
715 		wps_dev_type_bin2str(ap->pri_dev_type, dev_type,
716 				     sizeof(dev_type));
717 	else
718 		dev_type[0] = '\0';
719 
720 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ER_AP_ADD "%s " MACSTR
721 		" pri_dev_type=%s wps_state=%d |%s|%s|%s|%s|%s|%s|",
722 		uuid_str, MAC2STR(ap->mac_addr), dev_type, ap->wps_state,
723 		ap->friendly_name ? ap->friendly_name : "",
724 		ap->manufacturer ? ap->manufacturer : "",
725 		ap->model_description ? ap->model_description : "",
726 		ap->model_name ? ap->model_name : "",
727 		ap->manufacturer_url ? ap->manufacturer_url : "",
728 		ap->model_url ? ap->model_url : "");
729 }
730 
731 
732 static void wpa_supplicant_wps_event_er_ap_remove(struct wpa_supplicant *wpa_s,
733 						  struct wps_event_er_ap *ap)
734 {
735 	char uuid_str[100];
736 	uuid_bin2str(ap->uuid, uuid_str, sizeof(uuid_str));
737 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ER_AP_REMOVE "%s", uuid_str);
738 }
739 
740 
741 static void wpa_supplicant_wps_event_er_enrollee_add(
742 	struct wpa_supplicant *wpa_s, struct wps_event_er_enrollee *enrollee)
743 {
744 	char uuid_str[100];
745 	char dev_type[WPS_DEV_TYPE_BUFSIZE];
746 
747 	uuid_bin2str(enrollee->uuid, uuid_str, sizeof(uuid_str));
748 	if (enrollee->pri_dev_type)
749 		wps_dev_type_bin2str(enrollee->pri_dev_type, dev_type,
750 				     sizeof(dev_type));
751 	else
752 		dev_type[0] = '\0';
753 
754 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ER_ENROLLEE_ADD "%s " MACSTR
755 		" M1=%d config_methods=0x%x dev_passwd_id=%d pri_dev_type=%s "
756 		"|%s|%s|%s|%s|%s|",
757 		uuid_str, MAC2STR(enrollee->mac_addr), enrollee->m1_received,
758 		enrollee->config_methods, enrollee->dev_passwd_id, dev_type,
759 		enrollee->dev_name ? enrollee->dev_name : "",
760 		enrollee->manufacturer ? enrollee->manufacturer : "",
761 		enrollee->model_name ? enrollee->model_name : "",
762 		enrollee->model_number ? enrollee->model_number : "",
763 		enrollee->serial_number ? enrollee->serial_number : "");
764 }
765 
766 
767 static void wpa_supplicant_wps_event_er_enrollee_remove(
768 	struct wpa_supplicant *wpa_s, struct wps_event_er_enrollee *enrollee)
769 {
770 	char uuid_str[100];
771 	uuid_bin2str(enrollee->uuid, uuid_str, sizeof(uuid_str));
772 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ER_ENROLLEE_REMOVE "%s " MACSTR,
773 		uuid_str, MAC2STR(enrollee->mac_addr));
774 }
775 
776 
777 static void wpa_supplicant_wps_event_er_ap_settings(
778 	struct wpa_supplicant *wpa_s,
779 	struct wps_event_er_ap_settings *ap_settings)
780 {
781 	char uuid_str[100];
782 	char key_str[65];
783 	const struct wps_credential *cred = ap_settings->cred;
784 
785 	key_str[0] = '\0';
786 	if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
787 		if (cred->key_len >= 8 && cred->key_len <= 64) {
788 			os_memcpy(key_str, cred->key, cred->key_len);
789 			key_str[cred->key_len] = '\0';
790 		}
791 	}
792 
793 	uuid_bin2str(ap_settings->uuid, uuid_str, sizeof(uuid_str));
794 	/* Use wpa_msg_ctrl to avoid showing the key in debug log */
795 	wpa_msg_ctrl(wpa_s, MSG_INFO, WPS_EVENT_ER_AP_SETTINGS
796 		     "uuid=%s ssid=%s auth_type=0x%04x encr_type=0x%04x "
797 		     "key=%s",
798 		     uuid_str, wpa_ssid_txt(cred->ssid, cred->ssid_len),
799 		     cred->auth_type, cred->encr_type, key_str);
800 }
801 
802 
803 static void wpa_supplicant_wps_event_er_set_sel_reg(
804 	struct wpa_supplicant *wpa_s,
805 	struct wps_event_er_set_selected_registrar *ev)
806 {
807 	char uuid_str[100];
808 
809 	uuid_bin2str(ev->uuid, uuid_str, sizeof(uuid_str));
810 	switch (ev->state) {
811 	case WPS_ER_SET_SEL_REG_START:
812 		wpa_msg(wpa_s, MSG_DEBUG, WPS_EVENT_ER_SET_SEL_REG
813 			"uuid=%s state=START sel_reg=%d dev_passwd_id=%u "
814 			"sel_reg_config_methods=0x%x",
815 			uuid_str, ev->sel_reg, ev->dev_passwd_id,
816 			ev->sel_reg_config_methods);
817 		break;
818 	case WPS_ER_SET_SEL_REG_DONE:
819 		wpa_msg(wpa_s, MSG_DEBUG, WPS_EVENT_ER_SET_SEL_REG
820 			"uuid=%s state=DONE", uuid_str);
821 		break;
822 	case WPS_ER_SET_SEL_REG_FAILED:
823 		wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ER_SET_SEL_REG
824 			"uuid=%s state=FAILED", uuid_str);
825 		break;
826 	}
827 }
828 
829 
830 static void wpa_supplicant_wps_event(void *ctx, enum wps_event event,
831 				     union wps_event_data *data)
832 {
833 	struct wpa_supplicant *wpa_s = ctx;
834 	switch (event) {
835 	case WPS_EV_M2D:
836 		wpa_supplicant_wps_event_m2d(wpa_s, &data->m2d);
837 		break;
838 	case WPS_EV_FAIL:
839 		wpa_supplicant_wps_event_fail(wpa_s, &data->fail);
840 		break;
841 	case WPS_EV_SUCCESS:
842 		wpa_supplicant_wps_event_success(wpa_s);
843 		break;
844 	case WPS_EV_PWD_AUTH_FAIL:
845 #ifdef CONFIG_AP
846 		if (wpa_s->ap_iface && data->pwd_auth_fail.enrollee)
847 			wpa_supplicant_ap_pwd_auth_fail(wpa_s);
848 #endif /* CONFIG_AP */
849 		break;
850 	case WPS_EV_PBC_OVERLAP:
851 		break;
852 	case WPS_EV_PBC_TIMEOUT:
853 		break;
854 	case WPS_EV_PBC_ACTIVE:
855 		wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_ACTIVE);
856 		break;
857 	case WPS_EV_PBC_DISABLE:
858 		wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_DISABLE);
859 		break;
860 	case WPS_EV_ER_AP_ADD:
861 		wpa_supplicant_wps_event_er_ap_add(wpa_s, &data->ap);
862 		break;
863 	case WPS_EV_ER_AP_REMOVE:
864 		wpa_supplicant_wps_event_er_ap_remove(wpa_s, &data->ap);
865 		break;
866 	case WPS_EV_ER_ENROLLEE_ADD:
867 		wpa_supplicant_wps_event_er_enrollee_add(wpa_s,
868 							 &data->enrollee);
869 		break;
870 	case WPS_EV_ER_ENROLLEE_REMOVE:
871 		wpa_supplicant_wps_event_er_enrollee_remove(wpa_s,
872 							    &data->enrollee);
873 		break;
874 	case WPS_EV_ER_AP_SETTINGS:
875 		wpa_supplicant_wps_event_er_ap_settings(wpa_s,
876 							&data->ap_settings);
877 		break;
878 	case WPS_EV_ER_SET_SELECTED_REGISTRAR:
879 		wpa_supplicant_wps_event_er_set_sel_reg(wpa_s,
880 							&data->set_sel_reg);
881 		break;
882 	case WPS_EV_AP_PIN_SUCCESS:
883 		break;
884 	}
885 }
886 
887 
888 static int wpa_supplicant_wps_rf_band(void *ctx)
889 {
890 	struct wpa_supplicant *wpa_s = ctx;
891 
892 	if (!wpa_s->current_ssid || !wpa_s->assoc_freq)
893 		return 0;
894 
895 	return (wpa_s->assoc_freq > 50000) ? WPS_RF_60GHZ :
896 		(wpa_s->assoc_freq > 2484) ? WPS_RF_50GHZ : WPS_RF_24GHZ;
897 }
898 
899 
900 enum wps_request_type wpas_wps_get_req_type(struct wpa_ssid *ssid)
901 {
902 	if (eap_is_wps_pbc_enrollee(&ssid->eap) ||
903 	    eap_is_wps_pin_enrollee(&ssid->eap))
904 		return WPS_REQ_ENROLLEE;
905 	else
906 		return WPS_REQ_REGISTRAR;
907 }
908 
909 
910 static void wpas_clear_wps(struct wpa_supplicant *wpa_s)
911 {
912 	int id;
913 	struct wpa_ssid *ssid, *remove_ssid = NULL, *prev_current;
914 
915 	wpa_s->after_wps = 0;
916 	wpa_s->known_wps_freq = 0;
917 
918 	prev_current = wpa_s->current_ssid;
919 
920 	/* Enable the networks disabled during wpas_wps_reassoc */
921 	wpas_wps_reenable_networks(wpa_s);
922 
923 	eloop_cancel_timeout(wpas_wps_timeout, wpa_s, NULL);
924 	eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL);
925 
926 	/* Remove any existing WPS network from configuration */
927 	ssid = wpa_s->conf->ssid;
928 	while (ssid) {
929 		if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
930 			if (ssid == wpa_s->current_ssid) {
931 				wpa_s->own_disconnect_req = 1;
932 				wpa_supplicant_deauthenticate(
933 					wpa_s, WLAN_REASON_DEAUTH_LEAVING);
934 			}
935 			id = ssid->id;
936 			remove_ssid = ssid;
937 		} else
938 			id = -1;
939 		ssid = ssid->next;
940 		if (id >= 0) {
941 			if (prev_current == remove_ssid) {
942 				wpa_sm_set_config(wpa_s->wpa, NULL);
943 				eapol_sm_notify_config(wpa_s->eapol, NULL,
944 						       NULL);
945 			}
946 			wpas_notify_network_removed(wpa_s, remove_ssid);
947 			wpa_config_remove_network(wpa_s->conf, id);
948 		}
949 	}
950 
951 	wpas_wps_clear_ap_info(wpa_s);
952 }
953 
954 
955 static void wpas_wps_timeout(void *eloop_ctx, void *timeout_ctx)
956 {
957 	struct wpa_supplicant *wpa_s = eloop_ctx;
958 	union wps_event_data data;
959 
960 	wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_TIMEOUT "Requested operation timed "
961 		"out");
962 	os_memset(&data, 0, sizeof(data));
963 	data.fail.config_error = WPS_CFG_MSG_TIMEOUT;
964 	data.fail.error_indication = WPS_EI_NO_ERROR;
965 	/*
966 	 * Call wpas_notify_wps_event_fail() directly instead of through
967 	 * wpa_supplicant_wps_event() which would end up registering unnecessary
968 	 * timeouts (those are only for the case where the failure happens
969 	 * during an EAP-WSC exchange).
970 	 */
971 	wpas_notify_wps_event_fail(wpa_s, &data.fail);
972 	wpas_clear_wps(wpa_s);
973 }
974 
975 
976 static struct wpa_ssid * wpas_wps_add_network(struct wpa_supplicant *wpa_s,
977 					      int registrar, const u8 *dev_addr,
978 					      const u8 *bssid)
979 {
980 	struct wpa_ssid *ssid;
981 
982 	ssid = wpa_config_add_network(wpa_s->conf);
983 	if (ssid == NULL)
984 		return NULL;
985 	wpas_notify_network_added(wpa_s, ssid);
986 	wpa_config_set_network_defaults(ssid);
987 	ssid->temporary = 1;
988 	if (wpa_config_set(ssid, "key_mgmt", "WPS", 0) < 0 ||
989 	    wpa_config_set(ssid, "eap", "WSC", 0) < 0 ||
990 	    wpa_config_set(ssid, "identity", registrar ?
991 			   "\"" WSC_ID_REGISTRAR "\"" :
992 			   "\"" WSC_ID_ENROLLEE "\"", 0) < 0) {
993 		wpas_notify_network_removed(wpa_s, ssid);
994 		wpa_config_remove_network(wpa_s->conf, ssid->id);
995 		return NULL;
996 	}
997 
998 #ifdef CONFIG_P2P
999 	if (dev_addr)
1000 		os_memcpy(ssid->go_p2p_dev_addr, dev_addr, ETH_ALEN);
1001 #endif /* CONFIG_P2P */
1002 
1003 	if (bssid) {
1004 #ifndef CONFIG_P2P
1005 		struct wpa_bss *bss;
1006 		int count = 0;
1007 #endif /* CONFIG_P2P */
1008 
1009 		os_memcpy(ssid->bssid, bssid, ETH_ALEN);
1010 		ssid->bssid_set = 1;
1011 
1012 		/*
1013 		 * Note: With P2P, the SSID may change at the time the WPS
1014 		 * provisioning is started, so better not filter the AP based
1015 		 * on the current SSID in the scan results.
1016 		 */
1017 #ifndef CONFIG_P2P
1018 		dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1019 			if (os_memcmp(bssid, bss->bssid, ETH_ALEN) != 0)
1020 				continue;
1021 
1022 			os_free(ssid->ssid);
1023 			ssid->ssid = os_malloc(bss->ssid_len);
1024 			if (ssid->ssid == NULL)
1025 				break;
1026 			os_memcpy(ssid->ssid, bss->ssid, bss->ssid_len);
1027 			ssid->ssid_len = bss->ssid_len;
1028 			wpa_hexdump_ascii(MSG_DEBUG, "WPS: Picked SSID from "
1029 					  "scan results",
1030 					  ssid->ssid, ssid->ssid_len);
1031 			count++;
1032 		}
1033 
1034 		if (count > 1) {
1035 			wpa_printf(MSG_DEBUG, "WPS: More than one SSID found "
1036 				   "for the AP; use wildcard");
1037 			os_free(ssid->ssid);
1038 			ssid->ssid = NULL;
1039 			ssid->ssid_len = 0;
1040 		}
1041 #endif /* CONFIG_P2P */
1042 	}
1043 
1044 	return ssid;
1045 }
1046 
1047 
1048 static void wpas_wps_temp_disable(struct wpa_supplicant *wpa_s,
1049 				  struct wpa_ssid *selected)
1050 {
1051 	struct wpa_ssid *ssid;
1052 
1053 	if (wpa_s->current_ssid) {
1054 		wpa_s->own_disconnect_req = 1;
1055 		wpa_supplicant_deauthenticate(
1056 			wpa_s, WLAN_REASON_DEAUTH_LEAVING);
1057 	}
1058 
1059 	/* Mark all other networks disabled and trigger reassociation */
1060 	ssid = wpa_s->conf->ssid;
1061 	while (ssid) {
1062 		int was_disabled = ssid->disabled;
1063 		ssid->disabled_for_connect = 0;
1064 		/*
1065 		 * In case the network object corresponds to a persistent group
1066 		 * then do not send out network disabled signal. In addition,
1067 		 * do not change disabled status of persistent network objects
1068 		 * from 2 to 1 should we connect to another network.
1069 		 */
1070 		if (was_disabled != 2) {
1071 			ssid->disabled = ssid != selected;
1072 			if (was_disabled != ssid->disabled) {
1073 				if (ssid->disabled)
1074 					ssid->disabled_for_connect = 1;
1075 				wpas_notify_network_enabled_changed(wpa_s,
1076 								    ssid);
1077 			}
1078 		}
1079 		ssid = ssid->next;
1080 	}
1081 }
1082 
1083 
1084 static void wpas_wps_reassoc(struct wpa_supplicant *wpa_s,
1085 			     struct wpa_ssid *selected, const u8 *bssid,
1086 			     int freq)
1087 {
1088 	struct wpa_bss *bss;
1089 
1090 	wpa_s->wps_run++;
1091 	if (wpa_s->wps_run == 0)
1092 		wpa_s->wps_run++;
1093 	wpa_s->after_wps = 0;
1094 	wpa_s->known_wps_freq = 0;
1095 	if (freq) {
1096 		wpa_s->after_wps = 5;
1097 		wpa_s->wps_freq = freq;
1098 	} else if (bssid) {
1099 		bss = wpa_bss_get_bssid_latest(wpa_s, bssid);
1100 		if (bss && bss->freq > 0) {
1101 			wpa_s->known_wps_freq = 1;
1102 			wpa_s->wps_freq = bss->freq;
1103 		}
1104 	}
1105 
1106 	wpas_wps_temp_disable(wpa_s, selected);
1107 
1108 	wpa_s->disconnected = 0;
1109 	wpa_s->reassociate = 1;
1110 	wpa_s->scan_runs = 0;
1111 	wpa_s->normal_scans = 0;
1112 	wpa_s->wps_success = 0;
1113 	wpa_s->blacklist_cleared = 0;
1114 
1115 	wpa_supplicant_cancel_sched_scan(wpa_s);
1116 	wpa_supplicant_req_scan(wpa_s, 0, 0);
1117 }
1118 
1119 
1120 int wpas_wps_start_pbc(struct wpa_supplicant *wpa_s, const u8 *bssid,
1121 		       int p2p_group)
1122 {
1123 	struct wpa_ssid *ssid;
1124 
1125 #ifdef CONFIG_AP
1126 	if (wpa_s->ap_iface) {
1127 		wpa_printf(MSG_DEBUG,
1128 			   "WPS: Reject request to start Registrar(as station) operation while AP mode is enabled");
1129 		return -1;
1130 	}
1131 #endif /* CONFIG_AP */
1132 	wpas_clear_wps(wpa_s);
1133 	ssid = wpas_wps_add_network(wpa_s, 0, NULL, bssid);
1134 	if (ssid == NULL)
1135 		return -1;
1136 	ssid->temporary = 1;
1137 	ssid->p2p_group = p2p_group;
1138 #ifdef CONFIG_P2P
1139 	if (p2p_group && wpa_s->go_params && wpa_s->go_params->ssid_len) {
1140 		ssid->ssid = os_zalloc(wpa_s->go_params->ssid_len + 1);
1141 		if (ssid->ssid) {
1142 			ssid->ssid_len = wpa_s->go_params->ssid_len;
1143 			os_memcpy(ssid->ssid, wpa_s->go_params->ssid,
1144 				  ssid->ssid_len);
1145 			wpa_hexdump_ascii(MSG_DEBUG, "WPS: Use specific AP "
1146 					  "SSID", ssid->ssid, ssid->ssid_len);
1147 		}
1148 	}
1149 #endif /* CONFIG_P2P */
1150 	if (wpa_config_set(ssid, "phase1", "\"pbc=1\"", 0) < 0)
1151 		return -1;
1152 	if (wpa_s->wps_fragment_size)
1153 		ssid->eap.fragment_size = wpa_s->wps_fragment_size;
1154 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wpas_wps_timeout,
1155 			       wpa_s, NULL);
1156 	wpas_wps_reassoc(wpa_s, ssid, bssid, 0);
1157 	return 0;
1158 }
1159 
1160 
1161 static int wpas_wps_start_dev_pw(struct wpa_supplicant *wpa_s,
1162 				 const u8 *dev_addr, const u8 *bssid,
1163 				 const char *pin, int p2p_group, u16 dev_pw_id,
1164 				 const u8 *peer_pubkey_hash,
1165 				 const u8 *ssid_val, size_t ssid_len, int freq)
1166 {
1167 	struct wpa_ssid *ssid;
1168 	char val[128 + 2 * WPS_OOB_PUBKEY_HASH_LEN];
1169 	unsigned int rpin = 0;
1170 	char hash[2 * WPS_OOB_PUBKEY_HASH_LEN + 10];
1171 
1172 #ifdef CONFIG_AP
1173 	if (wpa_s->ap_iface) {
1174 		wpa_printf(MSG_DEBUG,
1175 			   "WPS: Reject request to start Registrar(as station) operation while AP mode is enabled");
1176 		return -1;
1177 	}
1178 #endif /* CONFIG_AP */
1179 	wpas_clear_wps(wpa_s);
1180 	if (bssid && is_zero_ether_addr(bssid))
1181 		bssid = NULL;
1182 	ssid = wpas_wps_add_network(wpa_s, 0, dev_addr, bssid);
1183 	if (ssid == NULL) {
1184 		wpa_printf(MSG_DEBUG, "WPS: Could not add network");
1185 		return -1;
1186 	}
1187 	ssid->temporary = 1;
1188 	ssid->p2p_group = p2p_group;
1189 	if (ssid_val) {
1190 		ssid->ssid = os_malloc(ssid_len);
1191 		if (ssid->ssid) {
1192 			os_memcpy(ssid->ssid, ssid_val, ssid_len);
1193 			ssid->ssid_len = ssid_len;
1194 		}
1195 	}
1196 	if (peer_pubkey_hash) {
1197 		os_memcpy(hash, " pkhash=", 8);
1198 		wpa_snprintf_hex_uppercase(hash + 8, sizeof(hash) - 8,
1199 					   peer_pubkey_hash,
1200 					   WPS_OOB_PUBKEY_HASH_LEN);
1201 	} else {
1202 		hash[0] = '\0';
1203 	}
1204 #ifdef CONFIG_P2P
1205 	if (p2p_group && wpa_s->go_params && wpa_s->go_params->ssid_len) {
1206 		os_free(ssid->ssid);
1207 		ssid->ssid = os_zalloc(wpa_s->go_params->ssid_len + 1);
1208 		if (ssid->ssid) {
1209 			ssid->ssid_len = wpa_s->go_params->ssid_len;
1210 			os_memcpy(ssid->ssid, wpa_s->go_params->ssid,
1211 				  ssid->ssid_len);
1212 			wpa_hexdump_ascii(MSG_DEBUG, "WPS: Use specific AP "
1213 					  "SSID", ssid->ssid, ssid->ssid_len);
1214 		}
1215 	}
1216 #endif /* CONFIG_P2P */
1217 	if (pin)
1218 		os_snprintf(val, sizeof(val), "\"pin=%s dev_pw_id=%u%s\"",
1219 			    pin, dev_pw_id, hash);
1220 	else if (pin == NULL && dev_pw_id == DEV_PW_NFC_CONNECTION_HANDOVER) {
1221 		os_snprintf(val, sizeof(val), "\"dev_pw_id=%u%s\"",
1222 			    dev_pw_id, hash);
1223 	} else {
1224 		rpin = wps_generate_pin();
1225 		os_snprintf(val, sizeof(val), "\"pin=%08d dev_pw_id=%u%s\"",
1226 			    rpin, dev_pw_id, hash);
1227 	}
1228 	if (wpa_config_set(ssid, "phase1", val, 0) < 0) {
1229 		wpa_printf(MSG_DEBUG, "WPS: Failed to set phase1 '%s'", val);
1230 		return -1;
1231 	}
1232 	if (wpa_s->wps_fragment_size)
1233 		ssid->eap.fragment_size = wpa_s->wps_fragment_size;
1234 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wpas_wps_timeout,
1235 			       wpa_s, NULL);
1236 	wpa_s->wps_ap_iter = 1;
1237 	wpas_wps_reassoc(wpa_s, ssid, bssid, freq);
1238 	return rpin;
1239 }
1240 
1241 
1242 int wpas_wps_start_pin(struct wpa_supplicant *wpa_s, const u8 *bssid,
1243 		       const char *pin, int p2p_group, u16 dev_pw_id)
1244 {
1245 	os_get_reltime(&wpa_s->wps_pin_start_time);
1246 	return wpas_wps_start_dev_pw(wpa_s, NULL, bssid, pin, p2p_group,
1247 				     dev_pw_id, NULL, NULL, 0, 0);
1248 }
1249 
1250 
1251 void wpas_wps_pbc_overlap(struct wpa_supplicant *wpa_s)
1252 {
1253 	union wps_event_data data;
1254 
1255 	os_memset(&data, 0, sizeof(data));
1256 	data.fail.config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
1257 	data.fail.error_indication = WPS_EI_NO_ERROR;
1258 	/*
1259 	 * Call wpas_notify_wps_event_fail() directly instead of through
1260 	 * wpa_supplicant_wps_event() which would end up registering unnecessary
1261 	 * timeouts (those are only for the case where the failure happens
1262 	 * during an EAP-WSC exchange).
1263 	 */
1264 	wpas_notify_wps_event_fail(wpa_s, &data.fail);
1265 }
1266 
1267 /* Cancel the wps pbc/pin requests */
1268 int wpas_wps_cancel(struct wpa_supplicant *wpa_s)
1269 {
1270 #ifdef CONFIG_AP
1271 	if (wpa_s->ap_iface) {
1272 		wpa_printf(MSG_DEBUG, "WPS: Cancelling in AP mode");
1273 		return wpa_supplicant_ap_wps_cancel(wpa_s);
1274 	}
1275 #endif /* CONFIG_AP */
1276 
1277 	if (wpa_s->wpa_state == WPA_SCANNING ||
1278 	    wpa_s->wpa_state == WPA_DISCONNECTED) {
1279 		wpa_printf(MSG_DEBUG, "WPS: Cancel operation - cancel scan");
1280 		wpa_supplicant_cancel_scan(wpa_s);
1281 		wpas_clear_wps(wpa_s);
1282 	} else if (wpa_s->wpa_state >= WPA_ASSOCIATED) {
1283 		wpa_printf(MSG_DEBUG, "WPS: Cancel operation - "
1284 			   "deauthenticate");
1285 		wpa_s->own_disconnect_req = 1;
1286 		wpa_supplicant_deauthenticate(wpa_s,
1287 					      WLAN_REASON_DEAUTH_LEAVING);
1288 		wpas_clear_wps(wpa_s);
1289 	} else {
1290 		wpas_wps_reenable_networks(wpa_s);
1291 		wpas_wps_clear_ap_info(wpa_s);
1292 		if (eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL) >
1293 		    0)
1294 			wpas_clear_wps(wpa_s);
1295 	}
1296 
1297 	wpa_s->after_wps = 0;
1298 
1299 	return 0;
1300 }
1301 
1302 
1303 int wpas_wps_start_reg(struct wpa_supplicant *wpa_s, const u8 *bssid,
1304 		       const char *pin, struct wps_new_ap_settings *settings)
1305 {
1306 	struct wpa_ssid *ssid;
1307 	char val[200];
1308 	char *pos, *end;
1309 	int res;
1310 
1311 #ifdef CONFIG_AP
1312 	if (wpa_s->ap_iface) {
1313 		wpa_printf(MSG_DEBUG,
1314 			   "WPS: Reject request to start Registrar(as station) operation while AP mode is enabled");
1315 		return -1;
1316 	}
1317 #endif /* CONFIG_AP */
1318 	if (!pin)
1319 		return -1;
1320 	wpas_clear_wps(wpa_s);
1321 	ssid = wpas_wps_add_network(wpa_s, 1, NULL, bssid);
1322 	if (ssid == NULL)
1323 		return -1;
1324 	ssid->temporary = 1;
1325 	pos = val;
1326 	end = pos + sizeof(val);
1327 	res = os_snprintf(pos, end - pos, "\"pin=%s", pin);
1328 	if (os_snprintf_error(end - pos, res))
1329 		return -1;
1330 	pos += res;
1331 	if (settings) {
1332 		res = os_snprintf(pos, end - pos, " new_ssid=%s new_auth=%s "
1333 				  "new_encr=%s new_key=%s",
1334 				  settings->ssid_hex, settings->auth,
1335 				  settings->encr, settings->key_hex);
1336 		if (os_snprintf_error(end - pos, res))
1337 			return -1;
1338 		pos += res;
1339 	}
1340 	res = os_snprintf(pos, end - pos, "\"");
1341 	if (os_snprintf_error(end - pos, res))
1342 		return -1;
1343 	if (wpa_config_set(ssid, "phase1", val, 0) < 0)
1344 		return -1;
1345 	if (wpa_s->wps_fragment_size)
1346 		ssid->eap.fragment_size = wpa_s->wps_fragment_size;
1347 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wpas_wps_timeout,
1348 			       wpa_s, NULL);
1349 	wpas_wps_reassoc(wpa_s, ssid, bssid, 0);
1350 	return 0;
1351 }
1352 
1353 
1354 static int wpas_wps_new_psk_cb(void *ctx, const u8 *mac_addr,
1355 			       const u8 *p2p_dev_addr, const u8 *psk,
1356 			       size_t psk_len)
1357 {
1358 	if (is_zero_ether_addr(p2p_dev_addr)) {
1359 		wpa_printf(MSG_DEBUG,
1360 			   "Received new WPA/WPA2-PSK from WPS for STA " MACSTR,
1361 			   MAC2STR(mac_addr));
1362 	} else {
1363 		wpa_printf(MSG_DEBUG,
1364 			   "Received new WPA/WPA2-PSK from WPS for STA " MACSTR
1365 			   " P2P Device Addr " MACSTR,
1366 			   MAC2STR(mac_addr), MAC2STR(p2p_dev_addr));
1367 	}
1368 	wpa_hexdump_key(MSG_DEBUG, "Per-device PSK", psk, psk_len);
1369 
1370 	/* TODO */
1371 
1372 	return 0;
1373 }
1374 
1375 
1376 static void wpas_wps_pin_needed_cb(void *ctx, const u8 *uuid_e,
1377 				   const struct wps_device_data *dev)
1378 {
1379 	char uuid[40], txt[400];
1380 	int len;
1381 	char devtype[WPS_DEV_TYPE_BUFSIZE];
1382 	if (uuid_bin2str(uuid_e, uuid, sizeof(uuid)))
1383 		return;
1384 	wpa_printf(MSG_DEBUG, "WPS: PIN needed for UUID-E %s", uuid);
1385 	len = os_snprintf(txt, sizeof(txt), "WPS-EVENT-PIN-NEEDED %s " MACSTR
1386 			  " [%s|%s|%s|%s|%s|%s]",
1387 			  uuid, MAC2STR(dev->mac_addr), dev->device_name,
1388 			  dev->manufacturer, dev->model_name,
1389 			  dev->model_number, dev->serial_number,
1390 			  wps_dev_type_bin2str(dev->pri_dev_type, devtype,
1391 					       sizeof(devtype)));
1392 	if (!os_snprintf_error(sizeof(txt), len))
1393 		wpa_printf(MSG_INFO, "%s", txt);
1394 }
1395 
1396 
1397 static void wpas_wps_set_sel_reg_cb(void *ctx, int sel_reg, u16 dev_passwd_id,
1398 				    u16 sel_reg_config_methods)
1399 {
1400 #ifdef CONFIG_WPS_ER
1401 	struct wpa_supplicant *wpa_s = ctx;
1402 
1403 	if (wpa_s->wps_er == NULL)
1404 		return;
1405 	wpa_printf(MSG_DEBUG, "WPS ER: SetSelectedRegistrar - sel_reg=%d "
1406 		   "dev_password_id=%u sel_reg_config_methods=0x%x",
1407 		   sel_reg, dev_passwd_id, sel_reg_config_methods);
1408 	wps_er_set_sel_reg(wpa_s->wps_er, sel_reg, dev_passwd_id,
1409 			   sel_reg_config_methods);
1410 #endif /* CONFIG_WPS_ER */
1411 }
1412 
1413 
1414 static u16 wps_fix_config_methods(u16 config_methods)
1415 {
1416 	if ((config_methods &
1417 	     (WPS_CONFIG_DISPLAY | WPS_CONFIG_VIRT_DISPLAY |
1418 	      WPS_CONFIG_PHY_DISPLAY)) == WPS_CONFIG_DISPLAY) {
1419 		wpa_printf(MSG_INFO, "WPS: Converting display to "
1420 			   "virtual_display for WPS 2.0 compliance");
1421 		config_methods |= WPS_CONFIG_VIRT_DISPLAY;
1422 	}
1423 	if ((config_methods &
1424 	     (WPS_CONFIG_PUSHBUTTON | WPS_CONFIG_VIRT_PUSHBUTTON |
1425 	      WPS_CONFIG_PHY_PUSHBUTTON)) == WPS_CONFIG_PUSHBUTTON) {
1426 		wpa_printf(MSG_INFO, "WPS: Converting push_button to "
1427 			   "virtual_push_button for WPS 2.0 compliance");
1428 		config_methods |= WPS_CONFIG_VIRT_PUSHBUTTON;
1429 	}
1430 
1431 	return config_methods;
1432 }
1433 
1434 
1435 static void wpas_wps_set_uuid(struct wpa_supplicant *wpa_s,
1436 			      struct wps_context *wps)
1437 {
1438 	char buf[50];
1439 	const char *src;
1440 
1441 	if (is_nil_uuid(wpa_s->conf->uuid)) {
1442 		struct wpa_supplicant *first;
1443 		first = wpa_s->global->ifaces;
1444 		while (first && first->next)
1445 			first = first->next;
1446 		if (first && first != wpa_s) {
1447 			if (wps != wpa_s->global->ifaces->wps)
1448 				os_memcpy(wps->uuid,
1449 					  wpa_s->global->ifaces->wps->uuid,
1450 					  WPS_UUID_LEN);
1451 			src = "from the first interface";
1452 		} else {
1453 			uuid_gen_mac_addr(wpa_s->own_addr, wps->uuid);
1454 			src = "based on MAC address";
1455 		}
1456 	} else {
1457 		os_memcpy(wps->uuid, wpa_s->conf->uuid, WPS_UUID_LEN);
1458 		src = "based on configuration";
1459 	}
1460 
1461 	uuid_bin2str(wps->uuid, buf, sizeof(buf));
1462 	wpa_dbg(wpa_s, MSG_DEBUG, "WPS: UUID %s: %s", src, buf);
1463 }
1464 
1465 
1466 static void wpas_wps_set_vendor_ext_m1(struct wpa_supplicant *wpa_s,
1467 				       struct wps_context *wps)
1468 {
1469 	wpabuf_free(wps->dev.vendor_ext_m1);
1470 	wps->dev.vendor_ext_m1 = NULL;
1471 
1472 	if (wpa_s->conf->wps_vendor_ext_m1) {
1473 		wps->dev.vendor_ext_m1 =
1474 			wpabuf_dup(wpa_s->conf->wps_vendor_ext_m1);
1475 		if (!wps->dev.vendor_ext_m1) {
1476 			wpa_printf(MSG_ERROR, "WPS: Cannot "
1477 				   "allocate memory for vendor_ext_m1");
1478 		}
1479 	}
1480 }
1481 
1482 
1483 int wpas_wps_init(struct wpa_supplicant *wpa_s)
1484 {
1485 	struct wps_context *wps;
1486 	struct wps_registrar_config rcfg;
1487 	struct hostapd_hw_modes *modes;
1488 	u16 m;
1489 
1490 	wps = os_zalloc(sizeof(*wps));
1491 	if (wps == NULL)
1492 		return -1;
1493 
1494 	wps->cred_cb = wpa_supplicant_wps_cred;
1495 	wps->event_cb = wpa_supplicant_wps_event;
1496 	wps->rf_band_cb = wpa_supplicant_wps_rf_band;
1497 	wps->cb_ctx = wpa_s;
1498 
1499 	wps->dev.device_name = wpa_s->conf->device_name;
1500 	wps->dev.manufacturer = wpa_s->conf->manufacturer;
1501 	wps->dev.model_name = wpa_s->conf->model_name;
1502 	wps->dev.model_number = wpa_s->conf->model_number;
1503 	wps->dev.serial_number = wpa_s->conf->serial_number;
1504 	wps->config_methods =
1505 		wps_config_methods_str2bin(wpa_s->conf->config_methods);
1506 	if ((wps->config_methods & (WPS_CONFIG_DISPLAY | WPS_CONFIG_LABEL)) ==
1507 	    (WPS_CONFIG_DISPLAY | WPS_CONFIG_LABEL)) {
1508 		wpa_printf(MSG_ERROR, "WPS: Both Label and Display config "
1509 			   "methods are not allowed at the same time");
1510 		os_free(wps);
1511 		return -1;
1512 	}
1513 	wps->config_methods = wps_fix_config_methods(wps->config_methods);
1514 	wps->dev.config_methods = wps->config_methods;
1515 	os_memcpy(wps->dev.pri_dev_type, wpa_s->conf->device_type,
1516 		  WPS_DEV_TYPE_LEN);
1517 
1518 	wps->dev.num_sec_dev_types = wpa_s->conf->num_sec_device_types;
1519 	os_memcpy(wps->dev.sec_dev_type, wpa_s->conf->sec_device_type,
1520 		  WPS_DEV_TYPE_LEN * wps->dev.num_sec_dev_types);
1521 
1522 	wpas_wps_set_vendor_ext_m1(wpa_s, wps);
1523 
1524 	wps->dev.os_version = WPA_GET_BE32(wpa_s->conf->os_version);
1525 	modes = wpa_s->hw.modes;
1526 	if (modes) {
1527 		for (m = 0; m < wpa_s->hw.num_modes; m++) {
1528 			if (modes[m].mode == HOSTAPD_MODE_IEEE80211B ||
1529 			    modes[m].mode == HOSTAPD_MODE_IEEE80211G)
1530 				wps->dev.rf_bands |= WPS_RF_24GHZ;
1531 			else if (modes[m].mode == HOSTAPD_MODE_IEEE80211A)
1532 				wps->dev.rf_bands |= WPS_RF_50GHZ;
1533 			else if (modes[m].mode == HOSTAPD_MODE_IEEE80211AD)
1534 				wps->dev.rf_bands |= WPS_RF_60GHZ;
1535 		}
1536 	}
1537 	if (wps->dev.rf_bands == 0) {
1538 		/*
1539 		 * Default to claiming support for both bands if the driver
1540 		 * does not provide support for fetching supported bands.
1541 		 */
1542 		wps->dev.rf_bands = WPS_RF_24GHZ | WPS_RF_50GHZ;
1543 	}
1544 	os_memcpy(wps->dev.mac_addr, wpa_s->own_addr, ETH_ALEN);
1545 	wpas_wps_set_uuid(wpa_s, wps);
1546 
1547 	wps->auth_types = WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK;
1548 	wps->encr_types = WPS_ENCR_AES | WPS_ENCR_TKIP;
1549 
1550 	os_memset(&rcfg, 0, sizeof(rcfg));
1551 	rcfg.new_psk_cb = wpas_wps_new_psk_cb;
1552 	rcfg.pin_needed_cb = wpas_wps_pin_needed_cb;
1553 	rcfg.set_sel_reg_cb = wpas_wps_set_sel_reg_cb;
1554 	rcfg.cb_ctx = wpa_s;
1555 
1556 	wps->registrar = wps_registrar_init(wps, &rcfg);
1557 	if (wps->registrar == NULL) {
1558 		wpa_printf(MSG_DEBUG, "Failed to initialize WPS Registrar");
1559 		os_free(wps);
1560 		return -1;
1561 	}
1562 
1563 	wpa_s->wps = wps;
1564 
1565 	return 0;
1566 }
1567 
1568 
1569 #ifdef CONFIG_WPS_ER
1570 static void wpas_wps_nfc_clear(struct wps_context *wps)
1571 {
1572 	wps->ap_nfc_dev_pw_id = 0;
1573 	wpabuf_free(wps->ap_nfc_dh_pubkey);
1574 	wps->ap_nfc_dh_pubkey = NULL;
1575 	wpabuf_free(wps->ap_nfc_dh_privkey);
1576 	wps->ap_nfc_dh_privkey = NULL;
1577 	wpabuf_free(wps->ap_nfc_dev_pw);
1578 	wps->ap_nfc_dev_pw = NULL;
1579 }
1580 #endif /* CONFIG_WPS_ER */
1581 
1582 
1583 void wpas_wps_deinit(struct wpa_supplicant *wpa_s)
1584 {
1585 	wpas_wps_assoc_with_cred_cancel(wpa_s);
1586 	eloop_cancel_timeout(wpas_wps_timeout, wpa_s, NULL);
1587 	eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL);
1588 	eloop_cancel_timeout(wpas_wps_reenable_networks_cb, wpa_s, NULL);
1589 	wpas_wps_clear_ap_info(wpa_s);
1590 
1591 #ifdef CONFIG_P2P
1592 	eloop_cancel_timeout(wpas_p2p_pbc_overlap_cb, wpa_s, NULL);
1593 #endif /* CONFIG_P2P */
1594 
1595 	if (wpa_s->wps == NULL)
1596 		return;
1597 
1598 #ifdef CONFIG_WPS_ER
1599 	wps_er_deinit(wpa_s->wps_er, NULL, NULL);
1600 	wpa_s->wps_er = NULL;
1601 	wpas_wps_nfc_clear(wpa_s->wps);
1602 #endif /* CONFIG_WPS_ER */
1603 
1604 	wps_registrar_deinit(wpa_s->wps->registrar);
1605 	wpabuf_free(wpa_s->wps->dh_pubkey);
1606 	wpabuf_free(wpa_s->wps->dh_privkey);
1607 	wpabuf_free(wpa_s->wps->dev.vendor_ext_m1);
1608 	os_free(wpa_s->wps->network_key);
1609 	os_free(wpa_s->wps);
1610 	wpa_s->wps = NULL;
1611 }
1612 
1613 
1614 int wpas_wps_ssid_bss_match(struct wpa_supplicant *wpa_s,
1615 			    struct wpa_ssid *ssid, struct wpa_bss *bss)
1616 {
1617 	struct wpabuf *wps_ie;
1618 
1619 	if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
1620 		return -1;
1621 
1622 	wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
1623 	if (eap_is_wps_pbc_enrollee(&ssid->eap)) {
1624 		if (!wps_ie) {
1625 			wpa_printf(MSG_DEBUG, "   skip - non-WPS AP");
1626 			return 0;
1627 		}
1628 
1629 		if (!wps_is_selected_pbc_registrar(wps_ie)) {
1630 			wpa_printf(MSG_DEBUG, "   skip - WPS AP "
1631 				   "without active PBC Registrar");
1632 			wpabuf_free(wps_ie);
1633 			return 0;
1634 		}
1635 
1636 		/* TODO: overlap detection */
1637 		wpa_printf(MSG_DEBUG, "   selected based on WPS IE "
1638 			   "(Active PBC)");
1639 		wpabuf_free(wps_ie);
1640 		return 1;
1641 	}
1642 
1643 	if (eap_is_wps_pin_enrollee(&ssid->eap)) {
1644 		if (!wps_ie) {
1645 			wpa_printf(MSG_DEBUG, "   skip - non-WPS AP");
1646 			return 0;
1647 		}
1648 
1649 		/*
1650 		 * Start with WPS APs that advertise our address as an
1651 		 * authorized MAC (v2.0) or active PIN Registrar (v1.0) and
1652 		 * allow any WPS AP after couple of scans since some APs do not
1653 		 * set Selected Registrar attribute properly when using
1654 		 * external Registrar.
1655 		 */
1656 		if (!wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1)) {
1657 			struct os_reltime age;
1658 
1659 			os_reltime_age(&wpa_s->wps_pin_start_time, &age);
1660 
1661 			if (wpa_s->scan_runs < WPS_PIN_SCAN_IGNORE_SEL_REG ||
1662 			    age.sec < WPS_PIN_TIME_IGNORE_SEL_REG) {
1663 				wpa_printf(MSG_DEBUG,
1664 					   "   skip - WPS AP without active PIN Registrar (scan_runs=%d age=%d)",
1665 					   wpa_s->scan_runs, (int) age.sec);
1666 				wpabuf_free(wps_ie);
1667 				return 0;
1668 			}
1669 			wpa_printf(MSG_DEBUG, "   selected based on WPS IE");
1670 		} else {
1671 			wpa_printf(MSG_DEBUG, "   selected based on WPS IE "
1672 				   "(Authorized MAC or Active PIN)");
1673 		}
1674 		wpabuf_free(wps_ie);
1675 		return 1;
1676 	}
1677 
1678 	if (wps_ie) {
1679 		wpa_printf(MSG_DEBUG, "   selected based on WPS IE");
1680 		wpabuf_free(wps_ie);
1681 		return 1;
1682 	}
1683 
1684 	return -1;
1685 }
1686 
1687 
1688 int wpas_wps_ssid_wildcard_ok(struct wpa_supplicant *wpa_s,
1689 			      struct wpa_ssid *ssid,
1690 			      struct wpa_bss *bss)
1691 {
1692 	struct wpabuf *wps_ie = NULL;
1693 	int ret = 0;
1694 
1695 	if (eap_is_wps_pbc_enrollee(&ssid->eap)) {
1696 		wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
1697 		if (wps_ie && wps_is_selected_pbc_registrar(wps_ie)) {
1698 			/* allow wildcard SSID for WPS PBC */
1699 			ret = 1;
1700 		}
1701 	} else if (eap_is_wps_pin_enrollee(&ssid->eap)) {
1702 		wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
1703 		if (wps_ie &&
1704 		    (wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1) ||
1705 		     wpa_s->scan_runs >= WPS_PIN_SCAN_IGNORE_SEL_REG)) {
1706 			/* allow wildcard SSID for WPS PIN */
1707 			ret = 1;
1708 		}
1709 	}
1710 
1711 	if (!ret && ssid->bssid_set &&
1712 	    os_memcmp(ssid->bssid, bss->bssid, ETH_ALEN) == 0) {
1713 		/* allow wildcard SSID due to hardcoded BSSID match */
1714 		ret = 1;
1715 	}
1716 
1717 #ifdef CONFIG_WPS_STRICT
1718 	if (wps_ie) {
1719 		if (wps_validate_beacon_probe_resp(wps_ie, bss->beacon_ie_len >
1720 						   0, bss->bssid) < 0)
1721 			ret = 0;
1722 		if (bss->beacon_ie_len) {
1723 			struct wpabuf *bcn_wps;
1724 			bcn_wps = wpa_bss_get_vendor_ie_multi_beacon(
1725 				bss, WPS_IE_VENDOR_TYPE);
1726 			if (bcn_wps == NULL) {
1727 				wpa_printf(MSG_DEBUG, "WPS: Mandatory WPS IE "
1728 					   "missing from AP Beacon");
1729 				ret = 0;
1730 			} else {
1731 				if (wps_validate_beacon(wps_ie) < 0)
1732 					ret = 0;
1733 				wpabuf_free(bcn_wps);
1734 			}
1735 		}
1736 	}
1737 #endif /* CONFIG_WPS_STRICT */
1738 
1739 	wpabuf_free(wps_ie);
1740 
1741 	return ret;
1742 }
1743 
1744 
1745 int wpas_wps_scan_pbc_overlap(struct wpa_supplicant *wpa_s,
1746 			      struct wpa_bss *selected, struct wpa_ssid *ssid)
1747 {
1748 	const u8 *sel_uuid;
1749 	struct wpabuf *wps_ie;
1750 	int ret = 0;
1751 	size_t i;
1752 
1753 	if (!eap_is_wps_pbc_enrollee(&ssid->eap))
1754 		return 0;
1755 
1756 	wpa_printf(MSG_DEBUG, "WPS: Check whether PBC session overlap is "
1757 		   "present in scan results; selected BSSID " MACSTR,
1758 		   MAC2STR(selected->bssid));
1759 
1760 	/* Make sure that only one AP is in active PBC mode */
1761 	wps_ie = wpa_bss_get_vendor_ie_multi(selected, WPS_IE_VENDOR_TYPE);
1762 	if (wps_ie) {
1763 		sel_uuid = wps_get_uuid_e(wps_ie);
1764 		wpa_hexdump(MSG_DEBUG, "WPS: UUID of the selected BSS",
1765 			    sel_uuid, UUID_LEN);
1766 	} else {
1767 		wpa_printf(MSG_DEBUG, "WPS: Selected BSS does not include "
1768 			   "WPS IE?!");
1769 		sel_uuid = NULL;
1770 	}
1771 
1772 	for (i = 0; i < wpa_s->num_wps_ap; i++) {
1773 		struct wps_ap_info *ap = &wpa_s->wps_ap[i];
1774 
1775 		if (!ap->pbc_active ||
1776 		    os_memcmp(selected->bssid, ap->bssid, ETH_ALEN) == 0)
1777 			continue;
1778 
1779 		wpa_printf(MSG_DEBUG, "WPS: Another BSS in active PBC mode: "
1780 			   MACSTR, MAC2STR(ap->bssid));
1781 		wpa_hexdump(MSG_DEBUG, "WPS: UUID of the other BSS",
1782 			    ap->uuid, UUID_LEN);
1783 		if (sel_uuid == NULL ||
1784 		    os_memcmp(sel_uuid, ap->uuid, UUID_LEN) != 0) {
1785 			ret = 1; /* PBC overlap */
1786 			wpa_msg(wpa_s, MSG_INFO, "WPS: PBC overlap detected: "
1787 				MACSTR " and " MACSTR,
1788 				MAC2STR(selected->bssid),
1789 				MAC2STR(ap->bssid));
1790 			break;
1791 		}
1792 
1793 		/* TODO: verify that this is reasonable dual-band situation */
1794 	}
1795 
1796 	wpabuf_free(wps_ie);
1797 
1798 	return ret;
1799 }
1800 
1801 
1802 void wpas_wps_notify_scan_results(struct wpa_supplicant *wpa_s)
1803 {
1804 	struct wpa_bss *bss;
1805 	unsigned int pbc = 0, auth = 0, pin = 0, wps = 0;
1806 
1807 	if (wpa_s->disconnected || wpa_s->wpa_state >= WPA_ASSOCIATED)
1808 		return;
1809 
1810 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1811 		struct wpabuf *ie;
1812 		ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
1813 		if (!ie)
1814 			continue;
1815 		if (wps_is_selected_pbc_registrar(ie))
1816 			pbc++;
1817 		else if (wps_is_addr_authorized(ie, wpa_s->own_addr, 0))
1818 			auth++;
1819 		else if (wps_is_selected_pin_registrar(ie))
1820 			pin++;
1821 		else
1822 			wps++;
1823 		wpabuf_free(ie);
1824 	}
1825 
1826 	if (pbc)
1827 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPS_EVENT_AP_AVAILABLE_PBC);
1828 	else if (auth)
1829 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPS_EVENT_AP_AVAILABLE_AUTH);
1830 	else if (pin)
1831 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPS_EVENT_AP_AVAILABLE_PIN);
1832 	else if (wps)
1833 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPS_EVENT_AP_AVAILABLE);
1834 }
1835 
1836 
1837 int wpas_wps_searching(struct wpa_supplicant *wpa_s)
1838 {
1839 	struct wpa_ssid *ssid;
1840 
1841 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1842 		if ((ssid->key_mgmt & WPA_KEY_MGMT_WPS) && !ssid->disabled)
1843 			return 1;
1844 	}
1845 
1846 	return 0;
1847 }
1848 
1849 
1850 int wpas_wps_scan_result_text(const u8 *ies, size_t ies_len, char *buf,
1851 			      char *end)
1852 {
1853 	struct wpabuf *wps_ie;
1854 	int ret;
1855 
1856 	wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, WPS_DEV_OUI_WFA);
1857 	if (wps_ie == NULL)
1858 		return 0;
1859 
1860 	ret = wps_attr_text(wps_ie, buf, end);
1861 	wpabuf_free(wps_ie);
1862 	return ret;
1863 }
1864 
1865 
1866 int wpas_wps_er_start(struct wpa_supplicant *wpa_s, const char *filter)
1867 {
1868 #ifdef CONFIG_WPS_ER
1869 	if (wpa_s->wps_er) {
1870 		wps_er_refresh(wpa_s->wps_er);
1871 		return 0;
1872 	}
1873 	wpa_s->wps_er = wps_er_init(wpa_s->wps, wpa_s->ifname, filter);
1874 	if (wpa_s->wps_er == NULL)
1875 		return -1;
1876 	return 0;
1877 #else /* CONFIG_WPS_ER */
1878 	return 0;
1879 #endif /* CONFIG_WPS_ER */
1880 }
1881 
1882 
1883 void wpas_wps_er_stop(struct wpa_supplicant *wpa_s)
1884 {
1885 #ifdef CONFIG_WPS_ER
1886 	wps_er_deinit(wpa_s->wps_er, NULL, NULL);
1887 	wpa_s->wps_er = NULL;
1888 #endif /* CONFIG_WPS_ER */
1889 }
1890 
1891 
1892 #ifdef CONFIG_WPS_ER
1893 int wpas_wps_er_add_pin(struct wpa_supplicant *wpa_s, const u8 *addr,
1894 			const char *uuid, const char *pin)
1895 {
1896 	u8 u[UUID_LEN];
1897 	const u8 *use_uuid = NULL;
1898 	u8 addr_buf[ETH_ALEN];
1899 
1900 	if (os_strcmp(uuid, "any") == 0) {
1901 	} else if (uuid_str2bin(uuid, u) == 0) {
1902 		use_uuid = u;
1903 	} else if (hwaddr_aton(uuid, addr_buf) == 0) {
1904 		use_uuid = wps_er_get_sta_uuid(wpa_s->wps_er, addr_buf);
1905 		if (use_uuid == NULL)
1906 			return -1;
1907 	} else
1908 		return -1;
1909 	return wps_registrar_add_pin(wpa_s->wps->registrar, addr,
1910 				     use_uuid,
1911 				     (const u8 *) pin, os_strlen(pin), 300);
1912 }
1913 
1914 
1915 int wpas_wps_er_pbc(struct wpa_supplicant *wpa_s, const char *uuid)
1916 {
1917 	u8 u[UUID_LEN], *use_uuid = NULL;
1918 	u8 addr[ETH_ALEN], *use_addr = NULL;
1919 
1920 	if (uuid_str2bin(uuid, u) == 0)
1921 		use_uuid = u;
1922 	else if (hwaddr_aton(uuid, addr) == 0)
1923 		use_addr = addr;
1924 	else
1925 		return -1;
1926 	return wps_er_pbc(wpa_s->wps_er, use_uuid, use_addr);
1927 }
1928 
1929 
1930 int wpas_wps_er_learn(struct wpa_supplicant *wpa_s, const char *uuid,
1931 		      const char *pin)
1932 {
1933 	u8 u[UUID_LEN], *use_uuid = NULL;
1934 	u8 addr[ETH_ALEN], *use_addr = NULL;
1935 
1936 	if (uuid_str2bin(uuid, u) == 0)
1937 		use_uuid = u;
1938 	else if (hwaddr_aton(uuid, addr) == 0)
1939 		use_addr = addr;
1940 	else
1941 		return -1;
1942 
1943 	return wps_er_learn(wpa_s->wps_er, use_uuid, use_addr, (const u8 *) pin,
1944 			    os_strlen(pin));
1945 }
1946 
1947 
1948 static int wpas_wps_network_to_cred(struct wpa_ssid *ssid,
1949 				    struct wps_credential *cred)
1950 {
1951 	os_memset(cred, 0, sizeof(*cred));
1952 	if (ssid->ssid_len > SSID_MAX_LEN)
1953 		return -1;
1954 	os_memcpy(cred->ssid, ssid->ssid, ssid->ssid_len);
1955 	cred->ssid_len = ssid->ssid_len;
1956 	if (ssid->key_mgmt & WPA_KEY_MGMT_PSK) {
1957 		cred->auth_type = (ssid->proto & WPA_PROTO_RSN) ?
1958 			WPS_AUTH_WPA2PSK : WPS_AUTH_WPAPSK;
1959 		if (ssid->pairwise_cipher & WPA_CIPHER_CCMP)
1960 			cred->encr_type = WPS_ENCR_AES;
1961 		else
1962 			cred->encr_type = WPS_ENCR_TKIP;
1963 		if (ssid->passphrase) {
1964 			cred->key_len = os_strlen(ssid->passphrase);
1965 			if (cred->key_len >= 64)
1966 				return -1;
1967 			os_memcpy(cred->key, ssid->passphrase, cred->key_len);
1968 		} else if (ssid->psk_set) {
1969 			cred->key_len = 32;
1970 			os_memcpy(cred->key, ssid->psk, 32);
1971 		} else
1972 			return -1;
1973 	} else {
1974 		cred->auth_type = WPS_AUTH_OPEN;
1975 		cred->encr_type = WPS_ENCR_NONE;
1976 	}
1977 
1978 	return 0;
1979 }
1980 
1981 
1982 int wpas_wps_er_set_config(struct wpa_supplicant *wpa_s, const char *uuid,
1983 			   int id)
1984 {
1985 	u8 u[UUID_LEN], *use_uuid = NULL;
1986 	u8 addr[ETH_ALEN], *use_addr = NULL;
1987 	struct wpa_ssid *ssid;
1988 	struct wps_credential cred;
1989 	int ret;
1990 
1991 	if (uuid_str2bin(uuid, u) == 0)
1992 		use_uuid = u;
1993 	else if (hwaddr_aton(uuid, addr) == 0)
1994 		use_addr = addr;
1995 	else
1996 		return -1;
1997 	ssid = wpa_config_get_network(wpa_s->conf, id);
1998 	if (ssid == NULL || ssid->ssid == NULL)
1999 		return -1;
2000 
2001 	if (wpas_wps_network_to_cred(ssid, &cred) < 0)
2002 		return -1;
2003 	ret = wps_er_set_config(wpa_s->wps_er, use_uuid, use_addr, &cred);
2004 	os_memset(&cred, 0, sizeof(cred));
2005 	return ret;
2006 }
2007 
2008 
2009 int wpas_wps_er_config(struct wpa_supplicant *wpa_s, const char *uuid,
2010 		       const char *pin, struct wps_new_ap_settings *settings)
2011 {
2012 	u8 u[UUID_LEN], *use_uuid = NULL;
2013 	u8 addr[ETH_ALEN], *use_addr = NULL;
2014 	struct wps_credential cred;
2015 	size_t len;
2016 
2017 	if (uuid_str2bin(uuid, u) == 0)
2018 		use_uuid = u;
2019 	else if (hwaddr_aton(uuid, addr) == 0)
2020 		use_addr = addr;
2021 	else
2022 		return -1;
2023 	if (settings->ssid_hex == NULL || settings->auth == NULL ||
2024 	    settings->encr == NULL || settings->key_hex == NULL)
2025 		return -1;
2026 
2027 	os_memset(&cred, 0, sizeof(cred));
2028 	len = os_strlen(settings->ssid_hex);
2029 	if ((len & 1) || len > 2 * sizeof(cred.ssid) ||
2030 	    hexstr2bin(settings->ssid_hex, cred.ssid, len / 2))
2031 		return -1;
2032 	cred.ssid_len = len / 2;
2033 
2034 	len = os_strlen(settings->key_hex);
2035 	if ((len & 1) || len > 2 * sizeof(cred.key) ||
2036 	    hexstr2bin(settings->key_hex, cred.key, len / 2))
2037 		return -1;
2038 	cred.key_len = len / 2;
2039 
2040 	if (os_strcmp(settings->auth, "OPEN") == 0)
2041 		cred.auth_type = WPS_AUTH_OPEN;
2042 	else if (os_strcmp(settings->auth, "WPAPSK") == 0)
2043 		cred.auth_type = WPS_AUTH_WPAPSK;
2044 	else if (os_strcmp(settings->auth, "WPA2PSK") == 0)
2045 		cred.auth_type = WPS_AUTH_WPA2PSK;
2046 	else
2047 		return -1;
2048 
2049 	if (os_strcmp(settings->encr, "NONE") == 0)
2050 		cred.encr_type = WPS_ENCR_NONE;
2051 #ifdef CONFIG_TESTING_OPTIONS
2052 	else if (os_strcmp(settings->encr, "WEP") == 0)
2053 		cred.encr_type = WPS_ENCR_WEP;
2054 #endif /* CONFIG_TESTING_OPTIONS */
2055 	else if (os_strcmp(settings->encr, "TKIP") == 0)
2056 		cred.encr_type = WPS_ENCR_TKIP;
2057 	else if (os_strcmp(settings->encr, "CCMP") == 0)
2058 		cred.encr_type = WPS_ENCR_AES;
2059 	else
2060 		return -1;
2061 
2062 	return wps_er_config(wpa_s->wps_er, use_uuid, use_addr,
2063 			     (const u8 *) pin, os_strlen(pin), &cred);
2064 }
2065 
2066 
2067 #ifdef CONFIG_WPS_NFC
2068 struct wpabuf * wpas_wps_er_nfc_config_token(struct wpa_supplicant *wpa_s,
2069 					     int ndef, const char *uuid)
2070 {
2071 	struct wpabuf *ret;
2072 	u8 u[UUID_LEN], *use_uuid = NULL;
2073 	u8 addr[ETH_ALEN], *use_addr = NULL;
2074 
2075 	if (!wpa_s->wps_er)
2076 		return NULL;
2077 
2078 	if (uuid_str2bin(uuid, u) == 0)
2079 		use_uuid = u;
2080 	else if (hwaddr_aton(uuid, addr) == 0)
2081 		use_addr = addr;
2082 	else
2083 		return NULL;
2084 
2085 	ret = wps_er_nfc_config_token(wpa_s->wps_er, use_uuid, use_addr);
2086 	if (ndef && ret) {
2087 		struct wpabuf *tmp;
2088 		tmp = ndef_build_wifi(ret);
2089 		wpabuf_free(ret);
2090 		if (tmp == NULL)
2091 			return NULL;
2092 		ret = tmp;
2093 	}
2094 
2095 	return ret;
2096 }
2097 #endif /* CONFIG_WPS_NFC */
2098 
2099 
2100 static int callbacks_pending = 0;
2101 
2102 static void wpas_wps_terminate_cb(void *ctx)
2103 {
2104 	wpa_printf(MSG_DEBUG, "WPS ER: Terminated");
2105 	if (--callbacks_pending <= 0)
2106 		eloop_terminate();
2107 }
2108 #endif /* CONFIG_WPS_ER */
2109 
2110 
2111 int wpas_wps_terminate_pending(struct wpa_supplicant *wpa_s)
2112 {
2113 #ifdef CONFIG_WPS_ER
2114 	if (wpa_s->wps_er) {
2115 		callbacks_pending++;
2116 		wps_er_deinit(wpa_s->wps_er, wpas_wps_terminate_cb, wpa_s);
2117 		wpa_s->wps_er = NULL;
2118 		return 1;
2119 	}
2120 #endif /* CONFIG_WPS_ER */
2121 	return 0;
2122 }
2123 
2124 
2125 void wpas_wps_update_config(struct wpa_supplicant *wpa_s)
2126 {
2127 	struct wps_context *wps = wpa_s->wps;
2128 
2129 	if (wps == NULL)
2130 		return;
2131 
2132 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_CONFIG_METHODS) {
2133 		wps->config_methods = wps_config_methods_str2bin(
2134 			wpa_s->conf->config_methods);
2135 		if ((wps->config_methods &
2136 		     (WPS_CONFIG_DISPLAY | WPS_CONFIG_LABEL)) ==
2137 		    (WPS_CONFIG_DISPLAY | WPS_CONFIG_LABEL)) {
2138 			wpa_printf(MSG_ERROR, "WPS: Both Label and Display "
2139 				   "config methods are not allowed at the "
2140 				   "same time");
2141 			wps->config_methods &= ~WPS_CONFIG_LABEL;
2142 		}
2143 	}
2144 	wps->config_methods = wps_fix_config_methods(wps->config_methods);
2145 	wps->dev.config_methods = wps->config_methods;
2146 
2147 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_DEVICE_TYPE)
2148 		os_memcpy(wps->dev.pri_dev_type, wpa_s->conf->device_type,
2149 			  WPS_DEV_TYPE_LEN);
2150 
2151 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_SEC_DEVICE_TYPE) {
2152 		wps->dev.num_sec_dev_types = wpa_s->conf->num_sec_device_types;
2153 		os_memcpy(wps->dev.sec_dev_type, wpa_s->conf->sec_device_type,
2154 			  wps->dev.num_sec_dev_types * WPS_DEV_TYPE_LEN);
2155 	}
2156 
2157 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_VENDOR_EXTENSION)
2158 		wpas_wps_set_vendor_ext_m1(wpa_s, wps);
2159 
2160 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_OS_VERSION)
2161 		wps->dev.os_version = WPA_GET_BE32(wpa_s->conf->os_version);
2162 
2163 	if (wpa_s->conf->changed_parameters & CFG_CHANGED_UUID)
2164 		wpas_wps_set_uuid(wpa_s, wps);
2165 
2166 	if (wpa_s->conf->changed_parameters &
2167 	    (CFG_CHANGED_DEVICE_NAME | CFG_CHANGED_WPS_STRING)) {
2168 		/* Update pointers to make sure they refer current values */
2169 		wps->dev.device_name = wpa_s->conf->device_name;
2170 		wps->dev.manufacturer = wpa_s->conf->manufacturer;
2171 		wps->dev.model_name = wpa_s->conf->model_name;
2172 		wps->dev.model_number = wpa_s->conf->model_number;
2173 		wps->dev.serial_number = wpa_s->conf->serial_number;
2174 	}
2175 }
2176 
2177 
2178 #ifdef CONFIG_WPS_NFC
2179 
2180 #ifdef CONFIG_WPS_ER
2181 static struct wpabuf *
2182 wpas_wps_network_config_token(struct wpa_supplicant *wpa_s, int ndef,
2183 			      struct wpa_ssid *ssid)
2184 {
2185 	struct wpabuf *ret;
2186 	struct wps_credential cred;
2187 
2188 	if (wpas_wps_network_to_cred(ssid, &cred) < 0)
2189 		return NULL;
2190 
2191 	ret = wps_er_config_token_from_cred(wpa_s->wps, &cred);
2192 
2193 	if (ndef && ret) {
2194 		struct wpabuf *tmp;
2195 		tmp = ndef_build_wifi(ret);
2196 		wpabuf_free(ret);
2197 		if (tmp == NULL)
2198 			return NULL;
2199 		ret = tmp;
2200 	}
2201 
2202 	return ret;
2203 }
2204 #endif /* CONFIG_WPS_ER */
2205 
2206 
2207 struct wpabuf * wpas_wps_nfc_config_token(struct wpa_supplicant *wpa_s,
2208 					  int ndef, const char *id_str)
2209 {
2210 #ifdef CONFIG_WPS_ER
2211 	if (id_str) {
2212 		int id;
2213 		char *end = NULL;
2214 		struct wpa_ssid *ssid;
2215 
2216 		id = strtol(id_str, &end, 10);
2217 		if (end && *end)
2218 			return NULL;
2219 
2220 		ssid = wpa_config_get_network(wpa_s->conf, id);
2221 		if (ssid == NULL)
2222 			return NULL;
2223 		return wpas_wps_network_config_token(wpa_s, ndef, ssid);
2224 	}
2225 #endif /* CONFIG_WPS_ER */
2226 #ifdef CONFIG_AP
2227 	if (wpa_s->ap_iface)
2228 		return wpas_ap_wps_nfc_config_token(wpa_s, ndef);
2229 #endif /* CONFIG_AP */
2230 	return NULL;
2231 }
2232 
2233 
2234 struct wpabuf * wpas_wps_nfc_token(struct wpa_supplicant *wpa_s, int ndef)
2235 {
2236 	if (wpa_s->conf->wps_nfc_pw_from_config) {
2237 		return wps_nfc_token_build(ndef,
2238 					   wpa_s->conf->wps_nfc_dev_pw_id,
2239 					   wpa_s->conf->wps_nfc_dh_pubkey,
2240 					   wpa_s->conf->wps_nfc_dev_pw);
2241 	}
2242 
2243 	return wps_nfc_token_gen(ndef, &wpa_s->conf->wps_nfc_dev_pw_id,
2244 				 &wpa_s->conf->wps_nfc_dh_pubkey,
2245 				 &wpa_s->conf->wps_nfc_dh_privkey,
2246 				 &wpa_s->conf->wps_nfc_dev_pw);
2247 }
2248 
2249 
2250 int wpas_wps_start_nfc(struct wpa_supplicant *wpa_s, const u8 *go_dev_addr,
2251 		       const u8 *bssid,
2252 		       const struct wpabuf *dev_pw, u16 dev_pw_id,
2253 		       int p2p_group, const u8 *peer_pubkey_hash,
2254 		       const u8 *ssid, size_t ssid_len, int freq)
2255 {
2256 	struct wps_context *wps = wpa_s->wps;
2257 	char pw[32 * 2 + 1];
2258 
2259 	if (dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER && dev_pw == NULL) {
2260 		dev_pw = wpa_s->conf->wps_nfc_dev_pw;
2261 		dev_pw_id = wpa_s->conf->wps_nfc_dev_pw_id;
2262 	}
2263 
2264 	if (wpa_s->conf->wps_nfc_dh_pubkey == NULL ||
2265 	    wpa_s->conf->wps_nfc_dh_privkey == NULL) {
2266 		wpa_printf(MSG_DEBUG, "WPS: Missing DH params - "
2267 			   "cannot start NFC-triggered connection");
2268 		return -1;
2269 	}
2270 
2271 	if (dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER && dev_pw == NULL) {
2272 		wpa_printf(MSG_DEBUG, "WPS: Missing Device Password (id=%u) - "
2273 			   "cannot start NFC-triggered connection", dev_pw_id);
2274 		return -1;
2275 	}
2276 
2277 	dh5_free(wps->dh_ctx);
2278 	wpabuf_free(wps->dh_pubkey);
2279 	wpabuf_free(wps->dh_privkey);
2280 	wps->dh_privkey = wpabuf_dup(wpa_s->conf->wps_nfc_dh_privkey);
2281 	wps->dh_pubkey = wpabuf_dup(wpa_s->conf->wps_nfc_dh_pubkey);
2282 	if (wps->dh_privkey == NULL || wps->dh_pubkey == NULL) {
2283 		wps->dh_ctx = NULL;
2284 		wpabuf_free(wps->dh_pubkey);
2285 		wps->dh_pubkey = NULL;
2286 		wpabuf_free(wps->dh_privkey);
2287 		wps->dh_privkey = NULL;
2288 		wpa_printf(MSG_DEBUG, "WPS: Failed to get DH priv/pub key");
2289 		return -1;
2290 	}
2291 	wps->dh_ctx = dh5_init_fixed(wps->dh_privkey, wps->dh_pubkey);
2292 	if (wps->dh_ctx == NULL) {
2293 		wpabuf_free(wps->dh_pubkey);
2294 		wps->dh_pubkey = NULL;
2295 		wpabuf_free(wps->dh_privkey);
2296 		wps->dh_privkey = NULL;
2297 		wpa_printf(MSG_DEBUG, "WPS: Failed to initialize DH context");
2298 		return -1;
2299 	}
2300 
2301 	if (dev_pw) {
2302 		wpa_snprintf_hex_uppercase(pw, sizeof(pw),
2303 					   wpabuf_head(dev_pw),
2304 					   wpabuf_len(dev_pw));
2305 	}
2306 	return wpas_wps_start_dev_pw(wpa_s, go_dev_addr, bssid,
2307 				     dev_pw ? pw : NULL,
2308 				     p2p_group, dev_pw_id, peer_pubkey_hash,
2309 				     ssid, ssid_len, freq);
2310 }
2311 
2312 
2313 static int wpas_wps_use_cred(struct wpa_supplicant *wpa_s,
2314 			     struct wps_parse_attr *attr)
2315 {
2316 	/*
2317 	 * Disable existing networks temporarily to allow the newly learned
2318 	 * credential to be preferred. Enable the temporarily disabled networks
2319 	 * after 10 seconds.
2320 	 */
2321 	wpas_wps_temp_disable(wpa_s, NULL);
2322 	eloop_register_timeout(10, 0, wpas_wps_reenable_networks_cb, wpa_s,
2323 			       NULL);
2324 
2325 	if (wps_oob_use_cred(wpa_s->wps, attr) < 0)
2326 		return -1;
2327 
2328 	if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED)
2329 		return 0;
2330 
2331 	if (attr->ap_channel) {
2332 		u16 chan = WPA_GET_BE16(attr->ap_channel);
2333 		int freq = 0;
2334 
2335 		if (chan >= 1 && chan <= 13)
2336 			freq = 2407 + 5 * chan;
2337 		else if (chan == 14)
2338 			freq = 2484;
2339 		else if (chan >= 30)
2340 			freq = 5000 + 5 * chan;
2341 
2342 		if (freq) {
2343 			wpa_printf(MSG_DEBUG, "WPS: Credential container indicated AP channel %u -> %u MHz",
2344 				   chan, freq);
2345 			wpa_s->after_wps = 5;
2346 			wpa_s->wps_freq = freq;
2347 		}
2348 	}
2349 
2350 	wpa_printf(MSG_DEBUG, "WPS: Request reconnection with new network "
2351 		   "based on the received credential added");
2352 	wpa_s->normal_scans = 0;
2353 	wpa_supplicant_reinit_autoscan(wpa_s);
2354 	wpa_s->disconnected = 0;
2355 	wpa_s->reassociate = 1;
2356 
2357 	wpa_supplicant_cancel_sched_scan(wpa_s);
2358 	wpa_supplicant_req_scan(wpa_s, 0, 0);
2359 
2360 	return 0;
2361 }
2362 
2363 
2364 #ifdef CONFIG_WPS_ER
2365 static int wpas_wps_add_nfc_password_token(struct wpa_supplicant *wpa_s,
2366 					   struct wps_parse_attr *attr)
2367 {
2368 	return wps_registrar_add_nfc_password_token(
2369 		wpa_s->wps->registrar, attr->oob_dev_password,
2370 		attr->oob_dev_password_len);
2371 }
2372 #endif /* CONFIG_WPS_ER */
2373 
2374 
2375 static int wpas_wps_nfc_tag_process(struct wpa_supplicant *wpa_s,
2376 				    const struct wpabuf *wps)
2377 {
2378 	struct wps_parse_attr attr;
2379 
2380 	wpa_hexdump_buf(MSG_DEBUG, "WPS: Received NFC tag payload", wps);
2381 
2382 	if (wps_parse_msg(wps, &attr)) {
2383 		wpa_printf(MSG_DEBUG, "WPS: Ignore invalid data from NFC tag");
2384 		return -1;
2385 	}
2386 
2387 	if (attr.num_cred)
2388 		return wpas_wps_use_cred(wpa_s, &attr);
2389 
2390 #ifdef CONFIG_WPS_ER
2391 	if (attr.oob_dev_password)
2392 		return wpas_wps_add_nfc_password_token(wpa_s, &attr);
2393 #endif /* CONFIG_WPS_ER */
2394 
2395 	wpa_printf(MSG_DEBUG, "WPS: Ignore unrecognized NFC tag");
2396 	return -1;
2397 }
2398 
2399 
2400 int wpas_wps_nfc_tag_read(struct wpa_supplicant *wpa_s,
2401 			  const struct wpabuf *data, int forced_freq)
2402 {
2403 	const struct wpabuf *wps = data;
2404 	struct wpabuf *tmp = NULL;
2405 	int ret;
2406 
2407 	if (wpabuf_len(data) < 4)
2408 		return -1;
2409 
2410 	if (*wpabuf_head_u8(data) != 0x10) {
2411 		/* Assume this contains full NDEF record */
2412 		tmp = ndef_parse_wifi(data);
2413 		if (tmp == NULL) {
2414 #ifdef CONFIG_P2P
2415 			tmp = ndef_parse_p2p(data);
2416 			if (tmp) {
2417 				ret = wpas_p2p_nfc_tag_process(wpa_s, tmp,
2418 							       forced_freq);
2419 				wpabuf_free(tmp);
2420 				return ret;
2421 			}
2422 #endif /* CONFIG_P2P */
2423 			wpa_printf(MSG_DEBUG, "WPS: Could not parse NDEF");
2424 			return -1;
2425 		}
2426 		wps = tmp;
2427 	}
2428 
2429 	ret = wpas_wps_nfc_tag_process(wpa_s, wps);
2430 	wpabuf_free(tmp);
2431 	return ret;
2432 }
2433 
2434 
2435 struct wpabuf * wpas_wps_nfc_handover_req(struct wpa_supplicant *wpa_s,
2436 					  int ndef)
2437 {
2438 	struct wpabuf *ret;
2439 
2440 	if (wpa_s->conf->wps_nfc_dh_pubkey == NULL &&
2441 	    wps_nfc_gen_dh(&wpa_s->conf->wps_nfc_dh_pubkey,
2442 			   &wpa_s->conf->wps_nfc_dh_privkey) < 0)
2443 		return NULL;
2444 
2445 	ret = wps_build_nfc_handover_req(wpa_s->wps,
2446 					 wpa_s->conf->wps_nfc_dh_pubkey);
2447 
2448 	if (ndef && ret) {
2449 		struct wpabuf *tmp;
2450 		tmp = ndef_build_wifi(ret);
2451 		wpabuf_free(ret);
2452 		if (tmp == NULL)
2453 			return NULL;
2454 		ret = tmp;
2455 	}
2456 
2457 	return ret;
2458 }
2459 
2460 
2461 #ifdef CONFIG_WPS_NFC
2462 
2463 static struct wpabuf *
2464 wpas_wps_er_nfc_handover_sel(struct wpa_supplicant *wpa_s, int ndef,
2465 			     const char *uuid)
2466 {
2467 #ifdef CONFIG_WPS_ER
2468 	struct wpabuf *ret;
2469 	u8 u[UUID_LEN], *use_uuid = NULL;
2470 	u8 addr[ETH_ALEN], *use_addr = NULL;
2471 	struct wps_context *wps = wpa_s->wps;
2472 
2473 	if (wps == NULL)
2474 		return NULL;
2475 
2476 	if (uuid == NULL)
2477 		return NULL;
2478 	if (uuid_str2bin(uuid, u) == 0)
2479 		use_uuid = u;
2480 	else if (hwaddr_aton(uuid, addr) == 0)
2481 		use_addr = addr;
2482 	else
2483 		return NULL;
2484 
2485 	if (wpa_s->conf->wps_nfc_dh_pubkey == NULL) {
2486 		if (wps_nfc_gen_dh(&wpa_s->conf->wps_nfc_dh_pubkey,
2487 				   &wpa_s->conf->wps_nfc_dh_privkey) < 0)
2488 			return NULL;
2489 	}
2490 
2491 	wpas_wps_nfc_clear(wps);
2492 	wps->ap_nfc_dev_pw_id = DEV_PW_NFC_CONNECTION_HANDOVER;
2493 	wps->ap_nfc_dh_pubkey = wpabuf_dup(wpa_s->conf->wps_nfc_dh_pubkey);
2494 	wps->ap_nfc_dh_privkey = wpabuf_dup(wpa_s->conf->wps_nfc_dh_privkey);
2495 	if (!wps->ap_nfc_dh_pubkey || !wps->ap_nfc_dh_privkey) {
2496 		wpas_wps_nfc_clear(wps);
2497 		return NULL;
2498 	}
2499 
2500 	ret = wps_er_nfc_handover_sel(wpa_s->wps_er, wpa_s->wps, use_uuid,
2501 				      use_addr, wpa_s->conf->wps_nfc_dh_pubkey);
2502 	if (ndef && ret) {
2503 		struct wpabuf *tmp;
2504 		tmp = ndef_build_wifi(ret);
2505 		wpabuf_free(ret);
2506 		if (tmp == NULL)
2507 			return NULL;
2508 		ret = tmp;
2509 	}
2510 
2511 	return ret;
2512 #else /* CONFIG_WPS_ER */
2513 	return NULL;
2514 #endif /* CONFIG_WPS_ER */
2515 }
2516 #endif /* CONFIG_WPS_NFC */
2517 
2518 
2519 struct wpabuf * wpas_wps_nfc_handover_sel(struct wpa_supplicant *wpa_s,
2520 					  int ndef, int cr, const char *uuid)
2521 {
2522 	struct wpabuf *ret;
2523 	if (!cr)
2524 		return NULL;
2525 	ret = wpas_ap_wps_nfc_handover_sel(wpa_s, ndef);
2526 	if (ret)
2527 		return ret;
2528 	return wpas_wps_er_nfc_handover_sel(wpa_s, ndef, uuid);
2529 }
2530 
2531 
2532 static int wpas_wps_nfc_rx_handover_sel(struct wpa_supplicant *wpa_s,
2533 					const struct wpabuf *data)
2534 {
2535 	struct wpabuf *wps;
2536 	int ret = -1;
2537 	u16 wsc_len;
2538 	const u8 *pos;
2539 	struct wpabuf msg;
2540 	struct wps_parse_attr attr;
2541 	u16 dev_pw_id;
2542 	const u8 *bssid = NULL;
2543 	int freq = 0;
2544 
2545 	wps = ndef_parse_wifi(data);
2546 	if (wps == NULL)
2547 		return -1;
2548 	wpa_printf(MSG_DEBUG, "WPS: Received application/vnd.wfa.wsc "
2549 		   "payload from NFC connection handover");
2550 	wpa_hexdump_buf(MSG_DEBUG, "WPS: NFC payload", wps);
2551 	if (wpabuf_len(wps) < 2) {
2552 		wpa_printf(MSG_DEBUG, "WPS: Too short Wi-Fi Handover Select "
2553 			   "Message");
2554 		goto out;
2555 	}
2556 	pos = wpabuf_head(wps);
2557 	wsc_len = WPA_GET_BE16(pos);
2558 	if (wsc_len > wpabuf_len(wps) - 2) {
2559 		wpa_printf(MSG_DEBUG, "WPS: Invalid WSC attribute length (%u) "
2560 			   "in Wi-Fi Handover Select Message", wsc_len);
2561 		goto out;
2562 	}
2563 	pos += 2;
2564 
2565 	wpa_hexdump(MSG_DEBUG,
2566 		    "WPS: WSC attributes in Wi-Fi Handover Select Message",
2567 		    pos, wsc_len);
2568 	if (wsc_len < wpabuf_len(wps) - 2) {
2569 		wpa_hexdump(MSG_DEBUG,
2570 			    "WPS: Ignore extra data after WSC attributes",
2571 			    pos + wsc_len, wpabuf_len(wps) - 2 - wsc_len);
2572 	}
2573 
2574 	wpabuf_set(&msg, pos, wsc_len);
2575 	ret = wps_parse_msg(&msg, &attr);
2576 	if (ret < 0) {
2577 		wpa_printf(MSG_DEBUG, "WPS: Could not parse WSC attributes in "
2578 			   "Wi-Fi Handover Select Message");
2579 		goto out;
2580 	}
2581 
2582 	if (attr.oob_dev_password == NULL ||
2583 	    attr.oob_dev_password_len < WPS_OOB_PUBKEY_HASH_LEN + 2) {
2584 		wpa_printf(MSG_DEBUG, "WPS: No Out-of-Band Device Password "
2585 			   "included in Wi-Fi Handover Select Message");
2586 		ret = -1;
2587 		goto out;
2588 	}
2589 
2590 	if (attr.ssid == NULL) {
2591 		wpa_printf(MSG_DEBUG, "WPS: No SSID included in Wi-Fi Handover "
2592 			   "Select Message");
2593 		ret = -1;
2594 		goto out;
2595 	}
2596 
2597 	wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID", attr.ssid, attr.ssid_len);
2598 
2599 	if (attr.mac_addr) {
2600 		bssid = attr.mac_addr;
2601 		wpa_printf(MSG_DEBUG, "WPS: MAC Address (BSSID): " MACSTR,
2602 			   MAC2STR(bssid));
2603 	}
2604 
2605 	if (attr.rf_bands)
2606 		wpa_printf(MSG_DEBUG, "WPS: RF Bands: %d", *attr.rf_bands);
2607 
2608 	if (attr.ap_channel) {
2609 		u16 chan = WPA_GET_BE16(attr.ap_channel);
2610 
2611 		wpa_printf(MSG_DEBUG, "WPS: AP Channel: %d", chan);
2612 
2613 		if (chan >= 1 && chan <= 13 &&
2614 		    (attr.rf_bands == NULL || *attr.rf_bands & WPS_RF_24GHZ))
2615 			freq = 2407 + 5 * chan;
2616 		else if (chan == 14 &&
2617 			 (attr.rf_bands == NULL ||
2618 			  *attr.rf_bands & WPS_RF_24GHZ))
2619 			freq = 2484;
2620 		else if (chan >= 30 &&
2621 			 (attr.rf_bands == NULL ||
2622 			  *attr.rf_bands & WPS_RF_50GHZ))
2623 			freq = 5000 + 5 * chan;
2624 		else if (chan >= 1 && chan <= 4 &&
2625 			 (attr.rf_bands == NULL ||
2626 			  *attr.rf_bands & WPS_RF_60GHZ))
2627 			freq = 56160 + 2160 * chan;
2628 
2629 		if (freq) {
2630 			wpa_printf(MSG_DEBUG,
2631 				   "WPS: AP indicated channel %u -> %u MHz",
2632 				   chan, freq);
2633 		}
2634 	}
2635 
2636 	wpa_hexdump(MSG_DEBUG, "WPS: Out-of-Band Device Password",
2637 		    attr.oob_dev_password, attr.oob_dev_password_len);
2638 	dev_pw_id = WPA_GET_BE16(attr.oob_dev_password +
2639 				 WPS_OOB_PUBKEY_HASH_LEN);
2640 	if (dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER) {
2641 		wpa_printf(MSG_DEBUG, "WPS: Unexpected OOB Device Password ID "
2642 			   "%u in Wi-Fi Handover Select Message", dev_pw_id);
2643 		ret = -1;
2644 		goto out;
2645 	}
2646 	wpa_hexdump(MSG_DEBUG, "WPS: AP Public Key hash",
2647 		    attr.oob_dev_password, WPS_OOB_PUBKEY_HASH_LEN);
2648 
2649 	ret = wpas_wps_start_nfc(wpa_s, NULL, bssid, NULL, dev_pw_id, 0,
2650 				 attr.oob_dev_password,
2651 				 attr.ssid, attr.ssid_len, freq);
2652 
2653 out:
2654 	wpabuf_free(wps);
2655 	return ret;
2656 }
2657 
2658 
2659 int wpas_wps_nfc_report_handover(struct wpa_supplicant *wpa_s,
2660 				 const struct wpabuf *req,
2661 				 const struct wpabuf *sel)
2662 {
2663 	wpa_printf(MSG_DEBUG, "NFC: WPS connection handover reported");
2664 	wpa_hexdump_buf_key(MSG_DEBUG, "WPS: Carrier record in request", req);
2665 	wpa_hexdump_buf_key(MSG_DEBUG, "WPS: Carrier record in select", sel);
2666 	return wpas_wps_nfc_rx_handover_sel(wpa_s, sel);
2667 }
2668 
2669 
2670 int wpas_er_wps_nfc_report_handover(struct wpa_supplicant *wpa_s,
2671 				    const struct wpabuf *req,
2672 				    const struct wpabuf *sel)
2673 {
2674 	struct wpabuf *wps;
2675 	int ret = -1;
2676 	u16 wsc_len;
2677 	const u8 *pos;
2678 	struct wpabuf msg;
2679 	struct wps_parse_attr attr;
2680 	u16 dev_pw_id;
2681 
2682 	/*
2683 	 * Enrollee/station is always initiator of the NFC connection handover,
2684 	 * so use the request message here to find Enrollee public key hash.
2685 	 */
2686 	wps = ndef_parse_wifi(req);
2687 	if (wps == NULL)
2688 		return -1;
2689 	wpa_printf(MSG_DEBUG, "WPS: Received application/vnd.wfa.wsc "
2690 		   "payload from NFC connection handover");
2691 	wpa_hexdump_buf(MSG_DEBUG, "WPS: NFC payload", wps);
2692 	if (wpabuf_len(wps) < 2) {
2693 		wpa_printf(MSG_DEBUG, "WPS: Too short Wi-Fi Handover Request "
2694 			   "Message");
2695 		goto out;
2696 	}
2697 	pos = wpabuf_head(wps);
2698 	wsc_len = WPA_GET_BE16(pos);
2699 	if (wsc_len > wpabuf_len(wps) - 2) {
2700 		wpa_printf(MSG_DEBUG, "WPS: Invalid WSC attribute length (%u) "
2701 			   "in rt Wi-Fi Handover Request Message", wsc_len);
2702 		goto out;
2703 	}
2704 	pos += 2;
2705 
2706 	wpa_hexdump(MSG_DEBUG,
2707 		    "WPS: WSC attributes in Wi-Fi Handover Request Message",
2708 		    pos, wsc_len);
2709 	if (wsc_len < wpabuf_len(wps) - 2) {
2710 		wpa_hexdump(MSG_DEBUG,
2711 			    "WPS: Ignore extra data after WSC attributes",
2712 			    pos + wsc_len, wpabuf_len(wps) - 2 - wsc_len);
2713 	}
2714 
2715 	wpabuf_set(&msg, pos, wsc_len);
2716 	ret = wps_parse_msg(&msg, &attr);
2717 	if (ret < 0) {
2718 		wpa_printf(MSG_DEBUG, "WPS: Could not parse WSC attributes in "
2719 			   "Wi-Fi Handover Request Message");
2720 		goto out;
2721 	}
2722 
2723 	if (attr.oob_dev_password == NULL ||
2724 	    attr.oob_dev_password_len < WPS_OOB_PUBKEY_HASH_LEN + 2) {
2725 		wpa_printf(MSG_DEBUG, "WPS: No Out-of-Band Device Password "
2726 			   "included in Wi-Fi Handover Request Message");
2727 		ret = -1;
2728 		goto out;
2729 	}
2730 
2731 	if (attr.uuid_e == NULL) {
2732 		wpa_printf(MSG_DEBUG, "WPS: No UUID-E included in Wi-Fi "
2733 			   "Handover Request Message");
2734 		ret = -1;
2735 		goto out;
2736 	}
2737 
2738 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", attr.uuid_e, WPS_UUID_LEN);
2739 
2740 	wpa_hexdump(MSG_DEBUG, "WPS: Out-of-Band Device Password",
2741 		    attr.oob_dev_password, attr.oob_dev_password_len);
2742 	dev_pw_id = WPA_GET_BE16(attr.oob_dev_password +
2743 				 WPS_OOB_PUBKEY_HASH_LEN);
2744 	if (dev_pw_id != DEV_PW_NFC_CONNECTION_HANDOVER) {
2745 		wpa_printf(MSG_DEBUG, "WPS: Unexpected OOB Device Password ID "
2746 			   "%u in Wi-Fi Handover Request Message", dev_pw_id);
2747 		ret = -1;
2748 		goto out;
2749 	}
2750 	wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Public Key hash",
2751 		    attr.oob_dev_password, WPS_OOB_PUBKEY_HASH_LEN);
2752 
2753 	ret = wps_registrar_add_nfc_pw_token(wpa_s->wps->registrar,
2754 					     attr.oob_dev_password,
2755 					     DEV_PW_NFC_CONNECTION_HANDOVER,
2756 					     NULL, 0, 1);
2757 
2758 out:
2759 	wpabuf_free(wps);
2760 	return ret;
2761 }
2762 
2763 #endif /* CONFIG_WPS_NFC */
2764 
2765 
2766 static void wpas_wps_dump_ap_info(struct wpa_supplicant *wpa_s)
2767 {
2768 	size_t i;
2769 	struct os_reltime now;
2770 
2771 	if (wpa_debug_level > MSG_DEBUG)
2772 		return;
2773 
2774 	if (wpa_s->wps_ap == NULL)
2775 		return;
2776 
2777 	os_get_reltime(&now);
2778 
2779 	for (i = 0; i < wpa_s->num_wps_ap; i++) {
2780 		struct wps_ap_info *ap = &wpa_s->wps_ap[i];
2781 		struct wpa_blacklist *e = wpa_blacklist_get(wpa_s, ap->bssid);
2782 
2783 		wpa_printf(MSG_DEBUG, "WPS: AP[%d] " MACSTR " type=%d "
2784 			   "tries=%d last_attempt=%d sec ago blacklist=%d",
2785 			   (int) i, MAC2STR(ap->bssid), ap->type, ap->tries,
2786 			   ap->last_attempt.sec > 0 ?
2787 			   (int) now.sec - (int) ap->last_attempt.sec : -1,
2788 			   e ? e->count : 0);
2789 	}
2790 }
2791 
2792 
2793 static struct wps_ap_info * wpas_wps_get_ap_info(struct wpa_supplicant *wpa_s,
2794 						 const u8 *bssid)
2795 {
2796 	size_t i;
2797 
2798 	if (wpa_s->wps_ap == NULL)
2799 		return NULL;
2800 
2801 	for (i = 0; i < wpa_s->num_wps_ap; i++) {
2802 		struct wps_ap_info *ap = &wpa_s->wps_ap[i];
2803 		if (os_memcmp(ap->bssid, bssid, ETH_ALEN) == 0)
2804 			return ap;
2805 	}
2806 
2807 	return NULL;
2808 }
2809 
2810 
2811 static void wpas_wps_update_ap_info_bss(struct wpa_supplicant *wpa_s,
2812 					struct wpa_scan_res *res)
2813 {
2814 	struct wpabuf *wps;
2815 	enum wps_ap_info_type type;
2816 	struct wps_ap_info *ap;
2817 	int r, pbc_active;
2818 	const u8 *uuid;
2819 
2820 	if (wpa_scan_get_vendor_ie(res, WPS_IE_VENDOR_TYPE) == NULL)
2821 		return;
2822 
2823 	wps = wpa_scan_get_vendor_ie_multi(res, WPS_IE_VENDOR_TYPE);
2824 	if (wps == NULL)
2825 		return;
2826 
2827 	r = wps_is_addr_authorized(wps, wpa_s->own_addr, 1);
2828 	if (r == 2)
2829 		type = WPS_AP_SEL_REG_OUR;
2830 	else if (r == 1)
2831 		type = WPS_AP_SEL_REG;
2832 	else
2833 		type = WPS_AP_NOT_SEL_REG;
2834 
2835 	uuid = wps_get_uuid_e(wps);
2836 	pbc_active = wps_is_selected_pbc_registrar(wps);
2837 
2838 	ap = wpas_wps_get_ap_info(wpa_s, res->bssid);
2839 	if (ap) {
2840 		if (ap->type != type) {
2841 			wpa_printf(MSG_DEBUG, "WPS: AP " MACSTR
2842 				   " changed type %d -> %d",
2843 				   MAC2STR(res->bssid), ap->type, type);
2844 			ap->type = type;
2845 			if (type != WPS_AP_NOT_SEL_REG)
2846 				wpa_blacklist_del(wpa_s, ap->bssid);
2847 		}
2848 		ap->pbc_active = pbc_active;
2849 		if (uuid)
2850 			os_memcpy(ap->uuid, uuid, WPS_UUID_LEN);
2851 		goto out;
2852 	}
2853 
2854 	ap = os_realloc_array(wpa_s->wps_ap, wpa_s->num_wps_ap + 1,
2855 			      sizeof(struct wps_ap_info));
2856 	if (ap == NULL)
2857 		goto out;
2858 
2859 	wpa_s->wps_ap = ap;
2860 	ap = &wpa_s->wps_ap[wpa_s->num_wps_ap];
2861 	wpa_s->num_wps_ap++;
2862 
2863 	os_memset(ap, 0, sizeof(*ap));
2864 	os_memcpy(ap->bssid, res->bssid, ETH_ALEN);
2865 	ap->type = type;
2866 	ap->pbc_active = pbc_active;
2867 	if (uuid)
2868 		os_memcpy(ap->uuid, uuid, WPS_UUID_LEN);
2869 	wpa_printf(MSG_DEBUG, "WPS: AP " MACSTR " type %d added",
2870 		   MAC2STR(ap->bssid), ap->type);
2871 
2872 out:
2873 	wpabuf_free(wps);
2874 }
2875 
2876 
2877 void wpas_wps_update_ap_info(struct wpa_supplicant *wpa_s,
2878 			     struct wpa_scan_results *scan_res)
2879 {
2880 	size_t i;
2881 
2882 	for (i = 0; i < scan_res->num; i++)
2883 		wpas_wps_update_ap_info_bss(wpa_s, scan_res->res[i]);
2884 
2885 	wpas_wps_dump_ap_info(wpa_s);
2886 }
2887 
2888 
2889 void wpas_wps_notify_assoc(struct wpa_supplicant *wpa_s, const u8 *bssid)
2890 {
2891 	struct wps_ap_info *ap;
2892 
2893 	wpa_s->after_wps = 0;
2894 
2895 	if (!wpa_s->wps_ap_iter)
2896 		return;
2897 	ap = wpas_wps_get_ap_info(wpa_s, bssid);
2898 	if (ap == NULL)
2899 		return;
2900 	ap->tries++;
2901 	os_get_reltime(&ap->last_attempt);
2902 }
2903