2 * EAP-WSC peer for Wi-Fi Protected Setup
3 * Copyright (c) 2007-2009, 2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
14 #include "eap_common/eap_wsc_common.h"
16 #include "wps/wps_defs.h"
20 enum { WAIT_START, MESG, FRAG_ACK, WAIT_FRAG_ACK, DONE, FAIL } state;
22 struct wpabuf *in_buf;
23 struct wpabuf *out_buf;
24 enum wsc_op_code in_op_code, out_op_code;
28 struct wps_context *wps_ctx;
32 static const char * eap_wsc_state_txt(int state)
42 return "WAIT_FRAG_ACK";
53 static void eap_wsc_state(struct eap_wsc_data *data, int state)
55 wpa_printf(MSG_DEBUG, "EAP-WSC: %s -> %s",
56 eap_wsc_state_txt(data->state),
57 eap_wsc_state_txt(state));
62 static int eap_wsc_new_ap_settings(struct wps_credential *cred,
65 const char *pos, *end;
68 os_memset(cred, 0, sizeof(*cred));
70 pos = os_strstr(params, "new_ssid=");
74 end = os_strchr(pos, ' ');
79 if ((len & 1) || len > 2 * sizeof(cred->ssid) ||
80 hexstr2bin(pos, cred->ssid, len / 2)) {
81 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid new_ssid");
84 cred->ssid_len = len / 2;
86 pos = os_strstr(params, "new_auth=");
88 wpa_printf(MSG_DEBUG, "EAP-WSC: Missing new_auth");
91 if (os_strncmp(pos + 9, "OPEN", 4) == 0)
92 cred->auth_type = WPS_AUTH_OPEN;
93 else if (os_strncmp(pos + 9, "WPAPSK", 6) == 0)
94 cred->auth_type = WPS_AUTH_WPAPSK;
95 else if (os_strncmp(pos + 9, "WPA2PSK", 7) == 0)
96 cred->auth_type = WPS_AUTH_WPA2PSK;
98 wpa_printf(MSG_DEBUG, "EAP-WSC: Unknown new_auth");
102 pos = os_strstr(params, "new_encr=");
104 wpa_printf(MSG_DEBUG, "EAP-WSC: Missing new_encr");
107 if (os_strncmp(pos + 9, "NONE", 4) == 0)
108 cred->encr_type = WPS_ENCR_NONE;
109 #ifdef CONFIG_TESTING_OPTIONS
110 else if (os_strncmp(pos + 9, "WEP", 3) == 0)
111 cred->encr_type = WPS_ENCR_WEP;
112 #endif /* CONFIG_TESTING_OPTIONS */
113 else if (os_strncmp(pos + 9, "TKIP", 4) == 0)
114 cred->encr_type = WPS_ENCR_TKIP;
115 else if (os_strncmp(pos + 9, "CCMP", 4) == 0)
116 cred->encr_type = WPS_ENCR_AES;
118 wpa_printf(MSG_DEBUG, "EAP-WSC: Unknown new_encr");
122 pos = os_strstr(params, "new_key=");
126 end = os_strchr(pos, ' ');
128 len = os_strlen(pos);
131 if ((len & 1) || len > 2 * sizeof(cred->key) ||
132 hexstr2bin(pos, cred->key, len / 2)) {
133 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid new_key");
136 cred->key_len = len / 2;
142 static void * eap_wsc_init(struct eap_sm *sm)
144 struct eap_wsc_data *data;
148 struct wps_config cfg;
149 const char *pos, *end;
151 struct wps_context *wps;
152 struct wps_credential new_ap_settings;
155 u8 pkhash[WPS_OOB_PUBKEY_HASH_LEN];
159 wpa_printf(MSG_ERROR, "EAP-WSC: WPS context not available");
163 identity = eap_get_config_identity(sm, &identity_len);
165 if (identity && identity_len == WSC_ID_REGISTRAR_LEN &&
166 os_memcmp(identity, WSC_ID_REGISTRAR, WSC_ID_REGISTRAR_LEN) == 0)
167 registrar = 1; /* Supplicant is Registrar */
168 else if (identity && identity_len == WSC_ID_ENROLLEE_LEN &&
169 os_memcmp(identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN) == 0)
170 registrar = 0; /* Supplicant is Enrollee */
172 wpa_hexdump_ascii(MSG_INFO, "EAP-WSC: Unexpected identity",
173 identity, identity_len);
177 data = os_zalloc(sizeof(*data));
180 data->state = registrar ? MESG : WAIT_START;
181 data->registrar = registrar;
184 os_memset(&cfg, 0, sizeof(cfg));
186 cfg.registrar = registrar;
188 phase1 = eap_get_config_phase1(sm);
189 if (phase1 == NULL) {
190 wpa_printf(MSG_INFO, "EAP-WSC: phase1 configuration data not "
196 pos = os_strstr(phase1, "pin=");
199 cfg.pin = (const u8 *) pos;
200 while (*pos != '\0' && *pos != ' ')
202 cfg.pin_len = pos - (const char *) cfg.pin;
203 if (cfg.pin_len == 6 &&
204 os_strncmp((const char *) cfg.pin, "nfc-pw", 6) == 0) {
210 pos = os_strstr(phase1, "pbc=1");
215 pos = os_strstr(phase1, "dev_pw_id=");
217 u16 id = atoi(pos + 10);
218 if (id == DEV_PW_NFC_CONNECTION_HANDOVER)
220 if (cfg.pin || id == DEV_PW_NFC_CONNECTION_HANDOVER)
224 if (cfg.pin == NULL && !cfg.pbc && !nfc) {
225 wpa_printf(MSG_INFO, "EAP-WSC: PIN or PBC not set in phase1 "
226 "configuration data");
231 pos = os_strstr(phase1, " pkhash=");
235 end = os_strchr(pos, ' ');
239 len = os_strlen(pos);
240 if (len != 2 * WPS_OOB_PUBKEY_HASH_LEN ||
241 hexstr2bin(pos, pkhash, WPS_OOB_PUBKEY_HASH_LEN)) {
242 wpa_printf(MSG_INFO, "EAP-WSC: Invalid pkhash");
246 cfg.peer_pubkey_hash = pkhash;
249 res = eap_wsc_new_ap_settings(&new_ap_settings, phase1);
252 wpa_printf(MSG_DEBUG, "EAP-WSC: Failed to parse new AP "
257 wpa_printf(MSG_DEBUG, "EAP-WSC: Provide new AP settings for "
259 cfg.new_ap_settings = &new_ap_settings;
262 data->wps = wps_init(&cfg);
263 if (data->wps == NULL) {
265 wpa_printf(MSG_DEBUG, "EAP-WSC: wps_init failed");
268 res = eap_get_config_fragment_size(sm);
270 data->fragment_size = res;
272 data->fragment_size = WSC_FRAGMENT_SIZE;
273 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment size limit %u",
274 (unsigned int) data->fragment_size);
276 if (registrar && cfg.pin) {
277 wps_registrar_add_pin(data->wps_ctx->registrar, NULL, NULL,
278 cfg.pin, cfg.pin_len, 0);
281 /* Use reduced client timeout for WPS to avoid long wait */
282 if (sm->ClientTimeout > 30)
283 sm->ClientTimeout = 30;
289 static void eap_wsc_deinit(struct eap_sm *sm, void *priv)
291 struct eap_wsc_data *data = priv;
292 wpabuf_free(data->in_buf);
293 wpabuf_free(data->out_buf);
294 wps_deinit(data->wps);
295 os_free(data->wps_ctx->network_key);
296 data->wps_ctx->network_key = NULL;
301 static struct wpabuf * eap_wsc_build_msg(struct eap_wsc_data *data,
302 struct eap_method_ret *ret, u8 id)
306 size_t send_len, plen;
309 wpa_printf(MSG_DEBUG, "EAP-WSC: Generating Response");
310 ret->allowNotifications = TRUE;
313 send_len = wpabuf_len(data->out_buf) - data->out_used;
314 if (2 + send_len > data->fragment_size) {
315 send_len = data->fragment_size - 2;
316 flags |= WSC_FLAGS_MF;
317 if (data->out_used == 0) {
318 flags |= WSC_FLAGS_LF;
323 if (flags & WSC_FLAGS_LF)
325 resp = eap_msg_alloc(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, plen,
326 EAP_CODE_RESPONSE, id);
330 wpabuf_put_u8(resp, data->out_op_code); /* Op-Code */
331 wpabuf_put_u8(resp, flags); /* Flags */
332 if (flags & WSC_FLAGS_LF)
333 wpabuf_put_be16(resp, wpabuf_len(data->out_buf));
335 wpabuf_put_data(resp, wpabuf_head_u8(data->out_buf) + data->out_used,
337 data->out_used += send_len;
339 ret->methodState = METHOD_MAY_CONT;
340 ret->decision = DECISION_FAIL;
342 if (data->out_used == wpabuf_len(data->out_buf)) {
343 wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
344 "(message sent completely)",
345 (unsigned long) send_len);
346 wpabuf_free(data->out_buf);
347 data->out_buf = NULL;
349 if ((data->state == FAIL && data->out_op_code == WSC_ACK) ||
350 data->out_op_code == WSC_NACK ||
351 data->out_op_code == WSC_Done) {
352 eap_wsc_state(data, FAIL);
353 ret->methodState = METHOD_DONE;
355 eap_wsc_state(data, MESG);
357 wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
358 "(%lu more to send)", (unsigned long) send_len,
359 (unsigned long) wpabuf_len(data->out_buf) -
361 eap_wsc_state(data, WAIT_FRAG_ACK);
368 static int eap_wsc_process_cont(struct eap_wsc_data *data,
369 const u8 *buf, size_t len, u8 op_code)
371 /* Process continuation of a pending message */
372 if (op_code != data->in_op_code) {
373 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d in "
374 "fragment (expected %d)",
375 op_code, data->in_op_code);
379 if (len > wpabuf_tailroom(data->in_buf)) {
380 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment overflow");
381 eap_wsc_state(data, FAIL);
385 wpabuf_put_data(data->in_buf, buf, len);
386 wpa_printf(MSG_DEBUG, "EAP-WSC: Received %lu bytes, waiting "
387 "for %lu bytes more", (unsigned long) len,
388 (unsigned long) wpabuf_tailroom(data->in_buf));
394 static struct wpabuf * eap_wsc_process_fragment(struct eap_wsc_data *data,
395 struct eap_method_ret *ret,
396 u8 id, u8 flags, u8 op_code,
398 const u8 *buf, size_t len)
400 /* Process a fragment that is not the last one of the message */
401 if (data->in_buf == NULL && !(flags & WSC_FLAGS_LF)) {
402 wpa_printf(MSG_DEBUG, "EAP-WSC: No Message Length field in a "
403 "fragmented packet");
408 if (data->in_buf == NULL) {
409 /* First fragment of the message */
410 data->in_buf = wpabuf_alloc(message_length);
411 if (data->in_buf == NULL) {
412 wpa_printf(MSG_DEBUG, "EAP-WSC: No memory for "
417 data->in_op_code = op_code;
418 wpabuf_put_data(data->in_buf, buf, len);
419 wpa_printf(MSG_DEBUG, "EAP-WSC: Received %lu bytes in first "
420 "fragment, waiting for %lu bytes more",
422 (unsigned long) wpabuf_tailroom(data->in_buf));
425 return eap_wsc_build_frag_ack(id, EAP_CODE_RESPONSE);
429 static struct wpabuf * eap_wsc_process(struct eap_sm *sm, void *priv,
430 struct eap_method_ret *ret,
431 const struct wpabuf *reqData)
433 struct eap_wsc_data *data = priv;
434 const u8 *start, *pos, *end;
436 u8 op_code, flags, id;
437 u16 message_length = 0;
438 enum wps_process_res res;
439 struct wpabuf tmpbuf;
442 pos = eap_hdr_validate(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, reqData,
444 if (pos == NULL || len < 2) {
449 id = eap_get_id(reqData);
456 if (flags & WSC_FLAGS_LF) {
458 wpa_printf(MSG_DEBUG, "EAP-WSC: Message underflow");
462 message_length = WPA_GET_BE16(pos);
465 if (message_length < end - pos || message_length > 50000) {
466 wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message "
473 wpa_printf(MSG_DEBUG, "EAP-WSC: Received packet: Op-Code %d "
474 "Flags 0x%x Message Length %d",
475 op_code, flags, message_length);
477 if (data->state == WAIT_FRAG_ACK) {
478 if (op_code != WSC_FRAG_ACK) {
479 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d "
480 "in WAIT_FRAG_ACK state", op_code);
484 wpa_printf(MSG_DEBUG, "EAP-WSC: Fragment acknowledged");
485 eap_wsc_state(data, MESG);
486 return eap_wsc_build_msg(data, ret, id);
489 if (op_code != WSC_ACK && op_code != WSC_NACK && op_code != WSC_MSG &&
490 op_code != WSC_Done && op_code != WSC_Start) {
491 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d",
497 if (data->state == WAIT_START) {
498 if (op_code != WSC_Start) {
499 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d "
500 "in WAIT_START state", op_code);
504 wpa_printf(MSG_DEBUG, "EAP-WSC: Received start");
505 eap_wsc_state(data, MESG);
506 /* Start message has empty payload, skip processing */
508 } else if (op_code == WSC_Start) {
509 wpa_printf(MSG_DEBUG, "EAP-WSC: Unexpected Op-Code %d",
516 eap_wsc_process_cont(data, pos, end - pos, op_code) < 0) {
521 if (flags & WSC_FLAGS_MF) {
522 return eap_wsc_process_fragment(data, ret, id, flags, op_code,
527 if (data->in_buf == NULL) {
528 /* Wrap unfragmented messages as wpabuf without extra copy */
529 wpabuf_set(&tmpbuf, pos, end - pos);
530 data->in_buf = &tmpbuf;
533 res = wps_process_msg(data->wps, op_code, data->in_buf);
536 wpa_printf(MSG_DEBUG, "EAP-WSC: WPS processing completed "
537 "successfully - wait for EAP failure");
538 eap_wsc_state(data, FAIL);
541 eap_wsc_state(data, MESG);
545 wpa_printf(MSG_DEBUG, "EAP-WSC: WPS processing failed");
546 eap_wsc_state(data, FAIL);
550 if (data->in_buf != &tmpbuf)
551 wpabuf_free(data->in_buf);
555 if (data->out_buf == NULL) {
556 data->out_buf = wps_get_msg(data->wps, &data->out_op_code);
557 if (data->out_buf == NULL) {
558 wpa_printf(MSG_DEBUG, "EAP-WSC: Failed to receive "
560 eap_wsc_state(data, FAIL);
561 ret->methodState = METHOD_DONE;
562 ret->decision = DECISION_FAIL;
568 eap_wsc_state(data, MESG);
569 r = eap_wsc_build_msg(data, ret, id);
570 if (data->state == FAIL && ret->methodState == METHOD_DONE) {
571 /* Use reduced client timeout for WPS to avoid long wait */
572 if (sm->ClientTimeout > 2)
573 sm->ClientTimeout = 2;
579 int eap_peer_wsc_register(void)
581 struct eap_method *eap;
584 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
585 EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC,
590 eap->init = eap_wsc_init;
591 eap->deinit = eap_wsc_deinit;
592 eap->process = eap_wsc_process;
594 ret = eap_peer_method_register(eap);
596 eap_peer_method_free(eap);