2 * Wi-Fi Protected Setup
3 * Copyright (c) 2007-2009, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_group5.h"
13 #include "common/ieee802_11_defs.h"
15 #include "wps_dev_attr.h"
18 #ifdef CONFIG_WPS_TESTING
19 int wps_version_number = 0x20;
20 int wps_testing_dummy_cred = 0;
21 int wps_corrupt_pkhash = 0;
22 int wps_force_auth_types_in_use = 0;
23 u16 wps_force_auth_types = 0;
24 int wps_force_encr_types_in_use = 0;
25 u16 wps_force_encr_types = 0;
26 #endif /* CONFIG_WPS_TESTING */
30 * wps_init - Initialize WPS Registration protocol data
31 * @cfg: WPS configuration
32 * Returns: Pointer to allocated data or %NULL on failure
34 * This function is used to initialize WPS data for a registration protocol
35 * instance (i.e., each run of registration protocol as a Registrar of
36 * Enrollee. The caller is responsible for freeing this data after the
37 * registration run has been completed by calling wps_deinit().
39 struct wps_data * wps_init(const struct wps_config *cfg)
41 struct wps_data *data = os_zalloc(sizeof(*data));
45 data->registrar = cfg->registrar;
47 os_memcpy(data->uuid_r, cfg->wps->uuid, WPS_UUID_LEN);
49 os_memcpy(data->mac_addr_e, cfg->wps->dev.mac_addr, ETH_ALEN);
50 os_memcpy(data->uuid_e, cfg->wps->uuid, WPS_UUID_LEN);
53 data->dev_pw_id = cfg->dev_pw_id;
54 data->dev_password = os_memdup(cfg->pin, cfg->pin_len);
55 if (data->dev_password == NULL) {
59 data->dev_password_len = cfg->pin_len;
60 wpa_hexdump_key(MSG_DEBUG, "WPS: AP PIN dev_password",
61 data->dev_password, data->dev_password_len);
65 if (cfg->pin == NULL &&
66 cfg->dev_pw_id == DEV_PW_NFC_CONNECTION_HANDOVER)
67 data->dev_pw_id = cfg->dev_pw_id;
69 if (cfg->wps->ap && !cfg->registrar && cfg->wps->ap_nfc_dev_pw_id) {
70 /* Keep AP PIN as alternative Device Password */
71 data->alt_dev_pw_id = data->dev_pw_id;
72 data->alt_dev_password = data->dev_password;
73 data->alt_dev_password_len = data->dev_password_len;
75 data->dev_pw_id = cfg->wps->ap_nfc_dev_pw_id;
77 os_memdup(wpabuf_head(cfg->wps->ap_nfc_dev_pw),
78 wpabuf_len(cfg->wps->ap_nfc_dev_pw));
79 if (data->dev_password == NULL) {
83 data->dev_password_len = wpabuf_len(cfg->wps->ap_nfc_dev_pw);
84 wpa_hexdump_key(MSG_DEBUG, "WPS: NFC dev_password",
85 data->dev_password, data->dev_password_len);
87 #endif /* CONFIG_WPS_NFC */
91 /* Use special PIN '00000000' for PBC */
92 data->dev_pw_id = DEV_PW_PUSHBUTTON;
93 bin_clear_free(data->dev_password, data->dev_password_len);
94 data->dev_password = (u8 *) os_strdup("00000000");
95 if (data->dev_password == NULL) {
99 data->dev_password_len = 8;
102 data->state = data->registrar ? RECV_M1 : SEND_M1;
104 if (cfg->assoc_wps_ie) {
105 struct wps_parse_attr attr;
106 wpa_hexdump_buf(MSG_DEBUG, "WPS: WPS IE from (Re)AssocReq",
108 if (wps_parse_msg(cfg->assoc_wps_ie, &attr) < 0) {
109 wpa_printf(MSG_DEBUG, "WPS: Failed to parse WPS IE "
110 "from (Re)AssocReq");
111 } else if (attr.request_type == NULL) {
112 wpa_printf(MSG_DEBUG, "WPS: No Request Type attribute "
113 "in (Re)AssocReq WPS IE");
115 wpa_printf(MSG_DEBUG, "WPS: Request Type (from WPS IE "
116 "in (Re)AssocReq WPS IE): %d",
118 data->request_type = *attr.request_type;
122 if (cfg->new_ap_settings) {
123 data->new_ap_settings =
124 os_memdup(cfg->new_ap_settings,
125 sizeof(*data->new_ap_settings));
126 if (data->new_ap_settings == NULL) {
127 bin_clear_free(data->dev_password,
128 data->dev_password_len);
135 os_memcpy(data->peer_dev.mac_addr, cfg->peer_addr, ETH_ALEN);
136 if (cfg->p2p_dev_addr)
137 os_memcpy(data->p2p_dev_addr, cfg->p2p_dev_addr, ETH_ALEN);
139 data->use_psk_key = cfg->use_psk_key;
140 data->pbc_in_m1 = cfg->pbc_in_m1;
142 if (cfg->peer_pubkey_hash) {
143 os_memcpy(data->peer_pubkey_hash, cfg->peer_pubkey_hash,
144 WPS_OOB_PUBKEY_HASH_LEN);
145 data->peer_pubkey_hash_set = 1;
148 data->multi_ap_backhaul_sta = cfg->multi_ap_backhaul_sta;
155 * wps_deinit - Deinitialize WPS Registration protocol data
156 * @data: WPS Registration protocol data from wps_init()
158 void wps_deinit(struct wps_data *data)
160 #ifdef CONFIG_WPS_NFC
161 if (data->registrar && data->nfc_pw_token)
162 wps_registrar_remove_nfc_pw_token(data->wps->registrar,
164 #endif /* CONFIG_WPS_NFC */
166 if (data->wps_pin_revealed) {
167 wpa_printf(MSG_DEBUG, "WPS: Full PIN information revealed and "
168 "negotiation failed");
170 wps_registrar_invalidate_pin(data->wps->registrar,
172 } else if (data->registrar)
173 wps_registrar_unlock_pin(data->wps->registrar, data->uuid_e);
175 wpabuf_clear_free(data->dh_privkey);
176 wpabuf_free(data->dh_pubkey_e);
177 wpabuf_free(data->dh_pubkey_r);
178 wpabuf_free(data->last_msg);
179 bin_clear_free(data->dev_password, data->dev_password_len);
180 bin_clear_free(data->alt_dev_password, data->alt_dev_password_len);
181 bin_clear_free(data->new_psk, data->new_psk_len);
182 wps_device_data_free(&data->peer_dev);
183 bin_clear_free(data->new_ap_settings, sizeof(*data->new_ap_settings));
184 dh5_free(data->dh_ctx);
190 * wps_process_msg - Process a WPS message
191 * @wps: WPS Registration protocol data from wps_init()
192 * @op_code: Message OP Code
194 * Returns: Processing result
196 * This function is used to process WPS messages with OP Codes WSC_ACK,
197 * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is
198 * responsible for reassembling the messages before calling this function.
199 * Response to this message is built by calling wps_get_msg().
201 enum wps_process_res wps_process_msg(struct wps_data *wps,
202 enum wsc_op_code op_code,
203 const struct wpabuf *msg)
206 return wps_registrar_process_msg(wps, op_code, msg);
208 return wps_enrollee_process_msg(wps, op_code, msg);
213 * wps_get_msg - Build a WPS message
214 * @wps: WPS Registration protocol data from wps_init()
215 * @op_code: Buffer for returning message OP Code
216 * Returns: The generated WPS message or %NULL on failure
218 * This function is used to build a response to a message processed by calling
219 * wps_process_msg(). The caller is responsible for freeing the buffer.
221 struct wpabuf * wps_get_msg(struct wps_data *wps, enum wsc_op_code *op_code)
224 return wps_registrar_get_msg(wps, op_code);
226 return wps_enrollee_get_msg(wps, op_code);
231 * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC
232 * @msg: WPS IE contents from Beacon or Probe Response frame
233 * Returns: 1 if PBC Registrar is active, 0 if not
235 int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
237 struct wps_parse_attr attr;
240 * In theory, this could also verify that attr.sel_reg_config_methods
241 * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations
242 * do not set Selected Registrar Config Methods attribute properly, so
243 * it is safer to just use Device Password ID here.
246 if (wps_parse_msg(msg, &attr) < 0 ||
247 !attr.selected_registrar || *attr.selected_registrar == 0 ||
248 !attr.dev_password_id ||
249 WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
252 #ifdef CONFIG_WPS_STRICT
253 if (!attr.sel_reg_config_methods ||
254 !(WPA_GET_BE16(attr.sel_reg_config_methods) &
255 WPS_CONFIG_PUSHBUTTON))
257 #endif /* CONFIG_WPS_STRICT */
263 static int is_selected_pin_registrar(struct wps_parse_attr *attr)
266 * In theory, this could also verify that attr.sel_reg_config_methods
267 * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD,
268 * but some deployed AP implementations do not set Selected Registrar
269 * Config Methods attribute properly, so it is safer to just use
270 * Device Password ID here.
273 if (!attr->selected_registrar || *attr->selected_registrar == 0)
276 if (attr->dev_password_id != NULL &&
277 WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
280 #ifdef CONFIG_WPS_STRICT
281 if (!attr->sel_reg_config_methods ||
282 !(WPA_GET_BE16(attr->sel_reg_config_methods) &
283 (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
285 #endif /* CONFIG_WPS_STRICT */
292 * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN
293 * @msg: WPS IE contents from Beacon or Probe Response frame
294 * Returns: 1 if PIN Registrar is active, 0 if not
296 int wps_is_selected_pin_registrar(const struct wpabuf *msg)
298 struct wps_parse_attr attr;
300 if (wps_parse_msg(msg, &attr) < 0)
303 return is_selected_pin_registrar(&attr);
308 * wps_is_addr_authorized - Check whether WPS IE authorizes MAC address
309 * @msg: WPS IE contents from Beacon or Probe Response frame
310 * @addr: MAC address to search for
311 * @ver1_compat: Whether to use version 1 compatibility mode
312 * Returns: 2 if the specified address is explicit authorized, 1 if address is
313 * authorized (broadcast), 0 if not
315 int wps_is_addr_authorized(const struct wpabuf *msg, const u8 *addr,
318 struct wps_parse_attr attr;
321 const u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
323 if (wps_parse_msg(msg, &attr) < 0)
326 if (!attr.version2 && ver1_compat) {
328 * Version 1.0 AP - AuthorizedMACs not used, so revert back to
329 * old mechanism of using SelectedRegistrar.
331 return is_selected_pin_registrar(&attr);
334 if (!attr.authorized_macs)
337 pos = attr.authorized_macs;
338 for (i = 0; i < attr.authorized_macs_len / ETH_ALEN; i++) {
339 if (os_memcmp(pos, addr, ETH_ALEN) == 0)
341 if (os_memcmp(pos, bcast, ETH_ALEN) == 0)
351 * wps_ap_priority_compar - Prioritize WPS IE from two APs
352 * @wps_a: WPS IE contents from Beacon or Probe Response frame
353 * @wps_b: WPS IE contents from Beacon or Probe Response frame
354 * Returns: 1 if wps_b is considered more likely selection for WPS
355 * provisioning, -1 if wps_a is considered more like, or 0 if no preference
357 int wps_ap_priority_compar(const struct wpabuf *wps_a,
358 const struct wpabuf *wps_b)
360 struct wps_parse_attr attr;
363 if (wps_a == NULL || wps_parse_msg(wps_a, &attr) < 0)
365 sel_a = attr.selected_registrar && *attr.selected_registrar != 0;
367 if (wps_b == NULL || wps_parse_msg(wps_b, &attr) < 0)
369 sel_b = attr.selected_registrar && *attr.selected_registrar != 0;
381 * wps_get_uuid_e - Get UUID-E from WPS IE
382 * @msg: WPS IE contents from Beacon or Probe Response frame
383 * Returns: Pointer to UUID-E or %NULL if not included
385 * The returned pointer is to the msg contents and it remains valid only as
386 * long as the msg buffer is valid.
388 const u8 * wps_get_uuid_e(const struct wpabuf *msg)
390 struct wps_parse_attr attr;
392 if (wps_parse_msg(msg, &attr) < 0)
399 * wps_is_20 - Check whether WPS attributes claim support for WPS 2.0
401 int wps_is_20(const struct wpabuf *msg)
403 struct wps_parse_attr attr;
405 if (msg == NULL || wps_parse_msg(msg, &attr) < 0)
407 return attr.version2 != NULL;
412 * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request
413 * @req_type: Value for Request Type attribute
414 * Returns: WPS IE or %NULL on failure
416 * The caller is responsible for freeing the buffer.
418 struct wpabuf * wps_build_assoc_req_ie(enum wps_request_type req_type)
423 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
425 ie = wpabuf_alloc(100);
429 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
430 len = wpabuf_put(ie, 1);
431 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
433 if (wps_build_version(ie) ||
434 wps_build_req_type(ie, req_type) ||
435 wps_build_wfa_ext(ie, 0, NULL, 0, 0)) {
440 *len = wpabuf_len(ie) - 2;
447 * wps_build_assoc_resp_ie - Build WPS IE for (Re)Association Response
448 * Returns: WPS IE or %NULL on failure
450 * The caller is responsible for freeing the buffer.
452 struct wpabuf * wps_build_assoc_resp_ie(void)
457 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
459 ie = wpabuf_alloc(100);
463 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
464 len = wpabuf_put(ie, 1);
465 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
467 if (wps_build_version(ie) ||
468 wps_build_resp_type(ie, WPS_RESP_AP) ||
469 wps_build_wfa_ext(ie, 0, NULL, 0, 0)) {
474 *len = wpabuf_len(ie) - 2;
481 * wps_build_probe_req_ie - Build WPS IE for Probe Request
482 * @pw_id: Password ID (DEV_PW_PUSHBUTTON for active PBC and DEV_PW_DEFAULT for
483 * most other use cases)
484 * @dev: Device attributes
486 * @req_type: Value for Request Type attribute
487 * @num_req_dev_types: Number of requested device types
488 * @req_dev_types: Requested device types (8 * num_req_dev_types octets) or
490 * Returns: WPS IE or %NULL on failure
492 * The caller is responsible for freeing the buffer.
494 struct wpabuf * wps_build_probe_req_ie(u16 pw_id, struct wps_device_data *dev,
496 enum wps_request_type req_type,
497 unsigned int num_req_dev_types,
498 const u8 *req_dev_types)
502 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request");
504 ie = wpabuf_alloc(500);
508 if (wps_build_version(ie) ||
509 wps_build_req_type(ie, req_type) ||
510 wps_build_config_methods(ie, dev->config_methods) ||
511 wps_build_uuid_e(ie, uuid) ||
512 wps_build_primary_dev_type(dev, ie) ||
513 wps_build_rf_bands(dev, ie, 0) ||
514 wps_build_assoc_state(NULL, ie) ||
515 wps_build_config_error(ie, WPS_CFG_NO_ERROR) ||
516 wps_build_dev_password_id(ie, pw_id) ||
517 wps_build_manufacturer(dev, ie) ||
518 wps_build_model_name(dev, ie) ||
519 wps_build_model_number(dev, ie) ||
520 wps_build_dev_name(dev, ie) ||
521 wps_build_wfa_ext(ie, req_type == WPS_REQ_ENROLLEE, NULL, 0, 0) ||
522 wps_build_req_dev_type(dev, ie, num_req_dev_types, req_dev_types)
524 wps_build_secondary_dev_type(dev, ie)
530 return wps_ie_encapsulate(ie);
534 void wps_free_pending_msgs(struct upnp_pending_message *msgs)
536 struct upnp_pending_message *p, *prev;
541 wpabuf_free(prev->msg);
547 int wps_attr_text(struct wpabuf *data, char *buf, char *end)
549 struct wps_parse_attr attr;
553 if (wps_parse_msg(data, &attr) < 0)
556 if (attr.wps_state) {
557 if (*attr.wps_state == WPS_STATE_NOT_CONFIGURED)
558 ret = os_snprintf(pos, end - pos,
559 "wps_state=unconfigured\n");
560 else if (*attr.wps_state == WPS_STATE_CONFIGURED)
561 ret = os_snprintf(pos, end - pos,
562 "wps_state=configured\n");
565 if (os_snprintf_error(end - pos, ret))
570 if (attr.ap_setup_locked && *attr.ap_setup_locked) {
571 ret = os_snprintf(pos, end - pos,
572 "wps_ap_setup_locked=1\n");
573 if (os_snprintf_error(end - pos, ret))
578 if (attr.selected_registrar && *attr.selected_registrar) {
579 ret = os_snprintf(pos, end - pos,
580 "wps_selected_registrar=1\n");
581 if (os_snprintf_error(end - pos, ret))
586 if (attr.dev_password_id) {
587 ret = os_snprintf(pos, end - pos,
588 "wps_device_password_id=%u\n",
589 WPA_GET_BE16(attr.dev_password_id));
590 if (os_snprintf_error(end - pos, ret))
595 if (attr.sel_reg_config_methods) {
596 ret = os_snprintf(pos, end - pos,
597 "wps_selected_registrar_config_methods="
599 WPA_GET_BE16(attr.sel_reg_config_methods));
600 if (os_snprintf_error(end - pos, ret))
605 if (attr.primary_dev_type) {
606 char devtype[WPS_DEV_TYPE_BUFSIZE];
607 ret = os_snprintf(pos, end - pos,
608 "wps_primary_device_type=%s\n",
609 wps_dev_type_bin2str(attr.primary_dev_type,
612 if (os_snprintf_error(end - pos, ret))
618 char *str = os_malloc(attr.dev_name_len + 1);
622 for (i = 0; i < attr.dev_name_len; i++) {
623 if (attr.dev_name[i] == 0 ||
624 is_ctrl_char(attr.dev_name[i]))
627 str[i] = attr.dev_name[i];
630 ret = os_snprintf(pos, end - pos, "wps_device_name=%s\n", str);
632 if (os_snprintf_error(end - pos, ret))
637 if (attr.config_methods) {
638 ret = os_snprintf(pos, end - pos,
639 "wps_config_methods=0x%04x\n",
640 WPA_GET_BE16(attr.config_methods));
641 if (os_snprintf_error(end - pos, ret))
650 const char * wps_ei_str(enum wps_error_indication ei)
653 case WPS_EI_NO_ERROR:
655 case WPS_EI_SECURITY_TKIP_ONLY_PROHIBITED:
656 return "TKIP Only Prohibited";
657 case WPS_EI_SECURITY_WEP_PROHIBITED:
658 return "WEP Prohibited";
659 case WPS_EI_AUTH_FAILURE:
660 return "Authentication Failure";