2 * Wi-Fi Protected Setup - Registrar
3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
20 #include "ieee802_11_defs.h"
23 #include "wps_dev_attr.h"
27 struct wps_uuid_pin *next;
28 u8 uuid[WPS_UUID_LEN];
36 static void wps_free_pin(struct wps_uuid_pin *pin)
43 static void wps_free_pins(struct wps_uuid_pin *pins)
45 struct wps_uuid_pin *pin, *prev;
56 struct wps_pbc_session {
57 struct wps_pbc_session *next;
59 u8 uuid_e[WPS_UUID_LEN];
60 struct os_time timestamp;
64 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc)
66 struct wps_pbc_session *prev;
76 struct wps_registrar {
77 struct wps_context *wps;
80 int selected_registrar;
82 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *psk,
84 int (*set_ie_cb)(void *ctx, const u8 *beacon_ie, size_t beacon_ie_len,
85 const u8 *probe_resp_ie, size_t probe_resp_ie_len);
86 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e,
87 const struct wps_device_data *dev);
90 struct wps_uuid_pin *pins;
91 struct wps_pbc_session *pbc_sessions;
95 static int wps_set_ie(struct wps_registrar *reg);
96 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx);
99 static void wps_registrar_add_pbc_session(struct wps_registrar *reg,
100 const u8 *addr, const u8 *uuid_e)
102 struct wps_pbc_session *pbc, *prev = NULL;
107 pbc = reg->pbc_sessions;
109 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
110 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
112 prev->next = pbc->next;
114 reg->pbc_sessions = pbc->next;
122 pbc = os_zalloc(sizeof(*pbc));
125 os_memcpy(pbc->addr, addr, ETH_ALEN);
127 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN);
130 pbc->next = reg->pbc_sessions;
131 reg->pbc_sessions = pbc;
132 pbc->timestamp = now;
134 /* remove entries that have timed out */
139 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) {
141 wps_free_pbc_sessions(pbc);
150 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
151 const u8 *addr, const u8 *uuid_e)
153 struct wps_pbc_session *pbc, *prev = NULL;
155 pbc = reg->pbc_sessions;
157 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
158 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
160 prev->next = pbc->next;
162 reg->pbc_sessions = pbc->next;
172 int wps_registrar_pbc_overlap(struct wps_registrar *reg,
173 const u8 *addr, const u8 *uuid_e)
176 struct wps_pbc_session *pbc;
181 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) {
182 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME)
184 if (addr == NULL || os_memcmp(addr, pbc->addr, ETH_ALEN) ||
186 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN))
193 return count > 1 ? 1 : 0;
197 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg)
199 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)",
201 wpabuf_put_be16(msg, ATTR_WPS_STATE);
202 wpabuf_put_be16(msg, 1);
203 wpabuf_put_u8(msg, wps->wps_state);
208 static int wps_build_ap_setup_locked(struct wps_context *wps,
211 if (wps->ap_setup_locked) {
212 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked");
213 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED);
214 wpabuf_put_be16(msg, 1);
215 wpabuf_put_u8(msg, 1);
221 static int wps_build_selected_registrar(struct wps_registrar *reg,
224 if (!reg->selected_registrar)
226 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar");
227 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR);
228 wpabuf_put_be16(msg, 1);
229 wpabuf_put_u8(msg, 1);
234 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg,
237 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
238 if (!reg->selected_registrar)
240 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id);
241 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID);
242 wpabuf_put_be16(msg, 2);
243 wpabuf_put_be16(msg, id);
248 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg,
252 if (!reg->selected_registrar)
254 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
256 methods |= WPS_CONFIG_PUSHBUTTON;
257 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)",
259 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS);
260 wpabuf_put_be16(msg, 2);
261 wpabuf_put_be16(msg, methods);
266 static int wps_build_probe_config_methods(struct wps_registrar *reg,
271 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods);
272 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS);
273 wpabuf_put_be16(msg, 2);
274 wpabuf_put_be16(msg, methods);
279 static int wps_build_config_methods_r(struct wps_registrar *reg,
283 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
285 methods |= WPS_CONFIG_PUSHBUTTON;
286 return wps_build_config_methods(msg, methods);
290 static int wps_build_resp_type(struct wps_registrar *reg, struct wpabuf *msg)
292 u8 resp = reg->wps->ap ? WPS_RESP_AP : WPS_RESP_REGISTRAR;
293 wpa_printf(MSG_DEBUG, "WPS: * Response Type (%d)", resp);
294 wpabuf_put_be16(msg, ATTR_RESPONSE_TYPE);
295 wpabuf_put_be16(msg, 1);
296 wpabuf_put_u8(msg, resp);
301 struct wps_registrar *
302 wps_registrar_init(struct wps_context *wps,
303 const struct wps_registrar_config *cfg)
305 struct wps_registrar *reg = os_zalloc(sizeof(*reg));
310 reg->new_psk_cb = cfg->new_psk_cb;
311 reg->set_ie_cb = cfg->set_ie_cb;
312 reg->pin_needed_cb = cfg->pin_needed_cb;
313 reg->cb_ctx = cfg->cb_ctx;
315 if (wps_set_ie(reg)) {
316 wps_registrar_deinit(reg);
324 void wps_registrar_deinit(struct wps_registrar *reg)
328 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
329 wps_free_pins(reg->pins);
330 wps_free_pbc_sessions(reg->pbc_sessions);
335 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *uuid,
336 const u8 *pin, size_t pin_len)
338 struct wps_uuid_pin *p;
340 p = os_zalloc(sizeof(*p));
344 p->wildcard_uuid = 1;
346 os_memcpy(p->uuid, uuid, WPS_UUID_LEN);
347 p->pin = os_malloc(pin_len);
348 if (p->pin == NULL) {
352 os_memcpy(p->pin, pin, pin_len);
353 p->pin_len = pin_len;
358 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured");
359 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN);
360 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len);
361 reg->selected_registrar = 1;
369 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid)
371 struct wps_uuid_pin *pin, *prev;
376 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
378 reg->pins = pin->next;
380 prev->next = pin->next;
381 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
382 pin->uuid, WPS_UUID_LEN);
394 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
395 const u8 *uuid, size_t *pin_len)
397 struct wps_uuid_pin *pin;
401 if (!pin->wildcard_uuid &&
402 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0)
408 /* Check for wildcard UUIDs since none of the UUID-specific
412 if (pin->wildcard_uuid == 1) {
413 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
414 "PIN. Assigned it for this UUID-E");
415 pin->wildcard_uuid = 2;
416 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
427 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN
428 * that could otherwise avoid PIN invalidations.
431 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not "
432 "allow concurrent re-use");
435 *pin_len = pin->pin_len;
441 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
443 struct wps_uuid_pin *pin;
447 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
448 if (pin->wildcard_uuid == 2) {
449 wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
451 return wps_registrar_invalidate_pin(reg, uuid);
463 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx)
465 struct wps_registrar *reg = eloop_ctx;
467 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode");
468 reg->selected_registrar = 0;
474 int wps_registrar_button_pushed(struct wps_registrar *reg)
476 if (wps_registrar_pbc_overlap(reg, NULL, NULL)) {
477 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC "
481 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started");
482 reg->selected_registrar = 1;
486 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
487 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout,
493 static void wps_registrar_pbc_completed(struct wps_registrar *reg)
495 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode");
496 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
497 reg->selected_registrar = 0;
503 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
504 const struct wpabuf *wps_data)
506 struct wps_parse_attr attr;
509 wpa_hexdump_buf(MSG_MSGDUMP,
510 "WPS: Probe Request with WPS data received",
513 if (wps_parse_msg(wps_data, &attr) < 0 ||
514 attr.version == NULL || *attr.version != WPS_VERSION) {
515 wpa_printf(MSG_DEBUG, "WPS: Unsupported ProbeReq WPS IE "
516 "version 0x%x", attr.version ? *attr.version : 0);
520 if (attr.config_methods == NULL) {
521 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in "
526 methods = WPA_GET_BE16(attr.config_methods);
527 if (!(methods & WPS_CONFIG_PUSHBUTTON))
528 return; /* Not PBC */
530 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
531 MACSTR, MAC2STR(addr));
533 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
537 static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr,
538 const u8 *psk, size_t psk_len)
540 if (reg->new_psk_cb == NULL)
543 return reg->new_psk_cb(reg->cb_ctx, mac_addr, psk, psk_len);
547 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e,
548 const struct wps_device_data *dev)
550 if (reg->pin_needed_cb == NULL)
553 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev);
557 static int wps_cb_set_ie(struct wps_registrar *reg,
558 const struct wpabuf *beacon_ie,
559 const struct wpabuf *probe_resp_ie)
561 if (reg->set_ie_cb == NULL)
564 return reg->set_ie_cb(reg->cb_ctx, wpabuf_head(beacon_ie),
565 wpabuf_len(beacon_ie),
566 wpabuf_head(probe_resp_ie),
567 wpabuf_len(probe_resp_ie));
571 /* Encapsulate WPS IE data with one (or more, if needed) IE headers */
572 static struct wpabuf * wps_ie_encapsulate(struct wpabuf *data)
577 ie = wpabuf_alloc(wpabuf_len(data) + 100);
583 pos = wpabuf_head(data);
584 end = pos + wpabuf_len(data);
587 size_t frag_len = end - pos;
590 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
591 wpabuf_put_u8(ie, 4 + frag_len);
592 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
593 wpabuf_put_data(ie, pos, frag_len);
603 static int wps_set_ie(struct wps_registrar *reg)
605 struct wpabuf *beacon;
606 struct wpabuf *probe;
609 wpa_printf(MSG_DEBUG, "WPS: Build Beacon and Probe Response IEs");
611 beacon = wpabuf_alloc(300);
614 probe = wpabuf_alloc(400);
620 if (wps_build_version(beacon) ||
621 wps_build_wps_state(reg->wps, beacon) ||
622 wps_build_ap_setup_locked(reg->wps, beacon) ||
623 wps_build_selected_registrar(reg, beacon) ||
624 wps_build_sel_reg_dev_password_id(reg, beacon) ||
625 wps_build_sel_reg_config_methods(reg, beacon) ||
626 wps_build_version(probe) ||
627 wps_build_wps_state(reg->wps, probe) ||
628 wps_build_ap_setup_locked(reg->wps, probe) ||
629 wps_build_selected_registrar(reg, probe) ||
630 wps_build_sel_reg_dev_password_id(reg, probe) ||
631 wps_build_sel_reg_config_methods(reg, probe) ||
632 wps_build_resp_type(reg, probe) ||
633 wps_build_uuid_e(probe, reg->wps->uuid) ||
634 wps_build_device_attrs(®->wps->dev, probe) ||
635 wps_build_probe_config_methods(reg, probe) ||
636 wps_build_rf_bands(®->wps->dev, probe)) {
642 beacon = wps_ie_encapsulate(beacon);
643 probe = wps_ie_encapsulate(probe);
645 if (!beacon || !probe) {
651 ret = wps_cb_set_ie(reg, beacon, probe);
659 static int wps_get_dev_password(struct wps_data *wps)
664 os_free(wps->dev_password);
665 wps->dev_password = NULL;
668 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC");
669 pin = (const u8 *) "00000000";
672 pin = wps_registrar_get_pin(wps->registrar, wps->uuid_e,
676 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for "
678 wps_cb_pin_needed(wps->registrar, wps->uuid_e, &wps->peer_dev);
682 wps->dev_password = os_malloc(pin_len);
683 if (wps->dev_password == NULL)
685 os_memcpy(wps->dev_password, pin, pin_len);
686 wps->dev_password_len = pin_len;
692 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg)
694 wpa_printf(MSG_DEBUG, "WPS: * UUID-R");
695 wpabuf_put_be16(msg, ATTR_UUID_R);
696 wpabuf_put_be16(msg, WPS_UUID_LEN);
697 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN);
702 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg)
708 if (os_get_random(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0)
710 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN);
711 wpa_hexdump(MSG_DEBUG, "WPS: R-S2",
712 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN);
714 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) {
715 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for "
716 "R-Hash derivation");
720 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1");
721 wpabuf_put_be16(msg, ATTR_R_HASH1);
722 wpabuf_put_be16(msg, SHA256_MAC_LEN);
723 hash = wpabuf_put(msg, SHA256_MAC_LEN);
724 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */
725 addr[0] = wps->snonce;
726 len[0] = WPS_SECRET_NONCE_LEN;
728 len[1] = WPS_PSK_LEN;
729 addr[2] = wpabuf_head(wps->dh_pubkey_e);
730 len[2] = wpabuf_len(wps->dh_pubkey_e);
731 addr[3] = wpabuf_head(wps->dh_pubkey_r);
732 len[3] = wpabuf_len(wps->dh_pubkey_r);
733 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
734 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN);
736 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2");
737 wpabuf_put_be16(msg, ATTR_R_HASH2);
738 wpabuf_put_be16(msg, SHA256_MAC_LEN);
739 hash = wpabuf_put(msg, SHA256_MAC_LEN);
740 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */
741 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN;
743 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
744 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN);
750 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg)
752 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1");
753 wpabuf_put_be16(msg, ATTR_R_SNONCE1);
754 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
755 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN);
760 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg)
762 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2");
763 wpabuf_put_be16(msg, ATTR_R_SNONCE2);
764 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
765 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN,
766 WPS_SECRET_NONCE_LEN);
771 static int wps_build_cred_network_idx(struct wpabuf *msg,
772 struct wps_credential *cred)
774 wpa_printf(MSG_DEBUG, "WPS: * Network Index");
775 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX);
776 wpabuf_put_be16(msg, 1);
777 wpabuf_put_u8(msg, 0);
782 static int wps_build_cred_ssid(struct wpabuf *msg,
783 struct wps_credential *cred)
785 wpa_printf(MSG_DEBUG, "WPS: * SSID");
786 wpabuf_put_be16(msg, ATTR_SSID);
787 wpabuf_put_be16(msg, cred->ssid_len);
788 wpabuf_put_data(msg, cred->ssid, cred->ssid_len);
793 static int wps_build_cred_auth_type(struct wpabuf *msg,
794 struct wps_credential *cred)
796 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)",
798 wpabuf_put_be16(msg, ATTR_AUTH_TYPE);
799 wpabuf_put_be16(msg, 2);
800 wpabuf_put_be16(msg, cred->auth_type);
805 static int wps_build_cred_encr_type(struct wpabuf *msg,
806 struct wps_credential *cred)
808 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)",
810 wpabuf_put_be16(msg, ATTR_ENCR_TYPE);
811 wpabuf_put_be16(msg, 2);
812 wpabuf_put_be16(msg, cred->encr_type);
817 static int wps_build_cred_network_key(struct wpabuf *msg,
818 struct wps_credential *cred)
820 wpa_printf(MSG_DEBUG, "WPS: * Network Key");
821 wpabuf_put_be16(msg, ATTR_NETWORK_KEY);
822 wpabuf_put_be16(msg, cred->key_len);
823 wpabuf_put_data(msg, cred->key, cred->key_len);
828 static int wps_build_cred_mac_addr(struct wpabuf *msg,
829 struct wps_credential *cred)
831 wpa_printf(MSG_DEBUG, "WPS: * MAC Address");
832 wpabuf_put_be16(msg, ATTR_MAC_ADDR);
833 wpabuf_put_be16(msg, ETH_ALEN);
834 wpabuf_put_data(msg, cred->mac_addr, ETH_ALEN);
839 static int wps_build_credential(struct wpabuf *msg,
840 struct wps_credential *cred)
842 if (wps_build_cred_network_idx(msg, cred) ||
843 wps_build_cred_ssid(msg, cred) ||
844 wps_build_cred_auth_type(msg, cred) ||
845 wps_build_cred_encr_type(msg, cred) ||
846 wps_build_cred_network_key(msg, cred) ||
847 wps_build_cred_mac_addr(msg, cred))
853 static int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
857 wpa_printf(MSG_DEBUG, "WPS: * Credential");
858 os_memset(&wps->cred, 0, sizeof(wps->cred));
860 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
861 wps->cred.ssid_len = wps->wps->ssid_len;
863 /* Select the best authentication and encryption type */
864 if (wps->auth_type & WPS_AUTH_WPA2PSK)
865 wps->auth_type = WPS_AUTH_WPA2PSK;
866 else if (wps->auth_type & WPS_AUTH_WPAPSK)
867 wps->auth_type = WPS_AUTH_WPAPSK;
868 else if (wps->auth_type & WPS_AUTH_OPEN)
869 wps->auth_type = WPS_AUTH_OPEN;
870 else if (wps->auth_type & WPS_AUTH_SHARED)
871 wps->auth_type = WPS_AUTH_SHARED;
873 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x",
877 wps->cred.auth_type = wps->auth_type;
879 if (wps->auth_type == WPS_AUTH_WPA2PSK ||
880 wps->auth_type == WPS_AUTH_WPAPSK) {
881 if (wps->encr_type & WPS_ENCR_AES)
882 wps->encr_type = WPS_ENCR_AES;
883 else if (wps->encr_type & WPS_ENCR_TKIP)
884 wps->encr_type = WPS_ENCR_TKIP;
886 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
887 "type for WPA/WPA2");
891 if (wps->encr_type & WPS_ENCR_WEP)
892 wps->encr_type = WPS_ENCR_WEP;
893 else if (wps->encr_type & WPS_ENCR_NONE)
894 wps->encr_type = WPS_ENCR_NONE;
896 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
897 "type for non-WPA/WPA2 mode");
901 wps->cred.encr_type = wps->encr_type;
902 os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
904 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap) {
906 /* Generate a random passphrase */
907 if (os_get_random(r, sizeof(r)) < 0)
909 os_free(wps->new_psk);
910 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len);
911 if (wps->new_psk == NULL)
913 wps->new_psk_len--; /* remove newline */
914 while (wps->new_psk_len &&
915 wps->new_psk[wps->new_psk_len - 1] == '=')
917 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase",
918 wps->new_psk, wps->new_psk_len);
919 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len);
920 wps->cred.key_len = wps->new_psk_len;
921 } else if (wps->wps->network_key) {
922 os_memcpy(wps->cred.key, wps->wps->network_key,
923 wps->wps->network_key_len);
924 wps->cred.key_len = wps->wps->network_key_len;
925 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
927 /* Generate a random per-device PSK */
928 os_free(wps->new_psk);
929 wps->new_psk_len = 32;
930 wps->new_psk = os_malloc(wps->new_psk_len);
931 if (wps->new_psk == NULL)
933 if (os_get_random(wps->new_psk, wps->new_psk_len) < 0) {
934 os_free(wps->new_psk);
938 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK",
939 wps->new_psk, wps->new_psk_len);
940 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk,
942 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2);
943 wps->cred.key_len = wps->new_psk_len * 2;
946 cred = wpabuf_alloc(200);
950 if (wps_build_credential(cred, &wps->cred)) {
955 wpabuf_put_be16(msg, ATTR_CRED);
956 wpabuf_put_be16(msg, wpabuf_len(cred));
957 wpabuf_put_buf(msg, cred);
964 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg)
966 wpa_printf(MSG_DEBUG, "WPS: * AP Settings");
968 if (wps_build_credential(msg, &wps->cred))
975 static struct wpabuf * wps_build_m2(struct wps_data *wps)
979 if (os_get_random(wps->nonce_r, WPS_NONCE_LEN) < 0)
981 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce",
982 wps->nonce_r, WPS_NONCE_LEN);
983 os_memcpy(wps->uuid_r, wps->wps->uuid, WPS_UUID_LEN);
984 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
986 wpa_printf(MSG_DEBUG, "WPS: Building Message M2");
987 msg = wpabuf_alloc(1000);
991 if (wps_build_version(msg) ||
992 wps_build_msg_type(msg, WPS_M2) ||
993 wps_build_enrollee_nonce(wps, msg) ||
994 wps_build_registrar_nonce(wps, msg) ||
995 wps_build_uuid_r(wps, msg) ||
996 wps_build_public_key(wps, msg) ||
997 wps_derive_keys(wps) ||
998 wps_build_auth_type_flags(wps, msg) ||
999 wps_build_encr_type_flags(wps, msg) ||
1000 wps_build_conn_type_flags(wps, msg) ||
1001 wps_build_config_methods_r(wps->registrar, msg) ||
1002 wps_build_device_attrs(&wps->wps->dev, msg) ||
1003 wps_build_rf_bands(&wps->wps->dev, msg) ||
1004 wps_build_assoc_state(wps, msg) ||
1005 wps_build_config_error(msg, WPS_CFG_NO_ERROR) ||
1006 wps_build_dev_password_id(msg, DEV_PW_DEFAULT) ||
1007 wps_build_os_version(&wps->wps->dev, msg) ||
1008 wps_build_authenticator(wps, msg)) {
1013 wps->state = RECV_M3;
1018 static struct wpabuf * wps_build_m2d(struct wps_data *wps)
1021 u16 err = WPS_CFG_NO_ERROR;
1023 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D");
1024 msg = wpabuf_alloc(1000);
1028 if (wps->authenticator && wps->wps->ap_setup_locked)
1029 err = WPS_CFG_SETUP_LOCKED;
1031 if (wps_build_version(msg) ||
1032 wps_build_msg_type(msg, WPS_M2D) ||
1033 wps_build_enrollee_nonce(wps, msg) ||
1034 wps_build_registrar_nonce(wps, msg) ||
1035 wps_build_uuid_r(wps, msg) ||
1036 wps_build_auth_type_flags(wps, msg) ||
1037 wps_build_encr_type_flags(wps, msg) ||
1038 wps_build_conn_type_flags(wps, msg) ||
1039 wps_build_config_methods_r(wps->registrar, msg) ||
1040 wps_build_device_attrs(&wps->wps->dev, msg) ||
1041 wps_build_rf_bands(&wps->wps->dev, msg) ||
1042 wps_build_assoc_state(wps, msg) ||
1043 wps_build_config_error(msg, err) ||
1044 wps_build_os_version(&wps->wps->dev, msg)) {
1049 wps->state = RECV_M2D_ACK;
1054 static struct wpabuf * wps_build_m4(struct wps_data *wps)
1056 struct wpabuf *msg, *plain;
1058 wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
1060 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
1062 plain = wpabuf_alloc(200);
1066 msg = wpabuf_alloc(1000);
1072 if (wps_build_version(msg) ||
1073 wps_build_msg_type(msg, WPS_M4) ||
1074 wps_build_enrollee_nonce(wps, msg) ||
1075 wps_build_r_hash(wps, msg) ||
1076 wps_build_r_snonce1(wps, plain) ||
1077 wps_build_key_wrap_auth(wps, plain) ||
1078 wps_build_encr_settings(wps, msg, plain) ||
1079 wps_build_authenticator(wps, msg)) {
1086 wps->state = RECV_M5;
1091 static struct wpabuf * wps_build_m6(struct wps_data *wps)
1093 struct wpabuf *msg, *plain;
1095 wpa_printf(MSG_DEBUG, "WPS: Building Message M6");
1097 plain = wpabuf_alloc(200);
1101 msg = wpabuf_alloc(1000);
1107 if (wps_build_version(msg) ||
1108 wps_build_msg_type(msg, WPS_M6) ||
1109 wps_build_enrollee_nonce(wps, msg) ||
1110 wps_build_r_snonce2(wps, plain) ||
1111 wps_build_key_wrap_auth(wps, plain) ||
1112 wps_build_encr_settings(wps, msg, plain) ||
1113 wps_build_authenticator(wps, msg)) {
1120 wps->wps_pin_revealed = 1;
1121 wps->state = RECV_M7;
1126 static struct wpabuf * wps_build_m8(struct wps_data *wps)
1128 struct wpabuf *msg, *plain;
1130 wpa_printf(MSG_DEBUG, "WPS: Building Message M8");
1132 plain = wpabuf_alloc(500);
1136 msg = wpabuf_alloc(1000);
1142 if (wps_build_version(msg) ||
1143 wps_build_msg_type(msg, WPS_M8) ||
1144 wps_build_enrollee_nonce(wps, msg) ||
1145 (wps->wps->ap && wps_build_cred(wps, plain)) ||
1146 (!wps->wps->ap && wps_build_ap_settings(wps, plain)) ||
1147 wps_build_key_wrap_auth(wps, plain) ||
1148 wps_build_encr_settings(wps, msg, plain) ||
1149 wps_build_authenticator(wps, msg)) {
1156 wps->state = RECV_DONE;
1161 static struct wpabuf * wps_build_wsc_ack(struct wps_data *wps)
1165 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_ACK");
1167 msg = wpabuf_alloc(1000);
1171 if (wps_build_version(msg) ||
1172 wps_build_msg_type(msg, WPS_WSC_ACK) ||
1173 wps_build_enrollee_nonce(wps, msg) ||
1174 wps_build_registrar_nonce(wps, msg)) {
1183 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, u8 *op_code)
1187 switch (wps->state) {
1189 if (wps_get_dev_password(wps) < 0)
1190 msg = wps_build_m2d(wps);
1192 msg = wps_build_m2(wps);
1196 msg = wps_build_m2d(wps);
1200 msg = wps_build_m4(wps);
1204 msg = wps_build_m6(wps);
1208 msg = wps_build_m8(wps);
1212 msg = wps_build_wsc_ack(wps);
1216 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building "
1217 "a message", wps->state);
1222 if (*op_code == WSC_MSG && msg) {
1223 /* Save a copy of the last message for Authenticator derivation
1225 wpabuf_free(wps->last_msg);
1226 wps->last_msg = wpabuf_dup(msg);
1233 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce)
1235 if (e_nonce == NULL) {
1236 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received");
1240 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN);
1241 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce",
1242 wps->nonce_e, WPS_NONCE_LEN);
1248 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce)
1250 if (r_nonce == NULL) {
1251 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received");
1255 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) {
1256 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received");
1264 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e)
1266 if (uuid_e == NULL) {
1267 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received");
1271 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN);
1272 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN);
1278 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id)
1280 if (pw_id == NULL) {
1281 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received");
1285 wps->dev_pw_id = WPA_GET_BE16(pw_id);
1286 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id);
1292 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1)
1294 if (e_hash1 == NULL) {
1295 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received");
1299 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN);
1300 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
1306 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2)
1308 if (e_hash2 == NULL) {
1309 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received");
1313 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
1314 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
1320 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1)
1322 u8 hash[SHA256_MAC_LEN];
1326 if (e_snonce1 == NULL) {
1327 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received");
1331 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1,
1332 WPS_SECRET_NONCE_LEN);
1334 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */
1335 addr[0] = e_snonce1;
1336 len[0] = WPS_SECRET_NONCE_LEN;
1337 addr[1] = wps->psk1;
1338 len[1] = WPS_PSK_LEN;
1339 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1340 len[2] = wpabuf_len(wps->dh_pubkey_e);
1341 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1342 len[3] = wpabuf_len(wps->dh_pubkey_r);
1343 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1345 if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) {
1346 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does "
1347 "not match with the pre-committed value");
1351 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first "
1352 "half of the device password");
1358 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
1360 u8 hash[SHA256_MAC_LEN];
1364 if (e_snonce2 == NULL) {
1365 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received");
1369 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2,
1370 WPS_SECRET_NONCE_LEN);
1372 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */
1373 addr[0] = e_snonce2;
1374 len[0] = WPS_SECRET_NONCE_LEN;
1375 addr[1] = wps->psk2;
1376 len[1] = WPS_PSK_LEN;
1377 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1378 len[2] = wpabuf_len(wps->dh_pubkey_e);
1379 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1380 len[3] = wpabuf_len(wps->dh_pubkey_r);
1381 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1383 if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) {
1384 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does "
1385 "not match with the pre-committed value");
1386 wps_registrar_invalidate_pin(wps->registrar, wps->uuid_e);
1390 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second "
1391 "half of the device password");
1392 wps->wps_pin_revealed = 0;
1393 wps_registrar_unlock_pin(wps->registrar, wps->uuid_e);
1399 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr)
1401 if (mac_addr == NULL) {
1402 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received");
1406 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR,
1408 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN);
1409 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN);
1415 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk,
1418 if (pk == NULL || pk_len == 0) {
1419 wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
1423 wpabuf_free(wps->dh_pubkey_e);
1424 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
1425 if (wps->dh_pubkey_e == NULL)
1432 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth)
1437 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags "
1442 auth_types = WPA_GET_BE16(auth);
1444 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
1446 wps->auth_type = wps->wps->auth_types & auth_types;
1447 if (wps->auth_type == 0) {
1448 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1449 "authentication types (own 0x%x Enrollee 0x%x)",
1450 wps->wps->auth_types, auth_types);
1458 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr)
1463 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags "
1468 encr_types = WPA_GET_BE16(encr);
1470 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x",
1472 wps->encr_type = wps->wps->encr_types & encr_types;
1473 if (wps->encr_type == 0) {
1474 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1475 "encryption types");
1483 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn)
1486 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags "
1491 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x",
1498 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods)
1502 if (methods == NULL) {
1503 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received");
1507 m = WPA_GET_BE16(methods);
1509 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x", m);
1515 static int wps_process_wps_state(struct wps_data *wps, const u8 *state)
1517 if (state == NULL) {
1518 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State "
1523 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d",
1530 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc)
1534 if (assoc == NULL) {
1535 wpa_printf(MSG_DEBUG, "WPS: No Association State received");
1539 a = WPA_GET_BE16(assoc);
1540 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a);
1546 static int wps_process_config_error(struct wps_data *wps, const u8 *err)
1551 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received");
1555 e = WPA_GET_BE16(err);
1556 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e);
1562 static enum wps_process_res wps_process_m1(struct wps_data *wps,
1563 struct wps_parse_attr *attr)
1565 wpa_printf(MSG_DEBUG, "WPS: Received M1");
1567 if (wps->state != RECV_M1) {
1568 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1569 "receiving M1", wps->state);
1573 if (wps_process_uuid_e(wps, attr->uuid_e) ||
1574 wps_process_mac_addr(wps, attr->mac_addr) ||
1575 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) ||
1576 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) ||
1577 wps_process_auth_type_flags(wps, attr->auth_type_flags) ||
1578 wps_process_encr_type_flags(wps, attr->encr_type_flags) ||
1579 wps_process_conn_type_flags(wps, attr->conn_type_flags) ||
1580 wps_process_config_methods(wps, attr->config_methods) ||
1581 wps_process_wps_state(wps, attr->wps_state) ||
1582 wps_process_device_attrs(&wps->peer_dev, attr) ||
1583 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) ||
1584 wps_process_assoc_state(wps, attr->assoc_state) ||
1585 wps_process_dev_password_id(wps, attr->dev_password_id) ||
1586 wps_process_config_error(wps, attr->config_error) ||
1587 wps_process_os_version(&wps->peer_dev, attr->os_version))
1590 if (wps->dev_pw_id != DEV_PW_DEFAULT &&
1591 wps->dev_pw_id != DEV_PW_USER_SPECIFIED &&
1592 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED &&
1593 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED &&
1594 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || !wps->registrar->pbc)) {
1595 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d",
1597 wps->state = SEND_M2D;
1598 return WPS_CONTINUE;
1601 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) {
1602 if (wps_registrar_pbc_overlap(wps->registrar, wps->mac_addr_e,
1604 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC "
1606 wps->state = SEND_M2D;
1607 return WPS_CONTINUE;
1609 wps_registrar_add_pbc_session(wps->registrar, wps->mac_addr_e,
1614 wps->state = SEND_M2;
1615 return WPS_CONTINUE;
1619 static enum wps_process_res wps_process_m3(struct wps_data *wps,
1620 const struct wpabuf *msg,
1621 struct wps_parse_attr *attr)
1623 wpa_printf(MSG_DEBUG, "WPS: Received M3");
1625 if (wps->state != RECV_M3) {
1626 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1627 "receiving M3", wps->state);
1631 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1632 wps_process_authenticator(wps, attr->authenticator, msg) ||
1633 wps_process_e_hash1(wps, attr->e_hash1) ||
1634 wps_process_e_hash2(wps, attr->e_hash2))
1637 wps->state = SEND_M4;
1638 return WPS_CONTINUE;
1642 static enum wps_process_res wps_process_m5(struct wps_data *wps,
1643 const struct wpabuf *msg,
1644 struct wps_parse_attr *attr)
1646 struct wpabuf *decrypted;
1647 struct wps_parse_attr eattr;
1649 wpa_printf(MSG_DEBUG, "WPS: Received M5");
1651 if (wps->state != RECV_M5) {
1652 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1653 "receiving M5", wps->state);
1657 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1658 wps_process_authenticator(wps, attr->authenticator, msg))
1661 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1662 attr->encr_settings_len);
1663 if (decrypted == NULL) {
1664 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1665 "Settings attribute");
1669 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1671 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1672 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1673 wps_process_e_snonce1(wps, eattr.e_snonce1)) {
1674 wpabuf_free(decrypted);
1677 wpabuf_free(decrypted);
1679 wps->state = SEND_M6;
1680 return WPS_CONTINUE;
1684 static int wps_process_ap_settings_r(struct wps_data *wps,
1685 struct wps_parse_attr *attr)
1690 /* AP Settings Attributes in M7 when Enrollee is an AP */
1691 if (wps_process_ap_settings(attr, &wps->cred) < 0)
1694 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP");
1697 * TODO: Provide access to AP settings and allow changes before sending
1698 * out M8. For now, just copy the settings unchanged into M8.
1705 static enum wps_process_res wps_process_m7(struct wps_data *wps,
1706 const struct wpabuf *msg,
1707 struct wps_parse_attr *attr)
1709 struct wpabuf *decrypted;
1710 struct wps_parse_attr eattr;
1712 wpa_printf(MSG_DEBUG, "WPS: Received M7");
1714 if (wps->state != RECV_M7) {
1715 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1716 "receiving M7", wps->state);
1720 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1721 wps_process_authenticator(wps, attr->authenticator, msg))
1724 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1725 attr->encr_settings_len);
1726 if (decrypted == NULL) {
1727 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1728 "Settings attribute");
1732 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1734 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1735 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1736 wps_process_e_snonce2(wps, eattr.e_snonce2) ||
1737 wps_process_ap_settings_r(wps, &eattr)) {
1738 wpabuf_free(decrypted);
1742 wpabuf_free(decrypted);
1744 wps->state = SEND_M8;
1745 return WPS_CONTINUE;
1749 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps,
1750 const struct wpabuf *msg)
1752 struct wps_parse_attr attr;
1753 enum wps_process_res ret = WPS_CONTINUE;
1755 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG");
1757 if (wps_parse_msg(msg, &attr) < 0)
1760 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1761 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1762 attr.version ? *attr.version : 0);
1766 if (attr.msg_type == NULL) {
1767 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1771 if (*attr.msg_type != WPS_M1 &&
1772 (attr.registrar_nonce == NULL ||
1773 os_memcmp(wps->nonce_r, attr.registrar_nonce,
1774 WPS_NONCE_LEN != 0))) {
1775 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1779 switch (*attr.msg_type) {
1781 ret = wps_process_m1(wps, &attr);
1784 ret = wps_process_m3(wps, msg, &attr);
1787 ret = wps_process_m5(wps, msg, &attr);
1790 ret = wps_process_m7(wps, msg, &attr);
1793 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d",
1798 if (ret == WPS_CONTINUE) {
1799 /* Save a copy of the last message for Authenticator derivation
1801 wpabuf_free(wps->last_msg);
1802 wps->last_msg = wpabuf_dup(msg);
1809 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps,
1810 const struct wpabuf *msg)
1812 struct wps_parse_attr attr;
1814 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK");
1816 if (wps_parse_msg(msg, &attr) < 0)
1819 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1820 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1821 attr.version ? *attr.version : 0);
1825 if (attr.msg_type == NULL) {
1826 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1830 if (*attr.msg_type != WPS_WSC_ACK) {
1831 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1836 if (attr.registrar_nonce == NULL ||
1837 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1839 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1843 if (attr.enrollee_nonce == NULL ||
1844 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1845 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1849 if (wps->state == RECV_M2D_ACK) {
1850 /* TODO: support for multiple registrars and sending of
1851 * multiple M2/M2D messages */
1853 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - "
1854 "terminate negotiation");
1861 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps,
1862 const struct wpabuf *msg)
1864 struct wps_parse_attr attr;
1866 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK");
1868 if (wps_parse_msg(msg, &attr) < 0)
1871 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1872 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1873 attr.version ? *attr.version : 0);
1877 if (attr.msg_type == NULL) {
1878 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1882 if (*attr.msg_type != WPS_WSC_NACK) {
1883 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1888 if (attr.registrar_nonce == NULL ||
1889 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1891 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1895 if (attr.enrollee_nonce == NULL ||
1896 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1897 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1901 if (attr.config_error == NULL) {
1902 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute "
1907 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with "
1908 "Configuration Error %d", WPA_GET_BE16(attr.config_error));
1914 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps,
1915 const struct wpabuf *msg)
1917 struct wps_parse_attr attr;
1919 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done");
1921 if (wps->state != RECV_DONE) {
1922 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1923 "receiving WSC_Done", wps->state);
1927 if (wps_parse_msg(msg, &attr) < 0)
1930 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1931 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1932 attr.version ? *attr.version : 0);
1936 if (attr.msg_type == NULL) {
1937 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1941 if (*attr.msg_type != WPS_WSC_DONE) {
1942 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1947 if (attr.registrar_nonce == NULL ||
1948 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1950 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1954 if (attr.enrollee_nonce == NULL ||
1955 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1956 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1960 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully");
1962 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk &&
1964 struct wps_credential cred;
1966 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based "
1967 "on first Enrollee connection");
1969 os_memset(&cred, 0, sizeof(cred));
1970 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
1971 cred.ssid_len = wps->wps->ssid_len;
1972 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK;
1973 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES;
1974 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len);
1975 cred.key_len = wps->new_psk_len;
1977 wps->wps->wps_state = WPS_STATE_CONFIGURED;
1978 wpa_hexdump_ascii_key(MSG_DEBUG,
1979 "WPS: Generated random passphrase",
1980 wps->new_psk, wps->new_psk_len);
1981 if (wps->wps->cred_cb)
1982 wps->wps->cred_cb(wps->wps->cb_ctx, &cred);
1984 os_free(wps->new_psk);
1985 wps->new_psk = NULL;
1988 if (!wps->wps->ap) {
1989 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based "
1990 "on the modified AP configuration");
1991 if (wps->wps->cred_cb)
1992 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred);
1996 if (wps_cb_new_psk(wps->registrar, wps->mac_addr_e,
1997 wps->new_psk, wps->new_psk_len)) {
1998 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the "
2001 os_free(wps->new_psk);
2002 wps->new_psk = NULL;
2006 wps_registrar_remove_pbc_session(wps->registrar,
2007 wps->mac_addr_e, wps->uuid_e);
2008 wps_registrar_pbc_completed(wps->registrar);
2015 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps,
2017 const struct wpabuf *msg)
2020 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu "
2022 (unsigned long) wpabuf_len(msg), op_code);
2026 return wps_process_wsc_msg(wps, msg);
2028 return wps_process_wsc_ack(wps, msg);
2030 return wps_process_wsc_nack(wps, msg);
2032 return wps_process_wsc_done(wps, msg);
2034 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code);