X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fwps%2Fwps_enrollee.c;h=1db255d199490119d4b700d0ba0fb52c26d2095f;hb=3237bfb1a3cdd4d3efa34f6fa205478b38bf5b75;hp=f16a05b296c92f718102b3d50df81a534c51719f;hpb=7d7c918d9725b7622e50084459f3f382f50618ac;p=libeap.git diff --git a/src/wps/wps_enrollee.c b/src/wps/wps_enrollee.c index f16a05b..1db255d 100644 --- a/src/wps/wps_enrollee.c +++ b/src/wps/wps_enrollee.c @@ -15,32 +15,12 @@ #include "includes.h" #include "common.h" -#include "sha256.h" -#include "ieee802_11_defs.h" +#include "crypto/crypto.h" +#include "crypto/sha256.h" #include "wps_i.h" #include "wps_dev_attr.h" -static int wps_build_req_type(struct wpabuf *msg, enum wps_request_type type) -{ - wpa_printf(MSG_DEBUG, "WPS: * Request Type"); - wpabuf_put_be16(msg, ATTR_REQUEST_TYPE); - wpabuf_put_be16(msg, 1); - wpabuf_put_u8(msg, type); - return 0; -} - - -static int wps_build_uuid_e(struct wpabuf *msg, const u8 *uuid) -{ - wpa_printf(MSG_DEBUG, "WPS: * UUID-E"); - wpabuf_put_be16(msg, ATTR_UUID_E); - wpabuf_put_be16(msg, WPS_UUID_LEN); - wpabuf_put_data(msg, uuid, WPS_UUID_LEN); - return 0; -} - - static int wps_build_mac_addr(struct wps_data *wps, struct wpabuf *msg) { wpa_printf(MSG_DEBUG, "WPS: * MAC Address"); @@ -51,55 +31,18 @@ static int wps_build_mac_addr(struct wps_data *wps, struct wpabuf *msg) } -static int wps_build_config_methods(struct wpabuf *msg, u16 methods) -{ - wpa_printf(MSG_DEBUG, "WPS: * Config Methods"); - wpabuf_put_be16(msg, ATTR_CONFIG_METHODS); - wpabuf_put_be16(msg, 2); - wpabuf_put_be16(msg, methods); - return 0; -} - - static int wps_build_wps_state(struct wps_data *wps, struct wpabuf *msg) { - wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State"); + u8 state; + if (wps->wps->ap) + state = wps->wps->wps_state; + else + state = WPS_STATE_NOT_CONFIGURED; + wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)", + state); wpabuf_put_be16(msg, ATTR_WPS_STATE); wpabuf_put_be16(msg, 1); - wpabuf_put_u8(msg, WPS_STATE_CONFIGURED); - return 0; -} - - -static int wps_build_rf_bands(struct wps_data *wps, struct wpabuf *msg) -{ - wpa_printf(MSG_DEBUG, "WPS: * RF Bands"); - wpabuf_put_be16(msg, ATTR_RF_BANDS); - wpabuf_put_be16(msg, 1); - wpabuf_put_u8(msg, WPS_RF_24GHZ | WPS_RF_50GHZ); - return 0; -} - - -static int wps_build_dev_password_id(struct wpabuf *msg, u16 id) -{ - wpa_printf(MSG_DEBUG, "WPS: * Device Password ID"); - wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID); - wpabuf_put_be16(msg, 2); - wpabuf_put_be16(msg, id); - return 0; -} - - -static int wps_build_config_error(struct wps_data *wps, struct wpabuf *msg) -{ - u16 err = WPS_CFG_NO_ERROR; - wpabuf_put_be16(msg, ATTR_CONFIG_ERROR); - wpabuf_put_be16(msg, 2); - if (wps && wps->authenticator && wps->wps->ap_setup_locked) - err = WPS_CFG_SETUP_LOCKED; - wpa_printf(MSG_DEBUG, "WPS: * Configuration Error (%d)", err); - wpabuf_put_be16(msg, err); + wpabuf_put_u8(msg, state); return 0; } @@ -176,7 +119,6 @@ static int wps_build_e_snonce2(struct wps_data *wps, struct wpabuf *msg) static struct wpabuf * wps_build_m1(struct wps_data *wps) { struct wpabuf *msg; - u16 methods; if (os_get_random(wps->nonce_e, WPS_NONCE_LEN) < 0) return NULL; @@ -188,10 +130,6 @@ static struct wpabuf * wps_build_m1(struct wps_data *wps) if (msg == NULL) return NULL; - methods = WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD; - if (wps->pbc) - methods |= WPS_CONFIG_PUSHBUTTON; - if (wps_build_version(msg) || wps_build_msg_type(msg, WPS_M1) || wps_build_uuid_e(msg, wps->uuid_e) || @@ -201,14 +139,15 @@ static struct wpabuf * wps_build_m1(struct wps_data *wps) wps_build_auth_type_flags(wps, msg) || wps_build_encr_type_flags(wps, msg) || wps_build_conn_type_flags(wps, msg) || - wps_build_config_methods(msg, methods) || + wps_build_config_methods(msg, wps->wps->config_methods) || wps_build_wps_state(wps, msg) || wps_build_device_attrs(&wps->wps->dev, msg) || - wps_build_rf_bands(wps, msg) || + wps_build_rf_bands(&wps->wps->dev, msg) || wps_build_assoc_state(wps, msg) || wps_build_dev_password_id(msg, wps->dev_pw_id) || - wps_build_config_error(wps, msg) || - wps_build_os_version(&wps->wps->dev, msg)) { + wps_build_config_error(msg, WPS_CFG_NO_ERROR) || + wps_build_os_version(&wps->wps->dev, msg) || + wps_build_wfa_ext(msg, 0, NULL, 0)) { wpabuf_free(msg); return NULL; } @@ -238,6 +177,7 @@ static struct wpabuf * wps_build_m3(struct wps_data *wps) wps_build_msg_type(msg, WPS_M3) || wps_build_registrar_nonce(wps, msg) || wps_build_e_hash(wps, msg) || + wps_build_wfa_ext(msg, 0, NULL, 0) || wps_build_authenticator(wps, msg)) { wpabuf_free(msg); return NULL; @@ -270,6 +210,7 @@ static struct wpabuf * wps_build_m5(struct wps_data *wps) wps_build_e_snonce1(wps, plain) || wps_build_key_wrap_auth(wps, plain) || wps_build_encr_settings(wps, msg, plain) || + wps_build_wfa_ext(msg, 0, NULL, 0) || wps_build_authenticator(wps, msg)) { wpabuf_free(plain); wpabuf_free(msg); @@ -332,17 +273,34 @@ static int wps_build_cred_mac_addr(struct wps_data *wps, struct wpabuf *msg) } +static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *plain) +{ + if (wps->wps->ap_settings) { + wpa_printf(MSG_DEBUG, "WPS: * AP Settings (pre-configured)"); + wpabuf_put_data(plain, wps->wps->ap_settings, + wps->wps->ap_settings_len); + return 0; + } + + return wps_build_cred_ssid(wps, plain) || + wps_build_cred_mac_addr(wps, plain) || + wps_build_cred_auth_type(wps, plain) || + wps_build_cred_encr_type(wps, plain) || + wps_build_cred_network_key(wps, plain); +} + + static struct wpabuf * wps_build_m7(struct wps_data *wps) { struct wpabuf *msg, *plain; wpa_printf(MSG_DEBUG, "WPS: Building Message M7"); - plain = wpabuf_alloc(500); + plain = wpabuf_alloc(500 + wps->wps->ap_settings_len); if (plain == NULL) return NULL; - msg = wpabuf_alloc(1000); + msg = wpabuf_alloc(1000 + wps->wps->ap_settings_len); if (msg == NULL) { wpabuf_free(plain); return NULL; @@ -352,14 +310,10 @@ static struct wpabuf * wps_build_m7(struct wps_data *wps) wps_build_msg_type(msg, WPS_M7) || wps_build_registrar_nonce(wps, msg) || wps_build_e_snonce2(wps, plain) || - (wps->authenticator && - (wps_build_cred_ssid(wps, plain) || - wps_build_cred_mac_addr(wps, plain) || - wps_build_cred_auth_type(wps, plain) || - wps_build_cred_encr_type(wps, plain) || - wps_build_cred_network_key(wps, plain))) || + (wps->wps->ap && wps_build_ap_settings(wps, plain)) || wps_build_key_wrap_auth(wps, plain) || wps_build_encr_settings(wps, msg, plain) || + wps_build_wfa_ext(msg, 0, NULL, 0) || wps_build_authenticator(wps, msg)) { wpabuf_free(plain); wpabuf_free(msg); @@ -367,6 +321,16 @@ static struct wpabuf * wps_build_m7(struct wps_data *wps) } wpabuf_free(plain); + if (wps->wps->ap && wps->wps->registrar) { + /* + * If the Registrar is only learning our current configuration, + * it may not continue protocol run to successful completion. + * Store information here to make sure it remains available. + */ + wps_device_store(wps->wps->registrar, &wps->peer_dev, + wps->uuid_r); + } + wps->state = RECV_M8; return msg; } @@ -385,12 +349,18 @@ static struct wpabuf * wps_build_wsc_done(struct wps_data *wps) if (wps_build_version(msg) || wps_build_msg_type(msg, WPS_WSC_DONE) || wps_build_enrollee_nonce(wps, msg) || - wps_build_registrar_nonce(wps, msg)) { + wps_build_registrar_nonce(wps, msg) || + wps_build_wfa_ext(msg, 0, NULL, 0)) { wpabuf_free(msg); return NULL; } - wps->state = wps->authenticator ? RECV_ACK : WPS_FINISHED; + if (wps->wps->ap) + wps->state = RECV_ACK; + else { + wps_success_event(wps->wps); + wps->state = WPS_FINISHED; + } return msg; } @@ -408,7 +378,8 @@ static struct wpabuf * wps_build_wsc_ack(struct wps_data *wps) if (wps_build_version(msg) || wps_build_msg_type(msg, WPS_WSC_ACK) || wps_build_enrollee_nonce(wps, msg) || - wps_build_registrar_nonce(wps, msg)) { + wps_build_registrar_nonce(wps, msg) || + wps_build_wfa_ext(msg, 0, NULL, 0)) { wpabuf_free(msg); return NULL; } @@ -431,7 +402,8 @@ static struct wpabuf * wps_build_wsc_nack(struct wps_data *wps) wps_build_msg_type(msg, WPS_WSC_NACK) || wps_build_enrollee_nonce(wps, msg) || wps_build_registrar_nonce(wps, msg) || - wps_build_config_error(wps, msg)) { + wps_build_config_error(msg, wps->config_error) || + wps_build_wfa_ext(msg, 0, NULL, 0)) { wpabuf_free(msg); return NULL; } @@ -440,7 +412,8 @@ static struct wpabuf * wps_build_wsc_nack(struct wps_data *wps) } -struct wpabuf * wps_enrollee_get_msg(struct wps_data *wps, u8 *op_code) +struct wpabuf * wps_enrollee_get_msg(struct wps_data *wps, + enum wsc_op_code *op_code) { struct wpabuf *msg; @@ -462,6 +435,11 @@ struct wpabuf * wps_enrollee_get_msg(struct wps_data *wps, u8 *op_code) *op_code = WSC_MSG; break; case RECEIVED_M2D: + if (wps->wps->ap) { + msg = wps_build_wsc_nack(wps); + *op_code = WSC_NACK; + break; + } msg = wps_build_wsc_ack(wps); *op_code = WSC_ACK; if (msg) { @@ -548,6 +526,23 @@ static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, return -1; } +#ifdef CONFIG_WPS_OOB + if (wps->dev_pw_id != DEV_PW_DEFAULT && + wps->wps->oob_conf.pubkey_hash) { + const u8 *addr[1]; + u8 hash[WPS_HASH_LEN]; + + addr[0] = pk; + sha256_vector(1, addr, &pk_len, hash); + if (os_memcmp(hash, + wpabuf_head(wps->wps->oob_conf.pubkey_hash), + WPS_OOB_PUBKEY_HASH_LEN) != 0) { + wpa_printf(MSG_ERROR, "WPS: Public Key hash error"); + return -1; + } + } +#endif /* CONFIG_WPS_OOB */ + wpabuf_free(wps->dh_pubkey_r); wps->dh_pubkey_r = wpabuf_alloc_copy(pk, pk_len); if (wps->dh_pubkey_r == NULL) @@ -556,10 +551,6 @@ static int wps_process_pubkey(struct wps_data *wps, const u8 *pk, if (wps_derive_keys(wps) < 0) return -1; - if (wps->request_type == WPS_REQ_WLAN_MANAGER_REGISTRAR && - wps_derive_mgmt_keys(wps) < 0) - return -1; - return 0; } @@ -620,6 +611,8 @@ static int wps_process_r_snonce1(struct wps_data *wps, const u8 *r_snonce1) if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) { wpa_printf(MSG_DEBUG, "WPS: R-Hash1 derived from R-S1 does " "not match with the pre-committed value"); + wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; + wps_pwd_auth_fail_event(wps->wps, 1, 1); return -1; } @@ -658,6 +651,8 @@ static int wps_process_r_snonce2(struct wps_data *wps, const u8 *r_snonce2) if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) { wpa_printf(MSG_DEBUG, "WPS: R-Hash2 derived from R-S2 does " "not match with the pre-committed value"); + wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE; + wps_pwd_auth_fail_event(wps->wps, 1, 2); return -1; } @@ -669,7 +664,7 @@ static int wps_process_r_snonce2(struct wps_data *wps, const u8 *r_snonce2) static int wps_process_cred_e(struct wps_data *wps, const u8 *cred, - size_t cred_len) + size_t cred_len, int wps2) { struct wps_parse_attr attr; struct wpabuf msg; @@ -681,19 +676,62 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred, wps_process_cred(&attr, &wps->cred)) return -1; - if (wps->wps->cred_cb) + if (os_memcmp(wps->cred.mac_addr, wps->wps->dev.mac_addr, ETH_ALEN) != + 0) { + wpa_printf(MSG_DEBUG, "WPS: MAC Address in the Credential (" + MACSTR ") does not match with own address (" MACSTR + ")", MAC2STR(wps->cred.mac_addr), + MAC2STR(wps->wps->dev.mac_addr)); + /* + * In theory, this could be consider fatal error, but there are + * number of deployed implementations using other address here + * due to unclarity in the specification. For interoperability + * reasons, allow this to be processed since we do not really + * use the MAC Address information for anything. + */ +#ifdef CONFIG_WPS_STRICT + if (wps2) { + wpa_printf(MSG_INFO, "WPS: Do not accept incorrect " + "MAC Address in AP Settings"); + return -1; + } +#endif /* CONFIG_WPS_STRICT */ + } + +#ifdef CONFIG_WPS2 + if (!(wps->cred.encr_type & + (WPS_ENCR_NONE | WPS_ENCR_TKIP | WPS_ENCR_AES))) { + if (wps->cred.encr_type & WPS_ENCR_WEP) { + wpa_printf(MSG_INFO, "WPS: Reject Credential " + "due to WEP configuration"); + return -2; + } + + wpa_printf(MSG_INFO, "WPS: Reject Credential due to " + "invalid encr_type 0x%x", wps->cred.encr_type); + return -1; + } +#endif /* CONFIG_WPS2 */ + + if (wps->wps->cred_cb) { + wps->cred.cred_attr = cred - 4; + wps->cred.cred_attr_len = cred_len + 4; wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred); + wps->cred.cred_attr = NULL; + wps->cred.cred_attr_len = 0; + } return 0; } static int wps_process_creds(struct wps_data *wps, const u8 *cred[], - size_t cred_len[], size_t num_cred) + size_t cred_len[], size_t num_cred, int wps2) { size_t i; + int ok = 0; - if (wps->authenticator) + if (wps->wps->ap) return 0; if (num_cred == 0) { @@ -703,20 +741,33 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[], } for (i = 0; i < num_cred; i++) { - if (wps_process_cred_e(wps, cred[i], cred_len[i])) + int res; + res = wps_process_cred_e(wps, cred[i], cred_len[i], wps2); + if (res == 0) + ok++; + else if (res == -2) + wpa_printf(MSG_DEBUG, "WPS: WEP credential skipped"); + else return -1; } + if (ok == 0) { + wpa_printf(MSG_DEBUG, "WPS: No valid Credential attribute " + "received"); + return -1; + } + return 0; } static int wps_process_ap_settings_e(struct wps_data *wps, - struct wps_parse_attr *attr) + struct wps_parse_attr *attr, + struct wpabuf *attrs, int wps2) { struct wps_credential cred; - if (!wps->authenticator) + if (!wps->wps->ap) return 0; if (wps_process_ap_settings(attr, &cred) < 0) @@ -725,8 +776,77 @@ static int wps_process_ap_settings_e(struct wps_data *wps, wpa_printf(MSG_INFO, "WPS: Received new AP configuration from " "Registrar"); - if (wps->wps->cred_cb) + if (os_memcmp(cred.mac_addr, wps->wps->dev.mac_addr, ETH_ALEN) != + 0) { + wpa_printf(MSG_DEBUG, "WPS: MAC Address in the AP Settings (" + MACSTR ") does not match with own address (" MACSTR + ")", MAC2STR(cred.mac_addr), + MAC2STR(wps->wps->dev.mac_addr)); + /* + * In theory, this could be consider fatal error, but there are + * number of deployed implementations using other address here + * due to unclarity in the specification. For interoperability + * reasons, allow this to be processed since we do not really + * use the MAC Address information for anything. + */ +#ifdef CONFIG_WPS_STRICT + if (wps2) { + wpa_printf(MSG_INFO, "WPS: Do not accept incorrect " + "MAC Address in AP Settings"); + return -1; + } +#endif /* CONFIG_WPS_STRICT */ + } + +#ifdef CONFIG_WPS2 + if (!(cred.encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP | WPS_ENCR_AES))) + { + if (cred.encr_type & WPS_ENCR_WEP) { + wpa_printf(MSG_INFO, "WPS: Reject new AP settings " + "due to WEP configuration"); + return -1; + } + + wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to " + "invalid encr_type 0x%x", cred.encr_type); + return -1; + } +#endif /* CONFIG_WPS2 */ + +#ifdef CONFIG_WPS_STRICT + if (wps2) { + if ((cred.encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) == + WPS_ENCR_TKIP || + (cred.auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) == + WPS_AUTH_WPAPSK) { + wpa_printf(MSG_INFO, "WPS-STRICT: Invalid WSC 2.0 " + "AP Settings: WPA-Personal/TKIP only"); + return -1; + } + } +#endif /* CONFIG_WPS_STRICT */ + +#ifdef CONFIG_WPS2 + if ((cred.encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) == WPS_ENCR_TKIP) + { + wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> " + "TKIP+AES"); + cred.encr_type |= WPS_ENCR_AES; + } + + if ((cred.auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) == + WPS_AUTH_WPAPSK) { + wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> " + "WPAPSK+WPA2PSK"); + cred.auth_type |= WPS_AUTH_WPA2PSK; + } +#endif /* CONFIG_WPS2 */ + + if (wps->wps->cred_cb) { + cred.cred_attr = wpabuf_head(attrs); + cred.cred_attr_len = wpabuf_len(attrs); wps->wps->cred_cb(wps->wps->cb_ctx, &cred); + } return 0; } @@ -741,19 +861,29 @@ static enum wps_process_res wps_process_m2(struct wps_data *wps, if (wps->state != RECV_M2) { wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " "receiving M2", wps->state); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } if (wps_process_registrar_nonce(wps, attr->registrar_nonce) || wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || - wps_process_uuid_r(wps, attr->uuid_r) || - wps_process_pubkey(wps, attr->public_key, attr->public_key_len) || - wps_process_authenticator(wps, attr->authenticator, msg)) - return WPS_FAILURE; + wps_process_uuid_r(wps, attr->uuid_r)) { + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } - if (wps->authenticator && wps->wps->ap_setup_locked) { + if (wps->wps->ap && + (wps->wps->ap_setup_locked || wps->dev_password == NULL)) { wpa_printf(MSG_DEBUG, "WPS: AP Setup is locked - refuse " "registration of a new Registrar"); + wps->config_error = WPS_CFG_SETUP_LOCKED; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } + + if (wps_process_pubkey(wps, attr->public_key, attr->public_key_len) || + wps_process_authenticator(wps, attr->authenticator, msg) || + wps_process_device_attrs(&wps->peer_dev, attr)) { wps->state = SEND_WSC_NACK; return WPS_CONTINUE; } @@ -771,7 +901,8 @@ static enum wps_process_res wps_process_m2d(struct wps_data *wps, if (wps->state != RECV_M2) { wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " "receiving M2D", wps->state); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpa_hexdump_ascii(MSG_DEBUG, "WPS: Manufacturer", @@ -785,13 +916,35 @@ static enum wps_process_res wps_process_m2d(struct wps_data *wps, wpa_hexdump_ascii(MSG_DEBUG, "WPS: Device Name", attr->dev_name, attr->dev_name_len); - /* - * TODO: notify monitor programs (cli/gui/etc.) of the M2D and provide - * user information about the registrar properties. - */ + if (wps->wps->event_cb) { + union wps_event_data data; + struct wps_event_m2d *m2d = &data.m2d; + os_memset(&data, 0, sizeof(data)); + if (attr->config_methods) + m2d->config_methods = + WPA_GET_BE16(attr->config_methods); + m2d->manufacturer = attr->manufacturer; + m2d->manufacturer_len = attr->manufacturer_len; + m2d->model_name = attr->model_name; + m2d->model_name_len = attr->model_name_len; + m2d->model_number = attr->model_number; + m2d->model_number_len = attr->model_number_len; + m2d->serial_number = attr->serial_number; + m2d->serial_number_len = attr->serial_number_len; + m2d->dev_name = attr->dev_name; + m2d->dev_name_len = attr->dev_name_len; + m2d->primary_dev_type = attr->primary_dev_type; + if (attr->config_error) + m2d->config_error = + WPA_GET_BE16(attr->config_error); + if (attr->dev_password_id) + m2d->dev_password_id = + WPA_GET_BE16(attr->dev_password_id); + wps->wps->event_cb(wps->wps->cb_ctx, WPS_EV_M2D, &data); + } wps->state = RECEIVED_M2D; - return WPS_FAILURE; + return WPS_CONTINUE; } @@ -807,21 +960,31 @@ static enum wps_process_res wps_process_m4(struct wps_data *wps, if (wps->state != RECV_M4) { wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " "receiving M4", wps->state); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } if (wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || wps_process_authenticator(wps, attr->authenticator, msg) || wps_process_r_hash1(wps, attr->r_hash1) || - wps_process_r_hash2(wps, attr->r_hash2)) - return WPS_FAILURE; + wps_process_r_hash2(wps, attr->r_hash2)) { + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, attr->encr_settings_len); if (decrypted == NULL) { wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " "Settings attribute"); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } + + if (wps_validate_m4_encr(decrypted, attr->version2 != 0) < 0) { + wpabuf_free(decrypted); + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " @@ -830,7 +993,8 @@ static enum wps_process_res wps_process_m4(struct wps_data *wps, wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || wps_process_r_snonce1(wps, eattr.r_snonce1)) { wpabuf_free(decrypted); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpabuf_free(decrypted); @@ -851,19 +1015,29 @@ static enum wps_process_res wps_process_m6(struct wps_data *wps, if (wps->state != RECV_M6) { wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " "receiving M6", wps->state); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } if (wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || - wps_process_authenticator(wps, attr->authenticator, msg)) - return WPS_FAILURE; + wps_process_authenticator(wps, attr->authenticator, msg)) { + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, attr->encr_settings_len); if (decrypted == NULL) { wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " "Settings attribute"); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } + + if (wps_validate_m6_encr(decrypted, attr->version2 != 0) < 0) { + wpabuf_free(decrypted); + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " @@ -872,7 +1046,8 @@ static enum wps_process_res wps_process_m6(struct wps_data *wps, wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || wps_process_r_snonce2(wps, eattr.r_snonce2)) { wpabuf_free(decrypted); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpabuf_free(decrypted); @@ -893,19 +1068,30 @@ static enum wps_process_res wps_process_m8(struct wps_data *wps, if (wps->state != RECV_M8) { wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for " "receiving M8", wps->state); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } if (wps_process_enrollee_nonce(wps, attr->enrollee_nonce) || - wps_process_authenticator(wps, attr->authenticator, msg)) - return WPS_FAILURE; + wps_process_authenticator(wps, attr->authenticator, msg)) { + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings, attr->encr_settings_len); if (decrypted == NULL) { wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted " "Settings attribute"); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; + } + + if (wps_validate_m8_encr(decrypted, wps->wps->ap, attr->version2 != 0) + < 0) { + wpabuf_free(decrypted); + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings " @@ -913,10 +1099,12 @@ static enum wps_process_res wps_process_m8(struct wps_data *wps, if (wps_parse_msg(decrypted, &eattr) < 0 || wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) || wps_process_creds(wps, eattr.cred, eattr.cred_len, - eattr.num_cred) || - wps_process_ap_settings_e(wps, &eattr)) { + eattr.num_cred, attr->version2 != NULL) || + wps_process_ap_settings_e(wps, &eattr, decrypted, + attr->version2 != NULL)) { wpabuf_free(decrypted); - return WPS_FAILURE; + wps->state = SEND_WSC_NACK; + return WPS_CONTINUE; } wpabuf_free(decrypted); @@ -936,12 +1124,6 @@ static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, if (wps_parse_msg(msg, &attr) < 0) return WPS_FAILURE; - if (attr.version == NULL || *attr.version != WPS_VERSION) { - wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", - attr.version ? *attr.version : 0); - return WPS_FAILURE; - } - if (attr.enrollee_nonce == NULL || os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) { wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce"); @@ -955,19 +1137,35 @@ static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, switch (*attr.msg_type) { case WPS_M2: + if (wps_validate_m2(msg) < 0) + return WPS_FAILURE; ret = wps_process_m2(wps, msg, &attr); break; case WPS_M2D: + if (wps_validate_m2d(msg) < 0) + return WPS_FAILURE; ret = wps_process_m2d(wps, &attr); break; case WPS_M4: + if (wps_validate_m4(msg) < 0) + return WPS_FAILURE; ret = wps_process_m4(wps, msg, &attr); + if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) + wps_fail_event(wps->wps, WPS_M4); break; case WPS_M6: + if (wps_validate_m6(msg) < 0) + return WPS_FAILURE; ret = wps_process_m6(wps, msg, &attr); + if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) + wps_fail_event(wps->wps, WPS_M6); break; case WPS_M8: + if (wps_validate_m8(msg) < 0) + return WPS_FAILURE; ret = wps_process_m8(wps, msg, &attr); + if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK) + wps_fail_event(wps->wps, WPS_M8); break; default: wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d", @@ -975,7 +1173,14 @@ static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps, return WPS_FAILURE; } - if (ret == WPS_CONTINUE) { + /* + * Save a copy of the last message for Authenticator derivation if we + * are continuing. However, skip M2D since it is not authenticated and + * neither is the ACK/NACK response frame. This allows the possibly + * following M2 to be processed correctly by using the previously sent + * M1 in Authenticator derivation. + */ + if (ret == WPS_CONTINUE && *attr.msg_type != WPS_M2D) { /* Save a copy of the last message for Authenticator derivation */ wpabuf_free(wps->last_msg); @@ -996,12 +1201,6 @@ static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps, if (wps_parse_msg(msg, &attr) < 0) return WPS_FAILURE; - if (attr.version == NULL || *attr.version != WPS_VERSION) { - wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", - attr.version ? *attr.version : 0); - return WPS_FAILURE; - } - if (attr.msg_type == NULL) { wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); return WPS_FAILURE; @@ -1026,9 +1225,10 @@ static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps, return WPS_FAILURE; } - if (wps->state == RECV_ACK && wps->authenticator) { + if (wps->state == RECV_ACK && wps->wps->ap) { wpa_printf(MSG_DEBUG, "WPS: External Registrar registration " "completed successfully"); + wps_success_event(wps->wps); wps->state = WPS_FINISHED; return WPS_DONE; } @@ -1047,12 +1247,6 @@ static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps, if (wps_parse_msg(msg, &attr) < 0) return WPS_FAILURE; - if (attr.version == NULL || *attr.version != WPS_VERSION) { - wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x", - attr.version ? *attr.version : 0); - return WPS_FAILURE; - } - if (attr.msg_type == NULL) { wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute"); return WPS_FAILURE; @@ -1091,14 +1285,33 @@ static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps, return WPS_FAILURE; } - wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with " + wpa_printf(MSG_DEBUG, "WPS: Registrar terminated negotiation with " "Configuration Error %d", WPA_GET_BE16(attr.config_error)); + switch (wps->state) { + case RECV_M4: + wps_fail_event(wps->wps, WPS_M3); + break; + case RECV_M6: + wps_fail_event(wps->wps, WPS_M5); + break; + case RECV_M8: + wps_fail_event(wps->wps, WPS_M7); + break; + default: + break; + } + + /* Followed by NACK if Enrollee is Supplicant or EAP-Failure if + * Enrollee is Authenticator */ + wps->state = SEND_WSC_NACK; + return WPS_FAILURE; } -enum wps_process_res wps_enrollee_process_msg(struct wps_data *wps, u8 op_code, +enum wps_process_res wps_enrollee_process_msg(struct wps_data *wps, + enum wsc_op_code op_code, const struct wpabuf *msg) { @@ -1106,86 +1319,31 @@ enum wps_process_res wps_enrollee_process_msg(struct wps_data *wps, u8 op_code, "op_code=%d)", (unsigned long) wpabuf_len(msg), op_code); + if (op_code == WSC_UPnP) { + /* Determine the OpCode based on message type attribute */ + struct wps_parse_attr attr; + if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type) { + if (*attr.msg_type == WPS_WSC_ACK) + op_code = WSC_ACK; + else if (*attr.msg_type == WPS_WSC_NACK) + op_code = WSC_NACK; + } + } + switch (op_code) { case WSC_MSG: + case WSC_UPnP: return wps_process_wsc_msg(wps, msg); case WSC_ACK: + if (wps_validate_wsc_ack(msg) < 0) + return WPS_FAILURE; return wps_process_wsc_ack(wps, msg); case WSC_NACK: + if (wps_validate_wsc_nack(msg) < 0) + return WPS_FAILURE; return wps_process_wsc_nack(wps, msg); default: wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code); return WPS_FAILURE; } } - - -struct wpabuf * wps_enrollee_build_assoc_req_ie(void) -{ - struct wpabuf *ie; - u8 *len; - - wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association " - "Request"); - ie = wpabuf_alloc(100); - if (ie == NULL) - return NULL; - - wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC); - len = wpabuf_put(ie, 1); - wpabuf_put_be32(ie, WPS_DEV_OUI_WFA); - - if (wps_build_version(ie) || - wps_build_req_type(ie, WPS_REQ_ENROLLEE)) { - wpabuf_free(ie); - return NULL; - } - - *len = wpabuf_len(ie) - 2; - - return ie; -} - - -struct wpabuf * wps_enrollee_build_probe_req_ie(int pbc, - struct wps_device_data *dev, - const u8 *uuid) -{ - struct wpabuf *ie; - u8 *len; - u16 methods; - - wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request"); - - ie = wpabuf_alloc(200); - if (ie == NULL) - return NULL; - - wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC); - len = wpabuf_put(ie, 1); - wpabuf_put_be32(ie, WPS_DEV_OUI_WFA); - - if (pbc) - methods = WPS_CONFIG_PUSHBUTTON; - else - methods = WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | - WPS_CONFIG_KEYPAD; - - if (wps_build_version(ie) || - wps_build_req_type(ie, WPS_REQ_ENROLLEE) || - wps_build_config_methods(ie, methods) || - wps_build_uuid_e(ie, uuid) || - wps_build_primary_dev_type(dev, ie) || - wps_build_rf_bands(NULL, ie) || - wps_build_assoc_state(NULL, ie) || - wps_build_config_error(NULL, ie) || - wps_build_dev_password_id(ie, pbc ? DEV_PW_PUSHBUTTON : - DEV_PW_DEFAULT)) { - wpabuf_free(ie); - return NULL; - } - - *len = wpabuf_len(ie) - 2; - - return ie; -}