src/wps/wps.c

   1 /*
   2  * Wi-Fi Protected Setup
   3  * Copyright (c) 2007-2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/dh_group5.h"
  19 #include "common/ieee802_11_defs.h"
  20 #include "wps_i.h"
  21 #include "wps_dev_attr.h"
  22
  23
  24 /**
  25  * wps_init - Initialize WPS Registration protocol data
  26  * @cfg: WPS configuration
  27  * Returns: Pointer to allocated data or %NULL on failure
  28  *
  29  * This function is used to initialize WPS data for a registration protocol
  30  * instance (i.e., each run of registration protocol as a Registrar of
  31  * Enrollee. The caller is responsible for freeing this data after the
  32  * registration run has been completed by calling wps_deinit().
  33  */
  34 struct wps_data * wps_init(const struct wps_config *cfg)
  35 {
  36         struct wps_data *data = os_zalloc(sizeof(*data));
  37         if (data == NULL)
  38                 return NULL;
  39         data->wps = cfg->wps;
  40         data->registrar = cfg->registrar;
  41         if (cfg->registrar) {
  42                 os_memcpy(data->uuid_r, cfg->wps->uuid, WPS_UUID_LEN);
  43         } else {
  44                 os_memcpy(data->mac_addr_e, cfg->wps->dev.mac_addr, ETH_ALEN);
  45                 os_memcpy(data->uuid_e, cfg->wps->uuid, WPS_UUID_LEN);
  46         }
  47         if (cfg->pin) {
  48                 data->dev_pw_id = data->wps->oob_dev_pw_id == 0 ?
  49                         DEV_PW_DEFAULT : data->wps->oob_dev_pw_id;
  50                 data->dev_password = os_malloc(cfg->pin_len);
  51                 if (data->dev_password == NULL) {
  52                         os_free(data);
  53                         return NULL;
  54                 }
  55                 os_memcpy(data->dev_password, cfg->pin, cfg->pin_len);
  56                 data->dev_password_len = cfg->pin_len;
  57         }
  58
  59         data->pbc = cfg->pbc;
  60         if (cfg->pbc) {
  61                 /* Use special PIN '00000000' for PBC */
  62                 data->dev_pw_id = DEV_PW_PUSHBUTTON;
  63                 os_free(data->dev_password);
  64                 data->dev_password = os_malloc(8);
  65                 if (data->dev_password == NULL) {
  66                         os_free(data);
  67                         return NULL;
  68                 }
  69                 os_memset(data->dev_password, '0', 8);
  70                 data->dev_password_len = 8;
  71         }
  72
  73         data->state = data->registrar ? RECV_M1 : SEND_M1;
  74
  75         if (cfg->assoc_wps_ie) {
  76                 struct wps_parse_attr attr;
  77                 wpa_hexdump_buf(MSG_DEBUG, "WPS: WPS IE from (Re)AssocReq",
  78                                 cfg->assoc_wps_ie);
  79                 if (wps_parse_msg(cfg->assoc_wps_ie, &attr) < 0) {
  80                         wpa_printf(MSG_DEBUG, "WPS: Failed to parse WPS IE "
  81                                    "from (Re)AssocReq");
  82                 } else if (attr.request_type == NULL) {
  83                         wpa_printf(MSG_DEBUG, "WPS: No Request Type attribute "
  84                                    "in (Re)AssocReq WPS IE");
  85                 } else {
  86                         wpa_printf(MSG_DEBUG, "WPS: Request Type (from WPS IE "
  87                                    "in (Re)AssocReq WPS IE): %d",
  88                                    *attr.request_type);
  89                         data->request_type = *attr.request_type;
  90                 }
  91         }
  92
  93         if (cfg->new_ap_settings) {
  94                 data->new_ap_settings =
  95                         os_malloc(sizeof(*data->new_ap_settings));
  96                 if (data->new_ap_settings == NULL) {
  97                         os_free(data);
  98                         return NULL;
  99                 }
 100                 os_memcpy(data->new_ap_settings, cfg->new_ap_settings,
 101                           sizeof(*data->new_ap_settings));
 102         }
 103
 104         if (cfg->peer_addr)
 105                 os_memcpy(data->peer_dev.mac_addr, cfg->peer_addr, ETH_ALEN);
 106
 107         return data;
 108 }
 109
 110
 111 /**
 112  * wps_deinit - Deinitialize WPS Registration protocol data
 113  * @data: WPS Registration protocol data from wps_init()
 114  */
 115 void wps_deinit(struct wps_data *data)
 116 {
 117         if (data->wps_pin_revealed) {
 118                 wpa_printf(MSG_DEBUG, "WPS: Full PIN information revealed and "
 119                            "negotiation failed");
 120                 if (data->registrar)
 121                         wps_registrar_invalidate_pin(data->wps->registrar,
 122                                                      data->uuid_e);
 123         } else if (data->registrar)
 124                 wps_registrar_unlock_pin(data->wps->registrar, data->uuid_e);
 125
 126         wpabuf_free(data->dh_privkey);
 127         wpabuf_free(data->dh_pubkey_e);
 128         wpabuf_free(data->dh_pubkey_r);
 129         wpabuf_free(data->last_msg);
 130         os_free(data->dev_password);
 131         os_free(data->new_psk);
 132         wps_device_data_free(&data->peer_dev);
 133         os_free(data->new_ap_settings);
 134         dh5_free(data->dh_ctx);
 135         os_free(data);
 136 }
 137
 138
 139 /**
 140  * wps_process_msg - Process a WPS message
 141  * @wps: WPS Registration protocol data from wps_init()
 142  * @op_code: Message OP Code
 143  * @msg: Message data
 144  * Returns: Processing result
 145  *
 146  * This function is used to process WPS messages with OP Codes WSC_ACK,
 147  * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is
 148  * responsible for reassembling the messages before calling this function.
 149  * Response to this message is built by calling wps_get_msg().
 150  */
 151 enum wps_process_res wps_process_msg(struct wps_data *wps,
 152                                      enum wsc_op_code op_code,
 153                                      const struct wpabuf *msg)
 154 {
 155         if (wps->registrar)
 156                 return wps_registrar_process_msg(wps, op_code, msg);
 157         else
 158                 return wps_enrollee_process_msg(wps, op_code, msg);
 159 }
 160
 161
 162 /**
 163  * wps_get_msg - Build a WPS message
 164  * @wps: WPS Registration protocol data from wps_init()
 165  * @op_code: Buffer for returning message OP Code
 166  * Returns: The generated WPS message or %NULL on failure
 167  *
 168  * This function is used to build a response to a message processed by calling
 169  * wps_process_msg(). The caller is responsible for freeing the buffer.
 170  */
 171 struct wpabuf * wps_get_msg(struct wps_data *wps, enum wsc_op_code *op_code)
 172 {
 173         if (wps->registrar)
 174                 return wps_registrar_get_msg(wps, op_code);
 175         else
 176                 return wps_enrollee_get_msg(wps, op_code);
 177 }
 178
 179
 180 /**
 181  * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC
 182  * @msg: WPS IE contents from Beacon or Probe Response frame
 183  * Returns: 1 if PBC Registrar is active, 0 if not
 184  */
 185 int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
 186 {
 187         struct wps_parse_attr attr;
 188
 189         /*
 190          * In theory, this could also verify that attr.sel_reg_config_methods
 191          * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations
 192          * do not set Selected Registrar Config Methods attribute properly, so
 193          * it is safer to just use Device Password ID here.
 194          */
 195
 196         if (wps_parse_msg(msg, &attr) < 0 ||
 197             !attr.selected_registrar || *attr.selected_registrar == 0 ||
 198             !attr.dev_password_id ||
 199             WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
 200                 return 0;
 201
 202         return 1;
 203 }
 204
 205
 206 /**
 207  * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN
 208  * @msg: WPS IE contents from Beacon or Probe Response frame
 209  * Returns: 1 if PIN Registrar is active, 0 if not
 210  */
 211 int wps_is_selected_pin_registrar(const struct wpabuf *msg)
 212 {
 213         struct wps_parse_attr attr;
 214
 215         /*
 216          * In theory, this could also verify that attr.sel_reg_config_methods
 217          * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD,
 218          * but some deployed AP implementations do not set Selected Registrar
 219          * Config Methods attribute properly, so it is safer to just use
 220          * Device Password ID here.
 221          */
 222
 223         if (wps_parse_msg(msg, &attr) < 0)
 224                 return 0;
 225
 226         if (!attr.selected_registrar || *attr.selected_registrar == 0)
 227                 return 0;
 228
 229         if (attr.dev_password_id != NULL &&
 230             WPA_GET_BE16(attr.dev_password_id) == DEV_PW_PUSHBUTTON)
 231                 return 0;
 232
 233         return 1;
 234 }
 235
 236
 237 /**
 238  * wps_get_uuid_e - Get UUID-E from WPS IE
 239  * @msg: WPS IE contents from Beacon or Probe Response frame
 240  * Returns: Pointer to UUID-E or %NULL if not included
 241  *
 242  * The returned pointer is to the msg contents and it remains valid only as
 243  * long as the msg buffer is valid.
 244  */
 245 const u8 * wps_get_uuid_e(const struct wpabuf *msg)
 246 {
 247         struct wps_parse_attr attr;
 248
 249         if (wps_parse_msg(msg, &attr) < 0)
 250                 return NULL;
 251         return attr.uuid_e;
 252 }
 253
 254
 255 /**
 256  * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request
 257  * @req_type: Value for Request Type attribute
 258  * Returns: WPS IE or %NULL on failure
 259  *
 260  * The caller is responsible for freeing the buffer.
 261  */
 262 struct wpabuf * wps_build_assoc_req_ie(enum wps_request_type req_type)
 263 {
 264         struct wpabuf *ie;
 265         u8 *len;
 266
 267         wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
 268                    "Request");
 269         ie = wpabuf_alloc(100);
 270         if (ie == NULL)
 271                 return NULL;
 272
 273         wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
 274         len = wpabuf_put(ie, 1);
 275         wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
 276
 277         if (wps_build_version(ie) ||
 278             wps_build_req_type(ie, req_type)) {
 279                 wpabuf_free(ie);
 280                 return NULL;
 281         }
 282
 283         *len = wpabuf_len(ie) - 2;
 284
 285         return ie;
 286 }
 287
 288
 289 /**
 290  * wps_build_probe_req_ie - Build WPS IE for Probe Request
 291  * @pbc: Whether searching for PBC mode APs
 292  * @dev: Device attributes
 293  * @uuid: Own UUID
 294  * @req_type: Value for Request Type attribute
 295  * Returns: WPS IE or %NULL on failure
 296  *
 297  * The caller is responsible for freeing the buffer.
 298  */
 299 struct wpabuf * wps_build_probe_req_ie(int pbc, struct wps_device_data *dev,
 300                                        const u8 *uuid,
 301                                        enum wps_request_type req_type)
 302 {
 303         struct wpabuf *ie;
 304         u8 *len;
 305         u16 methods;
 306
 307         wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request");
 308
 309         ie = wpabuf_alloc(200);
 310         if (ie == NULL)
 311                 return NULL;
 312
 313         wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
 314         len = wpabuf_put(ie, 1);
 315         wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
 316
 317         if (pbc)
 318                 methods = WPS_CONFIG_PUSHBUTTON;
 319         else {
 320                 methods = WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY |
 321                         WPS_CONFIG_KEYPAD;
 322 #ifdef CONFIG_WPS_UFD
 323                 methods |= WPS_CONFIG_USBA;
 324 #endif /* CONFIG_WPS_UFD */
 325 #ifdef CONFIG_WPS_NFC
 326                 methods |= WPS_CONFIG_NFC_INTERFACE;
 327 #endif /* CONFIG_WPS_NFC */
 328         }
 329
 330         if (wps_build_version(ie) ||
 331             wps_build_req_type(ie, req_type) ||
 332             wps_build_config_methods(ie, methods) ||
 333             wps_build_uuid_e(ie, uuid) ||
 334             wps_build_primary_dev_type(dev, ie) ||
 335             wps_build_rf_bands(dev, ie) ||
 336             wps_build_assoc_state(NULL, ie) ||
 337             wps_build_config_error(ie, WPS_CFG_NO_ERROR) ||
 338             wps_build_dev_password_id(ie, pbc ? DEV_PW_PUSHBUTTON :
 339                                       DEV_PW_DEFAULT)) {
 340                 wpabuf_free(ie);
 341                 return NULL;
 342         }
 343
 344         *len = wpabuf_len(ie) - 2;
 345
 346         return ie;
 347 }
 348
 349
 350 void wps_free_pending_msgs(struct upnp_pending_message *msgs)
 351 {
 352         struct upnp_pending_message *p, *prev;
 353         p = msgs;
 354         while (p) {
 355                 prev = p;
 356                 p = p->next;
 357                 wpabuf_free(prev->msg);
 358                 os_free(prev);
 359         }
 360 }
 361
 362
 363 int wps_attr_text(struct wpabuf *data, char *buf, char *end)
 364 {
 365         struct wps_parse_attr attr;
 366         char *pos = buf;
 367         int ret;
 368
 369         if (wps_parse_msg(data, &attr) < 0)
 370                 return -1;
 371
 372         if (attr.wps_state) {
 373                 if (*attr.wps_state == WPS_STATE_NOT_CONFIGURED)
 374                         ret = os_snprintf(pos, end - pos,
 375                                           "wps_state=unconfigured\n");
 376                 else if (*attr.wps_state == WPS_STATE_CONFIGURED)
 377                         ret = os_snprintf(pos, end - pos,
 378                                           "wps_state=configured\n");
 379                 else
 380                         ret = 0;
 381                 if (ret < 0 || ret >= end - pos)
 382                         return pos - buf;
 383                 pos += ret;
 384         }
 385
 386         if (attr.ap_setup_locked && *attr.ap_setup_locked) {
 387                 ret = os_snprintf(pos, end - pos,
 388                                   "wps_ap_setup_locked=1\n");
 389                 if (ret < 0 || ret >= end - pos)
 390                         return pos - buf;
 391                 pos += ret;
 392         }
 393
 394         if (attr.selected_registrar && *attr.selected_registrar) {
 395                 ret = os_snprintf(pos, end - pos,
 396                                   "wps_selected_registrar=1\n");
 397                 if (ret < 0 || ret >= end - pos)
 398                         return pos - buf;
 399                 pos += ret;
 400         }
 401
 402         if (attr.dev_password_id) {
 403                 ret = os_snprintf(pos, end - pos,
 404                                   "wps_device_password_id=%u\n",
 405                                   WPA_GET_BE16(attr.dev_password_id));
 406                 if (ret < 0 || ret >= end - pos)
 407                         return pos - buf;
 408                 pos += ret;
 409         }
 410
 411         if (attr.sel_reg_config_methods) {
 412                 ret = os_snprintf(pos, end - pos,
 413                                   "wps_selected_registrar_config_methods="
 414                                   "0x%04x\n",
 415                                   WPA_GET_BE16(attr.sel_reg_config_methods));
 416                 if (ret < 0 || ret >= end - pos)
 417                         return pos - buf;
 418                 pos += ret;
 419         }
 420
 421         if (attr.primary_dev_type) {
 422                 char devtype[WPS_DEV_TYPE_BUFSIZE];
 423                 ret = os_snprintf(pos, end - pos,
 424                                   "wps_primary_device_type=%s\n",
 425                                   wps_dev_type_bin2str(attr.primary_dev_type,
 426                                                        devtype,
 427                                                        sizeof(devtype)));
 428                 if (ret < 0 || ret >= end - pos)
 429                         return pos - buf;
 430                 pos += ret;
 431         }
 432
 433         if (attr.dev_name) {
 434                 char *str = os_malloc(attr.dev_name_len + 1);
 435                 size_t i;
 436                 if (str == NULL)
 437                         return pos - buf;
 438                 for (i = 0; i < attr.dev_name_len; i++) {
 439                         if (attr.dev_name[i] < 32)
 440                                 str[i] = '_';
 441                         else
 442                                 str[i] = attr.dev_name[i];
 443                 }
 444                 str[i] = '\0';
 445                 ret = os_snprintf(pos, end - pos, "wps_device_name=%s\n", str);
 446                 os_free(str);
 447                 if (ret < 0 || ret >= end - pos)
 448                         return pos - buf;
 449                 pos += ret;
 450         }
 451
 452         if (attr.config_methods) {
 453                 ret = os_snprintf(pos, end - pos,
 454                                   "wps_config_methods=0x%04x\n",
 455                                   WPA_GET_BE16(attr.config_methods));
 456                 if (ret < 0 || ret >= end - pos)
 457                         return pos - buf;
 458                 pos += ret;
 459         }
 460
 461         return pos - buf;
 462 }