2 * Wi-Fi Protected Setup - Registrar
3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
20 #include "ieee802_11_defs.h"
23 #include "wps_dev_attr.h"
27 struct wps_uuid_pin *next;
28 u8 uuid[WPS_UUID_LEN];
36 static void wps_free_pin(struct wps_uuid_pin *pin)
43 static void wps_free_pins(struct wps_uuid_pin *pins)
45 struct wps_uuid_pin *pin, *prev;
56 struct wps_pbc_session {
57 struct wps_pbc_session *next;
59 u8 uuid_e[WPS_UUID_LEN];
60 struct os_time timestamp;
64 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc)
66 struct wps_pbc_session *prev;
76 struct wps_registrar {
77 struct wps_context *wps;
80 int selected_registrar;
82 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *psk,
84 int (*set_ie_cb)(void *ctx, const u8 *beacon_ie, size_t beacon_ie_len,
85 const u8 *probe_resp_ie, size_t probe_resp_ie_len);
86 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e,
87 const struct wps_device_data *dev);
90 struct wps_uuid_pin *pins;
91 struct wps_pbc_session *pbc_sessions;
95 static int wps_set_ie(struct wps_registrar *reg);
96 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx);
99 static void wps_registrar_add_pbc_session(struct wps_registrar *reg,
100 const u8 *addr, const u8 *uuid_e)
102 struct wps_pbc_session *pbc, *prev = NULL;
107 pbc = reg->pbc_sessions;
109 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
110 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
112 prev->next = pbc->next;
114 reg->pbc_sessions = pbc->next;
122 pbc = os_zalloc(sizeof(*pbc));
125 os_memcpy(pbc->addr, addr, ETH_ALEN);
127 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN);
130 pbc->next = reg->pbc_sessions;
131 reg->pbc_sessions = pbc;
132 pbc->timestamp = now;
134 /* remove entries that have timed out */
139 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) {
141 wps_free_pbc_sessions(pbc);
150 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
151 const u8 *addr, const u8 *uuid_e)
153 struct wps_pbc_session *pbc, *prev = NULL;
155 pbc = reg->pbc_sessions;
157 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
158 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
160 prev->next = pbc->next;
162 reg->pbc_sessions = pbc->next;
172 int wps_registrar_pbc_overlap(struct wps_registrar *reg,
173 const u8 *addr, const u8 *uuid_e)
176 struct wps_pbc_session *pbc;
181 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) {
182 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME)
184 if (addr == NULL || os_memcmp(addr, pbc->addr, ETH_ALEN) ||
186 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN))
193 return count > 1 ? 1 : 0;
197 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg)
199 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)",
201 wpabuf_put_be16(msg, ATTR_WPS_STATE);
202 wpabuf_put_be16(msg, 1);
203 wpabuf_put_u8(msg, wps->wps_state);
208 static int wps_build_ap_setup_locked(struct wps_context *wps,
211 if (wps->ap_setup_locked) {
212 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked");
213 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED);
214 wpabuf_put_be16(msg, 1);
215 wpabuf_put_u8(msg, 1);
221 static int wps_build_selected_registrar(struct wps_registrar *reg,
224 if (!reg->selected_registrar)
226 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar");
227 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR);
228 wpabuf_put_be16(msg, 1);
229 wpabuf_put_u8(msg, 1);
234 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg,
237 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
238 if (!reg->selected_registrar)
240 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id);
241 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID);
242 wpabuf_put_be16(msg, 2);
243 wpabuf_put_be16(msg, id);
248 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg,
252 if (!reg->selected_registrar)
254 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
256 methods |= WPS_CONFIG_PUSHBUTTON;
257 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)",
259 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS);
260 wpabuf_put_be16(msg, 2);
261 wpabuf_put_be16(msg, methods);
266 static int wps_build_probe_config_methods(struct wps_registrar *reg,
271 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods);
272 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS);
273 wpabuf_put_be16(msg, 2);
274 wpabuf_put_be16(msg, methods);
279 static int wps_build_config_methods_r(struct wps_registrar *reg,
283 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
285 methods |= WPS_CONFIG_PUSHBUTTON;
286 return wps_build_config_methods(msg, methods);
290 static int wps_build_resp_type(struct wps_registrar *reg, struct wpabuf *msg)
292 u8 resp = reg->wps->ap ? WPS_RESP_AP : WPS_RESP_REGISTRAR;
293 wpa_printf(MSG_DEBUG, "WPS: * Response Type (%d)", resp);
294 wpabuf_put_be16(msg, ATTR_RESPONSE_TYPE);
295 wpabuf_put_be16(msg, 1);
296 wpabuf_put_u8(msg, resp);
301 struct wps_registrar *
302 wps_registrar_init(struct wps_context *wps,
303 const struct wps_registrar_config *cfg)
305 struct wps_registrar *reg = os_zalloc(sizeof(*reg));
310 reg->new_psk_cb = cfg->new_psk_cb;
311 reg->set_ie_cb = cfg->set_ie_cb;
312 reg->pin_needed_cb = cfg->pin_needed_cb;
313 reg->cb_ctx = cfg->cb_ctx;
315 if (wps_set_ie(reg)) {
316 wps_registrar_deinit(reg);
324 void wps_registrar_deinit(struct wps_registrar *reg)
328 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
329 wps_free_pins(reg->pins);
330 wps_free_pbc_sessions(reg->pbc_sessions);
335 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *uuid,
336 const u8 *pin, size_t pin_len)
338 struct wps_uuid_pin *p;
340 p = os_zalloc(sizeof(*p));
344 p->wildcard_uuid = 1;
346 os_memcpy(p->uuid, uuid, WPS_UUID_LEN);
347 p->pin = os_malloc(pin_len);
348 if (p->pin == NULL) {
352 os_memcpy(p->pin, pin, pin_len);
353 p->pin_len = pin_len;
358 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured");
359 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN);
360 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len);
361 reg->selected_registrar = 1;
369 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid)
371 struct wps_uuid_pin *pin, *prev;
376 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
378 reg->pins = pin->next;
380 prev->next = pin->next;
381 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
382 pin->uuid, WPS_UUID_LEN);
394 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
395 const u8 *uuid, size_t *pin_len)
397 struct wps_uuid_pin *pin;
401 if (!pin->wildcard_uuid &&
402 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0)
408 /* Check for wildcard UUIDs since none of the UUID-specific
412 if (pin->wildcard_uuid == 1) {
413 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
414 "PIN. Assigned it for this UUID-E");
415 pin->wildcard_uuid = 2;
416 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
427 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN
428 * that could otherwise avoid PIN invalidations.
431 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not "
432 "allow concurrent re-use");
435 *pin_len = pin->pin_len;
441 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
443 struct wps_uuid_pin *pin;
447 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
448 if (pin->wildcard_uuid == 2) {
449 wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
451 return wps_registrar_invalidate_pin(reg, uuid);
463 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx)
465 struct wps_registrar *reg = eloop_ctx;
467 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode");
468 reg->selected_registrar = 0;
474 int wps_registrar_button_pushed(struct wps_registrar *reg)
476 if (wps_registrar_pbc_overlap(reg, NULL, NULL)) {
477 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC "
481 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started");
482 reg->selected_registrar = 1;
486 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
487 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout,
493 static void wps_registrar_pbc_completed(struct wps_registrar *reg)
495 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode");
496 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
497 reg->selected_registrar = 0;
503 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
504 const struct wpabuf *wps_data)
506 struct wps_parse_attr attr;
509 wpa_hexdump_buf(MSG_MSGDUMP,
510 "WPS: Probe Request with WPS data received",
513 if (wps_parse_msg(wps_data, &attr) < 0 ||
514 attr.version == NULL || *attr.version != WPS_VERSION) {
515 wpa_printf(MSG_DEBUG, "WPS: Unsupported ProbeReq WPS IE "
516 "version 0x%x", attr.version ? *attr.version : 0);
520 if (attr.config_methods == NULL) {
521 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in "
526 methods = WPA_GET_BE16(attr.config_methods);
527 if (!(methods & WPS_CONFIG_PUSHBUTTON))
528 return; /* Not PBC */
530 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
531 MACSTR, MAC2STR(addr));
533 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
537 static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr,
538 const u8 *psk, size_t psk_len)
540 if (reg->new_psk_cb == NULL)
543 return reg->new_psk_cb(reg->cb_ctx, mac_addr, psk, psk_len);
547 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e,
548 const struct wps_device_data *dev)
550 if (reg->pin_needed_cb == NULL)
553 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev);
557 static int wps_cb_set_ie(struct wps_registrar *reg,
558 const struct wpabuf *beacon_ie,
559 const struct wpabuf *probe_resp_ie)
561 if (reg->set_ie_cb == NULL)
564 return reg->set_ie_cb(reg->cb_ctx, wpabuf_head(beacon_ie),
565 wpabuf_len(beacon_ie),
566 wpabuf_head(probe_resp_ie),
567 wpabuf_len(probe_resp_ie));
571 /* Encapsulate WPS IE data with one (or more, if needed) IE headers */
572 static struct wpabuf * wps_ie_encapsulate(struct wpabuf *data)
577 ie = wpabuf_alloc(wpabuf_len(data) + 100);
583 pos = wpabuf_head(data);
584 end = pos + wpabuf_len(data);
587 size_t frag_len = end - pos;
590 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
591 wpabuf_put_u8(ie, 4 + frag_len);
592 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
593 wpabuf_put_data(ie, pos, frag_len);
603 static int wps_set_ie(struct wps_registrar *reg)
605 struct wpabuf *beacon;
606 struct wpabuf *probe;
609 wpa_printf(MSG_DEBUG, "WPS: Build Beacon and Probe Response IEs");
611 beacon = wpabuf_alloc(300);
614 probe = wpabuf_alloc(400);
620 if (wps_build_version(beacon) ||
621 wps_build_wps_state(reg->wps, beacon) ||
622 wps_build_ap_setup_locked(reg->wps, beacon) ||
623 wps_build_selected_registrar(reg, beacon) ||
624 wps_build_sel_reg_dev_password_id(reg, beacon) ||
625 wps_build_sel_reg_config_methods(reg, beacon) ||
626 wps_build_version(probe) ||
627 wps_build_wps_state(reg->wps, probe) ||
628 wps_build_ap_setup_locked(reg->wps, probe) ||
629 wps_build_selected_registrar(reg, probe) ||
630 wps_build_sel_reg_dev_password_id(reg, probe) ||
631 wps_build_sel_reg_config_methods(reg, probe) ||
632 wps_build_resp_type(reg, probe) ||
633 wps_build_uuid_e(probe, reg->wps->uuid) ||
634 wps_build_device_attrs(®->wps->dev, probe) ||
635 wps_build_probe_config_methods(reg, probe) ||
636 wps_build_rf_bands(®->wps->dev, probe)) {
642 beacon = wps_ie_encapsulate(beacon);
643 probe = wps_ie_encapsulate(probe);
645 if (!beacon || !probe) {
651 ret = wps_cb_set_ie(reg, beacon, probe);
659 static int wps_get_dev_password(struct wps_data *wps)
664 os_free(wps->dev_password);
665 wps->dev_password = NULL;
668 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC");
669 pin = (const u8 *) "00000000";
672 pin = wps_registrar_get_pin(wps->registrar, wps->uuid_e,
676 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for "
678 wps_cb_pin_needed(wps->registrar, wps->uuid_e, &wps->peer_dev);
682 wps->dev_password = os_malloc(pin_len);
683 if (wps->dev_password == NULL)
685 os_memcpy(wps->dev_password, pin, pin_len);
686 wps->dev_password_len = pin_len;
692 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg)
694 wpa_printf(MSG_DEBUG, "WPS: * UUID-R");
695 wpabuf_put_be16(msg, ATTR_UUID_R);
696 wpabuf_put_be16(msg, WPS_UUID_LEN);
697 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN);
702 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg)
708 if (os_get_random(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0)
710 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN);
711 wpa_hexdump(MSG_DEBUG, "WPS: R-S2",
712 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN);
714 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) {
715 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for "
716 "R-Hash derivation");
720 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1");
721 wpabuf_put_be16(msg, ATTR_R_HASH1);
722 wpabuf_put_be16(msg, SHA256_MAC_LEN);
723 hash = wpabuf_put(msg, SHA256_MAC_LEN);
724 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */
725 addr[0] = wps->snonce;
726 len[0] = WPS_SECRET_NONCE_LEN;
728 len[1] = WPS_PSK_LEN;
729 addr[2] = wpabuf_head(wps->dh_pubkey_e);
730 len[2] = wpabuf_len(wps->dh_pubkey_e);
731 addr[3] = wpabuf_head(wps->dh_pubkey_r);
732 len[3] = wpabuf_len(wps->dh_pubkey_r);
733 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
734 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN);
736 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2");
737 wpabuf_put_be16(msg, ATTR_R_HASH2);
738 wpabuf_put_be16(msg, SHA256_MAC_LEN);
739 hash = wpabuf_put(msg, SHA256_MAC_LEN);
740 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */
741 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN;
743 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
744 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN);
750 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg)
752 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1");
753 wpabuf_put_be16(msg, ATTR_R_SNONCE1);
754 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
755 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN);
760 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg)
762 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2");
763 wpabuf_put_be16(msg, ATTR_R_SNONCE2);
764 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
765 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN,
766 WPS_SECRET_NONCE_LEN);
771 static int wps_build_cred_network_idx(struct wpabuf *msg,
772 struct wps_credential *cred)
774 wpa_printf(MSG_DEBUG, "WPS: * Network Index");
775 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX);
776 wpabuf_put_be16(msg, 1);
777 wpabuf_put_u8(msg, 0);
782 static int wps_build_cred_ssid(struct wpabuf *msg,
783 struct wps_credential *cred)
785 wpa_printf(MSG_DEBUG, "WPS: * SSID");
786 wpabuf_put_be16(msg, ATTR_SSID);
787 wpabuf_put_be16(msg, cred->ssid_len);
788 wpabuf_put_data(msg, cred->ssid, cred->ssid_len);
793 static int wps_build_cred_auth_type(struct wpabuf *msg,
794 struct wps_credential *cred)
796 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)",
798 wpabuf_put_be16(msg, ATTR_AUTH_TYPE);
799 wpabuf_put_be16(msg, 2);
800 wpabuf_put_be16(msg, cred->auth_type);
805 static int wps_build_cred_encr_type(struct wpabuf *msg,
806 struct wps_credential *cred)
808 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)",
810 wpabuf_put_be16(msg, ATTR_ENCR_TYPE);
811 wpabuf_put_be16(msg, 2);
812 wpabuf_put_be16(msg, cred->encr_type);
817 static int wps_build_cred_network_key(struct wpabuf *msg,
818 struct wps_credential *cred)
820 wpa_printf(MSG_DEBUG, "WPS: * Network Key");
821 wpabuf_put_be16(msg, ATTR_NETWORK_KEY);
822 wpabuf_put_be16(msg, cred->key_len);
823 wpabuf_put_data(msg, cred->key, cred->key_len);
828 static int wps_build_cred_mac_addr(struct wpabuf *msg,
829 struct wps_credential *cred)
831 wpa_printf(MSG_DEBUG, "WPS: * MAC Address");
832 wpabuf_put_be16(msg, ATTR_MAC_ADDR);
833 wpabuf_put_be16(msg, ETH_ALEN);
834 wpabuf_put_data(msg, cred->mac_addr, ETH_ALEN);
839 static int wps_build_credential(struct wpabuf *msg,
840 struct wps_credential *cred)
842 if (wps_build_cred_network_idx(msg, cred) ||
843 wps_build_cred_ssid(msg, cred) ||
844 wps_build_cred_auth_type(msg, cred) ||
845 wps_build_cred_encr_type(msg, cred) ||
846 wps_build_cred_network_key(msg, cred) ||
847 wps_build_cred_mac_addr(msg, cred))
853 static int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
857 wpa_printf(MSG_DEBUG, "WPS: * Credential");
858 os_memset(&wps->cred, 0, sizeof(wps->cred));
860 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
861 wps->cred.ssid_len = wps->wps->ssid_len;
863 /* Select the best authentication and encryption type */
864 if (wps->auth_type & WPS_AUTH_WPA2PSK)
865 wps->auth_type = WPS_AUTH_WPA2PSK;
866 else if (wps->auth_type & WPS_AUTH_WPAPSK)
867 wps->auth_type = WPS_AUTH_WPAPSK;
868 else if (wps->auth_type & WPS_AUTH_OPEN)
869 wps->auth_type = WPS_AUTH_OPEN;
870 else if (wps->auth_type & WPS_AUTH_SHARED)
871 wps->auth_type = WPS_AUTH_SHARED;
873 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x",
877 wps->cred.auth_type = wps->auth_type;
879 if (wps->auth_type == WPS_AUTH_WPA2PSK ||
880 wps->auth_type == WPS_AUTH_WPAPSK) {
881 if (wps->encr_type & WPS_ENCR_AES)
882 wps->encr_type = WPS_ENCR_AES;
883 else if (wps->encr_type & WPS_ENCR_TKIP)
884 wps->encr_type = WPS_ENCR_TKIP;
886 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
887 "type for WPA/WPA2");
891 if (wps->encr_type & WPS_ENCR_WEP)
892 wps->encr_type = WPS_ENCR_WEP;
893 else if (wps->encr_type & WPS_ENCR_NONE)
894 wps->encr_type = WPS_ENCR_NONE;
896 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
897 "type for non-WPA/WPA2 mode");
901 wps->cred.encr_type = wps->encr_type;
902 os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
904 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap) {
906 /* Generate a random passphrase */
907 if (os_get_random(r, sizeof(r)) < 0)
909 os_free(wps->new_psk);
910 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len);
911 if (wps->new_psk == NULL)
913 wps->new_psk_len--; /* remove newline */
914 while (wps->new_psk_len &&
915 wps->new_psk[wps->new_psk_len - 1] == '=')
917 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase",
918 wps->new_psk, wps->new_psk_len);
919 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len);
920 wps->cred.key_len = wps->new_psk_len;
921 } else if (wps->wps->network_key) {
922 os_memcpy(wps->cred.key, wps->wps->network_key,
923 wps->wps->network_key_len);
924 wps->cred.key_len = wps->wps->network_key_len;
925 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
927 /* Generate a random per-device PSK */
928 os_free(wps->new_psk);
929 wps->new_psk_len = 32;
930 wps->new_psk = os_malloc(wps->new_psk_len);
931 if (wps->new_psk == NULL)
933 if (os_get_random(wps->new_psk, wps->new_psk_len) < 0) {
934 os_free(wps->new_psk);
938 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK",
939 wps->new_psk, wps->new_psk_len);
940 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk,
942 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2);
943 wps->cred.key_len = wps->new_psk_len * 2;
946 cred = wpabuf_alloc(200);
950 if (wps_build_credential(cred, &wps->cred)) {
955 wpabuf_put_be16(msg, ATTR_CRED);
956 wpabuf_put_be16(msg, wpabuf_len(cred));
957 wpabuf_put_buf(msg, cred);
964 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg)
966 wpa_printf(MSG_DEBUG, "WPS: * AP Settings");
968 if (wps_build_credential(msg, &wps->cred))
975 static struct wpabuf * wps_build_m2(struct wps_data *wps)
979 if (os_get_random(wps->nonce_r, WPS_NONCE_LEN) < 0)
981 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce",
982 wps->nonce_r, WPS_NONCE_LEN);
983 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
985 wpa_printf(MSG_DEBUG, "WPS: Building Message M2");
986 msg = wpabuf_alloc(1000);
990 if (wps_build_version(msg) ||
991 wps_build_msg_type(msg, WPS_M2) ||
992 wps_build_enrollee_nonce(wps, msg) ||
993 wps_build_registrar_nonce(wps, msg) ||
994 wps_build_uuid_r(wps, msg) ||
995 wps_build_public_key(wps, msg) ||
996 wps_derive_keys(wps) ||
997 wps_build_auth_type_flags(wps, msg) ||
998 wps_build_encr_type_flags(wps, msg) ||
999 wps_build_conn_type_flags(wps, msg) ||
1000 wps_build_config_methods_r(wps->registrar, msg) ||
1001 wps_build_device_attrs(&wps->wps->dev, msg) ||
1002 wps_build_rf_bands(&wps->wps->dev, msg) ||
1003 wps_build_assoc_state(wps, msg) ||
1004 wps_build_config_error(msg, WPS_CFG_NO_ERROR) ||
1005 wps_build_dev_password_id(msg, DEV_PW_DEFAULT) ||
1006 wps_build_os_version(&wps->wps->dev, msg) ||
1007 wps_build_authenticator(wps, msg)) {
1012 wps->state = RECV_M3;
1017 static struct wpabuf * wps_build_m2d(struct wps_data *wps)
1020 u16 err = WPS_CFG_NO_ERROR;
1022 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D");
1023 msg = wpabuf_alloc(1000);
1027 if (wps->authenticator && wps->wps->ap_setup_locked)
1028 err = WPS_CFG_SETUP_LOCKED;
1030 if (wps_build_version(msg) ||
1031 wps_build_msg_type(msg, WPS_M2D) ||
1032 wps_build_enrollee_nonce(wps, msg) ||
1033 wps_build_registrar_nonce(wps, msg) ||
1034 wps_build_uuid_r(wps, msg) ||
1035 wps_build_auth_type_flags(wps, msg) ||
1036 wps_build_encr_type_flags(wps, msg) ||
1037 wps_build_conn_type_flags(wps, msg) ||
1038 wps_build_config_methods_r(wps->registrar, msg) ||
1039 wps_build_device_attrs(&wps->wps->dev, msg) ||
1040 wps_build_rf_bands(&wps->wps->dev, msg) ||
1041 wps_build_assoc_state(wps, msg) ||
1042 wps_build_config_error(msg, err) ||
1043 wps_build_os_version(&wps->wps->dev, msg)) {
1048 wps->state = RECV_M2D_ACK;
1053 static struct wpabuf * wps_build_m4(struct wps_data *wps)
1055 struct wpabuf *msg, *plain;
1057 wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
1059 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
1061 plain = wpabuf_alloc(200);
1065 msg = wpabuf_alloc(1000);
1071 if (wps_build_version(msg) ||
1072 wps_build_msg_type(msg, WPS_M4) ||
1073 wps_build_enrollee_nonce(wps, msg) ||
1074 wps_build_r_hash(wps, msg) ||
1075 wps_build_r_snonce1(wps, plain) ||
1076 wps_build_key_wrap_auth(wps, plain) ||
1077 wps_build_encr_settings(wps, msg, plain) ||
1078 wps_build_authenticator(wps, msg)) {
1085 wps->state = RECV_M5;
1090 static struct wpabuf * wps_build_m6(struct wps_data *wps)
1092 struct wpabuf *msg, *plain;
1094 wpa_printf(MSG_DEBUG, "WPS: Building Message M6");
1096 plain = wpabuf_alloc(200);
1100 msg = wpabuf_alloc(1000);
1106 if (wps_build_version(msg) ||
1107 wps_build_msg_type(msg, WPS_M6) ||
1108 wps_build_enrollee_nonce(wps, msg) ||
1109 wps_build_r_snonce2(wps, plain) ||
1110 wps_build_key_wrap_auth(wps, plain) ||
1111 wps_build_encr_settings(wps, msg, plain) ||
1112 wps_build_authenticator(wps, msg)) {
1119 wps->wps_pin_revealed = 1;
1120 wps->state = RECV_M7;
1125 static struct wpabuf * wps_build_m8(struct wps_data *wps)
1127 struct wpabuf *msg, *plain;
1129 wpa_printf(MSG_DEBUG, "WPS: Building Message M8");
1131 plain = wpabuf_alloc(500);
1135 msg = wpabuf_alloc(1000);
1141 if (wps_build_version(msg) ||
1142 wps_build_msg_type(msg, WPS_M8) ||
1143 wps_build_enrollee_nonce(wps, msg) ||
1144 (wps->wps->ap && wps_build_cred(wps, plain)) ||
1145 (!wps->wps->ap && wps_build_ap_settings(wps, plain)) ||
1146 wps_build_key_wrap_auth(wps, plain) ||
1147 wps_build_encr_settings(wps, msg, plain) ||
1148 wps_build_authenticator(wps, msg)) {
1155 wps->state = RECV_DONE;
1160 static struct wpabuf * wps_build_wsc_ack(struct wps_data *wps)
1164 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_ACK");
1166 msg = wpabuf_alloc(1000);
1170 if (wps_build_version(msg) ||
1171 wps_build_msg_type(msg, WPS_WSC_ACK) ||
1172 wps_build_enrollee_nonce(wps, msg) ||
1173 wps_build_registrar_nonce(wps, msg)) {
1182 static struct wpabuf * wps_build_wsc_nack(struct wps_data *wps)
1186 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_NACK");
1188 msg = wpabuf_alloc(1000);
1192 if (wps_build_version(msg) ||
1193 wps_build_msg_type(msg, WPS_WSC_NACK) ||
1194 wps_build_enrollee_nonce(wps, msg) ||
1195 wps_build_registrar_nonce(wps, msg) ||
1196 wps_build_config_error(msg, wps->config_error)) {
1205 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, u8 *op_code)
1209 switch (wps->state) {
1211 if (wps_get_dev_password(wps) < 0)
1212 msg = wps_build_m2d(wps);
1214 msg = wps_build_m2(wps);
1218 msg = wps_build_m2d(wps);
1222 msg = wps_build_m4(wps);
1226 msg = wps_build_m6(wps);
1230 msg = wps_build_m8(wps);
1234 msg = wps_build_wsc_ack(wps);
1238 msg = wps_build_wsc_nack(wps);
1239 *op_code = WSC_NACK;
1242 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building "
1243 "a message", wps->state);
1248 if (*op_code == WSC_MSG && msg) {
1249 /* Save a copy of the last message for Authenticator derivation
1251 wpabuf_free(wps->last_msg);
1252 wps->last_msg = wpabuf_dup(msg);
1259 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce)
1261 if (e_nonce == NULL) {
1262 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received");
1266 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN);
1267 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce",
1268 wps->nonce_e, WPS_NONCE_LEN);
1274 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce)
1276 if (r_nonce == NULL) {
1277 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received");
1281 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) {
1282 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received");
1290 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e)
1292 if (uuid_e == NULL) {
1293 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received");
1297 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN);
1298 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN);
1304 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id)
1306 if (pw_id == NULL) {
1307 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received");
1311 wps->dev_pw_id = WPA_GET_BE16(pw_id);
1312 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id);
1318 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1)
1320 if (e_hash1 == NULL) {
1321 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received");
1325 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN);
1326 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
1332 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2)
1334 if (e_hash2 == NULL) {
1335 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received");
1339 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
1340 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
1346 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1)
1348 u8 hash[SHA256_MAC_LEN];
1352 if (e_snonce1 == NULL) {
1353 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received");
1357 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1,
1358 WPS_SECRET_NONCE_LEN);
1360 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */
1361 addr[0] = e_snonce1;
1362 len[0] = WPS_SECRET_NONCE_LEN;
1363 addr[1] = wps->psk1;
1364 len[1] = WPS_PSK_LEN;
1365 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1366 len[2] = wpabuf_len(wps->dh_pubkey_e);
1367 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1368 len[3] = wpabuf_len(wps->dh_pubkey_r);
1369 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1371 if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) {
1372 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does "
1373 "not match with the pre-committed value");
1374 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
1378 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first "
1379 "half of the device password");
1385 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
1387 u8 hash[SHA256_MAC_LEN];
1391 if (e_snonce2 == NULL) {
1392 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received");
1396 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2,
1397 WPS_SECRET_NONCE_LEN);
1399 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */
1400 addr[0] = e_snonce2;
1401 len[0] = WPS_SECRET_NONCE_LEN;
1402 addr[1] = wps->psk2;
1403 len[1] = WPS_PSK_LEN;
1404 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1405 len[2] = wpabuf_len(wps->dh_pubkey_e);
1406 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1407 len[3] = wpabuf_len(wps->dh_pubkey_r);
1408 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1410 if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) {
1411 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does "
1412 "not match with the pre-committed value");
1413 wps_registrar_invalidate_pin(wps->registrar, wps->uuid_e);
1414 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
1418 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second "
1419 "half of the device password");
1420 wps->wps_pin_revealed = 0;
1421 wps_registrar_unlock_pin(wps->registrar, wps->uuid_e);
1427 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr)
1429 if (mac_addr == NULL) {
1430 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received");
1434 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR,
1436 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN);
1437 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN);
1443 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk,
1446 if (pk == NULL || pk_len == 0) {
1447 wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
1451 wpabuf_free(wps->dh_pubkey_e);
1452 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
1453 if (wps->dh_pubkey_e == NULL)
1460 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth)
1465 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags "
1470 auth_types = WPA_GET_BE16(auth);
1472 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
1474 wps->auth_type = wps->wps->auth_types & auth_types;
1475 if (wps->auth_type == 0) {
1476 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1477 "authentication types (own 0x%x Enrollee 0x%x)",
1478 wps->wps->auth_types, auth_types);
1486 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr)
1491 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags "
1496 encr_types = WPA_GET_BE16(encr);
1498 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x",
1500 wps->encr_type = wps->wps->encr_types & encr_types;
1501 if (wps->encr_type == 0) {
1502 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1503 "encryption types");
1511 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn)
1514 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags "
1519 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x",
1526 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods)
1530 if (methods == NULL) {
1531 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received");
1535 m = WPA_GET_BE16(methods);
1537 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x", m);
1543 static int wps_process_wps_state(struct wps_data *wps, const u8 *state)
1545 if (state == NULL) {
1546 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State "
1551 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d",
1558 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc)
1562 if (assoc == NULL) {
1563 wpa_printf(MSG_DEBUG, "WPS: No Association State received");
1567 a = WPA_GET_BE16(assoc);
1568 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a);
1574 static int wps_process_config_error(struct wps_data *wps, const u8 *err)
1579 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received");
1583 e = WPA_GET_BE16(err);
1584 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e);
1590 static enum wps_process_res wps_process_m1(struct wps_data *wps,
1591 struct wps_parse_attr *attr)
1593 wpa_printf(MSG_DEBUG, "WPS: Received M1");
1595 if (wps->state != RECV_M1) {
1596 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1597 "receiving M1", wps->state);
1601 if (wps_process_uuid_e(wps, attr->uuid_e) ||
1602 wps_process_mac_addr(wps, attr->mac_addr) ||
1603 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) ||
1604 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) ||
1605 wps_process_auth_type_flags(wps, attr->auth_type_flags) ||
1606 wps_process_encr_type_flags(wps, attr->encr_type_flags) ||
1607 wps_process_conn_type_flags(wps, attr->conn_type_flags) ||
1608 wps_process_config_methods(wps, attr->config_methods) ||
1609 wps_process_wps_state(wps, attr->wps_state) ||
1610 wps_process_device_attrs(&wps->peer_dev, attr) ||
1611 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) ||
1612 wps_process_assoc_state(wps, attr->assoc_state) ||
1613 wps_process_dev_password_id(wps, attr->dev_password_id) ||
1614 wps_process_config_error(wps, attr->config_error) ||
1615 wps_process_os_version(&wps->peer_dev, attr->os_version))
1618 if (wps->dev_pw_id != DEV_PW_DEFAULT &&
1619 wps->dev_pw_id != DEV_PW_USER_SPECIFIED &&
1620 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED &&
1621 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED &&
1622 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || !wps->registrar->pbc)) {
1623 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d",
1625 wps->state = SEND_M2D;
1626 return WPS_CONTINUE;
1629 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) {
1630 if (wps_registrar_pbc_overlap(wps->registrar, wps->mac_addr_e,
1632 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC "
1634 wps->state = SEND_M2D;
1635 return WPS_CONTINUE;
1637 wps_registrar_add_pbc_session(wps->registrar, wps->mac_addr_e,
1642 wps->state = SEND_M2;
1643 return WPS_CONTINUE;
1647 static enum wps_process_res wps_process_m3(struct wps_data *wps,
1648 const struct wpabuf *msg,
1649 struct wps_parse_attr *attr)
1651 wpa_printf(MSG_DEBUG, "WPS: Received M3");
1653 if (wps->state != RECV_M3) {
1654 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1655 "receiving M3", wps->state);
1656 wps->state = SEND_WSC_NACK;
1657 return WPS_CONTINUE;
1660 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1661 wps_process_authenticator(wps, attr->authenticator, msg) ||
1662 wps_process_e_hash1(wps, attr->e_hash1) ||
1663 wps_process_e_hash2(wps, attr->e_hash2)) {
1664 wps->state = SEND_WSC_NACK;
1665 return WPS_CONTINUE;
1668 wps->state = SEND_M4;
1669 return WPS_CONTINUE;
1673 static enum wps_process_res wps_process_m5(struct wps_data *wps,
1674 const struct wpabuf *msg,
1675 struct wps_parse_attr *attr)
1677 struct wpabuf *decrypted;
1678 struct wps_parse_attr eattr;
1680 wpa_printf(MSG_DEBUG, "WPS: Received M5");
1682 if (wps->state != RECV_M5) {
1683 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1684 "receiving M5", wps->state);
1685 wps->state = SEND_WSC_NACK;
1686 return WPS_CONTINUE;
1689 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1690 wps_process_authenticator(wps, attr->authenticator, msg)) {
1691 wps->state = SEND_WSC_NACK;
1692 return WPS_CONTINUE;
1695 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1696 attr->encr_settings_len);
1697 if (decrypted == NULL) {
1698 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1699 "Settings attribute");
1700 wps->state = SEND_WSC_NACK;
1701 return WPS_CONTINUE;
1704 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1706 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1707 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1708 wps_process_e_snonce1(wps, eattr.e_snonce1)) {
1709 wpabuf_free(decrypted);
1710 wps->state = SEND_WSC_NACK;
1711 return WPS_CONTINUE;
1713 wpabuf_free(decrypted);
1715 wps->state = SEND_M6;
1716 return WPS_CONTINUE;
1720 static int wps_process_ap_settings_r(struct wps_data *wps,
1721 struct wps_parse_attr *attr)
1726 /* AP Settings Attributes in M7 when Enrollee is an AP */
1727 if (wps_process_ap_settings(attr, &wps->cred) < 0)
1730 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP");
1733 * TODO: Provide access to AP settings and allow changes before sending
1734 * out M8. For now, just copy the settings unchanged into M8.
1741 static enum wps_process_res wps_process_m7(struct wps_data *wps,
1742 const struct wpabuf *msg,
1743 struct wps_parse_attr *attr)
1745 struct wpabuf *decrypted;
1746 struct wps_parse_attr eattr;
1748 wpa_printf(MSG_DEBUG, "WPS: Received M7");
1750 if (wps->state != RECV_M7) {
1751 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1752 "receiving M7", wps->state);
1753 wps->state = SEND_WSC_NACK;
1754 return WPS_CONTINUE;
1757 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1758 wps_process_authenticator(wps, attr->authenticator, msg)) {
1759 wps->state = SEND_WSC_NACK;
1760 return WPS_CONTINUE;
1763 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1764 attr->encr_settings_len);
1765 if (decrypted == NULL) {
1766 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1767 "Settings attribute");
1768 wps->state = SEND_WSC_NACK;
1769 return WPS_CONTINUE;
1772 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1774 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1775 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1776 wps_process_e_snonce2(wps, eattr.e_snonce2) ||
1777 wps_process_ap_settings_r(wps, &eattr)) {
1778 wpabuf_free(decrypted);
1779 wps->state = SEND_WSC_NACK;
1780 return WPS_CONTINUE;
1783 wpabuf_free(decrypted);
1785 wps->state = SEND_M8;
1786 return WPS_CONTINUE;
1790 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps,
1791 const struct wpabuf *msg)
1793 struct wps_parse_attr attr;
1794 enum wps_process_res ret = WPS_CONTINUE;
1796 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG");
1798 if (wps_parse_msg(msg, &attr) < 0)
1801 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1802 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1803 attr.version ? *attr.version : 0);
1807 if (attr.msg_type == NULL) {
1808 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1812 if (*attr.msg_type != WPS_M1 &&
1813 (attr.registrar_nonce == NULL ||
1814 os_memcmp(wps->nonce_r, attr.registrar_nonce,
1815 WPS_NONCE_LEN != 0))) {
1816 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1820 switch (*attr.msg_type) {
1822 ret = wps_process_m1(wps, &attr);
1825 ret = wps_process_m3(wps, msg, &attr);
1826 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
1827 wps_fail_event(wps->wps, WPS_M3);
1830 ret = wps_process_m5(wps, msg, &attr);
1831 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
1832 wps_fail_event(wps->wps, WPS_M5);
1835 ret = wps_process_m7(wps, msg, &attr);
1836 if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
1837 wps_fail_event(wps->wps, WPS_M7);
1840 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d",
1845 if (ret == WPS_CONTINUE) {
1846 /* Save a copy of the last message for Authenticator derivation
1848 wpabuf_free(wps->last_msg);
1849 wps->last_msg = wpabuf_dup(msg);
1856 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps,
1857 const struct wpabuf *msg)
1859 struct wps_parse_attr attr;
1861 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK");
1863 if (wps_parse_msg(msg, &attr) < 0)
1866 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1867 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1868 attr.version ? *attr.version : 0);
1872 if (attr.msg_type == NULL) {
1873 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1877 if (*attr.msg_type != WPS_WSC_ACK) {
1878 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1883 if (attr.registrar_nonce == NULL ||
1884 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1886 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1890 if (attr.enrollee_nonce == NULL ||
1891 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1892 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1896 if (wps->state == RECV_M2D_ACK) {
1897 /* TODO: support for multiple registrars and sending of
1898 * multiple M2/M2D messages */
1900 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - "
1901 "terminate negotiation");
1908 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps,
1909 const struct wpabuf *msg)
1911 struct wps_parse_attr attr;
1914 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK");
1916 old_state = wps->state;
1917 wps->state = SEND_WSC_NACK;
1919 if (wps_parse_msg(msg, &attr) < 0)
1922 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1923 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1924 attr.version ? *attr.version : 0);
1928 if (attr.msg_type == NULL) {
1929 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1933 if (*attr.msg_type != WPS_WSC_NACK) {
1934 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1939 if (attr.registrar_nonce == NULL ||
1940 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1942 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1946 if (attr.enrollee_nonce == NULL ||
1947 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1948 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1952 if (attr.config_error == NULL) {
1953 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute "
1958 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with "
1959 "Configuration Error %d", WPA_GET_BE16(attr.config_error));
1961 switch (old_state) {
1963 wps_fail_event(wps->wps, WPS_M2);
1966 wps_fail_event(wps->wps, WPS_M4);
1969 wps_fail_event(wps->wps, WPS_M6);
1972 wps_fail_event(wps->wps, WPS_M8);
1982 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps,
1983 const struct wpabuf *msg)
1985 struct wps_parse_attr attr;
1987 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done");
1989 if (wps->state != RECV_DONE) {
1990 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1991 "receiving WSC_Done", wps->state);
1995 if (wps_parse_msg(msg, &attr) < 0)
1998 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1999 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
2000 attr.version ? *attr.version : 0);
2004 if (attr.msg_type == NULL) {
2005 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
2009 if (*attr.msg_type != WPS_WSC_DONE) {
2010 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
2015 if (attr.registrar_nonce == NULL ||
2016 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
2018 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
2022 if (attr.enrollee_nonce == NULL ||
2023 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
2024 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
2028 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully");
2030 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk &&
2032 struct wps_credential cred;
2034 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based "
2035 "on first Enrollee connection");
2037 os_memset(&cred, 0, sizeof(cred));
2038 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
2039 cred.ssid_len = wps->wps->ssid_len;
2040 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK;
2041 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES;
2042 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len);
2043 cred.key_len = wps->new_psk_len;
2045 wps->wps->wps_state = WPS_STATE_CONFIGURED;
2046 wpa_hexdump_ascii_key(MSG_DEBUG,
2047 "WPS: Generated random passphrase",
2048 wps->new_psk, wps->new_psk_len);
2049 if (wps->wps->cred_cb)
2050 wps->wps->cred_cb(wps->wps->cb_ctx, &cred);
2052 os_free(wps->new_psk);
2053 wps->new_psk = NULL;
2056 if (!wps->wps->ap) {
2057 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based "
2058 "on the modified AP configuration");
2059 if (wps->wps->cred_cb)
2060 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred);
2064 if (wps_cb_new_psk(wps->registrar, wps->mac_addr_e,
2065 wps->new_psk, wps->new_psk_len)) {
2066 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the "
2069 os_free(wps->new_psk);
2070 wps->new_psk = NULL;
2074 wps_registrar_remove_pbc_session(wps->registrar,
2075 wps->mac_addr_e, wps->uuid_e);
2076 wps_registrar_pbc_completed(wps->registrar);
2079 wps_success_event(wps->wps);
2085 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps,
2087 const struct wpabuf *msg)
2089 enum wps_process_res ret;
2091 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu "
2093 (unsigned long) wpabuf_len(msg), op_code);
2097 return wps_process_wsc_msg(wps, msg);
2099 return wps_process_wsc_ack(wps, msg);
2101 return wps_process_wsc_nack(wps, msg);
2103 ret = wps_process_wsc_done(wps, msg);
2104 if (ret == WPS_FAILURE) {
2105 wps->state = SEND_WSC_NACK;
2106 wps_fail_event(wps->wps, WPS_WSC_DONE);
2110 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code);