2 * Wi-Fi Protected Setup - Registrar
3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
20 #include "ieee802_11_defs.h"
23 #include "wps_dev_attr.h"
27 struct wps_uuid_pin *next;
28 u8 uuid[WPS_UUID_LEN];
36 static void wps_free_pin(struct wps_uuid_pin *pin)
43 static void wps_free_pins(struct wps_uuid_pin *pins)
45 struct wps_uuid_pin *pin, *prev;
56 struct wps_pbc_session {
57 struct wps_pbc_session *next;
59 u8 uuid_e[WPS_UUID_LEN];
60 struct os_time timestamp;
64 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc)
66 struct wps_pbc_session *prev;
76 struct wps_registrar {
77 struct wps_context *wps;
80 int selected_registrar;
82 int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *psk,
84 int (*set_ie_cb)(void *ctx, const u8 *beacon_ie, size_t beacon_ie_len,
85 const u8 *probe_resp_ie, size_t probe_resp_ie_len);
86 void (*pin_needed_cb)(void *ctx, const u8 *uuid_e,
87 const struct wps_device_data *dev);
90 struct wps_uuid_pin *pins;
91 struct wps_pbc_session *pbc_sessions;
95 static int wps_set_ie(struct wps_registrar *reg);
96 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx);
99 static void wps_registrar_add_pbc_session(struct wps_registrar *reg,
100 const u8 *addr, const u8 *uuid_e)
102 struct wps_pbc_session *pbc, *prev = NULL;
107 pbc = reg->pbc_sessions;
109 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
110 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
112 prev->next = pbc->next;
114 reg->pbc_sessions = pbc->next;
122 pbc = os_zalloc(sizeof(*pbc));
125 os_memcpy(pbc->addr, addr, ETH_ALEN);
127 os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN);
130 pbc->next = reg->pbc_sessions;
131 reg->pbc_sessions = pbc;
132 pbc->timestamp = now;
134 /* remove entries that have timed out */
139 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) {
141 wps_free_pbc_sessions(pbc);
150 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
151 const u8 *addr, const u8 *uuid_e)
153 struct wps_pbc_session *pbc, *prev = NULL;
155 pbc = reg->pbc_sessions;
157 if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
158 os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
160 prev->next = pbc->next;
162 reg->pbc_sessions = pbc->next;
172 int wps_registrar_pbc_overlap(struct wps_registrar *reg,
173 const u8 *addr, const u8 *uuid_e)
176 struct wps_pbc_session *pbc;
181 for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) {
182 if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME)
184 if (addr == NULL || os_memcmp(addr, pbc->addr, ETH_ALEN) ||
186 os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN))
193 return count > 1 ? 1 : 0;
197 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg)
199 wpa_printf(MSG_DEBUG, "WPS: * Wi-Fi Protected Setup State (%d)",
201 wpabuf_put_be16(msg, ATTR_WPS_STATE);
202 wpabuf_put_be16(msg, 1);
203 wpabuf_put_u8(msg, wps->wps_state);
208 static int wps_build_ap_setup_locked(struct wps_context *wps,
211 if (wps->ap_setup_locked) {
212 wpa_printf(MSG_DEBUG, "WPS: * AP Setup Locked");
213 wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED);
214 wpabuf_put_be16(msg, 1);
215 wpabuf_put_u8(msg, 1);
221 static int wps_build_selected_registrar(struct wps_registrar *reg,
224 if (!reg->selected_registrar)
226 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar");
227 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR);
228 wpabuf_put_be16(msg, 1);
229 wpabuf_put_u8(msg, 1);
234 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg,
237 u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
238 if (!reg->selected_registrar)
240 wpa_printf(MSG_DEBUG, "WPS: * Device Password ID (%d)", id);
241 wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID);
242 wpabuf_put_be16(msg, 2);
243 wpabuf_put_be16(msg, id);
248 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg,
252 if (!reg->selected_registrar)
254 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
256 methods |= WPS_CONFIG_PUSHBUTTON;
257 wpa_printf(MSG_DEBUG, "WPS: * Selected Registrar Config Methods (%x)",
259 wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS);
260 wpabuf_put_be16(msg, 2);
261 wpabuf_put_be16(msg, methods);
266 static int wps_build_probe_config_methods(struct wps_registrar *reg,
271 wpa_printf(MSG_DEBUG, "WPS: * Config Methods (%x)", methods);
272 wpabuf_put_be16(msg, ATTR_CONFIG_METHODS);
273 wpabuf_put_be16(msg, 2);
274 wpabuf_put_be16(msg, methods);
279 static int wps_build_config_methods_r(struct wps_registrar *reg,
283 methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
285 methods |= WPS_CONFIG_PUSHBUTTON;
286 return wps_build_config_methods(msg, methods);
290 static int wps_build_resp_type(struct wps_registrar *reg, struct wpabuf *msg)
292 u8 resp = reg->wps->ap ? WPS_RESP_AP : WPS_RESP_REGISTRAR;
293 wpa_printf(MSG_DEBUG, "WPS: * Response Type (%d)", resp);
294 wpabuf_put_be16(msg, ATTR_RESPONSE_TYPE);
295 wpabuf_put_be16(msg, 1);
296 wpabuf_put_u8(msg, resp);
301 struct wps_registrar *
302 wps_registrar_init(struct wps_context *wps,
303 const struct wps_registrar_config *cfg)
305 struct wps_registrar *reg = os_zalloc(sizeof(*reg));
310 reg->new_psk_cb = cfg->new_psk_cb;
311 reg->set_ie_cb = cfg->set_ie_cb;
312 reg->pin_needed_cb = cfg->pin_needed_cb;
313 reg->cb_ctx = cfg->cb_ctx;
315 if (wps_set_ie(reg)) {
316 wps_registrar_deinit(reg);
324 void wps_registrar_deinit(struct wps_registrar *reg)
328 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
329 wps_free_pins(reg->pins);
330 wps_free_pbc_sessions(reg->pbc_sessions);
335 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *uuid,
336 const u8 *pin, size_t pin_len)
338 struct wps_uuid_pin *p;
340 p = os_zalloc(sizeof(*p));
344 p->wildcard_uuid = 1;
346 os_memcpy(p->uuid, uuid, WPS_UUID_LEN);
347 p->pin = os_malloc(pin_len);
348 if (p->pin == NULL) {
352 os_memcpy(p->pin, pin, pin_len);
353 p->pin_len = pin_len;
358 wpa_printf(MSG_DEBUG, "WPS: A new PIN configured");
359 wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN);
360 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len);
361 reg->selected_registrar = 1;
369 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid)
371 struct wps_uuid_pin *pin, *prev;
376 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
378 reg->pins = pin->next;
380 prev->next = pin->next;
381 wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
382 pin->uuid, WPS_UUID_LEN);
394 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
395 const u8 *uuid, size_t *pin_len)
397 struct wps_uuid_pin *pin;
401 if (!pin->wildcard_uuid &&
402 os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0)
408 /* Check for wildcard UUIDs since none of the UUID-specific
412 if (pin->wildcard_uuid == 1) {
413 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
414 "PIN. Assigned it for this UUID-E");
415 pin->wildcard_uuid = 2;
416 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
427 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN
428 * that could otherwise avoid PIN invalidations.
431 wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not "
432 "allow concurrent re-use");
435 *pin_len = pin->pin_len;
441 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
443 struct wps_uuid_pin *pin;
447 if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
448 if (pin->wildcard_uuid == 2) {
449 wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
451 return wps_registrar_invalidate_pin(reg, uuid);
463 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx)
465 struct wps_registrar *reg = eloop_ctx;
467 wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode");
468 reg->selected_registrar = 0;
474 int wps_registrar_button_pushed(struct wps_registrar *reg)
476 if (wps_registrar_pbc_overlap(reg, NULL, NULL)) {
477 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC "
481 wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started");
482 reg->selected_registrar = 1;
486 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
487 eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout,
493 static void wps_registrar_pbc_completed(struct wps_registrar *reg)
495 wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode");
496 eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
497 reg->selected_registrar = 0;
503 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
504 const struct wpabuf *wps_data)
506 struct wps_parse_attr attr;
509 wpa_hexdump_buf(MSG_MSGDUMP,
510 "WPS: Probe Request with WPS data received",
513 if (wps_parse_msg(wps_data, &attr) < 0 ||
514 attr.version == NULL || *attr.version != WPS_VERSION) {
515 wpa_printf(MSG_DEBUG, "WPS: Unsupported ProbeReq WPS IE "
516 "version 0x%x", attr.version ? *attr.version : 0);
520 if (attr.config_methods == NULL) {
521 wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in "
526 methods = WPA_GET_BE16(attr.config_methods);
527 if (!(methods & WPS_CONFIG_PUSHBUTTON))
528 return; /* Not PBC */
530 wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
531 MACSTR, MAC2STR(addr));
533 wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
537 static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr,
538 const u8 *psk, size_t psk_len)
540 if (reg->new_psk_cb == NULL)
543 return reg->new_psk_cb(reg->cb_ctx, mac_addr, psk, psk_len);
547 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e,
548 const struct wps_device_data *dev)
550 if (reg->pin_needed_cb == NULL)
553 reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev);
557 static int wps_cb_set_ie(struct wps_registrar *reg,
558 const struct wpabuf *beacon_ie,
559 const struct wpabuf *probe_resp_ie)
561 if (reg->set_ie_cb == NULL)
564 return reg->set_ie_cb(reg->cb_ctx, wpabuf_head(beacon_ie),
565 wpabuf_len(beacon_ie),
566 wpabuf_head(probe_resp_ie),
567 wpabuf_len(probe_resp_ie));
571 /* Encapsulate WPS IE data with one (or more, if needed) IE headers */
572 static struct wpabuf * wps_ie_encapsulate(struct wpabuf *data)
577 ie = wpabuf_alloc(wpabuf_len(data) + 100);
583 pos = wpabuf_head(data);
584 end = pos + wpabuf_len(data);
587 size_t frag_len = end - pos;
590 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
591 wpabuf_put_u8(ie, 4 + frag_len);
592 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
593 wpabuf_put_data(ie, pos, frag_len);
603 static int wps_set_ie(struct wps_registrar *reg)
605 struct wpabuf *beacon;
606 struct wpabuf *probe;
609 wpa_printf(MSG_DEBUG, "WPS: Build Beacon and Probe Response IEs");
611 beacon = wpabuf_alloc(300);
614 probe = wpabuf_alloc(400);
620 if (wps_build_version(beacon) ||
621 wps_build_wps_state(reg->wps, beacon) ||
622 wps_build_ap_setup_locked(reg->wps, beacon) ||
623 wps_build_selected_registrar(reg, beacon) ||
624 wps_build_sel_reg_dev_password_id(reg, beacon) ||
625 wps_build_sel_reg_config_methods(reg, beacon) ||
626 wps_build_version(probe) ||
627 wps_build_wps_state(reg->wps, probe) ||
628 wps_build_ap_setup_locked(reg->wps, probe) ||
629 wps_build_selected_registrar(reg, probe) ||
630 wps_build_sel_reg_dev_password_id(reg, probe) ||
631 wps_build_sel_reg_config_methods(reg, probe) ||
632 wps_build_resp_type(reg, probe) ||
633 wps_build_uuid_e(probe, reg->wps->uuid) ||
634 wps_build_device_attrs(®->wps->dev, probe) ||
635 wps_build_probe_config_methods(reg, probe) ||
636 wps_build_rf_bands(®->wps->dev, probe)) {
642 beacon = wps_ie_encapsulate(beacon);
643 probe = wps_ie_encapsulate(probe);
645 if (!beacon || !probe) {
651 ret = wps_cb_set_ie(reg, beacon, probe);
659 static int wps_get_dev_password(struct wps_data *wps)
664 os_free(wps->dev_password);
665 wps->dev_password = NULL;
668 wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC");
669 pin = (const u8 *) "00000000";
672 pin = wps_registrar_get_pin(wps->registrar, wps->uuid_e,
676 wpa_printf(MSG_DEBUG, "WPS: No Device Password available for "
678 wps_cb_pin_needed(wps->registrar, wps->uuid_e, &wps->peer_dev);
682 wps->dev_password = os_malloc(pin_len);
683 if (wps->dev_password == NULL)
685 os_memcpy(wps->dev_password, pin, pin_len);
686 wps->dev_password_len = pin_len;
692 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg)
694 wpa_printf(MSG_DEBUG, "WPS: * UUID-R");
695 wpabuf_put_be16(msg, ATTR_UUID_R);
696 wpabuf_put_be16(msg, WPS_UUID_LEN);
697 wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN);
702 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg)
708 if (os_get_random(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0)
710 wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN);
711 wpa_hexdump(MSG_DEBUG, "WPS: R-S2",
712 wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN);
714 if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) {
715 wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for "
716 "R-Hash derivation");
720 wpa_printf(MSG_DEBUG, "WPS: * R-Hash1");
721 wpabuf_put_be16(msg, ATTR_R_HASH1);
722 wpabuf_put_be16(msg, SHA256_MAC_LEN);
723 hash = wpabuf_put(msg, SHA256_MAC_LEN);
724 /* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */
725 addr[0] = wps->snonce;
726 len[0] = WPS_SECRET_NONCE_LEN;
728 len[1] = WPS_PSK_LEN;
729 addr[2] = wpabuf_head(wps->dh_pubkey_e);
730 len[2] = wpabuf_len(wps->dh_pubkey_e);
731 addr[3] = wpabuf_head(wps->dh_pubkey_r);
732 len[3] = wpabuf_len(wps->dh_pubkey_r);
733 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
734 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN);
736 wpa_printf(MSG_DEBUG, "WPS: * R-Hash2");
737 wpabuf_put_be16(msg, ATTR_R_HASH2);
738 wpabuf_put_be16(msg, SHA256_MAC_LEN);
739 hash = wpabuf_put(msg, SHA256_MAC_LEN);
740 /* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */
741 addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN;
743 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
744 wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN);
750 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg)
752 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce1");
753 wpabuf_put_be16(msg, ATTR_R_SNONCE1);
754 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
755 wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN);
760 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg)
762 wpa_printf(MSG_DEBUG, "WPS: * R-SNonce2");
763 wpabuf_put_be16(msg, ATTR_R_SNONCE2);
764 wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
765 wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN,
766 WPS_SECRET_NONCE_LEN);
771 static int wps_build_cred_network_idx(struct wpabuf *msg,
772 struct wps_credential *cred)
774 wpa_printf(MSG_DEBUG, "WPS: * Network Index");
775 wpabuf_put_be16(msg, ATTR_NETWORK_INDEX);
776 wpabuf_put_be16(msg, 1);
777 wpabuf_put_u8(msg, 0);
782 static int wps_build_cred_ssid(struct wpabuf *msg,
783 struct wps_credential *cred)
785 wpa_printf(MSG_DEBUG, "WPS: * SSID");
786 wpabuf_put_be16(msg, ATTR_SSID);
787 wpabuf_put_be16(msg, cred->ssid_len);
788 wpabuf_put_data(msg, cred->ssid, cred->ssid_len);
793 static int wps_build_cred_auth_type(struct wpabuf *msg,
794 struct wps_credential *cred)
796 wpa_printf(MSG_DEBUG, "WPS: * Authentication Type (0x%x)",
798 wpabuf_put_be16(msg, ATTR_AUTH_TYPE);
799 wpabuf_put_be16(msg, 2);
800 wpabuf_put_be16(msg, cred->auth_type);
805 static int wps_build_cred_encr_type(struct wpabuf *msg,
806 struct wps_credential *cred)
808 wpa_printf(MSG_DEBUG, "WPS: * Encryption Type (0x%x)",
810 wpabuf_put_be16(msg, ATTR_ENCR_TYPE);
811 wpabuf_put_be16(msg, 2);
812 wpabuf_put_be16(msg, cred->encr_type);
817 static int wps_build_cred_network_key(struct wpabuf *msg,
818 struct wps_credential *cred)
820 wpa_printf(MSG_DEBUG, "WPS: * Network Key");
821 wpabuf_put_be16(msg, ATTR_NETWORK_KEY);
822 wpabuf_put_be16(msg, cred->key_len);
823 wpabuf_put_data(msg, cred->key, cred->key_len);
828 static int wps_build_cred_mac_addr(struct wpabuf *msg,
829 struct wps_credential *cred)
831 wpa_printf(MSG_DEBUG, "WPS: * MAC Address");
832 wpabuf_put_be16(msg, ATTR_MAC_ADDR);
833 wpabuf_put_be16(msg, ETH_ALEN);
834 wpabuf_put_data(msg, cred->mac_addr, ETH_ALEN);
839 static int wps_build_credential(struct wpabuf *msg,
840 struct wps_credential *cred)
842 if (wps_build_cred_network_idx(msg, cred) ||
843 wps_build_cred_ssid(msg, cred) ||
844 wps_build_cred_auth_type(msg, cred) ||
845 wps_build_cred_encr_type(msg, cred) ||
846 wps_build_cred_network_key(msg, cred) ||
847 wps_build_cred_mac_addr(msg, cred))
853 static int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
857 wpa_printf(MSG_DEBUG, "WPS: * Credential");
858 os_memset(&wps->cred, 0, sizeof(wps->cred));
860 os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
861 wps->cred.ssid_len = wps->wps->ssid_len;
863 /* Select the best authentication and encryption type */
864 if (wps->auth_type & WPS_AUTH_WPA2PSK)
865 wps->auth_type = WPS_AUTH_WPA2PSK;
866 else if (wps->auth_type & WPS_AUTH_WPAPSK)
867 wps->auth_type = WPS_AUTH_WPAPSK;
868 else if (wps->auth_type & WPS_AUTH_OPEN)
869 wps->auth_type = WPS_AUTH_OPEN;
870 else if (wps->auth_type & WPS_AUTH_SHARED)
871 wps->auth_type = WPS_AUTH_SHARED;
873 wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x",
877 wps->cred.auth_type = wps->auth_type;
879 if (wps->auth_type == WPS_AUTH_WPA2PSK ||
880 wps->auth_type == WPS_AUTH_WPAPSK) {
881 if (wps->encr_type & WPS_ENCR_AES)
882 wps->encr_type = WPS_ENCR_AES;
883 else if (wps->encr_type & WPS_ENCR_TKIP)
884 wps->encr_type = WPS_ENCR_TKIP;
886 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
887 "type for WPA/WPA2");
891 if (wps->encr_type & WPS_ENCR_WEP)
892 wps->encr_type = WPS_ENCR_WEP;
893 else if (wps->encr_type & WPS_ENCR_NONE)
894 wps->encr_type = WPS_ENCR_NONE;
896 wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
897 "type for non-WPA/WPA2 mode");
901 wps->cred.encr_type = wps->encr_type;
902 os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
904 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap) {
906 /* Generate a random passphrase */
907 if (os_get_random(r, sizeof(r)) < 0)
909 os_free(wps->new_psk);
910 wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len);
911 if (wps->new_psk == NULL)
913 wps->new_psk_len--; /* remove newline */
914 while (wps->new_psk_len &&
915 wps->new_psk[wps->new_psk_len - 1] == '=')
917 wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase",
918 wps->new_psk, wps->new_psk_len);
919 os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len);
920 wps->cred.key_len = wps->new_psk_len;
921 } else if (wps->wps->network_key) {
922 os_memcpy(wps->cred.key, wps->wps->network_key,
923 wps->wps->network_key_len);
924 wps->cred.key_len = wps->wps->network_key_len;
925 } else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
927 /* Generate a random per-device PSK */
928 os_free(wps->new_psk);
929 wps->new_psk_len = 32;
930 wps->new_psk = os_malloc(wps->new_psk_len);
931 if (wps->new_psk == NULL)
933 if (os_get_random(wps->new_psk, wps->new_psk_len) < 0) {
934 os_free(wps->new_psk);
938 wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK",
939 wps->new_psk, wps->new_psk_len);
940 wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk,
942 os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2);
943 wps->cred.key_len = wps->new_psk_len * 2;
946 cred = wpabuf_alloc(200);
950 if (wps_build_credential(cred, &wps->cred)) {
955 wpabuf_put_be16(msg, ATTR_CRED);
956 wpabuf_put_be16(msg, wpabuf_len(cred));
957 wpabuf_put_buf(msg, cred);
964 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg)
966 wpa_printf(MSG_DEBUG, "WPS: * AP Settings");
968 if (wps_build_credential(msg, &wps->cred))
975 static struct wpabuf * wps_build_m2(struct wps_data *wps)
979 if (os_get_random(wps->nonce_r, WPS_NONCE_LEN) < 0)
981 wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce",
982 wps->nonce_r, WPS_NONCE_LEN);
983 os_memcpy(wps->uuid_r, wps->wps->uuid, WPS_UUID_LEN);
984 wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
986 wpa_printf(MSG_DEBUG, "WPS: Building Message M2");
987 msg = wpabuf_alloc(1000);
991 if (wps_build_version(msg) ||
992 wps_build_msg_type(msg, WPS_M2) ||
993 wps_build_enrollee_nonce(wps, msg) ||
994 wps_build_registrar_nonce(wps, msg) ||
995 wps_build_uuid_r(wps, msg) ||
996 wps_build_public_key(wps, msg) ||
997 wps_derive_keys(wps) ||
998 wps_build_auth_type_flags(wps, msg) ||
999 wps_build_encr_type_flags(wps, msg) ||
1000 wps_build_conn_type_flags(wps, msg) ||
1001 wps_build_config_methods_r(wps->registrar, msg) ||
1002 wps_build_device_attrs(&wps->wps->dev, msg) ||
1003 wps_build_rf_bands(&wps->wps->dev, msg) ||
1004 wps_build_assoc_state(wps, msg) ||
1005 wps_build_config_error(msg, WPS_CFG_NO_ERROR) ||
1006 wps_build_dev_password_id(msg, DEV_PW_DEFAULT) ||
1007 wps_build_os_version(&wps->wps->dev, msg) ||
1008 wps_build_authenticator(wps, msg)) {
1013 wps->state = RECV_M3;
1018 static struct wpabuf * wps_build_m2d(struct wps_data *wps)
1021 u16 err = WPS_CFG_NO_ERROR;
1023 wpa_printf(MSG_DEBUG, "WPS: Building Message M2D");
1024 msg = wpabuf_alloc(1000);
1028 if (wps->authenticator && wps->wps->ap_setup_locked)
1029 err = WPS_CFG_SETUP_LOCKED;
1031 if (wps_build_version(msg) ||
1032 wps_build_msg_type(msg, WPS_M2D) ||
1033 wps_build_enrollee_nonce(wps, msg) ||
1034 wps_build_registrar_nonce(wps, msg) ||
1035 wps_build_uuid_r(wps, msg) ||
1036 wps_build_auth_type_flags(wps, msg) ||
1037 wps_build_encr_type_flags(wps, msg) ||
1038 wps_build_conn_type_flags(wps, msg) ||
1039 wps_build_config_methods_r(wps->registrar, msg) ||
1040 wps_build_device_attrs(&wps->wps->dev, msg) ||
1041 wps_build_rf_bands(&wps->wps->dev, msg) ||
1042 wps_build_assoc_state(wps, msg) ||
1043 wps_build_config_error(msg, err) ||
1044 wps_build_os_version(&wps->wps->dev, msg)) {
1049 wps->state = RECV_M2D_ACK;
1054 static struct wpabuf * wps_build_m4(struct wps_data *wps)
1056 struct wpabuf *msg, *plain;
1058 wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
1060 wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
1062 plain = wpabuf_alloc(200);
1066 msg = wpabuf_alloc(1000);
1072 if (wps_build_version(msg) ||
1073 wps_build_msg_type(msg, WPS_M4) ||
1074 wps_build_enrollee_nonce(wps, msg) ||
1075 wps_build_r_hash(wps, msg) ||
1076 wps_build_r_snonce1(wps, plain) ||
1077 wps_build_key_wrap_auth(wps, plain) ||
1078 wps_build_encr_settings(wps, msg, plain) ||
1079 wps_build_authenticator(wps, msg)) {
1086 wps->state = RECV_M5;
1091 static struct wpabuf * wps_build_m6(struct wps_data *wps)
1093 struct wpabuf *msg, *plain;
1095 wpa_printf(MSG_DEBUG, "WPS: Building Message M6");
1097 plain = wpabuf_alloc(200);
1101 msg = wpabuf_alloc(1000);
1107 if (wps_build_version(msg) ||
1108 wps_build_msg_type(msg, WPS_M6) ||
1109 wps_build_enrollee_nonce(wps, msg) ||
1110 wps_build_r_snonce2(wps, plain) ||
1111 wps_build_key_wrap_auth(wps, plain) ||
1112 wps_build_encr_settings(wps, msg, plain) ||
1113 wps_build_authenticator(wps, msg)) {
1120 wps->wps_pin_revealed = 1;
1121 wps->state = RECV_M7;
1126 static struct wpabuf * wps_build_m8(struct wps_data *wps)
1128 struct wpabuf *msg, *plain;
1130 wpa_printf(MSG_DEBUG, "WPS: Building Message M8");
1132 plain = wpabuf_alloc(500);
1136 msg = wpabuf_alloc(1000);
1142 if (wps_build_version(msg) ||
1143 wps_build_msg_type(msg, WPS_M8) ||
1144 wps_build_enrollee_nonce(wps, msg) ||
1145 (wps->wps->ap && wps_build_cred(wps, plain)) ||
1146 (!wps->wps->ap && wps_build_ap_settings(wps, plain)) ||
1147 wps_build_key_wrap_auth(wps, plain) ||
1148 wps_build_encr_settings(wps, msg, plain) ||
1149 wps_build_authenticator(wps, msg)) {
1156 wps->state = RECV_DONE;
1161 static struct wpabuf * wps_build_wsc_ack(struct wps_data *wps)
1165 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_ACK");
1167 msg = wpabuf_alloc(1000);
1171 if (wps_build_version(msg) ||
1172 wps_build_msg_type(msg, WPS_WSC_ACK) ||
1173 wps_build_enrollee_nonce(wps, msg) ||
1174 wps_build_registrar_nonce(wps, msg)) {
1183 static struct wpabuf * wps_build_wsc_nack(struct wps_data *wps)
1187 wpa_printf(MSG_DEBUG, "WPS: Building Message WSC_NACK");
1189 msg = wpabuf_alloc(1000);
1193 if (wps_build_version(msg) ||
1194 wps_build_msg_type(msg, WPS_WSC_NACK) ||
1195 wps_build_enrollee_nonce(wps, msg) ||
1196 wps_build_registrar_nonce(wps, msg) ||
1197 wps_build_config_error(msg, wps->config_error)) {
1206 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps, u8 *op_code)
1210 switch (wps->state) {
1212 if (wps_get_dev_password(wps) < 0)
1213 msg = wps_build_m2d(wps);
1215 msg = wps_build_m2(wps);
1219 msg = wps_build_m2d(wps);
1223 msg = wps_build_m4(wps);
1227 msg = wps_build_m6(wps);
1231 msg = wps_build_m8(wps);
1235 msg = wps_build_wsc_ack(wps);
1239 msg = wps_build_wsc_nack(wps);
1240 *op_code = WSC_NACK;
1243 wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building "
1244 "a message", wps->state);
1249 if (*op_code == WSC_MSG && msg) {
1250 /* Save a copy of the last message for Authenticator derivation
1252 wpabuf_free(wps->last_msg);
1253 wps->last_msg = wpabuf_dup(msg);
1260 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce)
1262 if (e_nonce == NULL) {
1263 wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received");
1267 os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN);
1268 wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce",
1269 wps->nonce_e, WPS_NONCE_LEN);
1275 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce)
1277 if (r_nonce == NULL) {
1278 wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received");
1282 if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) {
1283 wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received");
1291 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e)
1293 if (uuid_e == NULL) {
1294 wpa_printf(MSG_DEBUG, "WPS: No UUID-E received");
1298 os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN);
1299 wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN);
1305 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id)
1307 if (pw_id == NULL) {
1308 wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received");
1312 wps->dev_pw_id = WPA_GET_BE16(pw_id);
1313 wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id);
1319 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1)
1321 if (e_hash1 == NULL) {
1322 wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received");
1326 os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN);
1327 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
1333 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2)
1335 if (e_hash2 == NULL) {
1336 wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received");
1340 os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
1341 wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
1347 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1)
1349 u8 hash[SHA256_MAC_LEN];
1353 if (e_snonce1 == NULL) {
1354 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received");
1358 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1,
1359 WPS_SECRET_NONCE_LEN);
1361 /* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */
1362 addr[0] = e_snonce1;
1363 len[0] = WPS_SECRET_NONCE_LEN;
1364 addr[1] = wps->psk1;
1365 len[1] = WPS_PSK_LEN;
1366 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1367 len[2] = wpabuf_len(wps->dh_pubkey_e);
1368 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1369 len[3] = wpabuf_len(wps->dh_pubkey_r);
1370 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1372 if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) {
1373 wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does "
1374 "not match with the pre-committed value");
1375 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
1379 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first "
1380 "half of the device password");
1386 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
1388 u8 hash[SHA256_MAC_LEN];
1392 if (e_snonce2 == NULL) {
1393 wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received");
1397 wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2,
1398 WPS_SECRET_NONCE_LEN);
1400 /* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */
1401 addr[0] = e_snonce2;
1402 len[0] = WPS_SECRET_NONCE_LEN;
1403 addr[1] = wps->psk2;
1404 len[1] = WPS_PSK_LEN;
1405 addr[2] = wpabuf_head(wps->dh_pubkey_e);
1406 len[2] = wpabuf_len(wps->dh_pubkey_e);
1407 addr[3] = wpabuf_head(wps->dh_pubkey_r);
1408 len[3] = wpabuf_len(wps->dh_pubkey_r);
1409 hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
1411 if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) {
1412 wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does "
1413 "not match with the pre-committed value");
1414 wps_registrar_invalidate_pin(wps->registrar, wps->uuid_e);
1415 wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
1419 wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second "
1420 "half of the device password");
1421 wps->wps_pin_revealed = 0;
1422 wps_registrar_unlock_pin(wps->registrar, wps->uuid_e);
1428 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr)
1430 if (mac_addr == NULL) {
1431 wpa_printf(MSG_DEBUG, "WPS: No MAC Address received");
1435 wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR,
1437 os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN);
1438 os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN);
1444 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk,
1447 if (pk == NULL || pk_len == 0) {
1448 wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
1452 wpabuf_free(wps->dh_pubkey_e);
1453 wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
1454 if (wps->dh_pubkey_e == NULL)
1461 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth)
1466 wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags "
1471 auth_types = WPA_GET_BE16(auth);
1473 wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
1475 wps->auth_type = wps->wps->auth_types & auth_types;
1476 if (wps->auth_type == 0) {
1477 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1478 "authentication types (own 0x%x Enrollee 0x%x)",
1479 wps->wps->auth_types, auth_types);
1487 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr)
1492 wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags "
1497 encr_types = WPA_GET_BE16(encr);
1499 wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x",
1501 wps->encr_type = wps->wps->encr_types & encr_types;
1502 if (wps->encr_type == 0) {
1503 wpa_printf(MSG_DEBUG, "WPS: No match in supported "
1504 "encryption types");
1512 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn)
1515 wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags "
1520 wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x",
1527 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods)
1531 if (methods == NULL) {
1532 wpa_printf(MSG_DEBUG, "WPS: No Config Methods received");
1536 m = WPA_GET_BE16(methods);
1538 wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x", m);
1544 static int wps_process_wps_state(struct wps_data *wps, const u8 *state)
1546 if (state == NULL) {
1547 wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State "
1552 wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d",
1559 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc)
1563 if (assoc == NULL) {
1564 wpa_printf(MSG_DEBUG, "WPS: No Association State received");
1568 a = WPA_GET_BE16(assoc);
1569 wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a);
1575 static int wps_process_config_error(struct wps_data *wps, const u8 *err)
1580 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received");
1584 e = WPA_GET_BE16(err);
1585 wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e);
1591 static enum wps_process_res wps_process_m1(struct wps_data *wps,
1592 struct wps_parse_attr *attr)
1594 wpa_printf(MSG_DEBUG, "WPS: Received M1");
1596 if (wps->state != RECV_M1) {
1597 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1598 "receiving M1", wps->state);
1602 if (wps_process_uuid_e(wps, attr->uuid_e) ||
1603 wps_process_mac_addr(wps, attr->mac_addr) ||
1604 wps_process_enrollee_nonce(wps, attr->enrollee_nonce) ||
1605 wps_process_pubkey(wps, attr->public_key, attr->public_key_len) ||
1606 wps_process_auth_type_flags(wps, attr->auth_type_flags) ||
1607 wps_process_encr_type_flags(wps, attr->encr_type_flags) ||
1608 wps_process_conn_type_flags(wps, attr->conn_type_flags) ||
1609 wps_process_config_methods(wps, attr->config_methods) ||
1610 wps_process_wps_state(wps, attr->wps_state) ||
1611 wps_process_device_attrs(&wps->peer_dev, attr) ||
1612 wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) ||
1613 wps_process_assoc_state(wps, attr->assoc_state) ||
1614 wps_process_dev_password_id(wps, attr->dev_password_id) ||
1615 wps_process_config_error(wps, attr->config_error) ||
1616 wps_process_os_version(&wps->peer_dev, attr->os_version))
1619 if (wps->dev_pw_id != DEV_PW_DEFAULT &&
1620 wps->dev_pw_id != DEV_PW_USER_SPECIFIED &&
1621 wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED &&
1622 wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED &&
1623 (wps->dev_pw_id != DEV_PW_PUSHBUTTON || !wps->registrar->pbc)) {
1624 wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d",
1626 wps->state = SEND_M2D;
1627 return WPS_CONTINUE;
1630 if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) {
1631 if (wps_registrar_pbc_overlap(wps->registrar, wps->mac_addr_e,
1633 wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC "
1635 wps->state = SEND_M2D;
1636 return WPS_CONTINUE;
1638 wps_registrar_add_pbc_session(wps->registrar, wps->mac_addr_e,
1643 wps->state = SEND_M2;
1644 return WPS_CONTINUE;
1648 static enum wps_process_res wps_process_m3(struct wps_data *wps,
1649 const struct wpabuf *msg,
1650 struct wps_parse_attr *attr)
1652 wpa_printf(MSG_DEBUG, "WPS: Received M3");
1654 if (wps->state != RECV_M3) {
1655 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1656 "receiving M3", wps->state);
1657 wps->state = SEND_WSC_NACK;
1658 return WPS_CONTINUE;
1661 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1662 wps_process_authenticator(wps, attr->authenticator, msg) ||
1663 wps_process_e_hash1(wps, attr->e_hash1) ||
1664 wps_process_e_hash2(wps, attr->e_hash2)) {
1665 wps->state = SEND_WSC_NACK;
1666 return WPS_CONTINUE;
1669 wps->state = SEND_M4;
1670 return WPS_CONTINUE;
1674 static enum wps_process_res wps_process_m5(struct wps_data *wps,
1675 const struct wpabuf *msg,
1676 struct wps_parse_attr *attr)
1678 struct wpabuf *decrypted;
1679 struct wps_parse_attr eattr;
1681 wpa_printf(MSG_DEBUG, "WPS: Received M5");
1683 if (wps->state != RECV_M5) {
1684 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1685 "receiving M5", wps->state);
1686 wps->state = SEND_WSC_NACK;
1687 return WPS_CONTINUE;
1690 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1691 wps_process_authenticator(wps, attr->authenticator, msg)) {
1692 wps->state = SEND_WSC_NACK;
1693 return WPS_CONTINUE;
1696 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1697 attr->encr_settings_len);
1698 if (decrypted == NULL) {
1699 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1700 "Settings attribute");
1701 wps->state = SEND_WSC_NACK;
1702 return WPS_CONTINUE;
1705 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1707 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1708 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1709 wps_process_e_snonce1(wps, eattr.e_snonce1)) {
1710 wpabuf_free(decrypted);
1711 wps->state = SEND_WSC_NACK;
1712 return WPS_CONTINUE;
1714 wpabuf_free(decrypted);
1716 wps->state = SEND_M6;
1717 return WPS_CONTINUE;
1721 static int wps_process_ap_settings_r(struct wps_data *wps,
1722 struct wps_parse_attr *attr)
1727 /* AP Settings Attributes in M7 when Enrollee is an AP */
1728 if (wps_process_ap_settings(attr, &wps->cred) < 0)
1731 wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP");
1734 * TODO: Provide access to AP settings and allow changes before sending
1735 * out M8. For now, just copy the settings unchanged into M8.
1742 static enum wps_process_res wps_process_m7(struct wps_data *wps,
1743 const struct wpabuf *msg,
1744 struct wps_parse_attr *attr)
1746 struct wpabuf *decrypted;
1747 struct wps_parse_attr eattr;
1749 wpa_printf(MSG_DEBUG, "WPS: Received M7");
1751 if (wps->state != RECV_M7) {
1752 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1753 "receiving M7", wps->state);
1754 wps->state = SEND_WSC_NACK;
1755 return WPS_CONTINUE;
1758 if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
1759 wps_process_authenticator(wps, attr->authenticator, msg)) {
1760 wps->state = SEND_WSC_NACK;
1761 return WPS_CONTINUE;
1764 decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
1765 attr->encr_settings_len);
1766 if (decrypted == NULL) {
1767 wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
1768 "Settings attribute");
1769 wps->state = SEND_WSC_NACK;
1770 return WPS_CONTINUE;
1773 wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
1775 if (wps_parse_msg(decrypted, &eattr) < 0 ||
1776 wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
1777 wps_process_e_snonce2(wps, eattr.e_snonce2) ||
1778 wps_process_ap_settings_r(wps, &eattr)) {
1779 wpabuf_free(decrypted);
1780 wps->state = SEND_WSC_NACK;
1781 return WPS_CONTINUE;
1784 wpabuf_free(decrypted);
1786 wps->state = SEND_M8;
1787 return WPS_CONTINUE;
1791 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps,
1792 const struct wpabuf *msg)
1794 struct wps_parse_attr attr;
1795 enum wps_process_res ret = WPS_CONTINUE;
1797 wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG");
1799 if (wps_parse_msg(msg, &attr) < 0)
1802 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1803 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1804 attr.version ? *attr.version : 0);
1808 if (attr.msg_type == NULL) {
1809 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1813 if (*attr.msg_type != WPS_M1 &&
1814 (attr.registrar_nonce == NULL ||
1815 os_memcmp(wps->nonce_r, attr.registrar_nonce,
1816 WPS_NONCE_LEN != 0))) {
1817 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1821 switch (*attr.msg_type) {
1823 ret = wps_process_m1(wps, &attr);
1826 ret = wps_process_m3(wps, msg, &attr);
1829 ret = wps_process_m5(wps, msg, &attr);
1832 ret = wps_process_m7(wps, msg, &attr);
1835 wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d",
1840 if (ret == WPS_CONTINUE) {
1841 /* Save a copy of the last message for Authenticator derivation
1843 wpabuf_free(wps->last_msg);
1844 wps->last_msg = wpabuf_dup(msg);
1851 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps,
1852 const struct wpabuf *msg)
1854 struct wps_parse_attr attr;
1856 wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK");
1858 if (wps_parse_msg(msg, &attr) < 0)
1861 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1862 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1863 attr.version ? *attr.version : 0);
1867 if (attr.msg_type == NULL) {
1868 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1872 if (*attr.msg_type != WPS_WSC_ACK) {
1873 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1878 if (attr.registrar_nonce == NULL ||
1879 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1881 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1885 if (attr.enrollee_nonce == NULL ||
1886 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1887 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1891 if (wps->state == RECV_M2D_ACK) {
1892 /* TODO: support for multiple registrars and sending of
1893 * multiple M2/M2D messages */
1895 wpa_printf(MSG_DEBUG, "WPS: No more registrars available - "
1896 "terminate negotiation");
1903 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps,
1904 const struct wpabuf *msg)
1906 struct wps_parse_attr attr;
1908 wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK");
1910 wps->state = SEND_WSC_NACK;
1912 if (wps_parse_msg(msg, &attr) < 0)
1915 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1916 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1917 attr.version ? *attr.version : 0);
1921 if (attr.msg_type == NULL) {
1922 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1926 if (*attr.msg_type != WPS_WSC_NACK) {
1927 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1932 if (attr.registrar_nonce == NULL ||
1933 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1935 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1939 if (attr.enrollee_nonce == NULL ||
1940 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
1941 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
1945 if (attr.config_error == NULL) {
1946 wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute "
1951 wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with "
1952 "Configuration Error %d", WPA_GET_BE16(attr.config_error));
1958 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps,
1959 const struct wpabuf *msg)
1961 struct wps_parse_attr attr;
1963 wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done");
1965 if (wps->state != RECV_DONE) {
1966 wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
1967 "receiving WSC_Done", wps->state);
1971 if (wps_parse_msg(msg, &attr) < 0)
1974 if (attr.version == NULL || *attr.version != WPS_VERSION) {
1975 wpa_printf(MSG_DEBUG, "WPS: Unsupported message version 0x%x",
1976 attr.version ? *attr.version : 0);
1980 if (attr.msg_type == NULL) {
1981 wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
1985 if (*attr.msg_type != WPS_WSC_DONE) {
1986 wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
1991 if (attr.registrar_nonce == NULL ||
1992 os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN != 0))
1994 wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
1998 if (attr.enrollee_nonce == NULL ||
1999 os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN != 0)) {
2000 wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
2004 wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully");
2006 if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk &&
2008 struct wps_credential cred;
2010 wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based "
2011 "on first Enrollee connection");
2013 os_memset(&cred, 0, sizeof(cred));
2014 os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
2015 cred.ssid_len = wps->wps->ssid_len;
2016 cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK;
2017 cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES;
2018 os_memcpy(cred.key, wps->new_psk, wps->new_psk_len);
2019 cred.key_len = wps->new_psk_len;
2021 wps->wps->wps_state = WPS_STATE_CONFIGURED;
2022 wpa_hexdump_ascii_key(MSG_DEBUG,
2023 "WPS: Generated random passphrase",
2024 wps->new_psk, wps->new_psk_len);
2025 if (wps->wps->cred_cb)
2026 wps->wps->cred_cb(wps->wps->cb_ctx, &cred);
2028 os_free(wps->new_psk);
2029 wps->new_psk = NULL;
2032 if (!wps->wps->ap) {
2033 wpa_printf(MSG_DEBUG, "WPS: Update local configuration based "
2034 "on the modified AP configuration");
2035 if (wps->wps->cred_cb)
2036 wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred);
2040 if (wps_cb_new_psk(wps->registrar, wps->mac_addr_e,
2041 wps->new_psk, wps->new_psk_len)) {
2042 wpa_printf(MSG_DEBUG, "WPS: Failed to configure the "
2045 os_free(wps->new_psk);
2046 wps->new_psk = NULL;
2050 wps_registrar_remove_pbc_session(wps->registrar,
2051 wps->mac_addr_e, wps->uuid_e);
2052 wps_registrar_pbc_completed(wps->registrar);
2059 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps,
2061 const struct wpabuf *msg)
2064 wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu "
2066 (unsigned long) wpabuf_len(msg), op_code);
2070 return wps_process_wsc_msg(wps, msg);
2072 return wps_process_wsc_ack(wps, msg);
2074 return wps_process_wsc_nack(wps, msg);
2076 return wps_process_wsc_done(wps, msg);
2078 wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code);