1 /* 2 * Wi-Fi Protected Setup 3 * Copyright (c) 2007-2009, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/dh_group5.h" 13 #include "common/ieee802_11_defs.h" 14 #include "wps_i.h" 15 #include "wps_dev_attr.h" 16 17 18 #ifdef CONFIG_WPS_TESTING 19 int wps_version_number = 0x20; 20 int wps_testing_dummy_cred = 0; 21 #endif /* CONFIG_WPS_TESTING */ 22 23 24 /** 25 * wps_init - Initialize WPS Registration protocol data 26 * @cfg: WPS configuration 27 * Returns: Pointer to allocated data or %NULL on failure 28 * 29 * This function is used to initialize WPS data for a registration protocol 30 * instance (i.e., each run of registration protocol as a Registrar of 31 * Enrollee. The caller is responsible for freeing this data after the 32 * registration run has been completed by calling wps_deinit(). 33 */ 34 struct wps_data * wps_init(const struct wps_config *cfg) 35 { 36 struct wps_data *data = os_zalloc(sizeof(*data)); 37 if (data == NULL) 38 return NULL; 39 data->wps = cfg->wps; 40 data->registrar = cfg->registrar; 41 if (cfg->registrar) { 42 os_memcpy(data->uuid_r, cfg->wps->uuid, WPS_UUID_LEN); 43 } else { 44 os_memcpy(data->mac_addr_e, cfg->wps->dev.mac_addr, ETH_ALEN); 45 os_memcpy(data->uuid_e, cfg->wps->uuid, WPS_UUID_LEN); 46 } 47 if (cfg->pin) { 48 data->dev_pw_id = data->wps->oob_dev_pw_id == 0 ? 49 cfg->dev_pw_id : data->wps->oob_dev_pw_id; 50 data->dev_password = os_malloc(cfg->pin_len); 51 if (data->dev_password == NULL) { 52 os_free(data); 53 return NULL; 54 } 55 os_memcpy(data->dev_password, cfg->pin, cfg->pin_len); 56 data->dev_password_len = cfg->pin_len; 57 } 58 59 data->pbc = cfg->pbc; 60 if (cfg->pbc) { 61 /* Use special PIN '00000000' for PBC */ 62 data->dev_pw_id = DEV_PW_PUSHBUTTON; 63 os_free(data->dev_password); 64 data->dev_password = (u8 *) os_strdup("00000000"); 65 if (data->dev_password == NULL) { 66 os_free(data); 67 return NULL; 68 } 69 data->dev_password_len = 8; 70 } 71 72 data->state = data->registrar ? RECV_M1 : SEND_M1; 73 74 if (cfg->assoc_wps_ie) { 75 struct wps_parse_attr attr; 76 wpa_hexdump_buf(MSG_DEBUG, "WPS: WPS IE from (Re)AssocReq", 77 cfg->assoc_wps_ie); 78 if (wps_parse_msg(cfg->assoc_wps_ie, &attr) < 0) { 79 wpa_printf(MSG_DEBUG, "WPS: Failed to parse WPS IE " 80 "from (Re)AssocReq"); 81 } else if (attr.request_type == NULL) { 82 wpa_printf(MSG_DEBUG, "WPS: No Request Type attribute " 83 "in (Re)AssocReq WPS IE"); 84 } else { 85 wpa_printf(MSG_DEBUG, "WPS: Request Type (from WPS IE " 86 "in (Re)AssocReq WPS IE): %d", 87 *attr.request_type); 88 data->request_type = *attr.request_type; 89 } 90 } 91 92 if (cfg->new_ap_settings) { 93 data->new_ap_settings = 94 os_malloc(sizeof(*data->new_ap_settings)); 95 if (data->new_ap_settings == NULL) { 96 os_free(data); 97 return NULL; 98 } 99 os_memcpy(data->new_ap_settings, cfg->new_ap_settings, 100 sizeof(*data->new_ap_settings)); 101 } 102 103 if (cfg->peer_addr) 104 os_memcpy(data->peer_dev.mac_addr, cfg->peer_addr, ETH_ALEN); 105 if (cfg->p2p_dev_addr) 106 os_memcpy(data->p2p_dev_addr, cfg->p2p_dev_addr, ETH_ALEN); 107 108 data->use_psk_key = cfg->use_psk_key; 109 data->pbc_in_m1 = cfg->pbc_in_m1; 110 111 return data; 112 } 113 114 115 /** 116 * wps_deinit - Deinitialize WPS Registration protocol data 117 * @data: WPS Registration protocol data from wps_init() 118 */ 119 void wps_deinit(struct wps_data *data) 120 { 121 if (data->wps_pin_revealed) { 122 wpa_printf(MSG_DEBUG, "WPS: Full PIN information revealed and " 123 "negotiation failed"); 124 if (data->registrar) 125 wps_registrar_invalidate_pin(data->wps->registrar, 126 data->uuid_e); 127 } else if (data->registrar) 128 wps_registrar_unlock_pin(data->wps->registrar, data->uuid_e); 129 130 wpabuf_free(data->dh_privkey); 131 wpabuf_free(data->dh_pubkey_e); 132 wpabuf_free(data->dh_pubkey_r); 133 wpabuf_free(data->last_msg); 134 os_free(data->dev_password); 135 os_free(data->new_psk); 136 wps_device_data_free(&data->peer_dev); 137 os_free(data->new_ap_settings); 138 dh5_free(data->dh_ctx); 139 os_free(data); 140 } 141 142 143 /** 144 * wps_process_msg - Process a WPS message 145 * @wps: WPS Registration protocol data from wps_init() 146 * @op_code: Message OP Code 147 * @msg: Message data 148 * Returns: Processing result 149 * 150 * This function is used to process WPS messages with OP Codes WSC_ACK, 151 * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is 152 * responsible for reassembling the messages before calling this function. 153 * Response to this message is built by calling wps_get_msg(). 154 */ 155 enum wps_process_res wps_process_msg(struct wps_data *wps, 156 enum wsc_op_code op_code, 157 const struct wpabuf *msg) 158 { 159 if (wps->registrar) 160 return wps_registrar_process_msg(wps, op_code, msg); 161 else 162 return wps_enrollee_process_msg(wps, op_code, msg); 163 } 164 165 166 /** 167 * wps_get_msg - Build a WPS message 168 * @wps: WPS Registration protocol data from wps_init() 169 * @op_code: Buffer for returning message OP Code 170 * Returns: The generated WPS message or %NULL on failure 171 * 172 * This function is used to build a response to a message processed by calling 173 * wps_process_msg(). The caller is responsible for freeing the buffer. 174 */ 175 struct wpabuf * wps_get_msg(struct wps_data *wps, enum wsc_op_code *op_code) 176 { 177 if (wps->registrar) 178 return wps_registrar_get_msg(wps, op_code); 179 else 180 return wps_enrollee_get_msg(wps, op_code); 181 } 182 183 184 /** 185 * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC 186 * @msg: WPS IE contents from Beacon or Probe Response frame 187 * Returns: 1 if PBC Registrar is active, 0 if not 188 */ 189 int wps_is_selected_pbc_registrar(const struct wpabuf *msg) 190 { 191 struct wps_parse_attr attr; 192 193 /* 194 * In theory, this could also verify that attr.sel_reg_config_methods 195 * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations 196 * do not set Selected Registrar Config Methods attribute properly, so 197 * it is safer to just use Device Password ID here. 198 */ 199 200 if (wps_parse_msg(msg, &attr) < 0 || 201 !attr.selected_registrar || *attr.selected_registrar == 0 || 202 !attr.dev_password_id || 203 WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON) 204 return 0; 205 206 #ifdef CONFIG_WPS_STRICT 207 if (!attr.sel_reg_config_methods || 208 !(WPA_GET_BE16(attr.sel_reg_config_methods) & 209 WPS_CONFIG_PUSHBUTTON)) 210 return 0; 211 #endif /* CONFIG_WPS_STRICT */ 212 213 return 1; 214 } 215 216 217 static int is_selected_pin_registrar(struct wps_parse_attr *attr) 218 { 219 /* 220 * In theory, this could also verify that attr.sel_reg_config_methods 221 * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD, 222 * but some deployed AP implementations do not set Selected Registrar 223 * Config Methods attribute properly, so it is safer to just use 224 * Device Password ID here. 225 */ 226 227 if (!attr->selected_registrar || *attr->selected_registrar == 0) 228 return 0; 229 230 if (attr->dev_password_id != NULL && 231 WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON) 232 return 0; 233 234 #ifdef CONFIG_WPS_STRICT 235 if (!attr->sel_reg_config_methods || 236 !(WPA_GET_BE16(attr->sel_reg_config_methods) & 237 (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD))) 238 return 0; 239 #endif /* CONFIG_WPS_STRICT */ 240 241 return 1; 242 } 243 244 245 /** 246 * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN 247 * @msg: WPS IE contents from Beacon or Probe Response frame 248 * Returns: 1 if PIN Registrar is active, 0 if not 249 */ 250 int wps_is_selected_pin_registrar(const struct wpabuf *msg) 251 { 252 struct wps_parse_attr attr; 253 254 if (wps_parse_msg(msg, &attr) < 0) 255 return 0; 256 257 return is_selected_pin_registrar(&attr); 258 } 259 260 261 /** 262 * wps_is_addr_authorized - Check whether WPS IE authorizes MAC address 263 * @msg: WPS IE contents from Beacon or Probe Response frame 264 * @addr: MAC address to search for 265 * @ver1_compat: Whether to use version 1 compatibility mode 266 * Returns: 1 if address is authorized, 0 if not 267 */ 268 int wps_is_addr_authorized(const struct wpabuf *msg, const u8 *addr, 269 int ver1_compat) 270 { 271 struct wps_parse_attr attr; 272 unsigned int i; 273 const u8 *pos; 274 const u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 275 276 if (wps_parse_msg(msg, &attr) < 0) 277 return 0; 278 279 if (!attr.version2 && ver1_compat) { 280 /* 281 * Version 1.0 AP - AuthorizedMACs not used, so revert back to 282 * old mechanism of using SelectedRegistrar. 283 */ 284 return is_selected_pin_registrar(&attr); 285 } 286 287 if (!attr.authorized_macs) 288 return 0; 289 290 pos = attr.authorized_macs; 291 for (i = 0; i < attr.authorized_macs_len / ETH_ALEN; i++) { 292 if (os_memcmp(pos, addr, ETH_ALEN) == 0 || 293 os_memcmp(pos, bcast, ETH_ALEN) == 0) 294 return 1; 295 pos += ETH_ALEN; 296 } 297 298 return 0; 299 } 300 301 302 /** 303 * wps_ap_priority_compar - Prioritize WPS IE from two APs 304 * @wps_a: WPS IE contents from Beacon or Probe Response frame 305 * @wps_b: WPS IE contents from Beacon or Probe Response frame 306 * Returns: 1 if wps_b is considered more likely selection for WPS 307 * provisioning, -1 if wps_a is considered more like, or 0 if no preference 308 */ 309 int wps_ap_priority_compar(const struct wpabuf *wps_a, 310 const struct wpabuf *wps_b) 311 { 312 struct wps_parse_attr attr_a, attr_b; 313 int sel_a, sel_b; 314 315 if (wps_a == NULL || wps_parse_msg(wps_a, &attr_a) < 0) 316 return 1; 317 if (wps_b == NULL || wps_parse_msg(wps_b, &attr_b) < 0) 318 return -1; 319 320 sel_a = attr_a.selected_registrar && *attr_a.selected_registrar != 0; 321 sel_b = attr_b.selected_registrar && *attr_b.selected_registrar != 0; 322 323 if (sel_a && !sel_b) 324 return -1; 325 if (!sel_a && sel_b) 326 return 1; 327 328 return 0; 329 } 330 331 332 /** 333 * wps_get_uuid_e - Get UUID-E from WPS IE 334 * @msg: WPS IE contents from Beacon or Probe Response frame 335 * Returns: Pointer to UUID-E or %NULL if not included 336 * 337 * The returned pointer is to the msg contents and it remains valid only as 338 * long as the msg buffer is valid. 339 */ 340 const u8 * wps_get_uuid_e(const struct wpabuf *msg) 341 { 342 struct wps_parse_attr attr; 343 344 if (wps_parse_msg(msg, &attr) < 0) 345 return NULL; 346 return attr.uuid_e; 347 } 348 349 350 /** 351 * wps_is_20 - Check whether WPS attributes claim support for WPS 2.0 352 */ 353 int wps_is_20(const struct wpabuf *msg) 354 { 355 struct wps_parse_attr attr; 356 357 if (msg == NULL || wps_parse_msg(msg, &attr) < 0) 358 return 0; 359 return attr.version2 != NULL; 360 } 361 362 363 /** 364 * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request 365 * @req_type: Value for Request Type attribute 366 * Returns: WPS IE or %NULL on failure 367 * 368 * The caller is responsible for freeing the buffer. 369 */ 370 struct wpabuf * wps_build_assoc_req_ie(enum wps_request_type req_type) 371 { 372 struct wpabuf *ie; 373 u8 *len; 374 375 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association " 376 "Request"); 377 ie = wpabuf_alloc(100); 378 if (ie == NULL) 379 return NULL; 380 381 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC); 382 len = wpabuf_put(ie, 1); 383 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA); 384 385 if (wps_build_version(ie) || 386 wps_build_req_type(ie, req_type) || 387 wps_build_wfa_ext(ie, 0, NULL, 0)) { 388 wpabuf_free(ie); 389 return NULL; 390 } 391 392 *len = wpabuf_len(ie) - 2; 393 394 return ie; 395 } 396 397 398 /** 399 * wps_build_assoc_resp_ie - Build WPS IE for (Re)Association Response 400 * Returns: WPS IE or %NULL on failure 401 * 402 * The caller is responsible for freeing the buffer. 403 */ 404 struct wpabuf * wps_build_assoc_resp_ie(void) 405 { 406 struct wpabuf *ie; 407 u8 *len; 408 409 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association " 410 "Response"); 411 ie = wpabuf_alloc(100); 412 if (ie == NULL) 413 return NULL; 414 415 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC); 416 len = wpabuf_put(ie, 1); 417 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA); 418 419 if (wps_build_version(ie) || 420 wps_build_resp_type(ie, WPS_RESP_AP) || 421 wps_build_wfa_ext(ie, 0, NULL, 0)) { 422 wpabuf_free(ie); 423 return NULL; 424 } 425 426 *len = wpabuf_len(ie) - 2; 427 428 return ie; 429 } 430 431 432 /** 433 * wps_build_probe_req_ie - Build WPS IE for Probe Request 434 * @pbc: Whether searching for PBC mode APs 435 * @dev: Device attributes 436 * @uuid: Own UUID 437 * @req_type: Value for Request Type attribute 438 * @num_req_dev_types: Number of requested device types 439 * @req_dev_types: Requested device types (8 * num_req_dev_types octets) or 440 * %NULL if none 441 * Returns: WPS IE or %NULL on failure 442 * 443 * The caller is responsible for freeing the buffer. 444 */ 445 struct wpabuf * wps_build_probe_req_ie(int pbc, struct wps_device_data *dev, 446 const u8 *uuid, 447 enum wps_request_type req_type, 448 unsigned int num_req_dev_types, 449 const u8 *req_dev_types) 450 { 451 struct wpabuf *ie; 452 453 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request"); 454 455 ie = wpabuf_alloc(500); 456 if (ie == NULL) 457 return NULL; 458 459 if (wps_build_version(ie) || 460 wps_build_req_type(ie, req_type) || 461 wps_build_config_methods(ie, dev->config_methods) || 462 wps_build_uuid_e(ie, uuid) || 463 wps_build_primary_dev_type(dev, ie) || 464 wps_build_rf_bands(dev, ie) || 465 wps_build_assoc_state(NULL, ie) || 466 wps_build_config_error(ie, WPS_CFG_NO_ERROR) || 467 wps_build_dev_password_id(ie, pbc ? DEV_PW_PUSHBUTTON : 468 DEV_PW_DEFAULT) || 469 #ifdef CONFIG_WPS2 470 wps_build_manufacturer(dev, ie) || 471 wps_build_model_name(dev, ie) || 472 wps_build_model_number(dev, ie) || 473 wps_build_dev_name(dev, ie) || 474 wps_build_wfa_ext(ie, req_type == WPS_REQ_ENROLLEE, NULL, 0) || 475 #endif /* CONFIG_WPS2 */ 476 wps_build_req_dev_type(dev, ie, num_req_dev_types, req_dev_types) 477 || 478 wps_build_secondary_dev_type(dev, ie) 479 ) { 480 wpabuf_free(ie); 481 return NULL; 482 } 483 484 #ifndef CONFIG_WPS2 485 if (dev->p2p && wps_build_dev_name(dev, ie)) { 486 wpabuf_free(ie); 487 return NULL; 488 } 489 #endif /* CONFIG_WPS2 */ 490 491 return wps_ie_encapsulate(ie); 492 } 493 494 495 void wps_free_pending_msgs(struct upnp_pending_message *msgs) 496 { 497 struct upnp_pending_message *p, *prev; 498 p = msgs; 499 while (p) { 500 prev = p; 501 p = p->next; 502 wpabuf_free(prev->msg); 503 os_free(prev); 504 } 505 } 506 507 508 int wps_attr_text(struct wpabuf *data, char *buf, char *end) 509 { 510 struct wps_parse_attr attr; 511 char *pos = buf; 512 int ret; 513 514 if (wps_parse_msg(data, &attr) < 0) 515 return -1; 516 517 if (attr.wps_state) { 518 if (*attr.wps_state == WPS_STATE_NOT_CONFIGURED) 519 ret = os_snprintf(pos, end - pos, 520 "wps_state=unconfigured\n"); 521 else if (*attr.wps_state == WPS_STATE_CONFIGURED) 522 ret = os_snprintf(pos, end - pos, 523 "wps_state=configured\n"); 524 else 525 ret = 0; 526 if (ret < 0 || ret >= end - pos) 527 return pos - buf; 528 pos += ret; 529 } 530 531 if (attr.ap_setup_locked && *attr.ap_setup_locked) { 532 ret = os_snprintf(pos, end - pos, 533 "wps_ap_setup_locked=1\n"); 534 if (ret < 0 || ret >= end - pos) 535 return pos - buf; 536 pos += ret; 537 } 538 539 if (attr.selected_registrar && *attr.selected_registrar) { 540 ret = os_snprintf(pos, end - pos, 541 "wps_selected_registrar=1\n"); 542 if (ret < 0 || ret >= end - pos) 543 return pos - buf; 544 pos += ret; 545 } 546 547 if (attr.dev_password_id) { 548 ret = os_snprintf(pos, end - pos, 549 "wps_device_password_id=%u\n", 550 WPA_GET_BE16(attr.dev_password_id)); 551 if (ret < 0 || ret >= end - pos) 552 return pos - buf; 553 pos += ret; 554 } 555 556 if (attr.sel_reg_config_methods) { 557 ret = os_snprintf(pos, end - pos, 558 "wps_selected_registrar_config_methods=" 559 "0x%04x\n", 560 WPA_GET_BE16(attr.sel_reg_config_methods)); 561 if (ret < 0 || ret >= end - pos) 562 return pos - buf; 563 pos += ret; 564 } 565 566 if (attr.primary_dev_type) { 567 char devtype[WPS_DEV_TYPE_BUFSIZE]; 568 ret = os_snprintf(pos, end - pos, 569 "wps_primary_device_type=%s\n", 570 wps_dev_type_bin2str(attr.primary_dev_type, 571 devtype, 572 sizeof(devtype))); 573 if (ret < 0 || ret >= end - pos) 574 return pos - buf; 575 pos += ret; 576 } 577 578 if (attr.dev_name) { 579 char *str = os_malloc(attr.dev_name_len + 1); 580 size_t i; 581 if (str == NULL) 582 return pos - buf; 583 for (i = 0; i < attr.dev_name_len; i++) { 584 if (attr.dev_name[i] < 32) 585 str[i] = '_'; 586 else 587 str[i] = attr.dev_name[i]; 588 } 589 str[i] = '\0'; 590 ret = os_snprintf(pos, end - pos, "wps_device_name=%s\n", str); 591 os_free(str); 592 if (ret < 0 || ret >= end - pos) 593 return pos - buf; 594 pos += ret; 595 } 596 597 if (attr.config_methods) { 598 ret = os_snprintf(pos, end - pos, 599 "wps_config_methods=0x%04x\n", 600 WPA_GET_BE16(attr.config_methods)); 601 if (ret < 0 || ret >= end - pos) 602 return pos - buf; 603 pos += ret; 604 } 605 606 return pos - buf; 607 } 608
