Home | History | Annotate | Download | only in wps
      1 /*
      2  * Wi-Fi Protected Setup - Registrar
      3  * Copyright (c) 2008-2013, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "utils/base64.h"
     13 #include "utils/eloop.h"
     14 #include "utils/uuid.h"
     15 #include "utils/list.h"
     16 #include "crypto/crypto.h"
     17 #include "crypto/sha256.h"
     18 #include "crypto/random.h"
     19 #include "common/ieee802_11_defs.h"
     20 #include "wps_i.h"
     21 #include "wps_dev_attr.h"
     22 #include "wps_upnp.h"
     23 #include "wps_upnp_i.h"
     24 
     25 #ifndef CONFIG_WPS_STRICT
     26 #define WPS_WORKAROUNDS
     27 #endif /* CONFIG_WPS_STRICT */
     28 
     29 #ifdef CONFIG_WPS_NFC
     30 
     31 struct wps_nfc_pw_token {
     32 	struct dl_list list;
     33 	u8 pubkey_hash[WPS_OOB_PUBKEY_HASH_LEN];
     34 	u16 pw_id;
     35 	u8 dev_pw[WPS_OOB_DEVICE_PASSWORD_LEN * 2 + 1];
     36 	size_t dev_pw_len;
     37 };
     38 
     39 
     40 static void wps_remove_nfc_pw_token(struct wps_nfc_pw_token *token)
     41 {
     42 	dl_list_del(&token->list);
     43 	os_free(token);
     44 }
     45 
     46 
     47 static void wps_free_nfc_pw_tokens(struct dl_list *tokens, u16 pw_id)
     48 {
     49 	struct wps_nfc_pw_token *token, *prev;
     50 	dl_list_for_each_safe(token, prev, tokens, struct wps_nfc_pw_token,
     51 			      list) {
     52 		if (pw_id == 0 || pw_id == token->pw_id)
     53 			wps_remove_nfc_pw_token(token);
     54 	}
     55 }
     56 
     57 
     58 static struct wps_nfc_pw_token * wps_get_nfc_pw_token(struct dl_list *tokens,
     59 						      u16 pw_id)
     60 {
     61 	struct wps_nfc_pw_token *token;
     62 	dl_list_for_each(token, tokens, struct wps_nfc_pw_token, list) {
     63 		if (pw_id == token->pw_id)
     64 			return token;
     65 	}
     66 	return NULL;
     67 }
     68 
     69 #else /* CONFIG_WPS_NFC */
     70 
     71 #define wps_free_nfc_pw_tokens(t, p) do { } while (0)
     72 
     73 #endif /* CONFIG_WPS_NFC */
     74 
     75 
     76 struct wps_uuid_pin {
     77 	struct dl_list list;
     78 	u8 uuid[WPS_UUID_LEN];
     79 	int wildcard_uuid;
     80 	u8 *pin;
     81 	size_t pin_len;
     82 #define PIN_LOCKED BIT(0)
     83 #define PIN_EXPIRES BIT(1)
     84 	int flags;
     85 	struct os_time expiration;
     86 	u8 enrollee_addr[ETH_ALEN];
     87 };
     88 
     89 
     90 static void wps_free_pin(struct wps_uuid_pin *pin)
     91 {
     92 	os_free(pin->pin);
     93 	os_free(pin);
     94 }
     95 
     96 
     97 static void wps_remove_pin(struct wps_uuid_pin *pin)
     98 {
     99 	dl_list_del(&pin->list);
    100 	wps_free_pin(pin);
    101 }
    102 
    103 
    104 static void wps_free_pins(struct dl_list *pins)
    105 {
    106 	struct wps_uuid_pin *pin, *prev;
    107 	dl_list_for_each_safe(pin, prev, pins, struct wps_uuid_pin, list)
    108 		wps_remove_pin(pin);
    109 }
    110 
    111 
    112 struct wps_pbc_session {
    113 	struct wps_pbc_session *next;
    114 	u8 addr[ETH_ALEN];
    115 	u8 uuid_e[WPS_UUID_LEN];
    116 	struct os_time timestamp;
    117 };
    118 
    119 
    120 static void wps_free_pbc_sessions(struct wps_pbc_session *pbc)
    121 {
    122 	struct wps_pbc_session *prev;
    123 
    124 	while (pbc) {
    125 		prev = pbc;
    126 		pbc = pbc->next;
    127 		os_free(prev);
    128 	}
    129 }
    130 
    131 
    132 struct wps_registrar_device {
    133 	struct wps_registrar_device *next;
    134 	struct wps_device_data dev;
    135 	u8 uuid[WPS_UUID_LEN];
    136 };
    137 
    138 
    139 struct wps_registrar {
    140 	struct wps_context *wps;
    141 
    142 	int pbc;
    143 	int selected_registrar;
    144 
    145 	int (*new_psk_cb)(void *ctx, const u8 *mac_addr, const u8 *p2p_dev_addr,
    146 			  const u8 *psk, size_t psk_len);
    147 	int (*set_ie_cb)(void *ctx, struct wpabuf *beacon_ie,
    148 			 struct wpabuf *probe_resp_ie);
    149 	void (*pin_needed_cb)(void *ctx, const u8 *uuid_e,
    150 			      const struct wps_device_data *dev);
    151 	void (*reg_success_cb)(void *ctx, const u8 *mac_addr,
    152 			       const u8 *uuid_e, const u8 *dev_pw,
    153 			       size_t dev_pw_len);
    154 	void (*set_sel_reg_cb)(void *ctx, int sel_reg, u16 dev_passwd_id,
    155 			       u16 sel_reg_config_methods);
    156 	void (*enrollee_seen_cb)(void *ctx, const u8 *addr, const u8 *uuid_e,
    157 				 const u8 *pri_dev_type, u16 config_methods,
    158 				 u16 dev_password_id, u8 request_type,
    159 				 const char *dev_name);
    160 	void *cb_ctx;
    161 
    162 	struct dl_list pins;
    163 	struct dl_list nfc_pw_tokens;
    164 	struct wps_pbc_session *pbc_sessions;
    165 
    166 	int skip_cred_build;
    167 	struct wpabuf *extra_cred;
    168 	int disable_auto_conf;
    169 	int sel_reg_union;
    170 	int sel_reg_dev_password_id_override;
    171 	int sel_reg_config_methods_override;
    172 	int static_wep_only;
    173 	int dualband;
    174 	int force_per_enrollee_psk;
    175 
    176 	struct wps_registrar_device *devices;
    177 
    178 	int force_pbc_overlap;
    179 
    180 	u8 authorized_macs[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN];
    181 	u8 authorized_macs_union[WPS_MAX_AUTHORIZED_MACS][ETH_ALEN];
    182 
    183 	u8 p2p_dev_addr[ETH_ALEN];
    184 
    185 	u8 pbc_ignore_uuid[WPS_UUID_LEN];
    186 	struct os_time pbc_ignore_start;
    187 };
    188 
    189 
    190 static int wps_set_ie(struct wps_registrar *reg);
    191 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx);
    192 static void wps_registrar_set_selected_timeout(void *eloop_ctx,
    193 					       void *timeout_ctx);
    194 static void wps_registrar_remove_pin(struct wps_registrar *reg,
    195 				     struct wps_uuid_pin *pin);
    196 
    197 
    198 static void wps_registrar_add_authorized_mac(struct wps_registrar *reg,
    199 					     const u8 *addr)
    200 {
    201 	int i;
    202 	wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC " MACSTR,
    203 		   MAC2STR(addr));
    204 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++)
    205 		if (os_memcmp(reg->authorized_macs[i], addr, ETH_ALEN) == 0) {
    206 			wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was "
    207 				   "already in the list");
    208 			return; /* already in list */
    209 		}
    210 	for (i = WPS_MAX_AUTHORIZED_MACS - 1; i > 0; i--)
    211 		os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i - 1],
    212 			  ETH_ALEN);
    213 	os_memcpy(reg->authorized_macs[0], addr, ETH_ALEN);
    214 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs",
    215 		    (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs));
    216 }
    217 
    218 
    219 static void wps_registrar_remove_authorized_mac(struct wps_registrar *reg,
    220 						const u8 *addr)
    221 {
    222 	int i;
    223 	wpa_printf(MSG_DEBUG, "WPS: Remove authorized MAC " MACSTR,
    224 		   MAC2STR(addr));
    225 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) {
    226 		if (os_memcmp(reg->authorized_macs, addr, ETH_ALEN) == 0)
    227 			break;
    228 	}
    229 	if (i == WPS_MAX_AUTHORIZED_MACS) {
    230 		wpa_printf(MSG_DEBUG, "WPS: Authorized MAC was not in the "
    231 			   "list");
    232 		return; /* not in the list */
    233 	}
    234 	for (; i + 1 < WPS_MAX_AUTHORIZED_MACS; i++)
    235 		os_memcpy(reg->authorized_macs[i], reg->authorized_macs[i + 1],
    236 			  ETH_ALEN);
    237 	os_memset(reg->authorized_macs[WPS_MAX_AUTHORIZED_MACS - 1], 0,
    238 		  ETH_ALEN);
    239 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs",
    240 		    (u8 *) reg->authorized_macs, sizeof(reg->authorized_macs));
    241 }
    242 
    243 
    244 static void wps_free_devices(struct wps_registrar_device *dev)
    245 {
    246 	struct wps_registrar_device *prev;
    247 
    248 	while (dev) {
    249 		prev = dev;
    250 		dev = dev->next;
    251 		wps_device_data_free(&prev->dev);
    252 		os_free(prev);
    253 	}
    254 }
    255 
    256 
    257 static struct wps_registrar_device * wps_device_get(struct wps_registrar *reg,
    258 						    const u8 *addr)
    259 {
    260 	struct wps_registrar_device *dev;
    261 
    262 	for (dev = reg->devices; dev; dev = dev->next) {
    263 		if (os_memcmp(dev->dev.mac_addr, addr, ETH_ALEN) == 0)
    264 			return dev;
    265 	}
    266 	return NULL;
    267 }
    268 
    269 
    270 static void wps_device_clone_data(struct wps_device_data *dst,
    271 				  struct wps_device_data *src)
    272 {
    273 	os_memcpy(dst->mac_addr, src->mac_addr, ETH_ALEN);
    274 	os_memcpy(dst->pri_dev_type, src->pri_dev_type, WPS_DEV_TYPE_LEN);
    275 
    276 #define WPS_STRDUP(n) \
    277 	os_free(dst->n); \
    278 	dst->n = src->n ? os_strdup(src->n) : NULL
    279 
    280 	WPS_STRDUP(device_name);
    281 	WPS_STRDUP(manufacturer);
    282 	WPS_STRDUP(model_name);
    283 	WPS_STRDUP(model_number);
    284 	WPS_STRDUP(serial_number);
    285 #undef WPS_STRDUP
    286 }
    287 
    288 
    289 int wps_device_store(struct wps_registrar *reg,
    290 		     struct wps_device_data *dev, const u8 *uuid)
    291 {
    292 	struct wps_registrar_device *d;
    293 
    294 	d = wps_device_get(reg, dev->mac_addr);
    295 	if (d == NULL) {
    296 		d = os_zalloc(sizeof(*d));
    297 		if (d == NULL)
    298 			return -1;
    299 		d->next = reg->devices;
    300 		reg->devices = d;
    301 	}
    302 
    303 	wps_device_clone_data(&d->dev, dev);
    304 	os_memcpy(d->uuid, uuid, WPS_UUID_LEN);
    305 
    306 	return 0;
    307 }
    308 
    309 
    310 static void wps_registrar_add_pbc_session(struct wps_registrar *reg,
    311 					  const u8 *addr, const u8 *uuid_e)
    312 {
    313 	struct wps_pbc_session *pbc, *prev = NULL;
    314 	struct os_time now;
    315 
    316 	os_get_time(&now);
    317 
    318 	pbc = reg->pbc_sessions;
    319 	while (pbc) {
    320 		if (os_memcmp(pbc->addr, addr, ETH_ALEN) == 0 &&
    321 		    os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
    322 			if (prev)
    323 				prev->next = pbc->next;
    324 			else
    325 				reg->pbc_sessions = pbc->next;
    326 			break;
    327 		}
    328 		prev = pbc;
    329 		pbc = pbc->next;
    330 	}
    331 
    332 	if (!pbc) {
    333 		pbc = os_zalloc(sizeof(*pbc));
    334 		if (pbc == NULL)
    335 			return;
    336 		os_memcpy(pbc->addr, addr, ETH_ALEN);
    337 		if (uuid_e)
    338 			os_memcpy(pbc->uuid_e, uuid_e, WPS_UUID_LEN);
    339 	}
    340 
    341 	pbc->next = reg->pbc_sessions;
    342 	reg->pbc_sessions = pbc;
    343 	pbc->timestamp = now;
    344 
    345 	/* remove entries that have timed out */
    346 	prev = pbc;
    347 	pbc = pbc->next;
    348 
    349 	while (pbc) {
    350 		if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) {
    351 			prev->next = NULL;
    352 			wps_free_pbc_sessions(pbc);
    353 			break;
    354 		}
    355 		prev = pbc;
    356 		pbc = pbc->next;
    357 	}
    358 }
    359 
    360 
    361 static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
    362 					     const u8 *uuid_e,
    363 					     const u8 *p2p_dev_addr)
    364 {
    365 	struct wps_pbc_session *pbc, *prev = NULL, *tmp;
    366 
    367 	pbc = reg->pbc_sessions;
    368 	while (pbc) {
    369 		if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0 ||
    370 #ifdef ANDROID_P2P
    371 		    (p2p_dev_addr && !is_zero_ether_addr(pbc->addr) &&
    372 		     os_memcmp(pbc->addr, p2p_dev_addr, ETH_ALEN) ==
    373 #else
    374 		    (p2p_dev_addr && !is_zero_ether_addr(reg->p2p_dev_addr) &&
    375 		     os_memcmp(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) ==
    376 #endif
    377 		     0)) {
    378 			if (prev)
    379 				prev->next = pbc->next;
    380 			else
    381 				reg->pbc_sessions = pbc->next;
    382 			tmp = pbc;
    383 			pbc = pbc->next;
    384 			wpa_printf(MSG_DEBUG, "WPS: Removing PBC session for "
    385 				   "addr=" MACSTR, MAC2STR(tmp->addr));
    386 			wpa_hexdump(MSG_DEBUG, "WPS: Removed UUID-E",
    387 				    tmp->uuid_e, WPS_UUID_LEN);
    388 			os_free(tmp);
    389 			continue;
    390 		}
    391 		prev = pbc;
    392 		pbc = pbc->next;
    393 	}
    394 }
    395 
    396 
    397 int wps_registrar_pbc_overlap(struct wps_registrar *reg,
    398 			      const u8 *addr, const u8 *uuid_e)
    399 {
    400 	int count = 0;
    401 	struct wps_pbc_session *pbc;
    402 	struct wps_pbc_session *first = NULL;
    403 	struct os_time now;
    404 
    405 	os_get_time(&now);
    406 
    407 	wpa_printf(MSG_DEBUG, "WPS: Checking active PBC sessions for overlap");
    408 
    409 	if (uuid_e) {
    410 		wpa_printf(MSG_DEBUG, "WPS: Add one for the requested UUID");
    411 		wpa_hexdump(MSG_DEBUG, "WPS: Requested UUID",
    412 			    uuid_e, WPS_UUID_LEN);
    413 		count++;
    414 	}
    415 
    416 	for (pbc = reg->pbc_sessions; pbc; pbc = pbc->next) {
    417 		wpa_printf(MSG_DEBUG, "WPS: Consider PBC session with " MACSTR,
    418 			   MAC2STR(pbc->addr));
    419 		wpa_hexdump(MSG_DEBUG, "WPS: UUID-E",
    420 			    pbc->uuid_e, WPS_UUID_LEN);
    421 		if (now.sec > pbc->timestamp.sec + WPS_PBC_WALK_TIME) {
    422 			wpa_printf(MSG_DEBUG, "WPS: PBC walk time has "
    423 				   "expired");
    424 			break;
    425 		}
    426 		if (first &&
    427 		    os_memcmp(pbc->uuid_e, first->uuid_e, WPS_UUID_LEN) == 0) {
    428 			wpa_printf(MSG_DEBUG, "WPS: Same Enrollee");
    429 			continue; /* same Enrollee */
    430 		}
    431 		if (uuid_e == NULL ||
    432 		    os_memcmp(uuid_e, pbc->uuid_e, WPS_UUID_LEN)) {
    433 			wpa_printf(MSG_DEBUG, "WPS: New Enrollee");
    434 			count++;
    435 		}
    436 		if (first == NULL)
    437 			first = pbc;
    438 	}
    439 
    440 	wpa_printf(MSG_DEBUG, "WPS: %u active PBC session(s) found", count);
    441 
    442 	return count > 1 ? 1 : 0;
    443 }
    444 
    445 
    446 static int wps_build_wps_state(struct wps_context *wps, struct wpabuf *msg)
    447 {
    448 	wpa_printf(MSG_DEBUG, "WPS:  * Wi-Fi Protected Setup State (%d)",
    449 		   wps->wps_state);
    450 	wpabuf_put_be16(msg, ATTR_WPS_STATE);
    451 	wpabuf_put_be16(msg, 1);
    452 	wpabuf_put_u8(msg, wps->wps_state);
    453 	return 0;
    454 }
    455 
    456 
    457 #ifdef CONFIG_WPS_UPNP
    458 static void wps_registrar_free_pending_m2(struct wps_context *wps)
    459 {
    460 	struct upnp_pending_message *p, *p2, *prev = NULL;
    461 	p = wps->upnp_msgs;
    462 	while (p) {
    463 		if (p->type == WPS_M2 || p->type == WPS_M2D) {
    464 			if (prev == NULL)
    465 				wps->upnp_msgs = p->next;
    466 			else
    467 				prev->next = p->next;
    468 			wpa_printf(MSG_DEBUG, "WPS UPnP: Drop pending M2/M2D");
    469 			p2 = p;
    470 			p = p->next;
    471 			wpabuf_free(p2->msg);
    472 			os_free(p2);
    473 			continue;
    474 		}
    475 		prev = p;
    476 		p = p->next;
    477 	}
    478 }
    479 #endif /* CONFIG_WPS_UPNP */
    480 
    481 
    482 static int wps_build_ap_setup_locked(struct wps_context *wps,
    483 				     struct wpabuf *msg)
    484 {
    485 	if (wps->ap_setup_locked && wps->ap_setup_locked != 2) {
    486 		wpa_printf(MSG_DEBUG, "WPS:  * AP Setup Locked");
    487 		wpabuf_put_be16(msg, ATTR_AP_SETUP_LOCKED);
    488 		wpabuf_put_be16(msg, 1);
    489 		wpabuf_put_u8(msg, 1);
    490 	}
    491 	return 0;
    492 }
    493 
    494 
    495 static int wps_build_selected_registrar(struct wps_registrar *reg,
    496 					struct wpabuf *msg)
    497 {
    498 	if (!reg->sel_reg_union)
    499 		return 0;
    500 	wpa_printf(MSG_DEBUG, "WPS:  * Selected Registrar");
    501 	wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR);
    502 	wpabuf_put_be16(msg, 1);
    503 	wpabuf_put_u8(msg, 1);
    504 	return 0;
    505 }
    506 
    507 
    508 static int wps_build_sel_reg_dev_password_id(struct wps_registrar *reg,
    509 					     struct wpabuf *msg)
    510 {
    511 	u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
    512 	if (!reg->sel_reg_union)
    513 		return 0;
    514 	if (reg->sel_reg_dev_password_id_override >= 0)
    515 		id = reg->sel_reg_dev_password_id_override;
    516 	wpa_printf(MSG_DEBUG, "WPS:  * Device Password ID (%d)", id);
    517 	wpabuf_put_be16(msg, ATTR_DEV_PASSWORD_ID);
    518 	wpabuf_put_be16(msg, 2);
    519 	wpabuf_put_be16(msg, id);
    520 	return 0;
    521 }
    522 
    523 
    524 static int wps_build_sel_pbc_reg_uuid_e(struct wps_registrar *reg,
    525 					struct wpabuf *msg)
    526 {
    527 	u16 id = reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT;
    528 	if (!reg->sel_reg_union)
    529 		return 0;
    530 	if (reg->sel_reg_dev_password_id_override >= 0)
    531 		id = reg->sel_reg_dev_password_id_override;
    532 	if (id != DEV_PW_PUSHBUTTON || !reg->dualband)
    533 		return 0;
    534 	return wps_build_uuid_e(msg, reg->wps->uuid);
    535 }
    536 
    537 
    538 static void wps_set_pushbutton(u16 *methods, u16 conf_methods)
    539 {
    540 	*methods |= WPS_CONFIG_PUSHBUTTON;
    541 #ifdef CONFIG_WPS2
    542 	if ((conf_methods & WPS_CONFIG_VIRT_PUSHBUTTON) ==
    543 	    WPS_CONFIG_VIRT_PUSHBUTTON)
    544 		*methods |= WPS_CONFIG_VIRT_PUSHBUTTON;
    545 	if ((conf_methods & WPS_CONFIG_PHY_PUSHBUTTON) ==
    546 	    WPS_CONFIG_PHY_PUSHBUTTON)
    547 		*methods |= WPS_CONFIG_PHY_PUSHBUTTON;
    548 	if ((*methods & WPS_CONFIG_VIRT_PUSHBUTTON) !=
    549 	    WPS_CONFIG_VIRT_PUSHBUTTON &&
    550 	    (*methods & WPS_CONFIG_PHY_PUSHBUTTON) !=
    551 	    WPS_CONFIG_PHY_PUSHBUTTON) {
    552 		/*
    553 		 * Required to include virtual/physical flag, but we were not
    554 		 * configured with push button type, so have to default to one
    555 		 * of them.
    556 		 */
    557 		*methods |= WPS_CONFIG_PHY_PUSHBUTTON;
    558 	}
    559 #endif /* CONFIG_WPS2 */
    560 }
    561 
    562 
    563 static int wps_build_sel_reg_config_methods(struct wps_registrar *reg,
    564 					    struct wpabuf *msg)
    565 {
    566 	u16 methods;
    567 	if (!reg->sel_reg_union)
    568 		return 0;
    569 	methods = reg->wps->config_methods;
    570 	methods &= ~WPS_CONFIG_PUSHBUTTON;
    571 #ifdef CONFIG_WPS2
    572 	methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
    573 		     WPS_CONFIG_PHY_PUSHBUTTON);
    574 #endif /* CONFIG_WPS2 */
    575 	if (reg->pbc)
    576 		wps_set_pushbutton(&methods, reg->wps->config_methods);
    577 	if (reg->sel_reg_config_methods_override >= 0)
    578 		methods = reg->sel_reg_config_methods_override;
    579 	wpa_printf(MSG_DEBUG, "WPS:  * Selected Registrar Config Methods (%x)",
    580 		   methods);
    581 	wpabuf_put_be16(msg, ATTR_SELECTED_REGISTRAR_CONFIG_METHODS);
    582 	wpabuf_put_be16(msg, 2);
    583 	wpabuf_put_be16(msg, methods);
    584 	return 0;
    585 }
    586 
    587 
    588 static int wps_build_probe_config_methods(struct wps_registrar *reg,
    589 					  struct wpabuf *msg)
    590 {
    591 	u16 methods;
    592 	/*
    593 	 * These are the methods that the AP supports as an Enrollee for adding
    594 	 * external Registrars.
    595 	 */
    596 	methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
    597 #ifdef CONFIG_WPS2
    598 	methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
    599 		     WPS_CONFIG_PHY_PUSHBUTTON);
    600 #endif /* CONFIG_WPS2 */
    601 	wpa_printf(MSG_DEBUG, "WPS:  * Config Methods (%x)", methods);
    602 	wpabuf_put_be16(msg, ATTR_CONFIG_METHODS);
    603 	wpabuf_put_be16(msg, 2);
    604 	wpabuf_put_be16(msg, methods);
    605 	return 0;
    606 }
    607 
    608 
    609 static int wps_build_config_methods_r(struct wps_registrar *reg,
    610 				      struct wpabuf *msg)
    611 {
    612 	return wps_build_config_methods(msg, reg->wps->config_methods);
    613 }
    614 
    615 
    616 const u8 * wps_authorized_macs(struct wps_registrar *reg, size_t *count)
    617 {
    618 	*count = 0;
    619 
    620 #ifdef CONFIG_WPS2
    621 	while (*count < WPS_MAX_AUTHORIZED_MACS) {
    622 		if (is_zero_ether_addr(reg->authorized_macs_union[*count]))
    623 			break;
    624 		(*count)++;
    625 	}
    626 #endif /* CONFIG_WPS2 */
    627 
    628 	return (const u8 *) reg->authorized_macs_union;
    629 }
    630 
    631 
    632 /**
    633  * wps_registrar_init - Initialize WPS Registrar data
    634  * @wps: Pointer to longterm WPS context
    635  * @cfg: Registrar configuration
    636  * Returns: Pointer to allocated Registrar data or %NULL on failure
    637  *
    638  * This function is used to initialize WPS Registrar functionality. It can be
    639  * used for a single Registrar run (e.g., when run in a supplicant) or multiple
    640  * runs (e.g., when run as an internal Registrar in an AP). Caller is
    641  * responsible for freeing the returned data with wps_registrar_deinit() when
    642  * Registrar functionality is not needed anymore.
    643  */
    644 struct wps_registrar *
    645 wps_registrar_init(struct wps_context *wps,
    646 		   const struct wps_registrar_config *cfg)
    647 {
    648 	struct wps_registrar *reg = os_zalloc(sizeof(*reg));
    649 	if (reg == NULL)
    650 		return NULL;
    651 
    652 	dl_list_init(&reg->pins);
    653 	dl_list_init(&reg->nfc_pw_tokens);
    654 	reg->wps = wps;
    655 	reg->new_psk_cb = cfg->new_psk_cb;
    656 	reg->set_ie_cb = cfg->set_ie_cb;
    657 	reg->pin_needed_cb = cfg->pin_needed_cb;
    658 	reg->reg_success_cb = cfg->reg_success_cb;
    659 	reg->set_sel_reg_cb = cfg->set_sel_reg_cb;
    660 	reg->enrollee_seen_cb = cfg->enrollee_seen_cb;
    661 	reg->cb_ctx = cfg->cb_ctx;
    662 	reg->skip_cred_build = cfg->skip_cred_build;
    663 	if (cfg->extra_cred) {
    664 		reg->extra_cred = wpabuf_alloc_copy(cfg->extra_cred,
    665 						    cfg->extra_cred_len);
    666 		if (reg->extra_cred == NULL) {
    667 			os_free(reg);
    668 			return NULL;
    669 		}
    670 	}
    671 	reg->disable_auto_conf = cfg->disable_auto_conf;
    672 	reg->sel_reg_dev_password_id_override = -1;
    673 	reg->sel_reg_config_methods_override = -1;
    674 	reg->static_wep_only = cfg->static_wep_only;
    675 	reg->dualband = cfg->dualband;
    676 	reg->force_per_enrollee_psk = cfg->force_per_enrollee_psk;
    677 
    678 	if (wps_set_ie(reg)) {
    679 		wps_registrar_deinit(reg);
    680 		return NULL;
    681 	}
    682 
    683 	return reg;
    684 }
    685 
    686 
    687 /**
    688  * wps_registrar_deinit - Deinitialize WPS Registrar data
    689  * @reg: Registrar data from wps_registrar_init()
    690  */
    691 void wps_registrar_deinit(struct wps_registrar *reg)
    692 {
    693 	if (reg == NULL)
    694 		return;
    695 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
    696 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
    697 	wps_free_pins(&reg->pins);
    698 	wps_free_nfc_pw_tokens(&reg->nfc_pw_tokens, 0);
    699 	wps_free_pbc_sessions(reg->pbc_sessions);
    700 	wpabuf_free(reg->extra_cred);
    701 	wps_free_devices(reg->devices);
    702 	os_free(reg);
    703 }
    704 
    705 
    706 static void wps_registrar_invalidate_unused(struct wps_registrar *reg)
    707 {
    708 	struct wps_uuid_pin *pin;
    709 
    710 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
    711 		if (pin->wildcard_uuid == 1 && !(pin->flags & PIN_LOCKED)) {
    712 			wpa_printf(MSG_DEBUG, "WPS: Invalidate previously "
    713 				   "configured wildcard PIN");
    714 			wps_registrar_remove_pin(reg, pin);
    715 			break;
    716 		}
    717 	}
    718 }
    719 
    720 
    721 /**
    722  * wps_registrar_add_pin - Configure a new PIN for Registrar
    723  * @reg: Registrar data from wps_registrar_init()
    724  * @addr: Enrollee MAC address or %NULL if not known
    725  * @uuid: UUID-E or %NULL for wildcard (any UUID)
    726  * @pin: PIN (Device Password)
    727  * @pin_len: Length of pin in octets
    728  * @timeout: Time (in seconds) when the PIN will be invalidated; 0 = no timeout
    729  * Returns: 0 on success, -1 on failure
    730  */
    731 int wps_registrar_add_pin(struct wps_registrar *reg, const u8 *addr,
    732 			  const u8 *uuid, const u8 *pin, size_t pin_len,
    733 			  int timeout)
    734 {
    735 	struct wps_uuid_pin *p;
    736 
    737 	p = os_zalloc(sizeof(*p));
    738 	if (p == NULL)
    739 		return -1;
    740 	if (addr)
    741 		os_memcpy(p->enrollee_addr, addr, ETH_ALEN);
    742 	if (uuid == NULL)
    743 		p->wildcard_uuid = 1;
    744 	else
    745 		os_memcpy(p->uuid, uuid, WPS_UUID_LEN);
    746 	p->pin = os_malloc(pin_len);
    747 	if (p->pin == NULL) {
    748 		os_free(p);
    749 		return -1;
    750 	}
    751 	os_memcpy(p->pin, pin, pin_len);
    752 	p->pin_len = pin_len;
    753 
    754 	if (timeout) {
    755 		p->flags |= PIN_EXPIRES;
    756 		os_get_time(&p->expiration);
    757 		p->expiration.sec += timeout;
    758 	}
    759 
    760 	if (p->wildcard_uuid)
    761 		wps_registrar_invalidate_unused(reg);
    762 
    763 	dl_list_add(&reg->pins, &p->list);
    764 
    765 	wpa_printf(MSG_DEBUG, "WPS: A new PIN configured (timeout=%d)",
    766 		   timeout);
    767 	wpa_hexdump(MSG_DEBUG, "WPS: UUID", uuid, WPS_UUID_LEN);
    768 	wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: PIN", pin, pin_len);
    769 	reg->selected_registrar = 1;
    770 	reg->pbc = 0;
    771 	if (addr)
    772 		wps_registrar_add_authorized_mac(reg, addr);
    773 	else
    774 		wps_registrar_add_authorized_mac(
    775 			reg, (u8 *) "\xff\xff\xff\xff\xff\xff");
    776 	wps_registrar_selected_registrar_changed(reg, 0);
    777 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
    778 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0,
    779 			       wps_registrar_set_selected_timeout,
    780 			       reg, NULL);
    781 
    782 	return 0;
    783 }
    784 
    785 
    786 static void wps_registrar_remove_pin(struct wps_registrar *reg,
    787 				     struct wps_uuid_pin *pin)
    788 {
    789 	u8 *addr;
    790 	u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    791 
    792 	if (is_zero_ether_addr(pin->enrollee_addr))
    793 		addr = bcast;
    794 	else
    795 		addr = pin->enrollee_addr;
    796 	wps_registrar_remove_authorized_mac(reg, addr);
    797 	wps_remove_pin(pin);
    798 	wps_registrar_selected_registrar_changed(reg, 0);
    799 }
    800 
    801 
    802 static void wps_registrar_expire_pins(struct wps_registrar *reg)
    803 {
    804 	struct wps_uuid_pin *pin, *prev;
    805 	struct os_time now;
    806 
    807 	os_get_time(&now);
    808 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
    809 	{
    810 		if ((pin->flags & PIN_EXPIRES) &&
    811 		    os_time_before(&pin->expiration, &now)) {
    812 			wpa_hexdump(MSG_DEBUG, "WPS: Expired PIN for UUID",
    813 				    pin->uuid, WPS_UUID_LEN);
    814 			wps_registrar_remove_pin(reg, pin);
    815 		}
    816 	}
    817 }
    818 
    819 
    820 /**
    821  * wps_registrar_invalidate_wildcard_pin - Invalidate a wildcard PIN
    822  * @reg: Registrar data from wps_registrar_init()
    823  * @dev_pw: PIN to search for or %NULL to match any
    824  * @dev_pw_len: Length of dev_pw in octets
    825  * Returns: 0 on success, -1 if not wildcard PIN is enabled
    826  */
    827 static int wps_registrar_invalidate_wildcard_pin(struct wps_registrar *reg,
    828 						 const u8 *dev_pw,
    829 						 size_t dev_pw_len)
    830 {
    831 	struct wps_uuid_pin *pin, *prev;
    832 
    833 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
    834 	{
    835 		if (dev_pw && pin->pin &&
    836 		    (dev_pw_len != pin->pin_len ||
    837 		     os_memcmp(dev_pw, pin->pin, dev_pw_len) != 0))
    838 			continue; /* different PIN */
    839 		if (pin->wildcard_uuid) {
    840 			wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
    841 				    pin->uuid, WPS_UUID_LEN);
    842 			wps_registrar_remove_pin(reg, pin);
    843 			return 0;
    844 		}
    845 	}
    846 
    847 	return -1;
    848 }
    849 
    850 
    851 /**
    852  * wps_registrar_invalidate_pin - Invalidate a PIN for a specific UUID-E
    853  * @reg: Registrar data from wps_registrar_init()
    854  * @uuid: UUID-E
    855  * Returns: 0 on success, -1 on failure (e.g., PIN not found)
    856  */
    857 int wps_registrar_invalidate_pin(struct wps_registrar *reg, const u8 *uuid)
    858 {
    859 	struct wps_uuid_pin *pin, *prev;
    860 
    861 	dl_list_for_each_safe(pin, prev, &reg->pins, struct wps_uuid_pin, list)
    862 	{
    863 		if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
    864 			wpa_hexdump(MSG_DEBUG, "WPS: Invalidated PIN for UUID",
    865 				    pin->uuid, WPS_UUID_LEN);
    866 			wps_registrar_remove_pin(reg, pin);
    867 			return 0;
    868 		}
    869 	}
    870 
    871 	return -1;
    872 }
    873 
    874 
    875 static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
    876 					const u8 *uuid, size_t *pin_len)
    877 {
    878 	struct wps_uuid_pin *pin, *found = NULL;
    879 
    880 	wps_registrar_expire_pins(reg);
    881 
    882 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
    883 		if (!pin->wildcard_uuid &&
    884 		    os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
    885 			found = pin;
    886 			break;
    887 		}
    888 	}
    889 
    890 	if (!found) {
    891 		/* Check for wildcard UUIDs since none of the UUID-specific
    892 		 * PINs matched */
    893 		dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
    894 			if (pin->wildcard_uuid == 1 ||
    895 			    pin->wildcard_uuid == 2) {
    896 				wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
    897 					   "PIN. Assigned it for this UUID-E");
    898 				pin->wildcard_uuid++;
    899 				os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
    900 				found = pin;
    901 				break;
    902 			}
    903 		}
    904 	}
    905 
    906 	if (!found)
    907 		return NULL;
    908 
    909 	/*
    910 	 * Lock the PIN to avoid attacks based on concurrent re-use of the PIN
    911 	 * that could otherwise avoid PIN invalidations.
    912 	 */
    913 	if (found->flags & PIN_LOCKED) {
    914 		wpa_printf(MSG_DEBUG, "WPS: Selected PIN locked - do not "
    915 			   "allow concurrent re-use");
    916 		return NULL;
    917 	}
    918 	*pin_len = found->pin_len;
    919 	found->flags |= PIN_LOCKED;
    920 	return found->pin;
    921 }
    922 
    923 
    924 /**
    925  * wps_registrar_unlock_pin - Unlock a PIN for a specific UUID-E
    926  * @reg: Registrar data from wps_registrar_init()
    927  * @uuid: UUID-E
    928  * Returns: 0 on success, -1 on failure
    929  *
    930  * PINs are locked to enforce only one concurrent use. This function unlocks a
    931  * PIN to allow it to be used again. If the specified PIN was configured using
    932  * a wildcard UUID, it will be removed instead of allowing multiple uses.
    933  */
    934 int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
    935 {
    936 	struct wps_uuid_pin *pin;
    937 
    938 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
    939 		if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
    940 			if (pin->wildcard_uuid == 3) {
    941 				wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
    942 					   "wildcard PIN");
    943 				return wps_registrar_invalidate_pin(reg, uuid);
    944 			}
    945 			pin->flags &= ~PIN_LOCKED;
    946 			return 0;
    947 		}
    948 	}
    949 
    950 	return -1;
    951 }
    952 
    953 
    954 static void wps_registrar_stop_pbc(struct wps_registrar *reg)
    955 {
    956 	reg->selected_registrar = 0;
    957 	reg->pbc = 0;
    958 	os_memset(reg->p2p_dev_addr, 0, ETH_ALEN);
    959 	wps_registrar_remove_authorized_mac(reg,
    960 					    (u8 *) "\xff\xff\xff\xff\xff\xff");
    961 	wps_registrar_selected_registrar_changed(reg, 0);
    962 }
    963 
    964 
    965 static void wps_registrar_pbc_timeout(void *eloop_ctx, void *timeout_ctx)
    966 {
    967 	struct wps_registrar *reg = eloop_ctx;
    968 
    969 	wpa_printf(MSG_DEBUG, "WPS: PBC timed out - disable PBC mode");
    970 	wps_pbc_timeout_event(reg->wps);
    971 	wps_registrar_stop_pbc(reg);
    972 }
    973 
    974 
    975 /**
    976  * wps_registrar_button_pushed - Notify Registrar that AP button was pushed
    977  * @reg: Registrar data from wps_registrar_init()
    978  * @p2p_dev_addr: Limit allowed PBC devices to the specified P2P device, %NULL
    979  *	indicates no such filtering
    980  * Returns: 0 on success, -1 on failure, -2 on session overlap
    981  *
    982  * This function is called on an AP when a push button is pushed to activate
    983  * PBC mode. The PBC mode will be stopped after walk time (2 minutes) timeout
    984  * or when a PBC registration is completed. If more than one Enrollee in active
    985  * PBC mode has been detected during the monitor time (previous 2 minutes), the
    986  * PBC mode is not activated and -2 is returned to indicate session overlap.
    987  * This is skipped if a specific Enrollee is selected.
    988  */
    989 int wps_registrar_button_pushed(struct wps_registrar *reg,
    990 				const u8 *p2p_dev_addr)
    991 {
    992 	if (p2p_dev_addr == NULL &&
    993 	    wps_registrar_pbc_overlap(reg, NULL, NULL)) {
    994 		wpa_printf(MSG_DEBUG, "WPS: PBC overlap - do not start PBC "
    995 			   "mode");
    996 		wps_pbc_overlap_event(reg->wps);
    997 		return -2;
    998 	}
    999 	wpa_printf(MSG_DEBUG, "WPS: Button pushed - PBC mode started");
   1000 	reg->force_pbc_overlap = 0;
   1001 	reg->selected_registrar = 1;
   1002 	reg->pbc = 1;
   1003 	if (p2p_dev_addr)
   1004 		os_memcpy(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
   1005 	else
   1006 		os_memset(reg->p2p_dev_addr, 0, ETH_ALEN);
   1007 	wps_registrar_add_authorized_mac(reg,
   1008 					 (u8 *) "\xff\xff\xff\xff\xff\xff");
   1009 	wps_registrar_selected_registrar_changed(reg, 0);
   1010 
   1011 	wps_pbc_active_event(reg->wps);
   1012 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
   1013 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
   1014 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0, wps_registrar_pbc_timeout,
   1015 			       reg, NULL);
   1016 	return 0;
   1017 }
   1018 
   1019 
   1020 static void wps_registrar_pbc_completed(struct wps_registrar *reg)
   1021 {
   1022 	wpa_printf(MSG_DEBUG, "WPS: PBC completed - stopping PBC mode");
   1023 	eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
   1024 	wps_registrar_stop_pbc(reg);
   1025 	wps_pbc_disable_event(reg->wps);
   1026 }
   1027 
   1028 
   1029 static void wps_registrar_pin_completed(struct wps_registrar *reg)
   1030 {
   1031 	wpa_printf(MSG_DEBUG, "WPS: PIN completed using internal Registrar");
   1032 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
   1033 	reg->selected_registrar = 0;
   1034 	wps_registrar_selected_registrar_changed(reg, 0);
   1035 }
   1036 
   1037 
   1038 void wps_registrar_complete(struct wps_registrar *registrar, const u8 *uuid_e,
   1039 			    const u8 *dev_pw, size_t dev_pw_len)
   1040 {
   1041 	if (registrar->pbc) {
   1042 		wps_registrar_remove_pbc_session(registrar,
   1043 						 uuid_e, NULL);
   1044 		wps_registrar_pbc_completed(registrar);
   1045 		os_get_time(&registrar->pbc_ignore_start);
   1046 		os_memcpy(registrar->pbc_ignore_uuid, uuid_e, WPS_UUID_LEN);
   1047 	} else {
   1048 		wps_registrar_pin_completed(registrar);
   1049 	}
   1050 
   1051 	if (dev_pw &&
   1052 	    wps_registrar_invalidate_wildcard_pin(registrar, dev_pw,
   1053 						  dev_pw_len) == 0) {
   1054 		wpa_hexdump_key(MSG_DEBUG, "WPS: Invalidated wildcard PIN",
   1055 				dev_pw, dev_pw_len);
   1056 	}
   1057 }
   1058 
   1059 
   1060 int wps_registrar_wps_cancel(struct wps_registrar *reg)
   1061 {
   1062 	if (reg->pbc) {
   1063 		wpa_printf(MSG_DEBUG, "WPS: PBC is set - cancelling it");
   1064 		wps_registrar_pbc_timeout(reg, NULL);
   1065 		eloop_cancel_timeout(wps_registrar_pbc_timeout, reg, NULL);
   1066 		return 1;
   1067 	} else if (reg->selected_registrar) {
   1068 		/* PIN Method */
   1069 		wpa_printf(MSG_DEBUG, "WPS: PIN is set - cancelling it");
   1070 		wps_registrar_pin_completed(reg);
   1071 		wps_registrar_invalidate_wildcard_pin(reg, NULL, 0);
   1072 		return 1;
   1073 	}
   1074 	return 0;
   1075 }
   1076 
   1077 
   1078 /**
   1079  * wps_registrar_probe_req_rx - Notify Registrar of Probe Request
   1080  * @reg: Registrar data from wps_registrar_init()
   1081  * @addr: MAC address of the Probe Request sender
   1082  * @wps_data: WPS IE contents
   1083  *
   1084  * This function is called on an AP when a Probe Request with WPS IE is
   1085  * received. This is used to track PBC mode use and to detect possible overlap
   1086  * situation with other WPS APs.
   1087  */
   1088 void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
   1089 				const struct wpabuf *wps_data,
   1090 				int p2p_wildcard)
   1091 {
   1092 	struct wps_parse_attr attr;
   1093 	int skip_add = 0;
   1094 
   1095 	wpa_hexdump_buf(MSG_MSGDUMP,
   1096 			"WPS: Probe Request with WPS data received",
   1097 			wps_data);
   1098 
   1099 	if (wps_parse_msg(wps_data, &attr) < 0)
   1100 		return;
   1101 
   1102 	if (attr.config_methods == NULL) {
   1103 		wpa_printf(MSG_DEBUG, "WPS: No Config Methods attribute in "
   1104 			   "Probe Request");
   1105 		return;
   1106 	}
   1107 
   1108 	if (attr.dev_password_id == NULL) {
   1109 		wpa_printf(MSG_DEBUG, "WPS: No Device Password Id attribute "
   1110 			   "in Probe Request");
   1111 		return;
   1112 	}
   1113 
   1114 	if (reg->enrollee_seen_cb && attr.uuid_e &&
   1115 	    attr.primary_dev_type && attr.request_type && !p2p_wildcard) {
   1116 		char *dev_name = NULL;
   1117 		if (attr.dev_name) {
   1118 			dev_name = os_zalloc(attr.dev_name_len + 1);
   1119 			if (dev_name) {
   1120 				os_memcpy(dev_name, attr.dev_name,
   1121 					  attr.dev_name_len);
   1122 			}
   1123 		}
   1124 		reg->enrollee_seen_cb(reg->cb_ctx, addr, attr.uuid_e,
   1125 				      attr.primary_dev_type,
   1126 				      WPA_GET_BE16(attr.config_methods),
   1127 				      WPA_GET_BE16(attr.dev_password_id),
   1128 				      *attr.request_type, dev_name);
   1129 		os_free(dev_name);
   1130 	}
   1131 
   1132 	if (WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
   1133 		return; /* Not PBC */
   1134 
   1135 	wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
   1136 		   MACSTR, MAC2STR(addr));
   1137 	if (attr.uuid_e == NULL) {
   1138 		wpa_printf(MSG_DEBUG, "WPS: Invalid Probe Request WPS IE: No "
   1139 			   "UUID-E included");
   1140 		return;
   1141 	}
   1142 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-E from Probe Request", attr.uuid_e,
   1143 		    WPS_UUID_LEN);
   1144 
   1145 #ifdef WPS_WORKAROUNDS
   1146 	if (reg->pbc_ignore_start.sec &&
   1147 	    os_memcmp(attr.uuid_e, reg->pbc_ignore_uuid, WPS_UUID_LEN) == 0) {
   1148 		struct os_time now, dur;
   1149 		os_get_time(&now);
   1150 		os_time_sub(&now, &reg->pbc_ignore_start, &dur);
   1151 		if (dur.sec >= 0 && dur.sec < 5) {
   1152 			wpa_printf(MSG_DEBUG, "WPS: Ignore PBC activation "
   1153 				   "based on Probe Request from the Enrollee "
   1154 				   "that just completed PBC provisioning");
   1155 			skip_add = 1;
   1156 		} else
   1157 			reg->pbc_ignore_start.sec = 0;
   1158 	}
   1159 #endif /* WPS_WORKAROUNDS */
   1160 
   1161 	if (!skip_add)
   1162 		wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
   1163 	if (wps_registrar_pbc_overlap(reg, addr, attr.uuid_e)) {
   1164 		wpa_printf(MSG_DEBUG, "WPS: PBC session overlap detected");
   1165 		reg->force_pbc_overlap = 1;
   1166 		wps_pbc_overlap_event(reg->wps);
   1167 	}
   1168 }
   1169 
   1170 
   1171 static int wps_cb_new_psk(struct wps_registrar *reg, const u8 *mac_addr,
   1172 			  const u8 *p2p_dev_addr, const u8 *psk, size_t psk_len)
   1173 {
   1174 	if (reg->new_psk_cb == NULL)
   1175 		return 0;
   1176 
   1177 	return reg->new_psk_cb(reg->cb_ctx, mac_addr, p2p_dev_addr, psk,
   1178 			       psk_len);
   1179 }
   1180 
   1181 
   1182 static void wps_cb_pin_needed(struct wps_registrar *reg, const u8 *uuid_e,
   1183 			      const struct wps_device_data *dev)
   1184 {
   1185 	if (reg->pin_needed_cb == NULL)
   1186 		return;
   1187 
   1188 	reg->pin_needed_cb(reg->cb_ctx, uuid_e, dev);
   1189 }
   1190 
   1191 
   1192 static void wps_cb_reg_success(struct wps_registrar *reg, const u8 *mac_addr,
   1193 			       const u8 *uuid_e, const u8 *dev_pw,
   1194 			       size_t dev_pw_len)
   1195 {
   1196 	if (reg->reg_success_cb == NULL)
   1197 		return;
   1198 
   1199 	reg->reg_success_cb(reg->cb_ctx, mac_addr, uuid_e, dev_pw, dev_pw_len);
   1200 }
   1201 
   1202 
   1203 static int wps_cb_set_ie(struct wps_registrar *reg, struct wpabuf *beacon_ie,
   1204 			 struct wpabuf *probe_resp_ie)
   1205 {
   1206 	return reg->set_ie_cb(reg->cb_ctx, beacon_ie, probe_resp_ie);
   1207 }
   1208 
   1209 
   1210 static void wps_cb_set_sel_reg(struct wps_registrar *reg)
   1211 {
   1212 	u16 methods = 0;
   1213 	if (reg->set_sel_reg_cb == NULL)
   1214 		return;
   1215 
   1216 	if (reg->selected_registrar) {
   1217 		methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
   1218 #ifdef CONFIG_WPS2
   1219 		methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
   1220 			     WPS_CONFIG_PHY_PUSHBUTTON);
   1221 #endif /* CONFIG_WPS2 */
   1222 		if (reg->pbc)
   1223 			wps_set_pushbutton(&methods, reg->wps->config_methods);
   1224 	}
   1225 
   1226 	wpa_printf(MSG_DEBUG, "WPS: wps_cb_set_sel_reg: sel_reg=%d "
   1227 		   "config_methods=0x%x pbc=%d methods=0x%x",
   1228 		   reg->selected_registrar, reg->wps->config_methods,
   1229 		   reg->pbc, methods);
   1230 
   1231 	reg->set_sel_reg_cb(reg->cb_ctx, reg->selected_registrar,
   1232 			    reg->pbc ? DEV_PW_PUSHBUTTON : DEV_PW_DEFAULT,
   1233 			    methods);
   1234 }
   1235 
   1236 
   1237 static int wps_set_ie(struct wps_registrar *reg)
   1238 {
   1239 	struct wpabuf *beacon;
   1240 	struct wpabuf *probe;
   1241 	const u8 *auth_macs;
   1242 	size_t count;
   1243 	size_t vendor_len = 0;
   1244 	int i;
   1245 
   1246 	if (reg->set_ie_cb == NULL)
   1247 		return 0;
   1248 
   1249 	for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) {
   1250 		if (reg->wps->dev.vendor_ext[i]) {
   1251 			vendor_len += 2 + 2;
   1252 			vendor_len += wpabuf_len(reg->wps->dev.vendor_ext[i]);
   1253 		}
   1254 	}
   1255 
   1256 	beacon = wpabuf_alloc(400 + vendor_len);
   1257 	if (beacon == NULL)
   1258 		return -1;
   1259 	probe = wpabuf_alloc(500 + vendor_len);
   1260 	if (probe == NULL) {
   1261 		wpabuf_free(beacon);
   1262 		return -1;
   1263 	}
   1264 
   1265 	auth_macs = wps_authorized_macs(reg, &count);
   1266 
   1267 	wpa_printf(MSG_DEBUG, "WPS: Build Beacon IEs");
   1268 
   1269 	if (wps_build_version(beacon) ||
   1270 	    wps_build_wps_state(reg->wps, beacon) ||
   1271 	    wps_build_ap_setup_locked(reg->wps, beacon) ||
   1272 	    wps_build_selected_registrar(reg, beacon) ||
   1273 	    wps_build_sel_reg_dev_password_id(reg, beacon) ||
   1274 	    wps_build_sel_reg_config_methods(reg, beacon) ||
   1275 	    wps_build_sel_pbc_reg_uuid_e(reg, beacon) ||
   1276 	    (reg->dualband && wps_build_rf_bands(&reg->wps->dev, beacon, 0)) ||
   1277 	    wps_build_wfa_ext(beacon, 0, auth_macs, count) ||
   1278 	    wps_build_vendor_ext(&reg->wps->dev, beacon)) {
   1279 		wpabuf_free(beacon);
   1280 		wpabuf_free(probe);
   1281 		return -1;
   1282 	}
   1283 
   1284 #ifdef CONFIG_P2P
   1285 	if (wps_build_dev_name(&reg->wps->dev, beacon) ||
   1286 	    wps_build_primary_dev_type(&reg->wps->dev, beacon)) {
   1287 		wpabuf_free(beacon);
   1288 		wpabuf_free(probe);
   1289 		return -1;
   1290 	}
   1291 #endif /* CONFIG_P2P */
   1292 
   1293 	wpa_printf(MSG_DEBUG, "WPS: Build Probe Response IEs");
   1294 
   1295 	if (wps_build_version(probe) ||
   1296 	    wps_build_wps_state(reg->wps, probe) ||
   1297 	    wps_build_ap_setup_locked(reg->wps, probe) ||
   1298 	    wps_build_selected_registrar(reg, probe) ||
   1299 	    wps_build_sel_reg_dev_password_id(reg, probe) ||
   1300 	    wps_build_sel_reg_config_methods(reg, probe) ||
   1301 	    wps_build_resp_type(probe, reg->wps->ap ? WPS_RESP_AP :
   1302 				WPS_RESP_REGISTRAR) ||
   1303 	    wps_build_uuid_e(probe, reg->wps->uuid) ||
   1304 	    wps_build_device_attrs(&reg->wps->dev, probe) ||
   1305 	    wps_build_probe_config_methods(reg, probe) ||
   1306 	    (reg->dualband && wps_build_rf_bands(&reg->wps->dev, probe, 0)) ||
   1307 	    wps_build_wfa_ext(probe, 0, auth_macs, count) ||
   1308 	    wps_build_vendor_ext(&reg->wps->dev, probe)) {
   1309 		wpabuf_free(beacon);
   1310 		wpabuf_free(probe);
   1311 		return -1;
   1312 	}
   1313 
   1314 	beacon = wps_ie_encapsulate(beacon);
   1315 	probe = wps_ie_encapsulate(probe);
   1316 
   1317 	if (!beacon || !probe) {
   1318 		wpabuf_free(beacon);
   1319 		wpabuf_free(probe);
   1320 		return -1;
   1321 	}
   1322 
   1323 	if (reg->static_wep_only) {
   1324 		/*
   1325 		 * Windows XP and Vista clients can get confused about
   1326 		 * EAP-Identity/Request when they probe the network with
   1327 		 * EAPOL-Start. In such a case, they may assume the network is
   1328 		 * using IEEE 802.1X and prompt user for a certificate while
   1329 		 * the correct (non-WPS) behavior would be to ask for the
   1330 		 * static WEP key. As a workaround, use Microsoft Provisioning
   1331 		 * IE to advertise that legacy 802.1X is not supported.
   1332 		 */
   1333 		const u8 ms_wps[7] = {
   1334 			WLAN_EID_VENDOR_SPECIFIC, 5,
   1335 			/* Microsoft Provisioning IE (00:50:f2:5) */
   1336 			0x00, 0x50, 0xf2, 5,
   1337 			0x00 /* no legacy 802.1X or MS WPS */
   1338 		};
   1339 		wpa_printf(MSG_DEBUG, "WPS: Add Microsoft Provisioning IE "
   1340 			   "into Beacon/Probe Response frames");
   1341 		wpabuf_put_data(beacon, ms_wps, sizeof(ms_wps));
   1342 		wpabuf_put_data(probe, ms_wps, sizeof(ms_wps));
   1343 	}
   1344 
   1345 	return wps_cb_set_ie(reg, beacon, probe);
   1346 }
   1347 
   1348 
   1349 static int wps_get_dev_password(struct wps_data *wps)
   1350 {
   1351 	const u8 *pin;
   1352 	size_t pin_len = 0;
   1353 
   1354 	os_free(wps->dev_password);
   1355 	wps->dev_password = NULL;
   1356 
   1357 	if (wps->pbc) {
   1358 		wpa_printf(MSG_DEBUG, "WPS: Use default PIN for PBC");
   1359 		pin = (const u8 *) "00000000";
   1360 		pin_len = 8;
   1361 #ifdef CONFIG_WPS_NFC
   1362 	} else if (wps->nfc_pw_token) {
   1363 		wpa_printf(MSG_DEBUG, "WPS: Use OOB Device Password from NFC "
   1364 			   "Password Token");
   1365 		pin = wps->nfc_pw_token->dev_pw;
   1366 		pin_len = wps->nfc_pw_token->dev_pw_len;
   1367 #endif /* CONFIG_WPS_NFC */
   1368 	} else {
   1369 		pin = wps_registrar_get_pin(wps->wps->registrar, wps->uuid_e,
   1370 					    &pin_len);
   1371 		if (pin && wps->dev_pw_id >= 0x10) {
   1372 			wpa_printf(MSG_DEBUG, "WPS: No match for OOB Device "
   1373 				   "Password ID, but PIN found");
   1374 			/*
   1375 			 * See whether Enrollee is willing to use PIN instead.
   1376 			 */
   1377 			wps->dev_pw_id = DEV_PW_DEFAULT;
   1378 		}
   1379 	}
   1380 	if (pin == NULL) {
   1381 		wpa_printf(MSG_DEBUG, "WPS: No Device Password available for "
   1382 			   "the Enrollee");
   1383 		wps_cb_pin_needed(wps->wps->registrar, wps->uuid_e,
   1384 				  &wps->peer_dev);
   1385 		return -1;
   1386 	}
   1387 
   1388 	wps->dev_password = os_malloc(pin_len);
   1389 	if (wps->dev_password == NULL)
   1390 		return -1;
   1391 	os_memcpy(wps->dev_password, pin, pin_len);
   1392 	wps->dev_password_len = pin_len;
   1393 
   1394 	return 0;
   1395 }
   1396 
   1397 
   1398 static int wps_build_uuid_r(struct wps_data *wps, struct wpabuf *msg)
   1399 {
   1400 	wpa_printf(MSG_DEBUG, "WPS:  * UUID-R");
   1401 	wpabuf_put_be16(msg, ATTR_UUID_R);
   1402 	wpabuf_put_be16(msg, WPS_UUID_LEN);
   1403 	wpabuf_put_data(msg, wps->uuid_r, WPS_UUID_LEN);
   1404 	return 0;
   1405 }
   1406 
   1407 
   1408 static int wps_build_r_hash(struct wps_data *wps, struct wpabuf *msg)
   1409 {
   1410 	u8 *hash;
   1411 	const u8 *addr[4];
   1412 	size_t len[4];
   1413 
   1414 	if (random_get_bytes(wps->snonce, 2 * WPS_SECRET_NONCE_LEN) < 0)
   1415 		return -1;
   1416 	wpa_hexdump(MSG_DEBUG, "WPS: R-S1", wps->snonce, WPS_SECRET_NONCE_LEN);
   1417 	wpa_hexdump(MSG_DEBUG, "WPS: R-S2",
   1418 		    wps->snonce + WPS_SECRET_NONCE_LEN, WPS_SECRET_NONCE_LEN);
   1419 
   1420 	if (wps->dh_pubkey_e == NULL || wps->dh_pubkey_r == NULL) {
   1421 		wpa_printf(MSG_DEBUG, "WPS: DH public keys not available for "
   1422 			   "R-Hash derivation");
   1423 		return -1;
   1424 	}
   1425 
   1426 	wpa_printf(MSG_DEBUG, "WPS:  * R-Hash1");
   1427 	wpabuf_put_be16(msg, ATTR_R_HASH1);
   1428 	wpabuf_put_be16(msg, SHA256_MAC_LEN);
   1429 	hash = wpabuf_put(msg, SHA256_MAC_LEN);
   1430 	/* R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R) */
   1431 	addr[0] = wps->snonce;
   1432 	len[0] = WPS_SECRET_NONCE_LEN;
   1433 	addr[1] = wps->psk1;
   1434 	len[1] = WPS_PSK_LEN;
   1435 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
   1436 	len[2] = wpabuf_len(wps->dh_pubkey_e);
   1437 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
   1438 	len[3] = wpabuf_len(wps->dh_pubkey_r);
   1439 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
   1440 	wpa_hexdump(MSG_DEBUG, "WPS: R-Hash1", hash, SHA256_MAC_LEN);
   1441 
   1442 	wpa_printf(MSG_DEBUG, "WPS:  * R-Hash2");
   1443 	wpabuf_put_be16(msg, ATTR_R_HASH2);
   1444 	wpabuf_put_be16(msg, SHA256_MAC_LEN);
   1445 	hash = wpabuf_put(msg, SHA256_MAC_LEN);
   1446 	/* R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R) */
   1447 	addr[0] = wps->snonce + WPS_SECRET_NONCE_LEN;
   1448 	addr[1] = wps->psk2;
   1449 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
   1450 	wpa_hexdump(MSG_DEBUG, "WPS: R-Hash2", hash, SHA256_MAC_LEN);
   1451 
   1452 	return 0;
   1453 }
   1454 
   1455 
   1456 static int wps_build_r_snonce1(struct wps_data *wps, struct wpabuf *msg)
   1457 {
   1458 	wpa_printf(MSG_DEBUG, "WPS:  * R-SNonce1");
   1459 	wpabuf_put_be16(msg, ATTR_R_SNONCE1);
   1460 	wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
   1461 	wpabuf_put_data(msg, wps->snonce, WPS_SECRET_NONCE_LEN);
   1462 	return 0;
   1463 }
   1464 
   1465 
   1466 static int wps_build_r_snonce2(struct wps_data *wps, struct wpabuf *msg)
   1467 {
   1468 	wpa_printf(MSG_DEBUG, "WPS:  * R-SNonce2");
   1469 	wpabuf_put_be16(msg, ATTR_R_SNONCE2);
   1470 	wpabuf_put_be16(msg, WPS_SECRET_NONCE_LEN);
   1471 	wpabuf_put_data(msg, wps->snonce + WPS_SECRET_NONCE_LEN,
   1472 			WPS_SECRET_NONCE_LEN);
   1473 	return 0;
   1474 }
   1475 
   1476 
   1477 static int wps_build_cred_network_idx(struct wpabuf *msg,
   1478 				      const struct wps_credential *cred)
   1479 {
   1480 	wpa_printf(MSG_DEBUG, "WPS:  * Network Index (1)");
   1481 	wpabuf_put_be16(msg, ATTR_NETWORK_INDEX);
   1482 	wpabuf_put_be16(msg, 1);
   1483 	wpabuf_put_u8(msg, 1);
   1484 	return 0;
   1485 }
   1486 
   1487 
   1488 static int wps_build_cred_ssid(struct wpabuf *msg,
   1489 			       const struct wps_credential *cred)
   1490 {
   1491 	wpa_printf(MSG_DEBUG, "WPS:  * SSID");
   1492 	wpa_hexdump_ascii(MSG_DEBUG, "WPS: SSID for Credential",
   1493 			  cred->ssid, cred->ssid_len);
   1494 	wpabuf_put_be16(msg, ATTR_SSID);
   1495 	wpabuf_put_be16(msg, cred->ssid_len);
   1496 	wpabuf_put_data(msg, cred->ssid, cred->ssid_len);
   1497 	return 0;
   1498 }
   1499 
   1500 
   1501 static int wps_build_cred_auth_type(struct wpabuf *msg,
   1502 				    const struct wps_credential *cred)
   1503 {
   1504 	wpa_printf(MSG_DEBUG, "WPS:  * Authentication Type (0x%x)",
   1505 		   cred->auth_type);
   1506 	wpabuf_put_be16(msg, ATTR_AUTH_TYPE);
   1507 	wpabuf_put_be16(msg, 2);
   1508 	wpabuf_put_be16(msg, cred->auth_type);
   1509 	return 0;
   1510 }
   1511 
   1512 
   1513 static int wps_build_cred_encr_type(struct wpabuf *msg,
   1514 				    const struct wps_credential *cred)
   1515 {
   1516 	wpa_printf(MSG_DEBUG, "WPS:  * Encryption Type (0x%x)",
   1517 		   cred->encr_type);
   1518 	wpabuf_put_be16(msg, ATTR_ENCR_TYPE);
   1519 	wpabuf_put_be16(msg, 2);
   1520 	wpabuf_put_be16(msg, cred->encr_type);
   1521 	return 0;
   1522 }
   1523 
   1524 
   1525 static int wps_build_cred_network_key(struct wpabuf *msg,
   1526 				      const struct wps_credential *cred)
   1527 {
   1528 	wpa_printf(MSG_DEBUG, "WPS:  * Network Key (len=%d)",
   1529 		   (int) cred->key_len);
   1530 	wpa_hexdump_key(MSG_DEBUG, "WPS: Network Key",
   1531 			cred->key, cred->key_len);
   1532 	wpabuf_put_be16(msg, ATTR_NETWORK_KEY);
   1533 	wpabuf_put_be16(msg, cred->key_len);
   1534 	wpabuf_put_data(msg, cred->key, cred->key_len);
   1535 	return 0;
   1536 }
   1537 
   1538 
   1539 static int wps_build_credential(struct wpabuf *msg,
   1540 				const struct wps_credential *cred)
   1541 {
   1542 	if (wps_build_cred_network_idx(msg, cred) ||
   1543 	    wps_build_cred_ssid(msg, cred) ||
   1544 	    wps_build_cred_auth_type(msg, cred) ||
   1545 	    wps_build_cred_encr_type(msg, cred) ||
   1546 	    wps_build_cred_network_key(msg, cred) ||
   1547 	    wps_build_mac_addr(msg, cred->mac_addr))
   1548 		return -1;
   1549 	return 0;
   1550 }
   1551 
   1552 
   1553 int wps_build_credential_wrap(struct wpabuf *msg,
   1554 			      const struct wps_credential *cred)
   1555 {
   1556 	struct wpabuf *wbuf;
   1557 	wbuf = wpabuf_alloc(200);
   1558 	if (wbuf == NULL)
   1559 		return -1;
   1560 	if (wps_build_credential(wbuf, cred)) {
   1561 		wpabuf_free(wbuf);
   1562 		return -1;
   1563 	}
   1564 	wpabuf_put_be16(msg, ATTR_CRED);
   1565 	wpabuf_put_be16(msg, wpabuf_len(wbuf));
   1566 	wpabuf_put_buf(msg, wbuf);
   1567 	wpabuf_free(wbuf);
   1568 	return 0;
   1569 }
   1570 
   1571 
   1572 int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
   1573 {
   1574 	struct wpabuf *cred;
   1575 
   1576 	if (wps->wps->registrar->skip_cred_build)
   1577 		goto skip_cred_build;
   1578 
   1579 	wpa_printf(MSG_DEBUG, "WPS:  * Credential");
   1580 	if (wps->use_cred) {
   1581 		os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred));
   1582 		goto use_provided;
   1583 	}
   1584 	os_memset(&wps->cred, 0, sizeof(wps->cred));
   1585 
   1586 	os_memcpy(wps->cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
   1587 	wps->cred.ssid_len = wps->wps->ssid_len;
   1588 
   1589 	/* Select the best authentication and encryption type */
   1590 	if (wps->auth_type & WPS_AUTH_WPA2PSK)
   1591 		wps->auth_type = WPS_AUTH_WPA2PSK;
   1592 	else if (wps->auth_type & WPS_AUTH_WPAPSK)
   1593 		wps->auth_type = WPS_AUTH_WPAPSK;
   1594 	else if (wps->auth_type & WPS_AUTH_OPEN)
   1595 		wps->auth_type = WPS_AUTH_OPEN;
   1596 	else if (wps->auth_type & WPS_AUTH_SHARED)
   1597 		wps->auth_type = WPS_AUTH_SHARED;
   1598 	else {
   1599 		wpa_printf(MSG_DEBUG, "WPS: Unsupported auth_type 0x%x",
   1600 			   wps->auth_type);
   1601 		return -1;
   1602 	}
   1603 	wps->cred.auth_type = wps->auth_type;
   1604 
   1605 	if (wps->auth_type == WPS_AUTH_WPA2PSK ||
   1606 	    wps->auth_type == WPS_AUTH_WPAPSK) {
   1607 		if (wps->encr_type & WPS_ENCR_AES)
   1608 			wps->encr_type = WPS_ENCR_AES;
   1609 		else if (wps->encr_type & WPS_ENCR_TKIP)
   1610 			wps->encr_type = WPS_ENCR_TKIP;
   1611 		else {
   1612 			wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
   1613 				   "type for WPA/WPA2");
   1614 			return -1;
   1615 		}
   1616 	} else {
   1617 		if (wps->encr_type & WPS_ENCR_WEP)
   1618 			wps->encr_type = WPS_ENCR_WEP;
   1619 		else if (wps->encr_type & WPS_ENCR_NONE)
   1620 			wps->encr_type = WPS_ENCR_NONE;
   1621 		else {
   1622 			wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
   1623 				   "type for non-WPA/WPA2 mode");
   1624 			return -1;
   1625 		}
   1626 	}
   1627 	wps->cred.encr_type = wps->encr_type;
   1628 	/*
   1629 	 * Set MAC address in the Credential to be the Enrollee's MAC address
   1630 	 */
   1631 	os_memcpy(wps->cred.mac_addr, wps->mac_addr_e, ETH_ALEN);
   1632 
   1633 	if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->wps->ap &&
   1634 	    !wps->wps->registrar->disable_auto_conf) {
   1635 		u8 r[16];
   1636 		/* Generate a random passphrase */
   1637 		if (random_get_bytes(r, sizeof(r)) < 0)
   1638 			return -1;
   1639 		os_free(wps->new_psk);
   1640 		wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len);
   1641 		if (wps->new_psk == NULL)
   1642 			return -1;
   1643 		wps->new_psk_len--; /* remove newline */
   1644 		while (wps->new_psk_len &&
   1645 		       wps->new_psk[wps->new_psk_len - 1] == '=')
   1646 			wps->new_psk_len--;
   1647 		wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Generated passphrase",
   1648 				      wps->new_psk, wps->new_psk_len);
   1649 		os_memcpy(wps->cred.key, wps->new_psk, wps->new_psk_len);
   1650 		wps->cred.key_len = wps->new_psk_len;
   1651 	} else if (!wps->wps->registrar->force_per_enrollee_psk &&
   1652 		   wps->use_psk_key && wps->wps->psk_set) {
   1653 		char hex[65];
   1654 		wpa_printf(MSG_DEBUG, "WPS: Use PSK format for Network Key");
   1655 		wpa_snprintf_hex(hex, sizeof(hex), wps->wps->psk, 32);
   1656 		os_memcpy(wps->cred.key, hex, 32 * 2);
   1657 		wps->cred.key_len = 32 * 2;
   1658 	} else if (!wps->wps->registrar->force_per_enrollee_psk &&
   1659 		   wps->wps->network_key) {
   1660 		os_memcpy(wps->cred.key, wps->wps->network_key,
   1661 			  wps->wps->network_key_len);
   1662 		wps->cred.key_len = wps->wps->network_key_len;
   1663 	} else if (wps->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) {
   1664 		char hex[65];
   1665 		/* Generate a random per-device PSK */
   1666 		os_free(wps->new_psk);
   1667 		wps->new_psk_len = 32;
   1668 		wps->new_psk = os_malloc(wps->new_psk_len);
   1669 		if (wps->new_psk == NULL)
   1670 			return -1;
   1671 		if (random_get_bytes(wps->new_psk, wps->new_psk_len) < 0) {
   1672 			os_free(wps->new_psk);
   1673 			wps->new_psk = NULL;
   1674 			return -1;
   1675 		}
   1676 		wpa_hexdump_key(MSG_DEBUG, "WPS: Generated per-device PSK",
   1677 				wps->new_psk, wps->new_psk_len);
   1678 		wpa_snprintf_hex(hex, sizeof(hex), wps->new_psk,
   1679 				 wps->new_psk_len);
   1680 		os_memcpy(wps->cred.key, hex, wps->new_psk_len * 2);
   1681 		wps->cred.key_len = wps->new_psk_len * 2;
   1682 	}
   1683 
   1684 use_provided:
   1685 #ifdef CONFIG_WPS_TESTING
   1686 	if (wps_testing_dummy_cred)
   1687 		cred = wpabuf_alloc(200);
   1688 	else
   1689 		cred = NULL;
   1690 	if (cred) {
   1691 		struct wps_credential dummy;
   1692 		wpa_printf(MSG_DEBUG, "WPS: Add dummy credential");
   1693 		os_memset(&dummy, 0, sizeof(dummy));
   1694 		os_memcpy(dummy.ssid, "dummy", 5);
   1695 		dummy.ssid_len = 5;
   1696 		dummy.auth_type = WPS_AUTH_WPA2PSK;
   1697 		dummy.encr_type = WPS_ENCR_AES;
   1698 		os_memcpy(dummy.key, "dummy psk", 9);
   1699 		dummy.key_len = 9;
   1700 		os_memcpy(dummy.mac_addr, wps->mac_addr_e, ETH_ALEN);
   1701 		wps_build_credential(cred, &dummy);
   1702 		wpa_hexdump_buf(MSG_DEBUG, "WPS: Dummy Credential", cred);
   1703 
   1704 		wpabuf_put_be16(msg, ATTR_CRED);
   1705 		wpabuf_put_be16(msg, wpabuf_len(cred));
   1706 		wpabuf_put_buf(msg, cred);
   1707 
   1708 		wpabuf_free(cred);
   1709 	}
   1710 #endif /* CONFIG_WPS_TESTING */
   1711 
   1712 	cred = wpabuf_alloc(200);
   1713 	if (cred == NULL)
   1714 		return -1;
   1715 
   1716 	if (wps_build_credential(cred, &wps->cred)) {
   1717 		wpabuf_free(cred);
   1718 		return -1;
   1719 	}
   1720 
   1721 	wpabuf_put_be16(msg, ATTR_CRED);
   1722 	wpabuf_put_be16(msg, wpabuf_len(cred));
   1723 	wpabuf_put_buf(msg, cred);
   1724 	wpabuf_free(cred);
   1725 
   1726 skip_cred_build:
   1727 	if (wps->wps->registrar->extra_cred) {
   1728 		wpa_printf(MSG_DEBUG, "WPS:  * Credential (pre-configured)");
   1729 		wpabuf_put_buf(msg, wps->wps->registrar->extra_cred);
   1730 	}
   1731 
   1732 	return 0;
   1733 }
   1734 
   1735 
   1736 static int wps_build_ap_settings(struct wps_data *wps, struct wpabuf *msg)
   1737 {
   1738 	wpa_printf(MSG_DEBUG, "WPS:  * AP Settings");
   1739 
   1740 	if (wps_build_credential(msg, &wps->cred))
   1741 		return -1;
   1742 
   1743 	return 0;
   1744 }
   1745 
   1746 
   1747 static struct wpabuf * wps_build_ap_cred(struct wps_data *wps)
   1748 {
   1749 	struct wpabuf *msg, *plain;
   1750 
   1751 	msg = wpabuf_alloc(1000);
   1752 	if (msg == NULL)
   1753 		return NULL;
   1754 
   1755 	plain = wpabuf_alloc(200);
   1756 	if (plain == NULL) {
   1757 		wpabuf_free(msg);
   1758 		return NULL;
   1759 	}
   1760 
   1761 	if (wps_build_ap_settings(wps, plain)) {
   1762 		wpabuf_free(plain);
   1763 		wpabuf_free(msg);
   1764 		return NULL;
   1765 	}
   1766 
   1767 	wpabuf_put_be16(msg, ATTR_CRED);
   1768 	wpabuf_put_be16(msg, wpabuf_len(plain));
   1769 	wpabuf_put_buf(msg, plain);
   1770 	wpabuf_free(plain);
   1771 
   1772 	return msg;
   1773 }
   1774 
   1775 
   1776 static struct wpabuf * wps_build_m2(struct wps_data *wps)
   1777 {
   1778 	struct wpabuf *msg;
   1779 
   1780 	if (random_get_bytes(wps->nonce_r, WPS_NONCE_LEN) < 0)
   1781 		return NULL;
   1782 	wpa_hexdump(MSG_DEBUG, "WPS: Registrar Nonce",
   1783 		    wps->nonce_r, WPS_NONCE_LEN);
   1784 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-R", wps->uuid_r, WPS_UUID_LEN);
   1785 
   1786 	wpa_printf(MSG_DEBUG, "WPS: Building Message M2");
   1787 	msg = wpabuf_alloc(1000);
   1788 	if (msg == NULL)
   1789 		return NULL;
   1790 
   1791 	if (wps_build_version(msg) ||
   1792 	    wps_build_msg_type(msg, WPS_M2) ||
   1793 	    wps_build_enrollee_nonce(wps, msg) ||
   1794 	    wps_build_registrar_nonce(wps, msg) ||
   1795 	    wps_build_uuid_r(wps, msg) ||
   1796 	    wps_build_public_key(wps, msg) ||
   1797 	    wps_derive_keys(wps) ||
   1798 	    wps_build_auth_type_flags(wps, msg) ||
   1799 	    wps_build_encr_type_flags(wps, msg) ||
   1800 	    wps_build_conn_type_flags(wps, msg) ||
   1801 	    wps_build_config_methods_r(wps->wps->registrar, msg) ||
   1802 	    wps_build_device_attrs(&wps->wps->dev, msg) ||
   1803 	    wps_build_rf_bands(&wps->wps->dev, msg,
   1804 			       wps->wps->rf_band_cb(wps->wps->cb_ctx)) ||
   1805 	    wps_build_assoc_state(wps, msg) ||
   1806 	    wps_build_config_error(msg, WPS_CFG_NO_ERROR) ||
   1807 	    wps_build_dev_password_id(msg, wps->dev_pw_id) ||
   1808 	    wps_build_os_version(&wps->wps->dev, msg) ||
   1809 	    wps_build_wfa_ext(msg, 0, NULL, 0) ||
   1810 	    wps_build_authenticator(wps, msg)) {
   1811 		wpabuf_free(msg);
   1812 		return NULL;
   1813 	}
   1814 
   1815 	wps->int_reg = 1;
   1816 	wps->state = RECV_M3;
   1817 	return msg;
   1818 }
   1819 
   1820 
   1821 static struct wpabuf * wps_build_m2d(struct wps_data *wps)
   1822 {
   1823 	struct wpabuf *msg;
   1824 	u16 err = wps->config_error;
   1825 
   1826 	wpa_printf(MSG_DEBUG, "WPS: Building Message M2D");
   1827 	msg = wpabuf_alloc(1000);
   1828 	if (msg == NULL)
   1829 		return NULL;
   1830 
   1831 	if (wps->wps->ap && wps->wps->ap_setup_locked &&
   1832 	    err == WPS_CFG_NO_ERROR)
   1833 		err = WPS_CFG_SETUP_LOCKED;
   1834 
   1835 	if (wps_build_version(msg) ||
   1836 	    wps_build_msg_type(msg, WPS_M2D) ||
   1837 	    wps_build_enrollee_nonce(wps, msg) ||
   1838 	    wps_build_registrar_nonce(wps, msg) ||
   1839 	    wps_build_uuid_r(wps, msg) ||
   1840 	    wps_build_auth_type_flags(wps, msg) ||
   1841 	    wps_build_encr_type_flags(wps, msg) ||
   1842 	    wps_build_conn_type_flags(wps, msg) ||
   1843 	    wps_build_config_methods_r(wps->wps->registrar, msg) ||
   1844 	    wps_build_device_attrs(&wps->wps->dev, msg) ||
   1845 	    wps_build_rf_bands(&wps->wps->dev, msg,
   1846 			       wps->wps->rf_band_cb(wps->wps->cb_ctx)) ||
   1847 	    wps_build_assoc_state(wps, msg) ||
   1848 	    wps_build_config_error(msg, err) ||
   1849 	    wps_build_os_version(&wps->wps->dev, msg) ||
   1850 	    wps_build_wfa_ext(msg, 0, NULL, 0)) {
   1851 		wpabuf_free(msg);
   1852 		return NULL;
   1853 	}
   1854 
   1855 	wps->state = RECV_M2D_ACK;
   1856 	return msg;
   1857 }
   1858 
   1859 
   1860 static struct wpabuf * wps_build_m4(struct wps_data *wps)
   1861 {
   1862 	struct wpabuf *msg, *plain;
   1863 
   1864 	wpa_printf(MSG_DEBUG, "WPS: Building Message M4");
   1865 
   1866 	wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
   1867 
   1868 	plain = wpabuf_alloc(200);
   1869 	if (plain == NULL)
   1870 		return NULL;
   1871 
   1872 	msg = wpabuf_alloc(1000);
   1873 	if (msg == NULL) {
   1874 		wpabuf_free(plain);
   1875 		return NULL;
   1876 	}
   1877 
   1878 	if (wps_build_version(msg) ||
   1879 	    wps_build_msg_type(msg, WPS_M4) ||
   1880 	    wps_build_enrollee_nonce(wps, msg) ||
   1881 	    wps_build_r_hash(wps, msg) ||
   1882 	    wps_build_r_snonce1(wps, plain) ||
   1883 	    wps_build_key_wrap_auth(wps, plain) ||
   1884 	    wps_build_encr_settings(wps, msg, plain) ||
   1885 	    wps_build_wfa_ext(msg, 0, NULL, 0) ||
   1886 	    wps_build_authenticator(wps, msg)) {
   1887 		wpabuf_free(plain);
   1888 		wpabuf_free(msg);
   1889 		return NULL;
   1890 	}
   1891 	wpabuf_free(plain);
   1892 
   1893 	wps->state = RECV_M5;
   1894 	return msg;
   1895 }
   1896 
   1897 
   1898 static struct wpabuf * wps_build_m6(struct wps_data *wps)
   1899 {
   1900 	struct wpabuf *msg, *plain;
   1901 
   1902 	wpa_printf(MSG_DEBUG, "WPS: Building Message M6");
   1903 
   1904 	plain = wpabuf_alloc(200);
   1905 	if (plain == NULL)
   1906 		return NULL;
   1907 
   1908 	msg = wpabuf_alloc(1000);
   1909 	if (msg == NULL) {
   1910 		wpabuf_free(plain);
   1911 		return NULL;
   1912 	}
   1913 
   1914 	if (wps_build_version(msg) ||
   1915 	    wps_build_msg_type(msg, WPS_M6) ||
   1916 	    wps_build_enrollee_nonce(wps, msg) ||
   1917 	    wps_build_r_snonce2(wps, plain) ||
   1918 	    wps_build_key_wrap_auth(wps, plain) ||
   1919 	    wps_build_encr_settings(wps, msg, plain) ||
   1920 	    wps_build_wfa_ext(msg, 0, NULL, 0) ||
   1921 	    wps_build_authenticator(wps, msg)) {
   1922 		wpabuf_free(plain);
   1923 		wpabuf_free(msg);
   1924 		return NULL;
   1925 	}
   1926 	wpabuf_free(plain);
   1927 
   1928 	wps->wps_pin_revealed = 1;
   1929 	wps->state = RECV_M7;
   1930 	return msg;
   1931 }
   1932 
   1933 
   1934 static struct wpabuf * wps_build_m8(struct wps_data *wps)
   1935 {
   1936 	struct wpabuf *msg, *plain;
   1937 
   1938 	wpa_printf(MSG_DEBUG, "WPS: Building Message M8");
   1939 
   1940 	plain = wpabuf_alloc(500);
   1941 	if (plain == NULL)
   1942 		return NULL;
   1943 
   1944 	msg = wpabuf_alloc(1000);
   1945 	if (msg == NULL) {
   1946 		wpabuf_free(plain);
   1947 		return NULL;
   1948 	}
   1949 
   1950 	if (wps_build_version(msg) ||
   1951 	    wps_build_msg_type(msg, WPS_M8) ||
   1952 	    wps_build_enrollee_nonce(wps, msg) ||
   1953 	    ((wps->wps->ap || wps->er) && wps_build_cred(wps, plain)) ||
   1954 	    (!wps->wps->ap && !wps->er && wps_build_ap_settings(wps, plain)) ||
   1955 	    wps_build_key_wrap_auth(wps, plain) ||
   1956 	    wps_build_encr_settings(wps, msg, plain) ||
   1957 	    wps_build_wfa_ext(msg, 0, NULL, 0) ||
   1958 	    wps_build_authenticator(wps, msg)) {
   1959 		wpabuf_free(plain);
   1960 		wpabuf_free(msg);
   1961 		return NULL;
   1962 	}
   1963 	wpabuf_free(plain);
   1964 
   1965 	wps->state = RECV_DONE;
   1966 	return msg;
   1967 }
   1968 
   1969 
   1970 struct wpabuf * wps_registrar_get_msg(struct wps_data *wps,
   1971 				      enum wsc_op_code *op_code)
   1972 {
   1973 	struct wpabuf *msg;
   1974 
   1975 #ifdef CONFIG_WPS_UPNP
   1976 	if (!wps->int_reg && wps->wps->wps_upnp) {
   1977 		struct upnp_pending_message *p, *prev = NULL;
   1978 		if (wps->ext_reg > 1)
   1979 			wps_registrar_free_pending_m2(wps->wps);
   1980 		p = wps->wps->upnp_msgs;
   1981 		/* TODO: check pending message MAC address */
   1982 		while (p && p->next) {
   1983 			prev = p;
   1984 			p = p->next;
   1985 		}
   1986 		if (p) {
   1987 			wpa_printf(MSG_DEBUG, "WPS: Use pending message from "
   1988 				   "UPnP");
   1989 			if (prev)
   1990 				prev->next = NULL;
   1991 			else
   1992 				wps->wps->upnp_msgs = NULL;
   1993 			msg = p->msg;
   1994 			switch (p->type) {
   1995 			case WPS_WSC_ACK:
   1996 				*op_code = WSC_ACK;
   1997 				break;
   1998 			case WPS_WSC_NACK:
   1999 				*op_code = WSC_NACK;
   2000 				break;
   2001 			default:
   2002 				*op_code = WSC_MSG;
   2003 				break;
   2004 			}
   2005 			os_free(p);
   2006 			if (wps->ext_reg == 0)
   2007 				wps->ext_reg = 1;
   2008 			return msg;
   2009 		}
   2010 	}
   2011 	if (wps->ext_reg) {
   2012 		wpa_printf(MSG_DEBUG, "WPS: Using external Registrar, but no "
   2013 			   "pending message available");
   2014 		return NULL;
   2015 	}
   2016 #endif /* CONFIG_WPS_UPNP */
   2017 
   2018 	switch (wps->state) {
   2019 	case SEND_M2:
   2020 		if (wps_get_dev_password(wps) < 0)
   2021 			msg = wps_build_m2d(wps);
   2022 		else
   2023 			msg = wps_build_m2(wps);
   2024 		*op_code = WSC_MSG;
   2025 		break;
   2026 	case SEND_M2D:
   2027 		msg = wps_build_m2d(wps);
   2028 		*op_code = WSC_MSG;
   2029 		break;
   2030 	case SEND_M4:
   2031 		msg = wps_build_m4(wps);
   2032 		*op_code = WSC_MSG;
   2033 		break;
   2034 	case SEND_M6:
   2035 		msg = wps_build_m6(wps);
   2036 		*op_code = WSC_MSG;
   2037 		break;
   2038 	case SEND_M8:
   2039 		msg = wps_build_m8(wps);
   2040 		*op_code = WSC_MSG;
   2041 		break;
   2042 	case RECV_DONE:
   2043 		msg = wps_build_wsc_ack(wps);
   2044 		*op_code = WSC_ACK;
   2045 		break;
   2046 	case SEND_WSC_NACK:
   2047 		msg = wps_build_wsc_nack(wps);
   2048 		*op_code = WSC_NACK;
   2049 		break;
   2050 	default:
   2051 		wpa_printf(MSG_DEBUG, "WPS: Unsupported state %d for building "
   2052 			   "a message", wps->state);
   2053 		msg = NULL;
   2054 		break;
   2055 	}
   2056 
   2057 	if (*op_code == WSC_MSG && msg) {
   2058 		/* Save a copy of the last message for Authenticator derivation
   2059 		 */
   2060 		wpabuf_free(wps->last_msg);
   2061 		wps->last_msg = wpabuf_dup(msg);
   2062 	}
   2063 
   2064 	return msg;
   2065 }
   2066 
   2067 
   2068 static int wps_process_enrollee_nonce(struct wps_data *wps, const u8 *e_nonce)
   2069 {
   2070 	if (e_nonce == NULL) {
   2071 		wpa_printf(MSG_DEBUG, "WPS: No Enrollee Nonce received");
   2072 		return -1;
   2073 	}
   2074 
   2075 	os_memcpy(wps->nonce_e, e_nonce, WPS_NONCE_LEN);
   2076 	wpa_hexdump(MSG_DEBUG, "WPS: Enrollee Nonce",
   2077 		    wps->nonce_e, WPS_NONCE_LEN);
   2078 
   2079 	return 0;
   2080 }
   2081 
   2082 
   2083 static int wps_process_registrar_nonce(struct wps_data *wps, const u8 *r_nonce)
   2084 {
   2085 	if (r_nonce == NULL) {
   2086 		wpa_printf(MSG_DEBUG, "WPS: No Registrar Nonce received");
   2087 		return -1;
   2088 	}
   2089 
   2090 	if (os_memcmp(wps->nonce_r, r_nonce, WPS_NONCE_LEN) != 0) {
   2091 		wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce received");
   2092 		return -1;
   2093 	}
   2094 
   2095 	return 0;
   2096 }
   2097 
   2098 
   2099 static int wps_process_uuid_e(struct wps_data *wps, const u8 *uuid_e)
   2100 {
   2101 	if (uuid_e == NULL) {
   2102 		wpa_printf(MSG_DEBUG, "WPS: No UUID-E received");
   2103 		return -1;
   2104 	}
   2105 
   2106 	os_memcpy(wps->uuid_e, uuid_e, WPS_UUID_LEN);
   2107 	wpa_hexdump(MSG_DEBUG, "WPS: UUID-E", wps->uuid_e, WPS_UUID_LEN);
   2108 
   2109 	return 0;
   2110 }
   2111 
   2112 
   2113 static int wps_process_dev_password_id(struct wps_data *wps, const u8 *pw_id)
   2114 {
   2115 	if (pw_id == NULL) {
   2116 		wpa_printf(MSG_DEBUG, "WPS: No Device Password ID received");
   2117 		return -1;
   2118 	}
   2119 
   2120 	wps->dev_pw_id = WPA_GET_BE16(pw_id);
   2121 	wpa_printf(MSG_DEBUG, "WPS: Device Password ID %d", wps->dev_pw_id);
   2122 
   2123 	return 0;
   2124 }
   2125 
   2126 
   2127 static int wps_process_e_hash1(struct wps_data *wps, const u8 *e_hash1)
   2128 {
   2129 	if (e_hash1 == NULL) {
   2130 		wpa_printf(MSG_DEBUG, "WPS: No E-Hash1 received");
   2131 		return -1;
   2132 	}
   2133 
   2134 	os_memcpy(wps->peer_hash1, e_hash1, WPS_HASH_LEN);
   2135 	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash1", wps->peer_hash1, WPS_HASH_LEN);
   2136 
   2137 	return 0;
   2138 }
   2139 
   2140 
   2141 static int wps_process_e_hash2(struct wps_data *wps, const u8 *e_hash2)
   2142 {
   2143 	if (e_hash2 == NULL) {
   2144 		wpa_printf(MSG_DEBUG, "WPS: No E-Hash2 received");
   2145 		return -1;
   2146 	}
   2147 
   2148 	os_memcpy(wps->peer_hash2, e_hash2, WPS_HASH_LEN);
   2149 	wpa_hexdump(MSG_DEBUG, "WPS: E-Hash2", wps->peer_hash2, WPS_HASH_LEN);
   2150 
   2151 	return 0;
   2152 }
   2153 
   2154 
   2155 static int wps_process_e_snonce1(struct wps_data *wps, const u8 *e_snonce1)
   2156 {
   2157 	u8 hash[SHA256_MAC_LEN];
   2158 	const u8 *addr[4];
   2159 	size_t len[4];
   2160 
   2161 	if (e_snonce1 == NULL) {
   2162 		wpa_printf(MSG_DEBUG, "WPS: No E-SNonce1 received");
   2163 		return -1;
   2164 	}
   2165 
   2166 	wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce1", e_snonce1,
   2167 			WPS_SECRET_NONCE_LEN);
   2168 
   2169 	/* E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R) */
   2170 	addr[0] = e_snonce1;
   2171 	len[0] = WPS_SECRET_NONCE_LEN;
   2172 	addr[1] = wps->psk1;
   2173 	len[1] = WPS_PSK_LEN;
   2174 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
   2175 	len[2] = wpabuf_len(wps->dh_pubkey_e);
   2176 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
   2177 	len[3] = wpabuf_len(wps->dh_pubkey_r);
   2178 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
   2179 
   2180 	if (os_memcmp(wps->peer_hash1, hash, WPS_HASH_LEN) != 0) {
   2181 		wpa_printf(MSG_DEBUG, "WPS: E-Hash1 derived from E-S1 does "
   2182 			   "not match with the pre-committed value");
   2183 		wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
   2184 		wps_pwd_auth_fail_event(wps->wps, 0, 1, wps->mac_addr_e);
   2185 		return -1;
   2186 	}
   2187 
   2188 	wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the first "
   2189 		   "half of the device password");
   2190 
   2191 	return 0;
   2192 }
   2193 
   2194 
   2195 static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
   2196 {
   2197 	u8 hash[SHA256_MAC_LEN];
   2198 	const u8 *addr[4];
   2199 	size_t len[4];
   2200 
   2201 	if (e_snonce2 == NULL) {
   2202 		wpa_printf(MSG_DEBUG, "WPS: No E-SNonce2 received");
   2203 		return -1;
   2204 	}
   2205 
   2206 	wpa_hexdump_key(MSG_DEBUG, "WPS: E-SNonce2", e_snonce2,
   2207 			WPS_SECRET_NONCE_LEN);
   2208 
   2209 	/* E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R) */
   2210 	addr[0] = e_snonce2;
   2211 	len[0] = WPS_SECRET_NONCE_LEN;
   2212 	addr[1] = wps->psk2;
   2213 	len[1] = WPS_PSK_LEN;
   2214 	addr[2] = wpabuf_head(wps->dh_pubkey_e);
   2215 	len[2] = wpabuf_len(wps->dh_pubkey_e);
   2216 	addr[3] = wpabuf_head(wps->dh_pubkey_r);
   2217 	len[3] = wpabuf_len(wps->dh_pubkey_r);
   2218 	hmac_sha256_vector(wps->authkey, WPS_AUTHKEY_LEN, 4, addr, len, hash);
   2219 
   2220 	if (os_memcmp(wps->peer_hash2, hash, WPS_HASH_LEN) != 0) {
   2221 		wpa_printf(MSG_DEBUG, "WPS: E-Hash2 derived from E-S2 does "
   2222 			   "not match with the pre-committed value");
   2223 		wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e);
   2224 		wps->config_error = WPS_CFG_DEV_PASSWORD_AUTH_FAILURE;
   2225 		wps_pwd_auth_fail_event(wps->wps, 0, 2, wps->mac_addr_e);
   2226 		return -1;
   2227 	}
   2228 
   2229 	wpa_printf(MSG_DEBUG, "WPS: Enrollee proved knowledge of the second "
   2230 		   "half of the device password");
   2231 	wps->wps_pin_revealed = 0;
   2232 	wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e);
   2233 
   2234 	/*
   2235 	 * In case wildcard PIN is used and WPS handshake succeeds in the first
   2236 	 * attempt, wps_registrar_unlock_pin() would not free the PIN, so make
   2237 	 * sure the PIN gets invalidated here.
   2238 	 */
   2239 	wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e);
   2240 
   2241 	return 0;
   2242 }
   2243 
   2244 
   2245 static int wps_process_mac_addr(struct wps_data *wps, const u8 *mac_addr)
   2246 {
   2247 	if (mac_addr == NULL) {
   2248 		wpa_printf(MSG_DEBUG, "WPS: No MAC Address received");
   2249 		return -1;
   2250 	}
   2251 
   2252 	wpa_printf(MSG_DEBUG, "WPS: Enrollee MAC Address " MACSTR,
   2253 		   MAC2STR(mac_addr));
   2254 	os_memcpy(wps->mac_addr_e, mac_addr, ETH_ALEN);
   2255 	os_memcpy(wps->peer_dev.mac_addr, mac_addr, ETH_ALEN);
   2256 
   2257 	return 0;
   2258 }
   2259 
   2260 
   2261 static int wps_process_pubkey(struct wps_data *wps, const u8 *pk,
   2262 			      size_t pk_len)
   2263 {
   2264 	if (pk == NULL || pk_len == 0) {
   2265 		wpa_printf(MSG_DEBUG, "WPS: No Public Key received");
   2266 		return -1;
   2267 	}
   2268 
   2269 	wpabuf_free(wps->dh_pubkey_e);
   2270 	wps->dh_pubkey_e = wpabuf_alloc_copy(pk, pk_len);
   2271 	if (wps->dh_pubkey_e == NULL)
   2272 		return -1;
   2273 
   2274 	return 0;
   2275 }
   2276 
   2277 
   2278 static int wps_process_auth_type_flags(struct wps_data *wps, const u8 *auth)
   2279 {
   2280 	u16 auth_types;
   2281 
   2282 	if (auth == NULL) {
   2283 		wpa_printf(MSG_DEBUG, "WPS: No Authentication Type flags "
   2284 			   "received");
   2285 		return -1;
   2286 	}
   2287 
   2288 	auth_types = WPA_GET_BE16(auth);
   2289 
   2290 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
   2291 		   auth_types);
   2292 	wps->auth_type = wps->wps->auth_types & auth_types;
   2293 	if (wps->auth_type == 0) {
   2294 		wpa_printf(MSG_DEBUG, "WPS: No match in supported "
   2295 			   "authentication types (own 0x%x Enrollee 0x%x)",
   2296 			   wps->wps->auth_types, auth_types);
   2297 #ifdef WPS_WORKAROUNDS
   2298 		/*
   2299 		 * Some deployed implementations seem to advertise incorrect
   2300 		 * information in this attribute. For example, Linksys WRT350N
   2301 		 * seems to have a byteorder bug that breaks this negotiation.
   2302 		 * In order to interoperate with existing implementations,
   2303 		 * assume that the Enrollee supports everything we do.
   2304 		 */
   2305 		wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee "
   2306 			   "does not advertise supported authentication types "
   2307 			   "correctly");
   2308 		wps->auth_type = wps->wps->auth_types;
   2309 #else /* WPS_WORKAROUNDS */
   2310 		return -1;
   2311 #endif /* WPS_WORKAROUNDS */
   2312 	}
   2313 
   2314 	return 0;
   2315 }
   2316 
   2317 
   2318 static int wps_process_encr_type_flags(struct wps_data *wps, const u8 *encr)
   2319 {
   2320 	u16 encr_types;
   2321 
   2322 	if (encr == NULL) {
   2323 		wpa_printf(MSG_DEBUG, "WPS: No Encryption Type flags "
   2324 			   "received");
   2325 		return -1;
   2326 	}
   2327 
   2328 	encr_types = WPA_GET_BE16(encr);
   2329 
   2330 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Encryption Type flags 0x%x",
   2331 		   encr_types);
   2332 	wps->encr_type = wps->wps->encr_types & encr_types;
   2333 	if (wps->encr_type == 0) {
   2334 		wpa_printf(MSG_DEBUG, "WPS: No match in supported "
   2335 			   "encryption types (own 0x%x Enrollee 0x%x)",
   2336 			   wps->wps->encr_types, encr_types);
   2337 #ifdef WPS_WORKAROUNDS
   2338 		/*
   2339 		 * Some deployed implementations seem to advertise incorrect
   2340 		 * information in this attribute. For example, Linksys WRT350N
   2341 		 * seems to have a byteorder bug that breaks this negotiation.
   2342 		 * In order to interoperate with existing implementations,
   2343 		 * assume that the Enrollee supports everything we do.
   2344 		 */
   2345 		wpa_printf(MSG_DEBUG, "WPS: Workaround - assume Enrollee "
   2346 			   "does not advertise supported encryption types "
   2347 			   "correctly");
   2348 		wps->encr_type = wps->wps->encr_types;
   2349 #else /* WPS_WORKAROUNDS */
   2350 		return -1;
   2351 #endif /* WPS_WORKAROUNDS */
   2352 	}
   2353 
   2354 	return 0;
   2355 }
   2356 
   2357 
   2358 static int wps_process_conn_type_flags(struct wps_data *wps, const u8 *conn)
   2359 {
   2360 	if (conn == NULL) {
   2361 		wpa_printf(MSG_DEBUG, "WPS: No Connection Type flags "
   2362 			   "received");
   2363 		return -1;
   2364 	}
   2365 
   2366 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Connection Type flags 0x%x",
   2367 		   *conn);
   2368 
   2369 	return 0;
   2370 }
   2371 
   2372 
   2373 static int wps_process_config_methods(struct wps_data *wps, const u8 *methods)
   2374 {
   2375 	u16 m;
   2376 
   2377 	if (methods == NULL) {
   2378 		wpa_printf(MSG_DEBUG, "WPS: No Config Methods received");
   2379 		return -1;
   2380 	}
   2381 
   2382 	m = WPA_GET_BE16(methods);
   2383 
   2384 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Config Methods 0x%x"
   2385 		   "%s%s%s%s%s%s%s%s%s", m,
   2386 		   m & WPS_CONFIG_USBA ? " [USBA]" : "",
   2387 		   m & WPS_CONFIG_ETHERNET ? " [Ethernet]" : "",
   2388 		   m & WPS_CONFIG_LABEL ? " [Label]" : "",
   2389 		   m & WPS_CONFIG_DISPLAY ? " [Display]" : "",
   2390 		   m & WPS_CONFIG_EXT_NFC_TOKEN ? " [Ext NFC Token]" : "",
   2391 		   m & WPS_CONFIG_INT_NFC_TOKEN ? " [Int NFC Token]" : "",
   2392 		   m & WPS_CONFIG_NFC_INTERFACE ? " [NFC]" : "",
   2393 		   m & WPS_CONFIG_PUSHBUTTON ? " [PBC]" : "",
   2394 		   m & WPS_CONFIG_KEYPAD ? " [Keypad]" : "");
   2395 
   2396 	if (!(m & WPS_CONFIG_DISPLAY) && !wps->use_psk_key) {
   2397 		/*
   2398 		 * The Enrollee does not have a display so it is unlikely to be
   2399 		 * able to show the passphrase to a user and as such, could
   2400 		 * benefit from receiving PSK to reduce key derivation time.
   2401 		 */
   2402 		wpa_printf(MSG_DEBUG, "WPS: Prefer PSK format key due to "
   2403 			   "Enrollee not supporting display");
   2404 		wps->use_psk_key = 1;
   2405 	}
   2406 
   2407 	return 0;
   2408 }
   2409 
   2410 
   2411 static int wps_process_wps_state(struct wps_data *wps, const u8 *state)
   2412 {
   2413 	if (state == NULL) {
   2414 		wpa_printf(MSG_DEBUG, "WPS: No Wi-Fi Protected Setup State "
   2415 			   "received");
   2416 		return -1;
   2417 	}
   2418 
   2419 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Wi-Fi Protected Setup State %d",
   2420 		   *state);
   2421 
   2422 	return 0;
   2423 }
   2424 
   2425 
   2426 static int wps_process_assoc_state(struct wps_data *wps, const u8 *assoc)
   2427 {
   2428 	u16 a;
   2429 
   2430 	if (assoc == NULL) {
   2431 		wpa_printf(MSG_DEBUG, "WPS: No Association State received");
   2432 		return -1;
   2433 	}
   2434 
   2435 	a = WPA_GET_BE16(assoc);
   2436 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Association State %d", a);
   2437 
   2438 	return 0;
   2439 }
   2440 
   2441 
   2442 static int wps_process_config_error(struct wps_data *wps, const u8 *err)
   2443 {
   2444 	u16 e;
   2445 
   2446 	if (err == NULL) {
   2447 		wpa_printf(MSG_DEBUG, "WPS: No Configuration Error received");
   2448 		return -1;
   2449 	}
   2450 
   2451 	e = WPA_GET_BE16(err);
   2452 	wpa_printf(MSG_DEBUG, "WPS: Enrollee Configuration Error %d", e);
   2453 
   2454 	return 0;
   2455 }
   2456 
   2457 
   2458 static int wps_registrar_p2p_dev_addr_match(struct wps_data *wps)
   2459 {
   2460 #ifdef CONFIG_P2P
   2461 	struct wps_registrar *reg = wps->wps->registrar;
   2462 
   2463 	if (is_zero_ether_addr(reg->p2p_dev_addr))
   2464 		return 1; /* no filtering in use */
   2465 
   2466 	if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) != 0) {
   2467 		wpa_printf(MSG_DEBUG, "WPS: No match on P2P Device Address "
   2468 			   "filtering for PBC: expected " MACSTR " was "
   2469 			   MACSTR " - indicate PBC session overlap",
   2470 			   MAC2STR(reg->p2p_dev_addr),
   2471 			   MAC2STR(wps->p2p_dev_addr));
   2472 		return 0;
   2473 	}
   2474 #endif /* CONFIG_P2P */
   2475 	return 1;
   2476 }
   2477 
   2478 
   2479 static int wps_registrar_skip_overlap(struct wps_data *wps)
   2480 {
   2481 #ifdef CONFIG_P2P
   2482 	struct wps_registrar *reg = wps->wps->registrar;
   2483 
   2484 	if (is_zero_ether_addr(reg->p2p_dev_addr))
   2485 		return 0; /* no specific Enrollee selected */
   2486 
   2487 	if (os_memcmp(reg->p2p_dev_addr, wps->p2p_dev_addr, ETH_ALEN) == 0) {
   2488 		wpa_printf(MSG_DEBUG, "WPS: Skip PBC overlap due to selected "
   2489 			   "Enrollee match");
   2490 		return 1;
   2491 	}
   2492 #endif /* CONFIG_P2P */
   2493 	return 0;
   2494 }
   2495 
   2496 
   2497 static enum wps_process_res wps_process_m1(struct wps_data *wps,
   2498 					   struct wps_parse_attr *attr)
   2499 {
   2500 	wpa_printf(MSG_DEBUG, "WPS: Received M1");
   2501 
   2502 	if (wps->state != RECV_M1) {
   2503 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
   2504 			   "receiving M1", wps->state);
   2505 		return WPS_FAILURE;
   2506 	}
   2507 
   2508 	if (wps_process_uuid_e(wps, attr->uuid_e) ||
   2509 	    wps_process_mac_addr(wps, attr->mac_addr) ||
   2510 	    wps_process_enrollee_nonce(wps, attr->enrollee_nonce) ||
   2511 	    wps_process_pubkey(wps, attr->public_key, attr->public_key_len) ||
   2512 	    wps_process_auth_type_flags(wps, attr->auth_type_flags) ||
   2513 	    wps_process_encr_type_flags(wps, attr->encr_type_flags) ||
   2514 	    wps_process_conn_type_flags(wps, attr->conn_type_flags) ||
   2515 	    wps_process_config_methods(wps, attr->config_methods) ||
   2516 	    wps_process_wps_state(wps, attr->wps_state) ||
   2517 	    wps_process_device_attrs(&wps->peer_dev, attr) ||
   2518 	    wps_process_rf_bands(&wps->peer_dev, attr->rf_bands) ||
   2519 	    wps_process_assoc_state(wps, attr->assoc_state) ||
   2520 	    wps_process_dev_password_id(wps, attr->dev_password_id) ||
   2521 	    wps_process_config_error(wps, attr->config_error) ||
   2522 	    wps_process_os_version(&wps->peer_dev, attr->os_version))
   2523 		return WPS_FAILURE;
   2524 
   2525 	if (wps->dev_pw_id < 0x10 &&
   2526 	    wps->dev_pw_id != DEV_PW_DEFAULT &&
   2527 	    wps->dev_pw_id != DEV_PW_USER_SPECIFIED &&
   2528 	    wps->dev_pw_id != DEV_PW_MACHINE_SPECIFIED &&
   2529 	    wps->dev_pw_id != DEV_PW_REGISTRAR_SPECIFIED &&
   2530 	    (wps->dev_pw_id != DEV_PW_PUSHBUTTON ||
   2531 	     !wps->wps->registrar->pbc)) {
   2532 		wpa_printf(MSG_DEBUG, "WPS: Unsupported Device Password ID %d",
   2533 			   wps->dev_pw_id);
   2534 		wps->state = SEND_M2D;
   2535 		return WPS_CONTINUE;
   2536 	}
   2537 
   2538 #ifdef CONFIG_WPS_NFC
   2539 	if (wps->dev_pw_id >= 0x10) {
   2540 		struct wps_nfc_pw_token *token;
   2541 		const u8 *addr[1];
   2542 		u8 hash[WPS_HASH_LEN];
   2543 
   2544 		token = wps_get_nfc_pw_token(
   2545 			&wps->wps->registrar->nfc_pw_tokens, wps->dev_pw_id);
   2546 		if (token) {
   2547 			wpa_printf(MSG_DEBUG, "WPS: Found matching NFC "
   2548 				   "Password Token");
   2549 			dl_list_del(&token->list);
   2550 			wps->nfc_pw_token = token;
   2551 
   2552 			addr[0] = attr->public_key;
   2553 			sha256_vector(1, addr, &attr->public_key_len, hash);
   2554 			if (os_memcmp(hash, wps->nfc_pw_token->pubkey_hash,
   2555 				      WPS_OOB_PUBKEY_HASH_LEN) != 0) {
   2556 				wpa_printf(MSG_ERROR, "WPS: Public Key hash "
   2557 					   "mismatch");
   2558 				return WPS_FAILURE;
   2559 			}
   2560 		}
   2561 	}
   2562 #endif /* CONFIG_WPS_NFC */
   2563 
   2564 	if (wps->dev_pw_id == DEV_PW_PUSHBUTTON) {
   2565 		if ((wps->wps->registrar->force_pbc_overlap ||
   2566 		     wps_registrar_pbc_overlap(wps->wps->registrar,
   2567 					       wps->mac_addr_e, wps->uuid_e) ||
   2568 		     !wps_registrar_p2p_dev_addr_match(wps)) &&
   2569 		    !wps_registrar_skip_overlap(wps)) {
   2570 			wpa_printf(MSG_DEBUG, "WPS: PBC overlap - deny PBC "
   2571 				   "negotiation");
   2572 			wps->state = SEND_M2D;
   2573 			wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
   2574 			wps_pbc_overlap_event(wps->wps);
   2575 			wps_fail_event(wps->wps, WPS_M1,
   2576 				       WPS_CFG_MULTIPLE_PBC_DETECTED,
   2577 				       WPS_EI_NO_ERROR, wps->mac_addr_e);
   2578 			wps->wps->registrar->force_pbc_overlap = 1;
   2579 			return WPS_CONTINUE;
   2580 		}
   2581 		wps_registrar_add_pbc_session(wps->wps->registrar,
   2582 					      wps->mac_addr_e, wps->uuid_e);
   2583 		wps->pbc = 1;
   2584 	}
   2585 
   2586 #ifdef WPS_WORKAROUNDS
   2587 	/*
   2588 	 * It looks like Mac OS X 10.6.3 and 10.6.4 do not like Network Key in
   2589 	 * passphrase format. To avoid interop issues, force PSK format to be
   2590 	 * used.
   2591 	 */
   2592 	if (!wps->use_psk_key &&
   2593 	    wps->peer_dev.manufacturer &&
   2594 	    os_strncmp(wps->peer_dev.manufacturer, "Apple ", 6) == 0 &&
   2595 	    wps->peer_dev.model_name &&
   2596 	    os_strcmp(wps->peer_dev.model_name, "AirPort") == 0) {
   2597 		wpa_printf(MSG_DEBUG, "WPS: Workaround - Force Network Key in "
   2598 			   "PSK format");
   2599 		wps->use_psk_key = 1;
   2600 	}
   2601 #endif /* WPS_WORKAROUNDS */
   2602 
   2603 	wps->state = SEND_M2;
   2604 	return WPS_CONTINUE;
   2605 }
   2606 
   2607 
   2608 static enum wps_process_res wps_process_m3(struct wps_data *wps,
   2609 					   const struct wpabuf *msg,
   2610 					   struct wps_parse_attr *attr)
   2611 {
   2612 	wpa_printf(MSG_DEBUG, "WPS: Received M3");
   2613 
   2614 	if (wps->state != RECV_M3) {
   2615 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
   2616 			   "receiving M3", wps->state);
   2617 		wps->state = SEND_WSC_NACK;
   2618 		return WPS_CONTINUE;
   2619 	}
   2620 
   2621 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
   2622 	    !wps_registrar_skip_overlap(wps)) {
   2623 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
   2624 			   "session overlap");
   2625 		wps->state = SEND_WSC_NACK;
   2626 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
   2627 		return WPS_CONTINUE;
   2628 	}
   2629 
   2630 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
   2631 	    wps_process_authenticator(wps, attr->authenticator, msg) ||
   2632 	    wps_process_e_hash1(wps, attr->e_hash1) ||
   2633 	    wps_process_e_hash2(wps, attr->e_hash2)) {
   2634 		wps->state = SEND_WSC_NACK;
   2635 		return WPS_CONTINUE;
   2636 	}
   2637 
   2638 	wps->state = SEND_M4;
   2639 	return WPS_CONTINUE;
   2640 }
   2641 
   2642 
   2643 static enum wps_process_res wps_process_m5(struct wps_data *wps,
   2644 					   const struct wpabuf *msg,
   2645 					   struct wps_parse_attr *attr)
   2646 {
   2647 	struct wpabuf *decrypted;
   2648 	struct wps_parse_attr eattr;
   2649 
   2650 	wpa_printf(MSG_DEBUG, "WPS: Received M5");
   2651 
   2652 	if (wps->state != RECV_M5) {
   2653 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
   2654 			   "receiving M5", wps->state);
   2655 		wps->state = SEND_WSC_NACK;
   2656 		return WPS_CONTINUE;
   2657 	}
   2658 
   2659 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
   2660 	    !wps_registrar_skip_overlap(wps)) {
   2661 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
   2662 			   "session overlap");
   2663 		wps->state = SEND_WSC_NACK;
   2664 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
   2665 		return WPS_CONTINUE;
   2666 	}
   2667 
   2668 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
   2669 	    wps_process_authenticator(wps, attr->authenticator, msg)) {
   2670 		wps->state = SEND_WSC_NACK;
   2671 		return WPS_CONTINUE;
   2672 	}
   2673 
   2674 	decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
   2675 					      attr->encr_settings_len);
   2676 	if (decrypted == NULL) {
   2677 		wpa_printf(MSG_DEBUG, "WPS: Failed to decrypted Encrypted "
   2678 			   "Settings attribute");
   2679 		wps->state = SEND_WSC_NACK;
   2680 		return WPS_CONTINUE;
   2681 	}
   2682 
   2683 	if (wps_validate_m5_encr(decrypted, attr->version2 != NULL) < 0) {
   2684 		wpabuf_free(decrypted);
   2685 		wps->state = SEND_WSC_NACK;
   2686 		return WPS_CONTINUE;
   2687 	}
   2688 
   2689 	wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
   2690 		   "attribute");
   2691 	if (wps_parse_msg(decrypted, &eattr) < 0 ||
   2692 	    wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
   2693 	    wps_process_e_snonce1(wps, eattr.e_snonce1)) {
   2694 		wpabuf_free(decrypted);
   2695 		wps->state = SEND_WSC_NACK;
   2696 		return WPS_CONTINUE;
   2697 	}
   2698 	wpabuf_free(decrypted);
   2699 
   2700 	wps->state = SEND_M6;
   2701 	return WPS_CONTINUE;
   2702 }
   2703 
   2704 
   2705 static void wps_sta_cred_cb(struct wps_data *wps)
   2706 {
   2707 	/*
   2708 	 * Update credential to only include a single authentication and
   2709 	 * encryption type in case the AP configuration includes more than one
   2710 	 * option.
   2711 	 */
   2712 	if (wps->cred.auth_type & WPS_AUTH_WPA2PSK)
   2713 		wps->cred.auth_type = WPS_AUTH_WPA2PSK;
   2714 	else if (wps->cred.auth_type & WPS_AUTH_WPAPSK)
   2715 		wps->cred.auth_type = WPS_AUTH_WPAPSK;
   2716 	if (wps->cred.encr_type & WPS_ENCR_AES)
   2717 		wps->cred.encr_type = WPS_ENCR_AES;
   2718 	else if (wps->cred.encr_type & WPS_ENCR_TKIP)
   2719 		wps->cred.encr_type = WPS_ENCR_TKIP;
   2720 	wpa_printf(MSG_DEBUG, "WPS: Update local configuration based on the "
   2721 		   "AP configuration");
   2722 	if (wps->wps->cred_cb)
   2723 		wps->wps->cred_cb(wps->wps->cb_ctx, &wps->cred);
   2724 }
   2725 
   2726 
   2727 static void wps_cred_update(struct wps_credential *dst,
   2728 			    struct wps_credential *src)
   2729 {
   2730 	os_memcpy(dst->ssid, src->ssid, sizeof(dst->ssid));
   2731 	dst->ssid_len = src->ssid_len;
   2732 	dst->auth_type = src->auth_type;
   2733 	dst->encr_type = src->encr_type;
   2734 	dst->key_idx = src->key_idx;
   2735 	os_memcpy(dst->key, src->key, sizeof(dst->key));
   2736 	dst->key_len = src->key_len;
   2737 }
   2738 
   2739 
   2740 static int wps_process_ap_settings_r(struct wps_data *wps,
   2741 				     struct wps_parse_attr *attr)
   2742 {
   2743 	struct wpabuf *msg;
   2744 
   2745 	if (wps->wps->ap || wps->er)
   2746 		return 0;
   2747 
   2748 	/* AP Settings Attributes in M7 when Enrollee is an AP */
   2749 	if (wps_process_ap_settings(attr, &wps->cred) < 0)
   2750 		return -1;
   2751 
   2752 	wpa_printf(MSG_INFO, "WPS: Received old AP configuration from AP");
   2753 
   2754 	if (wps->new_ap_settings) {
   2755 		wpa_printf(MSG_INFO, "WPS: Update AP configuration based on "
   2756 			   "new settings");
   2757 		wps_cred_update(&wps->cred, wps->new_ap_settings);
   2758 		return 0;
   2759 	} else {
   2760 		/*
   2761 		 * Use the AP PIN only to receive the current AP settings, not
   2762 		 * to reconfigure the AP.
   2763 		 */
   2764 
   2765 		/*
   2766 		 * Clear selected registrar here since we do not get to
   2767 		 * WSC_Done in this protocol run.
   2768 		 */
   2769 		wps_registrar_pin_completed(wps->wps->registrar);
   2770 
   2771 		msg = wps_build_ap_cred(wps);
   2772 		if (msg == NULL)
   2773 			return -1;
   2774 		wps->cred.cred_attr = wpabuf_head(msg);
   2775 		wps->cred.cred_attr_len = wpabuf_len(msg);
   2776 
   2777 		if (wps->ap_settings_cb) {
   2778 			wps->ap_settings_cb(wps->ap_settings_cb_ctx,
   2779 					    &wps->cred);
   2780 			wpabuf_free(msg);
   2781 			return 1;
   2782 		}
   2783 		wps_sta_cred_cb(wps);
   2784 
   2785 		wps->cred.cred_attr = NULL;
   2786 		wps->cred.cred_attr_len = 0;
   2787 		wpabuf_free(msg);
   2788 
   2789 		return 1;
   2790 	}
   2791 }
   2792 
   2793 
   2794 static enum wps_process_res wps_process_m7(struct wps_data *wps,
   2795 					   const struct wpabuf *msg,
   2796 					   struct wps_parse_attr *attr)
   2797 {
   2798 	struct wpabuf *decrypted;
   2799 	struct wps_parse_attr eattr;
   2800 
   2801 	wpa_printf(MSG_DEBUG, "WPS: Received M7");
   2802 
   2803 	if (wps->state != RECV_M7) {
   2804 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
   2805 			   "receiving M7", wps->state);
   2806 		wps->state = SEND_WSC_NACK;
   2807 		return WPS_CONTINUE;
   2808 	}
   2809 
   2810 	if (wps->pbc && wps->wps->registrar->force_pbc_overlap &&
   2811 	    !wps_registrar_skip_overlap(wps)) {
   2812 		wpa_printf(MSG_DEBUG, "WPS: Reject negotiation due to PBC "
   2813 			   "session overlap");
   2814 		wps->state = SEND_WSC_NACK;
   2815 		wps->config_error = WPS_CFG_MULTIPLE_PBC_DETECTED;
   2816 		return WPS_CONTINUE;
   2817 	}
   2818 
   2819 	if (wps_process_registrar_nonce(wps, attr->registrar_nonce) ||
   2820 	    wps_process_authenticator(wps, attr->authenticator, msg)) {
   2821 		wps->state = SEND_WSC_NACK;
   2822 		return WPS_CONTINUE;
   2823 	}
   2824 
   2825 	decrypted = wps_decrypt_encr_settings(wps, attr->encr_settings,
   2826 					      attr->encr_settings_len);
   2827 	if (decrypted == NULL) {
   2828 		wpa_printf(MSG_DEBUG, "WPS: Failed to decrypt Encrypted "
   2829 			   "Settings attribute");
   2830 		wps->state = SEND_WSC_NACK;
   2831 		return WPS_CONTINUE;
   2832 	}
   2833 
   2834 	if (wps_validate_m7_encr(decrypted, wps->wps->ap || wps->er,
   2835 				 attr->version2 != NULL) < 0) {
   2836 		wpabuf_free(decrypted);
   2837 		wps->state = SEND_WSC_NACK;
   2838 		return WPS_CONTINUE;
   2839 	}
   2840 
   2841 	wpa_printf(MSG_DEBUG, "WPS: Processing decrypted Encrypted Settings "
   2842 		   "attribute");
   2843 	if (wps_parse_msg(decrypted, &eattr) < 0 ||
   2844 	    wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
   2845 	    wps_process_e_snonce2(wps, eattr.e_snonce2) ||
   2846 	    wps_process_ap_settings_r(wps, &eattr)) {
   2847 		wpabuf_free(decrypted);
   2848 		wps->state = SEND_WSC_NACK;
   2849 		return WPS_CONTINUE;
   2850 	}
   2851 
   2852 	wpabuf_free(decrypted);
   2853 
   2854 	wps->state = SEND_M8;
   2855 	return WPS_CONTINUE;
   2856 }
   2857 
   2858 
   2859 static enum wps_process_res wps_process_wsc_msg(struct wps_data *wps,
   2860 						const struct wpabuf *msg)
   2861 {
   2862 	struct wps_parse_attr attr;
   2863 	enum wps_process_res ret = WPS_CONTINUE;
   2864 
   2865 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_MSG");
   2866 
   2867 	if (wps_parse_msg(msg, &attr) < 0)
   2868 		return WPS_FAILURE;
   2869 
   2870 	if (attr.msg_type == NULL) {
   2871 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
   2872 		wps->state = SEND_WSC_NACK;
   2873 		return WPS_CONTINUE;
   2874 	}
   2875 
   2876 	if (*attr.msg_type != WPS_M1 &&
   2877 	    (attr.registrar_nonce == NULL ||
   2878 	     os_memcmp(wps->nonce_r, attr.registrar_nonce,
   2879 		       WPS_NONCE_LEN) != 0)) {
   2880 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
   2881 		return WPS_FAILURE;
   2882 	}
   2883 
   2884 	switch (*attr.msg_type) {
   2885 	case WPS_M1:
   2886 		if (wps_validate_m1(msg) < 0)
   2887 			return WPS_FAILURE;
   2888 #ifdef CONFIG_WPS_UPNP
   2889 		if (wps->wps->wps_upnp && attr.mac_addr) {
   2890 			/* Remove old pending messages when starting new run */
   2891 			wps_free_pending_msgs(wps->wps->upnp_msgs);
   2892 			wps->wps->upnp_msgs = NULL;
   2893 
   2894 			upnp_wps_device_send_wlan_event(
   2895 				wps->wps->wps_upnp, attr.mac_addr,
   2896 				UPNP_WPS_WLANEVENT_TYPE_EAP, msg);
   2897 		}
   2898 #endif /* CONFIG_WPS_UPNP */
   2899 		ret = wps_process_m1(wps, &attr);
   2900 		break;
   2901 	case WPS_M3:
   2902 		if (wps_validate_m3(msg) < 0)
   2903 			return WPS_FAILURE;
   2904 		ret = wps_process_m3(wps, msg, &attr);
   2905 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
   2906 			wps_fail_event(wps->wps, WPS_M3, wps->config_error,
   2907 				       wps->error_indication, wps->mac_addr_e);
   2908 		break;
   2909 	case WPS_M5:
   2910 		if (wps_validate_m5(msg) < 0)
   2911 			return WPS_FAILURE;
   2912 		ret = wps_process_m5(wps, msg, &attr);
   2913 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
   2914 			wps_fail_event(wps->wps, WPS_M5, wps->config_error,
   2915 				       wps->error_indication, wps->mac_addr_e);
   2916 		break;
   2917 	case WPS_M7:
   2918 		if (wps_validate_m7(msg) < 0)
   2919 			return WPS_FAILURE;
   2920 		ret = wps_process_m7(wps, msg, &attr);
   2921 		if (ret == WPS_FAILURE || wps->state == SEND_WSC_NACK)
   2922 			wps_fail_event(wps->wps, WPS_M7, wps->config_error,
   2923 				       wps->error_indication, wps->mac_addr_e);
   2924 		break;
   2925 	default:
   2926 		wpa_printf(MSG_DEBUG, "WPS: Unsupported Message Type %d",
   2927 			   *attr.msg_type);
   2928 		return WPS_FAILURE;
   2929 	}
   2930 
   2931 	if (ret == WPS_CONTINUE) {
   2932 		/* Save a copy of the last message for Authenticator derivation
   2933 		 */
   2934 		wpabuf_free(wps->last_msg);
   2935 		wps->last_msg = wpabuf_dup(msg);
   2936 	}
   2937 
   2938 	return ret;
   2939 }
   2940 
   2941 
   2942 static enum wps_process_res wps_process_wsc_ack(struct wps_data *wps,
   2943 						const struct wpabuf *msg)
   2944 {
   2945 	struct wps_parse_attr attr;
   2946 
   2947 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_ACK");
   2948 
   2949 	if (wps_parse_msg(msg, &attr) < 0)
   2950 		return WPS_FAILURE;
   2951 
   2952 	if (attr.msg_type == NULL) {
   2953 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
   2954 		return WPS_FAILURE;
   2955 	}
   2956 
   2957 	if (*attr.msg_type != WPS_WSC_ACK) {
   2958 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
   2959 			   *attr.msg_type);
   2960 		return WPS_FAILURE;
   2961 	}
   2962 
   2963 #ifdef CONFIG_WPS_UPNP
   2964 	if (wps->wps->wps_upnp && wps->ext_reg && wps->state == RECV_M2D_ACK &&
   2965 	    upnp_wps_subscribers(wps->wps->wps_upnp)) {
   2966 		if (wps->wps->upnp_msgs)
   2967 			return WPS_CONTINUE;
   2968 		wpa_printf(MSG_DEBUG, "WPS: Wait for response from an "
   2969 			   "external Registrar");
   2970 		return WPS_PENDING;
   2971 	}
   2972 #endif /* CONFIG_WPS_UPNP */
   2973 
   2974 	if (attr.registrar_nonce == NULL ||
   2975 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
   2976 	{
   2977 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
   2978 		return WPS_FAILURE;
   2979 	}
   2980 
   2981 	if (attr.enrollee_nonce == NULL ||
   2982 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
   2983 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
   2984 		return WPS_FAILURE;
   2985 	}
   2986 
   2987 	if (wps->state == RECV_M2D_ACK) {
   2988 #ifdef CONFIG_WPS_UPNP
   2989 		if (wps->wps->wps_upnp &&
   2990 		    upnp_wps_subscribers(wps->wps->wps_upnp)) {
   2991 			if (wps->wps->upnp_msgs)
   2992 				return WPS_CONTINUE;
   2993 			if (wps->ext_reg == 0)
   2994 				wps->ext_reg = 1;
   2995 			wpa_printf(MSG_DEBUG, "WPS: Wait for response from an "
   2996 				   "external Registrar");
   2997 			return WPS_PENDING;
   2998 		}
   2999 #endif /* CONFIG_WPS_UPNP */
   3000 
   3001 		wpa_printf(MSG_DEBUG, "WPS: No more registrars available - "
   3002 			   "terminate negotiation");
   3003 	}
   3004 
   3005 	return WPS_FAILURE;
   3006 }
   3007 
   3008 
   3009 static enum wps_process_res wps_process_wsc_nack(struct wps_data *wps,
   3010 						 const struct wpabuf *msg)
   3011 {
   3012 	struct wps_parse_attr attr;
   3013 	int old_state;
   3014 	u16 config_error;
   3015 
   3016 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_NACK");
   3017 
   3018 	old_state = wps->state;
   3019 	wps->state = SEND_WSC_NACK;
   3020 
   3021 	if (wps_parse_msg(msg, &attr) < 0)
   3022 		return WPS_FAILURE;
   3023 
   3024 	if (attr.msg_type == NULL) {
   3025 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
   3026 		return WPS_FAILURE;
   3027 	}
   3028 
   3029 	if (*attr.msg_type != WPS_WSC_NACK) {
   3030 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
   3031 			   *attr.msg_type);
   3032 		return WPS_FAILURE;
   3033 	}
   3034 
   3035 #ifdef CONFIG_WPS_UPNP
   3036 	if (wps->wps->wps_upnp && wps->ext_reg) {
   3037 		wpa_printf(MSG_DEBUG, "WPS: Negotiation using external "
   3038 			   "Registrar terminated by the Enrollee");
   3039 		return WPS_FAILURE;
   3040 	}
   3041 #endif /* CONFIG_WPS_UPNP */
   3042 
   3043 	if (attr.registrar_nonce == NULL ||
   3044 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
   3045 	{
   3046 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
   3047 		return WPS_FAILURE;
   3048 	}
   3049 
   3050 	if (attr.enrollee_nonce == NULL ||
   3051 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
   3052 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
   3053 		return WPS_FAILURE;
   3054 	}
   3055 
   3056 	if (attr.config_error == NULL) {
   3057 		wpa_printf(MSG_DEBUG, "WPS: No Configuration Error attribute "
   3058 			   "in WSC_NACK");
   3059 		return WPS_FAILURE;
   3060 	}
   3061 
   3062 	config_error = WPA_GET_BE16(attr.config_error);
   3063 	wpa_printf(MSG_DEBUG, "WPS: Enrollee terminated negotiation with "
   3064 		   "Configuration Error %d", config_error);
   3065 
   3066 	switch (old_state) {
   3067 	case RECV_M3:
   3068 		wps_fail_event(wps->wps, WPS_M2, config_error,
   3069 			       wps->error_indication, wps->mac_addr_e);
   3070 		break;
   3071 	case RECV_M5:
   3072 		wps_fail_event(wps->wps, WPS_M4, config_error,
   3073 			       wps->error_indication, wps->mac_addr_e);
   3074 		break;
   3075 	case RECV_M7:
   3076 		wps_fail_event(wps->wps, WPS_M6, config_error,
   3077 			       wps->error_indication, wps->mac_addr_e);
   3078 		break;
   3079 	case RECV_DONE:
   3080 		wps_fail_event(wps->wps, WPS_M8, config_error,
   3081 			       wps->error_indication, wps->mac_addr_e);
   3082 		break;
   3083 	default:
   3084 		break;
   3085 	}
   3086 
   3087 	return WPS_FAILURE;
   3088 }
   3089 
   3090 
   3091 static enum wps_process_res wps_process_wsc_done(struct wps_data *wps,
   3092 						 const struct wpabuf *msg)
   3093 {
   3094 	struct wps_parse_attr attr;
   3095 
   3096 	wpa_printf(MSG_DEBUG, "WPS: Received WSC_Done");
   3097 
   3098 	if (wps->state != RECV_DONE &&
   3099 	    (!wps->wps->wps_upnp || !wps->ext_reg)) {
   3100 		wpa_printf(MSG_DEBUG, "WPS: Unexpected state (%d) for "
   3101 			   "receiving WSC_Done", wps->state);
   3102 		return WPS_FAILURE;
   3103 	}
   3104 
   3105 	if (wps_parse_msg(msg, &attr) < 0)
   3106 		return WPS_FAILURE;
   3107 
   3108 	if (attr.msg_type == NULL) {
   3109 		wpa_printf(MSG_DEBUG, "WPS: No Message Type attribute");
   3110 		return WPS_FAILURE;
   3111 	}
   3112 
   3113 	if (*attr.msg_type != WPS_WSC_DONE) {
   3114 		wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type %d",
   3115 			   *attr.msg_type);
   3116 		return WPS_FAILURE;
   3117 	}
   3118 
   3119 #ifdef CONFIG_WPS_UPNP
   3120 	if (wps->wps->wps_upnp && wps->ext_reg) {
   3121 		wpa_printf(MSG_DEBUG, "WPS: Negotiation using external "
   3122 			   "Registrar completed successfully");
   3123 		wps_device_store(wps->wps->registrar, &wps->peer_dev,
   3124 				 wps->uuid_e);
   3125 		return WPS_DONE;
   3126 	}
   3127 #endif /* CONFIG_WPS_UPNP */
   3128 
   3129 	if (attr.registrar_nonce == NULL ||
   3130 	    os_memcmp(wps->nonce_r, attr.registrar_nonce, WPS_NONCE_LEN) != 0)
   3131 	{
   3132 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in registrar nonce");
   3133 		return WPS_FAILURE;
   3134 	}
   3135 
   3136 	if (attr.enrollee_nonce == NULL ||
   3137 	    os_memcmp(wps->nonce_e, attr.enrollee_nonce, WPS_NONCE_LEN) != 0) {
   3138 		wpa_printf(MSG_DEBUG, "WPS: Mismatch in enrollee nonce");
   3139 		return WPS_FAILURE;
   3140 	}
   3141 
   3142 	wpa_printf(MSG_DEBUG, "WPS: Negotiation completed successfully");
   3143 	wps_device_store(wps->wps->registrar, &wps->peer_dev,
   3144 			 wps->uuid_e);
   3145 
   3146 	if (wps->wps->wps_state == WPS_STATE_NOT_CONFIGURED && wps->new_psk &&
   3147 	    wps->wps->ap && !wps->wps->registrar->disable_auto_conf) {
   3148 		struct wps_credential cred;
   3149 
   3150 		wpa_printf(MSG_DEBUG, "WPS: Moving to Configured state based "
   3151 			   "on first Enrollee connection");
   3152 
   3153 		os_memset(&cred, 0, sizeof(cred));
   3154 		os_memcpy(cred.ssid, wps->wps->ssid, wps->wps->ssid_len);
   3155 		cred.ssid_len = wps->wps->ssid_len;
   3156 		cred.auth_type = WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK;
   3157 		cred.encr_type = WPS_ENCR_TKIP | WPS_ENCR_AES;
   3158 		os_memcpy(cred.key, wps->new_psk, wps->new_psk_len);
   3159 		cred.key_len = wps->new_psk_len;
   3160 
   3161 		wps->wps->wps_state = WPS_STATE_CONFIGURED;
   3162 		wpa_hexdump_ascii_key(MSG_DEBUG,
   3163 				      "WPS: Generated random passphrase",
   3164 				      wps->new_psk, wps->new_psk_len);
   3165 		if (wps->wps->cred_cb)
   3166 			wps->wps->cred_cb(wps->wps->cb_ctx, &cred);
   3167 
   3168 		os_free(wps->new_psk);
   3169 		wps->new_psk = NULL;
   3170 	}
   3171 
   3172 	if (!wps->wps->ap && !wps->er)
   3173 		wps_sta_cred_cb(wps);
   3174 
   3175 	if (wps->new_psk) {
   3176 		if (wps_cb_new_psk(wps->wps->registrar, wps->mac_addr_e,
   3177 				   wps->p2p_dev_addr, wps->new_psk,
   3178 				   wps->new_psk_len)) {
   3179 			wpa_printf(MSG_DEBUG, "WPS: Failed to configure the "
   3180 				   "new PSK");
   3181 		}
   3182 		os_free(wps->new_psk);
   3183 		wps->new_psk = NULL;
   3184 	}
   3185 
   3186 	wps_cb_reg_success(wps->wps->registrar, wps->mac_addr_e, wps->uuid_e,
   3187 			   wps->dev_password, wps->dev_password_len);
   3188 
   3189 	if (wps->pbc) {
   3190 		wps_registrar_remove_pbc_session(wps->wps->registrar,
   3191 						 wps->uuid_e,
   3192 						 wps->p2p_dev_addr);
   3193 		wps_registrar_pbc_completed(wps->wps->registrar);
   3194 		os_get_time(&wps->wps->registrar->pbc_ignore_start);
   3195 		os_memcpy(wps->wps->registrar->pbc_ignore_uuid, wps->uuid_e,
   3196 			  WPS_UUID_LEN);
   3197 	} else {
   3198 		wps_registrar_pin_completed(wps->wps->registrar);
   3199 	}
   3200 	/* TODO: maintain AuthorizedMACs somewhere separately for each ER and
   3201 	 * merge them into APs own list.. */
   3202 
   3203 	wps_success_event(wps->wps, wps->mac_addr_e);
   3204 
   3205 	return WPS_DONE;
   3206 }
   3207 
   3208 
   3209 enum wps_process_res wps_registrar_process_msg(struct wps_data *wps,
   3210 					       enum wsc_op_code op_code,
   3211 					       const struct wpabuf *msg)
   3212 {
   3213 	enum wps_process_res ret;
   3214 
   3215 	wpa_printf(MSG_DEBUG, "WPS: Processing received message (len=%lu "
   3216 		   "op_code=%d)",
   3217 		   (unsigned long) wpabuf_len(msg), op_code);
   3218 
   3219 #ifdef CONFIG_WPS_UPNP
   3220 	if (wps->wps->wps_upnp && op_code == WSC_MSG && wps->ext_reg == 1) {
   3221 		struct wps_parse_attr attr;
   3222 		if (wps_parse_msg(msg, &attr) == 0 && attr.msg_type &&
   3223 		    *attr.msg_type == WPS_M3)
   3224 			wps->ext_reg = 2; /* past M2/M2D phase */
   3225 	}
   3226 	if (wps->ext_reg > 1)
   3227 		wps_registrar_free_pending_m2(wps->wps);
   3228 	if (wps->wps->wps_upnp && wps->ext_reg &&
   3229 	    wps->wps->upnp_msgs == NULL &&
   3230 	    (op_code == WSC_MSG || op_code == WSC_Done || op_code == WSC_NACK))
   3231 	{
   3232 		struct wps_parse_attr attr;
   3233 		int type;
   3234 		if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL)
   3235 			type = -1;
   3236 		else
   3237 			type = *attr.msg_type;
   3238 		wpa_printf(MSG_DEBUG, "WPS: Sending received message (type %d)"
   3239 			   " to external Registrar for processing", type);
   3240 		upnp_wps_device_send_wlan_event(wps->wps->wps_upnp,
   3241 						wps->mac_addr_e,
   3242 						UPNP_WPS_WLANEVENT_TYPE_EAP,
   3243 						msg);
   3244 		if (op_code == WSC_MSG)
   3245 			return WPS_PENDING;
   3246 	} else if (wps->wps->wps_upnp && wps->ext_reg && op_code == WSC_MSG) {
   3247 		wpa_printf(MSG_DEBUG, "WPS: Skip internal processing - using "
   3248 			   "external Registrar");
   3249 		return WPS_CONTINUE;
   3250 	}
   3251 #endif /* CONFIG_WPS_UPNP */
   3252 
   3253 	switch (op_code) {
   3254 	case WSC_MSG:
   3255 		return wps_process_wsc_msg(wps, msg);
   3256 	case WSC_ACK:
   3257 		if (wps_validate_wsc_ack(msg) < 0)
   3258 			return WPS_FAILURE;
   3259 		return wps_process_wsc_ack(wps, msg);
   3260 	case WSC_NACK:
   3261 		if (wps_validate_wsc_nack(msg) < 0)
   3262 			return WPS_FAILURE;
   3263 		return wps_process_wsc_nack(wps, msg);
   3264 	case WSC_Done:
   3265 		if (wps_validate_wsc_done(msg) < 0)
   3266 			return WPS_FAILURE;
   3267 		ret = wps_process_wsc_done(wps, msg);
   3268 		if (ret == WPS_FAILURE) {
   3269 			wps->state = SEND_WSC_NACK;
   3270 			wps_fail_event(wps->wps, WPS_WSC_DONE,
   3271 				       wps->config_error,
   3272 				       wps->error_indication, wps->mac_addr_e);
   3273 		}
   3274 		return ret;
   3275 	default:
   3276 		wpa_printf(MSG_DEBUG, "WPS: Unsupported op_code %d", op_code);
   3277 		return WPS_FAILURE;
   3278 	}
   3279 }
   3280 
   3281 
   3282 int wps_registrar_update_ie(struct wps_registrar *reg)
   3283 {
   3284 	return wps_set_ie(reg);
   3285 }
   3286 
   3287 
   3288 static void wps_registrar_set_selected_timeout(void *eloop_ctx,
   3289 					       void *timeout_ctx)
   3290 {
   3291 	struct wps_registrar *reg = eloop_ctx;
   3292 
   3293 	wpa_printf(MSG_DEBUG, "WPS: Selected Registrar timeout - "
   3294 		   "unselect internal Registrar");
   3295 	reg->selected_registrar = 0;
   3296 	reg->pbc = 0;
   3297 	wps_registrar_selected_registrar_changed(reg, 0);
   3298 }
   3299 
   3300 
   3301 #ifdef CONFIG_WPS_UPNP
   3302 static void wps_registrar_sel_reg_add(struct wps_registrar *reg,
   3303 				      struct subscription *s)
   3304 {
   3305 	int i, j;
   3306 	wpa_printf(MSG_DEBUG, "WPS: External Registrar selected (dev_pw_id=%d "
   3307 		   "config_methods=0x%x)",
   3308 		   s->dev_password_id, s->config_methods);
   3309 	reg->sel_reg_union = 1;
   3310 	if (reg->sel_reg_dev_password_id_override != DEV_PW_PUSHBUTTON)
   3311 		reg->sel_reg_dev_password_id_override = s->dev_password_id;
   3312 	if (reg->sel_reg_config_methods_override == -1)
   3313 		reg->sel_reg_config_methods_override = 0;
   3314 	reg->sel_reg_config_methods_override |= s->config_methods;
   3315 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++)
   3316 		if (is_zero_ether_addr(reg->authorized_macs_union[i]))
   3317 			break;
   3318 	for (j = 0; i < WPS_MAX_AUTHORIZED_MACS && j < WPS_MAX_AUTHORIZED_MACS;
   3319 	     j++) {
   3320 		if (is_zero_ether_addr(s->authorized_macs[j]))
   3321 			break;
   3322 		wpa_printf(MSG_DEBUG, "WPS: Add authorized MAC into union: "
   3323 			   MACSTR, MAC2STR(s->authorized_macs[j]));
   3324 		os_memcpy(reg->authorized_macs_union[i],
   3325 			  s->authorized_macs[j], ETH_ALEN);
   3326 		i++;
   3327 	}
   3328 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union",
   3329 		    (u8 *) reg->authorized_macs_union,
   3330 		    sizeof(reg->authorized_macs_union));
   3331 }
   3332 #endif /* CONFIG_WPS_UPNP */
   3333 
   3334 
   3335 static void wps_registrar_sel_reg_union(struct wps_registrar *reg)
   3336 {
   3337 #ifdef CONFIG_WPS_UPNP
   3338 	struct subscription *s;
   3339 
   3340 	if (reg->wps->wps_upnp == NULL)
   3341 		return;
   3342 
   3343 	dl_list_for_each(s, &reg->wps->wps_upnp->subscriptions,
   3344 			 struct subscription, list) {
   3345 		struct subscr_addr *sa;
   3346 		sa = dl_list_first(&s->addr_list, struct subscr_addr, list);
   3347 		if (sa) {
   3348 			wpa_printf(MSG_DEBUG, "WPS: External Registrar %s:%d",
   3349 				   inet_ntoa(sa->saddr.sin_addr),
   3350 				   ntohs(sa->saddr.sin_port));
   3351 		}
   3352 		if (s->selected_registrar)
   3353 			wps_registrar_sel_reg_add(reg, s);
   3354 		else
   3355 			wpa_printf(MSG_DEBUG, "WPS: External Registrar not "
   3356 				   "selected");
   3357 	}
   3358 #endif /* CONFIG_WPS_UPNP */
   3359 }
   3360 
   3361 
   3362 /**
   3363  * wps_registrar_selected_registrar_changed - SetSelectedRegistrar change
   3364  * @reg: Registrar data from wps_registrar_init()
   3365  *
   3366  * This function is called when selected registrar state changes, e.g., when an
   3367  * AP receives a SetSelectedRegistrar UPnP message.
   3368  */
   3369 void wps_registrar_selected_registrar_changed(struct wps_registrar *reg,
   3370 					      u16 dev_pw_id)
   3371 {
   3372 	wpa_printf(MSG_DEBUG, "WPS: Selected registrar information changed");
   3373 
   3374 	reg->sel_reg_union = reg->selected_registrar;
   3375 	reg->sel_reg_dev_password_id_override = -1;
   3376 	reg->sel_reg_config_methods_override = -1;
   3377 	os_memcpy(reg->authorized_macs_union, reg->authorized_macs,
   3378 		  WPS_MAX_AUTHORIZED_MACS * ETH_ALEN);
   3379 	wpa_hexdump(MSG_DEBUG, "WPS: Authorized MACs union (start with own)",
   3380 		    (u8 *) reg->authorized_macs_union,
   3381 		    sizeof(reg->authorized_macs_union));
   3382 	if (reg->selected_registrar) {
   3383 		u16 methods;
   3384 
   3385 		methods = reg->wps->config_methods & ~WPS_CONFIG_PUSHBUTTON;
   3386 #ifdef CONFIG_WPS2
   3387 		methods &= ~(WPS_CONFIG_VIRT_PUSHBUTTON |
   3388 			     WPS_CONFIG_PHY_PUSHBUTTON);
   3389 #endif /* CONFIG_WPS2 */
   3390 		if (reg->pbc) {
   3391 			reg->sel_reg_dev_password_id_override =
   3392 				DEV_PW_PUSHBUTTON;
   3393 			wps_set_pushbutton(&methods, reg->wps->config_methods);
   3394 		} else if (dev_pw_id)
   3395 			reg->sel_reg_dev_password_id_override = dev_pw_id;
   3396 		wpa_printf(MSG_DEBUG, "WPS: Internal Registrar selected "
   3397 			   "(pbc=%d)", reg->pbc);
   3398 		reg->sel_reg_config_methods_override = methods;
   3399 	} else
   3400 		wpa_printf(MSG_DEBUG, "WPS: Internal Registrar not selected");
   3401 
   3402 	wps_registrar_sel_reg_union(reg);
   3403 
   3404 	wps_set_ie(reg);
   3405 	wps_cb_set_sel_reg(reg);
   3406 }
   3407 
   3408 
   3409 int wps_registrar_get_info(struct wps_registrar *reg, const u8 *addr,
   3410 			   char *buf, size_t buflen)
   3411 {
   3412 	struct wps_registrar_device *d;
   3413 	int len = 0, ret;
   3414 	char uuid[40];
   3415 	char devtype[WPS_DEV_TYPE_BUFSIZE];
   3416 
   3417 	d = wps_device_get(reg, addr);
   3418 	if (d == NULL)
   3419 		return 0;
   3420 	if (uuid_bin2str(d->uuid, uuid, sizeof(uuid)))
   3421 		return 0;
   3422 
   3423 	ret = os_snprintf(buf + len, buflen - len,
   3424 			  "wpsUuid=%s\n"
   3425 			  "wpsPrimaryDeviceType=%s\n"
   3426 			  "wpsDeviceName=%s\n"
   3427 			  "wpsManufacturer=%s\n"
   3428 			  "wpsModelName=%s\n"
   3429 			  "wpsModelNumber=%s\n"
   3430 			  "wpsSerialNumber=%s\n",
   3431 			  uuid,
   3432 			  wps_dev_type_bin2str(d->dev.pri_dev_type, devtype,
   3433 					       sizeof(devtype)),
   3434 			  d->dev.device_name ? d->dev.device_name : "",
   3435 			  d->dev.manufacturer ? d->dev.manufacturer : "",
   3436 			  d->dev.model_name ? d->dev.model_name : "",
   3437 			  d->dev.model_number ? d->dev.model_number : "",
   3438 			  d->dev.serial_number ? d->dev.serial_number : "");
   3439 	if (ret < 0 || (size_t) ret >= buflen - len)
   3440 		return len;
   3441 	len += ret;
   3442 
   3443 	return len;
   3444 }
   3445 
   3446 
   3447 int wps_registrar_config_ap(struct wps_registrar *reg,
   3448 			    struct wps_credential *cred)
   3449 {
   3450 #ifdef CONFIG_WPS2
   3451 	printf("encr_type=0x%x\n", cred->encr_type);
   3452 	if (!(cred->encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP |
   3453 				 WPS_ENCR_AES))) {
   3454 		if (cred->encr_type & WPS_ENCR_WEP) {
   3455 			wpa_printf(MSG_INFO, "WPS: Reject new AP settings "
   3456 				   "due to WEP configuration");
   3457 			return -1;
   3458 		}
   3459 
   3460 		wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to "
   3461 			   "invalid encr_type 0x%x", cred->encr_type);
   3462 		return -1;
   3463 	}
   3464 
   3465 	if ((cred->encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) ==
   3466 	    WPS_ENCR_TKIP) {
   3467 		wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> "
   3468 			   "TKIP+AES");
   3469 		cred->encr_type |= WPS_ENCR_AES;
   3470 	}
   3471 
   3472 	if ((cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) ==
   3473 	    WPS_AUTH_WPAPSK) {
   3474 		wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> "
   3475 			   "WPAPSK+WPA2PSK");
   3476 		cred->auth_type |= WPS_AUTH_WPA2PSK;
   3477 	}
   3478 #endif /* CONFIG_WPS2 */
   3479 
   3480 	if (reg->wps->cred_cb)
   3481 		return reg->wps->cred_cb(reg->wps->cb_ctx, cred);
   3482 
   3483 	return -1;
   3484 }
   3485 
   3486 
   3487 #ifdef CONFIG_WPS_NFC
   3488 
   3489 int wps_registrar_add_nfc_pw_token(struct wps_registrar *reg,
   3490 				   const u8 *pubkey_hash, u16 pw_id,
   3491 				   const u8 *dev_pw, size_t dev_pw_len)
   3492 {
   3493 	struct wps_nfc_pw_token *token;
   3494 
   3495 	if (dev_pw_len > WPS_OOB_DEVICE_PASSWORD_LEN)
   3496 		return -1;
   3497 
   3498 	wps_free_nfc_pw_tokens(&reg->nfc_pw_tokens, pw_id);
   3499 
   3500 	token = os_zalloc(sizeof(*token));
   3501 	if (token == NULL)
   3502 		return -1;
   3503 
   3504 	os_memcpy(token->pubkey_hash, pubkey_hash, WPS_OOB_PUBKEY_HASH_LEN);
   3505 	token->pw_id = pw_id;
   3506 	wpa_snprintf_hex_uppercase((char *) token->dev_pw,
   3507 				   sizeof(token->dev_pw),
   3508 				   dev_pw, dev_pw_len);
   3509 	token->dev_pw_len = dev_pw_len * 2;
   3510 
   3511 	dl_list_add(&reg->nfc_pw_tokens, &token->list);
   3512 
   3513 	reg->selected_registrar = 1;
   3514 	reg->pbc = 0;
   3515 	wps_registrar_add_authorized_mac(reg,
   3516 					 (u8 *) "\xff\xff\xff\xff\xff\xff");
   3517 	wps_registrar_selected_registrar_changed(reg, pw_id);
   3518 	eloop_cancel_timeout(wps_registrar_set_selected_timeout, reg, NULL);
   3519 	eloop_register_timeout(WPS_PBC_WALK_TIME, 0,
   3520 			       wps_registrar_set_selected_timeout,
   3521 			       reg, NULL);
   3522 
   3523 	wpa_printf(MSG_DEBUG, "WPS: Added NFC Device Password %u to Registrar",
   3524 		   pw_id);
   3525 
   3526 	return 0;
   3527 }
   3528 
   3529 
   3530 int wps_registrar_add_nfc_password_token(struct wps_registrar *reg,
   3531 					 const u8 *oob_dev_pw,
   3532 					 size_t oob_dev_pw_len)
   3533 {
   3534 	const u8 *pos, *hash, *dev_pw;
   3535 	u16 id;
   3536 	size_t dev_pw_len;
   3537 
   3538 	if (oob_dev_pw_len < WPS_OOB_PUBKEY_HASH_LEN + 2 +
   3539 	    WPS_OOB_DEVICE_PASSWORD_MIN_LEN ||
   3540 	    oob_dev_pw_len > WPS_OOB_PUBKEY_HASH_LEN + 2 +
   3541 	    WPS_OOB_DEVICE_PASSWORD_LEN)
   3542 		return -1;
   3543 
   3544 	hash = oob_dev_pw;
   3545 	pos = oob_dev_pw + WPS_OOB_PUBKEY_HASH_LEN;
   3546 	id = WPA_GET_BE16(pos);
   3547 	dev_pw = pos + 2;
   3548 	dev_pw_len = oob_dev_pw + oob_dev_pw_len - dev_pw;
   3549 
   3550 	wpa_printf(MSG_DEBUG, "WPS: Add NFC Password Token for Password ID %u",
   3551 		   id);
   3552 
   3553 	wpa_hexdump(MSG_DEBUG, "WPS: Public Key Hash",
   3554 		    hash, WPS_OOB_PUBKEY_HASH_LEN);
   3555 	wpa_hexdump_key(MSG_DEBUG, "WPS: Device Password", dev_pw, dev_pw_len);
   3556 
   3557 	return wps_registrar_add_nfc_pw_token(reg, hash, id, dev_pw,
   3558 					      dev_pw_len);
   3559 }
   3560 
   3561 
   3562 void wps_registrar_remove_nfc_pw_token(struct wps_registrar *reg,
   3563 				       struct wps_nfc_pw_token *token)
   3564 {
   3565 	wps_registrar_remove_authorized_mac(reg,
   3566 					    (u8 *) "\xff\xff\xff\xff\xff\xff");
   3567 	wps_registrar_selected_registrar_changed(reg, 0);
   3568 }
   3569 
   3570 #endif /* CONFIG_WPS_NFC */
   3571