WPS 2.0: Disable WPS workarounds if CONFIG_WPS_STRICT is defined
authorJouni Malinen <jouni.malinen@atheros.com>
Wed, 26 May 2010 08:16:54 +0000 (11:16 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 9 Sep 2010 13:07:47 +0000 (06:07 -0700)
src/ap/wps_hostapd.c
src/wps/wps.c
src/wps/wps_attr_parse.c
src/wps/wps_attr_process.c
src/wps/wps_enrollee.c
src/wps/wps_registrar.c
src/wps/wps_upnp_web.c

index 008a88a7443c0de3acd28b6f9be0c1ea005e61f6..0698a8f705af82c185e9e1a80f14668608951c9f 100644 (file)
@@ -865,6 +865,7 @@ static int hostapd_rx_req_put_wlan_response(
         */
 
        sta = ap_get_sta(hapd, mac_addr);
+#ifndef CONFIG_WPS_STRICT
        if (!sta) {
                /*
                 * Workaround - Intel wsccmd uses bogus NewWLANEventMAC:
@@ -878,6 +879,7 @@ static int hostapd_rx_req_put_wlan_response(
                                break;
                }
        }
+#endif /* CONFIG_WPS_STRICT */
 
        if (!sta) {
                wpa_printf(MSG_DEBUG, "WPS UPnP: No matching STA found");
index 9f42b16d456cd8d3b158a319a02446233656642f..04bc4331f5b817fe739a5ed85dbf01e2ecd65b8c 100644 (file)
@@ -201,6 +201,13 @@ int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
            WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
                return 0;
 
+#ifdef CONFIG_WPS_STRICT
+       if (!attr.sel_reg_config_methods ||
+           !(WPA_GET_BE16(attr.sel_reg_config_methods) &
+             WPS_CONFIG_PUSHBUTTON))
+               return 0;
+#endif /* CONFIG_WPS_STRICT */
+
        return 1;
 }
 
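Review bot: The strict-mode checks added here and in `is_selected_pin_registrar()` (next hunk) return 0 with no comment or debug output, so a registrar dropped only because Selected Registrar Config Methods is absent or lacks the expected bit leaves no trace in the log. A one-line comment such as `/* Strict mode: Selected Registrar Config Methods must be present and include PushButton */`, with the Label/Display/Keypad equivalent in the PIN variant, would record the intent. Both checks read the attribute with `WPA_GET_BE16()`, which presumably relies on the attribute parser having enforced a two-octet length; that validation is not visible in these hunks.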
@@ -222,6 +229,13 @@ static int is_selected_pin_registrar(struct wps_parse_attr *attr)
            WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
                return 0;
 
+#ifdef CONFIG_WPS_STRICT
+       if (!attr->sel_reg_config_methods ||
+           !(WPA_GET_BE16(attr->sel_reg_config_methods) &
+             (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
+               return 0;
+#endif /* CONFIG_WPS_STRICT */
+
        return 1;
 }
 
index 24374ecdeaa524f0b952a274c1786687da0c1526..ffce495911129e1d25407145fb00cb0a596abc2b 100644 (file)
@@ -17,7 +17,9 @@
 #include "common.h"
 #include "wps_i.h"
 
+#ifndef CONFIG_WPS_STRICT
 #define WPS_WORKAROUNDS
+#endif /* CONFIG_WPS_STRICT */
 
 
 static int wps_set_attr(struct wps_parse_attr *attr, u16 type,
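Review bot: `WPS_WORKAROUNDS` is derived from `CONFIG_WPS_STRICT` by the same three-line guard here and again in src/wps/wps_registrar.c, while the other files in this commit test `CONFIG_WPS_STRICT` directly. Two copies of the derivation can drift apart and leave workarounds enabled in one file of a build that is meant to be strict. Defining it once in a shared internal header would keep the mapping in one place; `wps_i.h` is already included above, though whether wps_registrar.c includes it is not visible on this page.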
index 4751bbce823224f4f4b921320de7f8150f15d539..07e087daf868a3abb4e050428586ba30baec7c0a 100644 (file)
@@ -264,11 +264,18 @@ static int wps_process_cred_802_1x_enabled(struct wps_credential *cred,
 }
 
 
-static void wps_workaround_cred_key(struct wps_credential *cred)
+static int wps_workaround_cred_key(struct wps_credential *cred)
 {
        if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
            cred->key_len > 8 && cred->key_len < 64 &&
            cred->key[cred->key_len - 1] == 0) {
+#ifdef CONFIG_WPS_STRICT
+               wpa_printf(MSG_INFO, "WPS: WPA/WPA2-Personal passphrase uses "
+                          "forbidden NULL termination");
+               wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+                                     cred->key, cred->key_len);
+               return -1;
+#else /* CONFIG_WPS_STRICT */
                /*
                 * A deployed external registrar is known to encode ASCII
                 * passphrases incorrectly. Remove the extra NULL termination
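Review bot: In a `CONFIG_WPS_STRICT` build `wps_workaround_cred_key()` no longer applies a workaround but rejects the credential, so its name and missing header comment now mislead. Its return value becomes the result of `wps_process_cred()` and `wps_process_ap_settings()`. A comment such as `/* Returns 0 if the key is acceptable (after any workaround), -1 if strict mode rejects it */` would document the new contract. The window `key_len > 8 && key_len < 64` was chosen for the workaround, so in strict mode an 8-octet key ending in a NUL octet passes through this function unrejected; whether it is caught elsewhere is not visible here. The function body continues in the next hunk.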
@@ -277,7 +284,9 @@ static void wps_workaround_cred_key(struct wps_credential *cred)
                wpa_printf(MSG_DEBUG, "WPS: Workaround - remove NULL "
                           "termination from ASCII passphrase");
                cred->key_len--;
+#endif /* CONFIG_WPS_STRICT */
        }
+       return 0;
 }
 
 
@@ -303,9 +312,7 @@ int wps_process_cred(struct wps_parse_attr *attr,
            wps_process_cred_802_1x_enabled(cred, attr->dot1x_enabled))
                return -1;
 
-       wps_workaround_cred_key(cred);
-
-       return 0;
+       return wps_workaround_cred_key(cred);
 }
 
 
@@ -324,7 +331,5 @@ int wps_process_ap_settings(struct wps_parse_attr *attr,
            wps_process_cred_mac_addr(cred, attr->mac_addr))
                return -1;
 
-       wps_workaround_cred_key(cred);
-
-       return 0;
+       return wps_workaround_cred_key(cred);
 }
index 262922849d6aa5affefb8e03bdb73d319abaa570..1821fbe82ba4cd69ea58e59ced8df43e30a35506 100644 (file)
@@ -664,7 +664,7 @@ static int wps_process_r_snonce2(struct wps_data *wps, const u8 *r_snonce2)
 
 
 static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
-                             size_t cred_len)
+                             size_t cred_len, int wps2)
 {
        struct wps_parse_attr attr;
        struct wpabuf msg;
@@ -689,6 +689,13 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
                 * reasons, allow this to be processed since we do not really
                 * use the MAC Address information for anything.
                 */
+#ifdef CONFIG_WPS_STRICT
+               if (wps2) {
+                       wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
+                                  "MAC Address in AP Settings");
+                       return -1;
+               }
+#endif /* CONFIG_WPS_STRICT */
        }
 
        if (wps->wps->cred_cb) {
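Review bot: The rejection message added in `wps_process_cred_e()` says "MAC Address in AP Settings", but this function handles a Credential; the text appears to be copied from `wps_process_ap_settings_e()`, where the identical message is added in a later hunk. Wording such as `"WPS: Do not accept incorrect MAC Address in Credential"` would make the two failures distinguishable in logs. The comment directly above, which says the mismatch is allowed for interoperability, now holds only for non-strict builds or peers without Version2 and should say so in both functions. In builds without `CONFIG_WPS_STRICT` the new `wps2` parameter is unused, which may warn under `-Wunused-parameter`. The enclosing `if` block begins outside this hunk.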
@@ -704,7 +711,7 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
 
 
 static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
-                            size_t cred_len[], size_t num_cred)
+                            size_t cred_len[], size_t num_cred, int wps2)
 {
        size_t i;
 
@@ -718,7 +725,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
        }
 
        for (i = 0; i < num_cred; i++) {
-               if (wps_process_cred_e(wps, cred[i], cred_len[i]))
+               if (wps_process_cred_e(wps, cred[i], cred_len[i], wps2))
                        return -1;
        }
 
@@ -728,7 +735,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
 
 static int wps_process_ap_settings_e(struct wps_data *wps,
                                     struct wps_parse_attr *attr,
-                                    struct wpabuf *attrs)
+                                    struct wpabuf *attrs, int wps2)
 {
        struct wps_credential cred;
 
@@ -754,6 +761,13 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
                 * reasons, allow this to be processed since we do not really
                 * use the MAC Address information for anything.
                 */
+#ifdef CONFIG_WPS_STRICT
+               if (wps2) {
+                       wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
+                                  "MAC Address in AP Settings");
+                       return -1;
+               }
+#endif /* CONFIG_WPS_STRICT */
        }
 
        if (wps->wps->cred_cb) {
@@ -994,8 +1008,9 @@ static enum wps_process_res wps_process_m8(struct wps_data *wps,
        if (wps_parse_msg(decrypted, &eattr) < 0 ||
            wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
            wps_process_creds(wps, eattr.cred, eattr.cred_len,
-                             eattr.num_cred) ||
-           wps_process_ap_settings_e(wps, &eattr, decrypted)) {
+                             eattr.num_cred, attr->version2 != NULL) ||
+           wps_process_ap_settings_e(wps, &eattr, decrypted,
+                                     attr->version2 != NULL)) {
                wpabuf_free(decrypted);
                wps->state = SEND_WSC_NACK;
                return WPS_CONTINUE;
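Review bot: `wps2` is taken from the presence of Version2 in the received M8 (`attr->version2 != NULL`), so the strict MAC Address check is skipped for any registrar that omits that attribute, even in a `CONFIG_WPS_STRICT` build. If that is intended for WPS 1.0 interoperability, a comment at this call site should say so, e.g. `/* Strict credential checks apply only when the peer indicates WPS 2.0 */`. The expression is also written twice; a local `int wps2 = attr->version2 != NULL;` would keep both calls in sync. `wps_process_m8()` starts and ends outside this hunk.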
index dc0dd87bd713f0654f90da75ce2c64ab012d41fa..05fc7f2e041b9731ad5f13f69de063e794bd43b6 100644 (file)
@@ -27,7 +27,9 @@
 #include "wps_upnp.h"
 #include "wps_upnp_i.h"
 
+#ifndef CONFIG_WPS_STRICT
 #define WPS_WORKAROUNDS
+#endif /* CONFIG_WPS_STRICT */
 
 struct wps_uuid_pin {
        struct dl_list list;
index 9a6b36e021704d3bfccf812856e601ff294c87c6..7e2d174c46c818571232475883d43eb8aaa92e8e 100644 (file)
@@ -523,6 +523,11 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
        if (hwaddr_aton(val, macaddr)) {
                wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
                           "PutWLANResponse: '%s'", val);
+#ifdef CONFIG_WPS_STRICT
+               wpabuf_free(msg);
+               os_free(val);
+               return UPNP_ARG_VALUE_INVALID;
+#else /* CONFIG_WPS_STRICT */
                if (hwaddr_aton2(val, macaddr) > 0) {
                        /*
                         * At least some versions of Intel PROset seem to be
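Review bot: The strict branch repeats the `wpabuf_free(msg); os_free(val); return UPNP_ARG_VALUE_INVALID;` cleanup that the non-strict failure path also appears to perform further down, so the error exit now exists twice under different preprocessor conditions. Guarding only the `hwaddr_aton2()` retry with `#ifndef CONFIG_WPS_STRICT` and sharing one cleanup-and-return would avoid a leak if one copy is later changed and the other is not. The rest of the non-strict branch is in the following hunk and only partly visible.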
@@ -536,6 +541,7 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
                        os_free(val);
                        return UPNP_ARG_VALUE_INVALID;
                }
+#endif /* CONFIG_WPS_STRICT */
        }
        os_free(val);
        if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {