2 * Wi-Fi Protected Setup
3 * Copyright (c) 2007-2009, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_group5.h"
13 #include "common/ieee802_11_defs.h"
15 #include "wps_dev_attr.h"
18 #ifdef CONFIG_WPS_TESTING
19 int wps_version_number
= 0x20;
20 int wps_testing_dummy_cred
= 0;
21 #endif /* CONFIG_WPS_TESTING */
25 * wps_init - Initialize WPS Registration protocol data
26 * @cfg: WPS configuration
27 * Returns: Pointer to allocated data or %NULL on failure
29 * This function is used to initialize WPS data for a registration protocol
30 * instance (i.e., each run of registration protocol as a Registrar of
31 * Enrollee. The caller is responsible for freeing this data after the
32 * registration run has been completed by calling wps_deinit().
34 struct wps_data
* wps_init(const struct wps_config
*cfg
)
36 struct wps_data
*data
= os_zalloc(sizeof(*data
));
40 data
->registrar
= cfg
->registrar
;
42 os_memcpy(data
->uuid_r
, cfg
->wps
->uuid
, WPS_UUID_LEN
);
44 os_memcpy(data
->mac_addr_e
, cfg
->wps
->dev
.mac_addr
, ETH_ALEN
);
45 os_memcpy(data
->uuid_e
, cfg
->wps
->uuid
, WPS_UUID_LEN
);
48 data
->dev_pw_id
= cfg
->dev_pw_id
;
49 data
->dev_password
= os_malloc(cfg
->pin_len
);
50 if (data
->dev_password
== NULL
) {
54 os_memcpy(data
->dev_password
, cfg
->pin
, cfg
->pin_len
);
55 data
->dev_password_len
= cfg
->pin_len
;
56 wpa_hexdump_key(MSG_DEBUG
, "WPS: AP PIN dev_password",
57 data
->dev_password
, data
->dev_password_len
);
61 if (cfg
->pin
== NULL
&&
62 cfg
->dev_pw_id
== DEV_PW_NFC_CONNECTION_HANDOVER
)
63 data
->dev_pw_id
= cfg
->dev_pw_id
;
65 if (cfg
->wps
->ap
&& !cfg
->registrar
&& cfg
->wps
->ap_nfc_dev_pw_id
) {
66 /* Keep AP PIN as alternative Device Password */
67 data
->alt_dev_pw_id
= data
->dev_pw_id
;
68 data
->alt_dev_password
= data
->dev_password
;
69 data
->alt_dev_password_len
= data
->dev_password_len
;
71 data
->dev_pw_id
= cfg
->wps
->ap_nfc_dev_pw_id
;
73 os_malloc(wpabuf_len(cfg
->wps
->ap_nfc_dev_pw
));
74 if (data
->dev_password
== NULL
) {
78 os_memcpy(data
->dev_password
,
79 wpabuf_head(cfg
->wps
->ap_nfc_dev_pw
),
80 wpabuf_len(cfg
->wps
->ap_nfc_dev_pw
));
81 data
->dev_password_len
= wpabuf_len(cfg
->wps
->ap_nfc_dev_pw
);
82 wpa_hexdump_key(MSG_DEBUG
, "WPS: NFC dev_password",
83 data
->dev_password
, data
->dev_password_len
);
85 #endif /* CONFIG_WPS_NFC */
89 /* Use special PIN '00000000' for PBC */
90 data
->dev_pw_id
= DEV_PW_PUSHBUTTON
;
91 os_free(data
->dev_password
);
92 data
->dev_password
= (u8
*) os_strdup("00000000");
93 if (data
->dev_password
== NULL
) {
97 data
->dev_password_len
= 8;
100 data
->state
= data
->registrar
? RECV_M1
: SEND_M1
;
102 if (cfg
->assoc_wps_ie
) {
103 struct wps_parse_attr attr
;
104 wpa_hexdump_buf(MSG_DEBUG
, "WPS: WPS IE from (Re)AssocReq",
106 if (wps_parse_msg(cfg
->assoc_wps_ie
, &attr
) < 0) {
107 wpa_printf(MSG_DEBUG
, "WPS: Failed to parse WPS IE "
108 "from (Re)AssocReq");
109 } else if (attr
.request_type
== NULL
) {
110 wpa_printf(MSG_DEBUG
, "WPS: No Request Type attribute "
111 "in (Re)AssocReq WPS IE");
113 wpa_printf(MSG_DEBUG
, "WPS: Request Type (from WPS IE "
114 "in (Re)AssocReq WPS IE): %d",
116 data
->request_type
= *attr
.request_type
;
120 if (cfg
->new_ap_settings
) {
121 data
->new_ap_settings
=
122 os_malloc(sizeof(*data
->new_ap_settings
));
123 if (data
->new_ap_settings
== NULL
) {
124 os_free(data
->dev_password
);
128 os_memcpy(data
->new_ap_settings
, cfg
->new_ap_settings
,
129 sizeof(*data
->new_ap_settings
));
133 os_memcpy(data
->peer_dev
.mac_addr
, cfg
->peer_addr
, ETH_ALEN
);
134 if (cfg
->p2p_dev_addr
)
135 os_memcpy(data
->p2p_dev_addr
, cfg
->p2p_dev_addr
, ETH_ALEN
);
137 data
->use_psk_key
= cfg
->use_psk_key
;
138 data
->pbc_in_m1
= cfg
->pbc_in_m1
;
140 if (cfg
->peer_pubkey_hash
) {
141 os_memcpy(data
->peer_pubkey_hash
, cfg
->peer_pubkey_hash
,
142 WPS_OOB_PUBKEY_HASH_LEN
);
143 data
->peer_pubkey_hash_set
= 1;
151 * wps_deinit - Deinitialize WPS Registration protocol data
152 * @data: WPS Registration protocol data from wps_init()
154 void wps_deinit(struct wps_data
*data
)
156 #ifdef CONFIG_WPS_NFC
157 if (data
->registrar
&& data
->nfc_pw_token
)
158 wps_registrar_remove_nfc_pw_token(data
->wps
->registrar
,
160 #endif /* CONFIG_WPS_NFC */
162 if (data
->wps_pin_revealed
) {
163 wpa_printf(MSG_DEBUG
, "WPS: Full PIN information revealed and "
164 "negotiation failed");
166 wps_registrar_invalidate_pin(data
->wps
->registrar
,
168 } else if (data
->registrar
)
169 wps_registrar_unlock_pin(data
->wps
->registrar
, data
->uuid_e
);
171 wpabuf_free(data
->dh_privkey
);
172 wpabuf_free(data
->dh_pubkey_e
);
173 wpabuf_free(data
->dh_pubkey_r
);
174 wpabuf_free(data
->last_msg
);
175 os_free(data
->dev_password
);
176 os_free(data
->alt_dev_password
);
177 os_free(data
->new_psk
);
178 wps_device_data_free(&data
->peer_dev
);
179 os_free(data
->new_ap_settings
);
180 dh5_free(data
->dh_ctx
);
186 * wps_process_msg - Process a WPS message
187 * @wps: WPS Registration protocol data from wps_init()
188 * @op_code: Message OP Code
190 * Returns: Processing result
192 * This function is used to process WPS messages with OP Codes WSC_ACK,
193 * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is
194 * responsible for reassembling the messages before calling this function.
195 * Response to this message is built by calling wps_get_msg().
197 enum wps_process_res
wps_process_msg(struct wps_data
*wps
,
198 enum wsc_op_code op_code
,
199 const struct wpabuf
*msg
)
202 return wps_registrar_process_msg(wps
, op_code
, msg
);
204 return wps_enrollee_process_msg(wps
, op_code
, msg
);
209 * wps_get_msg - Build a WPS message
210 * @wps: WPS Registration protocol data from wps_init()
211 * @op_code: Buffer for returning message OP Code
212 * Returns: The generated WPS message or %NULL on failure
214 * This function is used to build a response to a message processed by calling
215 * wps_process_msg(). The caller is responsible for freeing the buffer.
217 struct wpabuf
* wps_get_msg(struct wps_data
*wps
, enum wsc_op_code
*op_code
)
220 return wps_registrar_get_msg(wps
, op_code
);
222 return wps_enrollee_get_msg(wps
, op_code
);
227 * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC
228 * @msg: WPS IE contents from Beacon or Probe Response frame
229 * Returns: 1 if PBC Registrar is active, 0 if not
231 int wps_is_selected_pbc_registrar(const struct wpabuf
*msg
)
233 struct wps_parse_attr attr
;
236 * In theory, this could also verify that attr.sel_reg_config_methods
237 * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations
238 * do not set Selected Registrar Config Methods attribute properly, so
239 * it is safer to just use Device Password ID here.
242 if (wps_parse_msg(msg
, &attr
) < 0 ||
243 !attr
.selected_registrar
|| *attr
.selected_registrar
== 0 ||
244 !attr
.dev_password_id
||
245 WPA_GET_BE16(attr
.dev_password_id
) != DEV_PW_PUSHBUTTON
)
248 #ifdef CONFIG_WPS_STRICT
249 if (!attr
.sel_reg_config_methods
||
250 !(WPA_GET_BE16(attr
.sel_reg_config_methods
) &
251 WPS_CONFIG_PUSHBUTTON
))
253 #endif /* CONFIG_WPS_STRICT */
259 static int is_selected_pin_registrar(struct wps_parse_attr
*attr
)
262 * In theory, this could also verify that attr.sel_reg_config_methods
263 * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD,
264 * but some deployed AP implementations do not set Selected Registrar
265 * Config Methods attribute properly, so it is safer to just use
266 * Device Password ID here.
269 if (!attr
->selected_registrar
|| *attr
->selected_registrar
== 0)
272 if (attr
->dev_password_id
!= NULL
&&
273 WPA_GET_BE16(attr
->dev_password_id
) == DEV_PW_PUSHBUTTON
)
276 #ifdef CONFIG_WPS_STRICT
277 if (!attr
->sel_reg_config_methods
||
278 !(WPA_GET_BE16(attr
->sel_reg_config_methods
) &
279 (WPS_CONFIG_LABEL
| WPS_CONFIG_DISPLAY
| WPS_CONFIG_KEYPAD
)))
281 #endif /* CONFIG_WPS_STRICT */
288 * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN
289 * @msg: WPS IE contents from Beacon or Probe Response frame
290 * Returns: 1 if PIN Registrar is active, 0 if not
292 int wps_is_selected_pin_registrar(const struct wpabuf
*msg
)
294 struct wps_parse_attr attr
;
296 if (wps_parse_msg(msg
, &attr
) < 0)
299 return is_selected_pin_registrar(&attr
);
304 * wps_is_addr_authorized - Check whether WPS IE authorizes MAC address
305 * @msg: WPS IE contents from Beacon or Probe Response frame
306 * @addr: MAC address to search for
307 * @ver1_compat: Whether to use version 1 compatibility mode
308 * Returns: 2 if the specified address is explicit authorized, 1 if address is
309 * authorized (broadcast), 0 if not
311 int wps_is_addr_authorized(const struct wpabuf
*msg
, const u8
*addr
,
314 struct wps_parse_attr attr
;
317 const u8 bcast
[ETH_ALEN
] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
319 if (wps_parse_msg(msg
, &attr
) < 0)
322 if (!attr
.version2
&& ver1_compat
) {
324 * Version 1.0 AP - AuthorizedMACs not used, so revert back to
325 * old mechanism of using SelectedRegistrar.
327 return is_selected_pin_registrar(&attr
);
330 if (!attr
.authorized_macs
)
333 pos
= attr
.authorized_macs
;
334 for (i
= 0; i
< attr
.authorized_macs_len
/ ETH_ALEN
; i
++) {
335 if (os_memcmp(pos
, addr
, ETH_ALEN
) == 0)
337 if (os_memcmp(pos
, bcast
, ETH_ALEN
) == 0)
347 * wps_ap_priority_compar - Prioritize WPS IE from two APs
348 * @wps_a: WPS IE contents from Beacon or Probe Response frame
349 * @wps_b: WPS IE contents from Beacon or Probe Response frame
350 * Returns: 1 if wps_b is considered more likely selection for WPS
351 * provisioning, -1 if wps_a is considered more like, or 0 if no preference
353 int wps_ap_priority_compar(const struct wpabuf
*wps_a
,
354 const struct wpabuf
*wps_b
)
356 struct wps_parse_attr attr_a
, attr_b
;
359 if (wps_a
== NULL
|| wps_parse_msg(wps_a
, &attr_a
) < 0)
361 if (wps_b
== NULL
|| wps_parse_msg(wps_b
, &attr_b
) < 0)
364 sel_a
= attr_a
.selected_registrar
&& *attr_a
.selected_registrar
!= 0;
365 sel_b
= attr_b
.selected_registrar
&& *attr_b
.selected_registrar
!= 0;
377 * wps_get_uuid_e - Get UUID-E from WPS IE
378 * @msg: WPS IE contents from Beacon or Probe Response frame
379 * Returns: Pointer to UUID-E or %NULL if not included
381 * The returned pointer is to the msg contents and it remains valid only as
382 * long as the msg buffer is valid.
384 const u8
* wps_get_uuid_e(const struct wpabuf
*msg
)
386 struct wps_parse_attr attr
;
388 if (wps_parse_msg(msg
, &attr
) < 0)
395 * wps_is_20 - Check whether WPS attributes claim support for WPS 2.0
397 int wps_is_20(const struct wpabuf
*msg
)
399 struct wps_parse_attr attr
;
401 if (msg
== NULL
|| wps_parse_msg(msg
, &attr
) < 0)
403 return attr
.version2
!= NULL
;
408 * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request
409 * @req_type: Value for Request Type attribute
410 * Returns: WPS IE or %NULL on failure
412 * The caller is responsible for freeing the buffer.
414 struct wpabuf
* wps_build_assoc_req_ie(enum wps_request_type req_type
)
419 wpa_printf(MSG_DEBUG
, "WPS: Building WPS IE for (Re)Association "
421 ie
= wpabuf_alloc(100);
425 wpabuf_put_u8(ie
, WLAN_EID_VENDOR_SPECIFIC
);
426 len
= wpabuf_put(ie
, 1);
427 wpabuf_put_be32(ie
, WPS_DEV_OUI_WFA
);
429 if (wps_build_version(ie
) ||
430 wps_build_req_type(ie
, req_type
) ||
431 wps_build_wfa_ext(ie
, 0, NULL
, 0)) {
436 *len
= wpabuf_len(ie
) - 2;
443 * wps_build_assoc_resp_ie - Build WPS IE for (Re)Association Response
444 * Returns: WPS IE or %NULL on failure
446 * The caller is responsible for freeing the buffer.
448 struct wpabuf
* wps_build_assoc_resp_ie(void)
453 wpa_printf(MSG_DEBUG
, "WPS: Building WPS IE for (Re)Association "
455 ie
= wpabuf_alloc(100);
459 wpabuf_put_u8(ie
, WLAN_EID_VENDOR_SPECIFIC
);
460 len
= wpabuf_put(ie
, 1);
461 wpabuf_put_be32(ie
, WPS_DEV_OUI_WFA
);
463 if (wps_build_version(ie
) ||
464 wps_build_resp_type(ie
, WPS_RESP_AP
) ||
465 wps_build_wfa_ext(ie
, 0, NULL
, 0)) {
470 *len
= wpabuf_len(ie
) - 2;
477 * wps_build_probe_req_ie - Build WPS IE for Probe Request
478 * @pw_id: Password ID (DEV_PW_PUSHBUTTON for active PBC and DEV_PW_DEFAULT for
479 * most other use cases)
480 * @dev: Device attributes
482 * @req_type: Value for Request Type attribute
483 * @num_req_dev_types: Number of requested device types
484 * @req_dev_types: Requested device types (8 * num_req_dev_types octets) or
486 * Returns: WPS IE or %NULL on failure
488 * The caller is responsible for freeing the buffer.
490 struct wpabuf
* wps_build_probe_req_ie(u16 pw_id
, struct wps_device_data
*dev
,
492 enum wps_request_type req_type
,
493 unsigned int num_req_dev_types
,
494 const u8
*req_dev_types
)
498 wpa_printf(MSG_DEBUG
, "WPS: Building WPS IE for Probe Request");
500 ie
= wpabuf_alloc(500);
504 if (wps_build_version(ie
) ||
505 wps_build_req_type(ie
, req_type
) ||
506 wps_build_config_methods(ie
, dev
->config_methods
) ||
507 wps_build_uuid_e(ie
, uuid
) ||
508 wps_build_primary_dev_type(dev
, ie
) ||
509 wps_build_rf_bands(dev
, ie
, 0) ||
510 wps_build_assoc_state(NULL
, ie
) ||
511 wps_build_config_error(ie
, WPS_CFG_NO_ERROR
) ||
512 wps_build_dev_password_id(ie
, pw_id
) ||
514 wps_build_manufacturer(dev
, ie
) ||
515 wps_build_model_name(dev
, ie
) ||
516 wps_build_model_number(dev
, ie
) ||
517 wps_build_dev_name(dev
, ie
) ||
518 wps_build_wfa_ext(ie
, req_type
== WPS_REQ_ENROLLEE
, NULL
, 0) ||
519 #endif /* CONFIG_WPS2 */
520 wps_build_req_dev_type(dev
, ie
, num_req_dev_types
, req_dev_types
)
522 wps_build_secondary_dev_type(dev
, ie
)
529 if (dev
->p2p
&& wps_build_dev_name(dev
, ie
)) {
533 #endif /* CONFIG_WPS2 */
535 return wps_ie_encapsulate(ie
);
539 void wps_free_pending_msgs(struct upnp_pending_message
*msgs
)
541 struct upnp_pending_message
*p
, *prev
;
546 wpabuf_free(prev
->msg
);
552 int wps_attr_text(struct wpabuf
*data
, char *buf
, char *end
)
554 struct wps_parse_attr attr
;
558 if (wps_parse_msg(data
, &attr
) < 0)
561 if (attr
.wps_state
) {
562 if (*attr
.wps_state
== WPS_STATE_NOT_CONFIGURED
)
563 ret
= os_snprintf(pos
, end
- pos
,
564 "wps_state=unconfigured\n");
565 else if (*attr
.wps_state
== WPS_STATE_CONFIGURED
)
566 ret
= os_snprintf(pos
, end
- pos
,
567 "wps_state=configured\n");
570 if (ret
< 0 || ret
>= end
- pos
)
575 if (attr
.ap_setup_locked
&& *attr
.ap_setup_locked
) {
576 ret
= os_snprintf(pos
, end
- pos
,
577 "wps_ap_setup_locked=1\n");
578 if (ret
< 0 || ret
>= end
- pos
)
583 if (attr
.selected_registrar
&& *attr
.selected_registrar
) {
584 ret
= os_snprintf(pos
, end
- pos
,
585 "wps_selected_registrar=1\n");
586 if (ret
< 0 || ret
>= end
- pos
)
591 if (attr
.dev_password_id
) {
592 ret
= os_snprintf(pos
, end
- pos
,
593 "wps_device_password_id=%u\n",
594 WPA_GET_BE16(attr
.dev_password_id
));
595 if (ret
< 0 || ret
>= end
- pos
)
600 if (attr
.sel_reg_config_methods
) {
601 ret
= os_snprintf(pos
, end
- pos
,
602 "wps_selected_registrar_config_methods="
604 WPA_GET_BE16(attr
.sel_reg_config_methods
));
605 if (ret
< 0 || ret
>= end
- pos
)
610 if (attr
.primary_dev_type
) {
611 char devtype
[WPS_DEV_TYPE_BUFSIZE
];
612 ret
= os_snprintf(pos
, end
- pos
,
613 "wps_primary_device_type=%s\n",
614 wps_dev_type_bin2str(attr
.primary_dev_type
,
617 if (ret
< 0 || ret
>= end
- pos
)
623 char *str
= os_malloc(attr
.dev_name_len
+ 1);
627 for (i
= 0; i
< attr
.dev_name_len
; i
++) {
628 if (attr
.dev_name
[i
] < 32)
631 str
[i
] = attr
.dev_name
[i
];
634 ret
= os_snprintf(pos
, end
- pos
, "wps_device_name=%s\n", str
);
636 if (ret
< 0 || ret
>= end
- pos
)
641 if (attr
.config_methods
) {
642 ret
= os_snprintf(pos
, end
- pos
,
643 "wps_config_methods=0x%04x\n",
644 WPA_GET_BE16(attr
.config_methods
));
645 if (ret
< 0 || ret
>= end
- pos
)
654 const char * wps_ei_str(enum wps_error_indication ei
)
657 case WPS_EI_NO_ERROR
:
659 case WPS_EI_SECURITY_TKIP_ONLY_PROHIBITED
:
660 return "TKIP Only Prohibited";
661 case WPS_EI_SECURITY_WEP_PROHIBITED
:
662 return "WEP Prohibited";
663 case WPS_EI_AUTH_FAILURE
:
664 return "Authentication Failure";