Commit Graph

432 Commits

Author SHA1 Message Date
Jouni Malinen
f19e370e15 WPS: Do not advertise WPA/WPA2-Enterprise Auth Type Flags
While the device itself may support WPA/WPA2-Enterprise, enrollment of
credentials for EAP authentication is not supported through WPS. As
such, there is no need to claim support for these capabilities within
WPS information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-20 15:13:48 +02:00
Jouni Malinen
fdb45355d4 WPS: Extend per-station PSK to support ER case as well
When wpa_psk_file is used instead of wpa_psk/wpa_passphrase, each WPS
Enrollee was given a unique PSK. This did not work for the
station-as-Registrar case where ER would learn the current AP settings
instead of enrolling itself (i.e., when using the AP PIN instead of
station PIN). That case can be covered with a similar design, so
generate a per-device PSK when building M7 as an AP in wpa_psk_file
configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 18:22:25 +02:00
Rahul Jain
8714caa1c2 WPS: Parse Registrar Configuration Methods
This new subelement was added into the WFA Vendor Extension.

Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
2014-03-05 23:26:16 +02:00
Jouni Malinen
3b6170b78d WPS: Remove duplicate variable setting
There is no need to use a for loop here since the h variable is
set identically at the beginning of the body anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
bd27b1360f Make code path easier for static analyzers
record->type == NULL case was handled through the record->type_length
comparison. While this was correct, it is a bit difficult for static
analyzers to understand, so add an extra check for NULL to avoid false
reports on this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:11 +02:00
Jouni Malinen
329039869a WPS: Fix UNSUBSCRIBE error returns if NT or CALLBACK header is used
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-22 18:58:33 +02:00
Jouni Malinen
f34df28e93 WPS: Fix UNSUBSCRIBE to return 412 if no SID match found
UPnP-arch-DeviceArchitecture describe ErrorCode 412 to be used for the
case where no un-epxired subscription matches. This used to return 200
which is not strictly speaking correct even though it is unlikely to
cause any problems.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-22 18:58:33 +02:00
Jouni Malinen
80f256a568 WPS: Remove unnecessary filename NULL check
The caller of the GET parser is checking this already and the GET case
was the only one that ended up doing the duplicated validation step.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-22 14:07:23 +02:00
Jouni Malinen
3cdcb3a4b3 tests: Add module tests for WPS attribute parsing
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-21 13:41:30 +02:00
Jouni Malinen
da179bd0e1 WPS: Fix parsing of 0-length WFA vendor extension subelement
The previous parser would have skipped a WFA vendor extension attribute
that includes only a single zero-length subelement. No such subelement
has been defined so far, so this does not really affect any
functionality, but better make the parser address this correctly should
such an element ever be added.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-21 13:08:08 +02:00
Jouni Malinen
8c18fcc237 WPS: Add more debug information to M7 AP Settings
This allows the AP Settings data to be included in debug log
(only with -K on command line).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-07 19:33:47 +02:00
Jouni Malinen
d7a15d5953 WPS: Indicate current AP settings in M7 in unconfigurated state
Previously, unconfigured state was forcing the best supported
authentication and encryption state to be shown in WPS messages,
including AP Settings in M7 in case the AP acts as an Enrollee. This is
not really correct for the AP Settings case, so change that one to
indicate the currently configured state.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-07 19:33:19 +02:00
Jouni Malinen
0b5ff2ae12 WPS: Remove unused Credential AP Channel processing
Commit bd3a373767 added a mechanism to use
AP Channel attribute from within a Credential attribute to optimize
scans. However, this design is not actually used with the WPS NFC use
cases. With configuration token, the AP Channel attribute is in the same
container with the Credential attribute (and that was also handled in
the previous implementation). With connection handover, AP Channel
information is outside the Credential attribute as well.

Simplify implementation by removing the AP Channel within Credential
case. This allows wpas_wps_use_cred() to get the AP Channel from the
container instead of having to find this during credential iteration.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-04 13:23:35 +02:00
Jouni Malinen
1536cb5756 WPS: Remove unused 802.1X attribute parsing and processing
This is not really used in practice and there is no need to maintain
unsed code that would only print debug log entries.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-02-04 13:23:35 +02:00
Jouni Malinen
91226e0d12 WPS: Add testing option to corrupt public key hash
If CONFIG_WPS_TESTING=y is enabled in build configuration, the new
wps_corrupt_pkhash parameter (similar to wps_testing_dummy_cred) can be
used to request public key hash to be corrupted in all generated OOB
Device Password attributes. This can be used for testing purposes to
validate public key hash validation steps.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:31 +02:00
Jouni Malinen
d2f18378e1 WPS NFC: Add BSSID and AP channel info to Configuration Token
This information can help the Enrollee to find the AP more quickly with
an optimized scan.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:31 +02:00
Jouni Malinen
75dbf98157 WPS-STRICT: Update valid Device Password ID and Config Error range
Accept the new values defined for WPS NFC.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:31 +02:00
Jouni Malinen
dd87677115 P2P NFC: Enable own NFC Tag on GO Registrar
When "P2P_SET nfc_tag 1" is used to enable the own NFC Tag for P2P, also
enable it for any running GO interface.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:30 +02:00
Jouni Malinen
ac08752d28 WPS NFC: Use pubkey mismatch config error from Enrollee
This was already done for Registrar, but the Enrollee case did not
set config error properly if Registrar public key did not match the
hash received during NFC connection handover.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:30 +02:00
Jouni Malinen
db6ae69e6b P2P NFC: Report connection handover as trigger for P2P
"NFC_REPORT_HANDOVER {INIT,RESP} P2P <req> <sel>" can now be used to
report completed NFC negotiated connection handover in which the P2P
alternative carrier was selected.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:56 +02:00
Jouni Malinen
5154689468 P2P NFC: Add WPS attribute building for P2P NFC
These functions can be used to build the WPS attributes for P2P NFC
connection handover messages.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
01afd8dbd7 P2P NFC: Add NDEF helpers for P2P connection handover messages
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
14d8645f63 WPS NFC: Allow BSSID and channel to be included in handover select
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
50d1f8901c NFC: Update WPS ER to use the new connection handover design
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
41f9ffb635 WPS NFC: Build new style carrier record for connection handover request
It is more useful to be able to build a single NFC carrier record
instead of the full connection handover request message to allow
external components to decide whether to negotiate which alternative
carrier is used. This updates the carrier record contents to the new
design to include Enrollee public key hash and provides this as a
carrier record instead of full message. An external program is expected
to be used to build the full NFC connection handover message with
potentially other alternative carrier records included.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
3f1639da57 WPS NFC: Split DH key generation to a separate function
This allows DH key generation to be shared for other purposes than just
the case of OOB Device Password building. In addition, force the DH
public key buffer to be full 192 octets with zero padding to avoid
issues with the buffer being used in messages sent to a peer device.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
975491793b WPS NFC: Update NFC connection handover design
The new Device Password ID 7 is used to indicate that NFC connection
handover is used with DH public key hash from both devices being
exchanged over the NFC connection handover messages. This allows an
abbreviated M1-M2 handshake to be used since Device Password does not
need to be used when DH is authenticated with the out-of-band
information (validation of the public key against the hash).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
34b6795015 WPS NFC: Use abbreviated handshake if both PK hashes delivered OOB
When both the Registrar and Enrollee public key hashes are delivered
out-of-band (in NFC connection handover), use abbreviated WPS handshake
(skip M3-M8).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
5f4545573f WPS NFC: Validate peer public key hash on Enrollee
Since the Enrollee can now get the public key hash from the Registrar,
there is need to validate this during the WPS protocol run.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
ff40cd6dd1 WPS NFC: Send M2D with config error 20 on pkhash mismatch
Instead of terminating the WPS protocol immediately, go through an M2D
exchange to notify Enrollee of the public key hash mismatch.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
e435417eef WPS: Remove Version attribute from NFC messages
This old Version attribute is not really needed anymore for these use
cases with the assumption that there are no existing WPS+NFC
deployments. It was removed from the WSC specification, so make the
implementation match that change.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
72403ecef7 WPS: Add builder functions for AP Channel and RF Bands attributes
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
ea6fc58ccf WPS: Convert printf() debug print to use wpa_printf()
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
67807132cf WPS: Remove unused send_wpabuf()
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:33 +02:00
Jouni Malinen
75d1d0f7b6 WPS: Allow testing mode to disable 2.0 functionality
Previously, wps_version_number was used only to test extensibility to
newer version numbers, but it can also be used to enable testing of
older versions (1.0), e.g., to avoid hitting some 2.0 specific
validation steps.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:32 +02:00
Jouni Malinen
f7e2542f28 Remove unused wps_device_data_dup()
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:32 +02:00
Jouni Malinen
c89d9dba9c Remove unnecessary extra tracking of eloop registration
It is fine to try to cancel a registration that does not exist, so there
is no need to have the duplicated checks for eloop timeout and socket
registration.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:32 +02:00
Jouni Malinen
c86bf160a7 Replace unnecessary hex_value() with hex2byte()
There is no need to maintain two functions for doing
the same type of hex-to-binary conversion.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:32 +02:00
Jouni Malinen
c9629476f3 WPS ER: Fix deinit timeout handling with delayed/failing unsubscribe
The five second timeout to call wps_er_deinit_finish() could potentially
be left behind when removing the ER data based on some other event. This
could result in double-freeing of wps_er context killing the process,
e.g., if the WPS ER functionality is stopped while in the process of
unsubscribing from an AP and then restarted.

In addition, AP entries could still be present in the
er->ap_unsubscribing list when the deinit timeout hits. These entries
would still maintain HTTP context pointing to the ER which would be
freed here and as such, the following HTTP client callback could refer
to freed memory and kill the process. Fix this by freeing AP entries
from ap_unsubscribing list when ER is deinitialized from timeout even if
such AP entries have not completed unsubscription from UPnP events.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-12-26 20:50:28 +02:00
Johannes Berg
196a217403 WPS_UPNP: Use monotonic time for event debouncing
The event debouncing isn't very accurate (since it doesn't
take sub-second resolution into account), but it should use
monotonic time anyway since it doesn't care about the wall
clock.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-12-24 07:57:10 +02:00
Johannes Berg
864c9afa6d wps_registrar: Use monotonic time for PBC workaround
The PBC ignore-start workaround just needs to check whether
the time is within 5 seconds, so should use monotonic time.

While at it, add a few more ifdefs to clearly separate the
code and variables needed.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-12-24 07:54:40 +02:00
Johannes Berg
61e98e9cf7 wps_registrar: Use monotonic time for PBC session timeout
PBC sessions are just time-stamped when activated, and
eventually time out, so should use monotonic time.

While at it, make the code use os_reltime_expired().

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-12-24 07:52:49 +02:00
Johannes Berg
3647e5a7cb wps_registrar: Use monotonic time for PIN timeout
If the PIN expires, then a timeout is given, so that monotonic
time should be used.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-12-24 07:51:41 +02:00
Jouni Malinen
7feff06567 Add CONFIG_CODE_COVERAGE=y option for gcov
This can be used to measure code coverage from test scripts.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-24 19:16:12 +02:00
Jouni Malinen
b6881b5218 WPS NFC: Add more debug for NFC Password Token matching
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-11-07 13:48:49 +02:00
Jouni Malinen
67a88a747c WPS NFC: Add debug log entry on OOB Dev Pw attribute addition
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-11-07 13:48:42 +02:00
Jouni Malinen
3318376101 Add explicit buffer length checks for p2p_build_wps_ie()
Even though the length of this buffer is based only on locally
configured information, it is cleaner to include explicit buffer room
validation steps when adding the attributes into the buffer.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-26 15:55:46 +03:00
Jouni Malinen
e88060e1a7 HTTP server: Allow TCP socket to be reused
This makes it easier to handle cases where the application is restarted
and the previously used local TCP port may not have been fully cleared
in the network stack.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Jouni Malinen
d047ae6278 WPS: Ignore PBC-to-PIN change from M1 to M2 as a workaround
Some APs may incorrectly change Device Password ID from PBC in M1 to
Default PIN in M2 even when they are ready to continue with PBC. This
behavior used to work with earlier implementation in wpa_supplicant, but
commit b4a17a6ea7 started validating this
as part of a change that is needed to support NFC configuration method.

While this kind of AP behavior is against the WSC specification and
there could be potential use cases for moving from PBC to PIN, e.g., in
case of PBC session overlap, it is justifiable to work around this issue
to avoid interoperability issues with deployed APs. There are no known
implementations of PBC-to-PIN change from M1 to M2, so this should not
reduce available functionality in practice.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-14 12:02:33 -07:00
Jouni Malinen
52177fbb70 P2P: Store P2P Device Address in per-device PSK records
This makes the P2P Device Address of the Enrollee available with the PSK
records to allow P2P Device Address instead of P2P Interface Address to
be used for finding the correct PSK.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 10:47:34 +03:00