WPS 2.0: Disable WPS workarounds if CONFIG_WPS_STRICT is defined
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
5314d652d4
commit
dcc4d8be75
|
|
@ -865,6 +865,7 @@ static int hostapd_rx_req_put_wlan_response(
|
||||||
*/
|
*/
|
||||||
|
|
||||||
sta = ap_get_sta(hapd, mac_addr);
|
sta = ap_get_sta(hapd, mac_addr);
|
||||||
|
#ifndef CONFIG_WPS_STRICT
|
||||||
if (!sta) {
|
if (!sta) {
|
||||||
/*
|
/*
|
||||||
* Workaround - Intel wsccmd uses bogus NewWLANEventMAC:
|
* Workaround - Intel wsccmd uses bogus NewWLANEventMAC:
|
||||||
|
|
@ -878,6 +879,7 @@ static int hostapd_rx_req_put_wlan_response(
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
|
|
||||||
if (!sta) {
|
if (!sta) {
|
||||||
wpa_printf(MSG_DEBUG, "WPS UPnP: No matching STA found");
|
wpa_printf(MSG_DEBUG, "WPS UPnP: No matching STA found");
|
||||||
|
|
|
||||||
|
|
@ -201,6 +201,13 @@ int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
|
||||||
WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
|
WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
if (!attr.sel_reg_config_methods ||
|
||||||
|
!(WPA_GET_BE16(attr.sel_reg_config_methods) &
|
||||||
|
WPS_CONFIG_PUSHBUTTON))
|
||||||
|
return 0;
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -222,6 +229,13 @@ static int is_selected_pin_registrar(struct wps_parse_attr *attr)
|
||||||
WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
|
WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
if (!attr->sel_reg_config_methods ||
|
||||||
|
!(WPA_GET_BE16(attr->sel_reg_config_methods) &
|
||||||
|
(WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
|
||||||
|
return 0;
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,9 @@
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "wps_i.h"
|
#include "wps_i.h"
|
||||||
|
|
||||||
|
#ifndef CONFIG_WPS_STRICT
|
||||||
#define WPS_WORKAROUNDS
|
#define WPS_WORKAROUNDS
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
|
|
||||||
|
|
||||||
static int wps_set_attr(struct wps_parse_attr *attr, u16 type,
|
static int wps_set_attr(struct wps_parse_attr *attr, u16 type,
|
||||||
|
|
|
||||||
|
|
@ -264,11 +264,18 @@ static int wps_process_cred_802_1x_enabled(struct wps_credential *cred,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void wps_workaround_cred_key(struct wps_credential *cred)
|
static int wps_workaround_cred_key(struct wps_credential *cred)
|
||||||
{
|
{
|
||||||
if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
|
if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
|
||||||
cred->key_len > 8 && cred->key_len < 64 &&
|
cred->key_len > 8 && cred->key_len < 64 &&
|
||||||
cred->key[cred->key_len - 1] == 0) {
|
cred->key[cred->key_len - 1] == 0) {
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
wpa_printf(MSG_INFO, "WPS: WPA/WPA2-Personal passphrase uses "
|
||||||
|
"forbidden NULL termination");
|
||||||
|
wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
|
||||||
|
cred->key, cred->key_len);
|
||||||
|
return -1;
|
||||||
|
#else /* CONFIG_WPS_STRICT */
|
||||||
/*
|
/*
|
||||||
* A deployed external registrar is known to encode ASCII
|
* A deployed external registrar is known to encode ASCII
|
||||||
* passphrases incorrectly. Remove the extra NULL termination
|
* passphrases incorrectly. Remove the extra NULL termination
|
||||||
|
|
@ -277,7 +284,9 @@ static void wps_workaround_cred_key(struct wps_credential *cred)
|
||||||
wpa_printf(MSG_DEBUG, "WPS: Workaround - remove NULL "
|
wpa_printf(MSG_DEBUG, "WPS: Workaround - remove NULL "
|
||||||
"termination from ASCII passphrase");
|
"termination from ASCII passphrase");
|
||||||
cred->key_len--;
|
cred->key_len--;
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
}
|
}
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -303,9 +312,7 @@ int wps_process_cred(struct wps_parse_attr *attr,
|
||||||
wps_process_cred_802_1x_enabled(cred, attr->dot1x_enabled))
|
wps_process_cred_802_1x_enabled(cred, attr->dot1x_enabled))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
wps_workaround_cred_key(cred);
|
return wps_workaround_cred_key(cred);
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -324,7 +331,5 @@ int wps_process_ap_settings(struct wps_parse_attr *attr,
|
||||||
wps_process_cred_mac_addr(cred, attr->mac_addr))
|
wps_process_cred_mac_addr(cred, attr->mac_addr))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
wps_workaround_cred_key(cred);
|
return wps_workaround_cred_key(cred);
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -664,7 +664,7 @@ static int wps_process_r_snonce2(struct wps_data *wps, const u8 *r_snonce2)
|
||||||
|
|
||||||
|
|
||||||
static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
|
static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
|
||||||
size_t cred_len)
|
size_t cred_len, int wps2)
|
||||||
{
|
{
|
||||||
struct wps_parse_attr attr;
|
struct wps_parse_attr attr;
|
||||||
struct wpabuf msg;
|
struct wpabuf msg;
|
||||||
|
|
@ -689,6 +689,13 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
|
||||||
* reasons, allow this to be processed since we do not really
|
* reasons, allow this to be processed since we do not really
|
||||||
* use the MAC Address information for anything.
|
* use the MAC Address information for anything.
|
||||||
*/
|
*/
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
if (wps2) {
|
||||||
|
wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
|
||||||
|
"MAC Address in AP Settings");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
}
|
}
|
||||||
|
|
||||||
if (wps->wps->cred_cb) {
|
if (wps->wps->cred_cb) {
|
||||||
|
|
@ -704,7 +711,7 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
|
||||||
|
|
||||||
|
|
||||||
static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
|
static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
|
||||||
size_t cred_len[], size_t num_cred)
|
size_t cred_len[], size_t num_cred, int wps2)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
|
|
@ -718,7 +725,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < num_cred; i++) {
|
for (i = 0; i < num_cred; i++) {
|
||||||
if (wps_process_cred_e(wps, cred[i], cred_len[i]))
|
if (wps_process_cred_e(wps, cred[i], cred_len[i], wps2))
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -728,7 +735,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
|
||||||
|
|
||||||
static int wps_process_ap_settings_e(struct wps_data *wps,
|
static int wps_process_ap_settings_e(struct wps_data *wps,
|
||||||
struct wps_parse_attr *attr,
|
struct wps_parse_attr *attr,
|
||||||
struct wpabuf *attrs)
|
struct wpabuf *attrs, int wps2)
|
||||||
{
|
{
|
||||||
struct wps_credential cred;
|
struct wps_credential cred;
|
||||||
|
|
||||||
|
|
@ -754,6 +761,13 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
|
||||||
* reasons, allow this to be processed since we do not really
|
* reasons, allow this to be processed since we do not really
|
||||||
* use the MAC Address information for anything.
|
* use the MAC Address information for anything.
|
||||||
*/
|
*/
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
if (wps2) {
|
||||||
|
wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
|
||||||
|
"MAC Address in AP Settings");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
}
|
}
|
||||||
|
|
||||||
if (wps->wps->cred_cb) {
|
if (wps->wps->cred_cb) {
|
||||||
|
|
@ -994,8 +1008,9 @@ static enum wps_process_res wps_process_m8(struct wps_data *wps,
|
||||||
if (wps_parse_msg(decrypted, &eattr) < 0 ||
|
if (wps_parse_msg(decrypted, &eattr) < 0 ||
|
||||||
wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
|
wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
|
||||||
wps_process_creds(wps, eattr.cred, eattr.cred_len,
|
wps_process_creds(wps, eattr.cred, eattr.cred_len,
|
||||||
eattr.num_cred) ||
|
eattr.num_cred, attr->version2 != NULL) ||
|
||||||
wps_process_ap_settings_e(wps, &eattr, decrypted)) {
|
wps_process_ap_settings_e(wps, &eattr, decrypted,
|
||||||
|
attr->version2 != NULL)) {
|
||||||
wpabuf_free(decrypted);
|
wpabuf_free(decrypted);
|
||||||
wps->state = SEND_WSC_NACK;
|
wps->state = SEND_WSC_NACK;
|
||||||
return WPS_CONTINUE;
|
return WPS_CONTINUE;
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,9 @@
|
||||||
#include "wps_upnp.h"
|
#include "wps_upnp.h"
|
||||||
#include "wps_upnp_i.h"
|
#include "wps_upnp_i.h"
|
||||||
|
|
||||||
|
#ifndef CONFIG_WPS_STRICT
|
||||||
#define WPS_WORKAROUNDS
|
#define WPS_WORKAROUNDS
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
|
|
||||||
struct wps_uuid_pin {
|
struct wps_uuid_pin {
|
||||||
struct dl_list list;
|
struct dl_list list;
|
||||||
|
|
|
||||||
|
|
@ -523,6 +523,11 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
|
||||||
if (hwaddr_aton(val, macaddr)) {
|
if (hwaddr_aton(val, macaddr)) {
|
||||||
wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
|
wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
|
||||||
"PutWLANResponse: '%s'", val);
|
"PutWLANResponse: '%s'", val);
|
||||||
|
#ifdef CONFIG_WPS_STRICT
|
||||||
|
wpabuf_free(msg);
|
||||||
|
os_free(val);
|
||||||
|
return UPNP_ARG_VALUE_INVALID;
|
||||||
|
#else /* CONFIG_WPS_STRICT */
|
||||||
if (hwaddr_aton2(val, macaddr) > 0) {
|
if (hwaddr_aton2(val, macaddr) > 0) {
|
||||||
/*
|
/*
|
||||||
* At least some versions of Intel PROset seem to be
|
* At least some versions of Intel PROset seem to be
|
||||||
|
|
@ -536,6 +541,7 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
|
||||||
os_free(val);
|
os_free(val);
|
||||||
return UPNP_ARG_VALUE_INVALID;
|
return UPNP_ARG_VALUE_INVALID;
|
||||||
}
|
}
|
||||||
|
#endif /* CONFIG_WPS_STRICT */
|
||||||
}
|
}
|
||||||
os_free(val);
|
os_free(val);
|
||||||
if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {
|
if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue