If a Registrar tries to configure the AP, but fails to validate the
device password (AP PIN), lock the AP setup after four failures. This
protects the AP PIN against brute force guessing attacks.
This optional configuration parameter can be used to override AP
Settings attributes in M7 similarly to extra_cred option for Credential
attribute(s) in M8.
WPS spec is not very specific on the presentation used for the DH
values. The Public Key attribute is described to be 192 octets long, so
that could be interpreted to imply that other places use fixed length
presentation for the DH keys. Change the DH derivation to use fixed
length bufferd by zero padding them from beginning if needed. This can
resolve infrequent (about 1/256 chance for both Public Key and Shared
Key being shorter) interop issues.
This is needed to allow external Registrar (at least the implementation
in Windows Vista) to configure the Enrollee.
With this patch and my previous patch (for wps.c) , I could pass "Wi-Fi
WPS Test Plan Version 1.0 [5.1.4. Add to AP using PIN Config method and
PASS PHRASE through wired external registrar]".
I can't pass the "Wi-Fi WPS Test Plan Version 1.0 [5.1.4. Add to AP
using PIN Config method and PASS PHRASE through wired external
registrar]". The wpa_supplicant-0.6.7 can't recoginize the testbed
AP(BCM94704AGRRev-E.2.4) as WPS PIN AP. Because after PIN entered, the
AP sends Selected Registrar attribute=0 and not send Device Password ID
attribute.
The proposed change as-is removed validation of Selected Registrar
attribute completely. However, that part is not included in this commit
since it can cause problems for environments with multiple WPS-enabled
APs. Another workaround for this will be considered in wpa_supplicant
scanning process (e.g., start trying to use WPS with APs that do not set
Selected Registrar to TRUE after couple of scan runs that do not find
any APs with Selected Registrar TRUE).
This operation can now be moved into an external program by configuring
hostapd with wps_cred_processing=1 and skip_cred_build=1. A new
ctrl_iface message (WPS-REG-SUCCESS <Enrollee MAC addr> <UUID-E>) will
be used to notify external programs of each successful registration and
that can be used as a tricker to move from unconfigured to configured
state.
This makes it easier to pass the credential data to external programs
(e.g., Network Manager) for processing. The actual use of this data is
not yet included in hostapd/wpa_supplicant.
Some deployed WPS implementations fail to parse zero-length attributes.
As a workaround, send a null character if the device attribute string is
empty. This allows default values (empty strings) to be used without
interop issues.
Before this change, it looked like an AP that was using wsccmd did not
get activated since wsccmd left the Selected Registrar Config Methods
attribute to be zero. Since Device Password ID can be used to
distinguish PBC from any other method, use only it to figure out whether
PBC or PIN method is active.
This callback is now used to stop wpa_supplicant from trying to continue
using parameters (most likely, device password) that do not work in a
loop. In addition, wpa_gui can now notify user of failed registration.
The event callback will be used for various event messages and the M2D
notification is the first such message. It is used to notify wpa_gui
about Registrar not yet knowing the device password (PIN).
Instead of sending out EAP-Failure on errors (on AP) or stopping (on
Supplicant), send a NACK message based on the allowed EAP state machine
transitions for EAP-WSC.
Since the Registrar may not yet know the UUID-E when a new PIN is
entered, use of a wildcard PIN that works with any UUID-E can be useful.
Such a PIN will be bound to the first Enrollee trying to use it and it
will be invalidated after the first use.
Fragment WPS IE if needed to fit into the IE length limits in hostapd
and Reassemble WPS IE data from multiple IEs in wpa_supplicant.
In addition, moved WPS code from events.c into wps_supplicant.c to clean
up module interfaces.
These functions fit in better with the category of functions included in
wps.c. wps_common.c is now used for generic helper functions (currently,
only crypto code).
WPS IE is now passed from hostapd association processing into EAP-WSC
and WPS processing. Request Type attribute is parsed from this
information and if the request is for a WLAN Manager Registrar,
additional management keys are derived (to be used with UPnP).
Previously, wpa_supplicant as Enrollee case was handled using a
different callback function pointer. However, now that the wps_context
structure is allocated for all cases, the same variable can be used in
all cases.
Previously, hardcoded values were used in wps_enrollee.c. These are now
moved into shared data in struct wps_context. In case of
AP/Authenticator, these are initialized in wps_hostapd.c. In case of
client/supplicant, these are now initialized in EAP-WSC peer method,
but will probably end up being moved into higher layer for better
configuration.
EAP-WSC peer method for
This allows the network to be used after the Registrar configuration
step. The local WPS network is replaced with a new network block
similarly to the case of acting as an Enrollee.
This makes it easier to store old AP settings into wps->cred (and allow
them to modified and taken into use in the future). Separation between
Credential and AP Settings building is also cleaner in this design.
The old (i.e., currently used) AP Settings are processed. For now, they
are copied as-is into M8 as new AP Settings to avoid changing
configuration. This should be changed to allow external programs (e.g.,
GUI) to fetch the old AP settings over ctrl_iface and then allow
settings to be changed before sending M8 with the new settings.
The core processing of attributes into struct wps_credential is now in
wps_common.c (was in wps_enrollee.c), so that the same code can be
shared with Registrar.
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.
Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
