static void hostapd_wps_reenable_ap_pin(void *eloop_data, void *user_ctx)
{
struct hostapd_data *hapd = eloop_data;
if (hapd->conf->ap_setup_locked)
return;
wpa_printf(MSG_DEBUG, "WPS: Re-enable AP PIN");
wpa_msg(hapd->msg_ctx, MSG_INFO, WPS_EVENT_AP_SETUP_UNLOCKED);
hapd->wps->ap_setup_locked = 0;
wps_registrar_update_ie(hapd->wps->registrar);
}
static int wps_pwd_auth_fail(struct hostapd_data *hapd, void *ctx)
{
struct wps_event_pwd_auth_fail *data = ctx;
if (!data->enrollee || hapd->conf->ap_pin == NULL || hapd->wps == NULL)
return 0;
/*
* Registrar failed to prove its knowledge of the AP PIN. Lock AP setup
* for some time if this happens multiple times to slow down brute
* force attacks.
*/
hapd->ap_pin_failures++;
hapd->ap_pin_failures_consecutive++;
wpa_printf(MSG_DEBUG, "WPS: AP PIN authentication failure number %u "
"(%u consecutive)",
hapd->ap_pin_failures, hapd->ap_pin_failures_consecutive);
if (hapd->ap_pin_failures < 3)
return 0;
wpa_msg(hapd->msg_ctx, MSG_INFO, WPS_EVENT_AP_SETUP_LOCKED);
hapd->wps->ap_setup_locked = 1;
wps_registrar_update_ie(hapd->wps->registrar);
if (!hapd->conf->ap_setup_locked &&
hapd->ap_pin_failures_consecutive >= 10) {
/*
* In indefinite lockdown - disable automatic AP PIN
* reenablement.
*/
eloop_cancel_timeout(hostapd_wps_reenable_ap_pin, hapd, NULL);
wpa_printf(MSG_DEBUG, "WPS: AP PIN disabled indefinitely");
} else if (!hapd->conf->ap_setup_locked) {
if (hapd->ap_pin_lockout_time == 0)
hapd->ap_pin_lockout_time = 60;
else if (hapd->ap_pin_lockout_time < 365 * 24 * 60 * 60 &&
(hapd->ap_pin_failures % 3) == 0)
hapd->ap_pin_lockout_time *= 2;
wpa_printf(MSG_DEBUG, "WPS: Disable AP PIN for %u seconds",
hapd->ap_pin_lockout_time);
eloop_cancel_timeout(hostapd_wps_reenable_ap_pin, hapd, NULL);
eloop_register_timeout(hapd->ap_pin_lockout_time, 0,
hostapd_wps_reenable_ap_pin, hapd,
NULL);
}
return 0;
}
static void hostapd_wps_ap_pin_enable(struct hostapd_data *hapd, int timeout)
{
wpa_printf(MSG_DEBUG, "WPS: Enabling AP PIN (timeout=%d)", timeout);
hapd->ap_pin_failures = 0;
hapd->conf->ap_setup_locked = 0;
if (hapd->wps->ap_setup_locked) {
wpa_msg(hapd->msg_ctx, MSG_INFO, WPS_EVENT_AP_SETUP_UNLOCKED);
hapd->wps->ap_setup_locked = 0;
wps_registrar_update_ie(hapd->wps->registrar);
}
eloop_cancel_timeout(hostapd_wps_ap_pin_timeout, hapd, NULL);
if (timeout > 0)
eloop_register_timeout(timeout, 0,
hostapd_wps_ap_pin_timeout, hapd, NULL);
}
void hostapd_update_wps(struct hostapd_data *hapd)
{
if (hapd->wps == NULL)
return;
#ifdef CONFIG_WPS_UPNP
hapd->wps->friendly_name = hapd->conf->friendly_name;
hapd->wps->manufacturer_url = hapd->conf->manufacturer_url;
hapd->wps->model_description = hapd->conf->model_description;
hapd->wps->model_url = hapd->conf->model_url;
hapd->wps->upc = hapd->conf->upc;
#endif /* CONFIG_WPS_UPNP */
if (hapd->conf->wps_state)
wps_registrar_update_ie(hapd->wps->registrar);
else
hostapd_deinit_wps(hapd);
}
static void hostapd_pwd_auth_fail(struct hostapd_data *hapd,
struct wps_event_pwd_auth_fail *data)
{
FILE *f;
if (!data->enrollee)
return;
/*
* Registrar failed to prove its knowledge of the AP PIN. Lock AP setup
* if this happens multiple times.
*/
hapd->ap_pin_failures++;
if (hapd->ap_pin_failures < 4)
return;
wpa_msg(hapd, MSG_INFO, WPS_EVENT_AP_SETUP_LOCKED);
hapd->wps->ap_setup_locked = 1;
wps_registrar_update_ie(hapd->wps->registrar);
if (hapd->conf->wps_cred_processing == 1)
return;
f = fopen(hapd->iface->config_fname, "a");
if (f == NULL) {
wpa_printf(MSG_WARNING, "WPS: Could not append to the current "
"configuration file");
return;
}
fprintf(f, "# WPS AP Setup Locked based on possible attack\n");
fprintf(f, "ap_setup_locked=1\n");
fclose(f);
/* TODO: dualband AP may need to update multiple configuration files */
wpa_printf(MSG_DEBUG, "WPS: AP configuration updated");
}
static int wps_update_ie(struct hostapd_data *hapd, void *ctx)
{
if (hapd->wps)
wps_registrar_update_ie(hapd->wps->registrar);
return 0;
}
