static int are_ies_equal(const struct wpa_bss *old,
const struct wpa_scan_res *new_res, u32 ie)
{
const u8 *old_ie, *new_ie;
struct wpabuf *old_ie_buff = NULL;
struct wpabuf *new_ie_buff = NULL;
int new_ie_len, old_ie_len, ret, is_multi;
switch (ie) {
case WPA_IE_VENDOR_TYPE:
old_ie = wpa_bss_get_vendor_ie(old, ie);
new_ie = wpa_scan_get_vendor_ie(new_res, ie);
is_multi = 0;
break;
case WPS_IE_VENDOR_TYPE:
old_ie_buff = wpa_bss_get_vendor_ie_multi(old, ie);
new_ie_buff = wpa_scan_get_vendor_ie_multi(new_res, ie);
is_multi = 1;
break;
case WLAN_EID_RSN:
case WLAN_EID_SUPP_RATES:
case WLAN_EID_EXT_SUPP_RATES:
old_ie = wpa_bss_get_ie(old, ie);
new_ie = wpa_scan_get_ie(new_res, ie);
is_multi = 0;
break;
default:
wpa_printf(MSG_DEBUG, "bss: %s: cannot compare IEs", __func__);
return 0;
}
if (is_multi) {
/* in case of multiple IEs stored in buffer */
old_ie = old_ie_buff ? wpabuf_head_u8(old_ie_buff) : NULL;
new_ie = new_ie_buff ? wpabuf_head_u8(new_ie_buff) : NULL;
old_ie_len = old_ie_buff ? wpabuf_len(old_ie_buff) : 0;
new_ie_len = new_ie_buff ? wpabuf_len(new_ie_buff) : 0;
} else {
/* in case of single IE */
old_ie_len = old_ie ? old_ie[1] + 2 : 0;
new_ie_len = new_ie ? new_ie[1] + 2 : 0;
}
if (!old_ie || !new_ie)
ret = !old_ie && !new_ie;
else
ret = (old_ie_len == new_ie_len &&
os_memcmp(old_ie, new_ie, old_ie_len) == 0);
wpabuf_free(old_ie_buff);
wpabuf_free(new_ie_buff);
return ret;
}
int wpas_mbo_ie(struct wpa_supplicant *wpa_s, u8 *buf, size_t len)
{
struct wpabuf *mbo;
int res;
if (len < MBO_IE_HEADER + 3 + 7)
return 0;
/* Leave room for the MBO IE header */
mbo = wpabuf_alloc(len - MBO_IE_HEADER);
if (!mbo)
return 0;
/* Add non-preferred channels attribute */
wpas_mbo_non_pref_chan_attrs(wpa_s, mbo, 0);
/*
* Send cellular capabilities attribute even if AP does not advertise
* cellular capabilities.
*/
wpabuf_put_u8(mbo, MBO_ATTR_ID_CELL_DATA_CAPA);
wpabuf_put_u8(mbo, 1);
wpabuf_put_u8(mbo, wpa_s->conf->mbo_cell_capa);
res = mbo_add_ie(buf, len, wpabuf_head_u8(mbo), wpabuf_len(mbo));
if (!res)
wpa_printf(MSG_ERROR, "Failed to add MBO IE");
wpabuf_free(mbo);
return res;
}
static struct wpabuf * eap_tnc_build_msg(struct eap_tnc_data *data, u8 id)
{
struct wpabuf *req;
u8 flags;
size_t send_len, plen;
wpa_printf(MSG_DEBUG, "EAP-TNC: Generating Request");
flags = EAP_TNC_VERSION;
send_len = wpabuf_len(data->out_buf) - data->out_used;
if (1 + send_len > data->fragment_size) {
send_len = data->fragment_size - 1;
flags |= EAP_TNC_FLAGS_MORE_FRAGMENTS;
if (data->out_used == 0) {
flags |= EAP_TNC_FLAGS_LENGTH_INCLUDED;
send_len -= 4;
}
}
plen = 1 + send_len;
if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
plen += 4;
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TNC, plen,
EAP_CODE_REQUEST, id);
if (req == NULL)
return NULL;
wpabuf_put_u8(req, flags); /* Flags */
if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
wpabuf_put_be32(req, wpabuf_len(data->out_buf));
wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
send_len);
data->out_used += send_len;
if (data->out_used == wpabuf_len(data->out_buf)) {
wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
wpabuf_free(data->out_buf);
data->out_buf = NULL;
data->out_used = 0;
if (data->was_fail)
eap_tnc_set_state(data, FAIL);
else if (data->was_done)
eap_tnc_set_state(data, DONE);
} else {
wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
(unsigned long) wpabuf_len(data->out_buf) -
data->out_used);
if (data->state == FAIL)
data->was_fail = 1;
else if (data->state == DONE)
data->was_done = 1;
eap_tnc_set_state(data, WAIT_FRAG_ACK);
}
return req;
}
u8 * eap_sim_msg_add_mac(struct eap_sim_msg *msg, u8 attr)
{
u8 *pos = eap_sim_msg_add(msg, attr, 0, NULL, EAP_SIM_MAC_LEN);
if (pos)
msg->mac = (pos - wpabuf_head_u8(msg->buf)) + 4;
return pos;
}
int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
size_t secret_len, struct radius_msg *sent_msg, int auth)
{
const u8 *addr[4];
size_t len[4];
u8 hash[MD5_MAC_LEN];
if (sent_msg == NULL) {
printf("No matching Access-Request message found\n");
return 1;
}
if (auth &&
radius_msg_verify_msg_auth(msg, secret, secret_len,
sent_msg->hdr->authenticator)) {
return 1;
}
/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
addr[0] = (u8 *) msg->hdr;
len[0] = 1 + 1 + 2;
addr[1] = sent_msg->hdr->authenticator;
len[1] = MD5_MAC_LEN;
addr[2] = wpabuf_head_u8(msg->buf) + sizeof(struct radius_hdr);
len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr);
addr[3] = secret;
len[3] = secret_len;
md5_vector(4, addr, len, hash);
if (os_memcmp(hash, msg->hdr->authenticator, MD5_MAC_LEN) != 0) {
printf("Response Authenticator invalid!\n");
return 1;
}
return 0;
}
static ssize_t tls_pull_func(gnutls_transport_ptr ptr, void *buf,
size_t len)
{
struct tls_connection *conn = (struct tls_connection *) ptr;
const u8 *end;
if (conn->pull_buf == NULL) {
errno = EWOULDBLOCK;
return -1;
}
end = wpabuf_head_u8(conn->pull_buf) + wpabuf_len(conn->pull_buf);
if ((size_t) (end - conn->pull_buf_offset) < len)
len = end - conn->pull_buf_offset;
os_memcpy(buf, conn->pull_buf_offset, len);
conn->pull_buf_offset += len;
if (conn->pull_buf_offset == end) {
wpa_printf(MSG_DEBUG, "%s - pull_buf consumed", __func__);
wpabuf_free(conn->pull_buf);
conn->pull_buf = NULL;
conn->pull_buf_offset = NULL;
} else {
wpa_printf(MSG_DEBUG, "%s - %lu bytes remaining in pull_buf",
__func__,
(unsigned long) (end - conn->pull_buf_offset));
}
return len;
}
/**
* gas_anqp_set_len - Set Query Request/Response Length
* @buf: GAS message
*
* This function is used to update the Query Request/Response Length field once
* the payload has been filled.
*/
void gas_anqp_set_len(struct wpabuf *buf)
{
u8 action;
size_t offset;
u8 *len;
if (buf == NULL || wpabuf_len(buf) < 2)
return;
action = *(wpabuf_head_u8(buf) + 1);
switch (action) {
case WLAN_PA_GAS_INITIAL_REQ:
offset = 3 + 4;
break;
case WLAN_PA_GAS_INITIAL_RESP:
offset = 7 + 4;
break;
case WLAN_PA_GAS_COMEBACK_RESP:
offset = 8 + 4;
break;
default:
return;
}
if (wpabuf_len(buf) < offset + 2)
return;
len = wpabuf_mhead_u8(buf) + offset;
WPA_PUT_LE16(len, (u8 *) wpabuf_put(buf, 0) - len - 2);
}
int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr, int attr_pad)
{
size_t encr_len;
if (msg == NULL || k_encr == NULL || msg->iv == 0 || msg->encr == 0)
return -1;
encr_len = wpabuf_len(msg->buf) - msg->encr - 4;
if (encr_len % 16) {
u8 *pos;
int pad_len = 16 - (encr_len % 16);
if (pad_len < 4) {
wpa_printf(MSG_WARNING, "EAP-SIM: "
"eap_sim_msg_add_encr_end - invalid pad_len"
" %d", pad_len);
return -1;
}
wpa_printf(MSG_DEBUG, " *AT_PADDING");
pos = eap_sim_msg_add(msg, attr_pad, 0, NULL, pad_len - 4);
if (pos == NULL)
return -1;
os_memset(pos + 4, 0, pad_len - 4);
encr_len += pad_len;
}
wpa_printf(MSG_DEBUG, " (AT_ENCR_DATA data len %lu)",
(unsigned long) encr_len);
wpabuf_mhead_u8(msg->buf)[msg->encr + 1] = encr_len / 4 + 1;
return aes_128_cbc_encrypt(k_encr, wpabuf_head_u8(msg->buf) + msg->iv,
wpabuf_mhead_u8(msg->buf) + msg->encr + 4,
encr_len);
}
/**
* p2p_parse_p2p_ie - Parse P2P IE
* @buf: Concatenated P2P IE(s) payload
* @msg: Buffer for returning parsed attributes
* Returns: 0 on success, -1 on failure
*
* Note: Caller is responsible for clearing the msg data structure before
* calling this function.
*/
int p2p_parse_p2p_ie(const struct wpabuf *buf, struct p2p_message *msg)
{
const u8 *pos = wpabuf_head_u8(buf);
const u8 *end = pos + wpabuf_len(buf);
wpa_printf(MSG_DEBUG, "P2P: Parsing P2P IE");
while (pos < end) {
u16 attr_len;
if (pos + 2 >= end) {
wpa_printf(MSG_DEBUG, "P2P: Invalid P2P attribute");
return -1;
}
attr_len = WPA_GET_LE16(pos + 1);
wpa_printf(MSG_DEBUG, "P2P: Attribute %d length %u",
pos[0], attr_len);
if (pos + 3 + attr_len > end) {
wpa_printf(MSG_DEBUG, "P2P: Attribute underflow "
"(len=%u left=%d)",
attr_len, (int) (end - pos - 3));
wpa_hexdump(MSG_MSGDUMP, "P2P: Data", pos, end - pos);
return -1;
}
if (p2p_parse_attribute(pos[0], pos + 3, attr_len, msg))
return -1;
pos += 3 + attr_len;
}
return 0;
}
struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
int eap_type, int version, u8 id)
{
struct wpabuf *req;
u8 flags;
size_t send_len, plen;
wpa_printf(MSG_DEBUG, "SSL: Generating Request");
if (data->tls_out == NULL) {
wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
return NULL;
}
flags = version;
send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
if (1 + send_len > data->tls_out_limit) {
send_len = data->tls_out_limit - 1;
flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
if (data->tls_out_pos == 0) {
flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
send_len -= 4;
}
}
plen = 1 + send_len;
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
plen += 4;
req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, plen,
EAP_CODE_REQUEST, id);
if (req == NULL)
return NULL;
wpabuf_put_u8(req, flags); /* Flags */
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
wpabuf_put_be32(req, wpabuf_len(data->tls_out));
wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
send_len);
data->tls_out_pos += send_len;
if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
wpabuf_free(data->tls_out);
data->tls_out = NULL;
data->tls_out_pos = 0;
data->state = MSG;
} else {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
(unsigned long) wpabuf_len(data->tls_out) -
data->tls_out_pos);
data->state = WAIT_FRAG_ACK;
}
return req;
}
static struct wpabuf *eap_wsc_build_msg(struct eap_wsc_data *data, struct eap_method_ret *ret, u8 id)
{
struct wpabuf *resp;
u8 flags;
size_t send_len, plen;
ret->ignore = FALSE;
wpa_printf(MSG_DEBUG, "EAP-WSC: Generating Response");
ret->allowNotifications = TRUE;
flags = 0;
send_len = wpabuf_len(data->out_buf) - data->out_used;
if (2 + send_len > data->fragment_size) {
send_len = data->fragment_size - 2;
flags |= WSC_FLAGS_MF;
if (data->out_used == 0) {
flags |= WSC_FLAGS_LF;
send_len -= 2;
}
}
plen = 2 + send_len;
if (flags & WSC_FLAGS_LF) {
plen += 2;
}
resp = eap_msg_alloc(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, plen, EAP_CODE_RESPONSE, id);
if (resp == NULL) {
return NULL;
}
wpabuf_put_u8(resp, data->out_op_code); /* Op-Code */
wpabuf_put_u8(resp, flags); /* Flags */
if (flags & WSC_FLAGS_LF) {
wpabuf_put_be16(resp, wpabuf_len(data->out_buf));
}
wpabuf_put_data(resp, wpabuf_head_u8(data->out_buf) + data->out_used, send_len);
data->out_used += send_len;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
if (data->out_used == wpabuf_len(data->out_buf)) {
wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes " "(message sent completely)", (unsigned long)send_len);
wpabuf_free(data->out_buf);
data->out_buf = NULL;
data->out_used = 0;
if ((data->state == FAIL && data->out_op_code == WSC_ACK) || data->out_op_code == WSC_NACK || data->out_op_code == WSC_Done) {
eap_wsc_state(data, FAIL);
ret->methodState = METHOD_DONE;
} else {
eap_wsc_state(data, MESG);
}
} else {
wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes " "(%lu more to send)", (unsigned long)send_len, (unsigned long)wpabuf_len(data->out_buf) - data->out_used);
eap_wsc_state(data, WAIT_FRAG_ACK);
}
return resp;
}
static struct wpabuf * eap_tnc_build_msg(struct eap_tnc_data *data,
struct eap_method_ret *ret, u8 id)
{
struct wpabuf *resp;
u8 flags;
size_t send_len, plen;
ret->ignore = FALSE;
wpa_printf(MSG_DEBUG, "EAP-TNC: Generating Response");
ret->allowNotifications = TRUE;
flags = EAP_TNC_VERSION;
send_len = wpabuf_len(data->out_buf) - data->out_used;
if (1 + send_len > data->fragment_size) {
send_len = data->fragment_size - 1;
flags |= EAP_TNC_FLAGS_MORE_FRAGMENTS;
if (data->out_used == 0) {
flags |= EAP_TNC_FLAGS_LENGTH_INCLUDED;
send_len -= 4;
}
}
plen = 1 + send_len;
if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
plen += 4;
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TNC, plen,
EAP_CODE_RESPONSE, id);
if (resp == NULL)
return NULL;
wpabuf_put_u8(resp, flags); /* Flags */
if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
wpabuf_put_be32(resp, wpabuf_len(data->out_buf));
wpabuf_put_data(resp, wpabuf_head_u8(data->out_buf) + data->out_used,
send_len);
data->out_used += send_len;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
if (data->out_used == wpabuf_len(data->out_buf)) {
wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
wpabuf_free(data->out_buf);
data->out_buf = NULL;
data->out_used = 0;
} else {
wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
(unsigned long) wpabuf_len(data->out_buf) -
data->out_used);
data->state = WAIT_FRAG_ACK;
}
return resp;
}
static struct wpabuf * eap_wsc_build_msg(struct eap_wsc_data *data, u8 id)
{
struct wpabuf *req;
u8 flags;
size_t send_len, plen;
flags = 0;
send_len = wpabuf_len(data->out_buf) - data->out_used;
if (2 + send_len > data->fragment_size) {
send_len = data->fragment_size - 2;
flags |= WSC_FLAGS_MF;
if (data->out_used == 0) {
flags |= WSC_FLAGS_LF;
send_len -= 2;
}
}
plen = 2 + send_len;
if (flags & WSC_FLAGS_LF)
plen += 2;
req = eap_msg_alloc(EAP_VENDOR_WFA, EAP_VENDOR_TYPE_WSC, plen,
EAP_CODE_REQUEST, id);
if (req == NULL) {
wpa_printf(MSG_ERROR, "EAP-WSC: Failed to allocate memory for "
"request");
return NULL;
}
wpabuf_put_u8(req, data->out_op_code); /* Op-Code */
wpabuf_put_u8(req, flags); /* Flags */
if (flags & WSC_FLAGS_LF)
wpabuf_put_be16(req, wpabuf_len(data->out_buf));
wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
send_len);
data->out_used += send_len;
if (data->out_used == wpabuf_len(data->out_buf)) {
wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
wpabuf_free(data->out_buf);
data->out_buf = NULL;
data->out_used = 0;
eap_wsc_state(data, MESG);
} else {
wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
(unsigned long) wpabuf_len(data->out_buf) -
data->out_used);
eap_wsc_state(data, WAIT_FRAG_ACK);
}
return req;
}
static void wpas_mbo_non_pref_chan_changed(struct wpa_supplicant *wpa_s)
{
struct wpabuf *buf;
buf = wpabuf_alloc(512);
if (!buf)
return;
wpas_mbo_non_pref_chan_attrs(wpa_s, buf, 1);
wpas_mbo_send_wnm_notification(wpa_s, wpabuf_head_u8(buf),
wpabuf_len(buf));
wpabuf_free(buf);
}
int eap_sim_msg_add_encr_start(struct eap_sim_msg *msg, u8 attr_iv,
u8 attr_encr)
{
u8 *pos = eap_sim_msg_add(msg, attr_iv, 0, NULL, EAP_SIM_IV_LEN);
if (pos == NULL)
return -1;
msg->iv = (pos - wpabuf_head_u8(msg->buf)) + 4;
if (random_get_bytes(wpabuf_mhead_u8(msg->buf) + msg->iv,
EAP_SIM_IV_LEN)) {
msg->iv = 0;
return -1;
}
pos = eap_sim_msg_add(msg, attr_encr, 0, NULL, 0);
if (pos == NULL) {
msg->iv = 0;
return -1;
}
msg->encr = pos - wpabuf_head_u8(msg->buf);
return 0;
}
int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,
const u8 *mac, const u8 *extra, size_t extra_len)
{
unsigned char hmac[SHA256_MAC_LEN];
const u8 *addr[2];
size_t len[2];
u8 *tmp;
if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
mac < wpabuf_head_u8(req) ||
mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
return -1;
tmp = os_malloc(wpabuf_len(req));
if (tmp == NULL)
return -1;
addr[0] = tmp;
len[0] = wpabuf_len(req);
addr[1] = extra;
len[1] = extra_len;
/* HMAC-SHA-256-128 */
os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",
tmp, wpabuf_len(req));
wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",
extra, extra_len);
wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",
k_aut, EAP_AKA_PRIME_K_AUT_LEN);
hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",
hmac, EAP_SIM_MAC_LEN);
os_free(tmp);
return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
}
struct wpabuf * wps_decrypt_encr_settings(struct wps_data *wps, const u8 *encr,
size_t encr_len)
{
struct wpabuf *decrypted;
const size_t block_size = 16;
size_t i;
u8 pad;
const u8 *pos;
/* AES-128-CBC */
if (encr == NULL || encr_len < 2 * block_size || encr_len % block_size)
{
wpa_printf(MSG_DEBUG, "WPS: No Encrypted Settings received");
return NULL;
}
decrypted = wpabuf_alloc(encr_len - block_size);
if (decrypted == NULL)
return NULL;
wpa_hexdump(MSG_MSGDUMP, "WPS: Encrypted Settings", encr, encr_len);
wpabuf_put_data(decrypted, encr + block_size, encr_len - block_size);
if (aes_128_cbc_decrypt(wps->keywrapkey, encr, wpabuf_mhead(decrypted),
wpabuf_len(decrypted))) {
wpabuf_free(decrypted);
return NULL;
}
wpa_hexdump_buf_key(MSG_MSGDUMP, "WPS: Decrypted Encrypted Settings",
decrypted);
pos = wpabuf_head_u8(decrypted) + wpabuf_len(decrypted) - 1;
pad = *pos;
if (pad > wpabuf_len(decrypted)) {
wpa_printf(MSG_DEBUG, "WPS: Invalid PKCS#5 v2.0 pad value");
wpabuf_free(decrypted);
return NULL;
}
for (i = 0; i < pad; i++) {
if (*pos-- != pad) {
wpa_printf(MSG_DEBUG, "WPS: Invalid PKCS#5 v2.0 pad "
"string");
wpabuf_free(decrypted);
return NULL;
}
}
decrypted->used -= pad;
return decrypted;
}
char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
{
char *subelem = NULL;
const u8 *buf;
size_t buflen;
size_t i = 0;
u16 elen;
if (!wfd_subelems)
return NULL;
buf = wpabuf_head_u8(wfd_subelems);
if (!buf)
return NULL;
buflen = wpabuf_len(wfd_subelems);
while (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN < buflen) {
elen = WPA_GET_BE16(buf + i + 1);
if (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN + elen > buflen)
break; /* truncated subelement */
if (buf[i] == id) {
/*
* Limit explicitly to an arbitrary length to avoid
* unnecessarily large allocations. In practice, this
* is limited to maximum frame length anyway, so the
* maximum memory allocation here is not really that
* large. Anyway, the Wi-Fi Display subelements that
* are fetched with this function are even shorter.
*/
if (elen > 1000)
break;
subelem = os_zalloc(2 * elen + 1);
if (!subelem)
return NULL;
wpa_snprintf_hex(subelem, 2 * elen + 1,
buf + i +
WIFI_DISPLAY_SUBELEM_HEADER_LEN,
elen);
break;
}
i += elen + WIFI_DISPLAY_SUBELEM_HEADER_LEN;
}
return subelem;
}
static void
gas_server_handle_rx_comeback_req(struct gas_server_response *response)
{
struct gas_server_handler *handler = response->handler;
struct gas_server *gas = handler->gas;
size_t max_len = (response->freq > 56160) ? 928 : 1400;
size_t hdr_len = 24 + 2 + 6 + 3 + handler->adv_proto_id_len + 2;
size_t remaining, resp_frag_len;
struct wpabuf *resp;
remaining = wpabuf_len(response->resp) - response->offset;
if (hdr_len + remaining > max_len)
resp_frag_len = max_len - hdr_len;
else
resp_frag_len = remaining;
wpa_printf(MSG_DEBUG,
"GAS: Sending out %u/%u remaining Query Response octets",
(unsigned int) resp_frag_len, (unsigned int) remaining);
resp = gas_build_comeback_resp(response->dialog_token,
WLAN_STATUS_SUCCESS,
response->frag_id++,
resp_frag_len < remaining, 0,
handler->adv_proto_id_len +
resp_frag_len);
if (!resp) {
gas_server_free_response(response);
return;
}
/* Advertisement Protocol element */
wpabuf_put_u8(resp, WLAN_EID_ADV_PROTO);
wpabuf_put_u8(resp, 1 + handler->adv_proto_id_len); /* Length */
wpabuf_put_u8(resp, 0x7f);
/* Advertisement Protocol ID */
wpabuf_put_data(resp, handler->adv_proto_id, handler->adv_proto_id_len);
/* Query Response Length */
wpabuf_put_le16(resp, resp_frag_len);
wpabuf_put_data(resp, wpabuf_head_u8(response->resp) + response->offset,
resp_frag_len);
response->offset += resp_frag_len;
gas->tx(gas->ctx, response->freq, response->dst, resp,
remaining > resp_frag_len ? 2000 : 0);
wpabuf_free(resp);
}
static void EAP_Restart(pana_session_t * pacs) {
paa_ctx_t * ctx = pacs->ctx;
struct wpabuf * eap_resq = NULL;
eap_md5_reset(ctx->method_data);
ctx->method_data = eap_md5_init();
eap_resq = eap_md5_buildReq(ctx->method_data, EAP_VENDOR_IETF);
if (eap_resq != NULL) {
ctx->eap_resp_payload = bytebuff_from_bytes(wpabuf_head_u8(eap_resq),
eap_resq->used);
EAP_REQUEST_Set();
}
wpabuf_free(eap_resq);
}
int wps_build_vendor_ext(struct wps_device_data *dev, struct wpabuf *msg)
{
int i;
for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) {
if (dev->vendor_ext[i] == NULL)
continue;
wpa_hexdump(MSG_DEBUG, "WPS: * Vendor Extension",
wpabuf_head_u8(dev->vendor_ext[i]),
wpabuf_len(dev->vendor_ext[i]));
wpabuf_put_be16(msg, ATTR_VENDOR_EXT);
wpabuf_put_be16(msg, wpabuf_len(dev->vendor_ext[i]));
wpabuf_put_buf(msg, dev->vendor_ext[i]);
}
return 0;
}
int wifi_display_subelem_get(struct wpa_global *global, char *cmd,
char *buf, size_t buflen)
{
int subelem;
subelem = atoi(cmd);
if (subelem < 0 || subelem >= MAX_WFD_SUBELEMS)
return -1;
if (global->wfd_subelem[subelem] == NULL)
return 0;
return wpa_snprintf_hex(buf, buflen,
wpabuf_head_u8(global->wfd_subelem[subelem]) +
1,
wpabuf_len(global->wfd_subelem[subelem]) - 1);
}
static void http_client_tx_ready(int sock, void *eloop_ctx, void *sock_ctx)
{
struct http_client *c = eloop_ctx;
int res;
size_t send_len;
send_len = wpabuf_len(c->req) - c->req_pos;
wpa_printf(MSG_DEBUG, "HTTP: Send client request to %s:%d (%lu of %lu "
"bytes remaining)",
inet_ntoa(c->dst.sin_addr), ntohs(c->dst.sin_port),
(unsigned long) wpabuf_len(c->req),
(unsigned long) send_len);
res = send(c->sd, wpabuf_head_u8(c->req) + c->req_pos, send_len, 0);
if (res < 0) {
wpa_printf(MSG_DEBUG, "HTTP: Failed to send buffer: %s",
strerror(errno));
eloop_unregister_sock(c->sd, EVENT_TYPE_WRITE);
c->cb(c->cb_ctx, c, HTTP_CLIENT_FAILED);
return;
}
if ((size_t) res < send_len) {
wpa_printf(MSG_DEBUG, "HTTP: Sent %d of %lu bytes; %lu bytes "
"remaining",
res, (unsigned long) wpabuf_len(c->req),
(unsigned long) send_len - res);
c->req_pos += res;
return;
}
wpa_printf(MSG_DEBUG, "HTTP: Full client request sent to %s:%d",
inet_ntoa(c->dst.sin_addr), ntohs(c->dst.sin_port));
eloop_unregister_sock(c->sd, EVENT_TYPE_WRITE);
wpabuf_free(c->req);
c->req = NULL;
c->hread = httpread_create(c->sd, http_client_got_response, c,
c->max_response, HTTP_CLIENT_TIMEOUT_SEC);
if (c->hread == NULL) {
c->cb(c->cb_ctx, c, HTTP_CLIENT_FAILED);
return;
}
}
static int radius_msg_add_attr_to_array(struct radius_msg *msg,
struct radius_attr_hdr *attr)
{
if (msg->attr_used >= msg->attr_size) {
size_t *nattr_pos;
int nlen = msg->attr_size * 2;
nattr_pos = os_realloc(msg->attr_pos,
nlen * sizeof(*msg->attr_pos));
if (nattr_pos == NULL)
return -1;
msg->attr_pos = nattr_pos;
msg->attr_size = nlen;
}
msg->attr_pos[msg->attr_used++] =
(unsigned char *) attr - wpabuf_head_u8(msg->buf);
return 0;
}
int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret,
size_t secret_len, const u8 *req_authenticator)
{
u8 auth[MD5_MAC_LEN];
struct radius_attr_hdr *attr;
const u8 *addr[4];
size_t len[4];
os_memset(auth, 0, MD5_MAC_LEN);
attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
auth, MD5_MAC_LEN);
if (attr == NULL) {
printf("WARNING: Could not add Message-Authenticator\n");
return -1;
}
msg->hdr->length = htons(wpabuf_len(msg->buf));
os_memcpy(msg->hdr->authenticator, req_authenticator,
sizeof(msg->hdr->authenticator));
hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
wpabuf_len(msg->buf), (u8 *) (attr + 1));
/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
addr[0] = (u8 *) msg->hdr;
len[0] = 1 + 1 + 2;
addr[1] = req_authenticator;
len[1] = MD5_MAC_LEN;
addr[2] = wpabuf_head_u8(msg->buf) + sizeof(struct radius_hdr);
len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr);
addr[3] = secret;
len[3] = secret_len;
md5_vector(4, addr, len, msg->hdr->authenticator);
if (wpabuf_len(msg->buf) > 0xffff) {
wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)",
(unsigned long) wpabuf_len(msg->buf));
return -1;
}
return 0;
}
int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret,
size_t secret_len,
const struct radius_hdr *req_hdr)
{
const u8 *addr[2];
size_t len[2];
u8 auth[MD5_MAC_LEN];
struct radius_attr_hdr *attr;
os_memset(auth, 0, MD5_MAC_LEN);
attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
auth, MD5_MAC_LEN);
if (attr == NULL) {
wpa_printf(MSG_WARNING, "Could not add Message-Authenticator");
return -1;
}
msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16);
hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
wpabuf_len(msg->buf), (u8 *) (attr + 1));
/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
addr[0] = wpabuf_head_u8(msg->buf);
len[0] = wpabuf_len(msg->buf);
addr[1] = secret;
len[1] = secret_len;
if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0)
return -1;
if (wpabuf_len(msg->buf) > 0xffff) {
wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)",
(unsigned long) wpabuf_len(msg->buf));
return -1;
}
return 0;
}
static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count)
{
struct nai_realm *realm;
const u8 *pos, *end;
u16 i, num;
if (anqp == NULL || wpabuf_len(anqp) < 2)
return NULL;
pos = wpabuf_head_u8(anqp);
end = pos + wpabuf_len(anqp);
num = WPA_GET_LE16(pos);
wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num);
pos += 2;
if (num * 5 > end - pos) {
wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not "
"enough data (%u octets) for that many realms",
num, (unsigned int) (end - pos));
return NULL;
}
realm = os_zalloc(num * sizeof(struct nai_realm));
if (realm == NULL)
return NULL;
for (i = 0; i < num; i++) {
pos = nai_realm_parse_realm(&realm[i], pos, end);
if (pos == NULL) {
nai_realm_free(realm, num);
return NULL;
}
}
*count = num;
return realm;
}
int hostapd_wps_nfc_tag_read(struct hostapd_data *hapd,
const struct wpabuf *data)
{
const struct wpabuf *wps = data;
struct wpabuf *tmp = NULL;
int ret;
if (wpabuf_len(data) < 4)
return -1;
if (*wpabuf_head_u8(data) != 0x10) {
/* Assume this contains full NDEF record */
tmp = ndef_parse_wifi(data);
if (tmp == NULL) {
wpa_printf(MSG_DEBUG, "WPS: Could not parse NDEF");
return -1;
}
wps = tmp;
}
ret = hostapd_wps_nfc_tag_process(hapd, wps);
wpabuf_free(tmp);
return ret;
}
void p2p_rx_gas_comeback_req(struct p2p_data *p2p, const u8 *sa,
const u8 *data, size_t len, int rx_freq)
{
struct wpabuf *resp;
u8 dialog_token;
size_t frag_len;
int more = 0;
wpa_hexdump(MSG_DEBUG, "P2P: RX GAS Comeback Request", data, len);
if (len < 1)
return;
dialog_token = *data;
p2p_dbg(p2p, "Dialog Token: %u", dialog_token);
if (dialog_token != p2p->sd_resp_dialog_token) {
p2p_dbg(p2p, "No pending SD response fragment for dialog token %u",
dialog_token);
return;
}
if (p2p->sd_resp == NULL) {
p2p_dbg(p2p, "No pending SD response fragment available");
return;
}
if (os_memcmp(sa, p2p->sd_resp_addr, ETH_ALEN) != 0) {
p2p_dbg(p2p, "No pending SD response fragment for " MACSTR,
MAC2STR(sa));
return;
}
frag_len = wpabuf_len(p2p->sd_resp) - p2p->sd_resp_pos;
if (frag_len > 1400) {
frag_len = 1400;
more = 1;
}
resp = p2p_build_gas_comeback_resp(dialog_token, WLAN_STATUS_SUCCESS,
p2p->srv_update_indic,
wpabuf_head_u8(p2p->sd_resp) +
p2p->sd_resp_pos, frag_len,
p2p->sd_frag_id, more,
wpabuf_len(p2p->sd_resp));
if (resp == NULL)
return;
p2p_dbg(p2p, "Send GAS Comeback Response (frag_id %d more=%d frag_len=%d)",
p2p->sd_frag_id, more, (int) frag_len);
p2p->sd_frag_id++;
p2p->sd_resp_pos += frag_len;
if (more) {
p2p_dbg(p2p, "%d more bytes remain to be sent",
(int) (wpabuf_len(p2p->sd_resp) - p2p->sd_resp_pos));
} else {
p2p_dbg(p2p, "All fragments of SD response sent");
wpabuf_free(p2p->sd_resp);
p2p->sd_resp = NULL;
}
p2p->pending_action_state = P2P_NO_PENDING_ACTION;
if (p2p_send_action(p2p, rx_freq, sa, p2p->cfg->dev_addr,
p2p->cfg->dev_addr,
wpabuf_head(resp), wpabuf_len(resp), 200) < 0)
p2p_dbg(p2p, "Failed to send Action frame");
wpabuf_free(resp);
}
static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data,
struct eap_method_ret *ret,
const struct eap_hdr *req,
const struct wpabuf *in_data,
struct wpabuf **out_data)
{
struct wpabuf *in_decrypted = NULL;
int res, skip_change = 0;
struct eap_hdr *hdr, *rhdr;
struct wpabuf *resp = NULL;
size_t len;
wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
" Phase 2", (unsigned long) wpabuf_len(in_data));
if (data->pending_phase2_req) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - "
"skip decryption and use old data");
/* Clear TLS reassembly state. */
eap_peer_tls_reset_input(&data->ssl);
in_decrypted = data->pending_phase2_req;
data->pending_phase2_req = NULL;
skip_change = 1;
goto continue_req;
}
if (wpabuf_len(in_data) == 0 && sm->workaround &&
data->phase2_success) {
/*
* Cisco ACS seems to be using TLS ACK to terminate
* EAP-PEAPv0/GTC. Try to reply with TLS ACK.
*/
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but "
"expected data - acknowledge with TLS ACK since "
"Phase 2 has been completed");
ret->decision = DECISION_COND_SUCC;
ret->methodState = METHOD_DONE;
return 1;
} else if (wpabuf_len(in_data) == 0) {
/* Received TLS ACK - requesting more fragments */
return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
data->peap_version,
req->identifier, NULL, out_data);
}
res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
if (res)
return res;
continue_req:
wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
in_decrypted);
hdr = wpabuf_mhead(in_decrypted);
if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST &&
be_to_host16(hdr->length) == 5 &&
eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) {
/* At least FreeRADIUS seems to send full EAP header with
* EAP Request Identity */
skip_change = 1;
}
if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST &&
eap_get_type(in_decrypted) == EAP_TYPE_TLV) {
skip_change = 1;
}
if (data->peap_version == 0 && !skip_change) {
struct eap_hdr *nhdr;
struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) +
wpabuf_len(in_decrypted));
if (nmsg == NULL) {
wpabuf_free(in_decrypted);
return 0;
}
nhdr = wpabuf_put(nmsg, sizeof(*nhdr));
wpabuf_put_buf(nmsg, in_decrypted);
nhdr->code = req->code;
nhdr->identifier = req->identifier;
nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
wpabuf_len(in_decrypted));
wpabuf_free(in_decrypted);
in_decrypted = nmsg;
}
if (data->peap_version >= 2) {
struct eap_tlv_hdr *tlv;
struct wpabuf *nmsg;
if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) {
wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 "
"EAP TLV");
wpabuf_free(in_decrypted);
return 0;
}
tlv = wpabuf_mhead(in_decrypted);
if ((be_to_host16(tlv->tlv_type) & 0x3fff) !=
EAP_TLV_EAP_PAYLOAD_TLV) {
wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV");
wpabuf_free(in_decrypted);
return 0;
}
if (sizeof(*tlv) + be_to_host16(tlv->length) >
wpabuf_len(in_decrypted)) {
wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV "
"length");
wpabuf_free(in_decrypted);
return 0;
}
hdr = (struct eap_hdr *) (tlv + 1);
if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) {
wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full "
"EAP packet in EAP TLV");
wpabuf_free(in_decrypted);
return 0;
}
nmsg = wpabuf_alloc(be_to_host16(hdr->length));
if (nmsg == NULL) {
wpabuf_free(in_decrypted);
return 0;
}
wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length));
wpabuf_free(in_decrypted);
in_decrypted = nmsg;
}
hdr = wpabuf_mhead(in_decrypted);
if (wpabuf_len(in_decrypted) < sizeof(*hdr)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
"EAP frame (len=%lu)",
(unsigned long) wpabuf_len(in_decrypted));
wpabuf_free(in_decrypted);
return 0;
}
len = be_to_host16(hdr->length);
if (len > wpabuf_len(in_decrypted)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
"Phase 2 EAP frame (len=%lu hdr->length=%lu)",
(unsigned long) wpabuf_len(in_decrypted),
(unsigned long) len);
wpabuf_free(in_decrypted);
return 0;
}
if (len < wpabuf_len(in_decrypted)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has "
"shorter length than full decrypted data "
"(%lu < %lu)",
(unsigned long) len,
(unsigned long) wpabuf_len(in_decrypted));
}
wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
"identifier=%d length=%lu", hdr->code, hdr->identifier,
(unsigned long) len);
switch (hdr->code) {
case EAP_CODE_REQUEST:
if (eap_peap_phase2_request(sm, data, ret, in_decrypted,
&resp)) {
wpabuf_free(in_decrypted);
wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request "
"processing failed");
return 0;
}
break;
case EAP_CODE_SUCCESS:
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
if (data->peap_version == 1) {
/* EAP-Success within TLS tunnel is used to indicate
* shutdown of the TLS channel. The authentication has
* been completed. */
if (data->phase2_eap_started &&
!data->phase2_eap_success) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
"Success used to indicate success, "
"but Phase 2 EAP was not yet "
"completed successfully");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_FAIL;
wpabuf_free(in_decrypted);
return 0;
}
wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - "
"EAP-Success within TLS tunnel - "
"authentication completed");
ret->decision = DECISION_UNCOND_SUCC;
ret->methodState = METHOD_DONE;
data->phase2_success = 1;
if (data->peap_outer_success == 2) {
wpabuf_free(in_decrypted);
wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK "
"to finish authentication");
return 1;
} else if (data->peap_outer_success == 1) {
/* Reply with EAP-Success within the TLS
* channel to complete the authentication. */
resp = wpabuf_alloc(sizeof(struct eap_hdr));
if (resp) {
rhdr = wpabuf_put(resp, sizeof(*rhdr));
rhdr->code = EAP_CODE_SUCCESS;
rhdr->identifier = hdr->identifier;
rhdr->length =
host_to_be16(sizeof(*rhdr));
}
} else {
/* No EAP-Success expected for Phase 1 (outer,
* unencrypted auth), so force EAP state
* machine to SUCCESS state. */
sm->peap_done = TRUE;
}
} else {
/* FIX: ? */
}
break;
case EAP_CODE_FAILURE:
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
ret->decision = DECISION_FAIL;
ret->methodState = METHOD_MAY_CONT;
ret->allowNotifications = FALSE;
/* Reply with EAP-Failure within the TLS channel to complete
* failure reporting. */
resp = wpabuf_alloc(sizeof(struct eap_hdr));
if (resp) {
rhdr = wpabuf_put(resp, sizeof(*rhdr));
rhdr->code = EAP_CODE_FAILURE;
rhdr->identifier = hdr->identifier;
rhdr->length = host_to_be16(sizeof(*rhdr));
}
break;
default:
wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
"Phase 2 EAP header", hdr->code);
break;
}
wpabuf_free(in_decrypted);
if (resp) {
int skip_change2 = 0;
struct wpabuf *rmsg, buf;
wpa_hexdump_buf_key(MSG_DEBUG,
"EAP-PEAP: Encrypting Phase 2 data", resp);
/* PEAP version changes */
if (data->peap_version >= 2) {
resp = eap_peapv2_tlv_eap_payload(resp);
if (resp == NULL)
return -1;
}
if (wpabuf_len(resp) >= 5 &&
wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE &&
eap_get_type(resp) == EAP_TYPE_TLV)
skip_change2 = 1;
rmsg = resp;
if (data->peap_version == 0 && !skip_change2) {
wpabuf_set(&buf, wpabuf_head_u8(resp) +
sizeof(struct eap_hdr),
wpabuf_len(resp) - sizeof(struct eap_hdr));
rmsg = &buf;
}
if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
data->peap_version, req->identifier,
rmsg, out_data)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt "
"a Phase 2 frame");
}
wpabuf_free(resp);
}
return 0;
}
