
WPS 2.0: Disable WPS workarounds if CONFIG_WPS_STRICT is defined

Jouni Malinen il y a 15 ans
Parent
commit
dcc4d8be75

+ 2 - 0
src/ap/wps_hostapd.c

@@ -865,6 +865,7 @@ static int hostapd_rx_req_put_wlan_response(
 	 */
 
 	sta = ap_get_sta(hapd, mac_addr);
+#ifndef CONFIG_WPS_STRICT
 	if (!sta) {
 		/*
 		 * Workaround - Intel wsccmd uses bogus NewWLANEventMAC:
@@ -878,6 +879,7 @@ static int hostapd_rx_req_put_wlan_response(
 				break;
 		}
 	}
+#endif /* CONFIG_WPS_STRICT */
 
 	if (!sta) {
 		wpa_printf(MSG_DEBUG, "WPS UPnP: No matching STA found");

+ 14 - 0
src/wps/wps.c

@@ -201,6 +201,13 @@ int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
 	    WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
 		return 0;
 
+#ifdef CONFIG_WPS_STRICT
+	if (!attr.sel_reg_config_methods ||
+	    !(WPA_GET_BE16(attr.sel_reg_config_methods) &
+	      WPS_CONFIG_PUSHBUTTON))
+		return 0;
+#endif /* CONFIG_WPS_STRICT */
+
 	return 1;
 }
 
@@ -222,6 +229,13 @@ static int is_selected_pin_registrar(struct wps_parse_attr *attr)
 	    WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
 		return 0;
 
+#ifdef CONFIG_WPS_STRICT
+	if (!attr->sel_reg_config_methods ||
+	    !(WPA_GET_BE16(attr->sel_reg_config_methods) &
+	      (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
+		return 0;
+#endif /* CONFIG_WPS_STRICT */
+
 	return 1;
 }
 

+ 2 - 0
src/wps/wps_attr_parse.c

@@ -17,7 +17,9 @@
 #include "common.h"
 #include "wps_i.h"
 
+#ifndef CONFIG_WPS_STRICT
 #define WPS_WORKAROUNDS
+#endif /* CONFIG_WPS_STRICT */
 
 
 static int wps_set_attr(struct wps_parse_attr *attr, u16 type,

+ 12 - 7
src/wps/wps_attr_process.c

@@ -264,11 +264,18 @@ static int wps_process_cred_802_1x_enabled(struct wps_credential *cred,
 }
 
 
-static void wps_workaround_cred_key(struct wps_credential *cred)
+static int wps_workaround_cred_key(struct wps_credential *cred)
 {
 	if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
 	    cred->key_len > 8 && cred->key_len < 64 &&
 	    cred->key[cred->key_len - 1] == 0) {
+#ifdef CONFIG_WPS_STRICT
+		wpa_printf(MSG_INFO, "WPS: WPA/WPA2-Personal passphrase uses "
+			   "forbidden NULL termination");
+		wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+				      cred->key, cred->key_len);
+		return -1;
+#else /* CONFIG_WPS_STRICT */
 		/*
 		 * A deployed external registrar is known to encode ASCII
 		 * passphrases incorrectly. Remove the extra NULL termination
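Review bot: In the CONFIG_WPS_STRICT branch of wps_workaround_cred_key() the rejected Network Key is passed to `wpa_hexdump_ascii_key()` at MSG_INFO, whereas the non-strict path logs only at MSG_DEBUG, so passphrase material may end up in logs that are collected more widely. Whether the key bytes are actually printed depends on how wpa_hexdump_ascii_key() is implemented, which is not visible here. The rejection message alone is enough to diagnose the failure; consider `wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Network Key", cred->key, cred->key_len);` or logging only `cred->key_len`. The function now returns int and rejects input in strict builds, so a short comment above it stating that it returns -1 for a NUL-terminated passphrase under CONFIG_WPS_STRICT and 0 otherwise would help, since the name still says "workaround". The function body continues in the next hunk.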
@@ -277,7 +284,9 @@ static void wps_workaround_cred_key(struct wps_credential *cred)
 		wpa_printf(MSG_DEBUG, "WPS: Workaround - remove NULL "
 			   "termination from ASCII passphrase");
 		cred->key_len--;
+#endif /* CONFIG_WPS_STRICT */
 	}
+	return 0;
 }
 
 
@@ -303,9 +312,7 @@ int wps_process_cred(struct wps_parse_attr *attr,
 	    wps_process_cred_802_1x_enabled(cred, attr->dot1x_enabled))
 		return -1;
 
-	wps_workaround_cred_key(cred);
-
-	return 0;
+	return wps_workaround_cred_key(cred);
 }
 
 
@@ -324,7 +331,5 @@ int wps_process_ap_settings(struct wps_parse_attr *attr,
 	    wps_process_cred_mac_addr(cred, attr->mac_addr))
 		return -1;
 
-	wps_workaround_cred_key(cred);
-
-	return 0;
+	return wps_workaround_cred_key(cred);
 }

+ 21 - 6
src/wps/wps_enrollee.c

@@ -664,7 +664,7 @@ static int wps_process_r_snonce2(struct wps_data *wps, const u8 *r_snonce2)
 
 
 static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
-			      size_t cred_len)
+			      size_t cred_len, int wps2)
 {
 	struct wps_parse_attr attr;
 	struct wpabuf msg;
@@ -689,6 +689,13 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
 		 * reasons, allow this to be processed since we do not really
 		 * use the MAC Address information for anything.
 		 */
+#ifdef CONFIG_WPS_STRICT
+		if (wps2) {
+			wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
+				   "MAC Address in AP Settings");
+			return -1;
+		}
+#endif /* CONFIG_WPS_STRICT */
 	}
 
 	if (wps->wps->cred_cb) {
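Review bot: The MSG_INFO text added here reads "incorrect MAC Address in AP Settings", but according to the hunk header this is wps_process_cred_e(), which handles a Credential. The identical string in wps_process_ap_settings_e() further down is the one that fits. Someone triaging a strict-mode rejection from the log could not tell the two paths apart; suggest `wpa_printf(MSG_INFO, "WPS: Do not accept incorrect MAC Address in Credential");` for this one. The new `wps2` parameter is only read under CONFIG_WPS_STRICT, so non-strict builds may report an unused parameter depending on warning flags. The enclosing `if` that compares the MAC addresses starts outside the hunk.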
@@ -704,7 +711,7 @@ static int wps_process_cred_e(struct wps_data *wps, const u8 *cred,
 
 
 static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
-			     size_t cred_len[], size_t num_cred)
+			     size_t cred_len[], size_t num_cred, int wps2)
 {
 	size_t i;
 
@@ -718,7 +725,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
 	}
 
 	for (i = 0; i < num_cred; i++) {
-		if (wps_process_cred_e(wps, cred[i], cred_len[i]))
+		if (wps_process_cred_e(wps, cred[i], cred_len[i], wps2))
 			return -1;
 	}
 
@@ -728,7 +735,7 @@ static int wps_process_creds(struct wps_data *wps, const u8 *cred[],
 
 static int wps_process_ap_settings_e(struct wps_data *wps,
 				     struct wps_parse_attr *attr,
-				     struct wpabuf *attrs)
+				     struct wpabuf *attrs, int wps2)
 {
 	struct wps_credential cred;
 
@@ -754,6 +761,13 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
 		 * reasons, allow this to be processed since we do not really
 		 * use the MAC Address information for anything.
 		 */
+#ifdef CONFIG_WPS_STRICT
+		if (wps2) {
+			wpa_printf(MSG_INFO, "WPS: Do not accept incorrect "
+				   "MAC Address in AP Settings");
+			return -1;
+		}
+#endif /* CONFIG_WPS_STRICT */
 	}
 
 	if (wps->wps->cred_cb) {
@@ -994,8 +1008,9 @@ static enum wps_process_res wps_process_m8(struct wps_data *wps,
 	if (wps_parse_msg(decrypted, &eattr) < 0 ||
 	    wps_process_key_wrap_auth(wps, decrypted, eattr.key_wrap_auth) ||
 	    wps_process_creds(wps, eattr.cred, eattr.cred_len,
-			      eattr.num_cred) ||
-	    wps_process_ap_settings_e(wps, &eattr, decrypted)) {
+			      eattr.num_cred, attr->version2 != NULL) ||
+	    wps_process_ap_settings_e(wps, &eattr, decrypted,
+				      attr->version2 != NULL)) {
 		wpabuf_free(decrypted);
 		wps->state = SEND_WSC_NACK;
 		return WPS_CONTINUE;

+ 2 - 0
src/wps/wps_registrar.c

@@ -27,7 +27,9 @@
 #include "wps_upnp.h"
 #include "wps_upnp_i.h"
 
+#ifndef CONFIG_WPS_STRICT
 #define WPS_WORKAROUNDS
+#endif /* CONFIG_WPS_STRICT */
 
 struct wps_uuid_pin {
 	struct dl_list list;

+ 6 - 0
src/wps/wps_upnp_web.c

@@ -523,6 +523,11 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
 	if (hwaddr_aton(val, macaddr)) {
 		wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
 			   "PutWLANResponse: '%s'", val);
+#ifdef CONFIG_WPS_STRICT
+		wpabuf_free(msg);
+		os_free(val);
+		return UPNP_ARG_VALUE_INVALID;
+#else /* CONFIG_WPS_STRICT */
 		if (hwaddr_aton2(val, macaddr) > 0) {
 			/*
 			 * At least some versions of Intel PROset seem to be
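Review bot: The strict-mode rejection in web_process_put_wlan_response() is visible only through the MSG_DEBUG line above it, while the other strict rejections in this commit (wps_attr_process.c, wps_enrollee.c) log at MSG_INFO. For consistency, and so that a rejected PutWLANResponse shows up at the same log level as the others, consider adding `wpa_printf(MSG_INFO, "WPS UPnP: Reject invalid NewWLANEventMAC");` before `wpabuf_free(msg);`. The strict branch also repeats the free-and-return sequence that the non-strict failure path appears to use at the end of the next hunk; a shared exit would keep the two in step. The function starts and ends outside the hunk.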
@@ -536,6 +541,7 @@ web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
 			os_free(val);
 			return UPNP_ARG_VALUE_INVALID;
 		}
+#endif /* CONFIG_WPS_STRICT */
 	}
 	os_free(val);
 	if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {