From 200c7693c9a145508b1850befb200430c1c6a984 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 29 Feb 2020 16:52:39 +0200 Subject: [PATCH] Make WEP functionality an optional build parameter WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration. Signed-off-by: Jouni Malinen --- hostapd/Android.mk | 4 +++ hostapd/Makefile | 4 +++ hostapd/android.config | 8 ++++++ hostapd/config_file.c | 6 +++++ hostapd/defconfig | 8 ++++++ src/ap/ap_config.c | 22 ++++++++++++++++ src/ap/ap_config.h | 8 ++++++ src/ap/beacon.c | 5 +++- src/ap/hostapd.c | 20 ++++++++++++++ src/ap/ieee802_11.c | 10 ++++++- src/ap/ieee802_1x.c | 19 +++++++++++++- src/ap/vlan_init.c | 5 +++- src/ap/wps_hostapd.c | 4 +++ src/common/wpa_common.c | 4 +++ src/eapol_auth/eapol_auth_sm.c | 14 ++++++++++ src/eapol_supp/eapol_supp_sm.c | 2 ++ tests/hwsim/example-hostapd.config | 1 + tests/hwsim/example-wpa_supplicant.config | 1 + tests/hwsim/test_ap_config.py | 22 +++++++++------- tests/hwsim/test_ap_hs20.py | 5 ++-- tests/hwsim/test_ap_params.py | 3 +++ tests/hwsim/test_ap_tdls.py | 3 +++ tests/hwsim/test_ap_wps.py | 2 ++ tests/hwsim/test_cfg80211.py | 2 ++ tests/hwsim/test_connect_cmd.py | 13 ++++++--- tests/hwsim/test_ibss.py | 4 +++ tests/hwsim/test_ieee8021x.py | 8 ++++++ tests/hwsim/test_radius.py | 2 ++ tests/hwsim/test_scan.py | 2 ++ tests/hwsim/test_wep.py | 15 ++++++++++- tests/hwsim/test_wext.py | 3 +++ tests/hwsim/test_wpas_ap.py | 25 ++++++++++-------- tests/hwsim/test_wpas_ctrl.py | 22 +++++++++------- wpa_supplicant/Android.mk | 4 +++ wpa_supplicant/Makefile | 4 +++ wpa_supplicant/android.config | 8 ++++++ wpa_supplicant/ap.c | 10 ++++--- wpa_supplicant/config.c | 6 +++++ wpa_supplicant/config_file.c | 32 ++++++++++++++++++----- wpa_supplicant/config_ssid.h | 2 ++ wpa_supplicant/config_winreg.c | 16 +++++++++--- wpa_supplicant/ctrl_iface.c | 6 +++++ wpa_supplicant/dbus/dbus_new_handlers.c | 15 ++++++++--- wpa_supplicant/defconfig | 8 ++++++ wpa_supplicant/events.c | 16 ++++++++++++ wpa_supplicant/sme.c | 18 ++++++++----- wpa_supplicant/wpa_supplicant.c | 32 ++++++++++++++++++----- wpa_supplicant/wpas_glue.c | 4 +++ 48 files changed, 386 insertions(+), 71 deletions(-) diff --git a/hostapd/Android.mk b/hostapd/Android.mk index 662a6cd18..fce40620f 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -309,6 +309,10 @@ OBJS += src/fst/fst_ctrl_iface.c endif endif +ifdef CONFIG_WEP +L_CFLAGS += -DCONFIG_WEP +endif + include $(LOCAL_PATH)/src/drivers/drivers.mk diff --git a/hostapd/Makefile b/hostapd/Makefile index dbe0403a1..0a3b8dde7 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -1238,6 +1238,10 @@ OBJS += ../src/fst/fst_ctrl_iface.o endif endif +ifdef CONFIG_WEP +CFLAGS += -DCONFIG_WEP +endif + ALL=hostapd hostapd_cli all: verify_config $(ALL) diff --git a/hostapd/android.config b/hostapd/android.config index d9200beea..94a9bb47b 100644 --- a/hostapd/android.config +++ b/hostapd/android.config @@ -201,3 +201,11 @@ CONFIG_WPA_CLI_EDIT=y # /dev/urandom earlier in boot' seeds /dev/urandom with that entropy before # either wpa_supplicant or hostapd are run. CONFIG_NO_RANDOM_POOL=y + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current hostapd +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +CONFIG_WEP=y diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 6dde59a5a..269f9f3cd 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -793,6 +793,7 @@ static int hostapd_config_parse_cipher(int line, const char *value) } +#ifdef CONFIG_WEP static int hostapd_config_read_wep(struct hostapd_wep_keys *wep, int keyidx, char *val) { @@ -843,6 +844,7 @@ static int hostapd_config_read_wep(struct hostapd_wep_keys *wep, int keyidx, return 0; } +#endif /* CONFIG_WEP */ static int hostapd_parse_chanlist(struct hostapd_config *conf, char *val) @@ -2664,6 +2666,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, } else if (os_strcmp(buf, "erp_domain") == 0) { os_free(bss->erp_domain); bss->erp_domain = os_strdup(pos); +#ifdef CONFIG_WEP } else if (os_strcmp(buf, "wep_key_len_broadcast") == 0) { int val = atoi(pos); @@ -2691,6 +2694,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, line, bss->wep_rekeying_period); return 1; } +#endif /* CONFIG_WEP */ } else if (os_strcmp(buf, "eap_reauth_period") == 0) { bss->eap_reauth_period = atoi(pos); if (bss->eap_reauth_period < 0) { @@ -3311,6 +3315,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->ignore_broadcast_ssid = atoi(pos); } else if (os_strcmp(buf, "no_probe_resp_if_max_sta") == 0) { bss->no_probe_resp_if_max_sta = atoi(pos); +#ifdef CONFIG_WEP } else if (os_strcmp(buf, "wep_default_key") == 0) { bss->ssid.wep.idx = atoi(pos); if (bss->ssid.wep.idx > 3) { @@ -3329,6 +3334,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, line, buf); return 1; } +#endif /* CONFIG_WEP */ #ifndef CONFIG_NO_VLAN } else if (os_strcmp(buf, "dynamic_vlan") == 0) { bss->ssid.dynamic_vlan = atoi(pos); diff --git a/hostapd/defconfig b/hostapd/defconfig index e12260f4a..5133db26b 100644 --- a/hostapd/defconfig +++ b/hostapd/defconfig @@ -380,3 +380,11 @@ CONFIG_IPV6=y # Override default value for the wpa_disable_eapol_key_retries configuration # parameter. See that parameter in hostapd.conf for more details. #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current hostapd +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +#CONFIG_WEP=y diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index fddc8ca44..50974094a 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -54,12 +54,16 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->logger_syslog = (unsigned int) -1; bss->logger_stdout = (unsigned int) -1; +#ifdef CONFIG_WEP bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED; bss->wep_rekeying_period = 300; /* use key0 in individual key and key1 in broadcast key */ bss->broadcast_key_idx_min = 1; bss->broadcast_key_idx_max = 2; +#else /* CONFIG_WEP */ + bss->auth_algs = WPA_AUTH_ALG_OPEN; +#endif /* CONFIG_WEP */ bss->eap_reauth_period = 3600; bss->wpa_group_rekey = 600; @@ -636,6 +640,7 @@ void hostapd_config_free_eap_users(struct hostapd_eap_user *user) } +#ifdef CONFIG_WEP static void hostapd_config_free_wep(struct hostapd_wep_keys *keys) { int i; @@ -644,6 +649,7 @@ static void hostapd_config_free_wep(struct hostapd_wep_keys *keys) keys->key[i] = NULL; } } +#endif /* CONFIG_WEP */ void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l) @@ -732,7 +738,9 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf) str_clear_free(conf->ssid.wpa_passphrase); os_free(conf->ssid.wpa_psk_file); +#ifdef CONFIG_WEP hostapd_config_free_wep(&conf->ssid.wep); +#endif /* CONFIG_WEP */ #ifdef CONFIG_FULL_DYNAMIC_VLAN os_free(conf->ssid.vlan_tagged_interface); #endif /* CONFIG_FULL_DYNAMIC_VLAN */ @@ -1106,6 +1114,7 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, return -1; } +#ifdef CONFIG_WEP if (bss->wpa) { int wep, i; @@ -1123,6 +1132,7 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, return -1; } } +#endif /* CONFIG_WEP */ if (full_config && bss->wpa && bss->wpa_psk_radius != PSK_RADIUS_IGNORED && @@ -1177,12 +1187,14 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, "allowed, disabling HT capabilities"); } +#ifdef CONFIG_WEP if (full_config && conf->ieee80211n && bss->ssid.security_policy == SECURITY_STATIC_WEP) { bss->disable_11n = 1; wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not " "allowed, disabling HT capabilities"); } +#endif /* CONFIG_WEP */ if (full_config && conf->ieee80211n && bss->wpa && !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && @@ -1196,12 +1208,14 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, } #ifdef CONFIG_IEEE80211AC +#ifdef CONFIG_WEP if (full_config && conf->ieee80211ac && bss->ssid.security_policy == SECURITY_STATIC_WEP) { bss->disable_11ac = 1; wpa_printf(MSG_ERROR, "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities"); } +#endif /* CONFIG_WEP */ if (full_config && conf->ieee80211ac && bss->wpa && !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && @@ -1221,12 +1235,14 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, bss->wps_state = 0; } +#ifdef CONFIG_WEP if (full_config && bss->wps_state && bss->ssid.wep.keys_set && bss->wpa == 0) { wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be " "disabled"); bss->wps_state = 0; } +#endif /* CONFIG_WEP */ if (full_config && bss->wps_state && bss->wpa && (!(bss->wpa & 2) || @@ -1350,11 +1366,13 @@ int hostapd_config_check(struct hostapd_config *conf, int full_config) void hostapd_set_security_params(struct hostapd_bss_config *bss, int full_config) { +#ifdef CONFIG_WEP if (bss->individual_wep_key_len == 0) { /* individual keys are not use; can use key idx0 for * broadcast keys */ bss->broadcast_key_idx_min = 0; } +#endif /* CONFIG_WEP */ if ((bss->wpa & 2) && bss->rsn_pairwise == 0) bss->rsn_pairwise = bss->wpa_pairwise; @@ -1380,6 +1398,7 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss, } else if (bss->ieee802_1x) { int cipher = WPA_CIPHER_NONE; bss->ssid.security_policy = SECURITY_IEEE_802_1X; +#ifdef CONFIG_WEP bss->ssid.wep.default_len = bss->default_wep_key_len; if (full_config && bss->default_wep_key_len) { cipher = bss->default_wep_key_len >= 13 ? @@ -1390,11 +1409,13 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss, else cipher = WPA_CIPHER_WEP40; } +#endif /* CONFIG_WEP */ bss->wpa_group = cipher; bss->wpa_pairwise = cipher; bss->rsn_pairwise = cipher; if (full_config) bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA; +#ifdef CONFIG_WEP } else if (bss->ssid.wep.keys_set) { int cipher = WPA_CIPHER_WEP40; if (bss->ssid.wep.len[0] >= 13) @@ -1405,6 +1426,7 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss, bss->rsn_pairwise = cipher; if (full_config) bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; +#endif /* CONFIG_WEP */ } else if (bss->osen) { bss->ssid.security_policy = SECURITY_OSEN; bss->wpa_group = WPA_CIPHER_CCMP; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index b6e11f25f..5d86a332a 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -67,6 +67,7 @@ struct hostapd_radius_servers; struct ft_remote_r0kh; struct ft_remote_r1kh; +#ifdef CONFIG_WEP #define NUM_WEP_KEYS 4 struct hostapd_wep_keys { u8 idx; @@ -75,10 +76,13 @@ struct hostapd_wep_keys { int keys_set; size_t default_len; /* key length used for dynamic key generation */ }; +#endif /* CONFIG_WEP */ typedef enum hostap_security_policy { SECURITY_PLAINTEXT = 0, +#ifdef CONFIG_WEP SECURITY_STATIC_WEP = 1, +#endif /* CONFIG_WEP */ SECURITY_IEEE_802_1X = 2, SECURITY_WPA_PSK = 3, SECURITY_WPA = 4, @@ -102,7 +106,9 @@ struct hostapd_ssid { char *wpa_psk_file; struct sae_pt *pt; +#ifdef CONFIG_WEP struct hostapd_wep_keys wep; +#endif /* CONFIG_WEP */ #define DYNAMIC_VLAN_DISABLED 0 #define DYNAMIC_VLAN_OPTIONAL 1 @@ -321,10 +327,12 @@ struct hostapd_bss_config { size_t eap_req_id_text_len; int eapol_key_index_workaround; +#ifdef CONFIG_WEP size_t default_wep_key_len; int individual_wep_key_len; int wep_rekeying_period; int broadcast_key_idx_min, broadcast_key_idx_max; +#endif /* CONFIG_WEP */ int eap_reauth_period; int erp_send_reauth_start; char *erp_domain; diff --git a/src/ap/beacon.c b/src/ap/beacon.c index f5de17747..53e35492d 100644 --- a/src/ap/beacon.c +++ b/src/ap/beacon.c @@ -1360,10 +1360,13 @@ int ieee802_11_build_ap_params(struct hostapd_data *hapd, params->key_mgmt_suites = hapd->conf->wpa_key_mgmt; params->auth_algs = hapd->conf->auth_algs; params->wpa_version = hapd->conf->wpa; - params->privacy = hapd->conf->ssid.wep.keys_set || hapd->conf->wpa || + params->privacy = hapd->conf->wpa; +#ifdef CONFIG_WEP + params->privacy |= hapd->conf->ssid.wep.keys_set || (hapd->conf->ieee802_1x && (hapd->conf->default_wep_key_len || hapd->conf->individual_wep_key_len)); +#endif /* CONFIG_WEP */ switch (hapd->conf->ignore_broadcast_ssid) { case 0: params->hide_ssid = NO_SSID_HIDING; diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index ccf3f88f2..a6a95debf 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -58,8 +58,10 @@ static int hostapd_flush_old_stations(struct hostapd_data *hapd, u16 reason); +#ifdef CONFIG_WEP static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd); static int hostapd_broadcast_wep_clear(struct hostapd_data *hapd); +#endif /* CONFIG_WEP */ static int setup_interface2(struct hostapd_iface *iface); static void channel_list_update_timeout(void *eloop_ctx, void *timeout_ctx); static void hostapd_interface_setup_failure_handler(void *eloop_ctx, @@ -89,7 +91,9 @@ void hostapd_reconfig_encryption(struct hostapd_data *hapd) return; hostapd_set_privacy(hapd, 0); +#ifdef CONFIG_WEP hostapd_setup_encryption(hapd->conf->iface, hapd); +#endif /* CONFIG_WEP */ } @@ -142,7 +146,9 @@ static void hostapd_reload_bss(struct hostapd_data *hapd) wpa_deinit(hapd->wpa_auth); hapd->wpa_auth = NULL; hostapd_set_privacy(hapd, 0); +#ifdef CONFIG_WEP hostapd_setup_encryption(hapd->conf->iface, hapd); +#endif /* CONFIG_WEP */ hostapd_set_generic_elem(hapd, (u8 *) "", 0); } @@ -170,7 +176,9 @@ static void hostapd_clear_old(struct hostapd_iface *iface) for (j = 0; j < iface->num_bss; j++) { hostapd_flush_old_stations(iface->bss[j], WLAN_REASON_PREV_AUTH_NOT_VALID); +#ifdef CONFIG_WEP hostapd_broadcast_wep_clear(iface->bss[j]); +#endif /* CONFIG_WEP */ #ifndef CONFIG_NO_RADIUS /* TODO: update dynamic data based on changed configuration @@ -284,6 +292,8 @@ int hostapd_reload_config(struct hostapd_iface *iface) } +#ifdef CONFIG_WEP + static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, const char *ifname) { @@ -339,6 +349,8 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) return errors; } +#endif /* CONFIG_WEP */ + static void hostapd_free_hapd_data(struct hostapd_data *hapd) { @@ -524,6 +536,8 @@ static void hostapd_cleanup_iface(struct hostapd_iface *iface) } +#ifdef CONFIG_WEP + static void hostapd_clear_wep(struct hostapd_data *hapd) { if (hapd->drv_priv && !hapd->iface->driver_ap_teardown && hapd->conf) { @@ -571,6 +585,8 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) return 0; } +#endif /* CONFIG_WEP */ + static int hostapd_flush_old_stations(struct hostapd_data *hapd, u16 reason) { @@ -606,7 +622,9 @@ static void hostapd_bss_deinit_no_free(struct hostapd_data *hapd) { hostapd_free_stas(hapd); hostapd_flush_old_stations(hapd, WLAN_REASON_DEAUTH_LEAVING); +#ifdef CONFIG_WEP hostapd_clear_wep(hapd); +#endif /* CONFIG_WEP */ } @@ -1161,9 +1179,11 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first) WLAN_REASON_PREV_AUTH_NOT_VALID); hostapd_set_privacy(hapd, 0); +#ifdef CONFIG_WEP hostapd_broadcast_wep_clear(hapd); if (hostapd_setup_encryption(conf->iface, hapd)) return -1; +#endif /* CONFIG_WEP */ /* * Fetch the SSID from the system and use it or, diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 03810de4e..47beaa15b 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -223,7 +223,7 @@ u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid, u16 hostapd_own_capab_info(struct hostapd_data *hapd) { int capab = WLAN_CAPABILITY_ESS; - int privacy; + int privacy = 0; int dfs; int i; @@ -239,12 +239,14 @@ u16 hostapd_own_capab_info(struct hostapd_data *hapd) hapd->iconf->preamble == SHORT_PREAMBLE) capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; +#ifdef CONFIG_WEP privacy = hapd->conf->ssid.wep.keys_set; if (hapd->conf->ieee802_1x && (hapd->conf->default_wep_key_len || hapd->conf->individual_wep_key_len)) privacy = 1; +#endif /* CONFIG_WEP */ if (hapd->conf->wpa) privacy = 1; @@ -284,6 +286,7 @@ u16 hostapd_own_capab_info(struct hostapd_data *hapd) } +#ifdef CONFIG_WEP #ifndef CONFIG_NO_RC4 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, u16 auth_transaction, const u8 *challenge, @@ -340,6 +343,7 @@ static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, return 0; } #endif /* CONFIG_NO_RC4 */ +#endif /* CONFIG_WEP */ static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta, @@ -2543,6 +2547,7 @@ static void handle_auth(struct hostapd_data *hapd, sta->auth_alg = WLAN_AUTH_OPEN; mlme_authenticate_indication(hapd, sta); break; +#ifdef CONFIG_WEP #ifndef CONFIG_NO_RC4 case WLAN_AUTH_SHARED_KEY: resp = auth_shared_key(hapd, sta, auth_transaction, challenge, @@ -2561,6 +2566,7 @@ static void handle_auth(struct hostapd_data *hapd, } break; #endif /* CONFIG_NO_RC4 */ +#endif /* CONFIG_WEP */ #ifdef CONFIG_IEEE80211R_AP case WLAN_AUTH_FT: sta->auth_alg = WLAN_AUTH_FT; @@ -4946,6 +4952,7 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, struct sta_info *sta, char *ifname_wds) { +#ifdef CONFIG_WEP int i; struct hostapd_ssid *ssid = &hapd->conf->ssid; @@ -4966,6 +4973,7 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, break; } } +#endif /* CONFIG_WEP */ } diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 001b26109..c8e5fb395 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -137,6 +137,7 @@ void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, } +#ifdef CONFIG_WEP #ifndef CONFIG_FIPS #ifndef CONFIG_NO_RC4 @@ -297,6 +298,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) #endif /* CONFIG_NO_RC4 */ #endif /* CONFIG_FIPS */ +#endif /* CONFIG_WEP */ const char *radius_mode_txt(struct hostapd_data *hapd) @@ -2114,6 +2116,8 @@ void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) } +#ifdef CONFIG_WEP + static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) { struct eapol_authenticator *eapol = hapd->eapol_auth; @@ -2198,6 +2202,8 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) } } +#endif /* CONFIG_WEP */ + static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, const u8 *data, size_t datalen) @@ -2361,6 +2367,7 @@ static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) } +#ifdef CONFIG_WEP static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) { #ifndef CONFIG_FIPS @@ -2372,6 +2379,7 @@ static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) #endif /* CONFIG_NO_RC4 */ #endif /* CONFIG_FIPS */ } +#endif /* CONFIG_WEP */ static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, @@ -2422,7 +2430,6 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) int ieee802_1x_init(struct hostapd_data *hapd) { - int i; struct eapol_auth_config conf; struct eapol_auth_cb cb; @@ -2433,7 +2440,9 @@ int ieee802_1x_init(struct hostapd_data *hapd) conf.ctx = hapd; conf.eap_reauth_period = hapd->conf->eap_reauth_period; conf.wpa = hapd->conf->wpa; +#ifdef CONFIG_WEP conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; +#endif /* CONFIG_WEP */ conf.eap_req_id_text = hapd->conf->eap_req_id_text; conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; @@ -2448,7 +2457,9 @@ int ieee802_1x_init(struct hostapd_data *hapd) cb.logger = ieee802_1x_logger; cb.set_port_authorized = ieee802_1x_set_port_authorized; cb.abort_auth = _ieee802_1x_abort_auth; +#ifdef CONFIG_WEP cb.tx_key = _ieee802_1x_tx_key; +#endif /* CONFIG_WEP */ cb.eapol_event = ieee802_1x_eapol_event; #ifdef CONFIG_ERP cb.erp_get_key = ieee802_1x_erp_get_key; @@ -2469,7 +2480,10 @@ int ieee802_1x_init(struct hostapd_data *hapd) return -1; #endif /* CONFIG_NO_RADIUS */ +#ifdef CONFIG_WEP if (hapd->conf->default_wep_key_len) { + int i; + for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, 0, NULL, @@ -2480,6 +2494,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) if (!hapd->eapol_auth->default_wep_key) return -1; } +#endif /* CONFIG_WEP */ return 0; } @@ -2499,7 +2514,9 @@ void ieee802_1x_erp_flush(struct hostapd_data *hapd) void ieee802_1x_deinit(struct hostapd_data *hapd) { +#ifdef CONFIG_WEP eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); +#endif /* CONFIG_WEP */ if (hapd->driver && hapd->drv_priv && (hapd->conf->ieee802_1x || hapd->conf->wpa)) diff --git a/src/ap/vlan_init.c b/src/ap/vlan_init.c index e293a0033..53eacfb45 100644 --- a/src/ap/vlan_init.c +++ b/src/ap/vlan_init.c @@ -22,7 +22,9 @@ static int vlan_if_add(struct hostapd_data *hapd, struct hostapd_vlan *vlan, int existsok) { - int ret, i; + int ret; +#ifdef CONFIG_WEP + int i; for (i = 0; i < NUM_WEP_KEYS; i++) { if (!hapd->conf->ssid.wep.key[i]) @@ -32,6 +34,7 @@ static int vlan_if_add(struct hostapd_data *hapd, struct hostapd_vlan *vlan, vlan->ifname); return -1; } +#endif /* CONFIG_WEP */ if (!iface_exists(vlan->ifname)) ret = hostapd_vlan_if_add(hapd, vlan->ifname); diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c index 165d0de9e..1d77b946e 100644 --- a/src/ap/wps_hostapd.c +++ b/src/ap/wps_hostapd.c @@ -651,8 +651,10 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx) (str_starts(buf, "ssid=") || str_starts(buf, "ssid2=") || str_starts(buf, "auth_algs=") || +#ifdef CONFIG_WEP str_starts(buf, "wep_default_key=") || str_starts(buf, "wep_key") || +#endif /* CONFIG_WEP */ str_starts(buf, "wps_state=") || (pmf_changed && str_starts(buf, "ieee80211w=")) || str_starts(buf, "wpa=") || @@ -1196,6 +1198,7 @@ int hostapd_init_wps(struct hostapd_data *hapd, wpa_snprintf_hex((char *) wps->network_key, 2 * PMK_LEN + 1, conf->ssid.wpa_psk->psk, PMK_LEN); wps->network_key_len = 2 * PMK_LEN; +#ifdef CONFIG_WEP } else if (conf->ssid.wep.keys_set && conf->ssid.wep.key[0]) { wps->network_key = os_malloc(conf->ssid.wep.len[0]); if (wps->network_key == NULL) @@ -1203,6 +1206,7 @@ int hostapd_init_wps(struct hostapd_data *hapd, os_memcpy(wps->network_key, conf->ssid.wep.key[0], conf->ssid.wep.len[0]); wps->network_key_len = conf->ssid.wep.len[0]; +#endif /* CONFIG_WEP */ } if (conf->ssid.wpa_psk) { diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 6cb9180ee..ee306ff50 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -1965,10 +1965,12 @@ const char * wpa_cipher_txt(int cipher) switch (cipher) { case WPA_CIPHER_NONE: return "NONE"; +#ifdef CONFIG_WEP case WPA_CIPHER_WEP40: return "WEP-40"; case WPA_CIPHER_WEP104: return "WEP-104"; +#endif /* CONFIG_WEP */ case WPA_CIPHER_TKIP: return "TKIP"; case WPA_CIPHER_CCMP: @@ -2467,10 +2469,12 @@ int wpa_parse_cipher(const char *value) val |= WPA_CIPHER_GCMP; else if (os_strcmp(start, "TKIP") == 0) val |= WPA_CIPHER_TKIP; +#ifdef CONFIG_WEP else if (os_strcmp(start, "WEP104") == 0) val |= WPA_CIPHER_WEP104; else if (os_strcmp(start, "WEP40") == 0) val |= WPA_CIPHER_WEP40; +#endif /* CONFIG_WEP */ else if (os_strcmp(start, "NONE") == 0) val |= WPA_CIPHER_NONE; else if (os_strcmp(start, "GTK_NOT_USED") == 0) diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c index 5a2ba261d..2e79614fd 100644 --- a/src/eapol_auth/eapol_auth_sm.c +++ b/src/eapol_auth/eapol_auth_sm.c @@ -648,6 +648,8 @@ SM_STEP(REAUTH_TIMER) +#ifdef CONFIG_WEP + /* Authenticator Key Transmit state machine */ SM_STATE(AUTH_KEY_TX, NO_KEY_TRANSMIT) @@ -726,6 +728,8 @@ SM_STEP(KEY_RX) } } +#endif /* CONFIG_WEP */ + /* Controlled Directions state machine */ @@ -813,10 +817,12 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr, sm->portControl = Auto; +#ifdef CONFIG_WEP if (!eapol->conf.wpa && (eapol->default_wep_key || eapol->conf.individual_wep_key_len > 0)) sm->keyTxEnabled = TRUE; else +#endif /* CONFIG_WEP */ sm->keyTxEnabled = FALSE; if (eapol->conf.wpa) sm->portValid = FALSE; @@ -910,10 +916,12 @@ restart: SM_STEP_RUN(BE_AUTH); if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr)) SM_STEP_RUN(REAUTH_TIMER); +#ifdef CONFIG_WEP if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr)) SM_STEP_RUN(AUTH_KEY_TX); if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr)) SM_STEP_RUN(KEY_RX); +#endif /* CONFIG_WEP */ if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr)) SM_STEP_RUN(CTRL_DIR); @@ -1167,7 +1175,9 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst, dst->ctx = src->ctx; dst->eap_reauth_period = src->eap_reauth_period; dst->wpa = src->wpa; +#ifdef CONFIG_WEP dst->individual_wep_key_len = src->individual_wep_key_len; +#endif /* CONFIG_WEP */ os_free(dst->eap_req_id_text); if (src->eap_req_id_text) { dst->eap_req_id_text = os_memdup(src->eap_req_id_text, @@ -1221,10 +1231,12 @@ struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf, return NULL; } +#ifdef CONFIG_WEP if (conf->individual_wep_key_len > 0) { /* use key0 in individual key and key1 in broadcast key */ eapol->default_wep_key_idx = 1; } +#endif /* CONFIG_WEP */ eapol->cb.eapol_send = cb->eapol_send; eapol->cb.aaa_send = cb->aaa_send; @@ -1249,6 +1261,8 @@ void eapol_auth_deinit(struct eapol_authenticator *eapol) return; eapol_auth_conf_free(&eapol->conf); +#ifdef CONFIG_WEP os_free(eapol->default_wep_key); +#endif /* CONFIG_WEP */ os_free(eapol); } diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c index a34cc0be2..1734d6efb 100644 --- a/src/eapol_supp/eapol_supp_sm.c +++ b/src/eapol_supp/eapol_supp_sm.c @@ -692,6 +692,7 @@ struct eap_key_data { static void eapol_sm_processKey(struct eapol_sm *sm) { +#ifdef CONFIG_WEP #ifndef CONFIG_FIPS struct ieee802_1x_hdr *hdr; struct ieee802_1x_eapol_key *key; @@ -866,6 +867,7 @@ static void eapol_sm_processKey(struct eapol_sm *sm) } } #endif /* CONFIG_FIPS */ +#endif /* CONFIG_WEP */ } diff --git a/tests/hwsim/example-hostapd.config b/tests/hwsim/example-hostapd.config index 942134a51..f1a9adf7b 100644 --- a/tests/hwsim/example-hostapd.config +++ b/tests/hwsim/example-hostapd.config @@ -110,3 +110,4 @@ CONFIG_FILS_SK_PFS=y CONFIG_OWE=y CONFIG_DPP=y CONFIG_DPP2=y +CONFIG_WEP=y diff --git a/tests/hwsim/example-wpa_supplicant.config b/tests/hwsim/example-wpa_supplicant.config index d494caf86..253f329bb 100644 --- a/tests/hwsim/example-wpa_supplicant.config +++ b/tests/hwsim/example-wpa_supplicant.config @@ -153,3 +153,4 @@ CONFIG_PMKSA_CACHE_EXTERNAL=y CONFIG_OWE=y CONFIG_DPP=y CONFIG_DPP2=y +CONFIG_WEP=y diff --git a/tests/hwsim/test_ap_config.py b/tests/hwsim/test_ap_config.py index dc05a4854..e93c91477 100644 --- a/tests/hwsim/test_ap_config.py +++ b/tests/hwsim/test_ap_config.py @@ -429,8 +429,6 @@ def test_ap_config_set_oom(dev, apdev): tests = [(1, "hostapd_parse_das_client", "SET radius_das_client 192.168.1.123 pw"), - (1, "hostapd_config_read_wep", "SET wep_key0 \"hello\""), - (1, "hostapd_config_read_wep", "SET wep_key0 0102030405"), (1, "hostapd_parse_chanlist", "SET chanlist 1 6 11-13"), (1, "hostapd_config_bss", "SET bss foo"), (2, "hostapd_config_bss", "SET bss foo"), @@ -486,6 +484,9 @@ def test_ap_config_set_oom(dev, apdev): (1, "hostapd_parse_intlist", "SET sae_groups 19 25"), (1, "hostapd_parse_intlist", "SET basic_rates 10 20 55 110"), (1, "hostapd_parse_intlist", "SET supported_rates 10 20 55 110")] + if "WEP40" in dev[0].get_capability("group"): + tests += [(1, "hostapd_config_read_wep", "SET wep_key0 \"hello\""), + (1, "hostapd_config_read_wep", "SET wep_key0 0102030405")] for count, func, cmd in tests: with alloc_fail(hapd, count, func): if "FAIL" not in hapd.request(cmd): @@ -533,14 +534,15 @@ def test_ap_config_set_oom(dev, apdev): def test_ap_config_set_errors(dev, apdev): """hostapd configuration parsing errors""" hapd = hostapd.add_ap(apdev[0], {"ssid": "foobar"}) - hapd.set("wep_key0", '"hello"') - hapd.set("wep_key1", '"hello"') - hapd.set("wep_key0", '') - hapd.set("wep_key0", '"hello"') - if "FAIL" not in hapd.request("SET wep_key1 \"hello\""): - raise Exception("SET wep_key1 allowed to override existing key") - hapd.set("wep_key1", '') - hapd.set("wep_key1", '"hello"') + if "WEP40" in dev[0].get_capability("group"): + hapd.set("wep_key0", '"hello"') + hapd.set("wep_key1", '"hello"') + hapd.set("wep_key0", '') + hapd.set("wep_key0", '"hello"') + if "FAIL" not in hapd.request("SET wep_key1 \"hello\""): + raise Exception("SET wep_key1 allowed to override existing key") + hapd.set("wep_key1", '') + hapd.set("wep_key1", '"hello"') hapd.set("auth_server_addr", "127.0.0.1") hapd.set("acct_server_addr", "127.0.0.1") diff --git a/tests/hwsim/test_ap_hs20.py b/tests/hwsim/test_ap_hs20.py index 374ba2278..a8dac6b70 100644 --- a/tests/hwsim/test_ap_hs20.py +++ b/tests/hwsim/test_ap_hs20.py @@ -2662,8 +2662,9 @@ def test_ap_hs20_osen(dev, apdev): dev[1].connect("osen", key_mgmt="NONE", scan_freq="2412", wait_connect=False) - dev[2].connect("osen", key_mgmt="NONE", wep_key0='"hello"', - scan_freq="2412", wait_connect=False) + if "WEP40" in dev[2].get_capability("group"): + dev[2].connect("osen", key_mgmt="NONE", wep_key0='"hello"', + scan_freq="2412", wait_connect=False) dev[0].flush_scan_cache() dev[0].connect("osen", proto="OSEN", key_mgmt="OSEN", pairwise="CCMP", group="GTK_NOT_USED CCMP", diff --git a/tests/hwsim/test_ap_params.py b/tests/hwsim/test_ap_params.py index aa0b28128..d72e64ab2 100644 --- a/tests/hwsim/test_ap_params.py +++ b/tests/hwsim/test_ap_params.py @@ -16,6 +16,7 @@ import hwsim_utils import hostapd from tshark import run_tshark from utils import alloc_fail, HwsimSkip, parse_ie +from test_wep import check_wep_capa @remote_compatible def test_ap_fragmentation_rts_set_high(dev, apdev): @@ -334,6 +335,7 @@ def test_ap_wds_sta_open(dev, apdev): def test_ap_wds_sta_wep(dev, apdev): """WEP AP with STA using 4addr mode""" + check_wep_capa(dev[0]) ssid = "test-wds-wep" params = {} params['ssid'] = ssid @@ -658,6 +660,7 @@ def test_ap_beacon_rate_vht(dev, apdev): def test_ap_wep_to_wpa(dev, apdev): """WEP to WPA2-PSK configuration change in hostapd""" + check_wep_capa(dev[0]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-to-wpa", "wep_key0": '"hello"'}) diff --git a/tests/hwsim/test_ap_tdls.py b/tests/hwsim/test_ap_tdls.py index caba13df9..31d581516 100644 --- a/tests/hwsim/test_ap_tdls.py +++ b/tests/hwsim/test_ap_tdls.py @@ -17,6 +17,7 @@ import hostapd from utils import HwsimSkip, skip_with_fips from wlantest import Wlantest from test_ap_vht import vht_supported +from test_wep import check_wep_capa def start_ap_wpa2_psk(ap): params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678") @@ -313,6 +314,8 @@ def test_ap_wpa_mixed_tdls(dev, apdev): def test_ap_wep_tdls(dev, apdev): """WEP AP and two stations using TDLS""" + check_wep_capa(dev[0]) + check_wep_capa(dev[1]) hapd = hostapd.add_ap(apdev[0], {"ssid": "test-wep", "wep_key0": '"hello"'}) wlantest_setup(hapd) diff --git a/tests/hwsim/test_ap_wps.py b/tests/hwsim/test_ap_wps.py index 958341667..234531c5d 100644 --- a/tests/hwsim/test_ap_wps.py +++ b/tests/hwsim/test_ap_wps.py @@ -45,6 +45,7 @@ from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips from utils import wait_fail_trigger, clear_regdom from test_ap_eap import int_eap_server_params from test_sae import check_sae_capab +from test_wep import check_wep_capa def wps_start_ap(apdev, ssid="test-wps-conf"): params = {"ssid": ssid, "eap_server": "1", "wps_state": "2", @@ -10036,6 +10037,7 @@ def test_ap_wps_ignore_broadcast_ssid(dev, apdev): def test_ap_wps_wep(dev, apdev): """WPS AP trying to enable WEP""" + check_wep_capa(dev[0]) ssid = "test-wps" hapd = hostapd.add_ap(apdev[0], {"ssid": ssid, "eap_server": "1", "wps_state": "1", diff --git a/tests/hwsim/test_cfg80211.py b/tests/hwsim/test_cfg80211.py index a461fe0ce..9c7935e70 100644 --- a/tests/hwsim/test_cfg80211.py +++ b/tests/hwsim/test_cfg80211.py @@ -16,6 +16,7 @@ import hwsim_utils from tshark import run_tshark from nl80211 import * from wpasupplicant import WpaSupplicant +from test_wep import check_wep_capa def nl80211_command(dev, cmd, attr): res = dev.request("VENDOR ffffffff {} {}".format(nl80211_cmd[cmd], @@ -101,6 +102,7 @@ def test_cfg80211_tx_frame(dev, apdev, params): @remote_compatible def test_cfg80211_wep_key_idx_change(dev, apdev): """WEP Shared Key authentication and key index change without deauth""" + check_wep_capa(dev[0]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-shared-key", "wep_key0": '"hello12345678"', diff --git a/tests/hwsim/test_connect_cmd.py b/tests/hwsim/test_connect_cmd.py index 87122aa32..07a9ab651 100644 --- a/tests/hwsim/test_connect_cmd.py +++ b/tests/hwsim/test_connect_cmd.py @@ -12,6 +12,7 @@ import hwsim_utils import hostapd from wpasupplicant import WpaSupplicant from p2p_utils import * +from test_wep import check_wep_capa def test_connect_cmd_open(dev, apdev): """Open connection using cfg80211 connect command""" @@ -31,11 +32,13 @@ def test_connect_cmd_open(dev, apdev): def test_connect_cmd_wep(dev, apdev): """WEP Open System using cfg80211 connect command""" + wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') + wpas.interface_add("wlan5", drv_params="force_connect_cmd=1") + check_wep_capa(wpas) + params = {"ssid": "sta-connect-wep", "wep_key0": '"hello"'} hapd = hostapd.add_ap(apdev[0], params) - wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') - wpas.interface_add("wlan5", drv_params="force_connect_cmd=1") wpas.connect("sta-connect-wep", key_mgmt="NONE", scan_freq="2412", wep_key0='"hello"') wpas.dump_monitor() @@ -46,12 +49,14 @@ def test_connect_cmd_wep(dev, apdev): def test_connect_cmd_wep_shared(dev, apdev): """WEP Shared key using cfg80211 connect command""" + wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') + wpas.interface_add("wlan5", drv_params="force_connect_cmd=1") + check_wep_capa(wpas) + params = {"ssid": "sta-connect-wep", "wep_key0": '"hello"', "auth_algs": "2"} hapd = hostapd.add_ap(apdev[0], params) - wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') - wpas.interface_add("wlan5", drv_params="force_connect_cmd=1") id = wpas.connect("sta-connect-wep", key_mgmt="NONE", scan_freq="2412", auth_alg="SHARED", wep_key0='"hello"') wpas.dump_monitor() diff --git a/tests/hwsim/test_ibss.py b/tests/hwsim/test_ibss.py index a9b7e11b0..ce7e5eda3 100644 --- a/tests/hwsim/test_ibss.py +++ b/tests/hwsim/test_ibss.py @@ -13,6 +13,7 @@ import subprocess import hwsim_utils from utils import alloc_fail, wait_fail_trigger +from test_wep import check_wep_capa def connect_ibss_cmd(dev, id, freq=2412): dev.dump_monitor() @@ -395,6 +396,9 @@ def test_ibss_rsn_tkip(dev): def test_ibss_wep(dev): """IBSS with WEP""" + check_wep_capa(dev[0]) + check_wep_capa(dev[1]) + ssid = "ibss-wep" id = add_ibss(dev[0], ssid, key_mgmt="NONE", wep_key0='"hello"') diff --git a/tests/hwsim/test_ieee8021x.py b/tests/hwsim/test_ieee8021x.py index bc1c3c939..194694819 100644 --- a/tests/hwsim/test_ieee8021x.py +++ b/tests/hwsim/test_ieee8021x.py @@ -15,11 +15,13 @@ import hostapd import hwsim_utils from utils import skip_with_fips from tshark import run_tshark +from test_wep import check_wep_capa logger = logging.getLogger() def test_ieee8021x_wep104(dev, apdev): """IEEE 802.1X connection using dynamic WEP104""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" @@ -36,6 +38,7 @@ def test_ieee8021x_wep104(dev, apdev): def test_ieee8021x_wep40(dev, apdev): """IEEE 802.1X connection using dynamic WEP40""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" @@ -52,6 +55,7 @@ def test_ieee8021x_wep40(dev, apdev): def test_ieee8021x_wep_index_workaround(dev, apdev): """IEEE 802.1X and EAPOL-Key index workaround""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" @@ -100,6 +104,7 @@ def test_ieee8021x_static_wep104(dev, apdev): run_static_wep(dev, apdev, '"hello-there-/"') def run_static_wep(dev, apdev, key): + check_wep_capa(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" params["ieee8021x"] = "1" @@ -252,6 +257,7 @@ def send_eapol_key(dev, bssid, signkey, frame_start, frame_end): def test_ieee8021x_eapol_key(dev, apdev): """IEEE 802.1X connection and EAPOL-Key protocol tests""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" @@ -317,6 +323,7 @@ def test_ieee8021x_reauth(dev, apdev): def test_ieee8021x_reauth_wep(dev, apdev, params): """IEEE 802.1X and EAPOL_REAUTH request with WEP""" + check_wep_capa(dev[0]) logdir = params['logdir'] params = hostapd.radius_params() @@ -492,6 +499,7 @@ def test_ieee8021x_open_leap(dev, apdev): def test_ieee8021x_and_wpa_enabled(dev, apdev): """IEEE 802.1X connection using dynamic WEP104 when WPA enabled""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) params = hostapd.radius_params() params["ssid"] = "ieee8021x-wep" diff --git a/tests/hwsim/test_radius.py b/tests/hwsim/test_radius.py index fde5650de..6729f372d 100644 --- a/tests/hwsim/test_radius.py +++ b/tests/hwsim/test_radius.py @@ -21,6 +21,7 @@ import hostapd from utils import HwsimSkip, require_under_vm, skip_with_fips, alloc_fail, fail_test, wait_fail_trigger from test_ap_hs20 import build_dhcp_ack from test_ap_ft import ft_params1 +from test_wep import check_wep_capa def connect(dev, ssid, wait_connect=True): dev.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412", @@ -442,6 +443,7 @@ def test_radius_acct_ft_psk(dev, apdev): def test_radius_acct_ieee8021x(dev, apdev): """RADIUS Accounting - IEEE 802.1X""" + check_wep_capa(dev[0]) skip_with_fips(dev[0]) as_hapd = hostapd.Hostapd("as") params = hostapd.radius_params() diff --git a/tests/hwsim/test_scan.py b/tests/hwsim/test_scan.py index 682f427d1..0b7eca882 100644 --- a/tests/hwsim/test_scan.py +++ b/tests/hwsim/test_scan.py @@ -19,6 +19,7 @@ from utils import HwsimSkip, fail_test, alloc_fail, wait_fail_trigger, parse_ie from utils import clear_regdom_dev from tshark import run_tshark from test_ap_csa import switch_channel, wait_channel_switch, csa_supported +from test_wep import check_wep_capa def check_scan(dev, params, other_started=False, test_busy=False): if not other_started: @@ -434,6 +435,7 @@ def test_scan_for_auth_fail(dev, apdev): @remote_compatible def test_scan_for_auth_wep(dev, apdev): """cfg80211 scan-for-auth workaround with WEP keys""" + check_wep_capa(dev[0]) dev[0].flush_scan_cache() hapd = hostapd.add_ap(apdev[0], {"ssid": "wep", "wep_key0": '"abcde"', diff --git a/tests/hwsim/test_wep.py b/tests/hwsim/test_wep.py index d6af730ae..38e34964a 100644 --- a/tests/hwsim/test_wep.py +++ b/tests/hwsim/test_wep.py @@ -11,11 +11,16 @@ import subprocess from remotehost import remote_compatible import hostapd import hwsim_utils -from utils import clear_regdom +from utils import clear_regdom, HwsimSkip + +def check_wep_capa(dev): + if "WEP40" not in dev.get_capability("group"): + raise HwsimSkip("WEP not supported") @remote_compatible def test_wep_open_auth(dev, apdev): """WEP Open System authentication""" + check_wep_capa(dev[0]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-open", "wep_key0": '"hello"'}) @@ -35,6 +40,8 @@ def test_wep_open_auth(dev, apdev): @remote_compatible def test_wep_shared_key_auth(dev, apdev): """WEP Shared Key authentication""" + check_wep_capa(dev[0]) + check_wep_capa(dev[1]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-shared-key", "wep_key0": '"hello12345678"', @@ -50,6 +57,7 @@ def test_wep_shared_key_auth(dev, apdev): @remote_compatible def test_wep_shared_key_auth_not_allowed(dev, apdev): """WEP Shared Key authentication not allowed""" + check_wep_capa(dev[0]) hostapd.add_ap(apdev[0], {"ssid": "wep-shared-key", "wep_key0": '"hello12345678"', @@ -63,6 +71,9 @@ def test_wep_shared_key_auth_not_allowed(dev, apdev): def test_wep_shared_key_auth_multi_key(dev, apdev): """WEP Shared Key authentication with multiple keys""" + check_wep_capa(dev[0]) + check_wep_capa(dev[1]) + check_wep_capa(dev[2]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-shared-key", "wep_key0": '"hello12345678"', @@ -92,6 +103,7 @@ def test_wep_shared_key_auth_multi_key(dev, apdev): def test_wep_ht_vht(dev, apdev): """WEP and HT/VHT""" + check_wep_capa(dev[0]) dev[0].flush_scan_cache() try: hapd = None @@ -124,6 +136,7 @@ def test_wep_ht_vht(dev, apdev): def test_wep_ifdown(dev, apdev): """AP with WEP and external ifconfig down""" + check_wep_capa(dev[0]) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-open", "wep_key0": '"hello"'}) diff --git a/tests/hwsim/test_wext.py b/tests/hwsim/test_wext.py index 1668ccd69..8e1ed7159 100644 --- a/tests/hwsim/test_wext.py +++ b/tests/hwsim/test_wext.py @@ -13,6 +13,7 @@ import hwsim_utils from wpasupplicant import WpaSupplicant from utils import HwsimSkip, skip_with_fips from test_rfkill import get_rfkill +from test_wep import check_wep_capa def get_wext_interface(): if not os.path.exists("/proc/net/wireless"): @@ -149,6 +150,7 @@ def test_wext_pmksa_cache(dev, apdev): def test_wext_wep_open_auth(dev, apdev): """WEP Open System authentication""" wpas = get_wext_interface() + check_wep_capa(wpas) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-open", @@ -162,6 +164,7 @@ def test_wext_wep_open_auth(dev, apdev): def test_wext_wep_shared_key_auth(dev, apdev): """WEP Shared Key authentication""" wpas = get_wext_interface() + check_wep_capa(wpas) hapd = hostapd.add_ap(apdev[0], {"ssid": "wep-shared-key", diff --git a/tests/hwsim/test_wpas_ap.py b/tests/hwsim/test_wpas_ap.py index 5d6dfedde..29005f48e 100644 --- a/tests/hwsim/test_wpas_ap.py +++ b/tests/hwsim/test_wpas_ap.py @@ -13,6 +13,7 @@ import hwsim_utils from utils import HwsimSkip, alloc_fail, clear_regdom_dev from wpasupplicant import WpaSupplicant from test_p2p_channel import set_country +from test_wep import check_wep_capa def wait_ap_ready(dev): ev = dev.wait_event(["CTRL-EVENT-CONNECTED"]) @@ -103,6 +104,7 @@ def test_wpas_ap_open_isolate(dev): @remote_compatible def test_wpas_ap_wep(dev): """wpa_supplicant AP mode - WEP""" + check_wep_capa(dev[0]) id = dev[0].add_network() dev[0].set_network(id, "mode", "2") dev[0].set_network_quoted(id, "ssid", "wpas-ap-wep") @@ -540,17 +542,18 @@ def test_wpas_ap_oom(dev): dev[0].wait_disconnected() dev[0].request("REMOVE_NETWORK all") - id = dev[0].add_network() - dev[0].set_network(id, "mode", "2") - dev[0].set_network_quoted(id, "ssid", "wpas-ap") - dev[0].set_network(id, "key_mgmt", "NONE") - dev[0].set_network_quoted(id, "wep_key0", "hello") - dev[0].set_network(id, "frequency", "2412") - dev[0].set_network(id, "scan_freq", "2412") - with alloc_fail(dev[0], 1, "=wpa_supplicant_conf_ap"): - dev[0].select_network(id) - dev[0].wait_disconnected() - dev[0].request("REMOVE_NETWORK all") + if "WEP40" in dev[0].get_capability("group"): + id = dev[0].add_network() + dev[0].set_network(id, "mode", "2") + dev[0].set_network_quoted(id, "ssid", "wpas-ap") + dev[0].set_network(id, "key_mgmt", "NONE") + dev[0].set_network_quoted(id, "wep_key0", "hello") + dev[0].set_network(id, "frequency", "2412") + dev[0].set_network(id, "scan_freq", "2412") + with alloc_fail(dev[0], 1, "=wpa_supplicant_conf_ap"): + dev[0].select_network(id) + dev[0].wait_disconnected() + dev[0].request("REMOVE_NETWORK all") wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') wpas.interface_add("wlan5") diff --git a/tests/hwsim/test_wpas_ctrl.py b/tests/hwsim/test_wpas_ctrl.py index 91f440191..cd3053460 100644 --- a/tests/hwsim/test_wpas_ctrl.py +++ b/tests/hwsim/test_wpas_ctrl.py @@ -145,11 +145,12 @@ def test_wpas_ctrl_network(dev): if "FAIL" not in dev[0].request("SET_NETWORK " + str(id) + ' identity 12x3'): raise Exception("Unexpected success for invalid identity string") - for i in range(0, 4): - if "FAIL" in dev[0].request("SET_NETWORK " + str(id) + ' wep_key' + str(i) + ' aabbccddee'): - raise Exception("Unexpected wep_key set failure") - if dev[0].get_network(id, "wep_key" + str(i)) != '*': - raise Exception("Unexpected wep_key get failure") + if "WEP40" in dev[0].get_capability("group"): + for i in range(0, 4): + if "FAIL" in dev[0].request("SET_NETWORK " + str(id) + ' wep_key' + str(i) + ' aabbccddee'): + raise Exception("Unexpected wep_key set failure") + if dev[0].get_network(id, "wep_key" + str(i)) != '*': + raise Exception("Unexpected wep_key get failure") if "FAIL" in dev[0].request("SET_NETWORK " + str(id) + ' psk_list P2P-00:11:22:33:44:55-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'): raise Exception("Unexpected failure for psk_list string") @@ -205,11 +206,12 @@ def test_wpas_ctrl_network(dev): raise Exception("Invalid WEP key accepted") if "FAIL" not in dev[0].request('SET_NETWORK ' + str(id) + ' wep_key0 "12345678901234567"'): raise Exception("Too long WEP key accepted") - # too short WEP key is ignored - dev[0].set_network_quoted(id, "wep_key0", "1234") - dev[0].set_network_quoted(id, "wep_key1", "12345") - dev[0].set_network_quoted(id, "wep_key2", "1234567890123") - dev[0].set_network_quoted(id, "wep_key3", "1234567890123456") + if "WEP40" in dev[0].get_capability("group"): + # too short WEP key is ignored + dev[0].set_network_quoted(id, "wep_key0", "1234") + dev[0].set_network_quoted(id, "wep_key1", "12345") + dev[0].set_network_quoted(id, "wep_key2", "1234567890123") + dev[0].set_network_quoted(id, "wep_key3", "1234567890123456") dev[0].set_network(id, "go_p2p_dev_addr", "any") if dev[0].get_network(id, "go_p2p_dev_addr") is not None: diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 0883e749c..c348766ca 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -378,6 +378,10 @@ OBJS += src/fst/fst_ctrl_iface.c endif endif +ifdef CONFIG_WEP +L_CFLAGS += -DCONFIG_WEP +endif + include $(LOCAL_PATH)/src/drivers/drivers.mk diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index e41464f4d..88f688b62 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -1843,6 +1843,10 @@ OBJS_t2 += $(FST_OBJS) OBJS_nfc += $(FST_OBJS) endif +ifdef CONFIG_WEP +CFLAGS += -DCONFIG_WEP +endif + ifndef LDO LDO=$(CC) endif diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config index 69dc7127f..283f8eb0a 100644 --- a/wpa_supplicant/android.config +++ b/wpa_supplicant/android.config @@ -534,4 +534,12 @@ CONFIG_WIFI_DISPLAY=y # Experimental implementation of draft-harkins-owe-07.txt #CONFIG_OWE=y +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current wpa_supplicant +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +CONFIG_WEP=y + include $(wildcard $(LOCAL_PATH)/android_config_*.inc) diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c index bbd8f05fd..87573ef10 100644 --- a/wpa_supplicant/ap.c +++ b/wpa_supplicant/ap.c @@ -390,6 +390,7 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s, bss->ssid.wpa_psk_set = 1; } else if (ssid->passphrase) { bss->ssid.wpa_passphrase = os_strdup(ssid->passphrase); +#ifdef CONFIG_WEP } else if (ssid->wep_key_len[0] || ssid->wep_key_len[1] || ssid->wep_key_len[2] || ssid->wep_key_len[3]) { struct hostapd_wep_keys *wep = &bss->ssid.wep; @@ -405,6 +406,7 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s, } wep->idx = ssid->wep_tx_keyidx; wep->keys_set = 1; +#endif /* CONFIG_WEP */ } #ifdef CONFIG_SAE if (ssid->sae_password) { @@ -486,11 +488,12 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s, bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise, bss->rsn_pairwise); - if (bss->wpa && bss->ieee802_1x) + if (bss->wpa && bss->ieee802_1x) { bss->ssid.security_policy = SECURITY_WPA; - else if (bss->wpa) + } else if (bss->wpa) { bss->ssid.security_policy = SECURITY_WPA_PSK; - else if (bss->ieee802_1x) { +#ifdef CONFIG_WEP + } else if (bss->ieee802_1x) { int cipher = WPA_CIPHER_NONE; bss->ssid.security_policy = SECURITY_IEEE_802_1X; bss->ssid.wep.default_len = bss->default_wep_key_len; @@ -508,6 +511,7 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s, bss->wpa_group = cipher; bss->wpa_pairwise = cipher; bss->rsn_pairwise = cipher; +#endif /* CONFIG_WEP */ } else { bss->ssid.security_policy = SECURITY_PLAINTEXT; bss->wpa_group = WPA_CIPHER_NONE; diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 938165465..2b9c3f53e 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -1856,6 +1856,8 @@ static char * wpa_config_write_machine_password(const struct parse_data *data, #endif /* IEEE8021X_EAPOL */ +#ifdef CONFIG_WEP + static int wpa_config_parse_wep_key(u8 *key, size_t *len, int line, const char *value, int idx) { @@ -1966,6 +1968,8 @@ static char * wpa_config_write_wep_key3(const struct parse_data *data, } #endif /* NO_CONFIG_WRITE */ +#endif /* CONFIG_WEP */ + #ifdef CONFIG_P2P @@ -2451,11 +2455,13 @@ static const struct parse_data ssid_fields[] = { { STRe(openssl_ciphers, openssl_ciphers) }, { INTe(erp, erp) }, #endif /* IEEE8021X_EAPOL */ +#ifdef CONFIG_WEP { FUNC_KEY(wep_key0) }, { FUNC_KEY(wep_key1) }, { FUNC_KEY(wep_key2) }, { FUNC_KEY(wep_key3) }, { INT(wep_tx_keyidx) }, +#endif /* CONFIG_WEP */ { INT(priority) }, #ifdef IEEE8021X_EAPOL { INT(eap_workaround) }, diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index d453ca541..d100d74cb 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -213,8 +213,22 @@ static struct wpa_ssid * wpa_config_read_network(FILE *f, int *line, int id) } } - if (wpa_config_set(ssid, pos, pos2, *line) < 0) + if (wpa_config_set(ssid, pos, pos2, *line) < 0) { +#ifndef CONFIG_WEP + if (os_strcmp(pos, "wep_key0") == 0 || + os_strcmp(pos, "wep_key1") == 0 || + os_strcmp(pos, "wep_key2") == 0 || + os_strcmp(pos, "wep_key3") == 0 || + os_strcmp(pos, "wep_tx_keyidx") == 0) { + wpa_printf(MSG_ERROR, + "Line %d: unsupported WEP parameter", + *line); + ssid->disabled = 1; + continue; + } +#endif /* CONFIG_WEP */ errors++; + } } if (!end) { @@ -653,6 +667,7 @@ static void write_eap(FILE *f, struct wpa_ssid *ssid) #endif /* IEEE8021X_EAPOL */ +#ifdef CONFIG_WEP static void write_wep_key(FILE *f, int idx, struct wpa_ssid *ssid) { char field[20], *value; @@ -667,6 +682,7 @@ static void write_wep_key(FILE *f, int idx, struct wpa_ssid *ssid) os_free(value); } } +#endif /* CONFIG_WEP */ #ifdef CONFIG_P2P @@ -741,8 +757,6 @@ static void write_mka_ckn(FILE *f, struct wpa_ssid *ssid) static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) { - int i; - #define STR(t) write_str(f, #t, ssid) #define INT(t) write_int(f, #t, ssid->t, 0) #define INTe(t, m) write_int(f, #t, ssid->eap.m, 0) @@ -831,9 +845,15 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) STR(openssl_ciphers); INTe(erp, erp); #endif /* IEEE8021X_EAPOL */ - for (i = 0; i < 4; i++) - write_wep_key(f, i, ssid); - INT(wep_tx_keyidx); +#ifdef CONFIG_WEP + { + int i; + + for (i = 0; i < 4; i++) + write_wep_key(f, i, ssid); + INT(wep_tx_keyidx); + } +#endif /* CONFIG_WEP */ INT(priority); #ifdef IEEE8021X_EAPOL INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index ac08ad863..24c7a3d9b 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -300,6 +300,7 @@ struct wpa_ssid { struct eap_peer_config eap; #endif /* IEEE8021X_EAPOL */ +#ifdef CONFIG_WEP #define NUM_WEP_KEYS 4 #define MAX_WEP_KEY_LEN 16 /** @@ -316,6 +317,7 @@ struct wpa_ssid { * wep_tx_keyidx - Default key index for TX frames using WEP */ int wep_tx_keyidx; +#endif /* CONFIG_WEP */ /** * proactive_key_caching - Enable proactive key caching diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c index 0f2a30a46..598bc7790 100644 --- a/wpa_supplicant/config_winreg.c +++ b/wpa_supplicant/config_winreg.c @@ -823,6 +823,7 @@ static void write_eap(HKEY hk, struct wpa_ssid *ssid) #endif /* IEEE8021X_EAPOL */ +#ifdef CONFIG_WEP static void write_wep_key(HKEY hk, int idx, struct wpa_ssid *ssid) { char field[20], *value; @@ -834,11 +835,12 @@ static void write_wep_key(HKEY hk, int idx, struct wpa_ssid *ssid) os_free(value); } } +#endif /* CONFIG_WEP */ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id) { - int i, errors = 0; + int errors = 0; HKEY nhk, netw; LONG ret; TCHAR name[5]; @@ -924,9 +926,15 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id) INTe(engine2, phase2_cert.engine); INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS); #endif /* IEEE8021X_EAPOL */ - for (i = 0; i < 4; i++) - write_wep_key(netw, i, ssid); - INT(wep_tx_keyidx); +#ifdef CONFIG_WEP + { + int i; + + for (i = 0; i < 4; i++) + write_wep_key(netw, i, ssid); + INT(wep_tx_keyidx); + } +#endif /* CONFIG_WEP */ INT(priority); #ifdef IEEE8021X_EAPOL INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND); diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 10c096129..2c540457b 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -3949,8 +3949,10 @@ static const struct cipher_info ciphers[] = { { WPA_DRIVER_CAPA_ENC_GCMP, "GCMP", 0 }, { WPA_DRIVER_CAPA_ENC_TKIP, "TKIP", 0 }, { WPA_DRIVER_CAPA_KEY_MGMT_WPA_NONE, "NONE", 0 }, +#ifdef CONFIG_WEP { WPA_DRIVER_CAPA_ENC_WEP104, "WEP104", 1 }, { WPA_DRIVER_CAPA_ENC_WEP40, "WEP40", 1 } +#endif /* CONFIG_WEP */ }; static const struct cipher_info ciphers_group_mgmt[] = { @@ -4012,7 +4014,11 @@ static int ctrl_iface_get_capability_group(int res, char *strict, if (res < 0) { if (strict) return 0; +#ifdef CONFIG_WEP len = os_strlcpy(buf, "CCMP TKIP WEP104 WEP40", buflen); +#else /* CONFIG_WEP */ + len = os_strlcpy(buf, "CCMP TKIP", buflen); +#endif /* CONFIG_WEP */ if (len >= buflen) return -1; return len; diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c index 4b6dabcc9..55c5dbc99 100644 --- a/wpa_supplicant/dbus/dbus_new_handlers.c +++ b/wpa_supplicant/dbus/dbus_new_handlers.c @@ -2664,7 +2664,10 @@ dbus_bool_t wpas_dbus_getter_capabilities( /***** group cipher */ if (res < 0) { const char *args[] = { - "ccmp", "tkip", "wep104", "wep40" + "ccmp", "tkip", +#ifdef CONFIG_WEP + "wep104", "wep40" +#endif /* CONFIG_WEP */ }; if (!wpa_dbus_dict_append_string_array( @@ -2691,12 +2694,14 @@ dbus_bool_t wpas_dbus_getter_capabilities( ((capa.enc & WPA_DRIVER_CAPA_ENC_TKIP) && !wpa_dbus_dict_string_array_add_element( &iter_array, "tkip")) || +#ifdef CONFIG_WEP ((capa.enc & WPA_DRIVER_CAPA_ENC_WEP104) && !wpa_dbus_dict_string_array_add_element( &iter_array, "wep104")) || ((capa.enc & WPA_DRIVER_CAPA_ENC_WEP40) && !wpa_dbus_dict_string_array_add_element( &iter_array, "wep40")) || +#endif /* CONFIG_WEP */ !wpa_dbus_dict_end_string_array(&iter_dict, &iter_dict_entry, &iter_dict_val, @@ -4733,9 +4738,14 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( /* Group */ switch (ie_data->group_cipher) { +#ifdef CONFIG_WEP case WPA_CIPHER_WEP40: group = "wep40"; break; + case WPA_CIPHER_WEP104: + group = "wep104"; + break; +#endif /* CONFIG_WEP */ case WPA_CIPHER_TKIP: group = "tkip"; break; @@ -4745,9 +4755,6 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( case WPA_CIPHER_GCMP: group = "gcmp"; break; - case WPA_CIPHER_WEP104: - group = "wep104"; - break; case WPA_CIPHER_CCMP_256: group = "ccmp-256"; break; diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig index 5308b494b..a87b58620 100644 --- a/wpa_supplicant/defconfig +++ b/wpa_supplicant/defconfig @@ -603,3 +603,11 @@ CONFIG_BGSCAN_SIMPLE=y # Device Provisioning Protocol (DPP) CONFIG_DPP=y + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current wpa_supplicant +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +#CONFIG_WEP=y diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index 2851ffc81..37ae306bb 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -479,6 +479,7 @@ int wpa_supplicant_scard_init(struct wpa_supplicant *wpa_s, #ifndef CONFIG_NO_SCAN_PROCESSING +#ifdef CONFIG_WEP static int has_wep_key(struct wpa_ssid *ssid) { int i; @@ -490,6 +491,7 @@ static int has_wep_key(struct wpa_ssid *ssid) return 0; } +#endif /* CONFIG_WEP */ static int wpa_supplicant_match_privacy(struct wpa_bss *bss, @@ -510,8 +512,10 @@ static int wpa_supplicant_match_privacy(struct wpa_bss *bss, return 1; #endif /* CONFIG_OWE */ +#ifdef CONFIG_WEP if (has_wep_key(ssid)) privacy = 1; +#endif /* CONFIG_WEP */ #ifdef IEEE8021X_EAPOL if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && @@ -540,17 +544,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, int proto_match = 0; const u8 *rsn_ie, *wpa_ie; int ret; +#ifdef CONFIG_WEP int wep_ok; +#endif /* CONFIG_WEP */ ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss); if (ret >= 0) return ret; +#ifdef CONFIG_WEP /* Allow TSN if local configuration accepts WEP use without WPA/WPA2 */ wep_ok = !wpa_key_mgmt_wpa(ssid->key_mgmt) && (((ssid->key_mgmt & WPA_KEY_MGMT_NONE) && ssid->wep_key_len[ssid->wep_tx_keyidx] > 0) || (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)); +#endif /* CONFIG_WEP */ rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN); while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) { @@ -567,6 +575,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, if (!ie.has_group) ie.group_cipher = wpa_default_rsn_cipher(bss->freq); +#ifdef CONFIG_WEP if (wep_ok && (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104))) { @@ -575,6 +584,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, " selected based on TSN in RSN IE"); return 1; } +#endif /* CONFIG_WEP */ if (!(ie.proto & ssid->proto) && !(ssid->proto & WPA_PROTO_OSEN)) { @@ -655,6 +665,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, break; } +#ifdef CONFIG_WEP if (wep_ok && (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104))) { @@ -663,6 +674,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, " selected based on TSN in WPA IE"); return 1; } +#endif /* CONFIG_WEP */ if (!(ie.proto & ssid->proto)) { if (debug_print) @@ -1236,6 +1248,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s, continue; } +#ifdef CONFIG_WEP if (wpa && !wpa_key_mgmt_wpa(ssid->key_mgmt) && has_wep_key(ssid)) { if (debug_print) @@ -1243,6 +1256,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s, " skip - ignore WPA/WPA2 AP for WEP network block"); continue; } +#endif /* CONFIG_WEP */ if ((ssid->key_mgmt & WPA_KEY_MGMT_OSEN) && !osen && !rsn_osen) { @@ -3077,6 +3091,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s, wpa_s->pending_eapol_rx = NULL; } +#ifdef CONFIG_WEP if ((wpa_s->key_mgmt == WPA_KEY_MGMT_NONE || wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA) && wpa_s->current_ssid && @@ -3084,6 +3099,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s, /* Set static WEP keys again */ wpa_set_wep_keys(wpa_s, wpa_s->current_ssid); } +#endif /* CONFIG_WEP */ #ifdef CONFIG_IBSS_RSN if (wpa_s->current_ssid && diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 81151a7fb..c320c249b 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -286,7 +286,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s, #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) const u8 *md = NULL; #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ - int i, bssid_changed; + int bssid_changed; struct wpabuf *resp = NULL; u8 ext_capab[18]; int ext_capab_len; @@ -370,12 +370,18 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s, } #endif /* CONFIG_SAE */ - for (i = 0; i < NUM_WEP_KEYS; i++) { - if (ssid->wep_key_len[i]) - params.wep_key[i] = ssid->wep_key[i]; - params.wep_key_len[i] = ssid->wep_key_len[i]; +#ifdef CONFIG_WEP + { + int i; + + for (i = 0; i < NUM_WEP_KEYS; i++) { + if (ssid->wep_key_len[i]) + params.wep_key[i] = ssid->wep_key[i]; + params.wep_key_len[i] = ssid->wep_key_len[i]; + } + params.wep_tx_keyidx = ssid->wep_tx_keyidx; } - params.wep_tx_keyidx = ssid->wep_tx_keyidx; +#endif /* CONFIG_WEP */ if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || wpa_bss_get_ie(bss, WLAN_EID_RSN)) && diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 634fb290e..9d77efd4e 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -130,6 +130,7 @@ static void wpas_update_owe_connect_params(struct wpa_supplicant *wpa_s); #endif /* CONFIG_OWE */ +#ifdef CONFIG_WEP /* Configure default/group WEP keys for static WEP */ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) { @@ -150,6 +151,7 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) return set; } +#endif /* CONFIG_WEP */ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, @@ -396,7 +398,9 @@ void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s) void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) { +#ifdef CONFIG_WEP int i; +#endif /* CONFIG_WEP */ if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) wpa_s->key_mgmt = WPA_KEY_MGMT_WPS; @@ -414,6 +418,7 @@ void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s, wpa_s->group_cipher = WPA_CIPHER_NONE; wpa_s->mgmt_group_cipher = 0; +#ifdef CONFIG_WEP for (i = 0; i < NUM_WEP_KEYS; i++) { if (ssid->wep_key_len[i] > 5) { wpa_s->pairwise_cipher = WPA_CIPHER_WEP104; @@ -425,6 +430,7 @@ void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s, break; } } +#endif /* CONFIG_WEP */ wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_RSN_ENABLED, 0); wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEY_MGMT, wpa_s->key_mgmt); @@ -3319,7 +3325,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) struct wpa_supplicant *wpa_s = work->wpa_s; u8 *wpa_ie; const u8 *edmg_ie_oper; - int use_crypt, ret, i, bssid_changed; + int use_crypt, ret, bssid_changed; unsigned int cipher_pairwise, cipher_group, cipher_group_mgmt; struct wpa_driver_associate_params params; int wep_keys_set = 0; @@ -3429,10 +3435,12 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA) { if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) use_crypt = 0; +#ifdef CONFIG_WEP if (wpa_set_wep_keys(wpa_s, ssid)) { use_crypt = 1; wep_keys_set = 1; } +#endif /* CONFIG_WEP */ } if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) use_crypt = 0; @@ -3577,12 +3585,18 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) wpa_s->auth_alg = params.auth_alg; params.mode = ssid->mode; params.bg_scan_period = ssid->bg_scan_period; - for (i = 0; i < NUM_WEP_KEYS; i++) { - if (ssid->wep_key_len[i]) - params.wep_key[i] = ssid->wep_key[i]; - params.wep_key_len[i] = ssid->wep_key_len[i]; +#ifdef CONFIG_WEP + { + int i; + + for (i = 0; i < NUM_WEP_KEYS; i++) { + if (ssid->wep_key_len[i]) + params.wep_key[i] = ssid->wep_key[i]; + params.wep_key_len[i] = ssid->wep_key_len[i]; + } + params.wep_tx_keyidx = ssid->wep_tx_keyidx; } - params.wep_tx_keyidx = ssid->wep_tx_keyidx; +#endif /* CONFIG_WEP */ if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) && (params.key_mgmt_suite == WPA_KEY_MGMT_PSK || @@ -3740,11 +3754,13 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0); } +#ifdef CONFIG_WEP if (wep_keys_set && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC)) { /* Set static WEP keys again */ wpa_set_wep_keys(wpa_s, ssid); } +#endif /* CONFIG_WEP */ if (wpa_s->current_ssid && wpa_s->current_ssid != ssid) { /* @@ -7330,8 +7346,10 @@ int wpa_supplicant_ctrl_iface_ctrl_rsp_handle(struct wpa_supplicant *wpa_s, int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) { +#ifdef CONFIG_WEP int i; unsigned int drv_enc; +#endif /* CONFIG_WEP */ if (wpa_s->p2p_mgmt) return 1; /* no normal network profiles on p2p_mgmt interface */ @@ -7342,6 +7360,7 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) if (ssid->disabled) return 1; +#ifdef CONFIG_WEP if (wpa_s->drv_capa_known) drv_enc = wpa_s->drv_enc; else @@ -7359,6 +7378,7 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) continue; return 1; /* invalid WEP key */ } +#endif /* CONFIG_WEP */ if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set && (!ssid->passphrase || ssid->ssid_len != 0) && !ssid->ext_psk && diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 5ddefce08..cef70a6f5 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -227,6 +227,7 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf, } +#ifdef CONFIG_WEP /** * wpa_eapol_set_wep_key - set WEP key for the driver * @ctx: Pointer to wpa_supplicant data (wpa_s) @@ -254,6 +255,7 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, unicast ? KEY_FLAG_PAIRWISE_RX_TX : KEY_FLAG_GROUP_RX_TX_DEFAULT); } +#endif /* CONFIG_WEP */ static void wpa_supplicant_aborted_cached(void *ctx) @@ -1133,7 +1135,9 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s) ctx->preauth = 0; ctx->eapol_done_cb = wpa_supplicant_notify_eapol_done; ctx->eapol_send = wpa_supplicant_eapol_send; +#ifdef CONFIG_WEP ctx->set_wep_key = wpa_eapol_set_wep_key; +#endif /* CONFIG_WEP */ #ifndef CONFIG_NO_CONFIG_BLOBS ctx->set_config_blob = wpa_supplicant_set_config_blob; ctx->get_config_blob = wpa_supplicant_get_config_blob;