WPS 2.0: Enforce new security policy of received AP Settings

When receiving new AP Settings from ER, reject WEP configuration
and upgrade WPA-Personal/TKIP only to mixed mode (i.e., add
WPA2-Personal/CCMP).
This commit is contained in:
Jouni Malinen 2010-05-29 12:41:15 +03:00 committed by Jouni Malinen
parent 6b633b4da7
commit 6be2d7f826

View file

@ -770,6 +770,46 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
#endif /* CONFIG_WPS_STRICT */ #endif /* CONFIG_WPS_STRICT */
} }
if (!(cred.encr_type & (WPS_ENCR_NONE | WPS_ENCR_TKIP | WPS_ENCR_AES)))
{
if (cred.encr_type & WPS_ENCR_WEP) {
wpa_printf(MSG_INFO, "WPS: Reject new AP settings "
"due to WEP configuration");
return -1;
}
wpa_printf(MSG_INFO, "WPS: Reject new AP settings due to "
"invalid encr_type 0x%x", cred.encr_type);
return -1;
}
#ifdef CONFIG_WPS_STRICT
if (wps2) {
if ((cred.encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) ==
WPS_ENCR_TKIP ||
(cred.auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) ==
WPS_AUTH_WPAPSK) {
wpa_printf(MSG_INFO, "WPS-STRICT: Invalid WSC 2.0 "
"AP Settings: WPA-Personal/TKIP only");
return -1;
}
}
#endif /* CONFIG_WPS_STRICT */
if ((cred.encr_type & (WPS_ENCR_TKIP | WPS_ENCR_AES)) == WPS_ENCR_TKIP)
{
wpa_printf(MSG_DEBUG, "WPS: Upgrade encr_type TKIP -> "
"TKIP+AES");
cred.encr_type |= WPS_ENCR_AES;
}
if ((cred.auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) ==
WPS_AUTH_WPAPSK) {
wpa_printf(MSG_DEBUG, "WPS: Upgrade auth_type WPAPSK -> "
"WPAPSK+WPA2PSK");
cred.auth_type |= WPS_AUTH_WPA2PSK;
}
if (wps->wps->cred_cb) { if (wps->wps->cred_cb) {
cred.cred_attr = wpabuf_head(attrs); cred.cred_attr = wpabuf_head(attrs);
cred.cred_attr_len = wpabuf_len(attrs); cred.cred_attr_len = wpabuf_len(attrs);