From 86bd1410503913b719417f32457631a2ee1095ed Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 23 Aug 2013 19:27:25 +0300
Subject: [PATCH] Change WEP network selection to reject WPA/WPA2 APs
Previously, wpa_supplicant behavior in WEP configuration was to try to mimic a device that is not aware of WPA/WPA2 and as such, it tried to connect to a WPA/WPA2 AP with the assumption that the AP could be providing support for both WEP and WPA/WPA2 stations in the same BSS. Such APs could have been used during transition from WEP to more secure options, but that type of deployment have not been used in large number and are not really of much use anymore taken into account that more or less all new devices support WPA/WPA2. That combined with the preference to deprecate WEP justifies removing this use case and making WEP networking matching more strict by using the knowledge of AP advertising WPA/WPA2 as an indication of WEP not being supported.
Signed-hostap: Jouni Malinen
---
 wpa_supplicant/events.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index bcfac21cf..3ecb0ceb9 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -334,10 +334,24 @@ int wpa_supplicant_scard_init(struct wpa_supplicant *wpa_s,
 #ifndef CONFIG_NO_SCAN_PROCESSING
+
+static int has_wep_key(struct wpa_ssid *ssid)
+{
+ int i;
+
+ for (i = 0; i < NUM_WEP_KEYS; i++) {
+ if (ssid->wep_key_len[i])
+ return 1;
+ }
+
+ return 0;
+}
+
+
 static int wpa_supplicant_match_privacy(struct wpa_bss *bss,
 struct wpa_ssid *ssid)
 {
- int i, privacy = 0;
+ int privacy = 0;
 if (ssid->mixed_cell)
 return 1;
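Review bot: has_wep_key() only reads ssid->wep_key_len[], so its parameter can be declared `const struct wpa_ssid *ssid`, which makes it explicit that the helper never modifies the network block. The helper also has no comment; a line such as `/* Return 1 if any static WEP key (non-zero wep_key_len) is configured in the network block */` above it would state that only static keys are considered. That matters because the new skip in wpa_scan_res_match() is gated on exactly this result.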
@@ -347,12 +361,9 @@ static int wpa_supplicant_match_privacy(struct wpa_bss *bss,
 return 1;
 #endif /* CONFIG_WPS */
- for (i = 0; i < NUM_WEP_KEYS; i++) {
- if (ssid->wep_key_len[i]) {
- privacy = 1;
- break;
- }
- }
+ if (has_wep_key(ssid))
+ privacy = 1;
+
 #ifdef IEEE8021X_EAPOL
 if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
 ssid->eapol_flags & (EAPOL_FLAG_REQUIRE_KEY_UNICAST |
@@ -818,6 +829,12 @@ static struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 continue;
 }
+ if (wpa && !wpa_key_mgmt_wpa(ssid->key_mgmt) &&
+ has_wep_key(ssid)) {
+ wpa_dbg(wpa_s, MSG_DEBUG, " skip - ignore WPA/WPA2 AP for WEP network block");
+ continue;
+ }
+
 if (!wpa_supplicant_match_privacy(bss, ssid)) {
 wpa_dbg(wpa_s, MSG_DEBUG, " skip - privacy "
 "mismatch");
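Review bot: The new skip in wpa_scan_res_match() fires only when has_wep_key(ssid) is true, so a non-WPA network block without a static key still appears to be matched against an AP that advertises WPA/WPA2. One such case would be dynamic WEP through WPA_KEY_MGMT_IEEE8021X_NO_WPA, which wpa_supplicant_match_privacy() handles separately. If the commit's intent is that a WPA/WPA2 advertisement always means WEP is unsupported, that case needs the same skip; otherwise a comment above the check should say why it is left out, e.g. `/* Static WEP only; IEEE 802.1X dynamic WEP network blocks are not rejected here */`. The variable `wpa` is assigned outside this hunk, so whether it reflects both the WPA and RSN IEs cannot be confirmed from the visible lines, and the loop body continues past the hunk.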