Remove WEP40/WEP104 cipher suite support for WPA/WPA2

As far as IEEE 802.11 standard is concerned, WEP is deprecated, but at
least in theory, allowed as a group cipher. This option is unlikely to
be deployed anywhere and to clean up the implementation, we might as
well remove all support for this combination.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-06-20 18:25:15 +03:00
parent 664093b55b
commit ce8963fc9f
4 changed files with 10 additions and 55 deletions

View file

@ -432,14 +432,10 @@ static int rsn_selector_to_bitfield(const u8 *s)
{ {
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
return WPA_CIPHER_NONE; return WPA_CIPHER_NONE;
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP40)
return WPA_CIPHER_WEP40;
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
return WPA_CIPHER_TKIP; return WPA_CIPHER_TKIP;
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
return WPA_CIPHER_CCMP; return WPA_CIPHER_CCMP;
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP104)
return WPA_CIPHER_WEP104;
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
return WPA_CIPHER_AES_128_CMAC; return WPA_CIPHER_AES_128_CMAC;
@ -499,8 +495,6 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
static int wpa_cipher_valid_group(int cipher) static int wpa_cipher_valid_group(int cipher)
{ {
return wpa_cipher_valid_pairwise(cipher) || return wpa_cipher_valid_pairwise(cipher) ||
cipher == WPA_CIPHER_WEP104 ||
cipher == WPA_CIPHER_WEP40 ||
cipher == WPA_CIPHER_GTK_NOT_USED; cipher == WPA_CIPHER_GTK_NOT_USED;
} }
@ -695,14 +689,10 @@ static int wpa_selector_to_bitfield(const u8 *s)
{ {
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
return WPA_CIPHER_NONE; return WPA_CIPHER_NONE;
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP40)
return WPA_CIPHER_WEP40;
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
return WPA_CIPHER_TKIP; return WPA_CIPHER_TKIP;
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
return WPA_CIPHER_CCMP; return WPA_CIPHER_CCMP;
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP104)
return WPA_CIPHER_WEP104;
return 0; return 0;
} }
@ -1363,10 +1353,6 @@ int wpa_cipher_key_len(int cipher)
return 16; return 16;
case WPA_CIPHER_TKIP: case WPA_CIPHER_TKIP:
return 32; return 32;
case WPA_CIPHER_WEP104:
return 13;
case WPA_CIPHER_WEP40:
return 5;
} }
return 0; return 0;
@ -1382,9 +1368,6 @@ int wpa_cipher_rsc_len(int cipher)
case WPA_CIPHER_GCMP: case WPA_CIPHER_GCMP:
case WPA_CIPHER_TKIP: case WPA_CIPHER_TKIP:
return 6; return 6;
case WPA_CIPHER_WEP104:
case WPA_CIPHER_WEP40:
return 0;
} }
return 0; return 0;
@ -1404,9 +1387,6 @@ int wpa_cipher_to_alg(int cipher)
return WPA_ALG_GCMP; return WPA_ALG_GCMP;
case WPA_CIPHER_TKIP: case WPA_CIPHER_TKIP:
return WPA_ALG_TKIP; return WPA_ALG_TKIP;
case WPA_CIPHER_WEP104:
case WPA_CIPHER_WEP40:
return WPA_ALG_WEP;
case WPA_CIPHER_AES_128_CMAC: case WPA_CIPHER_AES_128_CMAC:
return WPA_ALG_IGTK; return WPA_ALG_IGTK;
case WPA_CIPHER_BIP_GMAC_128: case WPA_CIPHER_BIP_GMAC_128:
@ -1444,12 +1424,6 @@ u32 wpa_cipher_to_suite(int proto, int cipher)
if (cipher & WPA_CIPHER_TKIP) if (cipher & WPA_CIPHER_TKIP)
return (proto == WPA_PROTO_RSN ? return (proto == WPA_PROTO_RSN ?
RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
if (cipher & WPA_CIPHER_WEP104)
return (proto == WPA_PROTO_RSN ?
RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
if (cipher & WPA_CIPHER_WEP40)
return (proto == WPA_PROTO_RSN ?
RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
if (cipher & WPA_CIPHER_NONE) if (cipher & WPA_CIPHER_NONE)
return (proto == WPA_PROTO_RSN ? return (proto == WPA_PROTO_RSN ?
RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
@ -1553,10 +1527,6 @@ int wpa_pick_group_cipher(int ciphers)
return WPA_CIPHER_GTK_NOT_USED; return WPA_CIPHER_GTK_NOT_USED;
if (ciphers & WPA_CIPHER_TKIP) if (ciphers & WPA_CIPHER_TKIP)
return WPA_CIPHER_TKIP; return WPA_CIPHER_TKIP;
if (ciphers & WPA_CIPHER_WEP104)
return WPA_CIPHER_WEP104;
if (ciphers & WPA_CIPHER_WEP40)
return WPA_CIPHER_WEP40;
return -1; return -1;
} }
@ -1654,20 +1624,6 @@ int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
return -1; return -1;
pos += ret; pos += ret;
} }
if (ciphers & WPA_CIPHER_WEP104) {
ret = os_snprintf(pos, end - pos, "%sWEP104",
pos == start ? "" : delim);
if (os_snprintf_error(end - pos, ret))
return -1;
pos += ret;
}
if (ciphers & WPA_CIPHER_WEP40) {
ret = os_snprintf(pos, end - pos, "%sWEP40",
pos == start ? "" : delim);
if (os_snprintf_error(end - pos, ret))
return -1;
pos += ret;
}
if (ciphers & WPA_CIPHER_NONE) { if (ciphers & WPA_CIPHER_NONE) {
ret = os_snprintf(pos, end - pos, "%sNONE", ret = os_snprintf(pos, end - pos, "%sNONE",
pos == start ? "" : delim); pos == start ? "" : delim);

View file

@ -22,8 +22,8 @@
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \ (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256) WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
#define WPA_ALLOWED_GROUP_CIPHERS \ #define WPA_ALLOWED_GROUP_CIPHERS \
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_WEP104 | \ (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | \
WPA_CIPHER_WEP40 | WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \ WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
WPA_CIPHER_GTK_NOT_USED) WPA_CIPHER_GTK_NOT_USED)
#define WPA_SELECTOR_LEN 4 #define WPA_SELECTOR_LEN 4
@ -40,13 +40,8 @@ WPA_CIPHER_GTK_NOT_USED)
#define WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X RSN_SELECTOR(0x00, 0x50, 0xf2, 2) #define WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
#define WPA_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0) #define WPA_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0)
#define WPA_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x50, 0xf2, 0) #define WPA_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x50, 0xf2, 0)
#define WPA_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x50, 0xf2, 1)
#define WPA_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x50, 0xf2, 2) #define WPA_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
#if 0
#define WPA_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x50, 0xf2, 3)
#endif
#define WPA_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x50, 0xf2, 4) #define WPA_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x50, 0xf2, 4)
#define WPA_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x50, 0xf2, 5)
#define RSN_AUTH_KEY_MGMT_UNSPEC_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 1) #define RSN_AUTH_KEY_MGMT_UNSPEC_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
@ -68,13 +63,11 @@ RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
#define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01) #define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)
#define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0) #define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
#define RSN_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
#define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2) #define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
#if 0 #if 0
#define RSN_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x0f, 0xac, 3) #define RSN_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
#endif #endif
#define RSN_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 4) #define RSN_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
#define RSN_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x0f, 0xac, 5)
#define RSN_CIPHER_SUITE_AES_128_CMAC RSN_SELECTOR(0x00, 0x0f, 0xac, 6) #define RSN_CIPHER_SUITE_AES_128_CMAC RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
#define RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED RSN_SELECTOR(0x00, 0x0f, 0xac, 7) #define RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED RSN_SELECTOR(0x00, 0x0f, 0xac, 7)
#define RSN_CIPHER_SUITE_GCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 8) #define RSN_CIPHER_SUITE_GCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 8)

View file

@ -967,6 +967,13 @@ static int wpa_config_parse_group(const struct parse_data *data,
val = wpa_config_parse_cipher(line, value); val = wpa_config_parse_cipher(line, value);
if (val == -1) if (val == -1)
return -1; return -1;
/*
* Backwards compatibility - filter out WEP ciphers that were previously
* allowed.
*/
val &= ~(WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40);
if (val & ~WPA_ALLOWED_GROUP_CIPHERS) { if (val & ~WPA_ALLOWED_GROUP_CIPHERS) {
wpa_printf(MSG_ERROR, "Line %d: not allowed group cipher " wpa_printf(MSG_ERROR, "Line %d: not allowed group cipher "
"(0x%x).", line, val); "(0x%x).", line, val);

View file

@ -20,8 +20,7 @@
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN) #define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X) #define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \ #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
#define DEFAULT_FRAGMENT_SIZE 1398 #define DEFAULT_FRAGMENT_SIZE 1398
#define DEFAULT_BG_SCAN_PERIOD -1 #define DEFAULT_BG_SCAN_PERIOD -1