[PATCH]: WPS 2.0: Prevent setting WPA in WPS 2.0 configuration
Arnon.Meydav at lantiq.com
Arnon.Meydav
Thu Feb 27 07:13:37 PST 2014
Commit log:
WPS 2.0: Prevent setting WPA in WPS 2.0 configuration, so that legacy WPS 1 STAs can't cause the WPS session to negotiate an illegal WPA-AES configuration.
Signed-off-by: Arnon Meydav <arnon.meydav at lantiq.com>
diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 3a40125..bedcc46 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1088,7 +1088,7 @@ int hostapd_init_wps(struct hostapd_data *hapd,
if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
wps->encr_types |= WPS_ENCR_TKIP;
}
-
+#ifndef CONFIG_WPS2
if (conf->wpa & WPA_PROTO_WPA) {
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
wps->auth_types |= WPS_AUTH_WPAPSK;
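Review bot: With `#ifndef CONFIG_WPS2` placed directly in front of `if (conf->wpa & WPA_PROTO_WPA) {`, a CONFIG_WPS2 build never sets WPS_AUTH_WPAPSK, so an AP configured for WPA only gets no auth type from this block and nothing visible here reports that. Consider logging or rejecting that configuration during WPS init rather than dropping it silently. A short comment above the guard saying why WPA is excluded for WPS 2.0 would help, as would keeping the blank line this hunk removes.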
@@ -1100,7 +1100,7 @@ int hostapd_init_wps(struct hostapd_data *hapd,
if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
wps->encr_types |= WPS_ENCR_TKIP;
}
-
+#endif
if (conf->ssid.security_policy == SECURITY_PLAINTEXT) {
wps->encr_types |= WPS_ENCR_NONE;
wps->auth_types |= WPS_AUTH_OPEN;
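Review bot: The bare `#endif` closes a guard opened in the previous hunk and gives no hint of which condition it ends; write it as `#endif /* CONFIG_WPS2 */`. The hunk also drops the blank line that separated the WPA block from the `SECURITY_PLAINTEXT` check, and keeping it would leave the two blocks visually distinct.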
Details:
We found a legacy retail USB stick (supporting WPS 1), which causes hostapd to select an illegal configuration when running a WPS 2.0 session:
It finishes the WPS session successfully, but selects WPA + AES, instead of WPA2 + AES.
This is in spite of the fact that the AP was configured to support mixed mode: WPA-TKIP and WPA2-AES.
The STA eventually doesn't connect, but that is due to the STA rejecting the session, not the AP.
The AP should not allow selecting this security combination when configured for WPS 2.0.
We found that hostapd doesn't handle the WPS config with the same level of detail as the WPA config.
i.e. if you are configured for wpa_pairwise=TKIP and rsn_pairwise=AES, in WPS config both TKIP and AES will be set, with no regard to which cipher should work with WPA, and which with RSN.
In addition, in WPS 2.0, WPA is not a valid authentication type, no matter what cipher is used, but it could be selected in the WPS config.
We prevented this case by ignoring the WPA configuration (and therefore auth_types will not allow WPA) if WPS 2.0 is defined.
Final note:
While writing this email, I think I found that my patch above is incomplete.
We should also prevent the setting of TKIP even if it is defined in rsn_pairwise.
This second patch was not tested by me, so I am not combining it with the previous one.
I would be happy for a review/opinion.
Signed-off-by: Arnon Meydav <arnon.meydav at lantiq.com>
diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index bedcc46..082310d 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1085,8 +1085,10 @@ int hostapd_init_wps(struct hostapd_data *hapd,
if (conf->rsn_pairwise & WPA_CIPHER_CCMP)
wps->encr_types |= WPS_ENCR_AES;
+#ifndef CONFIG_WPS2
if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
wps->encr_types |= WPS_ENCR_TKIP;
+#endif
}
#ifndef CONFIG_WPS2
if (conf->wpa & WPA_PROTO_WPA) {
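Review bot: Guarding only the `conf->rsn_pairwise & WPA_CIPHER_TKIP` test means a CONFIG_WPS2 build whose RSN pairwise setting contains TKIP but not CCMP leaves this block without setting any bit in `wps->encr_types`, and the hunk adds no handling for that case. Suggest checking for it explicitly and logging or refusing WPS init. The new `#endif` is also followed two lines later by another `#ifndef CONFIG_WPS2`, so a `/* CONFIG_WPS2 */` comment on each `#endif` and a one-line note on why TKIP is excluded would make the pairing easier to read.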
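The mixed-mode case described in the mail, as an added example that is not part of the original post or of hostapd's code: it contrasts the flattened auth/cipher masks with a per-protocol check. The struct names, helper functions and flag values are constructed stand-ins that only reuse the names seen in the patch, and PSK key management is assumed.

```c
#include <stdio.h>

/* Constructed stand-ins for the flags named in the patch (values illustrative). */
enum { WPA_PROTO_WPA = 1, WPA_PROTO_RSN = 2, WPA_CIPHER_TKIP = 8, WPA_CIPHER_CCMP = 16 };
enum { WPS_AUTH_WPAPSK = 0x02, WPS_AUTH_WPA2PSK = 0x20, WPS_ENCR_TKIP = 0x04, WPS_ENCR_AES = 0x08 };

struct ap_conf { int wpa, wpa_pairwise, rsn_pairwise; }; /* hypothetical config subset */
struct wps_types { int auth_types, encr_types; };

/* Constructed sample: mixed mode with WPA-TKIP and WPA2-AES, as in the mail. */
static const struct ap_conf MIXED = { WPA_PROTO_WPA | WPA_PROTO_RSN, WPA_CIPHER_TKIP, WPA_CIPHER_CCMP };

/* Flattened derivation described in the mail: one auth mask, one cipher mask. */
static struct wps_types flatten(const struct ap_conf *c)
{
    struct wps_types w = { 0, 0 };
    if (c->wpa & WPA_PROTO_RSN) {
        w.auth_types |= WPS_AUTH_WPA2PSK;
        if (c->rsn_pairwise & WPA_CIPHER_CCMP) w.encr_types |= WPS_ENCR_AES;
        if (c->rsn_pairwise & WPA_CIPHER_TKIP) w.encr_types |= WPS_ENCR_TKIP;
    }
    if (c->wpa & WPA_PROTO_WPA) {
        w.auth_types |= WPS_AUTH_WPAPSK;
        if (c->wpa_pairwise & WPA_CIPHER_CCMP) w.encr_types |= WPS_ENCR_AES;
        if (c->wpa_pairwise & WPA_CIPHER_TKIP) w.encr_types |= WPS_ENCR_TKIP;
    }
    return w;
}

/* What the two masks accept: any advertised auth type with any advertised cipher. */
static int mask_allows(struct wps_types w, int auth, int encr)
{
    return (w.auth_types & auth) && (w.encr_types & encr);
}

/* Per-protocol check: the cipher must be enabled for the protocol the auth type maps to. */
static int pair_configured(const struct ap_conf *c, int auth, int encr)
{
    int cipher = encr == WPS_ENCR_AES ? WPA_CIPHER_CCMP : encr == WPS_ENCR_TKIP ? WPA_CIPHER_TKIP : 0;
    if (auth == WPS_AUTH_WPA2PSK) return (c->wpa & WPA_PROTO_RSN) && (c->rsn_pairwise & cipher);
    if (auth == WPS_AUTH_WPAPSK) return (c->wpa & WPA_PROTO_WPA) && (c->wpa_pairwise & cipher);
    return 0;
}

int main(void)
{
    struct wps_types w = flatten(&MIXED);
    printf("WPA+AES: masks=%d configured=%d\n", mask_allows(w, WPS_AUTH_WPAPSK, WPS_ENCR_AES),
           pair_configured(&MIXED, WPS_AUTH_WPAPSK, WPS_ENCR_AES));
    return 0;
}
```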