WPS 2.0: Prevent setting WPA in WPS 2.0 configuration

Message ID 10D0CC65D322B8498995F168AE8D89DAFCB00A22@MUCSE039.lantiq.com
State Rejected

Commit Message

Arnon.Meydav@lantiq.com Feb. 27, 2014, 3:13 p.m. UTC
Commit log:
WPS 2.0: Prevent setting WPA in WPS 2.0 configuration, so that legacy WPS 1 STAs can't cause the WPS session to negotiate an illegal WPA-AES configuration.

Signed-off-by: Arnon Meydav <arnon.meydav@lantiq.com>

Patch

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 3a40125..bedcc46 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1088,7 +1088,7 @@  int hostapd_init_wps(struct hostapd_data *hapd,
                if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
                        wps->encr_types |= WPS_ENCR_TKIP;
        }
-
+#ifndef CONFIG_WPS2
        if (conf->wpa & WPA_PROTO_WPA) {
                if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
                        wps->auth_types |= WPS_AUTH_WPAPSK;
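
Review bot: The `#ifndef CONFIG_WPS2` placed ahead of `if (conf->wpa & WPA_PROTO_WPA)` has no fallback for a WPA-only AP: in a CONFIG_WPS2 build that configuration never reaches `wps->auth_types |= WPS_AUTH_WPAPSK;`, and nothing in the lines shown sets another PSK auth type or reports the condition. Consider rejecting or logging that configuration explicitly in hostapd_init_wps() instead of silently advertising nothing. The `conf->rsn_pairwise & WPA_CIPHER_TKIP` context just above also stays outside the guard, so WPS_ENCR_TKIP can still be set. A short comment above the directive saying why WPA is compiled out would help the next reader.
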
@@ -1100,7 +1100,7 @@  int hostapd_init_wps(struct hostapd_data *hapd,
                if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
                        wps->encr_types |= WPS_ENCR_TKIP;
        }
-
+#endif
        if (conf->ssid.security_policy == SECURITY_PLAINTEXT) {
                wps->encr_types |= WPS_ENCR_NONE;
                wps->auth_types |= WPS_AUTH_OPEN;
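
Review bot: The `#endif` that closes the guard before the `SECURITY_PLAINTEXT` check carries no `/* CONFIG_WPS2 */` marker and replaces the blank line that separated the two blocks, so the extent of the conditional is hard to see now that it spans two hunks. Suggest `#endif /* CONFIG_WPS2 */` and keeping a blank line on each side of both directives.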



Details:
We found a legacy retail USB stick (supporting WPS 1), which causes hostapd to select an illegal configuration when running a WPS 2.0 session: 
It finishes the WPS session successfully, but selects WPA + AES, instead of WPA2 + AES.
This is in spite of the fact that the AP was configured to support mixed mode: WPA-TKIP and WPA2-AES.
The STA eventually doesn't connect, but due to the STA rejecting the session, not the AP. 
The AP should not allow selecting this security combination when configured for WPS 2.0.

We found that hostapd doesn't handle the WPS config with the same level of detail as the WPA config.
i.e. if you are configured for wpa_pairwise=TKIP and rsn_pairwise=AES, in WPS config both TKIP and AES will be set, with no regard to which cipher should work with WPA, and which with RSN.
In addition, in WPS 2.0, WPA is not a valid authentication type, no matter what cipher is used, but it could be selected in the WPS config.

We prevented this case by ignoring the WPA configuration (and therefore auth_types will not allow WPA) if WPS 2.0 is defined.


Final note:
While writing this email, I think I found that my patch above is incomplete.
We should also prevent the setting of TKIP even if it is defined in rsn_pairwise.
This second patch was not tested by me, so I am not combining it with the previous one.
I would be happy for a review/opinion.

Signed-off-by: Arnon Meydav <arnon.meydav@lantiq.com>

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index bedcc46..082310d 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1085,8 +1085,10 @@  int hostapd_init_wps(struct hostapd_data *hapd,

                if (conf->rsn_pairwise & WPA_CIPHER_CCMP)
                        wps->encr_types |= WPS_ENCR_AES;
+#ifndef CONFIG_WPS2
                if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
                        wps->encr_types |= WPS_ENCR_TKIP;
+#endif
        }
 #ifndef CONFIG_WPS2
        if (conf->wpa & WPA_PROTO_WPA) {
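
Review bot: The new guard around `if (conf->rsn_pairwise & WPA_CIPHER_TKIP)` leaves a gap when rsn_pairwise holds TKIP but not CCMP: in a CONFIG_WPS2 build neither `WPS_ENCR_AES` nor `WPS_ENCR_TKIP` is then set in the lines shown, so encr_types can end up with no cipher while the surrounding block has already run. Please handle that case explicitly (for example, refuse to enable WPS with a logged reason) and test it before merging, since the message states this hunk is untested. The inner `#endif` and the following `#ifndef CONFIG_WPS2` would also read better with `/* CONFIG_WPS2 */` markers, as they now sit two lines apart.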