Change WEP network selection to reject WPA/WPA2 APs

Previously, wpa_supplicant behavior in WEP configuration was to try to
mimic a device that is not aware of WPA/WPA2 and as such, it tried to
connect to a WPA/WPA2 AP with the assumption that the AP could be
providing support for both WEP and WPA/WPA2 stations in the same BSS.
Such APs could have been used during transition from WEP to more secure
options, but that type of deployment have not been used in large number
and are not really of much use anymore taken into account that more or
less all new devices support WPA/WPA2. That combined with the preference
to deprecate WEP justifies removing this use case and making WEP
networking matching more strict by using the knowledge of AP advertising
WPA/WPA2 as an indication of WEP not being supported.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index bcfac21..3ecb0ce 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -334,10 +334,24 @@ int wpa_supplicant_scard_init(struct wpa_supplicant *wpa_s,
 
 
 #ifndef CONFIG_NO_SCAN_PROCESSING
+
+static int has_wep_key(struct wpa_ssid *ssid)
+{
+       int i;
+
+       for (i = 0; i < NUM_WEP_KEYS; i++) {
+               if (ssid->wep_key_len[i])
+                       return 1;
+       }
+
+       return 0;
+}
+
+
 static int wpa_supplicant_match_privacy(struct wpa_bss *bss,
                                        struct wpa_ssid *ssid)
 {
-       int i, privacy = 0;
+       int privacy = 0;
 
        if (ssid->mixed_cell)
                return 1;
@@ -347,12 +361,9 @@ static int wpa_supplicant_match_privacy(struct wpa_bss *bss,
                return 1;
 #endif /* CONFIG_WPS */
 
-       for (i = 0; i < NUM_WEP_KEYS; i++) {
-               if (ssid->wep_key_len[i]) {
-                       privacy = 1;
-                       break;
-               }
-       }
+       if (has_wep_key(ssid))
+               privacy = 1;
+
 #ifdef IEEE8021X_EAPOL
        if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
            ssid->eapol_flags & (EAPOL_FLAG_REQUIRE_KEY_UNICAST |
@@ -818,6 +829,12 @@ static struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
                        continue;
                }
 
+               if (wpa && !wpa_key_mgmt_wpa(ssid->key_mgmt) &&
+                   has_wep_key(ssid)) {
+                       wpa_dbg(wpa_s, MSG_DEBUG, "   skip - ignore WPA/WPA2 AP for WEP network block");
+                       continue;
+               }
+
                if (!wpa_supplicant_match_privacy(bss, ssid)) {
                        wpa_dbg(wpa_s, MSG_DEBUG, "   skip - privacy "
                                "mismatch");