Remove WEP40/WEP104 cipher suite support for WPA/WPA2

As far as IEEE 802.11 standard is concerned, WEP is deprecated, but at
least in theory, allowed as a group cipher. This option is unlikely to
be deployed anywhere and to clean up the implementation, we might as
well remove all support for this combination.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index a0747b4..2bac377 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -432,14 +432,10 @@ static int rsn_selector_to_bitfield(const u8 *s)
 {
        if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
                return WPA_CIPHER_NONE;
-       if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP40)
-               return WPA_CIPHER_WEP40;
        if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
                return WPA_CIPHER_TKIP;
        if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
                return WPA_CIPHER_CCMP;
-       if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP104)
-               return WPA_CIPHER_WEP104;
 #ifdef CONFIG_IEEE80211W
        if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
                return WPA_CIPHER_AES_128_CMAC;
@@ -499,8 +495,6 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
 static int wpa_cipher_valid_group(int cipher)
 {
        return wpa_cipher_valid_pairwise(cipher) ||
-               cipher == WPA_CIPHER_WEP104 ||
-               cipher == WPA_CIPHER_WEP40 ||
                cipher == WPA_CIPHER_GTK_NOT_USED;
 }
 
@@ -695,14 +689,10 @@ static int wpa_selector_to_bitfield(const u8 *s)
 {
        if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
                return WPA_CIPHER_NONE;
-       if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP40)
-               return WPA_CIPHER_WEP40;
        if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
                return WPA_CIPHER_TKIP;
        if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
                return WPA_CIPHER_CCMP;
-       if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP104)
-               return WPA_CIPHER_WEP104;
        return 0;
 }
 
@@ -1363,10 +1353,6 @@ int wpa_cipher_key_len(int cipher)
                return 16;
        case WPA_CIPHER_TKIP:
                return 32;
-       case WPA_CIPHER_WEP104:
-               return 13;
-       case WPA_CIPHER_WEP40:
-               return 5;
        }
 
        return 0;
@@ -1382,9 +1368,6 @@ int wpa_cipher_rsc_len(int cipher)
        case WPA_CIPHER_GCMP:
        case WPA_CIPHER_TKIP:
                return 6;
-       case WPA_CIPHER_WEP104:
-       case WPA_CIPHER_WEP40:
-               return 0;
        }
 
        return 0;
@@ -1404,9 +1387,6 @@ int wpa_cipher_to_alg(int cipher)
                return WPA_ALG_GCMP;
        case WPA_CIPHER_TKIP:
                return WPA_ALG_TKIP;
-       case WPA_CIPHER_WEP104:
-       case WPA_CIPHER_WEP40:
-               return WPA_ALG_WEP;
        case WPA_CIPHER_AES_128_CMAC:
                return WPA_ALG_IGTK;
        case WPA_CIPHER_BIP_GMAC_128:
@@ -1444,12 +1424,6 @@ u32 wpa_cipher_to_suite(int proto, int cipher)
        if (cipher & WPA_CIPHER_TKIP)
                return (proto == WPA_PROTO_RSN ?
                        RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
-       if (cipher & WPA_CIPHER_WEP104)
-               return (proto == WPA_PROTO_RSN ?
-                       RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
-       if (cipher & WPA_CIPHER_WEP40)
-               return (proto == WPA_PROTO_RSN ?
-                       RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
        if (cipher & WPA_CIPHER_NONE)
                return (proto == WPA_PROTO_RSN ?
                        RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
@@ -1553,10 +1527,6 @@ int wpa_pick_group_cipher(int ciphers)
                return WPA_CIPHER_GTK_NOT_USED;
        if (ciphers & WPA_CIPHER_TKIP)
                return WPA_CIPHER_TKIP;
-       if (ciphers & WPA_CIPHER_WEP104)
-               return WPA_CIPHER_WEP104;
-       if (ciphers & WPA_CIPHER_WEP40)
-               return WPA_CIPHER_WEP40;
        return -1;
 }
 
@@ -1654,20 +1624,6 @@ int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
                        return -1;
                pos += ret;
        }
-       if (ciphers & WPA_CIPHER_WEP104) {
-               ret = os_snprintf(pos, end - pos, "%sWEP104",
-                                 pos == start ? "" : delim);
-               if (os_snprintf_error(end - pos, ret))
-                       return -1;
-               pos += ret;
-       }
-       if (ciphers & WPA_CIPHER_WEP40) {
-               ret = os_snprintf(pos, end - pos, "%sWEP40",
-                                 pos == start ? "" : delim);
-               if (os_snprintf_error(end - pos, ret))
-                       return -1;
-               pos += ret;
-       }
        if (ciphers & WPA_CIPHER_NONE) {
                ret = os_snprintf(pos, end - pos, "%sNONE",
                                  pos == start ? "" : delim);

diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index 29c3503..d7a590f 100644 (file)
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -22,8 +22,8 @@
 (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
 WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
 #define WPA_ALLOWED_GROUP_CIPHERS \
-(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_WEP104 | \
-WPA_CIPHER_WEP40 | WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
+(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | \
+WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
 WPA_CIPHER_GTK_NOT_USED)
 
 #define WPA_SELECTOR_LEN 4
@@ -40,13 +40,8 @@ WPA_CIPHER_GTK_NOT_USED)
 #define WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
 #define WPA_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0)
 #define WPA_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x50, 0xf2, 0)
-#define WPA_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x50, 0xf2, 1)
 #define WPA_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
-#if 0
-#define WPA_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x50, 0xf2, 3)
-#endif
 #define WPA_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x50, 0xf2, 4)
-#define WPA_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x50, 0xf2, 5)
 
 
 #define RSN_AUTH_KEY_MGMT_UNSPEC_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
@@ -68,13 +63,11 @@ RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
 #define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)
 
 #define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
-#define RSN_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
 #define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
 #if 0
 #define RSN_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
 #endif
 #define RSN_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
-#define RSN_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x0f, 0xac, 5)
 #define RSN_CIPHER_SUITE_AES_128_CMAC RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
 #define RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED RSN_SELECTOR(0x00, 0x0f, 0xac, 7)
 #define RSN_CIPHER_SUITE_GCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 8)

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 239c3e8..4d801cc 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -967,6 +967,13 @@ static int wpa_config_parse_group(const struct parse_data *data,
        val = wpa_config_parse_cipher(line, value);
        if (val == -1)
                return -1;
+
+       /*
+        * Backwards compatibility - filter out WEP ciphers that were previously
+        * allowed.
+        */
+       val &= ~(WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40);
+
        if (val & ~WPA_ALLOWED_GROUP_CIPHERS) {
                wpa_printf(MSG_ERROR, "Line %d: not allowed group cipher "
                           "(0x%x).", line, val);

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index dbb5a47..1c63e51 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -20,8 +20,7 @@
 #define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
 #define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
 #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
-#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
-                      WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
+#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
 #define DEFAULT_FRAGMENT_SIZE 1398
 
 #define DEFAULT_BG_SCAN_PERIOD -1