mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-18 02:44:03 -05:00
Remove WEP40/WEP104 cipher suite support for WPA/WPA2
As far as the IEEE 802.11 standard is concerned, WEP is deprecated but, at least in theory, still allowed as a group cipher. This option is unlikely to be deployed anywhere, so to clean up the implementation we might as well remove all support for this combination. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
664093b55b
commit
ce8963fc9f
@ -432,14 +432,10 @@ static int rsn_selector_to_bitfield(const u8 *s)
|
|||||||
{
|
{
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
|
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
|
||||||
return WPA_CIPHER_NONE;
|
return WPA_CIPHER_NONE;
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP40)
|
|
||||||
return WPA_CIPHER_WEP40;
|
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
|
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
|
||||||
return WPA_CIPHER_TKIP;
|
return WPA_CIPHER_TKIP;
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
|
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
|
||||||
return WPA_CIPHER_CCMP;
|
return WPA_CIPHER_CCMP;
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP104)
|
|
||||||
return WPA_CIPHER_WEP104;
|
|
||||||
#ifdef CONFIG_IEEE80211W
|
#ifdef CONFIG_IEEE80211W
|
||||||
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
|
if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
|
||||||
return WPA_CIPHER_AES_128_CMAC;
|
return WPA_CIPHER_AES_128_CMAC;
|
||||||
@ -499,8 +495,6 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
|
|||||||
static int wpa_cipher_valid_group(int cipher)
|
static int wpa_cipher_valid_group(int cipher)
|
||||||
{
|
{
|
||||||
return wpa_cipher_valid_pairwise(cipher) ||
|
return wpa_cipher_valid_pairwise(cipher) ||
|
||||||
cipher == WPA_CIPHER_WEP104 ||
|
|
||||||
cipher == WPA_CIPHER_WEP40 ||
|
|
||||||
cipher == WPA_CIPHER_GTK_NOT_USED;
|
cipher == WPA_CIPHER_GTK_NOT_USED;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -695,14 +689,10 @@ static int wpa_selector_to_bitfield(const u8 *s)
|
|||||||
{
|
{
|
||||||
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
|
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
|
||||||
return WPA_CIPHER_NONE;
|
return WPA_CIPHER_NONE;
|
||||||
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP40)
|
|
||||||
return WPA_CIPHER_WEP40;
|
|
||||||
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
|
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
|
||||||
return WPA_CIPHER_TKIP;
|
return WPA_CIPHER_TKIP;
|
||||||
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
|
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
|
||||||
return WPA_CIPHER_CCMP;
|
return WPA_CIPHER_CCMP;
|
||||||
if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP104)
|
|
||||||
return WPA_CIPHER_WEP104;
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1363,10 +1353,6 @@ int wpa_cipher_key_len(int cipher)
|
|||||||
return 16;
|
return 16;
|
||||||
case WPA_CIPHER_TKIP:
|
case WPA_CIPHER_TKIP:
|
||||||
return 32;
|
return 32;
|
||||||
case WPA_CIPHER_WEP104:
|
|
||||||
return 13;
|
|
||||||
case WPA_CIPHER_WEP40:
|
|
||||||
return 5;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -1382,9 +1368,6 @@ int wpa_cipher_rsc_len(int cipher)
|
|||||||
case WPA_CIPHER_GCMP:
|
case WPA_CIPHER_GCMP:
|
||||||
case WPA_CIPHER_TKIP:
|
case WPA_CIPHER_TKIP:
|
||||||
return 6;
|
return 6;
|
||||||
case WPA_CIPHER_WEP104:
|
|
||||||
case WPA_CIPHER_WEP40:
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -1404,9 +1387,6 @@ int wpa_cipher_to_alg(int cipher)
|
|||||||
return WPA_ALG_GCMP;
|
return WPA_ALG_GCMP;
|
||||||
case WPA_CIPHER_TKIP:
|
case WPA_CIPHER_TKIP:
|
||||||
return WPA_ALG_TKIP;
|
return WPA_ALG_TKIP;
|
||||||
case WPA_CIPHER_WEP104:
|
|
||||||
case WPA_CIPHER_WEP40:
|
|
||||||
return WPA_ALG_WEP;
|
|
||||||
case WPA_CIPHER_AES_128_CMAC:
|
case WPA_CIPHER_AES_128_CMAC:
|
||||||
return WPA_ALG_IGTK;
|
return WPA_ALG_IGTK;
|
||||||
case WPA_CIPHER_BIP_GMAC_128:
|
case WPA_CIPHER_BIP_GMAC_128:
|
||||||
@ -1444,12 +1424,6 @@ u32 wpa_cipher_to_suite(int proto, int cipher)
|
|||||||
if (cipher & WPA_CIPHER_TKIP)
|
if (cipher & WPA_CIPHER_TKIP)
|
||||||
return (proto == WPA_PROTO_RSN ?
|
return (proto == WPA_PROTO_RSN ?
|
||||||
RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
|
RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
|
||||||
if (cipher & WPA_CIPHER_WEP104)
|
|
||||||
return (proto == WPA_PROTO_RSN ?
|
|
||||||
RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
|
|
||||||
if (cipher & WPA_CIPHER_WEP40)
|
|
||||||
return (proto == WPA_PROTO_RSN ?
|
|
||||||
RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
|
|
||||||
if (cipher & WPA_CIPHER_NONE)
|
if (cipher & WPA_CIPHER_NONE)
|
||||||
return (proto == WPA_PROTO_RSN ?
|
return (proto == WPA_PROTO_RSN ?
|
||||||
RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
|
RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
|
||||||
@ -1553,10 +1527,6 @@ int wpa_pick_group_cipher(int ciphers)
|
|||||||
return WPA_CIPHER_GTK_NOT_USED;
|
return WPA_CIPHER_GTK_NOT_USED;
|
||||||
if (ciphers & WPA_CIPHER_TKIP)
|
if (ciphers & WPA_CIPHER_TKIP)
|
||||||
return WPA_CIPHER_TKIP;
|
return WPA_CIPHER_TKIP;
|
||||||
if (ciphers & WPA_CIPHER_WEP104)
|
|
||||||
return WPA_CIPHER_WEP104;
|
|
||||||
if (ciphers & WPA_CIPHER_WEP40)
|
|
||||||
return WPA_CIPHER_WEP40;
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1654,20 +1624,6 @@ int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
|
|||||||
return -1;
|
return -1;
|
||||||
pos += ret;
|
pos += ret;
|
||||||
}
|
}
|
||||||
if (ciphers & WPA_CIPHER_WEP104) {
|
|
||||||
ret = os_snprintf(pos, end - pos, "%sWEP104",
|
|
||||||
pos == start ? "" : delim);
|
|
||||||
if (os_snprintf_error(end - pos, ret))
|
|
||||||
return -1;
|
|
||||||
pos += ret;
|
|
||||||
}
|
|
||||||
if (ciphers & WPA_CIPHER_WEP40) {
|
|
||||||
ret = os_snprintf(pos, end - pos, "%sWEP40",
|
|
||||||
pos == start ? "" : delim);
|
|
||||||
if (os_snprintf_error(end - pos, ret))
|
|
||||||
return -1;
|
|
||||||
pos += ret;
|
|
||||||
}
|
|
||||||
if (ciphers & WPA_CIPHER_NONE) {
|
if (ciphers & WPA_CIPHER_NONE) {
|
||||||
ret = os_snprintf(pos, end - pos, "%sNONE",
|
ret = os_snprintf(pos, end - pos, "%sNONE",
|
||||||
pos == start ? "" : delim);
|
pos == start ? "" : delim);
|
||||||
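Review bot: In rsn_selector_to_bitfield() and wpa_selector_to_bitfield(), a WEP-40/WEP-104 selector received in an IE now falls through to the generic result (`return 0;` is visible at the end of wpa_selector_to_bitfield()), so it looks the same as an unknown selector and nothing at the mapping site says this is deliberate. A one-line comment above each function would record the intent, e.g. `/* WEP-40/WEP-104 selectors are intentionally unmapped: WEP is not accepted as a WPA/WPA2 cipher */`. The WPA_CIPHER_WEP40/WPA_CIPHER_WEP104 bits stay defined, and wpa_cipher_key_len() now reaches its final `return 0;` for them, so callers outside these hunks should treat a zero key length as an error rather than go on to install a key. Most of these functions start or end outside the visible hunks, so the caller-side handling could not be checked here.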
|
@ -22,8 +22,8 @@
|
|||||||
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
|
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
|
||||||
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
|
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
|
||||||
#define WPA_ALLOWED_GROUP_CIPHERS \
|
#define WPA_ALLOWED_GROUP_CIPHERS \
|
||||||
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_WEP104 | \
|
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | \
|
||||||
WPA_CIPHER_WEP40 | WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
|
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
|
||||||
WPA_CIPHER_GTK_NOT_USED)
|
WPA_CIPHER_GTK_NOT_USED)
|
||||||
|
|
||||||
#define WPA_SELECTOR_LEN 4
|
#define WPA_SELECTOR_LEN 4
|
||||||
@ -40,13 +40,8 @@ WPA_CIPHER_GTK_NOT_USED)
|
|||||||
#define WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
|
#define WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
|
||||||
#define WPA_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0)
|
#define WPA_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0)
|
||||||
#define WPA_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x50, 0xf2, 0)
|
#define WPA_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x50, 0xf2, 0)
|
||||||
#define WPA_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x50, 0xf2, 1)
|
|
||||||
#define WPA_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
|
#define WPA_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x50, 0xf2, 2)
|
||||||
#if 0
|
|
||||||
#define WPA_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x50, 0xf2, 3)
|
|
||||||
#endif
|
|
||||||
#define WPA_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x50, 0xf2, 4)
|
#define WPA_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x50, 0xf2, 4)
|
||||||
#define WPA_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x50, 0xf2, 5)
|
|
||||||
|
|
||||||
|
|
||||||
#define RSN_AUTH_KEY_MGMT_UNSPEC_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
|
#define RSN_AUTH_KEY_MGMT_UNSPEC_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
|
||||||
@ -68,13 +63,11 @@ RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
|
|||||||
#define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)
|
#define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)
|
||||||
|
|
||||||
#define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
|
#define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
|
||||||
#define RSN_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
|
|
||||||
#define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
|
#define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
|
||||||
#if 0
|
#if 0
|
||||||
#define RSN_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
|
#define RSN_CIPHER_SUITE_WRAP RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
|
||||||
#endif
|
#endif
|
||||||
#define RSN_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
|
#define RSN_CIPHER_SUITE_CCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
|
||||||
#define RSN_CIPHER_SUITE_WEP104 RSN_SELECTOR(0x00, 0x0f, 0xac, 5)
|
|
||||||
#define RSN_CIPHER_SUITE_AES_128_CMAC RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
|
#define RSN_CIPHER_SUITE_AES_128_CMAC RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
|
||||||
#define RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED RSN_SELECTOR(0x00, 0x0f, 0xac, 7)
|
#define RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED RSN_SELECTOR(0x00, 0x0f, 0xac, 7)
|
||||||
#define RSN_CIPHER_SUITE_GCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 8)
|
#define RSN_CIPHER_SUITE_GCMP RSN_SELECTOR(0x00, 0x0f, 0xac, 8)
|
||||||
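Review bot: The two selector tables are cleaned up inconsistently: the dead `#if 0` block around `WPA_CIPHER_SUITE_WRAP` is dropped together with the WEP defines, while the equivalent `#if 0` block around `RSN_CIPHER_SUITE_WRAP` is kept. Either remove both or keep both so the WPA and RSN lists stay parallel. Suite types 1 and 5 are now silent gaps in both lists; a comment such as `/* suite types 1 and 5 (WEP-40/WEP-104) intentionally not defined */` would stop a later change from reusing those values by mistake.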
|
@ -967,6 +967,13 @@ static int wpa_config_parse_group(const struct parse_data *data,
|
|||||||
val = wpa_config_parse_cipher(line, value);
|
val = wpa_config_parse_cipher(line, value);
|
||||||
if (val == -1)
|
if (val == -1)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Backwards compatibility - filter out WEP ciphers that were previously
|
||||||
|
* allowed.
|
||||||
|
*/
|
||||||
|
val &= ~(WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40);
|
||||||
|
|
||||||
if (val & ~WPA_ALLOWED_GROUP_CIPHERS) {
|
if (val & ~WPA_ALLOWED_GROUP_CIPHERS) {
|
||||||
wpa_printf(MSG_ERROR, "Line %d: not allowed group cipher "
|
wpa_printf(MSG_ERROR, "Line %d: not allowed group cipher "
|
||||||
"(0x%x).", line, val);
|
"(0x%x).", line, val);
|
||||||
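Review bot: The new mask in wpa_config_parse_group() strips WPA_CIPHER_WEP104/WPA_CIPHER_WEP40 without logging anything, and a `group=` line that listed only WEP ciphers leaves `val == 0`, which passes the `val & ~WPA_ALLOWED_GROUP_CIPHERS` check that follows. An operator whose old configuration relied on WEP as the group cipher then gets a network block with no usable group cipher and no hint why. Consider logging when WEP bits are dropped and rejecting an empty result, as sketched below. The rest of the function is outside the hunk, so how a zero value is handled afterwards could not be checked here.

```c
val = wpa_config_parse_cipher(line, value);
/* … unchanged: val == -1 check … */

/* Backwards compatibility: drop WEP ciphers that were previously allowed. */
if (val & (WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)) {
	wpa_printf(MSG_INFO, "Line %d: ignoring WEP group cipher(s); "
		   "WEP is no longer supported with WPA/WPA2", line);
	val &= ~(WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40);
}
if (val == 0) {
	wpa_printf(MSG_ERROR, "Line %d: no group cipher left after "
		   "removing WEP.", line);
	return -1;
}
/* … unchanged: WPA_ALLOWED_GROUP_CIPHERS check … */
```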
|
@ -20,8 +20,7 @@
|
|||||||
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
|
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
|
||||||
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
|
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
|
||||||
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
|
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
|
||||||
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
|
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
|
||||||
WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
|
|
||||||
#define DEFAULT_FRAGMENT_SIZE 1398
|
#define DEFAULT_FRAGMENT_SIZE 1398
|
||||||
|
|
||||||
#define DEFAULT_BG_SCAN_PERIOD -1
|
#define DEFAULT_BG_SCAN_PERIOD -1
|
||||||
|