WPS: Add a workaround for static WEP with Windows network probe

Windows XP and Vista clients can get confused about EAP-Identity/Request
when they probe the network with EAPOL-Start. In such a case, they may
assume the network is using IEEE 802.1X and prompt user for a
certificate while the correct (non-WPS) behavior would be to ask for the
static WEP key. As a workaround, use Microsoft Provisioning IE to
advertise that legacy 802.1X is not supported.

This seems to make Windows ask for a static WEP key when adding a new
network, but at least Windows XP SP3 was still marking IEEE 802.1X
enabled for the network. Anyway, this is better than just leaving the
network configured with IEEE 802.1X and automatic WEP key distribution.

diff --git a/hostapd/wps_hostapd.c b/hostapd/wps_hostapd.c
index 39f67ee28ca9cf4c0cd6d1ef2f1bb241e4553de8..1c2cffe30da87a6d8a3be3d37f6ff58c14ff3bac 100644 (file)
--- a/hostapd/wps_hostapd.c
+++ b/hostapd/wps_hostapd.c
@@ -627,6 +627,8 @@ int hostapd_init_wps(struct hostapd_data *hapd,
        cfg.extra_cred_len = conf->extra_cred_len;
        cfg.disable_auto_conf = (hapd->conf->wps_cred_processing == 1) &&
                conf->skip_cred_build;
+       if (conf->ssid.security_policy == SECURITY_STATIC_WEP)
+               cfg.static_wep_only = 1;
 
        wps->registrar = wps_registrar_init(wps, &cfg);
        if (wps->registrar == NULL) {

diff --git a/src/wps/wps.h b/src/wps/wps.h
index 70d8b0398db4dec4e38425105a0d10d59c36f652..1b3e7350d79daec7ae0b60cc40478cb1c76620a1 100644 (file)
--- a/src/wps/wps.h
+++ b/src/wps/wps.h
@@ -277,6 +277,11 @@ struct wps_registrar_config {
         * to be set with a suitable Credential and skip_cred_build being used.
         */
        int disable_auto_conf;
+
+       /**
+        * static_wep_only - Whether the BSS supports only static WEP
+        */
+       int static_wep_only;
 };
 
 

diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index dff635db572ec9e15f2906c325146715116f61ff..fba35e21dbb0a889e426dda6b76401b8cd786096 100644 (file)
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -99,6 +99,7 @@ struct wps_registrar {
        int disable_auto_conf;
        int sel_reg_dev_password_id_override;
        int sel_reg_config_methods_override;
+       int static_wep_only;
 };
 
 
@@ -377,6 +378,7 @@ wps_registrar_init(struct wps_context *wps,
        reg->disable_auto_conf = cfg->disable_auto_conf;
        reg->sel_reg_dev_password_id_override = -1;
        reg->sel_reg_config_methods_override = -1;
+       reg->static_wep_only = cfg->static_wep_only;
 
        if (wps_set_ie(reg)) {
                wps_registrar_deinit(reg);
@@ -778,6 +780,28 @@ static int wps_set_ie(struct wps_registrar *reg)
                return -1;
        }
 
+       if (reg->static_wep_only) {
+               /*
+                * Windows XP and Vista clients can get confused about
+                * EAP-Identity/Request when they probe the network with
+                * EAPOL-Start. In such a case, they may assume the network is
+                * using IEEE 802.1X and prompt user for a certificate while
+                * the correct (non-WPS) behavior would be to ask for the
+                * static WEP key. As a workaround, use Microsoft Provisioning
+                * IE to advertise that legacy 802.1X is not supported.
+                */
+               const u8 ms_wps[7] = {
+                       WLAN_EID_VENDOR_SPECIFIC, 5,
+                       /* Microsoft Provisioning IE (00:50:f2:5) */
+                       0x00, 0x50, 0xf2, 5,
+                       0x00 /* no legacy 802.1X or MS WPS */
+               };
+               wpa_printf(MSG_DEBUG, "WPS: Add Microsoft Provisioning IE "
+                          "into Beacon/Probe Response frames");
+               wpabuf_put_data(beacon, ms_wps, sizeof(ms_wps));
+               wpabuf_put_data(probe, ms_wps, sizeof(ms_wps));
+       }
+
        ret = wps_cb_set_ie(reg, beacon, probe);
        wpabuf_free(beacon);
        wpabuf_free(probe);