WPS: Add a workaround for static WEP with Windows network probe

Windows XP and Vista clients can get confused about EAP-Identity/Request
when they probe the network with EAPOL-Start. In such a case, they may
assume the network is using IEEE 802.1X and prompt user for a
certificate while the correct (non-WPS) behavior would be to ask for the
static WEP key. As a workaround, use Microsoft Provisioning IE to
advertise that legacy 802.1X is not supported.

This seems to make Windows ask for a static WEP key when adding a new
network, but at least Windows XP SP3 was still marking IEEE 802.1X
enabled for the network. Anyway, this is better than just leaving the
network configured with IEEE 802.1X and automatic WEP key distribution.

diff --git a/hostapd/wps_hostapd.c b/hostapd/wps_hostapd.c
index 39f67ee..1c2cffe 100644 (file)
--- a/hostapd/wps_hostapd.c
+++ b/hostapd/wps_hostapd.c
@@ -627,6 +627,8 @@ int hostapd_init_wps(struct hostapd_data *hapd,
        cfg.extra_cred_len = conf->extra_cred_len;
        cfg.disable_auto_conf = (hapd->conf->wps_cred_processing == 1) &&
                conf->skip_cred_build;
+       if (conf->ssid.security_policy == SECURITY_STATIC_WEP)
+               cfg.static_wep_only = 1;
 
        wps->registrar = wps_registrar_init(wps, &cfg);
        if (wps->registrar == NULL) {

diff --git a/src/wps/wps.h b/src/wps/wps.h
index 70d8b03..1b3e735 100644 (file)
--- a/src/wps/wps.h
+++ b/src/wps/wps.h
@@ -277,6 +277,11 @@ struct wps_registrar_config {
         * to be set with a suitable Credential and skip_cred_build being used.
         */
        int disable_auto_conf;
+
+       /**
+        * static_wep_only - Whether the BSS supports only static WEP
+        */
+       int static_wep_only;
 };
 
 

diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index dff635d..fba35e2 100644 (file)
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -99,6 +99,7 @@ struct wps_registrar {
        int disable_auto_conf;
        int sel_reg_dev_password_id_override;
        int sel_reg_config_methods_override;
+       int static_wep_only;
 };
 
 
@@ -377,6 +378,7 @@ wps_registrar_init(struct wps_context *wps,
        reg->disable_auto_conf = cfg->disable_auto_conf;
        reg->sel_reg_dev_password_id_override = -1;
        reg->sel_reg_config_methods_override = -1;
+       reg->static_wep_only = cfg->static_wep_only;
 
        if (wps_set_ie(reg)) {
                wps_registrar_deinit(reg);
@@ -778,6 +780,28 @@ static int wps_set_ie(struct wps_registrar *reg)
                return -1;
        }
 
+       if (reg->static_wep_only) {
+               /*
+                * Windows XP and Vista clients can get confused about
+                * EAP-Identity/Request when they probe the network with
+                * EAPOL-Start. In such a case, they may assume the network is
+                * using IEEE 802.1X and prompt user for a certificate while
+                * the correct (non-WPS) behavior would be to ask for the
+                * static WEP key. As a workaround, use Microsoft Provisioning
+                * IE to advertise that legacy 802.1X is not supported.
+                */
+               const u8 ms_wps[7] = {
+                       WLAN_EID_VENDOR_SPECIFIC, 5,
+                       /* Microsoft Provisioning IE (00:50:f2:5) */
+                       0x00, 0x50, 0xf2, 5,
+                       0x00 /* no legacy 802.1X or MS WPS */
+               };
+               wpa_printf(MSG_DEBUG, "WPS: Add Microsoft Provisioning IE "
+                          "into Beacon/Probe Response frames");
+               wpabuf_put_data(beacon, ms_wps, sizeof(ms_wps));
+               wpabuf_put_data(probe, ms_wps, sizeof(ms_wps));
+       }
+
        ret = wps_cb_set_ie(reg, beacon, probe);
        wpabuf_free(beacon);
        wpabuf_free(probe);