aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2014-11-14 18:57:05 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-14 19:01:13 (GMT)
commit9f6a7cddc42811883d6035032854089475f2fc65 (patch)
tree566b9396a92d050501979702e9a62c326b05bbb8
parent9128f520c3bafa22d38ed775ea90ce0575ccc40f (diff)
downloadhostap-9f6a7cddc42811883d6035032854089475f2fc65.zip
hostap-9f6a7cddc42811883d6035032854089475f2fc65.tar.gz
hostap-9f6a7cddc42811883d6035032854089475f2fc65.tar.bz2
Work around AP misbehavior on EAPOL-Key descriptor version
It looks like some APs are incorrectly selecting descriptor version 3 (AES-128-CMAC) for EAPOL-Key frames when version 2 (HMAC-SHA1) was expected to be used. This is likely triggered by an attempt to negotiate PMF with SHA1-based AKM. Since AES-128-CMAC is considered stronger than HMAC-SHA1, allow the incorrect, but stronger, option to be used in these cases to avoid interoperability issues with deployed APs. This issue shows up with "WPA: CCMP is used, but EAPOL-Key descriptor version (3) is not 2" in debug log. With the new workaround, this issue is ignored and "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used" is written to the log. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-rw-r--r--src/rsn_supp/wpa.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index d95c1bd..f8825d2 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1756,6 +1756,9 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Backwards compatibility: allow invalid "
"version for non-CCMP group keys");
+ } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+ "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
} else
goto out;
} else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&