Ignore Michael MIC failure reports if cipher is not TKIP
Some stations have been reported to send EAPOL-Key Error Reports indicating Michael MIC failures even when the cipher is not TKIP (e.g., when the network is using only CCMP). Ignore such reports to avoid starting TKIP countermeasures unnecessarily. This can prevent certaint types of denial of service attacks by insiders, but mostly this is to work around invalid station implementations. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
ec02780529
commit
fbc72d32c6
1 changed files with 14 additions and 3 deletions
|
@ -718,9 +718,20 @@ static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
|
||||||
"received EAPOL-Key Error Request "
|
"received EAPOL-Key Error Request "
|
||||||
"(STA detected Michael MIC failure (group=%d))",
|
"(STA detected Michael MIC failure (group=%d))",
|
||||||
group);
|
group);
|
||||||
|
|
||||||
|
if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
|
||||||
|
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
|
||||||
|
"ignore Michael MIC failure report since "
|
||||||
|
"group cipher is not TKIP");
|
||||||
|
} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
|
||||||
|
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
|
||||||
|
"ignore Michael MIC failure report since "
|
||||||
|
"pairwise cipher is not TKIP");
|
||||||
|
} else {
|
||||||
wpa_auth_mic_failure_report(wpa_auth, sm->addr);
|
wpa_auth_mic_failure_report(wpa_auth, sm->addr);
|
||||||
sm->dot11RSNAStatsTKIPRemoteMICFailures++;
|
sm->dot11RSNAStatsTKIPRemoteMICFailures++;
|
||||||
wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
|
wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Error report is not a request for a new key handshake, but since
|
* Error report is not a request for a new key handshake, but since
|
||||||
|
|
Loading…
Reference in a new issue