DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Ignore Michael MIC failure reports if cipher is not TKIP

Browse source 
Some stations have been reported to send EAPOL-Key Error Reports
indicating Michael MIC failures even when the cipher is not TKIP
(e.g., when the network is using only CCMP). Ignore such reports
to avoid starting TKIP countermeasures unnecessarily. This can
prevent certaint types of denial of service attacks by insiders,
but mostly this is to work around invalid station implementations.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2011-10-30 12:49:26 +02:00
parent ec02780529
commit fbc72d32c6
1 changed files with 14 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
src/ap/wpa_auth.c
View file

@ -718,9 +718,20 @@ static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
"received EAPOL-Key Error Request " "received EAPOL-Key Error Request "
"(STA detected Michael MIC failure (group=%d))", "(STA detected Michael MIC failure (group=%d))",
group); group);
wpa_auth_mic_failure_report(wpa_auth, sm->addr);
sm->dot11RSNAStatsTKIPRemoteMICFailures++; if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
"ignore Michael MIC failure report since "
"group cipher is not TKIP");
} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
"ignore Michael MIC failure report since "
"pairwise cipher is not TKIP");
} else {
wpa_auth_mic_failure_report(wpa_auth, sm->addr);
sm->dot11RSNAStatsTKIPRemoteMICFailures++;
wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
}
/* /*
* Error report is not a request for a new key handshake, but since * Error report is not a request for a new key handshake, but since