correct group cipher setting

Jouni Malinen j
Mon Jan 12 09:26:51 PST 2009

On Mon, Jan 12, 2009 at 06:23:00PM +0200, Chuck Tuffli wrote:

> What is the correct value for group cipher (i.e. ssid->group_cipher) in the case of an open network (no encryption)? I naively assumed it should be WPA_CIPHER_NONE, but if it is, the saved configuration file causes an error:

In theory, WPA_CIPHER_NONE would indeed be the correct value. However,
the 'group' parameter from configuration is not really used if WPA/WPA2
is not in use and the default value (WEP40|WEP104|TKIP|CCMP) is normally
left as the ssid->group_cipher in that case.

> 	group=NONE

> 1064.264451: Line 9: not allowed group cipher (0x1).
> 1064.266121: Line 9: failed to parse group 'NONE'.
> Should wpa_config_parse_group() allow WPA_CIPHER_NONE as a valid group cipher or does this open an exploit? Note this is running 0.5.10 with my WPS patch, but the logic looks the same as 0.6.x.

I think the easiest workaround for that would be to just leave the group
cipher at its default value from wpa_config_set_network_defaults() when
not using WPA/WPA2. wpa_supplicant will internally end up converting
this to WPA_CIPHER_NONE when requesting association.

In theory, the strict requirement of unconditionally not allowing
WPA_CIPHER_NONE is not correct. However, allowing NONE as the cipher
would (likely) break WPA/WPA2 validation. It could potentially be moved
from wpa_config_parse_group() into a check that is done after all
network block variables have been set. However, there is not such place
in the current code and doing this would be complicated at best when
allowing dynamic configuration changes over control interfaces..

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list