[patch] wpa: ignore Michael MIC failure reports in CCMP-only mode

Jouni Malinen j
Wed Oct 5 11:42:36 PDT 2011

On Tue, Oct 04, 2011 at 05:50:04PM +0300, Andriy Tkachuk wrote:
> some dummy STAs (like Axis camera) may send such reports when AP is
> working on CCMP-only mode. I propose to just ignore such reports:

I agree with skipping TKIP counter measures if the error report is for a
key that is for something else than TKIP. However, the patch does not
seem to be doing this correctly.

> diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
> @@ -1019,9 +1019,15 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
>  			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
>  					"received EAPOL-Key Error Request "
>  					"(STA detected Michael MIC failure)");
> -			wpa_auth_mic_failure_report(wpa_auth, sm->addr);
> -			sm->dot11RSNAStatsTKIPRemoteMICFailures++;
> -			wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
> +			if (wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
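
Review bot: the added condition tests only wpa_auth->conf.wpa_group, but nothing in the visible context ties this Error Request to the group key, and the removed lines update the per-station counter sm->dot11RSNAStatsTKIPRemoteMICFailures as well as the authenticator-wide one. Select the cipher to compare against WPA_CIPHER_TKIP from the key the report refers to, not from the group configuration alone. The quoted hunk stops at the opening of the if, so what happens to the wpa_auth_mic_failure_report() call and the two counters in each branch cannot be checked from these lines. A log entry on the ignore path would also make misbehaving stations visible to the operator.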

The report can be either for pairwise or group cipher. As such, checking
wpa_group != WPA_CIPHER_TKIP here does not look correct. This needs to
be conditional on whether the WPA_KEY_INFO_KEY_TYPE field is set in key
info (if it is, error is for the pairwise cipher and sm->pairwise would
need to be used instead of wpa_group).

Jouni Malinen                                            PGP id EFC895FA
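
The check described in the reply above, sketched as an added example (not hostapd code and not from the original thread). The helper name and the test cases are hypothetical, and the constants are local stand-ins named after hostapd's, with values assumed here. The second case is the one a group-only check gets wrong.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins named after hostapd's constants; the values are this
 * example's assumption (Key Type is bit 3 of Key Information). */
#define WPA_KEY_INFO_KEY_TYPE (1u << 3) /* set: pairwise, clear: group */
#define WPA_CIPHER_TKIP (1u << 3)
#define WPA_CIPHER_CCMP (1u << 4)

/* Hypothetical helper: returns true only when the Michael MIC failure
 * report refers to a key that actually uses TKIP. */
static bool mic_report_is_for_tkip(uint16_t key_info,
                                   unsigned int sta_pairwise,
                                   unsigned int conf_group)
{
	unsigned int cipher;

	if (key_info & WPA_KEY_INFO_KEY_TYPE)
		cipher = sta_pairwise; /* report is about the pairwise key */
	else
		cipher = conf_group;   /* report is about the group key */
	return cipher == WPA_CIPHER_TKIP;
}

int main(void)
{
	/* Constructed cases: key_info, STA pairwise cipher, group cipher. */
	struct { uint16_t ki; unsigned int pw, grp; const char *desc; } c[] = {
		{ 0, WPA_CIPHER_CCMP, WPA_CIPHER_CCMP, "CCMP-only, group report" },
		{ WPA_KEY_INFO_KEY_TYPE, WPA_CIPHER_CCMP, WPA_CIPHER_TKIP,
		  "mixed, pairwise CCMP report" },
		{ 0, WPA_CIPHER_CCMP, WPA_CIPHER_TKIP, "mixed, group TKIP report" },
		{ WPA_KEY_INFO_KEY_TYPE, WPA_CIPHER_TKIP, WPA_CIPHER_TKIP,
		  "TKIP pairwise report" },
	};
	for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("%-30s -> %s\n", c[i].desc,
		       mic_report_is_for_tkip(c[i].ki, c[i].pw, c[i].grp) ?
		       "run countermeasures" : "ignore report");
	return 0;
}
```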
