GTK msg 1/2 fields possibly incorrect

[Jouni Malinen]

On Mon, Feb 06, 2017 at 12:35:58AM +0100, Andrew Zaborowski wrote:
> On 5 February 2017 at 13:03, Jouni Malinen <j at w1.fi> wrote:
> > The Key Length field has a bit more complex story.. P802.11i/D3.0
> > defines that field as having value 16 for EAPOL-Key group message 1/2.
> > That behavior needs to be maintained for WPA interoperability. That
> > said, it looks like it would be fine to clear this to 0 for WPA2 (RSN)
> > cases and hopefully that does not cause any new interop issues.. I'm
> > planning on doing this to address that:
> 
> After looking through the spec again it looks like either value would
> be good here too.  While 802.11-2012 11.6.2 says "length in octets of
> the pairwise temporal key to configure", and so this doesn't apply to
> the GTK, it doesn't list 0 as a special backup value or anything
> similar.  11.6.7.2 shows 0 but the "Key Length" fields in FTE GTK /
> IGTK subelements are the length of the unwrapped / unpadded GTK /
> IGTK.

There are actually three different values discussed here: 0, key length
of pairwise cipher key, and key length of group cipher key.
P802.11i/D3.0 (WPA) defined the Key Length field as indicating the
length of the key to be configured where that key was referring to the
pairwise key in 4-way handshake and group key in the group key
handshake. That design changed in the published IEEE Std 802.11i-2004
(WPA2/RSN) to describe the Key Length field as being specifically for
the pairwise key.

In other words, this cannot really be the same value for WPA and WPA2 if
the pairwise and group ciphers have different key lengths. It looks
cleanest to keep the current (new) behavior where the Key Length field
in group key handshake msg 1/2 is set to 0 for WPA2 and to the length of
the group key for WPA.

-- 
Jouni Malinen                                            PGP id EFC895FA