Fw: 11w and WPA_CIPHER_AES_128_CMAC

Jouni Malinen j at w1.fi
Sat Feb 25 00:39:07 PST 2017

On Wed, Feb 22, 2017 at 02:04:21AM +0000, rosect190 at yahoo.com wrote:
> Starting from hostapd 2.5, in src/ap/wpa_auth_ie.c, wpa_write_rsn_ie(..), this condition is added at line 265:
> conf->group_mgmt_cipher != WPA_CIPHER_AES_128_CMAC

This was added to remove the optional fields from RSNE as a workaround
for some interoperability issues. The commit log has more details:

> However, in the following switch statement, this condition is actually evaluated:
> switch (conf->group_mgmt_cipher) {
>         case WPA_CIPHER_AES_128_CMAC:
>             break;
> I do not quite understand this seemingly contradictory situation. Could someone explain? Thanks in advance. 

It looks safer to leave the full set of management group cipher suites
in the switch statement even though this WPA_CIPHER_AES_128_CMAC case is
currently unreachable. Otherwise, this code might accidentally be copied
somewhere else and or re-enabled without realizing that one of the
options was missing.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list