git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jouni Malinen <jouni@qca.qualcomm.com>
	Fri, 14 Nov 2014 18:57:05 +0000 (20:57 +0200)
committer	Jouni Malinen <j@w1.fi>
	Fri, 14 Nov 2014 19:01:13 +0000 (21:01 +0200)
commit	9f6a7cddc42811883d6035032854089475f2fc65
tree	566b9396a92d050501979702e9a62c326b05bbb8	tree \| snapshot
parent	9128f520c3bafa22d38ed775ea90ce0575ccc40f	commit \| diff

Work around AP misbehavior on EAPOL-Key descriptor version

It looks like some APs are incorrectly selecting descriptor version 3
(AES-128-CMAC) for EAPOL-Key frames when version 2 (HMAC-SHA1) was
expected to be used. This is likely triggered by an attempt to negotiate
PMF with SHA1-based AKM.

Since AES-128-CMAC is considered stronger than HMAC-SHA1, allow the
incorrect, but stronger, option to be used in these cases to avoid
interoperability issues with deployed APs.

This issue shows up with "WPA: CCMP is used, but EAPOL-Key descriptor
version (3) is not 2" in debug log. With the new workaround, this issue
is ignored and "WPA: Interoperability workaround: allow incorrect
(should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor
version to be used" is written to the log.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>