On Thu, Jan 30, 2020 at 09:06:34AM +0100, Sarada Prasanna Garnayak wrote:
> Observed some client adding invalid group cipher in association request which
> is not matching with the AP which leads to EAPOL handshake failure due invalid key length.
>
> e.g.
> AP configuration : ieee80211w=1 and group_mgmt_cipher=BIP-GMAC-256
> Station support : group_mgmt_cipher=AES-128-CMAC

Would you be able to provide debug logs from the AP and STA for this?

> . Hostap sending the IGTK in EAPOL 3rd message length 32 and WPA_supplicant validate
> the key length (expecting 16) but the cipher key length is 32 from hostapd as per
> the AP group mgmt. cipher.
> . Invalid IGTK key length for wpa_supplicant and stop EAPOL handshake state machine
> and generate DEAUTH.

This should not happen with hostapd and wpa_supplicant. hostapd should already reject the association due to unsupported group management cipher and wpa_supplicant should not try to associate or even select the AP if there is a mismatch in local configuration and what the AP advertises.

> So reject the association request if management frame protection is true and cipher
> key length is not matching between AP and STA.

This should not be done based on key length, but based on cipher suite. And that should already be done, so I'd like to get more details on how you managed to get to a point where this patch would be needed.

-- 
Jouni Malinen                                            PGP id EFC895FA
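Added example, not part of the original message and not hostapd code: an association-time check that compares the group management cipher suite selector in the station's RSNE against the AP's configured suite, so BIP-GMAC-128 is also refused by a BIP-CMAC-128 AP although both use a 16-byte IGTK. The function names and sample elements are constructed for illustration, and the station is assumed to have negotiated management frame protection.

```c
#include <stddef.h>
#include <stdint.h>

/* Group management cipher suite selectors: OUI 00-0F-AC plus suite type. */
#define BIP_CMAC_128 0x000FAC06u /* "AES-128-CMAC", 16-byte IGTK */
#define BIP_GMAC_128 0x000FAC0Bu /* 16-byte IGTK */
#define BIP_GMAC_256 0x000FAC0Cu /* 32-byte IGTK */

static size_t le16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Step over n bytes: 1 = ok, 0 = element ended here (field omitted), -1 = truncated. */
static int take(const uint8_t **p, const uint8_t *end, size_t n)
{
    if (*p == end) return 0;
    if ((size_t)(end - *p) < n) return -1;
    *p += n;
    return 1;
}

/* Step over a 2-byte count followed by that many fixed-size entries. */
static int take_list(const uint8_t **p, const uint8_t *end, size_t entry)
{
    size_t n;
    int r = take(p, end, 2);
    if (r != 1) return r;
    n = le16(*p - 2) * entry;
    if ((size_t)(end - *p) < n) return -1;
    *p += n;
    return 1;
}

/* Suite the station requested; 0 if the RSNE is malformed. An RSNE that
 * ends before the field selects the default, BIP-CMAC-128. */
uint32_t sta_group_mgmt_cipher(const uint8_t *ie, size_t len)
{
    const uint8_t *p, *end = ie + len;
    int r;
    if (len < 4 || ie[0] != 48 || (size_t)ie[1] + 2 != len || le16(ie + 2) != 1)
        return 0;
    p = ie + 4;                                   /* past header and version */
    if ((r = take(&p, end, 4)) == 1 && (r = take_list(&p, end, 4)) == 1 &&  /* group, pairwise */
        (r = take_list(&p, end, 4)) == 1 && (r = take(&p, end, 2)) == 1 &&  /* AKM, capabilities */
        (r = take_list(&p, end, 16)) == 1 && (r = take(&p, end, 4)) == 1)   /* PMKIDs, group mgmt */
        return (uint32_t)p[-4] << 24 | (uint32_t)p[-3] << 16 | (uint32_t)p[-2] << 8 | p[-1];
    return r == 0 ? BIP_CMAC_128 : 0;
}

/* 1 if the association may proceed, 0 if it must be rejected (mismatch or malformed). */
int group_mgmt_cipher_ok(uint32_t ap_suite, const uint8_t *ie, size_t len)
{ return sta_group_mgmt_cipher(ie, len) == ap_suite; }

/* Constructed RSNEs (CCMP, PSK, MFPC set): explicit BIP-CMAC-128, and one ending after capabilities. */
const uint8_t sta_rsne[] = { 48,26, 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,2, 0x80,0, 0,0, 0,0x0f,0xac,6 };
const uint8_t short_rsne[] = { 48,20, 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,2, 0x80,0 };
```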