[PATCH] rsn_supp: Don't encrypt EAPOL-Key 4/4.

Jouni Malinen j at w1.fi
Mon Feb 13 05:48:48 EST 2012


On Mon, Feb 13, 2012 at 11:25:02AM +0100, Andreas Hartmann wrote:
> Jouni Malinen schrieb:
> > It is not that much of a problem of being able to do this, but the
> > problem of this not being the correct way of handling this.. If that AP
> > was indeed using mac80211, too, I think we need to fix the AP behavior
> > to drop such a frame.
> 
> I think this would be a bad idea, because it would break compatibility
> (see above) and it would be against the defined standard (according
> Nicolas).

Sure, the interoperability part needs to be researched more. However, as
far as the standard is concerned, I would claim that the defined
behavior is to encrypt EAPOL frames whenever a PTK is in configured and
that is very much the case during the PTK rekeying.

There has been number of poor WPA implementations that did not exactly
follow the rules correctly, but as far as RSN (WPA2) is concerned, these
frames should really be encrypted.

> I'll try my best. But it should be really easy for you to reproduce this
> problem yourself, as it comes up here in 99%.

For some reason, I did not seem to hit this in my tests when I was
testing some of the EAPOL retransmission timeouts with heavy background
traffic some time ago. I'll try this again, but I'm not sure when I'll
find the time for this.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list