<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: correct group cipher setting</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Leaving group_cipher at its default value works for me. Thanks for the advice!<BR>
<BR>
---chuck<BR>
<BR>
-----Original Message-----<BR>
From: hostap-bounces@lists.shmoo.com on behalf of Jouni Malinen<BR>
Sent: Mon 1/12/2009 9:26 AM<BR>
To: hostap@lists.shmoo.com<BR>
Subject: Re: correct group cipher setting<BR>
<BR>
On Mon, Jan 12, 2009 at 06:23:00PM +0200, Chuck Tuffli wrote:<BR>
<BR>
> What is the correct value for group cipher (i.e. ssid->group_cipher) in the case of an open network (no encryption)? I naively assumed it should be WPA_CIPHER_NONE, but if it is, the saved configuration file causes an error:<BR>
<BR>
In theory, WPA_CIPHER_NONE would indeed be the correct value. However,<BR>
the 'group' parameter from configuration is not really used if WPA/WPA2<BR>
is not in use and the default value (WEP40|WEP104|TKIP|CCMP) is normally<BR>
left as the ssid->group_cipher in that case.<BR>
<BR>
> group=NONE<BR>
<BR>
> 1064.264451: Line 9: not allowed group cipher (0x1).<BR>
> 1064.266121: Line 9: failed to parse group 'NONE'.<BR>
><BR>
> Should wpa_config_parse_group() allow WPA_CIPHER_NONE as a valid group cipher or does this open an exploit? Note this is running 0.5.10 with my WPS patch, but the logic looks the same as 0.6.x.<BR>
<BR>
I think the easiest workaround for that would be to just leave the group<BR>
cipher at its default value from wpa_config_set_network_defaults() when<BR>
not using WPA/WPA2. wpa_supplicant will internally end up converting<BR>
this to WPA_CIPHER_NONE when requesting association.<BR>
<BR>
In theory, the strict requirement of unconditionally not allowing<BR>
WPA_CIPHER_NONE is not correct. However, allowing NONE as the cipher<BR>
would (likely) break WPA/WPA2 validation. It could potentially be moved<BR>
from wpa_config_parse_group() into a check that is done after all<BR>
network block variables have been set. However, there is not such place<BR>
in the current code and doing this would be complicated at best when<BR>
allowing dynamic configuration changes over control interfaces..<BR>
<BR>
--<BR>
Jouni Malinen PGP id EFC895FA<BR>
_______________________________________________<BR>
HostAP mailing list<BR>
HostAP@lists.shmoo.com<BR>
<A HREF="http://lists.shmoo.com/mailman/listinfo/hostap">http://lists.shmoo.com/mailman/listinfo/hostap</A><BR>
<BR>
______________________________________________________________________<BR>
DSP Group, Inc. automatically scans all emails and attachments using MessageLabs Email Security System.<BR>
_____________________________________________________________________<BR>
<BR>
</FONT>
</P>
<BR>
______________________________________________________________________<BR>
DSP Group, Inc. automatically scans all emails and attachments using MessageLabs Email Security System.<BR>
_____________________________________________________________________<BR>
</BODY>
</HTML>