Reject association if HT STA tries to use TKIP as pairwise cipher

diff --git a/hostapd/ieee802_11.c b/hostapd/ieee802_11.c
index 39cc837..fe2d88f 100644 (file)
--- a/hostapd/ieee802_11.c
+++ b/hostapd/ieee802_11.c
@@ -930,6 +930,16 @@ static void handle_assoc(struct hostapd_data *hapd,
                                goto fail;
                }
 #endif /* CONFIG_IEEE80211R */
+#ifdef CONFIG_IEEE80211N
+               if ((sta->flags & WLAN_STA_HT) &&
+                   wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
+                       wpa_printf(MSG_DEBUG, "HT: " MACSTR " tried to "
+                                  "use TKIP with HT association",
+                                  MAC2STR(sta->addr));
+                       resp = WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
+                       goto fail;
+               }
+#endif /* CONFIG_IEEE80211N */
        } else
                wpa_auth_sta_no_wpa(sta->wpa_sm);
 

diff --git a/hostapd/wpa.c b/hostapd/wpa.c
index 0d173c0..e995562 100644 (file)
--- a/hostapd/wpa.c
+++ b/hostapd/wpa.c
@@ -2305,6 +2305,12 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
 }
 
 
+int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
+{
+       return sm->pairwise;
+}
+
+
 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
 {
        if (sm == NULL)

diff --git a/hostapd/wpa.h b/hostapd/wpa.h
index e347923..44cb92d 100644 (file)
--- a/hostapd/wpa.h
+++ b/hostapd/wpa.h
@@ -246,6 +246,7 @@ int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen);
 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen);
 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth);
 int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,