
Ignore Michael MIC failure reports if cipher is not TKIP

Some stations have been reported to send EAPOL-Key Error Reports
indicating Michael MIC failures even when the cipher is not TKIP
(e.g., when the network is using only CCMP). Ignore such reports
to avoid starting TKIP countermeasures unnecessarily. This can
prevent certain types of denial of service attacks by insiders,
but mostly this is to work around invalid station implementations.

Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen 13 years ago
commit
fbc72d32c6
1 changed files with 14 additions and 3 deletions

+ 14 - 3
src/ap/wpa_auth.c

@@ -718,9 +718,20 @@ static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
 			 "received EAPOL-Key Error Request "
 			 "(STA detected Michael MIC failure (group=%d))",
 			 group);
-	wpa_auth_mic_failure_report(wpa_auth, sm->addr);
-	sm->dot11RSNAStatsTKIPRemoteMICFailures++;
-	wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
+
+	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
+		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+				"ignore Michael MIC failure report since "
+				"group cipher is not TKIP");
+	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
+		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+				"ignore Michael MIC failure report since "
+				"pairwise cipher is not TKIP");
+	} else {
+		wpa_auth_mic_failure_report(wpa_auth, sm->addr);
+		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
+		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
+	}
 
 	/*
 	 * Error report is not a request for a new key handshake, but since
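Review bot: Neither ignore branch returns (the `group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP` case and the `!group && sm->pairwise != WPA_CIPHER_TKIP` case), so control falls through to the code after the if/else chain and whatever the trailing comment about a new key handshake introduces still runs for a report that was just classified as invalid. If that fall-through is intended, say so in a short comment at the end of the chain; if not, return right after the `wpa_auth_logger()` call so an invalid report has no further effect. Separately, every ignored report is logged at LOGGER_INFO on top of the "received EAPOL-Key Error Request" message above, with no rate limit and no counter, so a station that keeps sending these reports can fill the log; consider a lower log level or a per-station counter for ignored reports so the behaviour stays visible without one line per frame.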