We currently don't check driver support before selecting pairwise and group ciphers. Check that the driver supports a cipher before selecting it, otherwise fall back.
Signed-off-by: Matthew Wang <matthewmwang@xxxxxxxxxxxx>
---
 wpa_supplicant/wpa_supplicant.c | 41 ++++++++++++++++++++++++++-----
 wpa_supplicant/wpa_supplicant_i.h | 1 +
 2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 172a863cb..bec2c9037 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 wpa_s->group_cipher = WPA_CIPHER_NONE;
 wpa_s->pairwise_cipher = WPA_CIPHER_NONE;
 #else /* CONFIG_NO_WPA */
- sel = ie.group_cipher & ssid->group_cipher;
+ sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers;
 wpa_dbg(wpa_s, MSG_DEBUG,
- "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x",
- ie.group_cipher, ssid->group_cipher, sel);
+ "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x",
+ ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel);
 wpa_s->group_cipher = wpa_pick_group_cipher(sel);
 if (wpa_s->group_cipher < 0) {
 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group "
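Review bot: With the new `& wpa_s->drv_ciphers` term, a zero mask makes `sel` zero, so group cipher selection fails for every network regardless of what the AP and the profile allow. The only assignment of `drv_ciphers` visible in this patch sits among the `capa.*` copies in wpa_supplicant_init_iface(), so the field presumably stays 0 when the driver reports no capabilities or leaves `capa.enc` empty; the enclosing condition is outside the hunk and should be confirmed. If such drivers exist, apply the mask only when it is known, e.g. `if (wpa_s->drv_ciphers) sel &= wpa_s->drv_ciphers;`, here and in the pairwise hunk that follows. The mask only narrows the AP/profile intersection, so it cannot select a cipher the profile forbids.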
@@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", wpa_cipher_txt(wpa_s->group_cipher));
- sel = ie.pairwise_cipher & ssid->pairwise_cipher;
+ sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers;
 wpa_dbg(wpa_s, MSG_DEBUG,
- "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x",
- ie.pairwise_cipher, ssid->pairwise_cipher, sel);
+ "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x",
+ ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers,
+ sel);
 wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1);
 if (wpa_s->pairwise_cipher < 0) {
 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise "
@@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da,
 #endif /* CONFIG_GAS_SERVER */
+static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc)
+{
+ unsigned int ciphers = 0;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40)
+ ciphers |= WPA_CIPHER_WEP40;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104)
+ ciphers |= WPA_CIPHER_WEP104;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP)
+ ciphers |= WPA_CIPHER_TKIP;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP)
+ ciphers |= WPA_CIPHER_CCMP;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)
+ ciphers |= WPA_CIPHER_GCMP;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)
+ ciphers |= WPA_CIPHER_GCMP_256;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256)
+ ciphers |= WPA_CIPHER_CCMP_256;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128)
+ ciphers |= WPA_CIPHER_BIP_GMAC_128;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256)
+ ciphers |= WPA_CIPHER_BIP_GMAC_256;
+ if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256)
+ ciphers |= WPA_CIPHER_BIP_CMAC_256;
+ return ciphers;
+}
+
+
 static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, const struct wpa_interface *iface)
 {
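Review bot: wpas_drv_enc_to_ciphers() never produces `WPA_CIPHER_GTK_NOT_USED` or `WPA_CIPHER_AES_128_CMAC`, yet its result now masks the group cipher set in wpa_supplicant_set_suites(). An AP that advertises GTK-not-used as its only group cipher would therefore end with `sel == 0` and be rejected even though no group key needs driver support. Assuming driver.h in this tree defines `WPA_DRIVER_CAPA_ENC_BIP` and `WPA_DRIVER_CAPA_ENC_GTK_NOT_USED`, map them as well so the translation covers every capability bit. A blank line after `unsigned int ciphers = 0;` and a short comment stating that the function converts WPA_DRIVER_CAPA_ENC_* bits to a WPA_CIPHER_* bitfield would also help readers.

```c
	/* … unchanged: WEP40 through BIP_CMAC_256 mappings … */
	if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP)
		ciphers |= WPA_CIPHER_AES_128_CMAC;
	if (drv_enc & WPA_DRIVER_CAPA_ENC_GTK_NOT_USED)
		ciphers |= WPA_CIPHER_GTK_NOT_USED;
	return ciphers;
```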
@@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
 wpa_s->drv_flags = capa.flags;
 wpa_s->drv_flags2 = capa.flags2;
 wpa_s->drv_enc = capa.enc;
+ wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc);
 wpa_s->drv_rrm_flags = capa.rrm_flags;
 wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs;
 wpa_s->probe_resp_offloads = capa.probe_resp_offloads;
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 933fc3626..55929e667 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -920,6 +920,7 @@ struct wpa_supplicant {
 u64 drv_flags;
 u64 drv_flags2;
 unsigned int drv_enc;
+ unsigned int drv_ciphers;
 unsigned int drv_rrm_flags;
 unsigned int drv_max_acl_mac_addrs;
--
2.43.0.594.gd9cf4e227d-goog
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap