Message ID | 20240207211620.3917804-1-matthewmwang@chromium.org |
---|---|
State | New |
Headers | show |
Series | [1/2] Check driver support before selecting ciphers | expand |
I'm not sure how faithfully drivers report this, but the second patch checking the AKMs definitely doesn't work properly (I've found at least one driver that supports an AKM that it doesn't advertise support for), please ignore that one. On Wed, Feb 7, 2024 at 10:16 PM Matthew Wang <matthewmwang@chromium.org> wrote: > > We currently don't check driver support before selecting pairwise and > group ciphers. Check that the driver supports a cipher before selecting > it, otherwise fall back. > > Change-Id: I343b6656bd695d074ed2ac42d35378711ec1426e > Signed-off-by: Matthew Wang <matthewmwang@chromium.org> > --- > wpa_supplicant/wpa_supplicant.c | 41 ++++++++++++++++++++++++++----- > wpa_supplicant/wpa_supplicant_i.h | 1 + > 2 files changed, 36 insertions(+), 6 deletions(-) > > diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c > index 172a863cb..bec2c9037 100644 > --- a/wpa_supplicant/wpa_supplicant.c > +++ b/wpa_supplicant/wpa_supplicant.c > @@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, > wpa_s->group_cipher = WPA_CIPHER_NONE; > wpa_s->pairwise_cipher = WPA_CIPHER_NONE; > #else /* CONFIG_NO_WPA */ > - sel = ie.group_cipher & ssid->group_cipher; > + sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers; > wpa_dbg(wpa_s, MSG_DEBUG, > - "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x", > - ie.group_cipher, ssid->group_cipher, sel); > + "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x", > + ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel); > wpa_s->group_cipher = wpa_pick_group_cipher(sel); > if (wpa_s->group_cipher < 0) { > wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group " > @@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, > wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", > wpa_cipher_txt(wpa_s->group_cipher)); > > - sel = ie.pairwise_cipher & ssid->pairwise_cipher; > + sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers; > wpa_dbg(wpa_s, MSG_DEBUG, > - "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x", > - ie.pairwise_cipher, ssid->pairwise_cipher, sel); > + "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x", > + ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers, > + sel); > wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1); > if (wpa_s->pairwise_cipher < 0) { > wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise " > @@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da, > > #endif /* CONFIG_GAS_SERVER */ > > +static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc) > +{ > + unsigned int ciphers = 0; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40) > + ciphers |= WPA_CIPHER_WEP40; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104) > + ciphers |= WPA_CIPHER_WEP104; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP) > + ciphers |= WPA_CIPHER_TKIP; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP) > + ciphers |= WPA_CIPHER_CCMP; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP) > + ciphers |= WPA_CIPHER_GCMP; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256) > + ciphers |= WPA_CIPHER_GCMP_256; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256) > + ciphers |= WPA_CIPHER_CCMP_256; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128) > + ciphers |= WPA_CIPHER_BIP_GMAC_128; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256) > + ciphers |= WPA_CIPHER_BIP_GMAC_256; > + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256) > + ciphers |= WPA_CIPHER_BIP_CMAC_256; > + return ciphers; > +} > + > + > static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, > const struct wpa_interface *iface) > { > @@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, > wpa_s->drv_flags = capa.flags; > wpa_s->drv_flags2 = capa.flags2; > wpa_s->drv_enc = capa.enc; > + wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); > wpa_s->drv_rrm_flags = capa.rrm_flags; > wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; > wpa_s->probe_resp_offloads = capa.probe_resp_offloads; > diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h > index 933fc3626..55929e667 100644 > --- a/wpa_supplicant/wpa_supplicant_i.h > +++ b/wpa_supplicant/wpa_supplicant_i.h > @@ -920,6 +920,7 @@ struct wpa_supplicant { > u64 drv_flags; > u64 drv_flags2; > unsigned int drv_enc; > + unsigned int drv_ciphers; > unsigned int drv_rrm_flags; > unsigned int drv_max_acl_mac_addrs; > > -- > 2.43.0.594.gd9cf4e227d-goog >
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 172a863cb..bec2c9037 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_s->group_cipher = WPA_CIPHER_NONE; wpa_s->pairwise_cipher = WPA_CIPHER_NONE; #else /* CONFIG_NO_WPA */ - sel = ie.group_cipher & ssid->group_cipher; + sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x", - ie.group_cipher, ssid->group_cipher, sel); + "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x", + ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel); wpa_s->group_cipher = wpa_pick_group_cipher(sel); if (wpa_s->group_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group " @@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", wpa_cipher_txt(wpa_s->group_cipher)); - sel = ie.pairwise_cipher & ssid->pairwise_cipher; + sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x", - ie.pairwise_cipher, ssid->pairwise_cipher, sel); + "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x", + ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers, + sel); wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1); if (wpa_s->pairwise_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise " @@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da, #endif /* CONFIG_GAS_SERVER */ +static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc) +{ + unsigned int ciphers = 0; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40) + ciphers |= WPA_CIPHER_WEP40; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104) + ciphers |= WPA_CIPHER_WEP104; + if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP) + ciphers |= WPA_CIPHER_TKIP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP) + ciphers |= WPA_CIPHER_CCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP) + ciphers |= WPA_CIPHER_GCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256) + ciphers |= WPA_CIPHER_GCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256) + ciphers |= WPA_CIPHER_CCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128) + ciphers |= WPA_CIPHER_BIP_GMAC_128; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256) + ciphers |= WPA_CIPHER_BIP_GMAC_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256) + ciphers |= WPA_CIPHER_BIP_CMAC_256; + return ciphers; +} + + static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, const struct wpa_interface *iface) { @@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags = capa.flags; wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; + wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 933fc3626..55929e667 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -920,6 +920,7 @@ struct wpa_supplicant { u64 drv_flags; u64 drv_flags2; unsigned int drv_enc; + unsigned int drv_ciphers; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs;
We currently don't check driver support before selecting pairwise and group ciphers. Check that the driver supports a cipher before selecting it, otherwise fall back. Change-Id: I343b6656bd695d074ed2ac42d35378711ec1426e Signed-off-by: Matthew Wang <matthewmwang@chromium.org> --- wpa_supplicant/wpa_supplicant.c | 41 ++++++++++++++++++++++++++----- wpa_supplicant/wpa_supplicant_i.h | 1 + 2 files changed, 36 insertions(+), 6 deletions(-)