From patchwork Wed Feb 7 21:16:19 2024
X-Patchwork-Submitter: Matthew Wang
X-Patchwork-Id: 1896334
From: Matthew Wang
To: j@w1.fi
Cc: hostap@lists.infradead.org, matthewmwang@chromium.org
Subject: [PATCH 1/2] Check driver support before selecting ciphers
Date: Wed, 7 Feb 2024 21:16:19 +0000
Message-ID: <20240207211620.3917804-1-matthewmwang@chromium.org>
X-Mailer: git-send-email 2.43.0.594.gd9cf4e227d-goog

We currently don't check driver support before selecting pairwise and
group ciphers. Check that the driver supports a cipher before selecting
it, otherwise fall back.

Change-Id: I343b6656bd695d074ed2ac42d35378711ec1426e
Signed-off-by: Matthew Wang
---
 wpa_supplicant/wpa_supplicant.c   | 41 ++++++++++++++++++++++++++-----
 wpa_supplicant/wpa_supplicant_i.h |  1 +
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 172a863cb..bec2c9037 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_s->group_cipher = WPA_CIPHER_NONE; wpa_s->pairwise_cipher = WPA_CIPHER_NONE; #else /* CONFIG_NO_WPA */ - sel = ie.group_cipher & ssid->group_cipher; + sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x", - ie.group_cipher, ssid->group_cipher, sel); + "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x", + ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel); wpa_s->group_cipher = wpa_pick_group_cipher(sel); if (wpa_s->group_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group " @@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", wpa_cipher_txt(wpa_s->group_cipher)); - sel = ie.pairwise_cipher & ssid->pairwise_cipher; + sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x", - ie.pairwise_cipher, ssid->pairwise_cipher, sel); + "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x", + ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers, + sel); wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1); if (wpa_s->pairwise_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise " 
@@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da, #endif /* CONFIG_GAS_SERVER */ +static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc) +{ + unsigned int ciphers = 0; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40) + ciphers |= WPA_CIPHER_WEP40; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104) + ciphers |= WPA_CIPHER_WEP104; + if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP) + ciphers |= WPA_CIPHER_TKIP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP) + ciphers |= WPA_CIPHER_CCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP) + ciphers |= WPA_CIPHER_GCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256) + ciphers |= WPA_CIPHER_GCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256) + ciphers |= WPA_CIPHER_CCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128) + ciphers |= WPA_CIPHER_BIP_GMAC_128; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256) + ciphers |= WPA_CIPHER_BIP_GMAC_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256) + ciphers |= WPA_CIPHER_BIP_CMAC_256; + return ciphers; +} + + static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, const struct wpa_interface *iface) { @@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags = capa.flags; wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; + wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 933fc3626..55929e667 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -920,6 +920,7 @@ struct wpa_supplicant { u64 drv_flags; u64 drv_flags2; unsigned int drv_enc; + unsigned int drv_ciphers; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs;
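
Review bot: In the first wpa_supplicant_set_suites() hunk (@@ -1747), "sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers;" yields 0 whenever drv_ciphers is 0, and the only assignment in this patch derives it from capa.enc in wpa_supplicant_init_iface(). A driver that reports no enc capability bits would then reach the existing "Failed to select group" path for every network, where before it would have attempted the association. Suggest applying the mask only when drv_ciphers is nonzero, or stating in the commit message that such drivers are intentionally rejected.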
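
Review bot: In the pairwise hunk (@@ -1760), a fallback caused by the driver mask is only visible through the wpa_dbg() line at MSG_DEBUG. When "ie.pairwise_cipher & ssid->pairwise_cipher" contains a cipher that the mask then removes, wpa_pick_pairwise_cipher(sel, 1) can return a weaker cipher than the AP and profile would otherwise have agreed on, and nothing at the default log level says why. Suggest a message above debug level for that case, so a driver-imposed downgrade can be told apart from a configuration choice. The new format strings are also long single literals; splitting them would match the surrounding wpa_msg() calls.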
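
Review bot: wpas_drv_enc_to_ciphers() (@@ -7040) has no mapping for WPA_DRIVER_CAPA_ENC_GTK_NOT_USED or WPA_DRIVER_CAPA_ENC_BIP, so WPA_CIPHER_GTK_NOT_USED and WPA_CIPHER_AES_128_CMAC can never appear in drv_ciphers. Because the group selection is now masked with drv_ciphers, a network whose only common group cipher is WPA_CIPHER_GTK_NOT_USED would lose it here and fail selection. Suggest adding both mappings, or leaving WPA_CIPHER_GTK_NOT_USED out of the mask explicitly, and adding a short comment above the function stating that the result is a WPA_CIPHER_* bitmask. A blank line after the "unsigned int ciphers = 0;" declaration would also help readability.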
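
Review bot: The new "unsigned int drv_ciphers;" field in struct wpa_supplicant (wpa_supplicant_i.h, @@ -920) sits directly under drv_enc with no comment, although the two use different bit spaces (WPA_DRIVER_CAPA_ENC_* versus WPA_CIPHER_*). Suggest a one-line comment on the field saying that it is the WPA_CIPHER_* translation of drv_enc, computed once in wpa_supplicant_init_iface(), so later code does not AND one against the other by mistake.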