* GCMP and other unknown ciphers
From: Emil Velikov @ 2022-10-06 13:22 UTC
To: iwd

Greetings team,

Recently we've noticed that IWD fails to connect to WPA2-PSK networks
whenever GCMP+CCMP cipher is used. Browsing through the IWD code-base
it appears that it lacks support for GCMP, GCMP-256 and CCMP-256
amongst others.

Was my analysis correct - is GCMP supported? Are there any plans on doing so?

Somewhat relatedly - is there a configuration knob that one can switch
and let IWD fall-back to the other supported ciphers? In the GCMP+CCMP
case, we can opt for CCMP for example.

Thanks in advance,
Emil

* Re: GCMP and other unknown ciphers
From: Denis Kenzior @ 2022-10-06 14:34 UTC
To: Emil Velikov, iwd

[-- Attachment #1: Type: text/plain, Size: 897 bytes --]

Hi Emil,

On 10/6/22 08:22, Emil Velikov wrote:
> Greetings team,
>
> Recently we've noticed that IWD fails to connect to WPA2-PSK networks
> whenever GCMP+CCMP cipher is used. Browsing through the IWD code-base
> it appears that it lacks support for GCMP, GCMP-256 and CCMP-256
> amongst others.

We do not support or select GCMP. But I'm not sure why this would prevent a
connection? We would always select CCMP instead. See wiphy_select_cipher().

Hmm... maybe we reject GCMP at a lower layer...? Try the attached patch?

>
> Was my analysis correct - is GCMP supported? Are there any plans on doing so?

No real plans, patches are always welcome.

>
> Somewhat relatedly - is there a configuration knob that one can switch
> and let IWD fall-back to the other supported ciphers? In the GCMP+CCMP
> case, we can opt for CCMP for example.
>

This should already happen.

Regards,
-Denis

[-- Attachment #2: 0001-ie-Skip-unknown-pairwise-ciphers.patch --]
[-- Type: text/x-patch, Size: 1627 bytes --]

From 155867e0acbb7ab656676dec666a1b75e25e90e6 Mon Sep 17 00:00:00 2001
From: Denis Kenzior <denkenz@gmail.com>
Date: Thu, 6 Oct 2022 09:30:17 -0500
Subject: [PATCH] ie: Skip unknown pairwise ciphers

---
 src/ie.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/ie.c b/src/ie.c
index 070454ef4f8f..13e921dac5bc 100644
--- a/src/ie.c
+++ b/src/ie.c
@@ -589,15 +589,14 @@ static bool ie_parse_group_cipher(const uint8_t *data, return true; } -static bool ie_parse_pairwise_cipher(const uint8_t *data, +static int ie_parse_pairwise_cipher(const uint8_t *data, enum ie_rsn_cipher_suite *out) { enum ie_rsn_cipher_suite tmp; - bool r = ie_parse_cipher_suite(data, &tmp); if (!r) - return r; + return -ENOENT; switch (tmp) { case IE_RSN_CIPHER_SUITE_CCMP: @@ -607,11 +606,11 @@ static bool ie_parse_pairwise_cipher(const uint8_t *data, case IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER: break; default: - return false; + return -ERANGE; } *out = tmp; - return true; + return 0; } static bool ie_parse_group_management_cipher(const uint8_t *data, @@ -682,9 +681,12 @@ static int parse_ciphers(const uint8_t *data, size_t len, /* Parse Pairwise Cipher Suite List field */ for (i = 0, out_info->pairwise_ciphers = 0; i < count; i++) { enum ie_rsn_cipher_suite suite; + int r = ie_parse_pairwise_cipher(data + i * 4, &suite); - if (!ie_parse_pairwise_cipher(data + i * 4, &suite)) - return -ERANGE; + if (r == -ENOENT) /* Skip unknown */ + continue; + else if (r < 0) + return r; out_info->pairwise_ciphers |= suite; } -- 2.35.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
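
Review bot: In ie_parse_pairwise_cipher(), the `default:` branch of the switch still returns -ERANGE, and parse_ciphers() treats every negative value other than -ENOENT as fatal (`else if (r < 0) return r;`). A suite that ie_parse_cipher_suite() recognises but that is not listed in the switch therefore still rejects the whole cipher list, so the skip only takes effect when ie_parse_cipher_suite() itself fails. If GCMP ends up in that default case, either return -ENOENT there too or skip -ERANGE in the caller. A short comment above the function stating what -ENOENT and -ERANGE each mean would make the intended split clear.
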
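
Review bot: In the parse_ciphers() loop, `continue` on -ENOENT means out_info->pairwise_ciphers can still be 0 after the loop when every advertised pairwise suite is unknown, and nothing in the visible lines rejects that case, whereas the old code failed such an element with -ERANGE. Consider checking for an empty mask after the loop and returning an error there, so that an element with no usable pairwise cipher is not passed on as valid. The `else` after `continue` is also redundant.
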
* Re: GCMP and other unknown ciphers
From: Emil Velikov @ 2022-10-25 14:27 UTC
To: Denis Kenzior; +Cc: iwd

Hi Denis,

Sorry for the late reply - been busy with some non-computer stuff.

On Thu, 6 Oct 2022 at 15:34, Denis Kenzior <denkenz@gmail.com> wrote:
>
> Hi Emil,
>
> On 10/6/22 08:22, Emil Velikov wrote:
> > Greetings team,
> >
> > Recently we've noticed that IWD fails to connect to WPA2-PSK networks
> > whenever GCMP+CCMP cipher is used. Browsing through the IWD code-base
> > it appears that it lacks support for GCMP, GCMP-256 and CCMP-256
> > amongst others.
>
> We do not support or select GCMP. But I'm not sure why this would prevent a
> connection? We would always select CCMP instead. See wiphy_select_cipher().
>
> Hmm... maybe we reject GCMP at a lower layer...? Try the attached patch?
>

Now that I've got the hardware at hand, it looks like iwd does not
list the network at all. I will try your patch and report shortly.

Details:
 - Nighthawk X10 running dd-wrt
 - WPA2 Personal (without SHA256)
 - CCMP-128(AES) + GCMP

> >
> > Was my analysis correct - is GCMP supported? Are there any plans on doing so?
>
> No real plans, patches are always welcome.
>

Do you have a rough estimate of how much work that might be - are we
talking about weeks or months? How does one get access to the 802.11
spec these days?

> >
> > Somewhat relatedly - is there a configuration knob that one can switch
> > and let IWD fall-back to the other supported ciphers? In the GCMP+CCMP
> > case, we can opt for CCMP for example.
> >
>
> This should already happen.
>

That was my assumption as well, yet empirically it does not.

Thanks again
Emil

* Re: GCMP and other unknown ciphers
From: Denis Kenzior @ 2022-10-25 15:31 UTC
To: Emil Velikov; +Cc: iwd

Hi Emil,

>>>
>>> Was my analysis correct - is GCMP supported? Are there any plans on doing so?
>>
>> No real plans, patches are always welcome.
>>
> Do you have a rough estimate of how much work that might be - are we
> talking about weeks or months? How does one get access to the 802.11
> spec these days?
>

There is a patchset on the mailing list that implements all ciphers listed in
802.11, including GCMP. Only tested in a synthetic environment since none of my
commercial APs seem to support anything besides TKIP/CCMP.

As far as obtaining 802.11 spec, you would probably need to purchase it from IEEE.

Regards,
-Denis

* Re: GCMP and other unknown ciphers
From: Emil Velikov @ 2022-11-07 15:53 UTC
To: Denis Kenzior; +Cc: iwd

On Tue, 25 Oct 2022 at 16:32, Denis Kenzior <denkenz@gmail.com> wrote:
>
> Hi Emil,
>
>
> >>>
> >>> Was my analysis correct - is GCMP supported? Are there any plans on doing so?
> >>
> >> No real plans, patches are always welcome.
> >>
> > Do you have a rough estimate of how much work that might be - are we
> > talking about weeks or months? How does one get access to the 802.11
> > spec these days?
> >
>
> There is a patchset on the mailing list that implements all ciphers listed in
> 802.11, including GCMP. Only tested in a synthetic environment since none of my
> commercial APs seem to support anything besides TKIP/CCMP.
>

I've tested it against a Netgear Nighthawk X10 with the following combinations:

WPA2 Personal (without SHA256)
 - CCMP-128 (AES) + GCMP
 - CCMP-256 only
 - GCMP-256 only

All of the above are working like a charm. I haven't tried any
Enterprise combinations due to some unrelated hiccups on my test rig.

Huge thanks for the amazing help
Emil