* [PATCH] ap: disallow TKIP and 'use group cipher'
@ 2022-10-24 20:47 James Prestwood
2022-10-24 22:26 ` Denis Kenzior
0 siblings, 1 reply; 2+ messages in thread
From: James Prestwood @ 2022-10-24 20:47 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The EAPoL SM does not support either of these ciphers when acting
as an authenticator since ARC4 encryption is not implemented.
(see eapol_encrypt_key_data() for key descriptor version 1)
This can cause 4-way failures if e.g. the hardware only supports
TKIP. Rather than fail the 4-way its better to not even start the
AP and return NotSupported.
---
src/ap.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ap.c b/src/ap.c
index 429de560..94eff2a2 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3303,7 +3303,15 @@ struct ap_state *ap_start(struct netdev *netdev, struct l_settings *config,
err = -EINVAL;
/* TODO: Add all ciphers supported by wiphy */
- ap->ciphers = wiphy_select_cipher(wiphy, 0xffff);
+ ap->ciphers = wiphy_select_cipher(wiphy,
+ ~(IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER |
+ IE_RSN_CIPHER_SUITE_TKIP));
+ if (!ap->ciphers) {
+ l_error("Hardware does not support required pairwise ciphers!");
+ err = -ENOTSUP;
+ goto error;
+ }
+
ap->group_cipher = wiphy_select_cipher(wiphy, 0xffff);
ap->beacon_interval = 100;
ap->networks = l_queue_new();
--
2.34.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ap: disallow TKIP and 'use group cipher'
2022-10-24 20:47 [PATCH] ap: disallow TKIP and 'use group cipher' James Prestwood
@ 2022-10-24 22:26 ` Denis Kenzior
0 siblings, 0 replies; 2+ messages in thread
From: Denis Kenzior @ 2022-10-24 22:26 UTC (permalink / raw)
To: James Prestwood, iwd
Hi James,
On 10/24/22 15:47, James Prestwood wrote:
> The EAPoL SM does not support either of these ciphers when acting
> as an authenticator since ARC4 encryption is not implemented.
> (see eapol_encrypt_key_data() for key descriptor version 1)
>
> This can cause 4-way failures if e.g. the hardware only supports
> TKIP. Rather than fail the 4-way its better to not even start the
> AP and return NotSupported.
> ---
> src/ap.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
Well, I have a patch pending that limits the ciphers to TKIP or CCMP since P2P
only works with those. No sense in choosing GCMP, CCMP-256, etc yet. So we can
implement the missing bits in eapol_encrypt_key_data, or simply check whether
CCMP is supported and only use that.
Regards,
-Denis
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-10-24 22:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-24 20:47 [PATCH] ap: disallow TKIP and 'use group cipher' James Prestwood
2022-10-24 22:26 ` Denis Kenzior
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).