iwd.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
* [PATCH] ap: disallow TKIP and 'use group cipher'
@ 2022-10-24 20:47 James Prestwood
  2022-10-24 22:26 ` Denis Kenzior
  0 siblings, 1 reply; 2+ messages in thread
From: James Prestwood @ 2022-10-24 20:47 UTC (permalink / raw)
  To: iwd; +Cc: James Prestwood

The EAPoL SM does not support either of these ciphers when acting
as an authenticator since ARC4 encryption is not implemented.
(see eapol_encrypt_key_data() for key descriptor version 1)

This can cause 4-way failures if e.g. the hardware only supports
TKIP. Rather than fail the 4-way its better to not even start the
AP and return NotSupported.
---
 src/ap.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ap.c b/src/ap.c
index 429de560..94eff2a2 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3303,7 +3303,15 @@ struct ap_state *ap_start(struct netdev *netdev, struct l_settings *config,
 	err = -EINVAL;
 
 	/* TODO: Add all ciphers supported by wiphy */
-	ap->ciphers = wiphy_select_cipher(wiphy, 0xffff);
+	ap->ciphers = wiphy_select_cipher(wiphy,
+				~(IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER |
+				IE_RSN_CIPHER_SUITE_TKIP));
+	if (!ap->ciphers) {
+		l_error("Hardware does not support required pairwise ciphers!");
+		err = -ENOTSUP;
+		goto error;
+	}
+
 	ap->group_cipher = wiphy_select_cipher(wiphy, 0xffff);
 	ap->beacon_interval = 100;
 	ap->networks = l_queue_new();
-- 
2.34.3


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] ap: disallow TKIP and 'use group cipher'
  2022-10-24 20:47 [PATCH] ap: disallow TKIP and 'use group cipher' James Prestwood
@ 2022-10-24 22:26 ` Denis Kenzior
  0 siblings, 0 replies; 2+ messages in thread
From: Denis Kenzior @ 2022-10-24 22:26 UTC (permalink / raw)
  To: James Prestwood, iwd

Hi James,

On 10/24/22 15:47, James Prestwood wrote:
> The EAPoL SM does not support either of these ciphers when acting
> as an authenticator since ARC4 encryption is not implemented.
> (see eapol_encrypt_key_data() for key descriptor version 1)
> 
> This can cause 4-way failures if e.g. the hardware only supports
> TKIP. Rather than fail the 4-way its better to not even start the
> AP and return NotSupported.
> ---
>   src/ap.c | 10 +++++++++-
>   1 file changed, 9 insertions(+), 1 deletion(-)
> 

Well, I have a patch pending that limits the ciphers to TKIP or CCMP since P2P 
only works with those.  No sense in choosing GCMP, CCMP-256, etc yet.  So we can 
implement the missing bits in eapol_encrypt_key_data, or simply check whether 
CCMP is supported and only use that.

Regards,
-Denis

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-10-24 22:27 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-24 20:47 [PATCH] ap: disallow TKIP and 'use group cipher' James Prestwood
2022-10-24 22:26 ` Denis Kenzior

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).