Allow group cipher selection to be overridden
The new hostapd configuration parameter group_cipher can now be used to override the automatic cipher selection based on enabled pairwise ciphers. It should be noted that selecting an unexpected group cipher can result in interoperability issues and this new capability is mainly for testing purposes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent
aab6612836
commit
27781c0ab5
4 changed files with 37 additions and 5 deletions
|
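--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -2643,6 +2643,20 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 line, pos);
 return 1;
 }
+} else if (os_strcmp(buf, "group_cipher") == 0) {
+bss->group_cipher = hostapd_config_parse_cipher(line, pos);
+if (bss->group_cipher == -1 || bss->group_cipher == 0)
+return 1;
+if (bss->group_cipher != WPA_CIPHER_TKIP &&
+bss->group_cipher != WPA_CIPHER_CCMP &&
+bss->group_cipher != WPA_CIPHER_GCMP &&
+bss->group_cipher != WPA_CIPHER_GCMP_256 &&
+bss->group_cipher != WPA_CIPHER_CCMP_256) {
+wpa_printf(MSG_ERROR,
+"Line %d: unsupported group cipher suite '%s'",
+line, pos);
+return 1;
+}
 #ifdef CONFIG_RSN_PREAUTH
 } else if (os_strcmp(buf, "rsn_preauth") == 0) {
 bss->rsn_preauth = atoi(pos);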
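Review bot: The five `!=` comparisons after `bss->group_cipher = hostapd_config_parse_cipher(line, pos);` reject a multi-suite value only indirectly: if, as its use for the space-separated pairwise lists in this same commit suggests, the parser returns a bitmask, then `group_cipher=CCMP TKIP` produces a two-bit value that fails every comparison and is reported as an "unsupported group cipher suite", which a user may read as one of the names being unknown rather than the list being the problem. A comment such as `/* group_cipher must name exactly one suite; a multi-suite mask fails every comparison below and is rejected */` would make the intent explicit, or the message could state that exactly one suite is expected. hostapd_config_fill begins and ends outside this hunk.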
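--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -1269,18 +1269,31 @@ own_ip_addr=127.0.0.1
 
 # Set of accepted cipher suites (encryption algorithms) for pairwise keys
 # (unicast packets). This is a space separated list of algorithms:
-# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
-# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
+# CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
+# TKIP = Temporal Key Integrity Protocol
+# CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
+# GCMP = Galois/counter mode protocol (GCMP-128)
+# GCMP-256 = Galois/counter mode protocol with 256-bit key
 # Group cipher suite (encryption algorithm for broadcast and multicast frames)
 # is automatically selected based on this configuration. If only CCMP is
 # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
-# TKIP will be used as the group cipher.
+# TKIP will be used as the group cipher. The optional group_cipher parameter can
+# be used to override this automatic selection.
+#
 # (dot11RSNAConfigPairwiseCiphersTable)
 # Pairwise cipher for WPA (v1) (default: TKIP)
 #wpa_pairwise=TKIP CCMP
 # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
 #rsn_pairwise=CCMP
 
+# Optional override for automatic group cipher selection
+# This can be used to select a specific group cipher regardless of which
+# pairwise ciphers were enabled for WPA and RSN. It should be noted that
+# overriding the group cipher with an unexpected value can result in
+# interoperability issues and in general, this parameter is mainly used for
+# testing purposes.
+#group_cipher=CCMP
+
 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
 # seconds. (dot11RSNAConfigGroupRekeyTime)
 # This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the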
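--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -1046,8 +1046,12 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss,
 
 if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
 bss->rsn_pairwise = bss->wpa_pairwise;
-bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise,
-bss->rsn_pairwise);
+if (bss->group_cipher)
+bss->wpa_group = bss->group_cipher;
+else
+bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
+bss->wpa_pairwise,
+bss->rsn_pairwise);
 if (!bss->wpa_group_rekey_set)
 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
 600 : 86400;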
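Review bot: The new `if (bss->group_cipher)` branch copies the override into wpa_group with no log line and no check of its own, so the only validation of the value is the one in hostapd_config_fill; if group_cipher can reach this function through any path other than the config-file parser, an arbitrary value becomes the group cipher unchecked. Since the commit message itself says an unexpected override can break interoperability, a single `wpa_printf(MSG_DEBUG, "Overriding automatic group cipher selection: group_cipher=0x%x", bss->group_cipher);` before the assignment would make an active override visible to whoever reads the logs. Note also that the rekey default on the following lines keys only on TKIP, so an override to any other suite keeps the 86400 s interval, which is presumably intended. hostapd_set_security_params begins and ends outside this hunk.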
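--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -325,6 +325,7 @@ struct hostapd_bss_config {
 PSK_RADIUS_REQUIRED = 2
 } wpa_psk_radius;
 int wpa_pairwise;
+int group_cipher; /* wpa_group value override from configuation */
 int wpa_group;
 int wpa_group_rekey;
 int wpa_group_rekey_set;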
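Review bot: The comment on the new `int group_cipher;` field misspells "configuration" as `configuation`, and it does not say what the unset state is even though hostapd_set_security_params in this commit keys on the field being zero. Suggested line: `int group_cipher; /* wpa_group value override from configuration; 0 = use automatic selection */`. struct hostapd_bss_config begins and ends outside this hunk.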