Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled

CCMP group cipher was removed if CCMP was not allowed as a pairwise
cipher when loading a configuration file (but not actually when changing
configuration during runtime). This is needed to avoid issues with
configurations that use the default group cipher (TKIP CCMP) while
modifying pairwise cipher from the default CCMP TKIP) to TKIP. However,
there is not really a need to remove the CCMP group cipher if any GCMP
or CCMP cipher is enabled as a pairwise cipher.

Change the network profile validation routine to not remove CCMP as
group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise
cipher even if CCMP is not.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 985c371fa5cdbbe86dd9bdb69d3da0b8fa9030bf..d186f78eb87ce05c6f71c38ea05f0c777b5e6382 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -141,8 +141,9 @@ static int wpa_config_validate_network(struct wpa_ssid *ssid, int line)
                ssid->p2p_persistent_group = 1;
 
        if ((ssid->group_cipher & WPA_CIPHER_CCMP) &&
-           !(ssid->pairwise_cipher & WPA_CIPHER_CCMP) &&
-           !(ssid->pairwise_cipher & WPA_CIPHER_NONE)) {
+           !(ssid->pairwise_cipher & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 |
+                                      WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256 |
+                                      WPA_CIPHER_NONE))) {
                /* Group cipher cannot be stronger than the pairwise cipher. */
                wpa_printf(MSG_DEBUG, "Line %d: removed CCMP from group cipher"
                           " list since it was not allowed for pairwise "