Prefer GCMP-256 over CCMP-256 as the pairwise/group cipher

While there is not any significant reason from the protocol or security
view points, there is significant difference in how much testing and
deployment there has been for these cipher suites. GCMP-256 is the
expected cipher suite to be used for new Wi-Fi 7 deployments and there
is more or less no deploymeny of CCMP-256 or plans for trying to change
that.

While selecting either option in cases where both ciphers have been
enabled, likelihood of interoperability issues due to limited testing is
higher with CCMP-256. As such, prefer GCMP-256 over it whenever there is
option to select either of those two ciphers.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 613ea7fdeda62724716de450003b190407bdf68a..e5e99b95d8f1bd999f0b81bcd5ba67c0d895d268 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -3158,10 +3158,10 @@ int wpa_cipher_put_suites(u8 *start, int ciphers)
 
 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
 {
-       if (ciphers & WPA_CIPHER_CCMP_256)
-               return WPA_CIPHER_CCMP_256;
        if (ciphers & WPA_CIPHER_GCMP_256)
                return WPA_CIPHER_GCMP_256;
+       if (ciphers & WPA_CIPHER_CCMP_256)
+               return WPA_CIPHER_CCMP_256;
        if (ciphers & WPA_CIPHER_CCMP)
                return WPA_CIPHER_CCMP;
        if (ciphers & WPA_CIPHER_GCMP)
@@ -3176,10 +3176,10 @@ int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
 
 int wpa_pick_group_cipher(int ciphers)
 {
-       if (ciphers & WPA_CIPHER_CCMP_256)
-               return WPA_CIPHER_CCMP_256;
        if (ciphers & WPA_CIPHER_GCMP_256)
                return WPA_CIPHER_GCMP_256;
+       if (ciphers & WPA_CIPHER_CCMP_256)
+               return WPA_CIPHER_CCMP_256;
        if (ciphers & WPA_CIPHER_CCMP)
                return WPA_CIPHER_CCMP;
        if (ciphers & WPA_CIPHER_GCMP)