From: Jouni Malinen
Date: Fri, 28 Mar 2025 08:33:18 +0000 (+0200)
Subject: Prefer GCMP-256 over CCMP-256 as the pairwise/group cipher
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4798ecfb65da7c67b570c08881e4125a0133c01;p=thirdparty%2Fhostap.git

Prefer GCMP-256 over CCMP-256 as the pairwise/group cipher

While there is not any significant reason from the protocol or security
view points, there is significant difference in how much testing and
deployment there has been for these cipher suites. GCMP-256 is the
expected cipher suite to be used for new Wi-Fi 7 deployments and there
is more or less no deployment of CCMP-256 or plans for trying to change
that.

While selecting either option in cases where both ciphers have been
enabled, likelihood of interoperability issues due to limited testing is
higher with CCMP-256. As such, prefer GCMP-256 over it whenever there is
option to select either of those two ciphers.

Signed-off-by: Jouni Malinen
---
diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 613ea7fde..e5e99b95d 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -3158,10 +3158,10 @@ int wpa_cipher_put_suites(u8 *start, int ciphers) int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) { - if (ciphers & WPA_CIPHER_CCMP_256) - return WPA_CIPHER_CCMP_256; if (ciphers & WPA_CIPHER_GCMP_256) return WPA_CIPHER_GCMP_256; + if (ciphers & WPA_CIPHER_CCMP_256) + return WPA_CIPHER_CCMP_256; if (ciphers & WPA_CIPHER_CCMP) return WPA_CIPHER_CCMP; if (ciphers & WPA_CIPHER_GCMP) @@ -3176,10 +3176,10 @@ int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) int wpa_pick_group_cipher(int ciphers) { - if (ciphers & WPA_CIPHER_CCMP_256) - return WPA_CIPHER_CCMP_256; if (ciphers & WPA_CIPHER_GCMP_256) return WPA_CIPHER_GCMP_256; + if (ciphers & WPA_CIPHER_CCMP_256) + return WPA_CIPHER_CCMP_256; if (ciphers & WPA_CIPHER_CCMP) return WPA_CIPHER_CCMP; if (ciphers & WPA_CIPHER_GCMP)
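Review bot: In the first hunk, the new order at the top of wpa_pick_pairwise_cipher() has no comment explaining it, and it now looks inconsistent with the unchanged lines right below, where the 128-bit pair is still checked CCMP first ("if (ciphers & WPA_CIPHER_CCMP)" before "if (ciphers & WPA_CIPHER_GCMP)"). The reason given in the commit message (interoperability and testing coverage, not cipher strength) is what a later reader needs in order not to "fix" the ordering back or to align the 128-bit pair with it by mistake. A short comment above the "if (ciphers & WPA_CIPHER_GCMP_256)" check stating that GCMP-256 is preferred for deployment reasons, and that the CCMP-before-GCMP order for the 128-bit suites is intentional, would capture that in the code.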
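Review bot: In the second hunk, wpa_pick_group_cipher() repeats the same two-line swap as wpa_pick_pairwise_cipher(), so the preference order is maintained by hand in two places and can drift if only one of them is touched later. Consider a cross-reference comment in each function, or a shared helper for the common part of the ordering. The patch as shown touches only src/common/wpa_common.c, so nothing visible here checks that a mask with both WPA_CIPHER_GCMP_256 and WPA_CIPHER_CCMP_256 set now yields GCMP-256 from both functions; a test case for that would pin the new behaviour. Since a configuration that enables both 256-bit ciphers will now select a different cipher than before, a note in the user-facing change log would help operators who compare negotiated ciphers across versions.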