DPP: Conditionally add cipher support based on driver capabilities
authorYan Zihan <zihan.yan10@gmail.com>
Tue, 15 Apr 2025 08:49:25 +0000 (16:49 +0800)
committerJouni Malinen <j@w1.fi>
Thu, 19 Jun 2025 09:23:58 +0000 (12:23 +0300)
By default, wpa_supplicant sets the pairwise and group ciphers to CCMP
(or CCMP+TKIP) when provisioning a network via DPP. As a result,
DPP-provisioned clients are unable to connect to networks that require
GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not
affect manually-configured network profiles, where supported cipher
suites can be explicitly specified.

Address the issue by conditionally enabling the appropriate cipher
suites in the DPP-generated network profile, based on driver
capabilities.

Tested on various chipsets with different cipher capabilities:

| Test ID | Wi-Fi Chipset     | Cipher Support     | AP Cipher | Result    |
|---------|-------------------|--------------------|-----------|-----------|
| TC-01   | Intel AX211       | GCMP-256, CCMP-128 | GCMP-256  | Success   |
| TC-02   | Legacy chipset    |           CCMP-128 | GCMP-256  | Failure   |
| TC-03   | Intel AX211       | GCMP-256, CCMP-128 | CCMP-128  | Success   |
| TC-04   | Legacy chipset    |           CCMP-128 | CCMP-128  | Success   |

Signed-off-by: Yan Zihan <zihan.yan10@gmail.com>
wpa_supplicant/dpp_supplicant.c

index bdb3e2b9a12879ac80bf769cb577d110deb8f34b..74b0ef1f8fd311b7038232ef0788f00ad13d0024 100644 (file)
@@ -1423,6 +1423,21 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
                return NULL;
        wpas_notify_network_added(wpa_s, ssid);
        wpa_config_set_network_defaults(ssid);
+       if (wpa_s->drv_capa_known &&
+           (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)) {
+               ssid->pairwise_cipher |= WPA_CIPHER_GCMP;
+               ssid->group_cipher |= WPA_CIPHER_GCMP;
+       }
+       if (wpa_s->drv_capa_known &&
+           (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)) {
+               ssid->pairwise_cipher |= WPA_CIPHER_GCMP_256;
+               ssid->group_cipher |= WPA_CIPHER_GCMP_256;
+       }
+       if (wpa_s->drv_capa_known &&
+           (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256)) {
+               ssid->pairwise_cipher |= WPA_CIPHER_CCMP_256;
+               ssid->group_cipher |= WPA_CIPHER_CCMP_256;
+       }
        ssid->disabled = 1;
 
        ssid->ssid = os_malloc(conf->ssid_len);
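Review bot: The three blocks added after `wpa_config_set_network_defaults(ssid)` each repeat the `wpa_s->drv_capa_known` test and the same pair of `|=` assignments, so a later cipher addition has to copy the pattern again and the pairwise and group sets can drift apart. Collecting the extra ciphers into one local mask under a single `drv_capa_known` guard keeps both sets identical by construction. A short comment should also state that the defaults are only widened, so whatever `wpa_config_set_network_defaults()` enables (CCMP, or CCMP+TKIP per the commit message) stays allowed in DPP-provisioned profiles. wpas_dpp_add_network() starts and ends outside this hunk, so whether later code narrows these fields again is not visible here.

```c
	wpa_config_set_network_defaults(ssid);
	/* Widen the default cipher sets with what the driver reports; the
	 * defaults themselves stay enabled. */
	if (wpa_s->drv_capa_known) {
		int extra = 0;

		if (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)
			extra |= WPA_CIPHER_GCMP;
		if (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)
			extra |= WPA_CIPHER_GCMP_256;
		if (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256)
			extra |= WPA_CIPHER_CCMP_256;
		ssid->pairwise_cipher |= extra;
		ssid->group_cipher |= extra;
	}
	/* … unchanged: ssid->disabled = 1 and SSID allocation … */
```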