From: Yan Zihan
Date: Tue, 15 Apr 2025 08:49:25 +0000 (+0800)
Subject: DPP: Conditionally add cipher support based on driver capabilities
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0e4dcad9ae7cfd24335bb81cfe62776862425b4;p=thirdparty%2Fhostap.git

DPP: Conditionally add cipher support based on driver capabilities

By default, wpa_supplicant sets the pairwise and group ciphers to CCMP (or CCMP+TKIP) when provisioning a network via DPP. As a result, DPP-provisioned clients are unable to connect to networks that require GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not affect manually-configured network profiles, where supported cipher suites can be explicitly specified.

Address the issue by conditionally enabling the appropriate cipher suites in the DPP-generated network profile, based on driver capabilities.

Tested on various chipsets with different cipher capabilities:

| Test ID | Wi-Fi Chipset     | Cipher Support     | AP Cipher | Result    |
|---------|-------------------|--------------------|-----------|-----------|
| TC-01   | Intel AX211       | GCMP-256, CCMP-128 | GCMP-256  | Success   |
| TC-02   | Legacy chipset    | CCMP-128           | GCMP-256  | Failure   |
| TC-03   | Intel AX211       | GCMP-256, CCMP-128 | CCMP-128  | Success   |
| TC-04   | Legacy chipset    | CCMP-128           | CCMP-128  | Success   |

Signed-off-by: Yan Zihan

--- diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c index bdb3e2b9a..74b0ef1f8 100644 --- a/wpa_supplicant/dpp_supplicant.c +++ b/wpa_supplicant/dpp_supplicant.c 
@@ -1423,6 +1423,21 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s, return NULL; wpas_notify_network_added(wpa_s, ssid); wpa_config_set_network_defaults(ssid); + if (wpa_s->drv_capa_known && + (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)) { + ssid->pairwise_cipher |= WPA_CIPHER_GCMP; + ssid->group_cipher |= WPA_CIPHER_GCMP; + } + if (wpa_s->drv_capa_known && + (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)) { + ssid->pairwise_cipher |= WPA_CIPHER_GCMP_256; + ssid->group_cipher |= WPA_CIPHER_GCMP_256; + } + if (wpa_s->drv_capa_known && + (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256)) { + ssid->pairwise_cipher |= WPA_CIPHER_CCMP_256; + ssid->group_cipher |= WPA_CIPHER_CCMP_256; + } ssid->disabled = 1; ssid->ssid = os_malloc(conf->ssid_len);
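
Review bot: The third added block, which ORs in WPA_CIPHER_CCMP_256 when WPA_DRIVER_CAPA_ENC_CCMP_256 is set, is not covered by the commit message or its test table, which name only GCMP and GCMP-256 and exercise only GCMP-256 and CCMP-128; either mention CCMP-256 in the message with a matching test case or split it into its own change. All three blocks repeat `wpa_s->drv_capa_known &&`, so a single outer `if (wpa_s->drv_capa_known) { ... }` around the three capability tests would read more clearly. Because the ciphers are added with `|=` after wpa_config_set_network_defaults(), the defaults the message describes (CCMP, or CCMP+TKIP) stay enabled, so this widens the set the profile accepts rather than preferring the stronger suites; a short comment saying so would help the next reader.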