diff mbox series

ap: disallow TKIP and 'use group cipher'

Message ID 20221024204710.163107-1-prestwoj@gmail.com (mailing list archive)
State New
Headers show
Series ap: disallow TKIP and 'use group cipher' | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
prestwoj/iwd-alpine-ci-fetch success Fetch PR
prestwoj/iwd-ci-gitlint success GitLint
prestwoj/iwd-ci-fetch success Fetch PR
prestwoj/iwd-ci-makedistcheck success Make Distcheck
prestwoj/iwd-ci-incremental_build success Incremental build not run PASS
prestwoj/iwd-alpine-ci-makedistcheck success Make Distcheck
prestwoj/iwd-alpine-ci-incremental_build success Incremental build not run PASS
prestwoj/iwd-ci-build success Build - Configure
prestwoj/iwd-alpine-ci-build success Build - Configure
prestwoj/iwd-ci-clang success clang PASS
prestwoj/iwd-ci-makecheckvalgrind success Make Check w/Valgrind
prestwoj/iwd-ci-makecheck success Make Check
prestwoj/iwd-alpine-ci-makecheckvalgrind success Make Check w/Valgrind
prestwoj/iwd-alpine-ci-makecheck success Make Check
prestwoj/iwd-ci-testrunner success test-runner PASS

Commit Message

James Prestwood Oct. 24, 2022, 8:47 p.m. UTC 
The EAPoL SM does not support either of these ciphers when acting
as an authenticator since ARC4 encryption is not implemented.
(see eapol_encrypt_key_data() for key descriptor version 1)

This can cause 4-way failures if e.g. the hardware only supports
TKIP. Rather than fail the 4-way its better to not even start the
AP and return NotSupported.
---
 src/ap.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Denis Kenzior Oct. 24, 2022, 10:26 p.m. UTC | #1 
Hi James,

On 10/24/22 15:47, James Prestwood wrote:
> The EAPoL SM does not support either of these ciphers when acting
> as an authenticator since ARC4 encryption is not implemented.
> (see eapol_encrypt_key_data() for key descriptor version 1)
> 
> This can cause 4-way failures if e.g. the hardware only supports
> TKIP. Rather than fail the 4-way its better to not even start the
> AP and return NotSupported.
> ---
>   src/ap.c | 10 +++++++++-
>   1 file changed, 9 insertions(+), 1 deletion(-)
> 

Well, I have a patch pending that limits the ciphers to TKIP or CCMP since P2P 
only works with those.  No sense in choosing GCMP, CCMP-256, etc yet.  So we can 
implement the missing bits in eapol_encrypt_key_data, or simply check whether 
CCMP is supported and only use that.

Regards,
-Denis
diff mbox series

Patch

diff --git a/src/ap.c b/src/ap.c
index 429de560..94eff2a2 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3303,7 +3303,15 @@  struct ap_state *ap_start(struct netdev *netdev, struct l_settings *config,
 	err = -EINVAL;
 
 	/* TODO: Add all ciphers supported by wiphy */
-	ap->ciphers = wiphy_select_cipher(wiphy, 0xffff);
+	ap->ciphers = wiphy_select_cipher(wiphy,
+				~(IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER |
+				IE_RSN_CIPHER_SUITE_TKIP));
+	if (!ap->ciphers) {
+		l_error("Hardware does not support required pairwise ciphers!");
+		err = -ENOTSUP;
+		goto error;
+	}
+
 	ap->group_cipher = wiphy_select_cipher(wiphy, 0xffff);
 	ap->beacon_interval = 100;
 	ap->networks = l_queue_new();