From: Matthew Wang
To: j@w1.fi
Cc: hostap@lists.infradead.org, matthewmwang@chromium.org
Subject: [PATCH RESEND] Check driver support before selecting ciphers
Date: Mon, 11 Mar 2024 14:38:46 +0000
Message-ID: <20240311143846.3574071-1-matthewmwang@chromium.org>
X-Patchwork-Submitter: Matthew Wang
X-Patchwork-Id: 1910489

We currently don't check driver support before selecting pairwise and
group ciphers. Check that the driver supports a cipher before selecting
it, otherwise fall back.

Signed-off-by: Matthew Wang
---
 wpa_supplicant/wpa_supplicant.c   | 41 ++++++++++++++++++++++++++-----
 wpa_supplicant/wpa_supplicant_i.h |  1 +
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 172a863cb..bec2c9037 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_s->group_cipher = WPA_CIPHER_NONE; wpa_s->pairwise_cipher = WPA_CIPHER_NONE; #else /* CONFIG_NO_WPA */ - sel = ie.group_cipher & ssid->group_cipher; + sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x", - ie.group_cipher, ssid->group_cipher, sel); + "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x", + ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel); wpa_s->group_cipher = wpa_pick_group_cipher(sel); if (wpa_s->group_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group " @@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", wpa_cipher_txt(wpa_s->group_cipher)); - sel = ie.pairwise_cipher & ssid->pairwise_cipher; + sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x", - ie.pairwise_cipher, ssid->pairwise_cipher, sel); + "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x", + ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers, + sel); wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1); if (wpa_s->pairwise_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise " 
@@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da, #endif /* CONFIG_GAS_SERVER */ +static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc) +{ + unsigned int ciphers = 0; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40) + ciphers |= WPA_CIPHER_WEP40; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104) + ciphers |= WPA_CIPHER_WEP104; + if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP) + ciphers |= WPA_CIPHER_TKIP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP) + ciphers |= WPA_CIPHER_CCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP) + ciphers |= WPA_CIPHER_GCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256) + ciphers |= WPA_CIPHER_GCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256) + ciphers |= WPA_CIPHER_CCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128) + ciphers |= WPA_CIPHER_BIP_GMAC_128; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256) + ciphers |= WPA_CIPHER_BIP_GMAC_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256) + ciphers |= WPA_CIPHER_BIP_CMAC_256; + return ciphers; +} + + static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, const struct wpa_interface *iface) { @@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags = capa.flags; wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; + wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 933fc3626..55929e667 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -920,6 +920,7 @@ struct wpa_supplicant { u64 drv_flags; u64 drv_flags2; unsigned int drv_enc; + unsigned int drv_ciphers; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs;
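Review bot: In wpa_supplicant_set_suites(), both new `sel = ... & wpa_s->drv_ciphers;` assignments apply the driver mask unconditionally, with no guard for an empty mask. wpas_drv_enc_to_ciphers(0) returns 0, so a driver whose capa.enc is 0 leaves sel at 0 and both the group and the pairwise selection end in the "Failed to select" warning, where previously the selection did not depend on the driver at all. Consider applying the mask only when wpa_s->drv_ciphers is non-zero, or treating an empty capability set as "unknown, allow everything". It would also help to say in the warning when the driver mask is what emptied sel, because the existing message reads as an AP/profile mismatch and the driver value is only visible at MSG_DEBUG.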
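Review bot: wpas_drv_enc_to_ciphers() has cases for BIP-GMAC-128, BIP-GMAC-256 and BIP-CMAC-256 but none for WPA_DRIVER_CAPA_ENC_BIP (WPA_CIPHER_AES_128_CMAC) or WPA_DRIVER_CAPA_ENC_GTK_NOT_USED (WPA_CIPHER_GTK_NOT_USED). Because drv_ciphers is now ANDed into the group selection, a cipher that has no entry in this table can never survive the mask, whatever the driver reports. Please add the missing cases or add a comment explaining why they are left out. Minor style point in the same function: a blank line after `unsigned int ciphers = 0;` would separate the declaration from the first `if`.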
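Review bot: The new `unsigned int drv_ciphers;` member in struct wpa_supplicant (wpa_supplicant_i.h) has no comment, and it sits directly below drv_enc, which uses a different bit namespace (WPA_DRIVER_CAPA_ENC_* versus WPA_CIPHER_*). A one-line comment stating that it is a WPA_CIPHER_* bitmask derived from drv_enc would keep later code from mixing the two. The only assignment visible in this patch is the one in wpa_supplicant_init_iface() next to `wpa_s->drv_enc = capa.enc;`, so if drv_enc is ever updated anywhere else, drv_ciphers needs to be recomputed there as well.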