diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 2230c8fe2..4e9ace1d8 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2643,6 +2643,20 @@ static int hostapd_config_fill(struct hostapd_config *conf, line, pos); return 1; } + } else if (os_strcmp(buf, "group_cipher") == 0) { + bss->group_cipher = hostapd_config_parse_cipher(line, pos); + if (bss->group_cipher == -1 || bss->group_cipher == 0) + return 1; + if (bss->group_cipher != WPA_CIPHER_TKIP && + bss->group_cipher != WPA_CIPHER_CCMP && + bss->group_cipher != WPA_CIPHER_GCMP && + bss->group_cipher != WPA_CIPHER_GCMP_256 && + bss->group_cipher != WPA_CIPHER_CCMP_256) { + wpa_printf(MSG_ERROR, + "Line %d: unsupported group cipher suite '%s'", + line, pos); + return 1; + } #ifdef CONFIG_RSN_PREAUTH } else if (os_strcmp(buf, "rsn_preauth") == 0) { bss->rsn_preauth = atoi(pos); diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 2cd8ae5fa..140c8d6ff 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1269,18 +1269,31 @@ own_ip_addr=127.0.0.1 # Set of accepted cipher suites (encryption algorithms) for pairwise keys # (unicast packets). This is a space separated list of algorithms: -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# CCMP = AES in Counter mode with CBC-MAC (CCMP-128) +# TKIP = Temporal Key Integrity Protocol +# CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key +# GCMP = Galois/counter mode protocol (GCMP-128) +# GCMP-256 = Galois/counter mode protocol with 256-bit key # Group cipher suite (encryption algorithm for broadcast and multicast frames) # is automatically selected based on this configuration. If only CCMP is # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, -# TKIP will be used as the group cipher. +# TKIP will be used as the group cipher. The optional group_cipher parameter can +# be used to override this automatic selection. +# # (dot11RSNAConfigPairwiseCiphersTable) # Pairwise cipher for WPA (v1) (default: TKIP) #wpa_pairwise=TKIP CCMP # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) #rsn_pairwise=CCMP +# Optional override for automatic group cipher selection +# This can be used to select a specific group cipher regardless of which +# pairwise ciphers were enabled for WPA and RSN. It should be noted that +# overriding the group cipher with an unexpected value can result in +# interoperability issues and in general, this parameter is mainly used for +# testing purposes. +#group_cipher=CCMP + # Time interval for rekeying GTK (broadcast/multicast encryption keys) in # seconds. (dot11RSNAConfigGroupRekeyTime) # This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 07310f93c..68658ae36 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -1046,8 +1046,12 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss, if ((bss->wpa & 2) && bss->rsn_pairwise == 0) bss->rsn_pairwise = bss->wpa_pairwise; - bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise, - bss->rsn_pairwise); + if (bss->group_cipher) + bss->wpa_group = bss->group_cipher; + else + bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, + bss->wpa_pairwise, + bss->rsn_pairwise); if (!bss->wpa_group_rekey_set) bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ? 600 : 86400; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 6548892fb..caf2e3295 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -325,6 +325,7 @@ struct hostapd_bss_config { PSK_RADIUS_REQUIRED = 2 } wpa_psk_radius; int wpa_pairwise; + int group_cipher; /* wpa_group value override from configuation */ int wpa_group; int wpa_group_rekey; int wpa_group_rekey_set;