From 27781c0ab5d02be9ea22b9636b3ecf59e3b89ddc Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 17 Nov 2017 12:31:41 +0200
Subject: [PATCH] Allow group cipher selection to be overridden

The new hostapd configuration parameter group_cipher can now be used to override the automatic cipher selection based on enabled pairwise ciphers. It should be noted that selecting an unexpected group cipher can result in interoperability issues and this new capability is mainly for testing purposes.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 14 ++++++++++++++
 hostapd/hostapd.conf | 19 ++++++++++++++++---
 src/ap/ap_config.c | 8 ++++++--
 src/ap/ap_config.h | 1 +
 4 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2230c8fe2..4e9ace1d8 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2643,6 +2643,20 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 line, pos);
 return 1;
 }
+ } else if (os_strcmp(buf, "group_cipher") == 0) {
+ bss->group_cipher = hostapd_config_parse_cipher(line, pos);
+ if (bss->group_cipher == -1 || bss->group_cipher == 0)
+ return 1;
+ if (bss->group_cipher != WPA_CIPHER_TKIP &&
+ bss->group_cipher != WPA_CIPHER_CCMP &&
+ bss->group_cipher != WPA_CIPHER_GCMP &&
+ bss->group_cipher != WPA_CIPHER_GCMP_256 &&
+ bss->group_cipher != WPA_CIPHER_CCMP_256) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: unsupported group cipher suite '%s'",
+ line, pos);
+ return 1;
+ }
 #ifdef CONFIG_RSN_PREAUTH
 } else if (os_strcmp(buf, "rsn_preauth") == 0) {
 bss->rsn_preauth = atoi(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 2cd8ae5fa..140c8d6ff 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
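Review bot: The parsed value is written into `bss->group_cipher` before it is validated, so on both error paths the struct is left holding -1, 0 or a rejected multi-cipher value; the `return 1` aborts the configuration load so nothing should read it, but parsing into a local with `int cipher = hostapd_config_parse_cipher(line, pos);` and assigning `bss->group_cipher = cipher;` only after the whitelist check keeps the struct consistent with what was actually accepted. The `== -1 || == 0` branch returns without a message of its own, which is only acceptable if hostapd_config_parse_cipher() already logs the reason — worth confirming, since a silent configuration failure is hard to diagnose. Because the whitelist compares against single cipher values, a space-separated list such as `group_cipher=TKIP CCMP` (presumably parsed to a bitmask the same way wpa_pairwise is) is rejected with "unsupported group cipher suite", and the message could say that exactly one cipher is expected, e.g. `"Line %d: group_cipher must name exactly one supported cipher, got '%s'"`. On the positive side the check only admits the five listed values, so no weaker or null cipher can be forced as the group cipher. hostapd_config_fill() starts and ends outside the hunk.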
@@ -1269,18 +1269,31 @@ own_ip_addr=127.0.0.1
 
 # Set of accepted cipher suites (encryption algorithms) for pairwise keys
 # (unicast packets). This is a space separated list of algorithms:
-# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
-# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
+# CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
+# TKIP = Temporal Key Integrity Protocol
+# CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
+# GCMP = Galois/counter mode protocol (GCMP-128)
+# GCMP-256 = Galois/counter mode protocol with 256-bit key
 # Group cipher suite (encryption algorithm for broadcast and multicast frames)
 # is automatically selected based on this configuration. If only CCMP is
 # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
-# TKIP will be used as the group cipher.
+# TKIP will be used as the group cipher. The optional group_cipher parameter can
+# be used to override this automatic selection.
+#
 # (dot11RSNAConfigPairwiseCiphersTable)
 # Pairwise cipher for WPA (v1) (default: TKIP)
 #wpa_pairwise=TKIP CCMP
 # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
 #rsn_pairwise=CCMP
 
+# Optional override for automatic group cipher selection
+# This can be used to select a specific group cipher regardless of which
+# pairwise ciphers were enabled for WPA and RSN. It should be noted that
+# overriding the group cipher with an unexpected value can result in
+# interoperability issues and in general, this parameter is mainly used for
+# testing purposes.
+#group_cipher=CCMP
+
 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
 # seconds. (dot11RSNAConfigGroupRekeyTime)
 # This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 07310f93c..68658ae36 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -1046,8 +1046,12 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss,
 if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
 bss->rsn_pairwise = bss->wpa_pairwise;
- bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise,
- bss->rsn_pairwise);
+ if (bss->group_cipher)
+ bss->wpa_group = bss->group_cipher;
+ else
+ bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
+ bss->wpa_pairwise,
+ bss->rsn_pairwise);
 if (!bss->wpa_group_rekey_set)
 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ? 600 : 86400;
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 6548892fb..caf2e3295 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -325,6 +325,7 @@ struct hostapd_bss_config {
 PSK_RADIUS_REQUIRED = 2
 } wpa_psk_radius;
 int wpa_pairwise;
+ int group_cipher; /* wpa_group value override from configuation */
 int wpa_group;
 int wpa_group_rekey;
 int wpa_group_rekey_set;
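Review bot: The override taken on the new `if (bss->group_cipher)` branch is applied silently, so an operator (or a test configuration left in place) gets no indication that the broadcast/multicast cipher no longer follows the pairwise set, even though the commit message describes this as a testing facility that can break interoperability; one log line when the branch is taken, e.g. `wpa_printf(MSG_INFO, "Using configured group_cipher override instead of automatic selection");`, makes the non-default state visible in logs. Nothing in this hunk checks that the forced group cipher is compatible with the enabled WPA versions or pairwise ciphers; presumably later validation or the driver rejects impossible combinations, but that is not visible here. The `wpa_group_rekey` default on the following lines is derived from `bss->wpa_group` after the override, so a forced TKIP group cipher correctly gets the shorter 600 s interval. hostapd_set_security_params() starts before the hunk.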
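Review bot: The comment on the new `group_cipher` field has a typo ("configuation") and does not say what the zero value means, even though the ap_config.c change in this same commit treats 0 as "not set, select automatically"; `int group_cipher; /* wpa_group override from configuration; 0 = automatic selection */` would document the contract at the field. struct hostapd_bss_config starts and ends outside the hunk.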