From 72b6e5d1e2dec31f775bd7a71effb4d63a8fa96f Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 23 Apr 2018 13:40:39 +0300 Subject: [PATCH] Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled CCMP group cipher was removed if CCMP was not allowed as a pairwise cipher when loading a configuration file (but not actually when changing configuration during runtime). This is needed to avoid issues with configurations that use the default group cipher (TKIP CCMP) while modifying pairwise cipher from the default CCMP TKIP) to TKIP. However, there is not really a need to remove the CCMP group cipher if any GCMP or CCMP cipher is enabled as a pairwise cipher. Change the network profile validation routine to not remove CCMP as group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise cipher even if CCMP is not. Signed-off-by: Jouni Malinen --- wpa_supplicant/config_file.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 985c371fa..d186f78eb 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -141,8 +141,9 @@ static int wpa_config_validate_network(struct wpa_ssid *ssid, int line) ssid->p2p_persistent_group = 1; if ((ssid->group_cipher & WPA_CIPHER_CCMP) && - !(ssid->pairwise_cipher & WPA_CIPHER_CCMP) && - !(ssid->pairwise_cipher & WPA_CIPHER_NONE)) { + !(ssid->pairwise_cipher & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 | + WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256 | + WPA_CIPHER_NONE))) { /* Group cipher cannot be stronger than the pairwise cipher. */ wpa_printf(MSG_DEBUG, "Line %d: removed CCMP from group cipher" " list since it was not allowed for pairwise "