[PATCH] DPP: Conditionally add cipher support based on driver capabilities

zihan.yan10 at gmail.com
Tue Apr 15 01:49:25 PDT 2025


From: Yan Zihan <zihan.yan10 at gmail.com>

By default, wpa_supplicant sets the pairwise and group ciphers to CCMP (or CCMP+TKIP) when provisioning a network via DPP. As a result, DPP-provisioned clients are unable to connect to networks that require GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not affect manually-configured network profiles, where supported cipher suites can be explicitly specified.

This patch addresses the issue by conditionally setting the appropriate cipher suites in the DPP-generated network profile, based on driver capabilities.

Tested on various chipsets with different cipher capabilities:

| Test ID | Wi-Fi Chipset     | Cipher Support     | AP Cipher | Result    |
|---------|-------------------|--------------------|-----------|-----------|
| TC-01   | Intel AX211       | GCMP-256, CCMP-128 | GCMP-256  | Success   |
| TC-02   | Legacy chipset    |           CCMP-128 | GCMP-256  | Failure   |
| TC-03   | Intel AX211       | GCMP-256, CCMP-128 | CCMP-128  | Success   |
| TC-04   | Legacy chipset    |           CCMP-128 | CCMP-128  | Success   |

Signed-off-by: Yan Zihan <zihan.yan10 at gmail.com>
---
 wpa_supplicant/dpp_supplicant.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index bdb3e2b9a..1fca882b6 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -1423,6 +1423,21 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
 		return NULL;
 	wpas_notify_network_added(wpa_s, ssid);
 	wpa_config_set_network_defaults(ssid);
+	if (wpa_s->drv_capa_known &&
+		(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP)) {
+		ssid->pairwise_cipher |= WPA_CIPHER_GCMP;
+		ssid->group_cipher |= WPA_CIPHER_GCMP;
+	}
+	if (wpa_s->drv_capa_known &&
+		(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)) {
+		ssid->pairwise_cipher |= WPA_CIPHER_GCMP_256;
+		ssid->group_cipher |= WPA_CIPHER_GCMP_256;
+	}
+	if (wpa_s->drv_capa_known &&
+	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256)) {
+		ssid->pairwise_cipher |= WPA_CIPHER_CCMP_256;
+		ssid->group_cipher |= WPA_CIPHER_CCMP_256;
+	}
 	ssid->disabled = 1;
 
 	ssid->ssid = os_malloc(conf->ssid_len);
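
Review bot: The third added block (`WPA_DRIVER_CAPA_ENC_CCMP_256`) enables CCMP-256 for both pairwise and group ciphers, but the commit message only motivates GCMP and GCMP-256, and the test table exercises only GCMP-256 and CCMP-128 APs. Please either mention CCMP-256 in the commit message and add test cases for CCMP-256 and GCMP-128 APs, or limit the change to the ciphers that were tested. The `wpa_s->drv_capa_known` check is repeated in all three conditions and could be hoisted into a single enclosing `if (wpa_s->drv_capa_known) { ... }`. The continuation lines of the first two conditions are indented with two tabs while the third uses a tab plus four spaces; pick one form so the three blocks match.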
-- 
2.49.0



