Missing GCMP-256 support in DPP client
Yan, Zihan
zihan.yan at hpe.com
Mon Mar 31 03:26:11 PDT 2025
Hi,
We encountered a problem with connecting a client (running wpa_supplicant) to an AP via DPP.
We want wpa_supplicant to automatically connect to the ssid via the network profile obtained from the DPP provision. When the AP SSID’s pairwise_cipher is CCMP-128, there is no problem with the connection. However, when the AP SSID’s pairwise_cipher is GCMP-256, the following problem occurs:
Output from the client’s wpa_supplicant.log:
1742375082.487211: wlo2: 2: 94:64:24:e4:a4:60 ssid='00_han_dpp' wpa_ie_len=0 rsn_ie_len=30 caps=0x411 level=-18 freq=5240
1742375082.487272: wlo2: skip RSN IE - PTK cipher mismatch
1742375082.487340: wlo2: skip - MFP Required but network not MFP Capable
The reason we found is that during DPP Provision, the function wpas_dpp_add_network() assigns ssid->pairwise_cipher and ssid->group_cipher via wpa_config_set_network_defaults() with the default values DEFAULT_PAIRWISE and DEFAULT_GROUP. Therefore, during subsequent network access scanning of the ssid, the pairwise_cipher provided by the AP (GCMP-256) does not match the pairwise_cipher of the client (CCMP-128), resulting in a connection failure.
After I added GCMP-256 to the default value of pairwise_cipher, the connection was successful. Here is the diff:
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -1410,6 +1410,8 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
return NULL;
wpas_notify_network_added(wpa_s, ssid);
wpa_config_set_network_defaults(ssid);
+ ssid->pairwise_cipher |= WPA_CIPHER_GCMP_256;
+ ssid->group_cipher |= WPA_CIPHER_GCMP_256;
ssid->disabled = 1;
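Review bot: WPA_CIPHER_GCMP_256 is OR-ed into pairwise_cipher and group_cipher unconditionally in the two added lines after wpa_config_set_network_defaults(ssid), so every DPP-provisioned profile is widened by exactly one hard-coded cipher. An AP advertising any other non-default pairwise cipher would still be skipped, and nothing in the visible lines checks that the local driver supports GCMP-256 before the profile allows it. Consider deriving the allowed set from driver capabilities, or widening DEFAULT_PAIRWISE and DEFAULT_GROUP themselves as question 1 asks, and add a short comment saying why DPP profiles differ from the defaults. The hunk also lacks its "--- a/" header line, so it will not apply as posted.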
Here are my questions:
1. Why is the default value of ssid->pairwise_cipher for the DPP network profile set to CCMP or CCMP+TKIP? Could GCMP_256 be added to the default value of DEFAULT_PAIRWISE and DEFAULT_GROUP?
2. Can we add the default value GCMP_256 to ssid->pairwise_cipher of the DPP network profile as in the diff above?
wpa_supplicant.conf is configured as follows:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
#update_config=1
p2p_disabled=1
bss_expiration_age=250
pmf=1
sae_pwe=2
dpp_config_processing=2
Thanks in advance for your help and looking forward to your reply!
Kind Regards,
Zihan
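The "PTK cipher mismatch" described in the message above, as an added example that is not part of the original post and is not wpa_supplicant's own code: a small C check that parses the pairwise cipher list out of an RSN element and intersects it with the ciphers a profile allows. The flag names, function names and the sample element are constructed for illustration, and the default mask models the CCMP or CCMP+TKIP default mentioned in the post.

```c
#include <stdio.h>

/* Local flags for this example only, not wpa_supplicant's WPA_CIPHER_* values. */
enum { C_TKIP = 1, C_CCMP = 2, C_GCMP = 4, C_GCMP_256 = 8, C_CCMP_256 = 16 };

/* Constructed sample RSN element: group and pairwise GCMP-256, DPP AKM, MFPC|MFPR. */
static const unsigned char sample_rsn[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x09, /* ID, len, version, group */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x09,             /* one pairwise suite */
    0x01, 0x00, 0x50, 0x6f, 0x9a, 0x02, 0xc0, 0x00, /* one AKM, RSN capabilities */
};

/* Map an RSN cipher suite selector (OUI 00-0F-AC plus type) to a local flag. */
static int suite_to_flag(const unsigned char *s)
{
    static const int by_type[11] = { [2] = C_TKIP, [4] = C_CCMP, [8] = C_GCMP,
                                     [9] = C_GCMP_256, [10] = C_CCMP_256 };
    return s[0] == 0x00 && s[1] == 0x0f && s[2] == 0xac && s[3] <= 10 ? by_type[s[3]] : 0;
}

/* Pairwise ciphers advertised in an RSN element, or -1 if it is malformed. */
static int rsn_pairwise_mask(const unsigned char *ie, size_t len)
{
    size_t count, i;
    int mask = 0;
    /* ID(1) Len(1) Version(2) Group(4) Pairwise count(2) = 10 bytes minimum */
    if (len < 10 || ie[0] != 0x30 || ie[1] < 8 || (size_t) ie[1] + 2 > len)
        return -1;
    count = ie[8] | (ie[9] << 8);
    if (ie[2] != 1 || ie[3] != 0 || count > ((size_t) ie[1] - 8) / 4)
        return -1;
    for (i = 0; i < count; i++)
        mask |= suite_to_flag(ie + 10 + 4 * i);
    return mask;
}

/* The BSS is usable only if the profile allows an advertised pairwise cipher. */
static int pairwise_ok(int profile, const unsigned char *ie, size_t len)
{
    int ap = rsn_pairwise_mask(ie, len);
    return ap > 0 && (ap & profile) != 0;
}

int main(void)
{
    int dflt = C_CCMP | C_TKIP; /* models the default described in the post */
    printf("default profile: %d\n", pairwise_ok(dflt, sample_rsn, sizeof(sample_rsn)));
    printf("with GCMP-256: %d\n", pairwise_ok(dflt | C_GCMP_256, sample_rsn, sizeof(sample_rsn)));
    return 0;
}
```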