Shouldn't we separate group cipher for WPA and RSN?

Andriy Tkachuk andriy.v.tkachuk
Fri Oct 16 02:03:41 PDT 2009

Hi folks.

In hostapd.conf about group cipher configuration there is following written:

# Group cipher suite (encryption algorithm for broadcast and multicast 
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.

It is clear, but. Let's review following configuration:


What group cipher should be selected for RSN? According to description 
it might be CCMP, no? But today it is set to TKIP (because it is set for 

Here is the code from config.c which explains how it is set:

                /* Select group cipher based on the enabled pairwise cipher
                 * suites */
                pairwise = 0;
                if (bss->wpa & 1)
                        pairwise |= bss->wpa_pairwise;
                if (bss->wpa & 2) {
                        if (bss->rsn_pairwise == 0)
                                bss->rsn_pairwise = bss->wpa_pairwise;
                        pairwise |= bss->rsn_pairwise;
                if (pairwise & WPA_CIPHER_TKIP)
                        bss->wpa_group = WPA_CIPHER_TKIP;
                        bss->wpa_group = WPA_CIPHER_CCMP;

Shouldn't we introduce bss->rsn_group ?

Thank you,

More information about the Hostap mailing list