From 1dc6256a8bb05d9b5034365290aa931d6eb21bac Mon Sep 17 00:00:00 2001
From: Sarvesh Bodakhe
Date: Tue, 26 Aug 2025 08:35:27 +0530
Subject: [PATCH] fix(wifi): add GCMP-128 support for SoftAP and some other bugfixes
- GCMP-256 SoftAP support was previously added as part of SAE Extended Key handling.
- Fixes the authmode sent in WIFI_EVENT_STA_CONNECTED, which was previously taken directly from the AKM field. This caused incorrect values in some cases.
- Updates the security log to show the correct wifi_auth_mode_t.
- Fixes wrong authmode strength used in the connection path.
---
 components/esp_wifi/include/esp_wifi_types_generic.h | 4 ++--
 components/esp_wifi/lib | 2 +-
 components/wpa_supplicant/esp_supplicant/src/esp_hostap.c | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/components/esp_wifi/include/esp_wifi_types_generic.h b/components/esp_wifi/include/esp_wifi_types_generic.h
index f8fc1f6b5c..cc8d04a015 100644
--- a/components/esp_wifi/include/esp_wifi_types_generic.h
+++ b/components/esp_wifi/include/esp_wifi_types_generic.h
@@ -513,13 +513,13 @@ typedef struct {
 uint8_t password[64]; /**< Password of soft-AP. */
 uint8_t ssid_len; /**< Optional length of SSID field. */
 uint8_t channel; /**< Channel of soft-AP */
- wifi_auth_mode_t authmode; /**< Auth mode of soft-AP. Do not support AUTH_WEP, AUTH_WAPI_PSK and AUTH_OWE in soft-AP mode. When the auth mode is set to WPA2_PSK, WPA2_WPA3_PSK or WPA3_PSK, the pairwise cipher will be overwritten with WIFI_CIPHER_TYPE_CCMP. */
+ wifi_auth_mode_t authmode; /**< Auth mode of soft-AP. Do not support AUTH_WEP, AUTH_WAPI_PSK and AUTH_OWE in soft-AP mode. When the auth mode is set to WPA2_PSK, WPA2_WPA3_PSK or WPA3_PSK, the pairwise cipher will be overwritten with WIFI_CIPHER_TYPE_CCMP by default, unless explicitly set. */
 uint8_t ssid_hidden; /**< Broadcast SSID or not, default 0, broadcast the SSID */
 uint8_t max_connection; /**< Max number of stations allowed to connect in */
 uint16_t beacon_interval; /**< Beacon interval which should be multiples of 100. Unit: TU(time unit, 1 TU = 1024 us). Range: 100 ~ 60000. Default value: 100 */
 uint8_t csa_count; /**< Channel Switch Announcement Count. Notify the station that the channel will switch after the csa_count beacon intervals. Default value: 3 */
 uint8_t dtim_period; /**< Dtim period of soft-AP. Range: 1 ~ 10. Default value: 1 */
- wifi_cipher_type_t pairwise_cipher; /**< Pairwise cipher of SoftAP, group cipher will be derived using this. Cipher values are valid starting from WIFI_CIPHER_TYPE_TKIP, enum values before that will be considered as invalid and default cipher suites(TKIP+CCMP) will be used. Valid cipher suites in softAP mode are WIFI_CIPHER_TYPE_TKIP, WIFI_CIPHER_TYPE_CCMP and WIFI_CIPHER_TYPE_TKIP_CCMP. */
+ wifi_cipher_type_t pairwise_cipher; /**< Pairwise cipher of SoftAP, group cipher will be derived using this. Cipher values are valid starting from WIFI_CIPHER_TYPE_TKIP, enum values before that will be considered as invalid and default cipher suites(TKIP+CCMP) will be used. 
Valid cipher suites in softAP mode are WIFI_CIPHER_TYPE_TKIP, WIFI_CIPHER_TYPE_CCMP, WIFI_CIPHER_TYPE_TKIP_CCMP, WIFI_CIPHER_TYPE_GCMP and WIFI_CIPHER_TYPE_GCMP256. */
 bool ftm_responder; /**< Enable FTM Responder mode */
 wifi_pmf_config_t pmf_cfg; /**< Configuration for Protected Management Frame */
 wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method */
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index 154481d9d4..047a871bad 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit 154481d9d4527b6a8d1e2f89abe7cec6a60d55aa
+Subproject commit 047a871bada53b210101b7d931080eeee3d24895
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
index c193c33483..b9e5cbbe58 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
@@ -120,6 +120,10 @@ void *hostap_init(void)
 auth_conf->wpa_group = WPA_CIPHER_GCMP_256;
 auth_conf->wpa_pairwise = WPA_CIPHER_GCMP_256;
 auth_conf->rsn_pairwise = WPA_CIPHER_GCMP_256;
+ } else if (pairwise_cipher == WIFI_CIPHER_TYPE_GCMP) {
+ auth_conf->wpa_group = WPA_CIPHER_GCMP;
+ auth_conf->wpa_pairwise = WPA_CIPHER_GCMP;
+ auth_conf->rsn_pairwise = WPA_CIPHER_GCMP;
 } else {
 auth_conf->wpa_group = WPA_CIPHER_TKIP;
 auth_conf->wpa_pairwise = WPA_CIPHER_CCMP | WPA_CIPHER_TKIP;
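Review bot: The new `authmode` comment says the pairwise cipher is overwritten with CCMP "by default, unless explicitly set", but it does not name the field or the values that count as explicitly set. The `pairwise_cipher` comment still gives TKIP+CCMP as the fallback for invalid values, so a reader cannot tell whether WPA3_PSK combined with `WIFI_CIPHER_TYPE_TKIP` or `WIFI_CIPHER_TYPE_TKIP_CCMP` is rejected, overridden or honoured, which matters because TKIP is a deprecated cipher. That behaviour lives in the `components/esp_wifi/lib` submodule and is not visible in this patch, so the wording should be confirmed against the library. I would change the tail of the `authmode` comment to something like `the pairwise cipher defaults to WIFI_CIPHER_TYPE_CCMP unless pairwise_cipher is set to a cipher valid for that auth mode`, and list the accepted ciphers per auth mode in the `pairwise_cipher` comment. The struct definition starts and ends outside the hunk.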
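Review bot: The new `WIFI_CIPHER_TYPE_GCMP` branch assigns `WPA_CIPHER_GCMP` to `wpa_group` and `wpa_pairwise` as well as `rsn_pairwise`, and no check in the hunk shows that the configured auth mode is RSN-only. GCMP is an RSN cipher suite and the original WPA defines only TKIP and CCMP, so if `hostap_init` can reach this branch with a WPA or mixed WPA/WPA2 auth mode, the resulting configuration is not one a WPA (v1) station can negotiate. The existing GCMP-256 branch has the same shape. `hostap_init` starts and ends outside the hunk, so the validation may already happen earlier; if it does, a comment such as `/* GCMP is an RSN-only suite; authmode is validated as WPA2/WPA3 at <location> */` would record it. The trailing `else` also falls back silently to a TKIP group cipher for any unrecognised `pairwise_cipher`, and a warning log there would make an unintended downgrade visible.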