From c8fa5e5899575fe5c0a0a6c3013fdc4527d2cdb4 Mon Sep 17 00:00:00 2001
From: Gang Li <gang.li_1@nxp.com>
Date: Fri, 11 Jul 2025 12:05:36 +0200
Subject: [PATCH] modules: hostap: set the cipher suites for WPA2 & WPA3 SAE
 mode

When the external AP is in WPA3 SAE mode, the group cipher uses
TKIP and the pairwise cipher uses TKIP and CCMP. Should not
connect to the AP.
For WPA2 & WPA3 SAE & WPA2/WPA3 mixed mode, set group cipher to
CCMP, pairwise cipher to CCMP.

Signed-off-by: Gang Li <gang.li_1@nxp.com>
---
 modules/hostap/src/supp_api.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
index d39986b571c..c40933dd6a6 100644
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
@@ -756,6 +756,14 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 					goto out;
 				}
 			}
+
+			if (!wpa_cli_cmd_v("set_network %d group CCMP", resp.network_id)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d pairwise CCMP", resp.network_id)) {
+				goto out;
+			}
 		} else if (params->security == WIFI_SECURITY_TYPE_PSK_SHA256) {
 			if (!wpa_cli_cmd_v("set_network %d psk \"%s\"",
 					   resp.network_id, psk_null_terminated)) {
@@ -766,6 +774,14 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 					   resp.network_id)) {
 				goto out;
 			}
+
+			if (!wpa_cli_cmd_v("set_network %d group CCMP", resp.network_id)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d pairwise CCMP", resp.network_id)) {
+				goto out;
+			}
 		} else if (params->security == WIFI_SECURITY_TYPE_PSK ||
 			   params->security == WIFI_SECURITY_TYPE_WPA_PSK) {
 			if (!wpa_cli_cmd_v("set_network %d psk \"%s\"",
@@ -783,6 +799,15 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 						   resp.network_id)) {
 					goto out;
 				}
+			} else {
+				if (!wpa_cli_cmd_v("set_network %d group CCMP", resp.network_id)) {
+					goto out;
+				}
+
+				if (!wpa_cli_cmd_v("set_network %d pairwise CCMP",
+						   resp.network_id)) {
+					goto out;
+				}
 			}
 		} else if (params->security == WIFI_SECURITY_TYPE_WPA_AUTO_PERSONAL) {
 			if (!wpa_cli_cmd_v("set_network %d psk \"%s\"", resp.network_id,
@@ -810,6 +835,14 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 					   resp.network_id)) {
 				goto out;
 			}
+
+			if (!wpa_cli_cmd_v("set_network %d group CCMP", resp.network_id)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d pairwise CCMP", resp.network_id)) {
+				goto out;
+			}
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 		} else if (is_eap_valid_security(params->security)) {
 			if (process_cipher_config(params, &cipher_config)) {