[][MAC80211][WiFi6/7][Misc][Change group mgmt cipher setting to align group cipher]
[Description]
Change group mgmt cipher setting to align group cipher. Group mgmt cipher
is independent from other cipher, here we set it more intuitively. And
remain a way to directly set group mgmt cipher.
Before align Logan:
group cipher CMAC-128 CMAC-256 GMAC-128 GMAC-256
group mgmt cipher CMAC-128 CMAC-128 CMAC-128 GMAC-256
After this patch:
group cipher CMAC-128 CMAC-256 GMAC-128 GMAC-256
group mgmt cipher CMAC-128 "CMAC-256 GMAC-128" GMAC-256
[Release-log]
N/A
Change-Id: I6a96cdcecb90970f0771ef4f45881ad71424ba54
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8384026
diff --git a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
index 9bbb5c3..4f31708 100644
--- a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
+++ b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
@@ -666,7 +666,7 @@
done
}
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
-index 28bd210..3bdf3c0 100644
+index 28bd210..0df9a6f 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -60,7 +60,14 @@ hostapd_append_wpa_key_mgmt() {
@@ -704,7 +704,7 @@
[ -n "$beacon_rate" ] && append base_cfg "beacon_rate=$beacon_rate" "$N"
[ -n "$rlist" ] && append base_cfg "supported_rates=$rlist" "$N"
[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
-@@ -376,6 +386,24 @@ hostapd_common_add_bss_config() {
+@@ -376,6 +386,25 @@ hostapd_common_add_bss_config() {
config_add_string fils_dhcp
config_add_int ocv
@@ -725,11 +725,12 @@
+ config_add_array owe_groups
+ config_add_array pairwise
+ config_add_string group_cipher
++ config_add_string group_mgmt_cipher
+
}
hostapd_set_vlan_file() {
-@@ -440,11 +468,11 @@ append_iw_nai_realm() {
+@@ -440,11 +469,11 @@ append_iw_nai_realm() {
}
append_iw_venue_name() {
@@ -743,17 +744,17 @@
}
append_hs20_oper_friendly_name() {
-@@ -562,7 +590,8 @@ hostapd_set_bss_options() {
+@@ -562,7 +591,8 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
- vendor_elements fils ocv
+ vendor_elements fils ocv unsol_bcast_probe_resp_interval fils_discovery_min_interval \
-+ fils_discovery_max_interval rnr group_cipher
++ fils_discovery_max_interval rnr group_cipher group_mgmt_cipher
set_default fils 0
set_default isolate 0
-@@ -790,6 +819,36 @@ hostapd_set_bss_options() {
+@@ -790,6 +820,36 @@ hostapd_set_bss_options() {
local auth_algs="$((($auth_mode_shared << 1) | $auth_mode_open))"
append bss_conf "auth_algs=${auth_algs:-1}" "$N"
append bss_conf "wpa=$wpa" "$N"
@@ -790,7 +791,7 @@
[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
set_default wps_pushbutton 0
-@@ -841,7 +900,7 @@ hostapd_set_bss_options() {
+@@ -841,7 +901,7 @@ hostapd_set_bss_options() {
}
append bss_conf "ssid=$ssid" "$N"
@@ -799,7 +800,7 @@
[ -n "$network_ifname" ] && append bss_conf "snoop_iface=$network_ifname" "$N"
[ -n "$iapp_interface" ] && {
local ifname
-@@ -954,6 +1013,8 @@ hostapd_set_bss_options() {
+@@ -954,6 +1014,8 @@ hostapd_set_bss_options() {
fi
if [ "$wpa" -ge "2" ]; then
@@ -808,7 +809,7 @@
if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
set_default auth_cache 1
append bss_conf "rsn_preauth=1" "$N"
-@@ -972,17 +1033,42 @@ hostapd_set_bss_options() {
+@@ -972,17 +1034,52 @@ hostapd_set_bss_options() {
append bss_conf "okc=$auth_cache" "$N"
[ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
@@ -834,14 +835,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
append bss_conf "ieee80211w=$ieee80211w" "$N"
[ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
if [ "$auth_type" = "eap192" ]; then
append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
else
@@ -852,7 +863,7 @@
[ -n "$ieee80211w_max_timeout" ] && \
append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
[ -n "$ieee80211w_retry_timeout" ] && \
-@@ -1047,9 +1133,10 @@ hostapd_set_bss_options() {
+@@ -1047,9 +1144,10 @@ hostapd_set_bss_options() {
json_get_vars iw_roaming_consortium iw_domain_name iw_anqp_3gpp_cell_net iw_nai_realm
json_get_vars iw_anqp_elem iw_qos_map_set iw_ipaddr_type_availability iw_gas_address3
json_get_vars iw_venue_name iw_venue_url
@@ -864,7 +875,7 @@
append bss_conf "interworking=1" "$N"
set_default iw_internet 1
set_default iw_asra 0
-@@ -1156,6 +1243,22 @@ hostapd_set_bss_options() {
+@@ -1156,6 +1254,22 @@ hostapd_set_bss_options() {
append bss_conf "$val" "$N"
done
@@ -887,7 +898,7 @@
bss_md5sum="$(echo $bss_conf | md5sum | cut -d" " -f1)"
append bss_conf "config_id=$bss_md5sum" "$N"
-@@ -1246,6 +1349,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1246,6 +1360,7 @@ wpa_supplicant_prepare_interface() {
country_str="country=$country"
}
@@ -895,7 +906,7 @@
multiap_flag_file="${_config}.is_multiap"
if [ "$multi_ap" = "1" ]; then
touch "$multiap_flag_file"
-@@ -1257,6 +1361,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1257,6 +1372,7 @@ wpa_supplicant_prepare_interface() {
${scan_list:+freq_list=$scan_list}
$ap_scan
$country_str
@@ -903,7 +914,7 @@
EOF
return 0
}
-@@ -1528,12 +1633,39 @@ wpa_supplicant_add_network() {
+@@ -1528,12 +1644,39 @@ wpa_supplicant_add_network() {
;;
esac
@@ -912,7 +923,7 @@
- append network_data "group=GCMP" "$N$T"
- }
+ json_get_values pairwise pairwise
-+ json_get_vars group_cipher
++ json_get_vars group_cipher group_mgmt_cipher
+ if [ -n "$pairwise" ]; then
+ case "$pairwise" in
+ *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip)
@@ -947,7 +958,7 @@
case "$wpa" in
1)
append network_data "proto=WPA" "$N$T"
-@@ -1543,12 +1675,48 @@ wpa_supplicant_add_network() {
+@@ -1543,12 +1686,58 @@ wpa_supplicant_add_network() {
;;
esac
@@ -974,14 +985,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
+ append network_data "ieee80211w=$ieee80211w" "$N$T"
+ [ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
+ if [ "$auth_type" = "eap192" ]; then
+ append network_data "group_mgmt=BIP-GMAC-256" "$N$T"
+ else
@@ -997,7 +1018,7 @@
[ -n "$bssid" ] && append network_data "bssid=$bssid" "$N$T"
[ -n "$beacon_int" ] && append network_data "beacon_int=$beacon_int" "$N$T"
-@@ -1559,6 +1727,20 @@ wpa_supplicant_add_network() {
+@@ -1559,6 +1748,20 @@ wpa_supplicant_add_network() {
[ -n "$bssid_blacklist" ] && append network_data "bssid_blacklist=$bssid_blacklist" "$N$T"
[ -n "$bssid_whitelist" ] && append network_data "bssid_whitelist=$bssid_whitelist" "$N$T"
@@ -1018,7 +1039,7 @@
[ -n "$basic_rate" ] && {
local br rate_list=
for br in $basic_rate; do
-@@ -1573,6 +1755,11 @@ wpa_supplicant_add_network() {
+@@ -1573,6 +1776,11 @@ wpa_supplicant_add_network() {
append network_data "mcast_rate=$mc_rate" "$N$T"
}
diff --git a/autobuild_mac80211_release/0001-wifi7-mac80211-generate-hostapd-setting-from-ap-cap.patch b/autobuild_mac80211_release/0001-wifi7-mac80211-generate-hostapd-setting-from-ap-cap.patch
index 4e38e54..f045a6e 100644
--- a/autobuild_mac80211_release/0001-wifi7-mac80211-generate-hostapd-setting-from-ap-cap.patch
+++ b/autobuild_mac80211_release/0001-wifi7-mac80211-generate-hostapd-setting-from-ap-cap.patch
@@ -739,7 +739,7 @@
done
}
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
-index 271c1f7b..c668e822 100644
+index 271c1f7b..80b95116 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -60,7 +60,14 @@ hostapd_append_wpa_key_mgmt() {
@@ -777,7 +777,7 @@
[ -n "$beacon_rate" ] && append base_cfg "beacon_rate=$beacon_rate" "$N"
[ -n "$rlist" ] && append base_cfg "supported_rates=$rlist" "$N"
[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
-@@ -383,6 +393,24 @@ hostapd_common_add_bss_config() {
+@@ -383,6 +393,25 @@ hostapd_common_add_bss_config() {
config_add_string fils_dhcp
config_add_int ocv
@@ -798,11 +798,12 @@
+ config_add_array owe_groups
+ config_add_array pairwise
+ config_add_string group_cipher
++ config_add_string group_mgmt_cipher
+
}
hostapd_set_vlan_file() {
-@@ -447,11 +475,11 @@ append_iw_nai_realm() {
+@@ -447,11 +476,11 @@ append_iw_nai_realm() {
}
append_iw_venue_name() {
@@ -816,17 +817,17 @@
}
append_hs20_oper_friendly_name() {
-@@ -569,7 +597,8 @@ hostapd_set_bss_options() {
+@@ -569,7 +598,8 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
- vendor_elements fils ocv
+ vendor_elements fils ocv unsol_bcast_probe_resp_interval fils_discovery_min_interval \
-+ fils_discovery_max_interval rnr group_cipher
++ fils_discovery_max_interval rnr group_cipher group_mgmt_cipher
set_default fils 0
set_default isolate 0
-@@ -796,6 +825,36 @@ hostapd_set_bss_options() {
+@@ -796,6 +826,36 @@ hostapd_set_bss_options() {
local auth_algs="$((($auth_mode_shared << 1) | $auth_mode_open))"
append bss_conf "auth_algs=${auth_algs:-1}" "$N"
append bss_conf "wpa=$wpa" "$N"
@@ -863,7 +864,7 @@
[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
set_default wps_pushbutton 0
-@@ -847,7 +906,7 @@ hostapd_set_bss_options() {
+@@ -847,7 +907,7 @@ hostapd_set_bss_options() {
}
append bss_conf "ssid=$ssid" "$N"
@@ -872,7 +873,7 @@
[ -n "$network_ifname" ] && append bss_conf "snoop_iface=$network_ifname" "$N"
[ -n "$iapp_interface" ] && {
local ifname
-@@ -962,6 +1021,8 @@ hostapd_set_bss_options() {
+@@ -962,6 +1022,8 @@ hostapd_set_bss_options() {
fi
if [ "$wpa" -ge "2" ]; then
@@ -881,7 +882,7 @@
if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
set_default auth_cache 1
append bss_conf "rsn_preauth=1" "$N"
-@@ -980,17 +1041,42 @@ hostapd_set_bss_options() {
+@@ -980,17 +1042,52 @@ hostapd_set_bss_options() {
append bss_conf "okc=$auth_cache" "$N"
[ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
@@ -907,14 +908,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
append bss_conf "ieee80211w=$ieee80211w" "$N"
[ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
if [ "$auth_type" = "eap192" ]; then
append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
else
@@ -925,7 +936,7 @@
[ -n "$ieee80211w_max_timeout" ] && \
append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
[ -n "$ieee80211w_retry_timeout" ] && \
-@@ -1055,9 +1141,10 @@ hostapd_set_bss_options() {
+@@ -1055,9 +1152,10 @@ hostapd_set_bss_options() {
json_get_vars iw_roaming_consortium iw_domain_name iw_anqp_3gpp_cell_net iw_nai_realm
json_get_vars iw_anqp_elem iw_qos_map_set iw_ipaddr_type_availability iw_gas_address3
json_get_vars iw_venue_name iw_venue_url
@@ -937,7 +948,7 @@
append bss_conf "interworking=1" "$N"
set_default iw_internet 1
set_default iw_asra 0
-@@ -1164,6 +1251,22 @@ hostapd_set_bss_options() {
+@@ -1164,6 +1262,22 @@ hostapd_set_bss_options() {
append bss_conf "$val" "$N"
done
@@ -960,7 +971,7 @@
append "$var" "$bss_conf" "$N"
return 0
}
-@@ -1251,6 +1354,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1251,6 +1365,7 @@ wpa_supplicant_prepare_interface() {
country_str="country=$country"
}
@@ -968,7 +979,7 @@
multiap_flag_file="${_config}.is_multiap"
if [ "$multi_ap" = "1" ]; then
touch "$multiap_flag_file"
-@@ -1262,6 +1366,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1262,6 +1377,7 @@ wpa_supplicant_prepare_interface() {
${scan_list:+freq_list=$scan_list}
$ap_scan
$country_str
@@ -976,7 +987,7 @@
EOF
return 0
}
-@@ -1533,12 +1638,39 @@ wpa_supplicant_add_network() {
+@@ -1533,12 +1649,39 @@ wpa_supplicant_add_network() {
;;
esac
@@ -985,7 +996,7 @@
- append network_data "group=GCMP" "$N$T"
- }
+ json_get_values pairwise pairwise
-+ json_get_vars group_cipher
++ json_get_vars group_cipher group_mgmt_cipher
+ if [ -n "$pairwise" ]; then
+ case "$pairwise" in
+ *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip)
@@ -1020,7 +1031,7 @@
case "$wpa" in
1)
append network_data "proto=WPA" "$N$T"
-@@ -1548,12 +1680,48 @@ wpa_supplicant_add_network() {
+@@ -1548,12 +1691,58 @@ wpa_supplicant_add_network() {
;;
esac
@@ -1047,14 +1058,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
+ append network_data "ieee80211w=$ieee80211w" "$N$T"
+ [ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
+ if [ "$auth_type" = "eap192" ]; then
+ append network_data "group_mgmt=BIP-GMAC-256" "$N$T"
+ else
@@ -1070,7 +1091,7 @@
[ -n "$bssid" ] && append network_data "bssid=$bssid" "$N$T"
[ -n "$beacon_int" ] && append network_data "beacon_int=$beacon_int" "$N$T"
-@@ -1564,6 +1732,20 @@ wpa_supplicant_add_network() {
+@@ -1564,6 +1753,20 @@ wpa_supplicant_add_network() {
[ -n "$bssid_blacklist" ] && append network_data "bssid_blacklist=$bssid_blacklist" "$N$T"
[ -n "$bssid_whitelist" ] && append network_data "bssid_whitelist=$bssid_whitelist" "$N$T"
@@ -1091,7 +1112,7 @@
[ -n "$basic_rate" ] && {
local br rate_list=
for br in $basic_rate; do
-@@ -1578,6 +1760,11 @@ wpa_supplicant_add_network() {
+@@ -1578,6 +1781,11 @@ wpa_supplicant_add_network() {
append network_data "mcast_rate=$mc_rate" "$N$T"
}