[][MAC80211][WiFi6/7][Misc][Change group mgmt cipher setting to align group cipher]
[Description]
Change group mgmt cipher setting to align group cipher. Group mgmt cipher
is independent from other cipher, here we set it more intuitively. And
remain a way to directly set group mgmt cipher.
Before align Logan:
group cipher CMAC-128 CMAC-256 GMAC-128 GMAC-256
group mgmt cipher CMAC-128 CMAC-128 CMAC-128 GMAC-256
After this patch:
group cipher CMAC-128 CMAC-256 GMAC-128 GMAC-256
group mgmt cipher CMAC-128 "CMAC-256 GMAC-128" GMAC-256
[Release-log]
N/A
Change-Id: I6a96cdcecb90970f0771ef4f45881ad71424ba54
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8384026
diff --git a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
index 9bbb5c3..4f31708 100644
--- a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
+++ b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
@@ -666,7 +666,7 @@
done
}
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
-index 28bd210..3bdf3c0 100644
+index 28bd210..0df9a6f 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -60,7 +60,14 @@ hostapd_append_wpa_key_mgmt() {
@@ -704,7 +704,7 @@
[ -n "$beacon_rate" ] && append base_cfg "beacon_rate=$beacon_rate" "$N"
[ -n "$rlist" ] && append base_cfg "supported_rates=$rlist" "$N"
[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
-@@ -376,6 +386,24 @@ hostapd_common_add_bss_config() {
+@@ -376,6 +386,25 @@ hostapd_common_add_bss_config() {
config_add_string fils_dhcp
config_add_int ocv
@@ -725,11 +725,12 @@
+ config_add_array owe_groups
+ config_add_array pairwise
+ config_add_string group_cipher
++ config_add_string group_mgmt_cipher
+
}
hostapd_set_vlan_file() {
-@@ -440,11 +468,11 @@ append_iw_nai_realm() {
+@@ -440,11 +469,11 @@ append_iw_nai_realm() {
}
append_iw_venue_name() {
@@ -743,17 +744,17 @@
}
append_hs20_oper_friendly_name() {
-@@ -562,7 +590,8 @@ hostapd_set_bss_options() {
+@@ -562,7 +591,8 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
- vendor_elements fils ocv
+ vendor_elements fils ocv unsol_bcast_probe_resp_interval fils_discovery_min_interval \
-+ fils_discovery_max_interval rnr group_cipher
++ fils_discovery_max_interval rnr group_cipher group_mgmt_cipher
set_default fils 0
set_default isolate 0
-@@ -790,6 +819,36 @@ hostapd_set_bss_options() {
+@@ -790,6 +820,36 @@ hostapd_set_bss_options() {
local auth_algs="$((($auth_mode_shared << 1) | $auth_mode_open))"
append bss_conf "auth_algs=${auth_algs:-1}" "$N"
append bss_conf "wpa=$wpa" "$N"
@@ -790,7 +791,7 @@
[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
set_default wps_pushbutton 0
-@@ -841,7 +900,7 @@ hostapd_set_bss_options() {
+@@ -841,7 +901,7 @@ hostapd_set_bss_options() {
}
append bss_conf "ssid=$ssid" "$N"
@@ -799,7 +800,7 @@
[ -n "$network_ifname" ] && append bss_conf "snoop_iface=$network_ifname" "$N"
[ -n "$iapp_interface" ] && {
local ifname
-@@ -954,6 +1013,8 @@ hostapd_set_bss_options() {
+@@ -954,6 +1014,8 @@ hostapd_set_bss_options() {
fi
if [ "$wpa" -ge "2" ]; then
@@ -808,7 +809,7 @@
if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
set_default auth_cache 1
append bss_conf "rsn_preauth=1" "$N"
-@@ -972,17 +1033,42 @@ hostapd_set_bss_options() {
+@@ -972,17 +1034,52 @@ hostapd_set_bss_options() {
append bss_conf "okc=$auth_cache" "$N"
[ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
@@ -834,14 +835,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
append bss_conf "ieee80211w=$ieee80211w" "$N"
[ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
if [ "$auth_type" = "eap192" ]; then
append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
else
@@ -852,7 +863,7 @@
[ -n "$ieee80211w_max_timeout" ] && \
append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
[ -n "$ieee80211w_retry_timeout" ] && \
-@@ -1047,9 +1133,10 @@ hostapd_set_bss_options() {
+@@ -1047,9 +1144,10 @@ hostapd_set_bss_options() {
json_get_vars iw_roaming_consortium iw_domain_name iw_anqp_3gpp_cell_net iw_nai_realm
json_get_vars iw_anqp_elem iw_qos_map_set iw_ipaddr_type_availability iw_gas_address3
json_get_vars iw_venue_name iw_venue_url
@@ -864,7 +875,7 @@
append bss_conf "interworking=1" "$N"
set_default iw_internet 1
set_default iw_asra 0
-@@ -1156,6 +1243,22 @@ hostapd_set_bss_options() {
+@@ -1156,6 +1254,22 @@ hostapd_set_bss_options() {
append bss_conf "$val" "$N"
done
@@ -887,7 +898,7 @@
bss_md5sum="$(echo $bss_conf | md5sum | cut -d" " -f1)"
append bss_conf "config_id=$bss_md5sum" "$N"
-@@ -1246,6 +1349,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1246,6 +1360,7 @@ wpa_supplicant_prepare_interface() {
country_str="country=$country"
}
@@ -895,7 +906,7 @@
multiap_flag_file="${_config}.is_multiap"
if [ "$multi_ap" = "1" ]; then
touch "$multiap_flag_file"
-@@ -1257,6 +1361,7 @@ wpa_supplicant_prepare_interface() {
+@@ -1257,6 +1372,7 @@ wpa_supplicant_prepare_interface() {
${scan_list:+freq_list=$scan_list}
$ap_scan
$country_str
@@ -903,7 +914,7 @@
EOF
return 0
}
-@@ -1528,12 +1633,39 @@ wpa_supplicant_add_network() {
+@@ -1528,12 +1644,39 @@ wpa_supplicant_add_network() {
;;
esac
@@ -912,7 +923,7 @@
- append network_data "group=GCMP" "$N$T"
- }
+ json_get_values pairwise pairwise
-+ json_get_vars group_cipher
++ json_get_vars group_cipher group_mgmt_cipher
+ if [ -n "$pairwise" ]; then
+ case "$pairwise" in
+ *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip)
@@ -947,7 +958,7 @@
case "$wpa" in
1)
append network_data "proto=WPA" "$N$T"
-@@ -1543,12 +1675,48 @@ wpa_supplicant_add_network() {
+@@ -1543,12 +1686,58 @@ wpa_supplicant_add_network() {
;;
esac
@@ -974,14 +985,24 @@
+ json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout beacon_prot
+ append network_data "ieee80211w=$ieee80211w" "$N$T"
+ [ "$ieee80211w" -gt "0" ] && {
-+ case "$group_cipher" in
-+ CCMP*)
-+ ieee80211w_mgmt_cipher="AES-128-CMAC"
-+ ;;
-+ GCMP-256)
-+ [[ "$encryption" != "*owe*" ]] && ieee80211w_mgmt_cipher="BIP-GMAC-256"
-+ ;;
-+ esac
++ if [ -z "$group_mgmt_cipher" ]; then
++ case "$group_cipher" in
++ CCMP-256)
++ ieee80211w_mgmt_cipher="BIP-CMAC-256"
++ ;;
++ CCMP)
++ ieee80211w_mgmt_cipher="AES-128-CMAC"
++ ;;
++ GCMP-256)
++ ieee80211w_mgmt_cipher="BIP-GMAC-256"
++ ;;
++ GCMP)
++ ieee80211w_mgmt_cipher="BIP-GMAC-128"
++ ;;
++ esac
++ else
++ ieee80211w_mgmt_cipher="$group_mgmt_cipher"
++ fi
+ if [ "$auth_type" = "eap192" ]; then
+ append network_data "group_mgmt=BIP-GMAC-256" "$N$T"
+ else
@@ -997,7 +1018,7 @@
[ -n "$bssid" ] && append network_data "bssid=$bssid" "$N$T"
[ -n "$beacon_int" ] && append network_data "beacon_int=$beacon_int" "$N$T"
-@@ -1559,6 +1727,20 @@ wpa_supplicant_add_network() {
+@@ -1559,6 +1748,20 @@ wpa_supplicant_add_network() {
[ -n "$bssid_blacklist" ] && append network_data "bssid_blacklist=$bssid_blacklist" "$N$T"
[ -n "$bssid_whitelist" ] && append network_data "bssid_whitelist=$bssid_whitelist" "$N$T"
@@ -1018,7 +1039,7 @@
[ -n "$basic_rate" ] && {
local br rate_list=
for br in $basic_rate; do
-@@ -1573,6 +1755,11 @@ wpa_supplicant_add_network() {
+@@ -1573,6 +1776,11 @@ wpa_supplicant_add_network() {
append network_data "mcast_rate=$mc_rate" "$N$T"
}