On Sat, Mar 22, 2025 at 10:45:39AM -0700, Adrian Chadd wrote:
> Anyway! I've noticed that while yes I can add GCMP to hostapd and
> wpa_supplicant configs, wpa_supplicant REALLY only wants to negotiate
> GCMP if it's the only cipher listed. If there's GCMP and CCMP
> available, wpa_supplicant reliably chooses CCMP.

That is not really a completely accurate description. wpa_supplicant prefers the 256-bit version of CCMP and GCMP over the 128-bit versions of either. In other words, GCMP-256 will be selected over CCMP-128.

It should be noted that there is practically no deployment of CCMP-256 and deployment of GCMP-128 is limited to 60 GHz cases. In other words, on 2.4, 5, and 6 GHz bands, only CCMP-128 and GCMP-256 are used in the vast majority of deployments. Between those options, wpa_supplicant will prefer GCMP-256 over CCMP-128 if both are allowed. In other words, I think what you are describing here is quite a theoretical question.

> I think i've traced down where in the source this is happening, as
> it's choosing CCMP for default for non-11ad, and GCMP default for
> 11ad.

No, the RSNE default values for omitted fields have nothing to do with this. wpa_pick_pairwise_cipher() is the place where the selection happens. It is currently picking the first available cipher in this order: CCMP-256, GCMP-256, CCMP-128, GCMP-128. I don't think there was really any particular reason for this order as far as CCMP vs. GCMP is concerned, i.e., this just happened to be the case when I added support for GCMP in 2012. Preferring the 256-bit variants over 128-bit variants is by design, but GCMP vs. CCMP is arbitrary since there is no significant difference in security. GCMP is more efficient for hardware implementation, so there is a good reason to move to it for newer cases and that is indeed what is happening in practice since CCMP-256 is not being deployed.

> My questions however are with how the 802.11 specification
> could/should allow for cipher choices / priorities.
> * I haven't found anything in 802.11-2020 section 12 (security) that
> indicates a formal cipher priority. Is there a formal cipher priority?

Not in the IEEE 802.11 standard (and not in the Wi-Fi Alliance WPA3 specification either).

> Is there anything stopping wpa_supplicant from choosing GCMP over CCMP
> if an AP advertises both?

As far as the protocol or security properties are concerned, not really. As far as likelihood of hitting interop issues is concerned, I would continue to prefer CCMP-128 over GCMP-128 on 2.4/5/6 GHz since GCMP-128 has very limited testing there. One could argue that with that same logic, wpa_supplicant should prefer GCMP-256 over CCMP-256 and that would seem like a reasonable change, i.e., wpa_pick_pairwise_cipher() could be modified to use this priority order: GCMP-256, CCMP-256, CCMP-128, GCMP-128

> * Is it legal to have GCMP as a pairwise key and CCMP as a group key?

Yes

> * Has anyone else tried this, and found weird interoperability issues?

GCMP-256 as the pairwise cipher and CCMP-128 as the group cipher is something that is quite likely used in many, if not most, Wi-Fi 7 deployments, so at least as far as Wi-Fi 7 enabled devices are concerned, this is likely to work. There might be some theoretical issues with older devices, but such devices would not likely support GCMP-256 and that combined with GCMP-128 not being deployed makes this likely not worth much consideration.

-- 
Jouni Malinen
PGP id EFC895FA
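The selection logic described in the reply, as an added illustration that is not wpa_supplicant's own code: the station intersects the ciphers the AP advertises in its RSNE with the ciphers its own configuration allows, then takes the first match in a fixed priority list. The two priority orders are the ones Jouni quotes for wpa_pick_pairwise_cipher() (the current one and the suggested GCMP-256-first one); the dict-based RSNE representation, the function names and the sample cipher sets are constructed for the example. It also shows why a pairwise/group mismatch (GCMP-256 pairwise, CCMP-128 group) is unremarkable: the group cipher is a single value dictated by the AP and is only checked against local policy, never chosen by priority.

```python
"""Simplified model of wpa_supplicant-style pairwise cipher selection.

Added example, not code from wpa_supplicant/hostapd. Only the two priority
orders below come from the mailing-list reply; the RSNE representation and
the sample inputs are constructed for illustration.
"""

# Order the reply says wpa_pick_pairwise_cipher() currently uses:
# 256-bit variants first (by design), CCMP before GCMP (arbitrary).
CURRENT_ORDER = ("CCMP-256", "GCMP-256", "CCMP-128", "GCMP-128")

# Order suggested in the reply: prefer GCMP-256 over CCMP-256 as well,
# keeping CCMP-128 ahead of the lightly tested GCMP-128.
PROPOSED_ORDER = ("GCMP-256", "CCMP-256", "CCMP-128", "GCMP-128")


def pick_pairwise_cipher(advertised, allowed, order=CURRENT_ORDER):
    """Return the highest-priority cipher that the AP advertises and the
    station allows, or None when there is no usable overlap."""
    candidates = set(advertised) & set(allowed)
    for cipher in order:
        if cipher in candidates:
            return cipher
    return None


def negotiate(rsne, allowed_pairwise, allowed_group, order=CURRENT_ORDER):
    """Pick the pairwise cipher from the RSNE's list; accept the AP's single
    group cipher if local policy permits it. The two are independent, so a
    GCMP-256 pairwise / CCMP-128 group result is a normal outcome."""
    pairwise = pick_pairwise_cipher(rsne["pairwise"], allowed_pairwise, order)
    if pairwise is None:
        raise ValueError("no acceptable pairwise cipher offered by AP")
    group = rsne["group"]
    if group not in allowed_group:
        raise ValueError(f"group cipher {group} not permitted by local policy")
    return {"pairwise": pairwise, "group": group}


# Constructed sample: an AP advertising CCMP-128 and GCMP-256 pairwise
# ciphers with CCMP-128 as the group cipher (the Wi-Fi 7 style case the
# reply describes), and a station allowing the ciphers it would typically
# have configured.
SAMPLE_RSNE = {"pairwise": ["CCMP-128", "GCMP-256"], "group": "CCMP-128"}
STA_ALLOWED = ["CCMP-128", "GCMP-256", "CCMP-256"]


if __name__ == "__main__":
    print(negotiate(SAMPLE_RSNE, STA_ALLOWED, STA_ALLOWED))
    # Both 128-bit ciphers offered: CCMP wins under the current order,
    # which is the behaviour the original question observed.
    print(pick_pairwise_cipher(["CCMP-128", "GCMP-128"], STA_ALLOWED + ["GCMP-128"]))
    # Both 256-bit ciphers offered: the two orders diverge.
    both_256 = ["CCMP-256", "GCMP-256"]
    print(pick_pairwise_cipher(both_256, both_256, CURRENT_ORDER),
          pick_pairwise_cipher(both_256, both_256, PROPOSED_ORDER))
```

Running it shows the three cases the thread discusses: the 256-bit/128-bit mix resolves to GCMP-256 regardless of order, a CCMP-128/GCMP-128 offer resolves to CCMP-128, and only when both 256-bit variants are offered does the proposed order change the answer.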