wifi-scripts: enable GCMP-256 by default on WPA3/OWE configurations with HE or EHT

author Felix Fietkau <nbd@nbd.name>

Wed, 11 Jun 2025 09:28:12 +0000 (11:28 +0200)

committer Felix Fietkau <nbd@nbd.name>

Sat, 21 Jun 2025 18:34:09 +0000 (20:34 +0200)
author Felix Fietkau <nbd@nbd.name>
Wed, 11 Jun 2025 09:28:12 +0000 (11:28 +0200)
committer Felix Fietkau <nbd@nbd.name>
Sat, 21 Jun 2025 18:34:09 +0000 (20:34 +0200)
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc

index d72abdd3e4ad062eda76061b29c728333ca09bfc..316dc24f00e0f9480336a4a4c4d17e231ca229fb 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -437,7 +437,7 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
  
         iface_setup(config);
  
-       iface.parse_encryption(config);
+       iface.parse_encryption(config, data.config);
         if (data.config.band == '6g') {
                 if (config.auth_type == 'psk-sae')
                         config.auth_type = 'sae';
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc

index 710ded10e51cc8ee71d46ee9609c7ffe539ce398..52b76b43967693cd7516f37672daf1809b9e0c23 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -3,46 +3,9 @@
  import { append_value, log } from 'wifi.common';
  import * as fs from 'fs';
  
-export function parse_encryption(config) {
+export function parse_encryption(config, dev_config) {
         let encryption = split(config.encryption, '+', 2);
  
-       config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
-
-       switch(encryption[1]){
-       case 'tkip+aes':
-       case 'tkip+ccmp':
-       case 'aes+tkip':
-       case 'ccmp+tkip':
-               config.wpa_pairwise = 'CCMP TKIP';
-               break;
-
-       case 'ccmp256':
-               config.wpa_pairwise = 'CCMP-256';
-               break;
-
-       case 'aes':
-       case 'ccmp':
-               config.wpa_pairwise = 'CCMP';
-               break;
-
-       case 'tkip':
-               config.wpa_pairwise = 'TKIP';
-               break;
-
-       case 'gcmp256':
-               config.wpa_pairwise = 'GCMP-256';
-               break;
-
-       case 'gcmp':
-               config.wpa_pairwise = 'GCMP';
-               break;
-
-       default:
-               if (config.encryption == 'wpa3-192')
-                       config.wpa_pairwise = 'GCMP-256';
-               break;
-       }
-
         config.wpa = 0;
         for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
                         'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
@@ -53,10 +16,17 @@ export function parse_encryption(config) {
         if (!config.wpa)
                 config.wpa_pairwise = null;
  
+       config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
         config.auth_type = encryption[0] ?? 'none';
+
+       let wpa3_pairwise = config.wpa_pairwise;
+       if (wildcard(dev_config?.htmode, 'EHT*') || wildcard(dev_config?.htmode, 'HE*'))
+               wpa3_pairwise = 'GCMP-256 ' + wpa3_pairwise;
+
         switch(config.auth_type) {
         case 'owe':
                 config.auth_type = 'owe';
+               config.wpa_pairwise = wpa3_pairwise;
                 break;
  
         case 'wpa3-192':
@@ -65,10 +35,12 @@ export function parse_encryption(config) {
  
         case 'wpa3-mixed':
                 config.auth_type = 'eap-eap2';
+               config.wpa_pairwise = wpa3_pairwise;
                 break;
  
         case 'wpa3':
                 config.auth_type = 'eap2';
+               config.wpa_pairwise = wpa3_pairwise;
                 break;
  
         case 'psk-mixed':
@@ -77,11 +49,13 @@ export function parse_encryption(config) {
  
         case 'psk3':
                 config.auth_type = 'sae';
+               config.wpa_pairwise = wpa3_pairwise;
                 break;
  
         case 'psk3-mixed':
         case 'sae-mixed':
                 config.auth_type = 'psk-sae';
+               config.wpa_pairwise = wpa3_pairwise;
                 break;
  
         case 'wpa':
@@ -90,6 +64,42 @@ export function parse_encryption(config) {
                 config.auth_type = 'eap';
                 break;
         }
+
+       switch(encryption[1]){
+       case 'tkip+aes':
+       case 'tkip+ccmp':
+       case 'aes+tkip':
+       case 'ccmp+tkip':
+               config.wpa_pairwise = 'CCMP TKIP';
+               break;
+
+       case 'ccmp256':
+               config.wpa_pairwise = 'CCMP-256';
+               break;
+
+       case 'aes':
+       case 'ccmp':
+               config.wpa_pairwise = 'CCMP';
+               break;
+
+       case 'tkip':
+               config.wpa_pairwise = 'TKIP';
+               break;
+
+       case 'gcmp256':
+               config.wpa_pairwise = 'GCMP-256';
+               break;
+
+       case 'gcmp':
+               config.wpa_pairwise = 'GCMP';
+               break;
+
+       default:
+               if (config.encryption == 'wpa3-192')
+                       config.wpa_pairwise = 'GCMP-256';
+               break;
+       }
+
  };
  
  export function wpa_key_mgmt(config) {
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh

index c3772bb44312d4899bedaf5a657ff3c38936a5e4..8460de4653d7ba7e309db7779d029ecfbf4d163b 100644 (file)
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@@ -39,11 +39,10 @@ prepare_key_wep() {
  }
  
  _wdev_prepare_channel() {
-       json_get_vars channel band hwmode
+       json_get_vars channel band hwmode htmode
  
         auto_channel=0
         enable_ht=0
-       htmode=
         hwmode="${hwmode##11}"
  
         case "$channel" in
@@ -80,6 +79,11 @@ _wdev_prepare_channel() {
                         esac
                 ;;
         esac
+
+       case "$htmode" in
+               HE*|EHT*) wpa3_cipher="GCMP-256 ";;
+               *) wpa3_cipher="";;
+       esac
  }
  
  _wdev_handler() {
@@ -216,6 +220,9 @@ wireless_vif_parse_encryption() {
                 wpa_cipher="GCMP"
         else
                 wpa_cipher="CCMP"
+               case "$encryption" in
+                       sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+               esac
         fi
  
         case "$encryption" in
author	Felix Fietkau <nbd@nbd.name>
	Wed, 11 Jun 2025 09:28:12 +0000 (11:28 +0200)
committer	Felix Fietkau <nbd@nbd.name>
	Sat, 21 Jun 2025 18:34:09 +0000 (20:34 +0200)
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc		patch \| blob \| blame \| history
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc		patch \| blob \| blame \| history
package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh		patch \| blob \| blame \| history