wifi-scripts: add support for RSN overide and use it for improved WPA3 compat
authorFelix Fietkau <nbd@nbd.name>
Tue, 24 Jun 2025 13:04:17 +0000 (15:04 +0200)
committerFelix Fietkau <nbd@nbd.name>
Tue, 24 Jun 2025 13:07:23 +0000 (15:07 +0200)
RSNE override is a relatively new hostapd feature that allows WPA3 parameters to be advertised in a way that is invisible to older clients.
Use it by default to hide the GCMP-256 cipher from older clients, since advertising it in the regular RSNE causes compatibility issues with existing devices.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh

index e26cd33c28ffd51876f9211e6db592ac121bff09..0d71ca1552d60f1a6987244982d23e9f09ef0958 100644 (file)
                "rsn_preauth": {
                        "type": "boolean"
                },
+               "rsn_override": {
+                       "type": "number",
+                       "description": "Use RSNE override IE WPA3 compatibility (0: disabled, 1: enabled, 2:force WPA2 for older devices)",
+                       "default": 1
+               },
                "sae_pwe": {
                        "description": "SAE mechanism for PWE derivation",
                        "type": "number",
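Review bot: The `description` of the new `rsn_override` property is hard to parse and does not say what value 2 does to clients; from the consuming scripts in this commit, 2 removes SAE from the base RSNE, so any client that does not parse the RSN Override elements — including WPA3-capable ones — is limited to WPA2-PSK, while 1 only moves the GCMP-256 cipher into the override elements. Suggest `"description": "RSNE override for WPA3 compatibility (0: disabled, 1: advertise GCMP-256 only in RSN override elements, 2: additionally hide SAE from the base RSNE, so clients without RSN override support fall back to WPA2-PSK)"`. The schema also accepts any number, and the scripts only test `> 0` and `> 1`, so `"enum": [0, 1, 2]` would reject values that are otherwise silently treated like 2.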
index 316dc24f00e0f9480336a4a4c4d17e231ca229fb..eccd5824cf8d318e26be79fd92ac807ea1609e56 100644 (file)
@@ -84,6 +84,8 @@ function iface_auth_type(config) {
 
        if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
                config.ieee80211w = 1;
+               if (config.rsn_override)
+                       config.rsn_override_mfp = 2;
                config.sae_require_mfp = 1;
                config.sae_pwe = 2;
        }
@@ -171,7 +173,8 @@ function iface_auth_type(config) {
                'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
                'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
                'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
-               'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
+               'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id',
+               'rsn_override_pairwise', 'rsn_override_mfp'
        ]);
 }
 
@@ -475,7 +478,8 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
 
        iface.wpa_key_mgmt(config);
        append_vars(config, [
-               'wpa_key_mgmt'
+               'wpa_key_mgmt',
+               'rsn_override_key_mgmt'
        ]);
 
        /* raw options */
index 52b76b43967693cd7516f37672daf1809b9e0c23..6601a30689f1aacd259afc57d07658ce06d41703 100644 (file)
@@ -26,7 +26,6 @@ export function parse_encryption(config, dev_config) {
        switch(config.auth_type) {
        case 'owe':
                config.auth_type = 'owe';
-               config.wpa_pairwise = wpa3_pairwise;
                break;
 
        case 'wpa3-192':
@@ -35,33 +34,37 @@ export function parse_encryption(config, dev_config) {
 
        case 'wpa3-mixed':
                config.auth_type = 'eap-eap2';
-               config.wpa_pairwise = wpa3_pairwise;
                break;
 
        case 'wpa3':
                config.auth_type = 'eap2';
-               config.wpa_pairwise = wpa3_pairwise;
                break;
 
+       case 'psk':
        case 'psk-mixed':
                config.auth_type = "psk";
+               config.wpa_pairwise = null;
                break;
 
+       case 'sae':
        case 'psk3':
                config.auth_type = 'sae';
-               config.wpa_pairwise = wpa3_pairwise;
                break;
 
        case 'psk3-mixed':
        case 'sae-mixed':
                config.auth_type = 'psk-sae';
-               config.wpa_pairwise = wpa3_pairwise;
                break;
 
        case 'wpa':
        case 'wpa2':
        case 'wpa-mixed':
                config.auth_type = 'eap';
+               config.wpa_pairwise = null;
+               break;
+
+       default:
+               config.wpa_pairwise = null;
                break;
        }
 
@@ -95,8 +98,18 @@ export function parse_encryption(config, dev_config) {
                break;
 
        default:
-               if (config.encryption == 'wpa3-192')
+               if (config.encryption == 'wpa3-192') {
                        config.wpa_pairwise = 'GCMP-256';
+                       break;
+               }
+
+               if (!wpa3_pairwise)
+                       break;
+
+               if (config.rsn_override)
+                       config.rsn_override_pairwise = wpa3_pairwise;
+               else
+                       config.wpa_pairwise = wpa3_pairwise;
                break;
        }
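Review bot: In the new `default:` branch, when `config.rsn_override` is set only `config.rsn_override_pairwise` is assigned and `config.wpa_pairwise` is left untouched, whereas the psk/eap cases of the first switch in this commit explicitly reset `wpa_pairwise` to null and the old code assigned `wpa3_pairwise` for the sae/owe/eap2 types. If the base RSNE cipher is meant to come from a downstream default when `wpa_pairwise` is unset, a value already present in `config` (e.g. supplied by the caller) now carries through for these types while it is cleared for psk/eap. Resetting it in the same place, `config.wpa_pairwise = null;` before the `if (config.rsn_override)` test, would make the fallback explicit and consistent. parse_encryption starts and ends outside this hunk.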
 
@@ -131,10 +144,12 @@ export function wpa_key_mgmt(config) {
                break;
 
        case 'eap-eap2':
-               append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
                append_value(config, 'wpa_key_mgmt', 'WPA-EAP-SHA256');
                if (config.ieee80211r)
                        append_value(config, 'wpa_key_mgmt', 'FT-EAP');
+
+               config.rsn_override_key_mgmt = config.wpa_key_mgmt;
+               append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
                break;
 
        case 'eap2':
@@ -150,14 +165,18 @@ export function wpa_key_mgmt(config) {
                break;
 
        case 'psk-sae':
-               append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
                append_value(config, 'wpa_key_mgmt', 'SAE');
+               if (config.ieee80211r)
+                       append_value(config, 'wpa_key_mgmt', 'FT-SAE');
+               config.rsn_override_key_mgmt = config.wpa_key_mgmt;
+               if (config.rsn_override > 1)
+                       delete config.wpa_key_mgmt;
+
+               append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
                if (config.ieee80211w)
                        append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256');
-               if (config.ieee80211r) {
+               if (config.ieee80211r)
                        append_value(config, 'wpa_key_mgmt', 'FT-PSK');
-                       append_value(config, 'wpa_key_mgmt', 'FT-SAE');
-               }
                break;
 
        case 'owe':
@@ -179,6 +198,13 @@ export function wpa_key_mgmt(config) {
                        append_value(config, 'wpa_key_mgmt', 'FILS-SHA256');
                        if (config.ieee80211r)
                                append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256');
+
+                       if (!config.rsn_override_key_mgmt)
+                               break;
+
+                       append_value(config, 'rsn_override_key_mgmt', 'FILS-SHA256');
+                       if (config.ieee80211r)
+                               append_value(config, 'rsn_override_key_mgmt', 'FT-FILS-SHA256');
                        break;
                }
        }
index f15e7f1b43ed508731fd68cc8e20983f0af91631..dd96505f09b09f39e1e002c346642c292ec7d12b 100644 (file)
@@ -51,9 +51,10 @@ hostapd_append_wpa_key_mgmt() {
                        [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"
                ;;
                eap-eap2)
-                       append wpa_key_mgmt "WPA-EAP"
                        append wpa_key_mgmt "WPA-EAP-SHA256"
                        [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
+                       [ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
+                       append wpa_key_mgmt "WPA-EAP"
                ;;
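Review bot: The new test `[ "$rsn_override" -gt 0 ]` relies on rsn_override having been defaulted by the caller; the other tests in this function use the `"${ieee80211r:-0}"` form, which keeps `-gt` from failing with "integer expression expected" when the variable is empty, as it would be if this helper is reached from a path that does not run `set_default rsn_override 1` first. Writing `[ "${rsn_override:-0}" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"` here (and in the other new rsn_override tests in this function) matches the file's style and is robust to such callers. hostapd_append_wpa_key_mgmt starts and ends outside this hunk.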
                eap2)
                        [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
@@ -64,13 +65,15 @@ hostapd_append_wpa_key_mgmt() {
                        [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
                ;;
                psk-sae)
+                       append wpa_key_mgmt "SAE"
+                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
+                       [ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
+                       [ "$rsn_override" -gt 1 ] && wpa_key_mgmt=
                        [ "$band" = "6g" ] || {
                                append wpa_key_mgmt "WPA-PSK"
                                [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
                                [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
                        }
-                       append wpa_key_mgmt "SAE"
-                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
                ;;
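Review bot: With `rsn_override` set to 2 on a 6 GHz BSS, `wpa_key_mgmt=` empties the list and the `[ "$band" = "6g" ] ||` block then adds nothing, so wpa_key_mgmt stays empty, the `wpa_key_mgmt=` line is never written (it is emitted only when non-empty) and hostapd falls back to its built-in default key management — which I believe is WPA-PSK — in the base RSNE, on a band where SAE is mandatory. Moving the reset inside the non-6 GHz block keeps SAE in the base RSNE on 6 GHz: `[ "$band" = "6g" ] || { [ "$rsn_override" -gt 1 ] && wpa_key_mgmt=; append wpa_key_mgmt "WPA-PSK"; ... }`. hostapd_append_wpa_key_mgmt starts and ends outside this hunk.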
                owe)
                        append wpa_key_mgmt "OWE"
@@ -86,11 +89,19 @@ hostapd_append_wpa_key_mgmt() {
                        eap*)
                                append wpa_key_mgmt FILS-SHA256
                                [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256
+
+                               [ "$rsn_override" -gt 0 ] && {
+                                       append rsn_override_key_mgmt FILS-SHA256
+                                       [ "${ieee80211r:-0}" -gt 0 ] && append rsn_override_key_mgmt FT-FILS-SHA256
+                               }
                        ;;
                esac
        }
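Review bot: The FILS block appends to `rsn_override_key_mgmt` whenever rsn_override is non-zero, but that list is only populated in the eap-eap2 case above; for `eap2` (and plain `eap`) with FILS enabled it is empty here, so the override list would consist of the FILS AKMs alone and be written to hostapd, advertising an RSN override element that lacks the EAP AKM of the base RSNE. The ucode counterpart in this commit only extends the list when it already exists; doing the same here, `[ "$rsn_override" -gt 0 ] && [ -n "$rsn_override_key_mgmt" ] && { ... }`, keeps the override list a strict superset of the base one. hostapd_append_wpa_key_mgmt starts and ends outside this hunk.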
 
-       [ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN"
+       [ "$auth_osen" = "1" ] && {
+               append wpa_key_mgmt "OSEN"
+               [ "$rsn_override" -gt 0 ] && append rsn_override_key_mgmt OSEN
+       }
 }
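Review bot: `append rsn_override_key_mgmt OSEN` runs for any auth type once rsn_override is non-zero (the default), but `rsn_override_key_mgmt` is only populated in the eap-eap2 and psk-sae cases, so for other modes with `auth_osen=1` the override list would consist of `OSEN` alone and be written to hostapd as an RSN override element whose only AKM is OSEN. Guarding on the list already existing, `[ "$rsn_override" -gt 0 ] && [ -n "$rsn_override_key_mgmt" ] && append rsn_override_key_mgmt OSEN`, limits the override element to the modes that actually build one. This is the end of hostapd_append_wpa_key_mgmt; its start is outside the hunk.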
 
 hostapd_add_log_config() {
@@ -341,6 +352,7 @@ hostapd_common_add_bss_config() {
        config_add_array r0kh r1kh
 
        config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
+       config_add_int rsn_override
 
        config_add_string macfilter 'macfile:file'
        config_add_array 'maclist:list(macaddr)'
@@ -611,8 +623,9 @@ hostapd_set_bss_options() {
                ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
                multicast_to_unicast_all proxy_arp per_sta_vif \
                eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
-               vendor_elements fils ocv apup
+               vendor_elements fils ocv apup rsn_override
 
+       set_default rsn_override 1
        set_default fils 0
        set_default isolate 0
        set_default maxassoc 0
@@ -849,6 +862,7 @@ hostapd_set_bss_options() {
        append bss_conf "auth_algs=${auth_algs:-1}" "$N"
        append bss_conf "wpa=$wpa" "$N"
        [ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
+       [ -n "$rsn_override_pairwise" ] && append bss_conf "rsn_override_pairwise=$rsn_override_pairwise" "$N"
 
        set_default wps_pushbutton 0
        set_default wps_label 0
@@ -961,6 +975,7 @@ hostapd_set_bss_options() {
 
                hostapd_append_wpa_key_mgmt
                [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+               [ -n "$rsn_override_key_mgmt" ] && append bss_conf "rsn_override_key_mgmt=$rsn_override_key_mgmt" "$N"
        fi
 
        if [ "$wpa" -ge "2" ]; then
index 8460de4653d7ba7e309db7779d029ecfbf4d163b..784af7b5ce8132bf50a3c6db30123a5dbe3091a8 100644 (file)
@@ -209,19 +209,28 @@ _wdev_wrapper \
        wireless_set_retry \
 
 wireless_vif_parse_encryption() {
-       json_get_vars encryption
+       json_get_vars encryption rsn_override
        set_default encryption none
 
+       set_default rsn_override 1
        auth_mode_open=1
        auth_mode_shared=0
        auth_type=none
+       wpa_override_cipher=
+       rsn_override_pairwise=
 
        if [ "$hwmode" = "ad" ]; then
                wpa_cipher="GCMP"
        else
                wpa_cipher="CCMP"
                case "$encryption" in
-                       sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+                       sae*|wpa3*|psk3*|owe)
+                               if [ "$rsn_override" -gt 0 ]; then
+                                       wpa_override_cipher="${wpa3_cipher}$wpa_cipher"
+                               else
+                                       wpa_cipher="${wpa3_cipher}$wpa_cipher"
+                               fi
+                       ;;
                esac
        fi
 
@@ -233,6 +242,7 @@ wireless_vif_parse_encryption() {
                *gcmp256) wpa_cipher="GCMP-256";;
                *gcmp) wpa_cipher="GCMP";;
                wpa3-192*) wpa_cipher="GCMP-256";;
+               *) rsn_override_pairwise="$wpa_override_cipher";;
        esac
 
        # 802.11n requires CCMP for WPA