From: Felix Fietkau Date: Wed, 4 Feb 2026 05:46:53 +0000 (+0000) Subject: wifi-scripts: add DPP encryption support X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e25c8bd785e72b8a03b1f1f6bacc21d077cc372;p=thirdparty%2Fopenwrt.git wifi-scripts: add DPP encryption support Add support for DPP (Device Provisioning Protocol) as both a primary encryption type and as an optional addition to existing authentication. Primary DPP mode (encryption=dpp): - Sets WPA2 with key_mgmt=DPP - Requires Management Frame Protection (ieee80211w=2) - Supports dpp_connector, dpp_csign, dpp_netaccesskey options Optional DPP mode (dpp=1 boolean on AP): - Adds DPP to existing key management methods - Allows AP to accept both DPP and other auth types - Supports the same connector options Both ucode and legacy shell implementations are updated for AP and STA modes. Signed-off-by: Felix Fietkau --- diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc index 5771e0e2df5..3c29d1bedab 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc @@ -82,7 +82,7 @@ function iface_accounting_server(config) { } function iface_auth_type(config) { - if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) { + if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) { config.ieee80211w = 2; config.sae_require_mfp = 1; if (!config.ppsk) @@ -117,6 +117,12 @@ function iface_auth_type(config) { ]); break; + case 'dpp': + append_vars(config, [ + 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey', + ]); + break; + case 'psk': case 'psk2': case 'sae': 
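Review bot: The `case 'dpp'` arm in iface_auth_type appends the same three variables (`dpp_connector`, `dpp_csign`, `dpp_netaccesskey`) that the later hunk at @@ -188 appends again under `config.dpp && config.auth_type != 'dpp'`. If the switch arm does reach that later code, a single `if (config.dpp || config.auth_type == 'dpp')` around one `append_vars` call would cover both modes and keep the variable list in one place. The function body between the two hunks is not visible here, so confirm that nothing returns early for 'dpp' and that dropping the arm would not send 'dpp' into a default case.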
@@ -188,6 +194,11 @@ function iface_auth_type(config) { 'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise', 'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id' ]); + + if (config.dpp && config.auth_type != 'dpp') + append_vars(config, [ + 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey', + ]); } function iface_ppsk(config) { diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc index 5b7b14b6ff8..50c62f94297 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc @@ -11,7 +11,7 @@ export function parse_encryption(config, dev_config) { config.wpa = 0; for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2, - 'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, }) + 'owe*': 2, 'dpp': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, }) if (wildcard(config.encryption, k)) { config.wpa = v; break; @@ -32,6 +32,10 @@ export function parse_encryption(config, dev_config) { config.auth_type = 'owe'; break; + case 'dpp': + config.auth_type = 'dpp'; + break; + case 'wpa3-192': config.auth_type = 'eap192'; break; @@ -198,8 +202,15 @@ export function wpa_key_mgmt(config) { case 'owe': append_value(config, 'wpa_key_mgmt', 'OWE'); break; + + case 'dpp': + append_value(config, 'wpa_key_mgmt', 'DPP'); + break; } + if (config.dpp && config.auth_type != 'dpp') + append_value(config, 'wpa_key_mgmt', 'DPP'); + if (config.fils) { switch(config.auth_type) { case 'eap192': diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc index a1daf041a14..e1cc93a806a 100644 
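Review bot: The optional mode added at the end of iface_auth_type (`config.dpp && config.auth_type != 'dpp'`) appends the connector variables but leaves `ieee80211w` untouched, while the primary mode forces it to 2 in the first hunk. With `dpp=1` on, say, a psk2 BSS, the AP would advertise the DPP AKM with management frame protection at whatever the other auth type defaults to, possibly off. DPP stations are generally expected to require PMF, so the DPP half may end up unusable or weaker than intended. Consider raising the floor inside the same condition, e.g. `if (!config.ieee80211w) config.ieee80211w = 1;`, mirroring the psk-sae handling in supplicant.uc; the shell counterpart at @@ -1193 in hostapd.sh has the same gap. Whether `ieee80211w` has already been written out by this point in the function is outside the hunk.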
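Review bot: The new pattern `'dpp': 2` in parse_encryption is an exact match, whereas its neighbours (`'sae*'`, `'owe*'`) are prefix wildcards, so a value such as `dpp+ccmp` matches none of the listed patterns and `config.wpa` stays 0. What such a string falls back to is outside the hunk, but if it ends up as an unprotected BSS, a typo would quietly fail open. Either use `'dpp*'` here (and adjust the `case 'dpp'` in the next hunk accordingly), or add a comment such as `// exact match: DPP takes no cipher suffix` to show the difference is deliberate. netifd-wireless.sh has the same exact `dpp)` patterns at @@ -254 and @@ -274.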
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc @@ -58,7 +58,7 @@ export function ratelist(rates) { function setup_sta(data, config) { iface.parse_encryption(config); - if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) + if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) config.ieee80211w = 2; else if (config.auth_type in [ 'psk-sae' ] && !config.ieee80211w) config.ieee80211w = 1; @@ -122,6 +122,10 @@ function setup_sta(data, config) { iface.wpa_key_mgmt(config); break; + case 'dpp': + iface.wpa_key_mgmt(config); + break; + case 'wps': config.key_mgmt = 'WPS'; break; @@ -183,7 +187,8 @@ function setup_sta(data, config) { 'bssid_blacklist', 'bssid_whitelist', 'erp', 'ca_cert', 'identity', 'anonymous_identity', 'client_cert', 'private_key', 'private_key_passwd', 'subject_match', 'altsubject_match', 'domain_match', 'domain_suffix_match', - 'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password' + 'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password', + 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey', ]); } diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh index 81ebebbe2b7..21e980b86a3 100644 --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh @@ -78,8 +78,13 @@ hostapd_append_wpa_key_mgmt() { owe) append wpa_key_mgmt "OWE" ;; + dpp) + append wpa_key_mgmt "DPP" + ;; esac + [ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && append wpa_key_mgmt "DPP" + [ "$fils" -gt 0 ] && { case "$auth_type" in eap192) @@ -97,6 +102,7 @@ hostapd_append_wpa_key_mgmt() { ;; esac } + } hostapd_add_log_config() { 
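Review bot: In setup_sta (@@ -183) the three DPP variables are added to the network variable list unconditionally, while the shell path in hostapd.sh (@@ -1633) writes them only when `auth_type` is `dpp`. On the ucode path, a leftover `dpp_netaccesskey` in a station section that was later switched to another encryption would still be copied into the supplicant network block, and that value is private key material. Gating the three names on `config.auth_type == 'dpp'` would keep the two implementations consistent. The list being extended starts outside the hunk.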
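Review bot: `[ "$dpp" -gt 0 ]` in hostapd_append_wpa_key_mgmt (@@ -78) assumes `dpp` is always set, but the function is also called from wpa_supplicant_add_network (@@ -1406), and only hostapd_set_bss_options gains a `set_default dpp 0` in this commit. If `dpp` is empty on the station path, the test prints an integer-expression error and evaluates false, which is harmless but noisy. If a station section does carry `dpp=1`, DPP would be added to the client's key_mgmt, although the commit message describes the boolean as AP-only. `[ "${dpp:-0}" -gt 0 ]` removes the first concern; whether `dpp` is read anywhere on the station path is not visible in these hunks.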
@@ -400,6 +406,9 @@ hostapd_common_add_bss_config() { config_add_boolean fils config_add_string fils_dhcp + config_add_boolean dpp + config_add_string dpp_connector dpp_csign dpp_netaccesskey + config_add_int ocv config_add_boolean beacon_prot spp_amsdu @@ -563,9 +572,10 @@ hostapd_set_bss_options() { ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \ multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \ eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \ - vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override + vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override dpp set_default rsn_override 1 + set_default dpp 0 set_default fils 0 set_default isolate 0 set_default maxassoc 0 @@ -639,7 +649,7 @@ hostapd_set_bss_options() { [ -n "$spp_amsdu" ] && append bss_conf "spp_amsdu=$spp_amsdu" "$N" case "$auth_type" in - sae|owe|eap2|eap192) + sae|owe|eap2|eap192|dpp) set_default ieee80211w 2 set_default sae_require_mfp 1 [ "$ppsk" -eq 0 ] && set_default sae_pwe 2 @@ -673,6 +683,13 @@ hostapd_set_bss_options() { # with WPS enabled, we got to be in unconfigured state. wps_not_configured=1 ;; + dpp) + json_get_vars dpp_connector dpp_csign dpp_netaccesskey + + [ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N" + [ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N" + [ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N" + ;; psk|sae|psk-sae) json_get_vars key wpa_psk_file sae_password_file if [ "$ppsk" -ne 0 ]; then 
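Review bot: The `dpp)` arm at @@ -673 writes `dpp_connector`, `dpp_csign` and `dpp_netaccesskey` into `bss_conf` after only a non-empty check, and the config is line-based, so a value containing a newline would become an extra hostapd directive. That matches how neighbouring options are handled, but these are new inputs with a narrow format (csign and netaccesskey are hex strings). A cheap format check before the append is worth having, e.g. `case "$dpp_csign" in *[!0-9a-fA-F]*) dpp_csign= ;; esac`. The same three appends are repeated at @@ -1193 and, for `network_data`, at @@ -1633; a small helper taking the target variable would keep the check in one place. `dpp_netaccesskey` is private key material, so also confirm the generated config file is not world-readable, which is outside this diff.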
@@ -1193,6 +1210,14 @@ hostapd_set_bss_options() { fi fi + [ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && { + json_get_vars dpp_connector dpp_csign dpp_netaccesskey + + [ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N" + [ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N" + [ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N" + } + json_get_values opts hostapd_bss_options for val in $opts; do append bss_conf "$val" "$N" @@ -1343,7 +1368,7 @@ wpa_supplicant_add_network() { set_default rsn_override 1 case "$auth_type" in - sae|owe|eap2|eap192) + sae|owe|eap2|eap192|dpp) set_default ieee80211w 2 ;; psk-sae) @@ -1406,6 +1431,10 @@ wpa_supplicant_add_network() { hostapd_append_wpa_key_mgmt key_mgmt="$wpa_key_mgmt" ;; + dpp) + hostapd_append_wpa_key_mgmt + key_mgmt="$wpa_key_mgmt" + ;; wep) local wep_keyidx=0 hostapd_append_wep_key network_data @@ -1633,6 +1662,14 @@ wpa_supplicant_add_network() { append network_data "mcast_rate=$mc_rate" "$N$T" } + [ "$auth_type" = "dpp" ] && { + json_get_vars dpp_connector dpp_csign dpp_netaccesskey + + [ -n "$dpp_connector" ] && append network_data "dpp_connector=$dpp_connector" "$N$T" + [ -n "$dpp_csign" ] && append network_data "dpp_csign=$dpp_csign" "$N$T" + [ -n "$dpp_netaccesskey" ] && append network_data "dpp_netaccesskey=$dpp_netaccesskey" "$N$T" + } + if [ "$key_mgmt" = "WPS" ]; then echo "wps_cred_processing=1" >> "$_config" else diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh index ac11905facc..328fede2a92 100644 --- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh +++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh 
@@ -254,7 +254,7 @@ wireless_vif_parse_encryption() { # wpa2/tkip+aes => WPA2 RADIUS, CCMP+TKIP case "$encryption" in - wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*) + wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*|dpp) wpa=2 ;; wpa*mixed*|*psk*mixed*) @@ -274,6 +274,9 @@ wireless_vif_parse_encryption() { owe*) auth_type=owe ;; + dpp) + auth_type=dpp + ;; wpa3-192*) auth_type=eap192 ;;