From: Felix Fietkau Date: Wed, 11 Jun 2025 09:05:04 +0000 (+0200) Subject: wifi-scripts: on psk-sae configurations, disable PSK support on 6 GHz X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a17c3be409b066be24b66e748432dd767c1fa61d;p=thirdparty%2Fopenwrt.git wifi-scripts: on psk-sae configurations, disable PSK support on 6 GHz This allows sharing a wifi-iface section across bands while enforcing the no-PSK rule for 6 GHz Signed-off-by: Felix Fietkau --- diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc index d6ca3b5dd26..d72abdd3e4a 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc @@ -76,8 +76,6 @@ function iface_accounting_server(config) { } function iface_auth_type(config) { - iface.parse_encryption(config); - if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) { config.ieee80211w = 2; config.sae_require_mfp = 1; @@ -432,13 +430,21 @@ function iface_interworking(config) { ]); } -export function generate(interface, config, vlans, stas, phy_features) { +export function generate(interface, data, config, vlans, stas, phy_features) { config.ctrl_interface = '/var/run/hostapd'; iface_stations(config, stas); iface_setup(config); + iface.parse_encryption(config); + if (data.config.band == '6g') { + if (config.auth_type == 'psk-sae') + config.auth_type = 'sae'; + if (config.auth_type == 'eap-eap2') + config.auth_type = 'eap2'; + } + iface_auth_type(config); iface_accounting_server(config); diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc index 848f02d323d..cc174cda502 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc 
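Review bot: The 6 GHz block added to `generate` rewrites only the mixed modes `psk-sae` and `eap-eap2`, so a section whose parsed `auth_type` is a PSK-only or WPA2-only value still passes through unchanged when `data.config.band == '6g'`. If the goal is to enforce the no-PSK rule rather than only adapt mixed modes, that case should be rejected or at least logged; a comment such as `// 6 GHz requires WPA3: drop the WPA2 half of mixed modes` would document the intended scope either way. `data.config` is dereferenced without a check, and `data` is inserted as the second positional parameter of the exported `generate` (and of `setup_interface` in hostapd.uc), so a caller not updated in this commit would shift its arguments silently. The two `setup_interface` call sites visible in hostapd.uc are updated; any other callers cannot be seen from here. The body of `generate` continues outside the hunk.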
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc @@ -523,11 +523,11 @@ function generate(config) { } let iface_idx = 0; -function setup_interface(interface, config, vlans, stas, phy_features, fixup) { +function setup_interface(interface, data, config, vlans, stas, phy_features, fixup) { config = { ...config, fixup }; config.idx = iface_idx++; - ap.generate(interface, config, vlans, stas, phy_features); + ap.generate(interface, data, config, vlans, stas, phy_features); } export function setup(data) { @@ -556,9 +556,9 @@ export function setup(data) { let owe = interface.config.encryption == 'owe' && interface.config.owe_transition; - setup_interface(k, interface.config, interface.vlans, interface.stas, phy_features, owe ? 'owe' : null ); + setup_interface(k, data, interface.config, interface.vlans, interface.stas, phy_features, owe ? 'owe' : null ); if (owe) - setup_interface(k, interface.config, interface.vlans, interface.stas, phy_features, 'owe-transition'); + setup_interface(k, data, interface.config, interface.vlans, interface.stas, phy_features, 'owe-transition'); } let config = dump_config(file_name); diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh index 080f15d7a65..f4a7c71bea1 100644 --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
@@ -64,9 +64,11 @@ hostapd_append_wpa_key_mgmt() {
 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 ;;
 psk-sae)
- append wpa_key_mgmt "WPA-PSK"
- [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
- [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
+ [ "$band" = "6g" ] || {
+ append wpa_key_mgmt "WPA-PSK"
+ [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
+ [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
+ }
 append wpa_key_mgmt "SAE"
 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 ;;
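Review bot: The new guard `[ "$band" = "6g" ] || {` fails open, because an unset or empty `band` makes the test false and the `WPA-PSK` suites are still appended. The hunk does not show where `band` is populated, so it should be confirmed that it is set in every path that reaches `hostapd_append_wpa_key_mgmt`. Only the key-management list changes here while `auth_type` stays `psk-sae`, so settings derived from it elsewhere (presumably whether management frame protection is required or merely optional) would still follow the mixed-mode defaults, unlike the ucode path, which rewrites `auth_type` to `sae`. The ucode change also maps `eap-eap2` to `eap2`; whether the shell path has an equivalent is outside this hunk. A one-line comment above the guard, e.g. `# 6 GHz requires WPA3: advertise SAE only`, would make the intent clear.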