From 254dd7d7d9c88e1b05dad44615213de9a0a4e462 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Wed, 11 Jun 2025 11:28:12 +0200
Subject: [PATCH] wifi-scripts: enable GCMP-256 by default on WPA3/OWE configurations with HE or EHT

GCMP-256 support is mandatory with EHT, but HE hardware can already be expected to support it.

Signed-off-by: Felix Fietkau
---
 .../files-ucode/usr/share/ucode/wifi/ap.uc | 2 +-
 .../files-ucode/usr/share/ucode/wifi/iface.uc | 86 +++++++++++--------
 .../files/lib/netifd/netifd-wireless.sh | 11 ++-
 3 files changed, 58 insertions(+), 41 deletions(-)

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index d72abdd3e4a..316dc24f00e 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -437,7 +437,7 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
 iface_setup(config);
- iface.parse_encryption(config);
+ iface.parse_encryption(config, data.config);
 if (data.config.band == '6g') {
 if (config.auth_type == 'psk-sae') config.auth_type = 'sae';
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
index 710ded10e51..52b76b43967 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -3,46 +3,9 @@ import { append_value, log } from 'wifi.common';
 import * as fs from 'fs';
-export function parse_encryption(config) {
+export function parse_encryption(config, dev_config) {
 let encryption = split(config.encryption, '+', 2);
- config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
-
- switch(encryption[1]){
- case 'tkip+aes':
- case 'tkip+ccmp':
- case 'aes+tkip':
- case 'ccmp+tkip':
- config.wpa_pairwise = 'CCMP TKIP';
- break;
-
- case 'ccmp256':
- config.wpa_pairwise = 'CCMP-256';
- break;
-
- case 'aes':
- case 'ccmp':
- config.wpa_pairwise = 'CCMP';
- break;
-
- case 'tkip':
- config.wpa_pairwise = 'TKIP';
- break;
-
- case 'gcmp256':
- config.wpa_pairwise = 'GCMP-256';
- break;
-
- case 'gcmp':
- config.wpa_pairwise = 'GCMP';
- break;
-
- default:
- if (config.encryption == 'wpa3-192')
- config.wpa_pairwise = 'GCMP-256';
- break;
- }
-
 config.wpa = 0;
 for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2, 'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
@@ -53,10 +16,17 @@ export function parse_encryption(config) {
 if (!config.wpa) config.wpa_pairwise = null;
+ config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
 config.auth_type = encryption[0] ?? 'none';
+
+ let wpa3_pairwise = config.wpa_pairwise;
+ if (wildcard(dev_config?.htmode, 'EHT*') || wildcard(dev_config?.htmode, 'HE*'))
+ wpa3_pairwise = 'GCMP-256 ' + wpa3_pairwise;
+
 switch(config.auth_type) {
 case 'owe':
 config.auth_type = 'owe';
+ config.wpa_pairwise = wpa3_pairwise;
 break;
 case 'wpa3-192':
@@ -65,10 +35,12 @@ export function parse_encryption(config) {
 case 'wpa3-mixed':
 config.auth_type = 'eap-eap2';
+ config.wpa_pairwise = wpa3_pairwise;
 break;
 case 'wpa3':
 config.auth_type = 'eap2';
+ config.wpa_pairwise = wpa3_pairwise;
 break;
 case 'psk-mixed':
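Review bot: In the hunk at `@@ -53,10 +16,17 @@`, the added default `config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';` runs unconditionally right after the unchanged `if (!config.wpa) config.wpa_pairwise = null;`, so the reset for non-WPA configurations no longer has any effect. Before this patch the reset came after the cipher selection and had the last word; now an interface whose `config.wpa` stays 0 leaves parse_encryption with a pairwise cipher set. Whether the hostapd configuration generator emits that value when `config.wpa` is 0 is not visible here, but restoring the old guarantee is a one-line move: place `if (!config.wpa) config.wpa_pairwise = null;` at the end of the function, after the relocated `switch(encryption[1])` block. The function body starts and ends outside this hunk.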
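Review bot: The `wpa3-mixed` case in the hunk at `@@ -65,10 +35,12 @@`, and `psk3-mixed`/`sae-mixed` in the following hunk at `@@ -77,11 +49,13 @@`, receive the same `GCMP-256 CCMP` list as the pure WPA3 modes, and nothing in the code records that this is deliberate. As far as the visible code shows, `config.wpa_pairwise` is a single per-interface value, so on a transition-mode interface the WPA2 stations presumably negotiate against the same list. CCMP stays in as the fallback, which suggests this is intended, but it is a changed default for existing mixed deployments on HE/EHT radios. A comment above the `wpa3_pairwise` computation would document it, for example `// Also applied to the *-mixed modes; CCMP is kept for WPA2 stations. An explicit cipher suffix such as '+ccmp' overrides this default.`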
@@ -77,11 +49,13 @@ export function parse_encryption(config) {
 case 'psk3':
 config.auth_type = 'sae';
+ config.wpa_pairwise = wpa3_pairwise;
 break;
 case 'psk3-mixed':
 case 'sae-mixed':
 config.auth_type = 'psk-sae';
+ config.wpa_pairwise = wpa3_pairwise;
 break;
 case 'wpa':
@@ -90,6 +64,42 @@ export function parse_encryption(config) {
 config.auth_type = 'eap';
 break;
 }
+
+ switch(encryption[1]){
+ case 'tkip+aes':
+ case 'tkip+ccmp':
+ case 'aes+tkip':
+ case 'ccmp+tkip':
+ config.wpa_pairwise = 'CCMP TKIP';
+ break;
+
+ case 'ccmp256':
+ config.wpa_pairwise = 'CCMP-256';
+ break;
+
+ case 'aes':
+ case 'ccmp':
+ config.wpa_pairwise = 'CCMP';
+ break;
+
+ case 'tkip':
+ config.wpa_pairwise = 'TKIP';
+ break;
+
+ case 'gcmp256':
+ config.wpa_pairwise = 'GCMP-256';
+ break;
+
+ case 'gcmp':
+ config.wpa_pairwise = 'GCMP';
+ break;
+
+ default:
+ if (config.encryption == 'wpa3-192')
+ config.wpa_pairwise = 'GCMP-256';
+ break;
+ }
+
 };
 export function wpa_key_mgmt(config) {
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
index c3772bb4431..8460de4653d 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@@ -39,11 +39,10 @@ prepare_key_wep() {
 }
 _wdev_prepare_channel() {
- json_get_vars channel band hwmode
+ json_get_vars channel band hwmode htmode
 auto_channel=0
 enable_ht=0
- htmode=
 hwmode="${hwmode##11}"
 case "$channel" in
@@ -80,6 +79,11 @@ _wdev_prepare_channel() {
 esac
 ;;
 esac
+
+ case "$htmode" in
+ HE*|EHT*) wpa3_cipher="GCMP-256 ";;
+ *) wpa3_cipher="";;
+ esac
 }
 _wdev_handler() {
@@ -216,6 +220,9 @@ wireless_vif_parse_encryption() {
 wpa_cipher="GCMP"
 else
 wpa_cipher="CCMP"
+ case "$encryption" in
+ sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+ esac
 fi
 case "$encryption" in
-- 
2.47.2
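Review bot: In the netifd-wireless.sh hunk at `@@ -80,6 +79,11 @@`, `wpa3_cipher` is assigned with no `local` visible in the hunk and is read later in `wireless_vif_parse_encryption` (hunk at `@@ -216,6 +220,9 @@`), so the two functions are coupled through a shell global that nothing documents. If the vif parser ever runs without `_wdev_prepare_channel` having run first, the variable is empty and the cipher silently stays at CCMP, which is a safe fallback but an invisible one. A comment above the new `case` would make the contract explicit, for example `# wpa3_cipher: prefix consumed by wireless_vif_parse_encryption; empty unless htmode is HE*/EHT*. The trailing space is required.` Both functions extend beyond the hunks shown.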
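Review bot: In the netifd-wireless.sh hunk at `@@ -216,6 +220,9 @@`, the pattern `wpa3*` in the added `case "$encryption"` also matches `wpa3-192`, whereas the ucode implementation in this commit does not assign `wpa3_pairwise` in its `wpa3-192` case and pins that mode to `GCMP-256` alone. Unless the `case "$encryption" in` that begins on the last context line (its arms are outside the hunk) overrides the value for that mode, a `wpa3-192` interface on an HE/EHT radio would end up with `GCMP-256 CCMP`, admitting a 128-bit cipher into the 192-bit mode. Excluding it explicitly keeps the two implementations aligned and does not depend on the later override: add `wpa3-192*) ;;` as the first arm, ahead of `sae*|wpa3*|psk3*|owe)`.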