From: Hauke Mehrtens Date: Fri, 3 Jul 2026 22:23:32 +0000 (+0200) Subject: wifi-scripts: ucode: default the SAE-EXT-KEY AKM per WPA3 mode X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc652db52a20afd4e5aa1c7b9d4456425780b814;p=thirdparty%2Fopenwrt.git wifi-scripts: ucode: default the SAE-EXT-KEY AKM per WPA3 mode Commit a12cec9ea3c8 ("wifi-scripts: ucode: advertise SAE-EXT-KEY AKM alongside SAE") advertised the SAE-EXT-KEY AKM (00-0F-AC:24, SAE using a group-dependent hash, aka SAE-GDH) by default on every sae, sae-mixed and sae-compat BSS. WPA3 Specification v3.5 only makes this AKM mandatory when the BSS enables EHT or MLO (section 2.5, item 4); for HE and below it is merely recommended (sections 2.2 and 2.3). In practice the FT-SAE-EXT-KEY AKM (SAE-EXT-KEY combined with 802.11r), which gets added automatically once Fast Transition is enabled, keeps some clients from associating (a Samsung Galaxy Tab S10 FE) or makes them reboot shortly after connecting (a Poco X6). Plain SAE-EXT-KEY without FT was seen to work on the same tablet, but its interoperability is not well tested. Drop the fixed schema default and pick the default from the auth type in parse_encryption instead. Only default it on where it is both mandatory and safe to offer: on Compatibility mode (sae-compat) BSSes running an EHT htmode, which carry it in a separate RSN Override element that legacy clients ignore. Keep it off for WPA3-Personal (sae) and Transition (sae-mixed) mode, where it would sit in the main RSNE that a choking client cannot ignore, and off on non-EHT BSSes. An explicit 'option sae_ext_key 0/1' still overrides this per BSS. The SAE-EXT-KEY AKM in the sae-compat RSN Override 2 element now keys off config.sae_ext_key alone; the extra config.rsn_override_pairwise_2 guard is dropped, decoupling the AKM from the GCMP-256 pairwise cipher so each follows its own option. Fixes: a12cec9ea3c8 ("wifi-scripts: ucode: advertise SAE-EXT-KEY AKM alongside SAE") Assisted-by: Claude:claude-opus-4-8 Link: https://github.com/openwrt/openwrt/pull/24041 Signed-off-by: Hauke Mehrtens --- diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json index c32a49170cb..38886ef336c 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json @@ -963,9 +963,8 @@ "type": "boolean" }, "sae_ext_key": { - "description": "Advertise the SAE-EXT-KEY AKM alongside plain SAE. Mandatory for EHT, enabled by default.", - "type": "boolean", - "default": true + "description": "Advertise the SAE-EXT-KEY AKM (SAE using a group-dependent hash) alongside plain SAE. Mandatory for EHT, recommended otherwise. Defaults off for sae and sae-mixed because some clients misbehave when SAE-EXT-KEY is offered, and on for sae-compat BSSes using an EHT htmode (where SAE-EXT-KEY is mandatory), carried in a separate RSN Override element that legacy clients ignore.", + "type": "boolean" }, "sae_password_file": { "description": "External file containing VLAN SAE MAC address triplets", diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc index a05a0d39202..a0efea0d74a 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc @@ -19,6 +19,18 @@ export function parse_encryption(config, dev_config, phy_features) { config.auth_type = encryption[0] ?? 'none'; + /* + * The SAE-EXT-KEY (SAE-GDH) AKM is only mandatory for EHT/MLO and breaks + * interoperability with some clients, so only default it on where it is + * both required and safe to offer: on Compatibility mode (sae-compat) + * BSSes that run an EHT htmode, which carry it in a separate RSN Override + * element that legacy clients ignore. It stays off for WPA3-Personal (sae) + * and Transition (sae-mixed) mode and on non-EHT BSSes. An explicit + * sae_ext_key option overrides this per BSS. + */ + let compat = (config.auth_type == 'sae-compat'); + config.sae_ext_key ??= compat && wildcard(dev_config?.htmode ?? '', 'EHT*'); + switch(config.auth_type) { case 'owe': config.auth_type = 'owe'; @@ -189,7 +201,7 @@ export function wpa_key_mgmt(config, band) { if (config.ieee80211r) append_value(config, 'wpa_key_mgmt', 'FT-SAE'); - if (config.sae_ext_key && config.rsn_override_pairwise_2) { + if (config.sae_ext_key) { append_value(config, 'rsn_override_key_mgmt_2', 'SAE-EXT-KEY'); if (config.ieee80211r) append_value(config, 'rsn_override_key_mgmt_2', 'FT-SAE-EXT-KEY'); @@ -205,7 +217,7 @@ export function wpa_key_mgmt(config, band) { if (config.ieee80211r) append_value(config, 'rsn_override_key_mgmt', 'FT-SAE'); - if (config.sae_ext_key && config.rsn_override_pairwise_2) { + if (config.sae_ext_key) { append_value(config, 'rsn_override_key_mgmt_2', 'SAE-EXT-KEY'); if (config.ieee80211r) append_value(config, 'rsn_override_key_mgmt_2', 'FT-SAE-EXT-KEY');