git.ipfire.org Git - thirdparty/openwrt.git/commit

author	Hauke Mehrtens <hauke@hauke-m.de>
	Sun, 19 Apr 2026 19:38:56 +0000 (21:38 +0200)
committer	Hauke Mehrtens <hauke@hauke-m.de>
	Sat, 2 May 2026 18:34:22 +0000 (20:34 +0200)
commit	86b9eec8f02b60dd7e74f92cb5d2c61efe6d16c8
tree	fdccbe0691bcac321a98ef840bf4f6920763ca2e	tree \| snapshot
parent	ef393caee2a97508846e4c3f5e4342473cf234a1	commit \| diff

wifi-scripts: ucode: add WPA3-Personal Compatibility Mode

The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1 §2.4 (Tables 6 and 7) defines WPA3-Personal Compatibility Mode:
the AP advertises a legacy-looking RSNE (WPA-PSK, CCMP-128, PMF
Disabled) while RSN Override Elements layered on top expose SAE and,
on EHT, SAE-EXT-KEY.  WPA2-only STAs and STAs that ignore RSN
Overriding associate unchanged; modern STAs pick up the stronger WPA3
AKM via RSNOE or RSNO2E.

Only the pairwise cipher differs between elements: RSNE and RSNOE
advertise CCMP-128, RSNO2E advertises GCMP-256 (EHT only).  Group
data (CCMP-128) and group management cipher (BIP-CMAC-128) are the
same in all three per Tables 6/7, so hostapd's BSS-wide group_cipher
and group_mgmt_cipher singletons produce the spec-correct values.

Unlike WPA3-Personal Transition Mode (sae-mixed), which puts PSK and
SAE together in the main RSNE with PMF Capable, Compatibility Mode
keeps the main RSNE strictly WPA2-shaped so clients that choke on a
mixed AKM list or PMF=Capable still see a pure WPA2 BSS.  The trade-
off is that clients without RSN Overriding support never pick up SAE.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc		diff \| blob \| blame \| history
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc		diff \| blob \| blame \| history