wifi-scripts: ucode: default sae_groups to NIST ECP 19/20/21

The WPA3 and Wi-Fi Enhanced Open Deployment Guide v1.1 (Table 4,
"SAE Groups") recommends that WPA3-Personal APs advertise support
for SAE groups 19, 20 and 21:

  * group 19 - ECP 256-bit (NIST P-256)
  * group 20 - ECP 384-bit (NIST P-384)
  * group 21 - ECP 521-bit (NIST P-521)

hostapd's default is group 19 only, which leaves the two larger
ECP groups unavailable even though the peer may prefer them.

Set sae_groups = "19 20 21" as the default for any BSS whose
auth_type is sae or psk-sae (SAE, SAE Transition and SAE
Compatibility modes).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index f9b676197e69f72a2156fb62c0779c2d25d5bacc..6c675b79a4d6ebdbecbb45eb05b75b9e68e2c765 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -100,8 +100,14 @@ function iface_auth_type(config, band) {
                        config.rsn_override_mfp_2 = 2;
        }
 
+       if (config.auth_type == 'owe') {
+               set_default(config, 'owe_groups', '19 20 21');
+               set_default(config, 'owe_ptk_workaround', 1);
+       }
+
        if (config.auth_type in [ 'sae', 'psk-sae', 'psk-sae-compat' ]) {
                config.sae_require_mfp = 1;
+               set_default(config, 'sae_groups', '19 20 21');
                if (!config.ppsk) {
                        if (band == '6g')
                                set_default(config, 'sae_pwe', 1);
@@ -199,11 +205,11 @@ function iface_auth_type(config, band) {
        }
 
        append_vars(config, [
-               'sae_require_mfp', 'sae_password_file', 'sae_pwe', 'sae_track_password', 'time_advertisement', 'time_zone',
+               'sae_require_mfp', 'sae_password_file', 'sae_pwe', 'sae_groups', 'sae_track_password', 'time_advertisement', 'time_zone',
                'wpa_group_rekey', 'wpa_ptk_rekey', 'wpa_gmk_rekey', 'wpa_strict_rekey',
                'macaddr_acl', 'wpa_psk_radius', 'wpa_psk', 'wpa_passphrase', 'wpa_psk_file',
                'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
-               'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
+               'radius_das_client', 'radius_das_port', 'owe_groups', 'owe_ptk_workaround', 'own_ip_addr', 'dynamic_own_ip_addr',
                'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
                'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
        ]);