The rsn_override UCI number was scaffolding that let a Transition
Mode BSS (sae-mixed, wpa3-mixed) automatically overlay a WPA3
Compatibility-Mode-like layout: WPA3 AKMs were moved from the main
RSNE into RSNOE/RSNO2E, and with rsn_override=2 the main RSNE even
dropped SAE entirely to placate clients that refuse to associate to
a mixed AKM list.
This layout does not match any mode defined in the WPA3 and Wi-Fi
Enhanced Open Deployment and Implementation Guide v1.1: Transition
Mode (Table 5) advertises the full AKM list in a single RSNE, and
Compatibility Mode (ยง2.4, Tables 6 and 7) requires a specific
combination of RSNE, RSNOE and RSNO2E contents that the knob cannot
express. In practice it also triggers interop failures: Pixel 10
phones refuse to associate to a Transition-Mode BSS whose SAE-EXT-KEY
AKM has been shoved into RSNO2E by this scaffolding, even though the
same BSS works fine when the full AKM list stays in the main RSNE.
Keep the generated configuration honest by removing the knob; the RSN
override plumbing stays in place for a future caller that sets the
override fields explicitly. SAE-EXT-KEY advertisement will be added
back in a later commit via a dedicated sae_ext_key path that places
the AKM where the Deployment Guide actually requires it.
Drop the rsn_override schema entry and every wifi-scripts path that
read it:
* parse_encryption no longer diverts the WPA3 pairwise cipher
into rsn_override_pairwise.
* wpa_key_mgmt no longer mirrors WPA-EAP into
rsn_override_key_mgmt, moves SAE/SAE-EXT-KEY into the override
for psk-sae, or drops the main RSNE AKM list when
rsn_override > 1.
* generate() no longer back-fills missing rsn_override_* fields
from the main RSNE or duplicates the override element into an
MLO-gated RSNO2E.
The RSN override elements are now emitted only when each of
(rsn_override_key_mgmt, rsn_override_pairwise, rsn_override_mfp) --
and their _2 counterparts -- has been populated explicitly, which
keeps the machinery from firing on transition modes where it was
never spec-compliant.
Fixes: https://github.com/openwrt/openwrt/issues/21486
Fixes: https://github.com/openwrt/openwrt/issues/22200
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
"rsn_preauth": {
"type": "boolean"
},
- "rsn_override": {
- "type": "number",
- "description": "Use RSNE override IE WPA3 compatibility (0: disabled, 1: enabled, 2:force WPA2 for older devices)",
- "default": 1
- },
"sae_password_file": {
"description": "External file containing VLAN SAE MAC address triplets",
"type": "string"
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ])
config.ieee80211w = 2;
- if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
+ if (config.auth_type in [ 'psk-sae', 'eap-eap2' ])
set_default(config, 'ieee80211w', 1);
- if (config.rsn_override)
- config.rsn_override_mfp = 2;
- }
if (config.auth_type in [ 'sae', 'psk-sae' ]) {
config.sae_require_mfp = 1;
'wpa_key_mgmt',
]);
- if (config.rsn_override_key_mgmt || config.rsn_override_pairwise) {
- config.rsn_override_mfp ??= config.ieee80211w;
- config.rsn_override_key_mgmt ??= config.wpa_key_mgmt;
- config.rsn_override_pairwise ??= config.wpa_pairwise;
+ if (config.rsn_override_key_mgmt && config.rsn_override_pairwise && config.rsn_override_mfp) {
append_vars(config, [
'rsn_override_key_mgmt',
'rsn_override_pairwise',
'rsn_override_mfp'
]);
+ }
- if (config.mlo) {
- config.rsn_override_mfp_2 ??= config.rsn_override_mfp;
- config.rsn_override_key_mgmt_2 ??= config.rsn_override_key_mgmt;
- config.rsn_override_pairwise_2 ??= config.rsn_override_pairwise;
-
- append_vars(config, [
- 'rsn_override_key_mgmt_2',
- 'rsn_override_pairwise_2',
- 'rsn_override_mfp_2'
- ]);
- }
+ if (config.rsn_override_key_mgmt_2 && config.rsn_override_pairwise_2 && config.rsn_override_mfp_2) {
+ append_vars(config, [
+ 'rsn_override_key_mgmt_2',
+ 'rsn_override_pairwise_2',
+ 'rsn_override_mfp_2'
+ ]);
}
/* raw options */
if (!wpa3_pairwise)
break;
- if (config.rsn_override && wpa3_pairwise != config.wpa_pairwise)
- config.rsn_override_pairwise = wpa3_pairwise;
- else
- config.wpa_pairwise = wpa3_pairwise;
+ config.wpa_pairwise = wpa3_pairwise;
break;
}
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-EAP');
- if (config.rsn_override)
- config.rsn_override_key_mgmt = config.wpa_key_mgmt;
-
append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
break;
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-SAE');
- if (config.rsn_override) {
- config.rsn_override_key_mgmt = config.wpa_key_mgmt;
-
- append_value(config, 'rsn_override_key_mgmt_2', 'SAE-EXT-KEY');
- if (config.ieee80211r)
- append_value(config, 'rsn_override_key_mgmt_2', 'FT-SAE-EXT-KEY');
- }
-
- if (config.rsn_override > 1)
- delete config.wpa_key_mgmt;
-
append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
if (config.ieee80211w)
append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256');
append_value(config, 'wpa_key_mgmt', 'FILS-SHA256');
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256');
-
- if (!config.rsn_override_key_mgmt)
- break;
-
- append_value(config, 'rsn_override_key_mgmt', 'FILS-SHA256');
- if (config.ieee80211r)
- append_value(config, 'rsn_override_key_mgmt', 'FT-FILS-SHA256');
break;
}
}
projects / thirdparty / openwrt.git / commitdiff
