wifi-scripts: ucode: advertise SAE-EXT-KEY AKM alongside SAE

WPA3 Specification v3.5 §2.5.4 mandates that an AP's BSS Configuration
enables AKM suite selector 00-0F-AC:24 (SAE-EXT-KEY, SAE with a
group-dependent hash) whenever EHT or MLO is enabled. The WPA3 and
Wi-Fi Enhanced Open Deployment Guide v1.1 also recommends it on
non-EHT APs (Tables 3, 5, 6, 8).

Add a new sae_ext_key UCI option (enabled by default) that advertises
SAE-EXT-KEY, and FT-SAE-EXT-KEY when 802.11r is enabled, alongside
plain SAE/FT-SAE for the sae and psk-sae encryption modes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
index 0d0e64d67b97337b6e2522c7531f70832095b3b3..97dea0e42ddc83c7cdeab40a9a2bb3712b84ca4d 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
@@ -962,6 +962,11 @@
                "rsn_preauth": {
                        "type": "boolean"
                },
+               "sae_ext_key": {
+                       "description": "Advertise the SAE-EXT-KEY AKM alongside plain SAE. Mandatory for EHT, enabled by default.",
+                       "type": "boolean",
+                       "default": true
+               },
                "sae_password_file": {
                        "description": "External file containing VLAN SAE MAC address triplets",
                        "type": "string"

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
index 4f718327f06fad3c9bcbfbed406646de94566aa5..1f139e3a34e09f123917d5a4ab06d9065c83e97a 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -148,14 +148,24 @@ export function wpa_key_mgmt(config) {
 
        case 'sae':
                append_value(config, 'wpa_key_mgmt', 'SAE');
-               if (config.ieee80211r)
+               if (config.sae_ext_key)
+                       append_value(config, 'wpa_key_mgmt', 'SAE-EXT-KEY');
+               if (config.ieee80211r) {
                        append_value(config, 'wpa_key_mgmt', 'FT-SAE');
+                       if (config.sae_ext_key)
+                               append_value(config, 'wpa_key_mgmt', 'FT-SAE-EXT-KEY');
+               }
                break;
 
        case 'psk-sae':
                append_value(config, 'wpa_key_mgmt', 'SAE');
-               if (config.ieee80211r)
+               if (config.sae_ext_key)
+                       append_value(config, 'wpa_key_mgmt', 'SAE-EXT-KEY');
+               if (config.ieee80211r) {
                        append_value(config, 'wpa_key_mgmt', 'FT-SAE');
+                       if (config.sae_ext_key)
+                               append_value(config, 'wpa_key_mgmt', 'FT-SAE-EXT-KEY');
+               }
 
                append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
                if (config.ieee80211w)