wifi-scripts: ucode: enable Beacon Protection by default with PMF

The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1, Table 4 (Common security configuration) marks Beacon Protection
as MAND for EHT-enabled APs and RECOM otherwise for all WPA3 and
Wi-Fi Enhanced Open modes.

The ucode path blindly passed beacon_prot through from UCI in iface
setup, which ran before encryption and MFP had been configured, and
left hostapd at its insecure default of 0 when the user did not
explicitly opt in.

Default beacon_prot to 1 in iface_mfp after MFP has been confirmed to
be enabled, and emit it there instead of in iface_setup so the option
is only written when PMF support is actually negotiated. Users can
still disable it explicitly via UCI.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index c0a3ddfe3b3ecc30a95cf59573cc18bdce963cf2..633858d95d902bcd6b145605006b9a8a851108ca 100644 (file)
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -57,7 +57,7 @@ function iface_setup(config) {
                'disassoc_low_ack', 'skip_inactivity_poll', 'ignore_broadcast_ssid', 'uapsd_advertisement_enabled',
                'utf8_ssid', 'multi_ap', 'multi_ap_vlanid', 'multi_ap_profile', 'tdls_prohibit', 'bridge',
                'wds_sta', 'wds_bridge', 'snoop_iface', 'vendor_elements', 'nas_identifier', 'radius_acct_interim_interval',
-               'ocv', 'beacon_prot', 'spp_amsdu', 'multicast_to_unicast', 'preamble', 'proxy_arp', 'per_sta_vif', 'mbo',
+               'ocv', 'spp_amsdu', 'multicast_to_unicast', 'preamble', 'proxy_arp', 'per_sta_vif', 'mbo',
                'bss_transition', 'wnm_sleep_mode', 'wnm_sleep_mode_no_keys', 'qos_map_set', 'max_listen_int',
                'dtim_period', 'wmm_enabled', 'start_disabled', 'na_mcast_to_ucast', 'no_probe_resp_if_max_sta',
        ]);
@@ -412,8 +412,11 @@ function iface_mfp(config) {
        else
                config.group_mgmt_cipher = config.ieee80211w_mgmt_cipher ?? 'AES-128-CMAC';
 
+       set_default(config, 'beacon_prot', 1);
+
        append_vars(config, [
-               'ieee80211w', 'group_mgmt_cipher', 'assoc_sa_query_max_timeout', 'assoc_sa_query_retry_timeout'
+               'ieee80211w', 'group_mgmt_cipher', 'beacon_prot',
+               'assoc_sa_query_max_timeout', 'assoc_sa_query_retry_timeout'
        ]);
 }