From 254dd7d7d9c88e1b05dad44615213de9a0a4e462 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Wed, 11 Jun 2025 11:28:12 +0200
Subject: [PATCH] wifi-scripts: enable GCMP-256 by default on WPA3/OWE configurations with HE or EHT

GCMP-256 support is mandatory with EHT, but HE hardware can already be expected to support it.

Signed-off-by: Felix Fietkau
---
 .../files-ucode/usr/share/ucode/wifi/ap.uc | 2 +-
 .../files-ucode/usr/share/ucode/wifi/iface.uc | 106 ++++++++++--------
 .../files/lib/netifd/netifd-wireless.sh | 11 +-
 3 files changed, 68 insertions(+), 51 deletions(-)
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index d72abdd3e4a..316dc24f00e 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -437,7 +437,7 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
 iface_setup(config);
- iface.parse_encryption(config);
+ iface.parse_encryption(config, data.config);
 if (data.config.band == '6g') {
 if (config.auth_type == 'psk-sae')
 config.auth_type = 'sae';
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
index 710ded10e51..52b76b43967 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -3,10 +3,67 @@ import { append_value, log } from 'wifi.common';
 import * as fs from 'fs';
-export function parse_encryption(config) {
+export function parse_encryption(config, dev_config) {
 let encryption = split(config.encryption, '+', 2);
+ config.wpa = 0;
+ for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
+ 'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
+ if (wildcard(config.encryption, k)) {
+ config.wpa = v;
+ break;
+ }
+ if (!config.wpa)
+ config.wpa_pairwise = null;
 config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
+ config.auth_type = encryption[0] ?? 'none';
+
+ let wpa3_pairwise = config.wpa_pairwise;
+ if (wildcard(dev_config?.htmode, 'EHT*') || wildcard(dev_config?.htmode, 'HE*'))
+ wpa3_pairwise = 'GCMP-256 ' + wpa3_pairwise;
+
+ switch(config.auth_type) {
+ case 'owe':
+ config.auth_type = 'owe';
+ config.wpa_pairwise = wpa3_pairwise;
+ break;
+
+ case 'wpa3-192':
+ config.auth_type = 'eap192';
+ break;
+
+ case 'wpa3-mixed':
+ config.auth_type = 'eap-eap2';
+ config.wpa_pairwise = wpa3_pairwise;
+ break;
+
+ case 'wpa3':
+ config.auth_type = 'eap2';
+ config.wpa_pairwise = wpa3_pairwise;
+ break;
+
+ case 'psk-mixed':
+ config.auth_type = "psk";
+ break;
+
+ case 'psk3':
+ config.auth_type = 'sae';
+ config.wpa_pairwise = wpa3_pairwise;
+ break;
+
+ case 'psk3-mixed':
+ case 'sae-mixed':
+ config.auth_type = 'psk-sae';
+ config.wpa_pairwise = wpa3_pairwise;
+ break;
+
+ case 'wpa':
+ case 'wpa2':
+ case 'wpa-mixed':
+ config.auth_type = 'eap';
+ break;
+ }
 switch(encryption[1]){
 case 'tkip+aes':
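Review bot: The relocated `if (!config.wpa) config.wpa_pairwise = null;` is now a dead store, because the unchanged context line `config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';` follows it and overwrites the null unconditionally. Before this change the reset ran after the cipher switch, so an interface with no WPA mode ended up with a null pairwise cipher; whether later code relies on that null is not visible in this hunk. Keeping those two lines at the end of `parse_encryption`, after `switch(encryption[1])`, would preserve the old result. Separately, `switch(config.auth_type)` has no `case 'sae':`, so `encryption 'sae'` keeps plain CCMP while `psk3` gets `wpa3_pairwise` and the shell counterpart in netifd-wireless.sh matches `sae*`; adding `case 'sae':` next to `case 'psk3':` would make both paths agree. The function body continues past this hunk.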
@@ -43,53 +100,6 @@ export function parse_encryption(config) {
 break;
 }
- config.wpa = 0;
- for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
- 'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
- if (wildcard(config.encryption, k)) {
- config.wpa = v;
- break;
- }
- if (!config.wpa)
- config.wpa_pairwise = null;
-
- config.auth_type = encryption[0] ?? 'none';
- switch(config.auth_type) {
- case 'owe':
- config.auth_type = 'owe';
- break;
-
- case 'wpa3-192':
- config.auth_type = 'eap192';
- break;
-
- case 'wpa3-mixed':
- config.auth_type = 'eap-eap2';
- break;
-
- case 'wpa3':
- config.auth_type = 'eap2';
- break;
-
- case 'psk-mixed':
- config.auth_type = "psk";
- break;
-
- case 'psk3':
- config.auth_type = 'sae';
- break;
-
- case 'psk3-mixed':
- case 'sae-mixed':
- config.auth_type = 'psk-sae';
- break;
-
- case 'wpa':
- case 'wpa2':
- case 'wpa-mixed':
- config.auth_type = 'eap';
- break;
- }
 };
 export function wpa_key_mgmt(config) {
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
index c3772bb4431..8460de4653d 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@@ -39,11 +39,10 @@ prepare_key_wep() {
 }
 _wdev_prepare_channel() {
- json_get_vars channel band hwmode
+ json_get_vars channel band hwmode htmode
 auto_channel=0
 enable_ht=0
- htmode=
 hwmode="${hwmode##11}"
 case "$channel" in
@@ -80,6 +79,11 @@ _wdev_prepare_channel() {
 esac
 ;;
 esac
+
+ case "$htmode" in
+ HE*|EHT*) wpa3_cipher="GCMP-256 ";;
+ *) wpa3_cipher="";;
+ esac
 }
 _wdev_handler() {
@@ -216,6 +220,9 @@ wireless_vif_parse_encryption() {
 wpa_cipher="GCMP"
 else
 wpa_cipher="CCMP"
+ case "$encryption" in
+ sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+ esac
 fi
 case "$encryption" in
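Review bot: `wpa3_cipher` is assigned at the end of `_wdev_prepare_channel` with no `local` visible in the hunk and is read later in `wireless_vif_parse_encryption`, so the cipher default depends on call order that nothing here documents. If the vif parser runs without this function having run first, the variable expands to empty and the interface stays on the previous CCMP-only default, which is easy to miss when debugging. A comment above the new `case` would record the coupling, for example `# wpa3_cipher: prefix read by wireless_vif_parse_encryption; empty unless htmode is HE*/EHT*`. The function starts outside this hunk.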
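Review bot: The pattern `sae*|wpa3*|psk3*|owe` also matches `wpa3-192`, which the ucode `parse_encryption` in this same patch leaves without the GCMP-256 prefix. The `case "$encryption" in` that follows may override `wpa_cipher` for that mode, but its arms lie outside the hunk, so the two implementations should be checked against each other for `wpa3-192`. If the later block does not already handle it, naming the modes explicitly, e.g. `sae*|wpa3|wpa3-mixed|psk3*|owe)`, would keep the shell and ucode defaults aligned.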