Difuse/difos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wifi-scripts: add support for RSN overide and use it for improved WPA3 compat

Browse source 
Override via RSNE is a relatively new feature, which can be used to enable
WPA3 features in a way that is invisible to older clients.
Use it by default to mask the GCMP-256 cipher from older clients, since
there are compatibility issues with existing devices.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau 2025-06-24 15:04:17 +02:00
parent 9df3d6b21c
commit b48925fd9c
5 changed files with 80 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
View file

@ -940,6 +940,11 @@
"rsn_preauth": { "rsn_preauth": {
"type": "boolean" "type": "boolean"
}, },
"rsn_override": {
"type": "number",
"description": "Use RSNE override IE WPA3 compatibility (0: disabled, 1: enabled, 2:force WPA2 for older devices)",
"default": 1
},
"sae_pwe": { "sae_pwe": {
"description": "SAE mechanism for PWE derivation", "description": "SAE mechanism for PWE derivation",
"type": "number", "type": "number",

8
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
View file

@ -84,6 +84,8 @@ function iface_auth_type(config) {
if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) { if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
config.ieee80211w = 1; config.ieee80211w = 1;
if (config.rsn_override)
config.rsn_override_mfp = 2;
config.sae_require_mfp = 1; config.sae_require_mfp = 1;
config.sae_pwe = 2; config.sae_pwe = 2;
} }
@ -171,7 +173,8 @@ function iface_auth_type(config) {
'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period', 'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr', 'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise', 'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id' 'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id',
'rsn_override_pairwise', 'rsn_override_mfp'
]); ]);
} }
@ -475,7 +478,8 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
iface.wpa_key_mgmt(config); iface.wpa_key_mgmt(config);
append_vars(config, [ append_vars(config, [
'wpa_key_mgmt' 'wpa_key_mgmt',
'rsn_override_key_mgmt'
]); ]);
/* raw options */ /* raw options */

48
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
View file

@ -26,7 +26,6 @@ export function parse_encryption(config, dev_config) {
switch(config.auth_type) { switch(config.auth_type) {
case 'owe': case 'owe':
config.auth_type = 'owe'; config.auth_type = 'owe';
config.wpa_pairwise = wpa3_pairwise;
break; break;
case 'wpa3-192': case 'wpa3-192':
@ -35,33 +34,37 @@ export function parse_encryption(config, dev_config) {
case 'wpa3-mixed': case 'wpa3-mixed':
config.auth_type = 'eap-eap2'; config.auth_type = 'eap-eap2';
config.wpa_pairwise = wpa3_pairwise;
break; break;
case 'wpa3': case 'wpa3':
config.auth_type = 'eap2'; config.auth_type = 'eap2';
config.wpa_pairwise = wpa3_pairwise;
break; break;
case 'psk':
case 'psk-mixed': case 'psk-mixed':
config.auth_type = "psk"; config.auth_type = "psk";
config.wpa_pairwise = null;
break; break;
case 'sae':
case 'psk3': case 'psk3':
config.auth_type = 'sae'; config.auth_type = 'sae';
config.wpa_pairwise = wpa3_pairwise;
break; break;
case 'psk3-mixed': case 'psk3-mixed':
case 'sae-mixed': case 'sae-mixed':
config.auth_type = 'psk-sae'; config.auth_type = 'psk-sae';
config.wpa_pairwise = wpa3_pairwise;
break; break;
case 'wpa': case 'wpa':
case 'wpa2': case 'wpa2':
case 'wpa-mixed': case 'wpa-mixed':
config.auth_type = 'eap'; config.auth_type = 'eap';
config.wpa_pairwise = null;
break;
default:
config.wpa_pairwise = null;
break; break;
} }
@ -95,8 +98,18 @@ export function parse_encryption(config, dev_config) {
break; break;
default: default:
if (config.encryption == 'wpa3-192') if (config.encryption == 'wpa3-192') {
config.wpa_pairwise = 'GCMP-256'; config.wpa_pairwise = 'GCMP-256';
break;
}
if (!wpa3_pairwise)
break;
if (config.rsn_override)
config.rsn_override_pairwise = wpa3_pairwise;
else
config.wpa_pairwise = wpa3_pairwise;
break; break;
} }
@ -131,10 +144,12 @@ export function wpa_key_mgmt(config) {
break; break;
case 'eap-eap2': case 'eap-eap2':
append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
append_value(config, 'wpa_key_mgmt', 'WPA-EAP-SHA256'); append_value(config, 'wpa_key_mgmt', 'WPA-EAP-SHA256');
if (config.ieee80211r) if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-EAP'); append_value(config, 'wpa_key_mgmt', 'FT-EAP');
config.rsn_override_key_mgmt = config.wpa_key_mgmt;
append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
break; break;
case 'eap2': case 'eap2':
@ -150,14 +165,18 @@ export function wpa_key_mgmt(config) {
break; break;
case 'psk-sae': case 'psk-sae':
append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
append_value(config, 'wpa_key_mgmt', 'SAE'); append_value(config, 'wpa_key_mgmt', 'SAE');
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-SAE');
config.rsn_override_key_mgmt = config.wpa_key_mgmt;
if (config.rsn_override > 1)
delete config.wpa_key_mgmt;
append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
if (config.ieee80211w) if (config.ieee80211w)
append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256'); append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256');
if (config.ieee80211r) { if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-PSK'); append_value(config, 'wpa_key_mgmt', 'FT-PSK');
append_value(config, 'wpa_key_mgmt', 'FT-SAE');
}
break; break;
case 'owe': case 'owe':
@ -179,6 +198,13 @@ export function wpa_key_mgmt(config) {
append_value(config, 'wpa_key_mgmt', 'FILS-SHA256'); append_value(config, 'wpa_key_mgmt', 'FILS-SHA256');
if (config.ieee80211r) if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256'); append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256');
if (!config.rsn_override_key_mgmt)
break;
append_value(config, 'rsn_override_key_mgmt', 'FILS-SHA256');
if (config.ieee80211r)
append_value(config, 'rsn_override_key_mgmt', 'FT-FILS-SHA256');
break; break;
} }
} }

25
package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
View file

@ -51,9 +51,10 @@ hostapd_append_wpa_key_mgmt() {
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"
;; ;;
eap-eap2) eap-eap2)
append wpa_key_mgmt "WPA-EAP"
append wpa_key_mgmt "WPA-EAP-SHA256" append wpa_key_mgmt "WPA-EAP-SHA256"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
[ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
append wpa_key_mgmt "WPA-EAP"
;; ;;
eap2) eap2)
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
@ -64,13 +65,15 @@ hostapd_append_wpa_key_mgmt() {
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
;; ;;
psk-sae) psk-sae)
append wpa_key_mgmt "SAE"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
[ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
[ "$rsn_override" -gt 1 ] && wpa_key_mgmt=
[ "$band" = "6g" ] || { [ "$band" = "6g" ] || {
append wpa_key_mgmt "WPA-PSK" append wpa_key_mgmt "WPA-PSK"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256" [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
} }
append wpa_key_mgmt "SAE"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
;; ;;
owe) owe)
append wpa_key_mgmt "OWE" append wpa_key_mgmt "OWE"
@ -86,11 +89,19 @@ hostapd_append_wpa_key_mgmt() {
eap*) eap*)
append wpa_key_mgmt FILS-SHA256 append wpa_key_mgmt FILS-SHA256
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256
[ "$rsn_override" -gt 0 ] && {
append rsn_override_key_mgmt FILS-SHA256
[ "${ieee80211r:-0}" -gt 0 ] && append rsn_override_key_mgmt FT-FILS-SHA256
}
;; ;;
esac esac
} }
[ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN" [ "$auth_osen" = "1" ] && {
append wpa_key_mgmt "OSEN"
[ "$rsn_override" -gt 0 ] && append rsn_override_key_mgmt OSEN
}
} }
hostapd_add_log_config() { hostapd_add_log_config() {
@ -341,6 +352,7 @@ hostapd_common_add_bss_config() {
config_add_array r0kh r1kh config_add_array r0kh r1kh
config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
config_add_int rsn_override
config_add_string macfilter 'macfile:file' config_add_string macfilter 'macfile:file'
config_add_array 'maclist:list(macaddr)' config_add_array 'maclist:list(macaddr)'
@ -611,8 +623,9 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \ ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif \ multicast_to_unicast_all proxy_arp per_sta_vif \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \ eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
vendor_elements fils ocv apup vendor_elements fils ocv apup rsn_override
set_default rsn_override 1
set_default fils 0 set_default fils 0
set_default isolate 0 set_default isolate 0
set_default maxassoc 0 set_default maxassoc 0
@ -849,6 +862,7 @@ hostapd_set_bss_options() {
append bss_conf "auth_algs=${auth_algs:-1}" "$N" append bss_conf "auth_algs=${auth_algs:-1}" "$N"
append bss_conf "wpa=$wpa" "$N" append bss_conf "wpa=$wpa" "$N"
[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N" [ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
[ -n "$rsn_override_pairwise" ] && append bss_conf "rsn_override_pairwise=$rsn_override_pairwise" "$N"
set_default wps_pushbutton 0 set_default wps_pushbutton 0
set_default wps_label 0 set_default wps_label 0
@ -961,6 +975,7 @@ hostapd_set_bss_options() {
hostapd_append_wpa_key_mgmt hostapd_append_wpa_key_mgmt
[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N" [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
[ -n "$rsn_override_key_mgmt" ] && append bss_conf "rsn_override_key_mgmt=$rsn_override_key_mgmt" "$N"
fi fi
if [ "$wpa" -ge "2" ]; then if [ "$wpa" -ge "2" ]; then

14
package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
View file

@ -209,19 +209,28 @@ _wdev_wrapper \
wireless_set_retry \ wireless_set_retry \
wireless_vif_parse_encryption() { wireless_vif_parse_encryption() {
json_get_vars encryption json_get_vars encryption rsn_override
set_default encryption none set_default encryption none
set_default rsn_override 1
auth_mode_open=1 auth_mode_open=1
auth_mode_shared=0 auth_mode_shared=0
auth_type=none auth_type=none
wpa_override_cipher=
rsn_override_pairwise=
if [ "$hwmode" = "ad" ]; then if [ "$hwmode" = "ad" ]; then
wpa_cipher="GCMP" wpa_cipher="GCMP"
else else
wpa_cipher="CCMP" wpa_cipher="CCMP"
case "$encryption" in case "$encryption" in
sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";; sae*|wpa3*|psk3*|owe)
if [ "$rsn_override" -gt 0 ]; then
wpa_override_cipher="${wpa3_cipher}$wpa_cipher"
else
wpa_cipher="${wpa3_cipher}$wpa_cipher"
fi
;;
esac esac
fi fi
@ -233,6 +242,7 @@ wireless_vif_parse_encryption() {
*gcmp256) wpa_cipher="GCMP-256";; *gcmp256) wpa_cipher="GCMP-256";;
*gcmp) wpa_cipher="GCMP";; *gcmp) wpa_cipher="GCMP";;
wpa3-192*) wpa_cipher="GCMP-256";; wpa3-192*) wpa_cipher="GCMP-256";;
*) rsn_override_pairwise="$wpa_override_cipher";;
esac esac
# 802.11n requires CCMP for WPA # 802.11n requires CCMP for WPA