wifi-scripts: add support for RSN overide and use it for improved WPA3 compat

Override via RSNE is a relatively new feature, which can be used to enable WPA3 features in a way that is invisible to older clients. Use it by default to mask the GCMP-256 cipher from older clients, since there are compatibility issues with existing devices. Signed-off-by: Felix Fietkau <nbd@nbd.name>
2025-06-24 15:04:17 +02:00 · 2025-06-24 15:04:17 +02:00 · b48925fd9c
commit b48925fd9c
parent 9df3d6b21c
5 changed files with 80 additions and 20 deletions
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
@ -940,6 +940,11 @@
 		"rsn_preauth": {
 			"type": "boolean"
 		},
+		"rsn_override": {
+			"type": "number",
+			"description": "Use RSNE override IE WPA3 compatibility (0: disabled, 1: enabled, 2:force WPA2 for older devices)",
+			"default": 1
+		},
 		"sae_pwe": {
 			"description": "SAE mechanism for PWE derivation",
 			"type": "number",
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@ -84,6 +84,8 @@ function iface_auth_type(config) {

 	if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
 		config.ieee80211w = 1;
+		if (config.rsn_override)
+			config.rsn_override_mfp = 2;
 		config.sae_require_mfp = 1;
 		config.sae_pwe = 2;
 	}
@ -171,7 +173,8 @@ function iface_auth_type(config) {
 		'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
 		'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
 		'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
-		'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
+		'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id',
+		'rsn_override_pairwise', 'rsn_override_mfp'
 	]);
 }

@ -475,7 +478,8 @@ export function generate(interface, data, config, vlans, stas, phy_features) {

 	iface.wpa_key_mgmt(config);
 	append_vars(config, [
-		'wpa_key_mgmt'
+		'wpa_key_mgmt',
+		'rsn_override_key_mgmt'
 	]);

 	/* raw options */
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@ -26,7 +26,6 @@ export function parse_encryption(config, dev_config) {
 	switch(config.auth_type) {
 	case 'owe':
 		config.auth_type = 'owe';
-		config.wpa_pairwise = wpa3_pairwise;
 		break;

 	case 'wpa3-192':
@ -35,33 +34,37 @@ export function parse_encryption(config, dev_config) {

 	case 'wpa3-mixed':
 		config.auth_type = 'eap-eap2';
-		config.wpa_pairwise = wpa3_pairwise;
 		break;

 	case 'wpa3':
 		config.auth_type = 'eap2';
-		config.wpa_pairwise = wpa3_pairwise;
 		break;

+	case 'psk':
 	case 'psk-mixed':
 		config.auth_type = "psk";
+		config.wpa_pairwise = null;
 		break;

+	case 'sae':
 	case 'psk3':
 		config.auth_type = 'sae';
-		config.wpa_pairwise = wpa3_pairwise;
 		break;

 	case 'psk3-mixed':
 	case 'sae-mixed':
 		config.auth_type = 'psk-sae';
-		config.wpa_pairwise = wpa3_pairwise;
 		break;

 	case 'wpa':
 	case 'wpa2':
 	case 'wpa-mixed':
 		config.auth_type = 'eap';
+		config.wpa_pairwise = null;
+		break;
+
+	default:
+		config.wpa_pairwise = null;
 		break;
 	}

@ -95,8 +98,18 @@ export function parse_encryption(config, dev_config) {
 		break;

 	default:
-		if (config.encryption == 'wpa3-192')
+		if (config.encryption == 'wpa3-192') {
 			config.wpa_pairwise = 'GCMP-256';
+			break;
+		}
+
+		if (!wpa3_pairwise)
+			break;
+
+		if (config.rsn_override)
+			config.rsn_override_pairwise = wpa3_pairwise;
+		else
+			config.wpa_pairwise = wpa3_pairwise;
 		break;
 	}

@ -131,10 +144,12 @@ export function wpa_key_mgmt(config) {
 		break;

 	case 'eap-eap2':
-		append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
 		append_value(config, 'wpa_key_mgmt', 'WPA-EAP-SHA256');
 		if (config.ieee80211r)
 			append_value(config, 'wpa_key_mgmt', 'FT-EAP');
+
+		config.rsn_override_key_mgmt = config.wpa_key_mgmt;
+		append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
 		break;

 	case 'eap2':
@ -150,14 +165,18 @@ export function wpa_key_mgmt(config) {
 		break;

 	case 'psk-sae':
-		append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
 		append_value(config, 'wpa_key_mgmt', 'SAE');
+		if (config.ieee80211r)
+			append_value(config, 'wpa_key_mgmt', 'FT-SAE');
+		config.rsn_override_key_mgmt = config.wpa_key_mgmt;
+		if (config.rsn_override > 1)
+			delete config.wpa_key_mgmt;
+
+		append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
 		if (config.ieee80211w)
 			append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256');
-		if (config.ieee80211r) {
+		if (config.ieee80211r)
 			append_value(config, 'wpa_key_mgmt', 'FT-PSK');
-			append_value(config, 'wpa_key_mgmt', 'FT-SAE');
-		}
 		break;

 	case 'owe':
@ -179,6 +198,13 @@ export function wpa_key_mgmt(config) {
 			append_value(config, 'wpa_key_mgmt', 'FILS-SHA256');
 			if (config.ieee80211r)
 				append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256');
+
+			if (!config.rsn_override_key_mgmt)
+				break;
+
+			append_value(config, 'rsn_override_key_mgmt', 'FILS-SHA256');
+			if (config.ieee80211r)
+				append_value(config, 'rsn_override_key_mgmt', 'FT-FILS-SHA256');
 			break;
 		}
 	}
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@ -51,9 +51,10 @@ hostapd_append_wpa_key_mgmt() {
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"
 		;;
 		eap-eap2)
-			append wpa_key_mgmt "WPA-EAP"
 			append wpa_key_mgmt "WPA-EAP-SHA256"
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
+			[ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
+			append wpa_key_mgmt "WPA-EAP"
 		;;
 		eap2)
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
@ -64,13 +65,15 @@ hostapd_append_wpa_key_mgmt() {
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 		;;
 		psk-sae)
+			append wpa_key_mgmt "SAE"
+			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
+			[ "$rsn_override" -gt 0 ] && rsn_override_key_mgmt="$wpa_key_mgmt"
+			[ "$rsn_override" -gt 1 ] && wpa_key_mgmt=
 			[ "$band" = "6g" ] || {
 				append wpa_key_mgmt "WPA-PSK"
 				[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
 				[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
 			}
-			append wpa_key_mgmt "SAE"
-			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 		;;
 		owe)
 			append wpa_key_mgmt "OWE"
@ -86,11 +89,19 @@ hostapd_append_wpa_key_mgmt() {
 			eap*)
 				append wpa_key_mgmt FILS-SHA256
 				[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256
+
+				[ "$rsn_override" -gt 0 ] && {
+					append rsn_override_key_mgmt FILS-SHA256
+					[ "${ieee80211r:-0}" -gt 0 ] && append rsn_override_key_mgmt FT-FILS-SHA256
+				}
 			;;
 		esac
 	}

-	[ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN"
+	[ "$auth_osen" = "1" ] && {
+		append wpa_key_mgmt "OSEN"
+		[ "$rsn_override" -gt 0 ] && append rsn_override_key_mgmt OSEN
+	}
 }

 hostapd_add_log_config() {
@ -341,6 +352,7 @@ hostapd_common_add_bss_config() {
 	config_add_array r0kh r1kh

 	config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
+	config_add_int rsn_override

 	config_add_string macfilter 'macfile:file'
 	config_add_array 'maclist:list(macaddr)'
@ -611,8 +623,9 @@ hostapd_set_bss_options() {
 		ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
 		multicast_to_unicast_all proxy_arp per_sta_vif \
 		eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
-		vendor_elements fils ocv apup
+		vendor_elements fils ocv apup rsn_override

+	set_default rsn_override 1
 	set_default fils 0
 	set_default isolate 0
 	set_default maxassoc 0
@ -849,6 +862,7 @@ hostapd_set_bss_options() {
 	append bss_conf "auth_algs=${auth_algs:-1}" "$N"
 	append bss_conf "wpa=$wpa" "$N"
 	[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
+	[ -n "$rsn_override_pairwise" ] && append bss_conf "rsn_override_pairwise=$rsn_override_pairwise" "$N"

 	set_default wps_pushbutton 0
 	set_default wps_label 0
@ -961,6 +975,7 @@ hostapd_set_bss_options() {

 		hostapd_append_wpa_key_mgmt
 		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+		[ -n "$rsn_override_key_mgmt" ] && append bss_conf "rsn_override_key_mgmt=$rsn_override_key_mgmt" "$N"
 	fi

 	if [ "$wpa" -ge "2" ]; then
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@ -209,19 +209,28 @@ _wdev_wrapper \
 	wireless_set_retry \

 wireless_vif_parse_encryption() {
-	json_get_vars encryption
+	json_get_vars encryption rsn_override
 	set_default encryption none

+	set_default rsn_override 1
 	auth_mode_open=1
 	auth_mode_shared=0
 	auth_type=none
+	wpa_override_cipher=
+	rsn_override_pairwise=

 	if [ "$hwmode" = "ad" ]; then
 		wpa_cipher="GCMP"
 	else
 		wpa_cipher="CCMP"
 		case "$encryption" in
-			sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+			sae*|wpa3*|psk3*|owe)
+				if [ "$rsn_override" -gt 0 ]; then
+					wpa_override_cipher="${wpa3_cipher}$wpa_cipher"
+				else
+					wpa_cipher="${wpa3_cipher}$wpa_cipher"
+				fi
+			;;
 		esac
 	fi

@ -233,6 +242,7 @@ wireless_vif_parse_encryption() {
 		*gcmp256) wpa_cipher="GCMP-256";;
 		*gcmp) wpa_cipher="GCMP";;
 		wpa3-192*) wpa_cipher="GCMP-256";;
+		*) rsn_override_pairwise="$wpa_override_cipher";;
 	esac

 	# 802.11n requires CCMP for WPA