[openwrt/openwrt] wifi-scripts: on psk-sae configurations, disable PSK support on 6 GHz

LEDE Commits lede-commits at lists.infradead.org
Sat Jun 21 11:34:30 PDT 2025 

nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/a17c3be409b066be24b66e748432dd767c1fa61d

commit a17c3be409b066be24b66e748432dd767c1fa61d
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Jun 11 11:05:04 2025 +0200

    wifi-scripts: on psk-sae configurations, disable PSK support on 6 GHz
    
    This allows sharing a wifi-iface section across bands while enforcing the no-PSK
    rule for 6 GHz
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 .../wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc      | 12 +++++++++---
 .../wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc |  8 ++++----
 .../network/config/wifi-scripts/files/lib/netifd/hostapd.sh  |  8 +++++---
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index d6ca3b5dd2..d72abdd3e4 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -76,8 +76,6 @@ function iface_accounting_server(config) {
 }
 
 function iface_auth_type(config) {
-	iface.parse_encryption(config);
-
 	if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) {
 		config.ieee80211w = 2;
 		config.sae_require_mfp = 1;
@@ -432,13 +430,21 @@ function iface_interworking(config) {
 	]);
 }
 
-export function generate(interface, config, vlans, stas, phy_features) {
+export function generate(interface, data, config, vlans, stas, phy_features) {
 	config.ctrl_interface = '/var/run/hostapd';
 
 	iface_stations(config, stas);
 
 	iface_setup(config);
 
+	iface.parse_encryption(config);
+	if (data.config.band == '6g') {
+		if (config.auth_type == 'psk-sae')
+			config.auth_type = 'sae';
+		if (config.auth_type == 'eap-eap2')
+			config.auth_type = 'eap2';
+	}
+
 	iface_auth_type(config);
 
 	iface_accounting_server(config);
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc
index 848f02d323..cc174cda50 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/hostapd.uc
@@ -523,11 +523,11 @@ function generate(config) {
 }
 
 let iface_idx = 0;
-function setup_interface(interface, config, vlans, stas, phy_features, fixup) {
+function setup_interface(interface, data, config, vlans, stas, phy_features, fixup) {
 	config = { ...config, fixup };
 
 	config.idx = iface_idx++;
-	ap.generate(interface, config, vlans, stas, phy_features);
+	ap.generate(interface, data, config, vlans, stas, phy_features);
 }
 
 export function setup(data) {
@@ -556,9 +556,9 @@ export function setup(data) {
 
 		let owe = interface.config.encryption == 'owe' && interface.config.owe_transition;
 
-		setup_interface(k, interface.config, interface.vlans, interface.stas, phy_features, owe ? 'owe' : null );
+		setup_interface(k, data, interface.config, interface.vlans, interface.stas, phy_features, owe ? 'owe' : null );
 		if (owe)
-			setup_interface(k, interface.config, interface.vlans, interface.stas, phy_features, 'owe-transition');
+			setup_interface(k, data, interface.config, interface.vlans, interface.stas, phy_features, 'owe-transition');
 	}
 
 	let config = dump_config(file_name);
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index 080f15d7a6..f4a7c71bea 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -64,9 +64,11 @@ hostapd_append_wpa_key_mgmt() {
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 		;;
 		psk-sae)
-			append wpa_key_mgmt "WPA-PSK"
-			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
-			[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
+			[ "$band" = "6g" ] || {
+				append wpa_key_mgmt "WPA-PSK"
+				[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
+				[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
+			}
 			append wpa_key_mgmt "SAE"
 			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
 		;;

More information about the lede-commits mailing list