[openwrt/openwrt] wifi-scripts: enable GCMP-256 by default on WPA3/OWE configurations with HE or EHT
LEDE Commits
lede-commits at lists.infradead.org
Sat Jun 21 11:34:31 PDT 2025
nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/254dd7d7d9c88e1b05dad44615213de9a0a4e462
commit 254dd7d7d9c88e1b05dad44615213de9a0a4e462
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Jun 11 11:28:12 2025 +0200
wifi-scripts: enable GCMP-256 by default on WPA3/OWE configurations with HE or EHT
GCMP-256 support is mandatory with EHT, but HE hardware can already be expected
to support it.
Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
.../files-ucode/usr/share/ucode/wifi/ap.uc | 2 +-
.../files-ucode/usr/share/ucode/wifi/iface.uc | 86 ++++++++++++----------
.../files/lib/netifd/netifd-wireless.sh | 11 ++-
3 files changed, 58 insertions(+), 41 deletions(-)
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index d72abdd3e4..316dc24f00 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -437,7 +437,7 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
iface_setup(config);
- iface.parse_encryption(config);
+ iface.parse_encryption(config, data.config);
if (data.config.band == '6g') {
if (config.auth_type == 'psk-sae')
config.auth_type = 'sae';
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
index 710ded10e5..52b76b4396 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -3,46 +3,9 @@
import { append_value, log } from 'wifi.common';
import * as fs from 'fs';
-export function parse_encryption(config) {
+export function parse_encryption(config, dev_config) {
let encryption = split(config.encryption, '+', 2);
- config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
-
- switch(encryption[1]){
- case 'tkip+aes':
- case 'tkip+ccmp':
- case 'aes+tkip':
- case 'ccmp+tkip':
- config.wpa_pairwise = 'CCMP TKIP';
- break;
-
- case 'ccmp256':
- config.wpa_pairwise = 'CCMP-256';
- break;
-
- case 'aes':
- case 'ccmp':
- config.wpa_pairwise = 'CCMP';
- break;
-
- case 'tkip':
- config.wpa_pairwise = 'TKIP';
- break;
-
- case 'gcmp256':
- config.wpa_pairwise = 'GCMP-256';
- break;
-
- case 'gcmp':
- config.wpa_pairwise = 'GCMP';
- break;
-
- default:
- if (config.encryption == 'wpa3-192')
- config.wpa_pairwise = 'GCMP-256';
- break;
- }
-
config.wpa = 0;
for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
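Review bot: The new `dev_config` parameter on `parse_encryption` is undocumented, and because it is only read through `dev_config?.htmode`, a caller that omits it silently keeps the CCMP-only default. A short comment above the signature would make that contract visible, for example `// dev_config (optional): device section; only htmode is read, to decide whether GCMP-256 is offered by default for WPA3/OWE`. The function body continues outside this hunk.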
@@ -53,10 +16,17 @@ export function parse_encryption(config) {
if (!config.wpa)
config.wpa_pairwise = null;
+ config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';
config.auth_type = encryption[0] ?? 'none';
+
+ let wpa3_pairwise = config.wpa_pairwise;
+ if (wildcard(dev_config?.htmode, 'EHT*') || wildcard(dev_config?.htmode, 'HE*'))
+ wpa3_pairwise = 'GCMP-256 ' + wpa3_pairwise;
+
switch(config.auth_type) {
case 'owe':
config.auth_type = 'owe';
+ config.wpa_pairwise = wpa3_pairwise;
break;
case 'wpa3-192':
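Review bot: The added `config.wpa_pairwise = (config.hw_mode == 'ad') ? 'GCMP' : 'CCMP';` runs immediately after the `if (!config.wpa) config.wpa_pairwise = null;` reset, so the reset no longer has any effect and a configuration that matches none of the WPA patterns leaves this function with a pairwise cipher set. The cipher-suffix switch moved to the end of the function (hunk `@@ -90,6 +64,42 @@`) now also runs after the reset. Whether consumers of `wpa_pairwise` rely on the null is not visible here, but the old ordering guaranteed it; making `if (!config.wpa) config.wpa_pairwise = null;` the last statement of `parse_encryption` would restore that. The function starts and ends outside this hunk.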
@@ -65,10 +35,12 @@ export function parse_encryption(config) {
case 'wpa3-mixed':
config.auth_type = 'eap-eap2';
+ config.wpa_pairwise = wpa3_pairwise;
break;
case 'wpa3':
config.auth_type = 'eap2';
+ config.wpa_pairwise = wpa3_pairwise;
break;
case 'psk-mixed':
@@ -77,11 +49,13 @@ export function parse_encryption(config) {
case 'psk3':
config.auth_type = 'sae';
+ config.wpa_pairwise = wpa3_pairwise;
break;
case 'psk3-mixed':
case 'sae-mixed':
config.auth_type = 'psk-sae';
+ config.wpa_pairwise = wpa3_pairwise;
break;
case 'wpa':
@@ -90,6 +64,42 @@ export function parse_encryption(config) {
config.auth_type = 'eap';
break;
}
+
+ switch(encryption[1]){
+ case 'tkip+aes':
+ case 'tkip+ccmp':
+ case 'aes+tkip':
+ case 'ccmp+tkip':
+ config.wpa_pairwise = 'CCMP TKIP';
+ break;
+
+ case 'ccmp256':
+ config.wpa_pairwise = 'CCMP-256';
+ break;
+
+ case 'aes':
+ case 'ccmp':
+ config.wpa_pairwise = 'CCMP';
+ break;
+
+ case 'tkip':
+ config.wpa_pairwise = 'TKIP';
+ break;
+
+ case 'gcmp256':
+ config.wpa_pairwise = 'GCMP-256';
+ break;
+
+ case 'gcmp':
+ config.wpa_pairwise = 'GCMP';
+ break;
+
+ default:
+ if (config.encryption == 'wpa3-192')
+ config.wpa_pairwise = 'GCMP-256';
+ break;
+ }
+
};
export function wpa_key_mgmt(config) {
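Review bot: The relocated switch on `encryption[1]` is what lets an explicit cipher suffix override the new htmode-based default, and nothing in the code records that this ordering is intentional. A later reordering would silently change which pairwise ciphers the AP advertises. A comment above the switch such as `// explicit cipher suffix wins over the HE/EHT default, e.g. 'sae+ccmp' yields CCMP only` would document it. The start of `parse_encryption` is outside this hunk.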
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
index c3772bb443..8460de4653 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@@ -39,11 +39,10 @@ prepare_key_wep() {
}
_wdev_prepare_channel() {
- json_get_vars channel band hwmode
+ json_get_vars channel band hwmode htmode
auto_channel=0
enable_ht=0
- htmode=
hwmode="${hwmode##11}"
case "$channel" in
@@ -80,6 +79,11 @@ _wdev_prepare_channel() {
esac
;;
esac
+
+ case "$htmode" in
+ HE*|EHT*) wpa3_cipher="GCMP-256 ";;
+ *) wpa3_cipher="";;
+ esac
}
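Review bot: `wpa3_cipher` is set here as an undeclared global and consumed later in `wireless_vif_parse_encryption`, so the cipher default depends on `_wdev_prepare_channel` having run first for the same device. If that order is not kept the variable is empty and the result falls back to CCMP only, which is safe but easy to miss when debugging. A comment on the new case such as `# wpa3_cipher: global prefix read by wireless_vif_parse_encryption; empty unless htmode is HE*/EHT*` would make the coupling explicit. The start of `_wdev_prepare_channel` is outside this hunk.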
_wdev_handler() {
@@ -216,6 +220,9 @@ wireless_vif_parse_encryption() {
wpa_cipher="GCMP"
else
wpa_cipher="CCMP"
+ case "$encryption" in
+ sae*|wpa3*|psk3*|owe) wpa_cipher="${wpa3_cipher}$wpa_cipher";;
+ esac
fi
case "$encryption" in
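Review bot: The `wpa3*` pattern in the added case also matches `wpa3-192`, which the ucode version of this change does not give the `GCMP-256 CCMP` default (there it ends up as `GCMP-256` alone). Unless the `case "$encryption"` that follows, whose body is outside this hunk, overrides it, a 192-bit configuration on HE/EHT hardware would offer CCMP alongside GCMP-256. Narrowing the pattern, for example `sae*|wpa3|wpa3-mixed*|psk3*|owe)`, or confirming the later override, would keep both implementations in agreement. The new block also sits inside the `else` branch, so it is skipped when the preceding condition selects GCMP, whereas the ucode side applies the prefix regardless of `hw_mode`.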