[openwrt/openwrt] wifi-scripts: fix corner case in RSN override support

Wed Jun 25 01:49:17 PDT 2025

nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/8ad5416d997312a4ae86ebb7bee7dfd1f80c0407

commit 8ad5416d997312a4ae86ebb7bee7dfd1f80c0407
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Jun 25 10:48:34 2025 +0200

    wifi-scripts: fix corner case in RSN override support
    
    When used, all relevant parameters need to be set
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 .../wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc   | 15 ++++++++++++---
 .../config/wifi-scripts/files/lib/netifd/hostapd.sh       |  7 +++++--
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index eccd5824cf..add9ec137b 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -173,8 +173,7 @@ function iface_auth_type(config) {
 		'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
 		'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
 		'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
-		'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id',
-		'rsn_override_pairwise', 'rsn_override_mfp'
+		'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
 	]);
 }
 
@@ -479,9 +478,19 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
 	iface.wpa_key_mgmt(config);
 	append_vars(config, [
 		'wpa_key_mgmt',
-		'rsn_override_key_mgmt'
 	]);
 
+	if (config.rsn_override_key_mgmt || config.rsn_override_pairwise) {
+		config.rsn_override_mfp ??= config.ieee80211w;
+		config.rsn_override_key_mgmt ??= config.wpa_key_mgmt;
+		config.rsn_override_pairwise ??= config.wpa_pairwise;
+		append_vars(config, [
+			'rsn_override_key_mgmt',
+			'rsn_override_pairwise',
+			'rsn_override_mfp'
+		]);
+	}
+
 	/* raw options */
 	for (let raw in config.hostapd_options)
 		append_raw(raw);
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index dd96505f09..623e8ffdb2 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -862,7 +862,6 @@ hostapd_set_bss_options() {
 	append bss_conf "auth_algs=${auth_algs:-1}" "$N"
 	append bss_conf "wpa=$wpa" "$N"
 	[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
-	[ -n "$rsn_override_pairwise" ] && append bss_conf "rsn_override_pairwise=$rsn_override_pairwise" "$N"
 
 	set_default wps_pushbutton 0
 	set_default wps_label 0
@@ -975,7 +974,11 @@ hostapd_set_bss_options() {
 
 		hostapd_append_wpa_key_mgmt
 		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
-		[ -n "$rsn_override_key_mgmt" ] && append bss_conf "rsn_override_key_mgmt=$rsn_override_key_mgmt" "$N"
+		[ -n "$rsn_override_key_mgmt" -o -n "$rsn_override_pairwise" ] && {
+			append bss_conf "rsn_override_key_mgmt=${rsn_override_key_mgmt:-$wpa_key_mgmt}" "$N"
+			append bss_conf "rsn_override_pairwise=${rsn_override_pairwise:-$wpa_pairwise}" "$N"
+			append bss_conf "rsn_override_mfp=$ieee80211w" "$N"
+		}
 	fi
 
 	if [ "$wpa" -ge "2" ]; then


