[openwrt/openwrt] wifi-scripts: add DPP encryption support
LEDE Commits
lede-commits at lists.infradead.org
Sat Feb 7 01:28:53 PST 2026
nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/6e25c8bd785e72b8a03b1f1f6bacc21d077cc372
commit 6e25c8bd785e72b8a03b1f1f6bacc21d077cc372
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Feb 4 05:46:53 2026 +0000
wifi-scripts: add DPP encryption support
Add support for DPP (Device Provisioning Protocol) as both a primary
encryption type and as an optional addition to existing authentication.
Primary DPP mode (encryption=dpp):
- Sets WPA2 with key_mgmt=DPP
- Requires Management Frame Protection (ieee80211w=2)
- Supports dpp_connector, dpp_csign, dpp_netaccesskey options
Optional DPP mode (dpp=1 boolean on AP):
- Adds DPP to existing key management methods
- Allows AP to accept both DPP and other auth types
- Supports the same connector options
Both ucode and legacy shell implementations are updated for AP and STA
modes.
Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
.../files-ucode/usr/share/ucode/wifi/ap.uc | 13 ++++++-
.../files-ucode/usr/share/ucode/wifi/iface.uc | 13 ++++++-
.../files-ucode/usr/share/ucode/wifi/supplicant.uc | 9 ++++-
.../wifi-scripts/files/lib/netifd/hostapd.sh | 43 ++++++++++++++++++++--
.../files/lib/netifd/netifd-wireless.sh | 5 ++-
5 files changed, 75 insertions(+), 8 deletions(-)
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index 5771e0e2df..3c29d1beda 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -82,7 +82,7 @@ function iface_accounting_server(config) {
}
function iface_auth_type(config) {
- if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) {
+ if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) {
config.ieee80211w = 2;
config.sae_require_mfp = 1;
if (!config.ppsk)
@@ -117,6 +117,12 @@ function iface_auth_type(config) {
]);
break;
+ case 'dpp':
+ append_vars(config, [
+ 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
+ ]);
+ break;
+
case 'psk':
case 'psk2':
case 'sae':
@@ -188,6 +194,11 @@ function iface_auth_type(config) {
'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
]);
+
+ if (config.dpp && config.auth_type != 'dpp')
+ append_vars(config, [
+ 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
+ ]);
}
function iface_ppsk(config) {
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
index 5b7b14b6ff..50c62f9429 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
@@ -11,7 +11,7 @@ export function parse_encryption(config, dev_config) {
config.wpa = 0;
for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
- 'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
+ 'owe*': 2, 'dpp': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
if (wildcard(config.encryption, k)) {
config.wpa = v;
break;
@@ -32,6 +32,10 @@ export function parse_encryption(config, dev_config) {
config.auth_type = 'owe';
break;
+ case 'dpp':
+ config.auth_type = 'dpp';
+ break;
+
case 'wpa3-192':
config.auth_type = 'eap192';
break;
@@ -198,8 +202,15 @@ export function wpa_key_mgmt(config) {
case 'owe':
append_value(config, 'wpa_key_mgmt', 'OWE');
break;
+
+ case 'dpp':
+ append_value(config, 'wpa_key_mgmt', 'DPP');
+ break;
}
+ if (config.dpp && config.auth_type != 'dpp')
+ append_value(config, 'wpa_key_mgmt', 'DPP');
+
if (config.fils) {
switch(config.auth_type) {
case 'eap192':
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
index a1daf041a1..e1cc93a806 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
@@ -58,7 +58,7 @@ export function ratelist(rates) {
function setup_sta(data, config) {
iface.parse_encryption(config);
- if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ])
+ if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ])
config.ieee80211w = 2;
else if (config.auth_type in [ 'psk-sae' ] && !config.ieee80211w)
config.ieee80211w = 1;
@@ -122,6 +122,10 @@ function setup_sta(data, config) {
iface.wpa_key_mgmt(config);
break;
+ case 'dpp':
+ iface.wpa_key_mgmt(config);
+ break;
+
case 'wps':
config.key_mgmt = 'WPS';
break;
@@ -183,7 +187,8 @@ function setup_sta(data, config) {
'bssid_blacklist', 'bssid_whitelist', 'erp', 'ca_cert', 'identity',
'anonymous_identity', 'client_cert', 'private_key', 'private_key_passwd',
'subject_match', 'altsubject_match', 'domain_match', 'domain_suffix_match',
- 'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password'
+ 'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password',
+ 'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
]);
}
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index 81ebebbe2b..21e980b86a 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -78,8 +78,13 @@ hostapd_append_wpa_key_mgmt() {
owe)
append wpa_key_mgmt "OWE"
;;
+ dpp)
+ append wpa_key_mgmt "DPP"
+ ;;
esac
+ [ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && append wpa_key_mgmt "DPP"
+
[ "$fils" -gt 0 ] && {
case "$auth_type" in
eap192)
@@ -97,6 +102,7 @@ hostapd_append_wpa_key_mgmt() {
;;
esac
}
+
}
hostapd_add_log_config() {
@@ -400,6 +406,9 @@ hostapd_common_add_bss_config() {
config_add_boolean fils
config_add_string fils_dhcp
+ config_add_boolean dpp
+ config_add_string dpp_connector dpp_csign dpp_netaccesskey
+
config_add_int ocv
config_add_boolean beacon_prot spp_amsdu
@@ -563,9 +572,10 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
- vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override
+ vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override dpp
set_default rsn_override 1
+ set_default dpp 0
set_default fils 0
set_default isolate 0
set_default maxassoc 0
@@ -639,7 +649,7 @@ hostapd_set_bss_options() {
[ -n "$spp_amsdu" ] && append bss_conf "spp_amsdu=$spp_amsdu" "$N"
case "$auth_type" in
- sae|owe|eap2|eap192)
+ sae|owe|eap2|eap192|dpp)
set_default ieee80211w 2
set_default sae_require_mfp 1
[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
@@ -673,6 +683,13 @@ hostapd_set_bss_options() {
# with WPS enabled, we got to be in unconfigured state.
wps_not_configured=1
;;
+ dpp)
+ json_get_vars dpp_connector dpp_csign dpp_netaccesskey
+
+ [ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N"
+ [ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N"
+ [ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N"
+ ;;
psk|sae|psk-sae)
json_get_vars key wpa_psk_file sae_password_file
if [ "$ppsk" -ne 0 ]; then
@@ -1193,6 +1210,14 @@ hostapd_set_bss_options() {
fi
fi
+ [ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && {
+ json_get_vars dpp_connector dpp_csign dpp_netaccesskey
+
+ [ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N"
+ [ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N"
+ [ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N"
+ }
+
json_get_values opts hostapd_bss_options
for val in $opts; do
append bss_conf "$val" "$N"
@@ -1343,7 +1368,7 @@ wpa_supplicant_add_network() {
set_default rsn_override 1
case "$auth_type" in
- sae|owe|eap2|eap192)
+ sae|owe|eap2|eap192|dpp)
set_default ieee80211w 2
;;
psk-sae)
@@ -1406,6 +1431,10 @@ wpa_supplicant_add_network() {
hostapd_append_wpa_key_mgmt
key_mgmt="$wpa_key_mgmt"
;;
+ dpp)
+ hostapd_append_wpa_key_mgmt
+ key_mgmt="$wpa_key_mgmt"
+ ;;
wep)
local wep_keyidx=0
hostapd_append_wep_key network_data
@@ -1633,6 +1662,14 @@ wpa_supplicant_add_network() {
append network_data "mcast_rate=$mc_rate" "$N$T"
}
+ [ "$auth_type" = "dpp" ] && {
+ json_get_vars dpp_connector dpp_csign dpp_netaccesskey
+
+ [ -n "$dpp_connector" ] && append network_data "dpp_connector=$dpp_connector" "$N$T"
+ [ -n "$dpp_csign" ] && append network_data "dpp_csign=$dpp_csign" "$N$T"
+ [ -n "$dpp_netaccesskey" ] && append network_data "dpp_netaccesskey=$dpp_netaccesskey" "$N$T"
+ }
+
if [ "$key_mgmt" = "WPS" ]; then
echo "wps_cred_processing=1" >> "$_config"
else
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
index ac11905fac..328fede2a9 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
@@ -254,7 +254,7 @@ wireless_vif_parse_encryption() {
# wpa2/tkip+aes => WPA2 RADIUS, CCMP+TKIP
case "$encryption" in
- wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*)
+ wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*|dpp)
wpa=2
;;
wpa*mixed*|*psk*mixed*)
@@ -274,6 +274,9 @@ wireless_vif_parse_encryption() {
owe*)
auth_type=owe
;;
+ dpp)
+ auth_type=dpp
+ ;;
wpa3-192*)
auth_type=eap192
;;
More information about the lede-commits
mailing list