wifi-scripts: ucode: drop the generic rsn_override UCI knob

The rsn_override UCI number was scaffolding that let a Transition
Mode BSS (sae-mixed, wpa3-mixed) automatically overlay a WPA3
Compatibility-Mode-like layout: WPA3 AKMs were moved from the main
RSNE into RSNOE/RSNO2E, and with rsn_override=2 the main RSNE even
dropped SAE entirely to placate clients that refuse to associate to
a mixed AKM list.

This layout does not match any mode defined in the WPA3 and Wi-Fi
Enhanced Open Deployment and Implementation Guide v1.1: Transition
Mode (Table 5) advertises the full AKM list in a single RSNE, and
Compatibility Mode (§2.4, Tables 6 and 7) requires a specific
combination of RSNE, RSNOE and RSNO2E contents that the knob cannot
express.  In practice it also triggers interop failures: Pixel 10
phones refuse to associate to a Transition-Mode BSS whose SAE-EXT-KEY
AKM has been shoved into RSNO2E by this scaffolding, even though the
same BSS works fine when the full AKM list stays in the main RSNE.

Keep the generated configuration honest by removing the knob; the RSN
override plumbing stays in place for a future caller that sets the
override fields explicitly.  SAE-EXT-KEY advertisement will be added
back in a later commit via a dedicated sae_ext_key path that places
the AKM where the Deployment Guide actually requires it.

Drop the rsn_override schema entry and every wifi-scripts path that
read it:

  * parse_encryption no longer diverts the WPA3 pairwise cipher
    into rsn_override_pairwise.
  * wpa_key_mgmt no longer mirrors WPA-EAP into
    rsn_override_key_mgmt, moves SAE/SAE-EXT-KEY into the override
    for psk-sae, or drops the main RSNE AKM list when
    rsn_override > 1.
  * generate() no longer back-fills missing rsn_override_* fields
    from the main RSNE or duplicates the override element into an
    MLO-gated RSNO2E.

The RSN override elements are now emitted only when each of
(rsn_override_key_mgmt, rsn_override_pairwise, rsn_override_mfp) --
and their _2 counterparts -- has been populated explicitly, which
keeps the machinery from firing on transition modes where it was
never spec-compliant.

Fixes: https://github.com/openwrt/openwrt/issues/21486
Fixes: https://github.com/openwrt/openwrt/issues/22200
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens 2026-04-19 22:26:59 +02:00
parent 9aeea77b8d
commit 588330e92b
3 changed files with 10 additions and 49 deletions


@ -962,11 +962,6 @@
"rsn_preauth": {
"type": "boolean"
},
"rsn_override": {
"type": "number",
"description": "Use RSNE override IE WPA3 compatibility (0: disabled, 1: enabled, 2:force WPA2 for older devices)",
"default": 1
},
"sae_password_file": {
"description": "External file containing VLAN SAE MAC address triplets",
"type": "string"


@ -85,11 +85,8 @@ function iface_auth_type(config) {
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ])
config.ieee80211w = 2;
if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
if (config.auth_type in [ 'psk-sae', 'eap-eap2' ])
set_default(config, 'ieee80211w', 1);
if (config.rsn_override)
config.rsn_override_mfp = 2;
}
if (config.auth_type in [ 'sae', 'psk-sae' ]) {
config.sae_require_mfp = 1;
@ -525,27 +522,20 @@ export function generate(interface, data, config, vlans, stas, phy_features) {
'wpa_key_mgmt',
]);
if (config.rsn_override_key_mgmt || config.rsn_override_pairwise) {
config.rsn_override_mfp ??= config.ieee80211w;
config.rsn_override_key_mgmt ??= config.wpa_key_mgmt;
config.rsn_override_pairwise ??= config.wpa_pairwise;
if (config.rsn_override_key_mgmt && config.rsn_override_pairwise && config.rsn_override_mfp) {
append_vars(config, [
'rsn_override_key_mgmt',
'rsn_override_pairwise',
'rsn_override_mfp'
]);
}
if (config.mlo) {
config.rsn_override_mfp_2 ??= config.rsn_override_mfp;
config.rsn_override_key_mgmt_2 ??= config.rsn_override_key_mgmt;
config.rsn_override_pairwise_2 ??= config.rsn_override_pairwise;
append_vars(config, [
'rsn_override_key_mgmt_2',
'rsn_override_pairwise_2',
'rsn_override_mfp_2'
]);
}
if (config.rsn_override_key_mgmt_2 && config.rsn_override_pairwise_2 && config.rsn_override_mfp_2) {
append_vars(config, [
'rsn_override_key_mgmt_2',
'rsn_override_pairwise_2',
'rsn_override_mfp_2'
]);
}
/* raw options */
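Review bot: The two new guards in generate() silently skip the override element whenever any one of the three fields is falsy, so a caller that sets `rsn_override_key_mgmt` and `rsn_override_pairwise` but forgets `rsn_override_mfp` gets a BSS that advertises only the main RSNE, with nothing in the log to say so. Because the test is on truthiness, an explicit `rsn_override_mfp` of 0 is also treated as unset, if 0 is a value a caller may legitimately pass. I would test for presence instead, e.g. `if (config.rsn_override_key_mgmt != null && config.rsn_override_pairwise != null && config.rsn_override_mfp != null)`, and warn when the set is only partly filled, so that a half-configured override is visible rather than quietly leaving WPA3 AKMs out of the beacon. The same applies to the `_2` guard. generate() starts and ends outside this hunk, so any validation done elsewhere is not visible here.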


@ -116,10 +116,7 @@ export function parse_encryption(config, dev_config) {
if (!wpa3_pairwise)
break;
if (config.rsn_override && wpa3_pairwise != config.wpa_pairwise)
config.rsn_override_pairwise = wpa3_pairwise;
else
config.wpa_pairwise = wpa3_pairwise;
config.wpa_pairwise = wpa3_pairwise;
break;
}
@ -158,9 +155,6 @@ export function wpa_key_mgmt(config) {
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-EAP');
if (config.rsn_override)
config.rsn_override_key_mgmt = config.wpa_key_mgmt;
append_value(config, 'wpa_key_mgmt', 'WPA-EAP');
break;
@ -181,17 +175,6 @@ export function wpa_key_mgmt(config) {
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-SAE');
if (config.rsn_override) {
config.rsn_override_key_mgmt = config.wpa_key_mgmt;
append_value(config, 'rsn_override_key_mgmt_2', 'SAE-EXT-KEY');
if (config.ieee80211r)
append_value(config, 'rsn_override_key_mgmt_2', 'FT-SAE-EXT-KEY');
}
if (config.rsn_override > 1)
delete config.wpa_key_mgmt;
append_value(config, 'wpa_key_mgmt', 'WPA-PSK');
if (config.ieee80211w)
append_value(config, 'wpa_key_mgmt', 'WPA-PSK-SHA256');
@ -225,13 +208,6 @@ export function wpa_key_mgmt(config) {
append_value(config, 'wpa_key_mgmt', 'FILS-SHA256');
if (config.ieee80211r)
append_value(config, 'wpa_key_mgmt', 'FT-FILS-SHA256');
if (!config.rsn_override_key_mgmt)
break;
append_value(config, 'rsn_override_key_mgmt', 'FILS-SHA256');
if (config.ieee80211r)
append_value(config, 'rsn_override_key_mgmt', 'FT-FILS-SHA256');
break;
}
}
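Review bot: In the psk-sae branch of wpa_key_mgmt the removed block was the only visible place that appended `SAE-EXT-KEY` and `FT-SAE-EXT-KEY`, and nothing in the remaining code records that these AKMs are now deliberately absent. The commit message says they return later via a dedicated sae_ext_key path, but a reader of the file will not see that. I would add a short comment above the `WPA-PSK` append, such as `/* SAE-EXT-KEY is intentionally not advertised here; it is added by the dedicated sae_ext_key path */`. The branch begins outside the hunk, so it is worth confirming that no other line still adds these AKMs before settling the wording.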