wifi-scripts: ucode: do not leak SAE options onto non-SAE BSSes

sae_require_mfp and sae_pwe are SAE-specific knobs but iface_auth_type() set them on every auth type that requires PMF (sae, owe, eap2, eap192, dpp) and on both PMF-optional transition modes (psk-sae, eap-eap2). hostapd silently ignores the stray settings on non-SAE BSSes, but they clutter the generated configuration and make it harder to tell at a glance which knobs actually apply. Split the grouping: keep ieee80211w (and rsn_override_mfp for transition modes) where it was, and move sae_require_mfp / sae_pwe into a separate check that only fires for the two auth types that actually run SAE (sae and psk-sae). No functional change on the air. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Link: https://github.com/openwrt/openwrt/pull/23009 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-04 09:31:26 +02:00 · 2026-04-19 02:36:13 +02:00 · 2026-04-19 02:36:13 +02:00 · 9aeea77b8d
commit 9aeea77b8d
parent e4b3d5c799
1 changed files with 4 additions and 5 deletions
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@ -82,17 +82,16 @@ function iface_accounting_server(config) {
 }

 function iface_auth_type(config) {
-	if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) {
+	if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ])
 		config.ieee80211w = 2;
-		config.sae_require_mfp = 1;
-		if (!config.ppsk)
-			set_default(config, 'sae_pwe', 2);
-	}

 	if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
 		set_default(config, 'ieee80211w', 1);
 		if (config.rsn_override)
 			config.rsn_override_mfp = 2;
+	}
+
+	if (config.auth_type in [ 'sae', 'psk-sae' ]) {
 		config.sae_require_mfp = 1;
 		if (!config.ppsk)
 			set_default(config, 'sae_pwe', 2);