From 9aeea77b8d36ce6ac5db1b8a6fae654f86322d4e Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 19 Apr 2026 02:36:13 +0200 Subject: [PATCH] wifi-scripts: ucode: do not leak SAE options onto non-SAE BSSes sae_require_mfp and sae_pwe are SAE-specific knobs but iface_auth_type() set them on every auth type that requires PMF (sae, owe, eap2, eap192, dpp) and on both PMF-optional transition modes (psk-sae, eap-eap2). hostapd silently ignores the stray settings on non-SAE BSSes, but they clutter the generated configuration and make it harder to tell at a glance which knobs actually apply. Split the grouping: keep ieee80211w (and rsn_override_mfp for transition modes) where it was, and move sae_require_mfp / sae_pwe into a separate check that only fires for the two auth types that actually run SAE (sae and psk-sae). No functional change on the air. Co-Authored-By: Claude Opus 4.7 Link: https://github.com/openwrt/openwrt/pull/23009 Signed-off-by: Hauke Mehrtens --- .../wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc index 032a434281..2c4559bf74 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc @@ -82,17 +82,16 @@ function iface_accounting_server(config) { } function iface_auth_type(config) { - if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) { + if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) config.ieee80211w = 2; - config.sae_require_mfp = 1; - if (!config.ppsk) - set_default(config, 'sae_pwe', 2); - } if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) { set_default(config, 'ieee80211w', 1); if (config.rsn_override) config.rsn_override_mfp = 2; + } + + if (config.auth_type in [ 'sae', 'psk-sae' ]) { config.sae_require_mfp = 1; if (!config.ppsk) set_default(config, 'sae_pwe', 2);