From adb1fce19b6cf462860e3ecc19a1ca260972aeb5 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Mon, 4 Aug 2025 12:39:23 +0200
Subject: [PATCH] wifi-scripts: set rsn_overriding for client mode interfaces

Unless HE/EHT is enabled, the client should not process the RSN override IE.
This prevents picking up unsupported ciphers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 .../files-ucode/usr/share/ucode/wifi/supplicant.uc     |  7 ++++++-
 .../config/wifi-scripts/files/lib/netifd/hostapd.sh    | 10 +++++++++-
 .../wifi-scripts/files/lib/netifd/wireless/mac80211.sh |  2 +-
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
index 49c6888d01..f2d51ed349 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
@@ -59,6 +59,11 @@ function setup_sta(data, config) {
 		config.ieee80211w = 2;
 	else if (config.auth_type in [ 'psk-sae' ])
 		config.ieee80211w = 1;
+	if ((wildcard(data.htmode, 'EHT*') || wildcard(data.htmode, 'HE*')) &&
+		config.rsn_override)
+		config.rsn_overriding = 1;
+	else
+		config.rsn_overriding = 0;
 
 	set_default(config, 'ieee80211r', 0);
 	set_default(config, 'multi_ap', 0);
@@ -159,7 +164,7 @@ function setup_sta(data, config) {
 
 	network_append_string_vars(config, [ 'ssid' ]);
 	network_append_vars(config, [
-		'scan_ssid', 'noscan', 'disabled', 'multi_ap_backhaul_sta',
+		'rsn_overriding', 'scan_ssid', 'noscan', 'disabled', 'multi_ap_backhaul_sta',
 		'ocv', 'key_mgmt', 'psk', 'sae_password', 'pairwise', 'group', 'bssid',
 		'proto', 'mesh_fwding', 'mesh_rssi_threshold', 'frequency', 'fixed_freq',
 		'disable_ht', 'disable_ht40', 'disable_vht', 'vht', 'max_oper_chwidth',
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index c0fcf8dba0..dabb534cf4 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -1316,7 +1316,7 @@ wpa_supplicant_add_network() {
 	wireless_vif_parse_encryption
 
 	json_get_vars \
-		ssid bssid key \
+		ssid bssid key rsn_override \
 		mcast_rate \
 		ieee80211w ieee80211r fils ocv \
 		multi_ap \
@@ -1324,6 +1324,8 @@ wpa_supplicant_add_network() {
 
 	json_get_values basic_rate_list basic_rate
 
+	set_default rsn_override 1
+
 	case "$auth_type" in
 		sae|owe|eap2|eap192)
 			set_default ieee80211w 2
@@ -1374,6 +1376,12 @@ wpa_supplicant_add_network() {
 
 	[ -n "$ocv" ] && append network_data "ocv=$ocv" "$N$T"
 
+	rsn_overriding=0
+	case "$htmode" in
+	EHT*|HE*) [ "$rsn_override" -gt 0 ] && rsn_overriding=1;;
+	esac
+	append network_data "rsn_overriding=$rsn_overriding" "$N$T"
+
 	case "$auth_type" in
 		none) ;;
 		owe)
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/wireless/mac80211.sh b/package/network/config/wifi-scripts/files/lib/netifd/wireless/mac80211.sh
index c9fa2b5fa0..2e939852b6 100755
--- a/package/network/config/wifi-scripts/files/lib/netifd/wireless/mac80211.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/wireless/mac80211.sh
@@ -1015,7 +1015,7 @@ mac80211_setup_supplicant() {
 	wpa_supplicant_prepare_interface "$ifname" nl80211 || return 1
 
 	if [ "$mode" = "sta" ]; then
-		wpa_supplicant_add_network "$ifname"
+		wpa_supplicant_add_network "$ifname" "" "$htmode"
 	else
 		wpa_supplicant_add_network "$ifname" "$freq" "$htmode" "$hostapd_noscan"
 	fi