[PATCH] netifd: fix WPA3 enterprise ciphers
Hauke Mehrtens
hauke at hauke-m.de
Sat Aug 13 08:31:53 PDT 2022
On 6/26/22 17:21, Joerg Werner wrote:
> WPA3 enterprise requires wpa_cipher to be GCMP-256, so if the user set
> encryption to wpa3 or wpa3-mixed, then add GCMP-256. Also allow explicit
> selection of GCMP-256 by adding gcmp256 at the end of the encryption
> value.
This code from hostapd looks like the driver has to support CCMP_256 or
GCMP_256 to allow operation with SUITE_B_192:
if (drv->capa.enc & (WPA_DRIVER_CAPA_ENC_CCMP_256 |
WPA_DRIVER_CAPA_ENC_GCMP_256))
drv->capa.key_mgmt |=
WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192;
https://w1.fi/cgit/hostap/tree/src/drivers/driver_nl80211_capa.c#n1361
>
> Signed-off-by: Joerg Werner <schreibubi at gmail.com>
> ---
> scripts/netifd-wireless.sh | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
> index 0e3293c..435a707 100644
> --- a/scripts/netifd-wireless.sh
> +++ b/scripts/netifd-wireless.sh
> @@ -221,6 +221,7 @@ wireless_vif_parse_encryption() {
> *aes|*ccmp) wpa_cipher="CCMP";;
> *tkip) wpa_cipher="TKIP";;
> *gcmp) wpa_cipher="GCMP";;
> + *gcmp256) wpa_cipher="GCMP-256";;
> esac
>
> # 802.11n requires CCMP for WPA
> @@ -246,7 +247,6 @@ wireless_vif_parse_encryption() {
> wpa_cipher=
> ;;
> esac
> - wpa_pairwise="$wpa_cipher"
>
> case "$encryption" in
> owe*)
> @@ -254,9 +254,11 @@ wireless_vif_parse_encryption() {
> ;;
> wpa3-mixed*)
> auth_type=eap-eap192
> + wpa_cipher="${wpa_cipher} GCMP-256"
> ;;
> wpa3*)
> auth_type=eap192
> + wpa_cipher="GCMP-256"
Instead of setting it here I would prefer if wpa_cipher gets set to the
wpa3 default earlier and can be overwritten if really wanted.
I would prefer if you set it close to here the initial value is set
depending on hwmode and someone could overwrite it with encryption setting.
> ;;
> psk3-mixed*|sae-mixed*)
> auth_type=psk-sae
> @@ -283,6 +285,7 @@ wireless_vif_parse_encryption() {
> esac
> ;;
> esac
> + wpa_pairwise="$wpa_cipher"
>
> case "$encryption" in
> *osen*)
More information about the openwrt-devel
mailing list