[PATCH] netifd: fix WPA3 enterprise ciphers

Hauke Mehrtens hauke at hauke-m.de
Sat Aug 13 08:31:53 PDT 2022


On 6/26/22 17:21, Joerg Werner wrote:
> WPA3 enterprise requires wpa_cipher to be GCMP-256, so if the user set
> encryption to wpa3 or wpa3-mixed, then add GCMP-256. Also allow explicit
> selection of GCMP-256 by adding gcmp256 at the end of the encryption
> value.

This code from hostapd looks like the driver has to support CCMP_256 or 
GCMP_256 to allow operation with SUITE_B_192:
		if (drv->capa.enc & (WPA_DRIVER_CAPA_ENC_CCMP_256 |
				     WPA_DRIVER_CAPA_ENC_GCMP_256))
			drv->capa.key_mgmt |=
				WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192;
https://w1.fi/cgit/hostap/tree/src/drivers/driver_nl80211_capa.c#n1361



> 
> Signed-off-by: Joerg Werner <schreibubi at gmail.com>
> ---
>   scripts/netifd-wireless.sh | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
> index 0e3293c..435a707 100644
> --- a/scripts/netifd-wireless.sh
> +++ b/scripts/netifd-wireless.sh
> @@ -221,6 +221,7 @@ wireless_vif_parse_encryption() {
>   		*aes|*ccmp) wpa_cipher="CCMP";;
>   		*tkip) wpa_cipher="TKIP";;
>   		*gcmp) wpa_cipher="GCMP";;
> +		*gcmp256) wpa_cipher="GCMP-256";;
>   	esac
>   
>   	# 802.11n requires CCMP for WPA
> @@ -246,7 +247,6 @@ wireless_vif_parse_encryption() {
>   			wpa_cipher=
>   		;;
>   	esac
> -	wpa_pairwise="$wpa_cipher"
>   
>   	case "$encryption" in
>   		owe*)
> @@ -254,9 +254,11 @@ wireless_vif_parse_encryption() {
>   		;;
>   		wpa3-mixed*)
>   			auth_type=eap-eap192
> +			wpa_cipher="${wpa_cipher} GCMP-256"
>   		;;
>   		wpa3*)
>   			auth_type=eap192
> +			wpa_cipher="GCMP-256"

Instead of setting it here I would prefer if wpa_cipher gets set to the 
wpa3 default earlier and can be overwritten if really wanted.
I would prefer if you set it close to where the initial value is set 
depending on hwmode, and someone could overwrite it with the encryption setting.

>   		;;
>   		psk3-mixed*|sae-mixed*)
>   			auth_type=psk-sae
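
Review bot: in the wpa3-mixed* branch the append wpa_cipher="${wpa_cipher} GCMP-256" is unconditional, so an encryption value ending in gcmp256 (which the first hunk maps to wpa_cipher="GCMP-256") ends up as "GCMP-256 GCMP-256", and an empty wpa_cipher leaves a leading space in the value. Append only when GCMP-256 is not already in the list. In the wpa3* branch the plain assignment wpa_cipher="GCMP-256" discards whatever cipher was selected through the encryption suffix; either guard it so an explicit selection survives or say in the commit message that the override is intended.
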
> @@ -283,6 +285,7 @@ wireless_vif_parse_encryption() {
>   			esac
>   		;;
>   	esac
> +	wpa_pairwise="$wpa_cipher"
>   
>   	case "$encryption" in
>   		*osen*)
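
Review bot: the move of wpa_pairwise="$wpa_cipher" from before the auth_type case block to after it is not mentioned in the commit message, and it changes the point at which wpa_pairwise becomes valid. Add a sentence explaining that the assignment has to follow the wpa3 cipher adjustment, and check that nothing between the old and the new position reads wpa_pairwise.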



