openwrt-mirror/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2026-06-17 14:50:15 +04:00
Code Issues Packages Projects Releases Wiki Activity

wifi-scripts: ucode: default sae_groups to NIST ECP 19/20/21

Browse Source 
The WPA3 and Wi-Fi Enhanced Open Deployment Guide v1.1 (Table 4,
"SAE Groups") recommends that WPA3-Personal APs advertise support
for SAE groups 19, 20 and 21:

  * group 19 - ECP 256-bit (NIST P-256)
  * group 20 - ECP 384-bit (NIST P-384)
  * group 21 - ECP 521-bit (NIST P-521)

hostapd's default is group 19 only, which leaves the two larger
ECP groups unavailable even though the peer may prefer them.

Set sae_groups = "19 20 21" as the default for any BSS whose
auth_type is sae or psk-sae (SAE, SAE Transition and SAE
Compatibility modes).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens
2026-04-20 01:42:51 +02:00
parent 68165c85c8
commit 0ca11b32eb
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+8 -2
View File
@@ -100,8 +100,14 @@ function iface_auth_type(config, band) {
config.rsn_override_mfp_2 = 2;
}
if (config.auth_type == 'owe') {
set_default(config, 'owe_groups', '19 20 21');
set_default(config, 'owe_ptk_workaround', 1);
}
if (config.auth_type in [ 'sae', 'psk-sae', 'psk-sae-compat' ]) {
config.sae_require_mfp = 1;
set_default(config, 'sae_groups', '19 20 21');
if (!config.ppsk) {
if (band == '6g')
set_default(config, 'sae_pwe', 1);
@@ -199,11 +205,11 @@ function iface_auth_type(config, band) {
}
append_vars(config, [
'sae_require_mfp', 'sae_password_file', 'sae_pwe', 'sae_track_password', 'time_advertisement', 'time_zone',
'sae_require_mfp', 'sae_password_file', 'sae_pwe', 'sae_groups', 'sae_track_password', 'time_advertisement', 'time_zone',
'wpa_group_rekey', 'wpa_ptk_rekey', 'wpa_gmk_rekey', 'wpa_strict_rekey',
'macaddr_acl', 'wpa_psk_radius', 'wpa_psk', 'wpa_passphrase', 'wpa_psk_file',
'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
'radius_das_client', 'radius_das_port', 'own_ip_addr', 'dynamic_own_ip_addr',
'radius_das_client', 'radius_das_port', 'owe_groups', 'owe_ptk_workaround', 'own_ip_addr', 'dynamic_own_ip_addr',
'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
]);