This improves on openwrt/openwrt@aeb9028aab by adding support for
other Dell EMC Edge620/640/680 devices and mapping
the interfaces to match the markings on the device.
This modifies the netdevices.mk file to set the boot flag for
ixgbe driver to load it in early stage of the boot process to
allow for proper mapping of the network interface PCI paths
inside the 02_network script. This will also allow other devices
using the ixgbe driver to do proper mapping in 02_network script.
The 02_network script is then modified to support all
dell-emc-620/640/680 devices. It now maps the network
interfaces via PCI paths to match the markings on the device.
The interface marked GE6 is still used for WAN with
interfaces GE1-GE5 used for LAN.
The SFP1 and SFP2 interfaces are left to be assigned by
the user.
Signed-off-by: Raylynn Knight <rayknight@me.com>
Link: https://github.com/openwrt/openwrt/pull/23110
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Ethernet LAN port is set to `eth1` (silkscreen "ETH2" and case label "2") next to the 2x USB Type-A
ports and WAN is set to `eth0` (silkscreen "ETH1" and case label "1") next to the USB Type-C port.
The USER ("reset") button serves as the reset button. A short press will reboot and a long press
will reset to factory settings (deleting all data) if using squashfs image.
MASK ("maskrom") and RCRY ("recovery") buttons are enabled but are not set to any specific function
Pressing the POWER button will `poweroff` the device and it will stay off until a power cycle.
Hardware
---------------
* SoC: RockChip RK3576 64-bit ARMv8-A 8 cores big.LITTLE (4x A72 and 4x A53)
* RAM: 3/4GB LPDDR4X or 8/16GB LPDDR5
* Ethernet: 2x GbE (SoC RGMII MAC, RTL8211F PHY)
* 3x LEDs (SYS - red / 1 (WAN) - green / 2 (LAN) - green)
* 4x Buttons (MASK ("maskrom"), RCRY ("recovery"), USER ("reset" - OpenWrt reset), POWER)
* 1x 16MiB SPI NOR on board
* 1x UFS slot for optional UFS 2.0 module (currently not supported)
* 1x microSD card slot (UHS-I)
* 1x HDMI OUT
* 1x Headphone OUT 3.5mm
* 1x M.2 M-key 2280 PCIe slot (PCIe 2.1 x1 supports NVMe SSD)
* 1x M.2 E-key *SDIO* slot for optional RTL8822CS Wi-Fi 5
* the case has integrated antennae as well as 2x knockouts
* the device tree is missing the nodes relevant to Wi-Fi operations so it's not supported for now.
* 2x USB 3.2 Gen 1 Type-A Ports
* Power: 1x USB Type-C 6V-20V with both DC and USB PD supported
* Serial: 1500000 8N1 3.3V - 2.54mm 3-pin header next to HDMI
MAC addresses
---------------
WAN (`eth0` case label "1"): generated from /sys/.../mmcblk0/cid (CID of SD card)
LAN (`eth1` case label "2"): WAN + 1
Installation
---------------
Decompress the archive of the OpenWrt sysupgrade image and write it to a microSD card using `dd`
or use Balena Etcher (no need to decompress).
Boot
---------------
Insert microSD card, set boot switch to "UFS/SD" and then supply power.
Signed-off-by: Ryan Leung <untilscour@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/23008
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Apply pending U-Boot patches so that Rockchip RK3576 devices can boot from SD card. The problem:
"The BootROM on RK3576 has an issue loading boot images from an SD-card. This issue can be worked
around by injecting an initial boot image before TPL…and return to BootROM to load next image, TPL"
Compilation of the initial boot image has been added to the U-Boot build recipe.
Tested on FriendlyELEC NanoPi M5
Signed-off-by: Ryan Leung <untilscour@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/23008
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Select `CONFIG_ROCKCHIP_SARADC=y` to enable Rockchip SAR ADC
Add ADC Ladder Buttons driver as a kernel module as well as `kmod-button-hotplug` to the list of
default packages for Rockchip targets that have buttons connected to ADC, not including some
devices (e.g. NanoPi R76S) that have ADC buttons which are not in the device tree.
This is needed to use buttons on Rockchip devices that are connected to ADC and not GPIO
Tested on FriendlyELEC NanoPi M5
Signed-off-by: Ryan Leung <untilscour@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/23008
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The current 150s watchdog timeout is too aggressive, leading to
premature hostname re-resolution on alive connections.
Even with a 25s keepalive, handshakes may not occur within the 150s window.
Increasing the timeout to 180s aligns the watchdog with WireGuard's
REJECT_AFTER_TIME constant, ensuring we only re-resolve when the connection
is truly considered dead.
Signed-off-by: Roberto Almeida Silva <robertoalmeidasilva1981@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23248
Signed-off-by: Robert Marko <robimarko@gmail.com>
The vendor firmware checks for a bmt header in the last 528 erase blocks
of flash. The OpenWrt partition table did not respect that requirement,
and therefore the vendor and openwrt chainloader fight over those blocks
on every boot, potentially corrupting data stored in UBI blocks there.
This commit increases the size of the reserved_bmt partition to avoid
that fight.
Although the vendor bootloader only seems to touch the final 250 erase
blocks[1], the original vendor firmware system partition ended at
0x1be00000[2], so to be conservative, the consensus is to use that as
the end of mtd2 (ubi) partition and leave the last 528 blocks for mtd3
(reserved_bmt).
From https://openwrt.org/toh/gemtek/mxf-w1700k:
[1] OEM bootlog: [ 5.324337] bmt pool size: 250
[2] OEM bootlog: [ 5.478927] 0x000008600000-0x00001be00000 : "system"
Adds a compat_version to warn users to re-install to accomodate the
shrunken mtd2 ubi partition.
Fixed two nits suggested by Claude, zero padding a hex value and removed
an extra space.
Removed the wildcard setting of compat_version for other boards, as
suggested by Robert Marko, set compat_version only for the w1700k.
Reported-by: Loïc Yhuel <loic.yhuel@gmail.com>
Signed-off-by: Russell Senior <russell@personaltelco.net>
Link: https://github.com/openwrt/openwrt/pull/23061
Signed-off-by: Robert Marko <robimarko@gmail.com>
895f92164b66 uloop: add ULOOP_PRIORITY support for EPOLLPRI events
f9b1f3ff17ba uloop: revert my flag changes from the ULOOP_PRIORITY change
2982bfb1c325 blob: fix wrong type for realloc result in blob_buffer_grow()
78c20f6c8579 json_script: convert recursive __json_script_file_free() to iterative
e7c13bf8cbca usock: fix off-by-one in nanosecond normalization in poll_restart()
68b3f1588de4 uloop: usock: add error checking for fcntl and remove duplicate include
03821f942c49 uloop: fix undefined behavior in signal bit operations for signals > 32
e6e6fd83e26d blobmsg: fix policy name length overflow and add bounds check in blobmsg_parse()
d30b9cc1a02d usock: fix integer overflow in timeout calculations
406e342bb900 udebug: fix double off-by-one in udebug_entry_vprintf()
700eca0bac66 blobmsg_json: fix integer overflow in blobmsg_puts()
6351fe552162 blobmsg_json: floor strbuf size and tighten the post-format guard
58b6543f1b25 blobmsg: fix unsigned integer overflow in blobmsg_alloc_string_buffer()
d7a3ae699df0 blobmsg: use correct byte-order macro when setting BLOB_ATTR_EXTENDED
23c6618a5b90 blobmsg_json: fix double format string to avoid truncation and data loss
1edf1d704e76 jshn: fix integer overflow and type confusion in jshn_parse_file
9b488010c4a7 utils: fix integer overflow in __calloc_a()
40a87f734b94 blob: fix integer overflow in buffer growth functions
02fccb465651 blob: use size_t for blob_memdup() length
0fa612ca08f7 json_script: avoid alloca() on attacker-controlled pattern length
8c9862b6921b blobmsg: fix integer overflow in blobmsg_realloc_string_buffer()
5fbef5bb94fb ustream: avoid INT_MAX overflow on malloc in ustream_vprintf()
1501e60e5554 md5: detect read errors in md5sum() instead of returning a bogus hash
Link: https://github.com/openwrt/openwrt/pull/23212
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
kmod-sound-midi2 expects sound/core/snd-ump.ko, but
CONFIG_SND_UMP=y builds it in-kernel rather than as
a module. Replace the forced built-in setting with
plain CONFIG_SND_UMP so the module can be packaged
correctly.
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Link: https://github.com/openwrt/openwrt/pull/23265
Signed-off-by: Robert Marko <robimarko@gmail.com>
This commit adds support for Qihoo 360T7 (UBI layout).
Aims
----
1. +20 MB additional free space for the packages
2. More reliable storage for the factory and fip partitions (in UBI)
Install (from non-UBI OpenWrt)
------------------------------
1. Navigate http://192.168.1.1/ and download mtd backups
2. Upgrade OpenWrt with installer initramfs image (force upgrade, don't
keep settings). Wait until OpenWrt reboots and until installer:
- Prepare new factory partition
- Format new ubi
- Make ubi volumes
- Write new fip and bl2
3. Navigate http://192.168.1.1/ and Upgrade with OpenWrt 'sysupgrade.bin'
image (don't keep settings)
Installer
---------
Based on OpenWrt UBI Installer Image Generator for Linksys E8450 and
Belkin RT3200
Link: https://github.com/dangowrt/owrt-ubi-installer
Ready installer image
Link: https://github.com/csharper2005/owrt-ubi-installer/tree/qihoo/bin
Installer script
Link: https://github.com/csharper2005/owrt-ubi-installer/blob/qihoo/files/
installer/install.sh
Committing to the parent Daniel's repository is not yet possible because
there are no official images and imagebuilder for Qihoo 360T7 (UBI) yet.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22797
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit adds U-Boot for Qihoo 360T7 (UBI layout).
Aims:
1. +20 MB additional free space for the packages;
2. More reliable storage for the factory and fip partitions (in UBI).
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22797
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The Allwinner T113-s3 (sun8i) SoC features a dual-core Cortex-A7 ARM CPU and
128MB of DDR3 memory in the same physical package. It supports industrial
temperature ranges. Most of the IP blocks are shared with the D1/D1s core.
There are multiple variants of the SoC, which may vary in the included memory
size, with some of them including a C906 RISC-V co-processor.
Boards supported:
- MangoPi MQDual T113
- wireless-only (RTL8723DS)
- MYIR MYD-YT113 eMMC
- 1Gbit ethernet (Motorcomm YT8531 PHY)
- 4GByte eMMC
- M.2-type slot for 4G/5G cards, plus 2x SIM slot
- USB 2.0 ports
- GPIO/I2C/SPI/CAN ports
- FNLink 6131 (rtl8733bu) wifi module
- MYIR MYD-YT113 SPI
- Same as above but with 256Mbyte SPI-NAND flash instead of eMMC
- Rongpin RP-T113
- 100Mbit ethernet (ICplus IP101GR PHY)
- miniPCIe slot for 4G cards, plus 1x SIM slot
- 3x USB 2.0 ports
- RTL8723BS wireless
- HYM8563 RTC
- GPIO/I2C/SPI/CAN ports
- Olimex T113-Olinuxino
- 100Mbit ethernet (ICplus IP101GR)
- UEXT connector (GPIO/I2C/SPI ports)
- 1x USB 2.0
- audio jack, LEDC
Installation:
Use the standard sunxi installation to an SD-card.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
rebuilding x86 did fail in an existing build directory
mkdir fails if the folder exists already
Signed-off-by: Sander Schutten <schutten@hotmail.com>
Signed-off-by: Florian Maurer <fmaurer@disroot.org>
The ucode migration wrote "basic_rate" into the wpa_supplicant network
block, but that is not a valid wpa_supplicant network field, causing:
Line 15: unknown network field 'basic_rate'.
failed to parse network block.
Map UCI basic_rate to the correct wpa_supplicant fields, matching the
behavior of the legacy shell script (hostapd.sh):
- mesh mode: mesh_basic_rates (space-separated, 100 kb/s units)
- sta/adhoc: rates (comma-separated Mbps)
Link: https://github.com/openwrt/openwrt/commit/a854d833eabdbc3b42065927c136d75b981a1021
Signed-off-by: Florian Maurer <f.maurer@outlook.de>
[fix commit message link]
Signed-off-by: David Bauer <mail@david-bauer.net>
find_mtd_part() outputs /dev/mtdblockX, to which fw_setenv cannot
write, "/dev/mtd$(find_mtd_index '<vol name>')" could be used instead.
The envsize should also be changed to 0x1000 to make the CRC checksum
valid and the env block recognized by the uboot-envtools, but the
flash sector size remains 0x10000, otherwise the env block will be
readable but not writable.
The "read-only" mark within device tree is also removed.
Signed-off-by: Edward Chow <equu@openmail.cc>
Link: https://github.com/openwrt/openwrt/pull/23121
Signed-off-by: Robert Marko <robimarko@gmail.com>
In AP+STA mode, wifi-scripts emits start_disabled=1 in the per-BSS
section of the generated hostapd config so that hostapd defers
beaconing on every BSS until apsta_state up clears the flag for the
whole iface (uc_hostapd_iface_start clears start_disabled on every BSS
and calls ieee802_11_set_beacon).
When a new BSS is added later via iface.add_bss while the iface is
already in HAPD_IFACE_ENABLED state, the freshly parsed config still
carries start_disabled=1 for that BSS. hostapd_setup_bss is invoked
with start_beacon=true, but hostapd_start_beacon then skips
ieee802_11_set_beacon because conf->start_disabled is set. The kernel
netdev is created without ever starting beacons, the carrier never
comes up, and probe-response transmission attempts fail with
"handle_probe_req: send failed".
Mirror what iface.start does: when the iface is already enabled, the
apsta channel selection has happened, so clear start_disabled for the
incoming BSS before starting it.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Surface SAE confirm mismatches (wrong password) through the same
key-mismatch ubus notification that is already used for PSK failures, so
consumers can react uniformly regardless of the authentication method.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
mld_set_config() treated any call with empty prev_mld as a fresh
configuration and triggered a full Reload all interfaces, even when the
new config was also empty (the typical path on non-MLD devices).
Reloading every BSS on each netifd reconf disrupted associated stations
including PMF-protected backhaul STAs, which would self-deauth after the
SA Query timeout.
Only treat the call as a new configuration when the new config is
actually non-empty.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This contains many fixes from upstream Linux.
The code block from this patch was moved a bit in the function:
subsys/110-mac80211_keep_keys_on_stop_ap.patch
This patch was applied upstream:
subsys/330-mac80211-fix-crash-in-ieee80211_chan_bw_change-for-A.patch
Link: https://github.com/openwrt/openwrt/pull/23167
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport upstream iw commit d90618809e06 ("iw: scan: print RSN
Element Override IEs") as 001-*.patch so `iw scan` decodes the
RSNOE (vendor WFA type 41) and RSNO2E (type 42) elements that
hostapd emits for WPA3 Compatibility / RSN Overriding APs.
Also refresh the hunk offsets in 200-reduce_size.patch.
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Two of the IW_FULL guards in 200-reduce_size.patch were inverted
or incomplete:
* the "unknown event" handler unconditionally replaced the
verbose print with the short form, so IW_FULL builds lost
the command name decoding;
* the early return before the vendor IE parser used
#ifdef IW_FULL, which suppressed parsing in the full build
instead of the size-reduced one.
Wrap both with the correct #ifndef IW_FULL / #else so the full
and reduced builds produce the intended output.
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The WPA3 and Wi-Fi Enhanced Open Deployment Guide v1.1 (Table 4,
"SAE Groups") recommends that WPA3-Personal APs advertise support
for SAE groups 19, 20 and 21:
* group 19 - ECP 256-bit (NIST P-256)
* group 20 - ECP 384-bit (NIST P-384)
* group 21 - ECP 521-bit (NIST P-521)
hostapd's default is group 19 only, which leaves the two larger
ECP groups unavailable even though the peer may prefer them.
Set sae_groups = "19 20 21" as the default for any BSS whose
auth_type is sae or psk-sae (SAE, SAE Transition and SAE
Compatibility modes).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1 (Tables 4, 5, 6) requires the group-management cipher (BIP) to
match the mode and strength of the pairwise cipher: GCM-mode pairwise
ciphers pair with BIP-GMAC integrity, CCM-mode pairwise ciphers with
BIP-CMAC integrity. The ucode pipeline hard-coded group_mgmt_cipher
to AES-128-CMAC (BIP-CMAC-128) regardless of the pairwise cipher,
except for the eap192 special case that already forced BIP-GMAC-256.
An EHT WPA3-Personal BSS therefore emitted wpa_pairwise=GCMP-256
alongside group_mgmt_cipher=AES-128-CMAC -- the integrity cipher two
steps weaker than the data cipher and a spec violation on EHT.
hostapd has a single group_mgmt_cipher knob, so the selected BIP has
to be compatible with every pairwise cipher in wpa_pairwise. Picking
from the first token would mis-select on mixed lists -- e.g.
wpa_pairwise=\"GCMP-256 CCMP\" would yield BIP-GMAC-256, which a
CCMP-only STA cannot negotiate.
Walk the wpa_pairwise tokens and pick the BIP that matches the
weakest cipher present:
CCMP / TKIP -> AES-128-CMAC (BIP-CMAC-128)
CCMP-256 -> BIP-CMAC-256
GCMP -> BIP-GMAC-128
GCMP-256 -> BIP-GMAC-256
Token matching uses fnmatch wildcards against a copy of wpa_pairwise
that is padded with leading and trailing spaces, so each token is
space-bounded regardless of its position in the list.
The RSN override pairwise lists are not consulted: in the only
caller that sets them (WPA3-Personal Compatibility Mode), Tables 6
and 7 require BIP-CMAC-128 across RSNE/RSNOE/RSNO2E even when the
override lists advertise GCMP-256, so wpa_pairwise=CCMP already
yields the correct BIP.
An explicit ieee80211w_mgmt_cipher UCI value still wins over the
derived default.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
WPA3 Specification v3.5 §13 defines the Transition Disable element sent
inside message 3 of the 4-way handshake. An AP that is no longer
offering a transition mode for its SSID sets the matching bit so that
compliant STAs permanently stop falling back to WPA-PSK / WPA-EAP /
open for that SSID, hardening against downgrade attacks and against
operator mistakes where a transition-mode BSS is briefly brought up on
an SSID that previously ran WPA3-only.
Expose this as a UCI list 'transition_disable' with three classes of
entries:
* The existing OpenWrt encryption tokens 'sae' (bit 0x01), 'sae-pk'
(0x02), 'wpa3' (0x04) and 'owe' (0x08) OR into the bitmap. SAE-PK
itself is not yet wired through wifi-scripts; the token only lets
an operator who configured SAE-PK out of band also hand the
matching bit to hostapd.
* 'on' derives the bitmap from the AP's auth_type ('sae' -> 0x01,
'eap2'/'eap192' -> 0x04, pure 'owe' -> 0x08) and overrides any
other explicit tokens in the same list. Transition BSSes
(psk-sae, eap-eap2, owe with owe_transition set) produce no
bits even under 'on' because they are by definition still in
transition.
* 'off' unconditionally suppresses the element regardless of any
other entries. Operators who need to revert a WPA3-only SSID back
to a transition mode can set this proactively, giving compliant
STAs time to forget the permanent bit before the mode change.
Leave the list unset by default. Advertising Transition Disable is a
one-way door -- once a compliant STA has seen the permanent bit for an
SSID it will refuse to associate to a transition-mode BSS of the same
name ever again -- so it must be opted in to per SSID, never flipped
on by a firmware bump. This also matches the WPA3 and Wi-Fi Enhanced
Open Deployment and Implementation Guide v1.1 Table 4 requirement that
Transition Disable be MAND disabled by default on APs.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1 (Tables 7 and 8) mandates "H2E Only" for SAE on 6 GHz, in both
WPA3-Personal Only and WPA3-Personal Compatibility Mode: the 6 GHz
band disallows the legacy Hunting-and-Pecking password element, so
the AP must advertise BSS Membership Selector 123 to force STAs onto
H2E.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1 §2.4 (Tables 6 and 7) defines WPA3-Personal Compatibility Mode:
the AP advertises a legacy-looking RSNE (WPA-PSK, CCMP-128, PMF
Disabled) while RSN Override Elements layered on top expose SAE and,
on EHT, SAE-EXT-KEY. WPA2-only STAs and STAs that ignore RSN
Overriding associate unchanged; modern STAs pick up the stronger WPA3
AKM via RSNOE or RSNO2E.
Only the pairwise cipher differs between elements: RSNE and RSNOE
advertise CCMP-128, RSNO2E advertises GCMP-256 (EHT only). Group
data (CCMP-128) and group management cipher (BIP-CMAC-128) are the
same in all three per Tables 6/7, so hostapd's BSS-wide group_cipher
and group_mgmt_cipher singletons produce the spec-correct values.
Unlike WPA3-Personal Transition Mode (sae-mixed), which puts PSK and
SAE together in the main RSNE with PMF Capable, Compatibility Mode
keeps the main RSNE strictly WPA2-shaped so clients that choke on a
mixed AKM list or PMF=Capable still see a pure WPA2 BSS. The trade-
off is that clients without RSN Overriding support never pick up SAE.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The WPA3 and Wi-Fi Enhanced Open Deployment and Implementation Guide
v1.1, Table 4 (Common security configuration) marks Beacon Protection
as MAND for EHT-enabled APs and RECOM otherwise for all WPA3 and
Wi-Fi Enhanced Open modes.
The ucode path blindly passed beacon_prot through from UCI in iface
setup, which ran before encryption and MFP had been configured, and
left hostapd at its insecure default of 0 when the user did not
explicitly opt in.
Default beacon_prot to 1 in iface_mfp after MFP has been confirmed to
be enabled, and emit it there instead of in iface_setup so the option
is only written when PMF support is actually negotiated. Users can
still disable it explicitly via UCI.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
WPA3 Specification v3.5 §2.5.4 mandates that an AP's BSS Configuration
enables AKM suite selector 00-0F-AC:24 (SAE-EXT-KEY, SAE with a
group-dependent hash) whenever EHT or MLO is enabled. The WPA3 and
Wi-Fi Enhanced Open Deployment Guide v1.1 also recommends it on
non-EHT APs (Tables 3, 5, 6, 8).
Add a new sae_ext_key UCI option (enabled by default) that advertises
SAE-EXT-KEY, and FT-SAE-EXT-KEY when 802.11r is enabled, alongside
plain SAE/FT-SAE for the sae and psk-sae encryption modes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
parse_encryption() stashed a preliminary wpa_pairwise value in a
local wpa3_pairwise variable, cleared it per auth_type, then let a
switch default either copy it back or special-case wpa3-192. The
result was three separate places where wpa_pairwise was clobbered
and behavior that was awkward to trace when the explicit cipher
suffix (encryption[1]) and the auth_type disagreed.
Replace the scaffolding with a single block at the end of
parse_encryption() that only assigns wpa_pairwise via ??= when no
earlier branch (explicit cipher suffix, wpa3-192, or sae-compat)
has already set one:
no WPA -> null
60 GHz (hw_mode=ad) -> GCMP
HE or EHT htmode -> GCMP-256 CCMP
everything else -> CCMP
wpa3-192 now sets wpa_pairwise='GCMP-256' directly in its switch
case, so the final default block can stay short. No functional
change for existing encryption values.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The rsn_override UCI number was scaffolding that let a Transition
Mode BSS (sae-mixed, wpa3-mixed) automatically overlay a WPA3
Compatibility-Mode-like layout: WPA3 AKMs were moved from the main
RSNE into RSNOE/RSNO2E, and with rsn_override=2 the main RSNE even
dropped SAE entirely to placate clients that refuse to associate to
a mixed AKM list.
This layout does not match any mode defined in the WPA3 and Wi-Fi
Enhanced Open Deployment and Implementation Guide v1.1: Transition
Mode (Table 5) advertises the full AKM list in a single RSNE, and
Compatibility Mode (§2.4, Tables 6 and 7) requires a specific
combination of RSNE, RSNOE and RSNO2E contents that the knob cannot
express. In practice it also triggers interop failures: Pixel 10
phones refuse to associate to a Transition-Mode BSS whose SAE-EXT-KEY
AKM has been shoved into RSNO2E by this scaffolding, even though the
same BSS works fine when the full AKM list stays in the main RSNE.
Keep the generated configuration honest by removing the knob; the RSN
override plumbing stays in place for a future caller that sets the
override fields explicitly. SAE-EXT-KEY advertisement will be added
back in a later commit via a dedicated sae_ext_key path that places
the AKM where the Deployment Guide actually requires it.
Drop the rsn_override schema entry and every wifi-scripts path that
read it:
* parse_encryption no longer diverts the WPA3 pairwise cipher
into rsn_override_pairwise.
* wpa_key_mgmt no longer mirrors WPA-EAP into
rsn_override_key_mgmt, moves SAE/SAE-EXT-KEY into the override
for psk-sae, or drops the main RSNE AKM list when
rsn_override > 1.
* generate() no longer back-fills missing rsn_override_* fields
from the main RSNE or duplicates the override element into an
MLO-gated RSNO2E.
The RSN override elements are now emitted only when each of
(rsn_override_key_mgmt, rsn_override_pairwise, rsn_override_mfp) --
and their _2 counterparts -- has been populated explicitly, which
keeps the machinery from firing on transition modes where it was
never spec-compliant.
Fixes: https://github.com/openwrt/openwrt/issues/21486
Fixes: https://github.com/openwrt/openwrt/issues/22200
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Link: https://github.com/openwrt/openwrt/pull/23009
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Andy Chiang
Raylynn Knight
Qingfang Deng
Ryan Leung
Mikhail Zhilkin
Hannu Nyman
Shiji Yang
Roberto Almeida Silva
Russell Senior
Paul Spooren
Hauke Mehrtens
Mieczyslaw Nalewaj
Zoltan HERPAI
Til Kaiser
Wei-Ting Yang
Sander Schutten
Florian Maurer
Michael Pfeifroth
Christoph Krapp
Robert Marko
Andre Heider
Edward Chow
Magnus Kroken
Felix Fietkau
INAGAKI Hiroshi