On 6/26/22 17:21, Joerg Werner wrote:
WPA3 enterprise requires wpa_cipher to be GCMP-256, so if the user set
encryption to wpa3 or wpa3-mixed, then add GCMP-256. Also allow explicit
selection of GCMP-256 by adding gcmp256 at the end of the encryption
value.

This code from hostapd makes it look like the driver has to support CCMP_256 or GCMP_256 to allow operation with SUITE_B_192:
                if (drv->capa.enc & (WPA_DRIVER_CAPA_ENC_CCMP_256 |
                                     WPA_DRIVER_CAPA_ENC_GCMP_256))
                        drv->capa.key_mgmt |=
                                WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192;
https://w1.fi/cgit/hostap/tree/src/drivers/driver_nl80211_capa.c#n1361




Signed-off-by: Joerg Werner <[email protected]>
---
  scripts/netifd-wireless.sh | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
index 0e3293c..435a707 100644
--- a/scripts/netifd-wireless.sh
+++ b/scripts/netifd-wireless.sh
@@ -221,6 +221,7 @@ wireless_vif_parse_encryption() {
                *aes|*ccmp) wpa_cipher="CCMP";;
                *tkip) wpa_cipher="TKIP";;
                *gcmp) wpa_cipher="GCMP";;
+               *gcmp256) wpa_cipher="GCMP-256";;
        esac
# 802.11n requires CCMP for WPA
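Review bot: The new *gcmp256) arm has no 256-bit CCMP counterpart, and nothing in this hunk documents the new suffix. If only GCMP-256 is meant to be selectable, say so in the commit message or in a comment next to the arm; otherwise add the matching arm. The arm order itself is fine, since *gcmp cannot match a value that ends in gcmp256.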
@@ -246,7 +247,6 @@ wireless_vif_parse_encryption() {
                        wpa_cipher=
                ;;
        esac
-       wpa_pairwise="$wpa_cipher"
case "$encryption" in
                owe*)
@@ -254,9 +254,11 @@ wireless_vif_parse_encryption() {
                ;;
                wpa3-mixed*)
                        auth_type=eap-eap192
+                       wpa_cipher="${wpa_cipher} GCMP-256"
                ;;
                wpa3*)
                        auth_type=eap192
+                       wpa_cipher="GCMP-256"

Instead of setting it here, I would prefer if wpa_cipher gets set to the wpa3 default earlier and can be overwritten if really wanted. I would prefer if you set it close to where the initial value is set depending on hwmode, and someone could overwrite it with the encryption setting.

                ;;
                psk3-mixed*|sae-mixed*)
                        auth_type=psk-sae
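Review bot: In the wpa3*) arm, wpa_cipher="GCMP-256" unconditionally replaces whatever the earlier suffix case selected, so an explicit cipher in the encryption value is silently discarded for wpa3. In the wpa3-mixed*) arm, the append yields "GCMP-256 GCMP-256" when the value ends in gcmp256, and a leading space when wpa_cipher was cleared by the wpa_cipher= arm shown in the previous hunk. Suggest appending only when GCMP-256 is not already in the list, and assigning the wpa3 value only when no suffix was given.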
@@ -283,6 +285,7 @@ wireless_vif_parse_encryption() {
                        esac
                ;;
        esac
+       wpa_pairwise="$wpa_cipher"
case "$encryption" in
                *osen*)
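Review bot: The commit message does not explain why wpa_pairwise="$wpa_cipher" moves from the -246 hunk to after this esac. Add a sentence saying the assignment has to follow the auth_type case so that it picks up the GCMP-256 values set there, and confirm that nothing between the old and the new position reads wpa_pairwise, since it is now unset in that range.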


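The ordering suggested in the reply (family default first, explicit suffix last), as an added example that is not part of the patch or of netifd-wireless.sh. select_wpa_cipher and has_gcmp256 are hypothetical helpers; the CCMP defaults and the sample encryption values are assumptions.

```shell
#!/bin/sh
# Added illustration; not code from netifd-wireless.sh.
# select_wpa_cipher and has_gcmp256 are hypothetical helpers.

# Print the cipher list for an encryption value: family default first,
# then an explicit trailing cipher suffix replaces that default.
select_wpa_cipher() {
	_enc="$1"

	case "$_enc" in
		wpa3-mixed*) _cipher="CCMP GCMP-256";;  # assumption: CCMP as the WPA2 side
		wpa3*)       _cipher="GCMP-256";;
		*)           _cipher="CCMP";;           # assumption: stand-in for the hwmode default
	esac

	# Same suffix patterns as the patched case statement. Arms are tried
	# in order; "*gcmp" cannot match a value ending in "gcmp256".
	case "$_enc" in
		*aes|*ccmp) _cipher="CCMP";;
		*tkip)      _cipher="TKIP";;
		*gcmp)      _cipher="GCMP";;
		*gcmp256)   _cipher="GCMP-256";;
	esac

	printf '%s\n' "$_cipher"
}

# Succeed only if the space-separated cipher list contains GCMP-256,
# so an override that drops it on a wpa3 value can be flagged.
has_gcmp256() {
	case " $1 " in
		*" GCMP-256 "*) return 0;;
	esac
	return 1
}

# Constructed sample values.
for enc in wpa3 wpa3-mixed wpa3+gcmp256 wpa3-mixed+gcmp256 wpa3+ccmp wpa2+ccmp; do
	list=$(select_wpa_cipher "$enc")
	case "$enc" in
		wpa3*) has_gcmp256 "$list" || echo "warning: $enc lacks GCMP-256" >&2;;
	esac
	echo "$enc -> $list"
done
```

With this ordering an explicit suffix never produces a duplicated GCMP-256 entry, and a wpa3 value whose override drops GCMP-256 is reported instead of passing silently.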