mirror/openwrt
1
0
Fork 1
mirror of https://git.openwrt.org/openwrt/openwrt.git synced 2026-02-13 15:19:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

wifi-scripts: add DPP encryption support

Browse source 
Add support for DPP (Device Provisioning Protocol) as both a primary
encryption type and as an optional addition to existing authentication.

Primary DPP mode (encryption=dpp):
- Sets WPA2 with key_mgmt=DPP
- Requires Management Frame Protection (ieee80211w=2)
- Supports dpp_connector, dpp_csign, dpp_netaccesskey options

Optional DPP mode (dpp=1 boolean on AP):
- Adds DPP to existing key management methods
- Allows AP to accept both DPP and other auth types
- Supports the same connector options

Both ucode and legacy shell implementations are updated for AP and STA
modes.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau 2026-02-04 05:46:53 +00:00
parent 706c416a30
commit 6e25c8bd78
5 changed files with 75 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
View file

@ -82,7 +82,7 @@ function iface_accounting_server(config) {
}
function iface_auth_type(config) {
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ]) {
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ]) {
config.ieee80211w = 2;
config.sae_require_mfp = 1;
if (!config.ppsk)
@ -117,6 +117,12 @@ function iface_auth_type(config) {
]);
break;
case 'dpp':
append_vars(config, [
'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
]);
break;
case 'psk':
case 'psk2':
case 'sae':
@ -188,6 +194,11 @@ function iface_auth_type(config) {
'wpa_disable_eapol_key_retries', 'auth_algs', 'wpa', 'wpa_pairwise',
'erp_domain', 'fils_realm', 'erp_send_reauth_start', 'fils_cache_id'
]);
if (config.dpp && config.auth_type != 'dpp')
append_vars(config, [
'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
]);
}
function iface_ppsk(config) {

13
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc
View file

@ -11,7 +11,7 @@ export function parse_encryption(config, dev_config) {
config.wpa = 0;
for (let k, v in { 'wpa2*': 2, 'wpa3*': 2, '*psk2*': 2, 'psk3*': 2, 'sae*': 2,
'owe*': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
'owe*': 2, 'dpp': 2, 'wpa*mixed*': 3, '*psk*mixed*': 3, 'wpa*': 1, '*psk*': 1, })
if (wildcard(config.encryption, k)) {
config.wpa = v;
break;
@ -32,6 +32,10 @@ export function parse_encryption(config, dev_config) {
config.auth_type = 'owe';
break;
case 'dpp':
config.auth_type = 'dpp';
break;
case 'wpa3-192':
config.auth_type = 'eap192';
break;
@ -198,8 +202,15 @@ export function wpa_key_mgmt(config) {
case 'owe':
append_value(config, 'wpa_key_mgmt', 'OWE');
break;
case 'dpp':
append_value(config, 'wpa_key_mgmt', 'DPP');
break;
}
if (config.dpp && config.auth_type != 'dpp')
append_value(config, 'wpa_key_mgmt', 'DPP');
if (config.fils) {
switch(config.auth_type) {
case 'eap192':

9
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
View file

@ -58,7 +58,7 @@ export function ratelist(rates) {
function setup_sta(data, config) {
iface.parse_encryption(config);
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ])
if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192', 'dpp' ])
config.ieee80211w = 2;
else if (config.auth_type in [ 'psk-sae' ] && !config.ieee80211w)
config.ieee80211w = 1;
@ -122,6 +122,10 @@ function setup_sta(data, config) {
iface.wpa_key_mgmt(config);
break;
case 'dpp':
iface.wpa_key_mgmt(config);
break;
case 'wps':
config.key_mgmt = 'WPS';
break;
@ -183,7 +187,8 @@ function setup_sta(data, config) {
'bssid_blacklist', 'bssid_whitelist', 'erp', 'ca_cert', 'identity',
'anonymous_identity', 'client_cert', 'private_key', 'private_key_passwd',
'subject_match', 'altsubject_match', 'domain_match', 'domain_suffix_match',
'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password'
'ca_cert2', 'client_cert2', 'private_key2', 'private_key2_passwd', 'password',
'dpp_connector', 'dpp_csign', 'dpp_netaccesskey',
]);
}

43
package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
View file

@ -78,8 +78,13 @@ hostapd_append_wpa_key_mgmt() {
owe)
append wpa_key_mgmt "OWE"
;;
dpp)
append wpa_key_mgmt "DPP"
;;
esac
[ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && append wpa_key_mgmt "DPP"
[ "$fils" -gt 0 ] && {
case "$auth_type" in
eap192)
@ -97,6 +102,7 @@ hostapd_append_wpa_key_mgmt() {
;;
esac
}
}
hostapd_add_log_config() {
@ -400,6 +406,9 @@ hostapd_common_add_bss_config() {
config_add_boolean fils
config_add_string fils_dhcp
config_add_boolean dpp
config_add_string dpp_connector dpp_csign dpp_netaccesskey
config_add_int ocv
config_add_boolean beacon_prot spp_amsdu
@ -563,9 +572,10 @@ hostapd_set_bss_options() {
ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override
vendor_elements fils ocv beacon_prot spp_amsdu apup rsn_override dpp
set_default rsn_override 1
set_default dpp 0
set_default fils 0
set_default isolate 0
set_default maxassoc 0
@ -639,7 +649,7 @@ hostapd_set_bss_options() {
[ -n "$spp_amsdu" ] && append bss_conf "spp_amsdu=$spp_amsdu" "$N"
case "$auth_type" in
sae|owe|eap2|eap192)
sae|owe|eap2|eap192|dpp)
set_default ieee80211w 2
set_default sae_require_mfp 1
[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
@ -673,6 +683,13 @@ hostapd_set_bss_options() {
# with WPS enabled, we got to be in unconfigured state.
wps_not_configured=1
;;
dpp)
json_get_vars dpp_connector dpp_csign dpp_netaccesskey
[ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N"
[ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N"
[ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N"
;;
psk|sae|psk-sae)
json_get_vars key wpa_psk_file sae_password_file
if [ "$ppsk" -ne 0 ]; then
@ -1193,6 +1210,14 @@ hostapd_set_bss_options() {
fi
fi
[ "$dpp" -gt 0 ] && [ "$auth_type" != "dpp" ] && {
json_get_vars dpp_connector dpp_csign dpp_netaccesskey
[ -n "$dpp_connector" ] && append bss_conf "dpp_connector=$dpp_connector" "$N"
[ -n "$dpp_csign" ] && append bss_conf "dpp_csign=$dpp_csign" "$N"
[ -n "$dpp_netaccesskey" ] && append bss_conf "dpp_netaccesskey=$dpp_netaccesskey" "$N"
}
json_get_values opts hostapd_bss_options
for val in $opts; do
append bss_conf "$val" "$N"
@ -1343,7 +1368,7 @@ wpa_supplicant_add_network() {
set_default rsn_override 1
case "$auth_type" in
sae|owe|eap2|eap192)
sae|owe|eap2|eap192|dpp)
set_default ieee80211w 2
;;
psk-sae)
@ -1406,6 +1431,10 @@ wpa_supplicant_add_network() {
hostapd_append_wpa_key_mgmt
key_mgmt="$wpa_key_mgmt"
;;
dpp)
hostapd_append_wpa_key_mgmt
key_mgmt="$wpa_key_mgmt"
;;
wep)
local wep_keyidx=0
hostapd_append_wep_key network_data
@ -1633,6 +1662,14 @@ wpa_supplicant_add_network() {
append network_data "mcast_rate=$mc_rate" "$N$T"
}
[ "$auth_type" = "dpp" ] && {
json_get_vars dpp_connector dpp_csign dpp_netaccesskey
[ -n "$dpp_connector" ] && append network_data "dpp_connector=$dpp_connector" "$N$T"
[ -n "$dpp_csign" ] && append network_data "dpp_csign=$dpp_csign" "$N$T"
[ -n "$dpp_netaccesskey" ] && append network_data "dpp_netaccesskey=$dpp_netaccesskey" "$N$T"
}
if [ "$key_mgmt" = "WPS" ]; then
echo "wps_cred_processing=1" >> "$_config"
else

5
package/network/config/wifi-scripts/files/lib/netifd/netifd-wireless.sh
View file

@ -254,7 +254,7 @@ wireless_vif_parse_encryption() {
# wpa2/tkip+aes => WPA2 RADIUS, CCMP+TKIP
case "$encryption" in
wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*)
wpa2*|wpa3*|*psk2*|psk3*|sae*|owe*|dpp)
wpa=2
;;
wpa*mixed*|*psk*mixed*)
@ -274,6 +274,9 @@ wireless_vif_parse_encryption() {
owe*)
auth_type=owe
;;
dpp)
auth_type=dpp
;;
wpa3-192*)
auth_type=eap192
;;