netifd-wireless.sh update for cipher selection
Updated netifd-wireless.sh to allow multiple cipher selection for different wpa versions. Works together with updates to luci-mod-network PR committed today.
Forum link:
- https://forum.openwrt.org/t/security-enhancement-for-wpa3-looking-for-testers-of-prs/242883
@Ramon00 could you demonstrate a result of before and after this PR for those properties, i.e. how they look? What fundamentally changed?
In /var/run/hostapd-phy*.conf:
Before, for wpa3-sae, it would set by default
wpa_pairwise=CCMP
Now, by default, for wpa3-sae it sets
wpa_pairwise=CCMP CCMP-256 GCMP GCMP-256
It will now also parse multiple ciphers in /etc/config/wireless, e.g. it allows
option encryption 'sae+ccmp+ccmp256+gcmp+gcmp256'
or
option encryption 'sae+ccmp256+gcmp256'
instead of just a limited choice like sae+CCMP or sae+GCMP. It would not (correctly) parse multiple.
The LuCI PR now also allows you to select any cipher combination: you just checkmark the ciphers you like. Note that on WPA3-SAE, LuCI did not allow selecting ciphers at all (you could still set it to GCMP via the config file).
If people disagree with the defaults I put in, then let me know, I can adjust. As you can see in the code:
wpa3-192*) wpa_cipher="GCMP-256 ";;
sae*|wpa3*) wpa_cipher="CCMP CCMP-256 GCMP GCMP-256 " ;;
psk2*|wpa2*) wpa_cipher="TKIP CCMP CCMP-256 " ;;
psk*|wep*) wpa_cipher="TKIP CCMP " ;;
owe*) wpa_cipher="CCMP " ;;
I actually see I put in wep instead of wpa. Let me update the PR. (Not that anybody in their right mind is using wep or wpa....)
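The parsing and defaulting described in the comment above, as an added example (not the PR's code and not taken from netifd-wireless.sh). The function names are hypothetical, the default table is copied from the lines quoted on this page, and only the cipher tokens that appear on this page are mapped; anything else is rejected.

```shell
# Added illustration; function names are hypothetical, not from netifd.
cipher_name() {  # map one lowercase config token to the hostapd cipher name
	case "$1" in
		tkip) echo "TKIP" ;;
		ccmp) echo "CCMP" ;;
		ccmp256) echo "CCMP-256" ;;
		gcmp) echo "GCMP" ;;
		gcmp256) echo "GCMP-256" ;;
		*) return 1 ;;
	esac
}

# Per-mode defaults, as quoted in the comment above (order of patterns matters).
default_ciphers() {
	case "$1" in
		wpa3-192*) echo "GCMP-256" ;;
		sae*|wpa3*) echo "CCMP CCMP-256 GCMP GCMP-256" ;;
		psk2*|wpa2*) echo "TKIP CCMP CCMP-256" ;;
		psk*|wep*) echo "TKIP CCMP" ;;
		owe*) echo "CCMP" ;;
		*) return 1 ;;
	esac
}

# Print the wpa_pairwise line for an 'option encryption' value such as sae+ccmp256+gcmp256.
wpa_pairwise_line() {
	enc="$1"; mode="${enc%%+*}"    # text before the first '+'
	rest="${enc#"$mode"}"          # "" or "+cipher+cipher..."
	list=""
	while [ -n "$rest" ]; do
		rest="${rest#+}"
		tok="${rest%%+*}"
		rest="${rest#"$tok"}"
		name="$(cipher_name "$tok")" || { echo "unknown cipher: $tok" >&2; return 1; }
		case " $list " in *" $name "*) ;; *) list="${list:+$list }$name" ;; esac  # drop repeats
	done
	[ -n "$list" ] || list="$(default_ciphers "$mode")" || return 1  # no ciphers given: default
	echo "wpa_pairwise=$list"
}

# Constructed sample values in the style of /etc/config/wireless.
for sample in sae 'sae+ccmp256+gcmp256' wpa3-192; do wpa_pairwise_line "$sample"
done
```

Comparing the printed line with the `wpa_pairwise=` entry in /var/run/hostapd-phy*.conf after a config change is a quick way to confirm which pairwise ciphers an interface actually offers.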
@nbd168 what do I need to do to get this merged?
For the commit message body, wrap your lines at 74 chars.
Ok done.
Friendly ping to @nbd168 for wifi crypto changes.
So this PR is going nowhere, it seems. Let me give it one last attempt before I close this PR. @hauke could you have a look?
Recommend revising commit message. Compare with previous commits in this repo. Details from https://github.com/openwrt/netifd/pull/60#issuecomment-3533693220 would do well in the commit message.
The commit message is not that different from the other commit messages as far as I can see, but I'm happy to update it to anything if that helps merge this PR. What do you suggest I change it into?
Updated the commit message.
Works togetherwith. Otherwise, better.
@systemcrash how about I close this PR, and you recreate it? I guess you carry some more weight around here.
Oh well, I will just patch my own installs. Guess people do not care enough about security and performance.