From: Beniamino Galvani Date: Mon, 4 Apr 2022 09:13:12 +0200 Subject: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP wpa_supplicant doesn't support FT in AP mode, but it still negotiates FT-SAE. This can lead to an authentication failure when the AP is started with key_mgmt="SAE FT-SAE" and the STA supports both. Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not defined. Signed-off-by: Beniamino Galvani --- src/ap/wpa_auth_ie.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 524922e..d63cbeb 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -228,11 +228,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, pos += RSN_SELECTOR_LEN; num_suites++; } +#ifdef CONFIG_IEEE80211R_AP if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); pos += RSN_SELECTOR_LEN; num_suites++; } +#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_SAE */ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B); @@ -670,8 +672,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_SAE else if (data.key_mgmt & WPA_KEY_MGMT_SAE) selector = RSN_AUTH_KEY_MGMT_SAE; +#ifdef CONFIG_IEEE80211R_AP else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE) selector = RSN_AUTH_KEY_MGMT_FT_SAE; +#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_SAE */ else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; @@ -778,8 +782,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_SAE else if (key_mgmt & WPA_KEY_MGMT_SAE) sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE; +#ifdef CONFIG_IEEE80211R_AP else if (key_mgmt & WPA_KEY_MGMT_FT_SAE) sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE; +#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_SAE */ else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;