SAE: Fix AKM suite selector check for external authentication
authorJouni Malinen <quic_jouni@quicinc.com>
Sun, 16 Oct 2022 15:25:11 +0000 (18:25 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 16 Oct 2022 15:25:11 +0000 (18:25 +0300)
AKM suite selector check was initially implemented with incorrect byte
swapping of the value from the driver (nl80211). Fix this and leave a
workaround option for any potentially deployed device where the driver
might be using the swapped byte order.

Fixes: 5ff39c1380d9 ("SAE: Support external authentication offload for driver-SME cases")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant/sme.c

index 41b67f8ebd636d5d2d8b8e98f3d1172b86bd90a4..aa94e5c733559626e2eb7be7be9cdded9e63eb45 100644 (file)
@@ -1182,11 +1182,25 @@ static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s,
 }
 
 
+static bool is_sae_key_mgmt_suite(u32 suite)
+{
+       /* suite is supposed to be the selector value in host byte order with
+        * the OUI in three most significant octets. However, the initial
+        * implementation swapped that byte order and did not work with drivers
+        * that followed the expected byte order. Keep a workaround here to
+        * match that initial implementation so that already deployed use cases
+        * remain functional. */
+       if (RSN_SELECTOR_GET(&suite) == RSN_AUTH_KEY_MGMT_SAE)
+               return true;
+
+       return suite == RSN_AUTH_KEY_MGMT_SAE;
+}
+
+
 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
                               union wpa_event_data *data)
 {
-       if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) !=
-           RSN_AUTH_KEY_MGMT_SAE)
+       if (!is_sae_key_mgmt_suite(data->external_auth.key_mgmt_suite))
                return;
 
        if (data->external_auth.action == EXT_AUTH_START) {
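Review bot: In `is_sae_key_mgmt_suite()` the block comment sits above the `RSN_SELECTOR_GET(&suite)` comparison, which, going by the removed lines in `sme_external_auth_trigger()`, is the legacy byte-swapped form, while the expected host-byte-order check is the uncommented `return suite == RSN_AUTH_KEY_MGMT_SAE;` below it. Testing the expected form first and attaching a short comment such as `/* Workaround: accept the byte-swapped selector used by the initial implementation */` to the second test would make it clear which branch is the compatibility path and which one can be dropped later. Because this check decides whether a driver's external authentication request is processed at all, a debug message when only the workaround matches, e.g. `wpa_printf(MSG_DEBUG, "SME: Driver used swapped byte order for AKM suite selector");`, would also let affected drivers be identified; the caller still returns silently on a mismatch. The body of `sme_external_auth_trigger()` continues past the end of the hunk.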