From: Surya Prakash Sivaraj Date: Mon, 22 Dec 2025 09:00:20 +0000 (+0530) Subject: Defer EAPOL frames during ext auth SAE reassociation to the same AP X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e6ecccef2fc73150178046732c975039a592b1b;p=thirdparty%2Fhostap.git Defer EAPOL frames during ext auth SAE reassociation to the same AP With commit 3ab35a660364 ("Extend EAPOL frames processing workaround for roaming cases") wpa_supplicant postpones EAPOL frame processing till roam indication from the driver when the source address of EAPOL frame does not match the current BSSID/AP MLD MAC address. In driver-based SME, the FT roaming is handled at the driver/firmware. However, when there is a deauth from the FT AP, the driver/firmware attempts reassociation via full SAE to the same connected AP. In such cases, the device offloads the EAPOL handling of FT AKMs to the wpa_supplicant. If the M1 frame is received before the roamed event, the wpa_supplicant treats this EAPOL frame as PTK rekey frame and replies with the M2 frame. Roam event gets processed next(before M3) which resets the temporary PTK derived from M1. Without this TPTK, the MIC validation in M3 fails and leads to disconnection. To fix this, extend the current EAPOL-defer logic to defer the frames received after a successful external authentication to the same AP until the roamed event is processed. Signed-off-by: Surya Prakash Sivaraj --- diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index d831557b3..da10414dd 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -447,6 +447,7 @@ void wpa_supplicant_mark_disassoc(struct wpa_supplicant *wpa_s) wpabuf_free(wpa_s->pending_eapol_rx); wpa_s->pending_eapol_rx = NULL; + wpa_s->ext_auth_to_same_bss = false; } @@ -4561,6 +4562,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s, } wpa_s->last_eapol_matches_bssid = 0; + wpa_s->ext_auth_to_same_bss = false; #ifdef CONFIG_TESTING_OPTIONS if (wpa_s->rsne_override_eapol) { diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 860b75f92..a1a7b1710 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -1954,6 +1954,16 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, wpa_s_clear_sae_rejected(wpa_s); if (external) { + const u8 *connected_addr = wpa_s->valid_links ? + wpa_s->ap_mld_addr : wpa_s->bssid; + const u8 *src = wpa_s->sme.ext_ml_auth ? + wpa_s->sme.ext_auth_ap_mld_addr : + wpa_s->sme.ext_auth_bssid; + + wpa_s->ext_auth_to_same_bss = + wpa_s->wpa_state > WPA_ASSOCIATED && + ether_addr_equal(src, connected_addr); + /* Report success to driver */ sme_send_external_auth_status(wpa_s, WLAN_STATUS_SUCCESS); diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 293d4920e..aa620ef4e 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -6050,6 +6050,7 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr, #endif /* CONFIG_TESTING_OPTIONS */ if (wpa_s->wpa_state < WPA_ASSOCIATED || + wpa_s->ext_auth_to_same_bss || (wpa_s->last_eapol_matches_bssid && #ifdef CONFIG_AP !wpa_s->ap_iface && diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 4379b053c..8c784304d 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -1655,6 +1655,9 @@ struct wpa_supplicant { unsigned int next_beacon_check; bool scs_reconfigure; + bool ext_auth_to_same_bss; /* Whether external authentication has been + * completed successfully with the BSS that + * we are already associated with. */ };