From: Ainy Kumari <ainykuma@qti.qualcomm.com>
Date: Thu, 22 May 2025 12:51:40 +0000 (+0530)
Subject: SAE: Fix AKM suite selector for external authentication compatibility
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85fd567df7a98179356759fce3eea4390af39c0f;p=thirdparty%2Fhostap.git

SAE: Fix AKM suite selector for external authentication compatibility

Kernel commit 4f4d8be6dc37 ("wifi: nl80211: force WLAN_AKM_SUITE_SAE in
big endian in NL80211_CMD_EXTERNAL_AUTH") enforces WLAN_AKM_SUITE_SAE to
be passed in big-endian format in NL80211_CMD_EXTERNAL_AUTH for all
drivers. This is causing issues for cross-AKM roaming cases (e.g.,
roaming from SAE-EXT-KEY AP to SAE AP) with current wpa_supplicant
implementation since it is considering the connected AP AKM as the
target AP AKM when WLAN_AKM_SUITE_SAE is indicated in big-endian format
in NL80211_CMD_EXTERNAL_AUTH.

To fix this, always set external authentication AKM as
WLAN_AKM_SUITE_SAE when WLAN_AKM_SUITE_SAE indicated in big endian
format in NL80211_CMD_EXTERNAL_AUTH.

This change is still compatible with old drivers since there is no
change in SAE authentication procedure when the target AP AKM is SAE or
FT-SAE.

Signed-off-by: Ainy Kumari <ainykuma@qti.qualcomm.com>
---

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index d4e9cebbc..47c965bfd 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1499,10 +1499,15 @@ static bool is_sae_key_mgmt_suite(struct wpa_supplicant *wpa_s, u32 suite)
 	 * match that initial implementation so that already deployed use cases
 	 * remain functional. */
 	if (RSN_SELECTOR_GET(&suite) == RSN_AUTH_KEY_MGMT_SAE) {
-		/* Old drivers which follow initial implementation send SAE AKM
-		 * for both SAE and FT-SAE connections. In that case, determine
-		 * the actual AKM from wpa_s->key_mgmt. */
-		wpa_s->sme.ext_auth_key_mgmt = wpa_s->key_mgmt;
+		/* This will be true in following cases
+		 * 1. Old drivers which follow the initial implementation send
+		 *    RSN_AUTH_KEY_MGMT_SAE with swapped byte order for both SAE
+		 *    and FT-SAE connections.
+		 * 2. The driver sending RSN_AUTH_KEY_MGMT_SAE in host byte
+		 *    order but kernel swapped that byte order to follow initial
+		 *    implementation.
+		 * In these cases, update the AKM as WPA_KEY_MGMT_SAE. */
+		wpa_s->sme.ext_auth_key_mgmt = WPA_KEY_MGMT_SAE;
 		return true;
 	}