[PATCH 08/20] AP: Add Security Profile element to (Re)Association Response

Andrei Otcheretianski andrei.otcheretianski at intel.com
Wed Jun 10 06:12:01 PDT 2026 

From: Ilan Peer <ilan.peer at intel.com>

If a received (re)association request frame for an EPP station
includes a security profile element, include the AP's security
profile element in the association response.

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 src/ap/ieee802_11.c | 22 +++++++++++++++++++++-
 src/ap/sta_info.h   |  2 ++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 23493d6533..b731450b7d 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -5468,6 +5468,10 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 #endif /* CONFIG_ENC_ASSOC */
 #endif /* CONFIG_SAE */
 
+#ifdef CONFIG_ENC_ASSOC
+	sta->use_sec_profile = false;
+#endif /* CONFIG_ENC_ASSOC */
+
 	if (type != LINK_PARSE_RECONF) {
 		resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len);
 		if (resp != WLAN_STATUS_SUCCESS)
@@ -5716,6 +5720,15 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 		goto out;
 	}
 
+#ifdef CONFIG_ENC_ASSOC
+	/*
+	 * If this is an association frame received for an non-AP EPP STA and it
+	 * includes a Security Profile element, the AP shall include the
+	 * Security Profile element in the (Re)Association Response frame.
+	 */
+	sta->use_sec_profile = sta->epp_sta && !!elems->security_profile;
+#endif /* CONFIG_ENC_ASSOC */
+
 	if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems->rsn_ie) {
 		wpa_ie = elems->rsn_ie;
 		wpa_ie_len = elems->rsn_ie_len;
@@ -7021,7 +7034,14 @@ rsnxe_done:
 	}
 #endif /* CONFIG_DPP2 */
 
-	p = hostapd_eid_security_profile(hapd, p, buf + buflen - p);
+#ifdef CONFIG_ENC_ASSOC
+	/*
+	 * Include the Security Profile element in the (Re)Association Response
+	 * frame if needed.
+	 */
+	if (sta && sta->use_sec_profile)
+		p = hostapd_eid_security_profile(hapd, p, buf + buflen - p);
+#endif /* CONFIG_ENC_ASSOC */
 
 #ifdef CONFIG_IEEE80211AC
 	if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 38967b2f79..b426b55196 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -121,6 +121,8 @@ struct sta_info {
 	u8 qosinfo; /* Valid when WLAN_STA_WMM is set */
 #ifdef CONFIG_ENC_ASSOC
 	bool epp_sta; /* Indicates if the station is an EPP peer */
+	bool use_sec_profile; /* Indicates if the security profile should be
+			       * used */
 #endif /* CONFIG_ENC_ASSOC */
 #ifdef CONFIG_PMKSA_PRIVACY
 	u8 snonce[NONCE_LEN]; /* SNonce to compute next PMKID if
-- 
2.53.0

More information about the Hostap mailing list