[PATCH 09/20] AP: Include Security Profile element in 4-way handshake message 3

Wed Jun 10 06:12:02 PDT 2026

From: Ilan Peer <ilan.peer at intel.com>

If security profile support is enabled, include a security profile
element in message 3 of the 4-way handshake for the MLO case.

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 src/ap/ieee802_11.c | 10 ++++++++++
 src/ap/wpa_auth.c   | 31 +++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index b731450b7d..6f78b797ff 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -9061,6 +9061,16 @@ int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
 		return len;
 	len += ret;
 
+#ifdef CONFIG_ENC_ASSOC
+	if (sta->use_sec_profile) {
+		ret = os_snprintf(buf + len, buflen - len,
+				  "sec_profile_in_assoc_req=1\n");
+		if (os_snprintf_error(buflen - len, ret))
+			return len;
+		len += ret;
+	}
+#endif /* CONFIG_ENC_ASSOC */
+
 	return len;
 }
 
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index eec24c5498..4d147b4081 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -13,6 +13,7 @@
 #include "utils/state_machine.h"
 #include "utils/bitfield.h"
 #include "common/ieee802_11_defs.h"
+#include "common/ieee802_11_common.h"
 #include "common/ocv.h"
 #include "common/dpp.h"
 #include "common/wpa_ctrl.h"
@@ -5211,6 +5212,20 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 
 	kde_len += wpa_auth_ml_kdes_len(sm);
 
+	/*
+	 * Include the Security Profile element in message 3 of the 4-way
+	 * handshake.
+	 */
+	if (is_mld && conf->sec_profile_enabled) {
+		const u8 *secp;
+
+		secp = get_ie_ext(sm->wpa_auth->wpa_ie,
+				  sm->wpa_auth->wpa_ie_len,
+				  WLAN_EID_EXT_SECURITY_PROFILE);
+		if (secp)
+			kde_len += 2 + secp[1];
+	}
+
 	if (sm->ssid_protection)
 		kde_len += 2 + conf->ssid_len;
 
@@ -5348,6 +5363,22 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 		goto done;
 	}
 
+	/*
+	 * For MLO, append the Security Profile element here since
+	 * wpa_auth->wpa_ie is not copied as Key Data.
+	 */
+	if (is_mld && conf->sec_profile_enabled) {
+		const u8 *secp;
+
+		secp = get_ie_ext(sm->wpa_auth->wpa_ie,
+				  sm->wpa_auth->wpa_ie_len,
+				  WLAN_EID_EXT_SECURITY_PROFILE);
+		if (secp) {
+			os_memcpy(pos, secp, 2 + secp[1]);
+			pos += 2 + secp[1];
+		}
+	}
+
 	if (sm->ssid_protection) {
 		*pos++ = WLAN_EID_SSID;
 		*pos++ = conf->ssid_len;
-- 
2.53.0


