[PATCH 15/20] wpa_supplicant: Fix KEK_IN_PASN RSNXE advertisement

Wed Jun 10 06:12:08 PDT 2026

From: Ilan Peer <ilan.peer at intel.com>

Commit 9aa9cd3b645e ("EPPKE: Advertise RSNXE capabilities in
(Re)Association Request frame") incorrectly tied the KEK_IN_PASN
RSNXE capability bit to the 'assoc_encryption' flag.

This caused KEK_IN_PASN to always be advertised whenever association
frame encryption was enabled, regardless of whether EPPKE was actually
being used. Specifically, this is wrong when 802.1X EAP over
authentication frames is used.

Fix this by introducing a separate 'kek_in_pasn' flag and set it:

1. When a Security Profile is available, use the 'kek_in_pasn' field
   from the profile.
2. Otherwise, when EPPKE AKM is used and the AP advertised support
   for KEK in PASN.

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 src/rsn_supp/wpa.c              |  3 +++
 src/rsn_supp/wpa.h              |  1 +
 src/rsn_supp/wpa_i.h            |  1 +
 src/rsn_supp/wpa_ie.c           |  5 +++--
 wpa_supplicant/wpa_supplicant.c | 19 ++++++++++++++++---
 5 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index e0b9241583..b8025afc02 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -5289,6 +5289,9 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
 	case WPA_PARAM_PMKSA_CACHING_PRIVACY:
 		sm->pmksa_privacy = !!value;
 		break;
+	case WPA_PARAM_KEK_IN_PASN:
+		sm->kek_in_pasn = !!value;
+		break;
 	default:
 		break;
 	}
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index 3adfb2b79d..c66753e1fa 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -147,6 +147,7 @@ enum wpa_sm_conf_params {
 	WPA_PARAM_SAE_PW_ID_CHANGE,
 	WPA_PARAM_ASSOC_ENC,
 	WPA_PARAM_PMKSA_CACHING_PRIVACY,
+	WPA_PARAM_KEK_IN_PASN,
 };
 
 enum wpa_rsn_override {
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 9514a47825..de89a9208f 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -120,6 +120,7 @@ struct wpa_sm {
 	unsigned int assoc_encryption:1;
 	unsigned int pmksa_privacy:1;
 	unsigned int eap_over_auth_frame:1;
+	unsigned int kek_in_pasn:1;
 
 	u8 *assoc_wpa_ie; /* Own WPA/RSN IE from (Re)AssocReq */
 	size_t assoc_wpa_ie_len;
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index eeb3d01190..bd6d4b8470 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -441,8 +441,9 @@ int wpa_gen_rsnxe(struct wpa_sm *sm, u8 *rsnxe, size_t rsnxe_len)
 		capab |= BIT_ULL(WLAN_RSNX_CAPAB_SAE_PW_ID_CHANGE);
 #ifdef CONFIG_ENC_ASSOC
 	if (sm->assoc_encryption)
-		capab |= BIT(WLAN_RSNX_CAPAB_ASSOC_FRAME_ENCRYPTION) |
-			BIT(WLAN_RSNX_CAPAB_KEK_IN_PASN);
+		capab |= BIT(WLAN_RSNX_CAPAB_ASSOC_FRAME_ENCRYPTION);
+	if (sm->kek_in_pasn)
+		capab |= BIT(WLAN_RSNX_CAPAB_KEK_IN_PASN);
 #endif /* CONFIG_ENC_ASSOC */
 #ifdef CONFIG_PMKSA_PRIVACY
 	if (sm->pmksa_privacy)
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 08bba0bed8..b7c84219a6 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -456,6 +456,7 @@ void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s,
 			 wpa_s->mgmt_group_cipher);
 	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION, 0);
 	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC, 0);
+	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN, 0);
 
 	pmksa_cache_clear_current(wpa_s->wpa);
 	os_memset(&mlo, 0, sizeof(mlo));
@@ -2489,24 +2490,36 @@ proto_match_done:
 	    (wpa_s->drv_flags2 &
 	     WPA_DRIVER_FLAGS2_ASSOCIATION_FRAME_ENCRYPTION)) {
 		bool assoc_enc;
+		bool kek_in_pasn;
 
 		/* Enable association frame encryption based on the AP
 		 * advertising support for it to avoid potential
 		 * interoperability issues with incorrect AP behavior if we
 		 * were to send an "unexpected" RSNXE with multiple octets of
 		 * payload. */
-		if (sec_profile)
+		if (sec_profile) {
 			assoc_enc =
 				sec_profile->assoc_frame_enc_and_pmksa_privacy;
-		else
+			kek_in_pasn = sec_profile->kek_in_pasn;
+		} else {
 			assoc_enc = ieee802_11_rsnx_capab(
 				bss_rsnx,
 				WLAN_RSNX_CAPAB_ASSOC_FRAME_ENCRYPTION);
-		if (!skip_default_rsne)
+			kek_in_pasn =
+				(ssid->key_mgmt & WPA_KEY_MGMT_EPPKE) &&
+				ieee802_11_rsnx_capab(
+					bss_rsnx,
+					WLAN_RSNX_CAPAB_KEK_IN_PASN);
+		}
+		if (!skip_default_rsne) {
 			wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC,
 					 assoc_enc);
+			wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN,
+					 kek_in_pasn);
+		}
 	} else {
 		wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC, false);
+		wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN, false);
 	}
 #endif /* CONFIG_ENC_ASSOC */
 
-- 
2.53.0


