[PATCH 16/20] wpa_supplicant: Fix EAP over Auth frame RSNXE advertisement

Wed Jun 10 06:12:09 PDT 2026

From: Ilan Peer <ilan.peer at intel.com>

Commit 285c2e1df6ba ("EAP-AUTH: Advertise IEEE 802.1X in Authentication
frames in RSNXE (STA)") set eap_over_auth_frame once at init time based
only on driver capability flags. This meant the RSNXE capability bit
was advertised regardless of the AP capabilities and the per-network
configuration. As a result, security profile matching was failing.

Fix this by introducing WPA_PARAM_EAP_OVER_AUTH_FRAME and setting it
per-connection based on:

1. If a security profile is used, use the dot1x_in_auth_frame field from
   the profile.
2. Otherwise, check driver support, AP support and network configuration
   including it.

Since wpa_sm_set_802_1x_auth_caps() is no longer needed, remove it.

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 src/rsn_supp/wpa.c              | 10 +++-------
 src/rsn_supp/wpa.h              |  2 +-
 wpa_supplicant/wpa_supplicant.c | 24 +++++++++++++++++-------
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index b8025afc02..627b3b8b3e 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -5289,6 +5289,9 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
 	case WPA_PARAM_PMKSA_CACHING_PRIVACY:
 		sm->pmksa_privacy = !!value;
 		break;
+	case WPA_PARAM_EAP_OVER_AUTH_FRAME:
+		sm->eap_over_auth_frame = !!value;
+		break;
 	case WPA_PARAM_KEK_IN_PASN:
 		sm->kek_in_pasn = !!value;
 		break;
@@ -8050,13 +8053,6 @@ bool wpa_sm_pmksa_privacy_supported(struct wpa_sm *sm)
 
 #ifdef CONFIG_IEEE8021X_AUTH
 
-void wpa_sm_set_802_1x_auth_caps(struct wpa_sm *sm, u64 flags2)
-{
-	sm->eap_over_auth_frame =
-		!!(flags2 & WPA_DRIVER_FLAGS2_802_1X_AUTH);
-}
-
-
 const u8 * wpa_sm_get_pmk(struct wpa_sm *sm, const u8 *addr, const u8 *pmkid,
 			  size_t *pmk_len)
 {
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index c66753e1fa..3b900a1049 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -147,6 +147,7 @@ enum wpa_sm_conf_params {
 	WPA_PARAM_SAE_PW_ID_CHANGE,
 	WPA_PARAM_ASSOC_ENC,
 	WPA_PARAM_PMKSA_CACHING_PRIVACY,
+	WPA_PARAM_EAP_OVER_AUTH_FRAME,
 	WPA_PARAM_KEK_IN_PASN,
 };
 
@@ -731,7 +732,6 @@ int wpa_sm_install_mlo_group_keys(struct wpa_sm *sm, const u8 *key_data,
 				  size_t key_data_len, u16 added_links_bitmap);
 bool wpa_sm_pmksa_privacy_supported(struct wpa_sm *sm);
 
-void wpa_sm_set_802_1x_auth_caps(struct wpa_sm *sm, u64 flags2);
 const u8 * wpa_sm_get_pmk(struct wpa_sm *sm, const u8 *addr, const u8 *pmkid,
 			  size_t *pmk_len);
 
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index b7c84219a6..62185c7542 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -456,6 +456,7 @@ void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s,
 			 wpa_s->mgmt_group_cipher);
 	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION, 0);
 	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC, 0);
+	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EAP_OVER_AUTH_FRAME, 0);
 	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN, 0);
 
 	pmksa_cache_clear_current(wpa_s->wpa);
@@ -2485,11 +2486,17 @@ proto_match_done:
 		wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION, false);
 	}
 
+	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC, false);
+	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EAP_OVER_AUTH_FRAME,
+			 false);
+	wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN, false);
+
 #ifdef CONFIG_ENC_ASSOC
 	if (proto == WPA_PROTO_RSN &&
 	    (wpa_s->drv_flags2 &
 	     WPA_DRIVER_FLAGS2_ASSOCIATION_FRAME_ENCRYPTION)) {
 		bool assoc_enc;
+		bool eap_over_auth;
 		bool kek_in_pasn;
 
 		/* Enable association frame encryption based on the AP
@@ -2500,11 +2507,18 @@ proto_match_done:
 		if (sec_profile) {
 			assoc_enc =
 				sec_profile->assoc_frame_enc_and_pmksa_privacy;
+			eap_over_auth = sec_profile->dot1x_in_auth_frame;
 			kek_in_pasn = sec_profile->kek_in_pasn;
 		} else {
 			assoc_enc = ieee802_11_rsnx_capab(
 				bss_rsnx,
 				WLAN_RSNX_CAPAB_ASSOC_FRAME_ENCRYPTION);
+			eap_over_auth = ssid->eap_over_auth_frame &&
+				(wpa_s->drv_flags2 &
+				 WPA_DRIVER_FLAGS2_802_1X_AUTH) &&
+				ieee802_11_rsnx_capab(
+					bss_rsnx,
+					WLAN_RSNX_CAPAB_802_1X_IN_AUTH_FRAMES);
 			kek_in_pasn =
 				(ssid->key_mgmt & WPA_KEY_MGMT_EPPKE) &&
 				ieee802_11_rsnx_capab(
@@ -2514,12 +2528,12 @@ proto_match_done:
 		if (!skip_default_rsne) {
 			wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC,
 					 assoc_enc);
+			wpa_sm_set_param(wpa_s->wpa,
+					 WPA_PARAM_EAP_OVER_AUTH_FRAME,
+					 eap_over_auth);
 			wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN,
 					 kek_in_pasn);
 		}
-	} else {
-		wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_ASSOC_ENC, false);
-		wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEK_IN_PASN, false);
 	}
 #endif /* CONFIG_ENC_ASSOC */
 
@@ -8200,10 +8214,6 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
 	wpa_pasn_sm_set_caps(wpa_s->wpa, wpa_s->drv_flags2);
 #endif /* CONFIG_PASN */
 
-#ifdef CONFIG_IEEE8021X_AUTH
-	wpa_sm_set_802_1x_auth_caps(wpa_s->wpa, wpa_s->drv_flags2);
-#endif /* CONFIG_IEEE8021X_AUTH */
-
 	wpa_sm_set_driver_bss_selection(wpa_s->wpa,
 					!!(wpa_s->drv_flags &
 					   WPA_DRIVER_FLAGS_BSS_SELECTION));
-- 
2.53.0


