[PATCH] AP: Reject WPA-PSK AKM when PMF is required
Jason Huang
Jason.Huang2 at infineon.com
Thu May 14 20:09:01 PDT 2026
From: Rakshith P <rakshith.p at infineon.com>
PMF required mode (ieee80211w=2) must not be combined with WPA-PSK AKM.
That configuration is internally inconsistent and should be rejected during
configuration validation instead of being accepted at startup.
Add a config-time check to fail when PMF is required and the selected AKM
set includes WPA-PSK. Use a bitmask-based test so this also catches mixed
AKM sets (for example, WPA-PSK + SAE), not only one specific AKM
combination.
This makes hostapd fail fast with a clear error for invalid security policy
selection and prevents deployment of unsupported PMF-required PSK setups.
Signed-off-by: Rakshith P <rakshith.p at infineon.com>
Signed-off-by: Jason Huang <jason.huang2 at infineon.com>
---
src/ap/ap_config.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 36a4dad65..0a7785cce 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -1536,6 +1536,13 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
WPA_CIPHER_GCMP_256 | WPA_CIPHER_GCMP)))
bss->spp_amsdu = false;
+ if (full_config && (bss->ieee80211w == 2) &&
+ (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK)) {
+ wpa_printf(MSG_ERROR,
+ "Cannot set ieee80211w=2 along with the selected wpa_key_mgmt");
+ return -1;
+ }
+
return 0;
}
--
2.25.1
More information about the Hostap
mailing list