[PATCH 09/29] 11bi: Configuration options to control EPP feature support in AP mode

Sai Pratyusha Magam smagam at qti.qualcomm.com
Thu Dec 11 05:14:23 PST 2025


Introduce additional configuration options to control the
enablement of each of the below EPP features in AP:
-(Re)Association Request/Response frame encryption support
-PMKSA Caching Privacy Support
-IEEE 802.1X Authentication Utilizing Authentication Frame Support

Signed-off-by: Sai Pratyusha Magam <smagam at qti.qualcomm.com>
Signed-off-by: Rohan Dutta <drohan at qti.qualcomm.com>
---
 hostapd/config_file.c  |  8 ++++++++
 hostapd/hostapd.conf   | 23 +++++++++++++++++++++++
 src/ap/ap_config.c     |  5 +++++
 src/ap/ap_config.h     |  5 +++++
 src/ap/wpa_auth.h      |  6 +++++-
 src/ap/wpa_auth_glue.c | 25 +++++++++++++++++++++++++
 6 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 25e1a0f0d..6084602c8 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2865,6 +2865,14 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 			return 1;
 		}
 		bss->extended_key_id = val;
+#ifdef CONFIG_ENC_ASSOC
+	} else if (os_strcmp(buf, "assoc_frame_encryption") == 0) {
+		bss->assoc_frame_encryption = atoi(pos);
+	} else if (os_strcmp(buf, "pmksa_caching_privacy") == 0) {
+		bss->pmksa_caching_privacy = atoi(pos);
+	} else if (os_strcmp(buf, "eap_using_authentication_frames") == 0) {
+		bss->eap_using_authentication_frames = atoi(pos);
+#endif /* CONFIG_ENC_ASSOC  */
 	} else if (os_strcmp(buf, "wpa_group_rekey") == 0) {
 		bss->wpa_group_rekey = atoi(pos);
 		bss->wpa_group_rekey_set = 1;
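Review bot: The three new branches assign `atoi(pos)` straight into fields that src/ap/ap_config.h in this patch declares as `unsigned int ...:1`, so an out-of-range value is silently reduced to its low bit. For example `assoc_frame_encryption=2` is stored as 0 and a typo such as `=yes` parses as 0, leaving a privacy feature off without any error. The `extended_key_id` branch just above appears to range-check `val` and `return 1` on bad input, and the new options should do the same. The sketch below assumes `val` and the `line` argument are in scope here as they are for the neighbouring branches; the body of hostapd_config_fill() starts and ends outside this hunk.

```c
	} else if (os_strcmp(buf, "assoc_frame_encryption") == 0) {
		val = atoi(pos);
		if (val < 0 || val > 1) {
			wpa_printf(MSG_ERROR,
				   "Line %d: Invalid assoc_frame_encryption value: %d",
				   line, val);
			return 1;
		}
		bss->assoc_frame_encryption = val;
	/* … same 0/1 check for pmksa_caching_privacy and
	 * eap_using_authentication_frames … */
```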
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index c76801965..996fa4484 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -3529,3 +3529,26 @@ own_ip_addr=127.0.0.1
 #bridge=br-lan
 #wpa_key_mgmt=SAE
 #bssid=00:03:7f:12:84:85
+
+##### IEEE 802.11bi related configuration #####################################
+
+#IEEE Std 802.11bi D2.0 introduces following EPP feature capabilities
+#(Re)Association Request/Response frame Encryption: Indicates if AP supports
+#encryption of (Re)Association Request and Response frames
+# 0 = disabled (default)
+# 1 = enabled
+#association_frame_encryption_support=0
+
+#PMKSA Caching privacy: Indicates if the AP would recompute the PMKID after the
+#indicated PMKID in the RSNE identifies a cached PMKSA and a PTKSA was established
+#using the identified PMKSA. The recomputed PMKID will be delivered to the non-AP
+#STA in the key delivery element added in the encrypted (Re)Association Response frame
+# 0 = disabled (default)
+# 1 = enabled
+#pmksa_caching_privacy=0
+
+#IEEE802.1X (EAP) Authentication utilizing Authentication frames: Indicates if
+#the EAP PDU will be encapsulated within the IEEE802.1X authentication frames
+# 0 = disabled (default)
+# 1 = enabled
+#eap_using_authentication_frames=0
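Review bot: The sample names the first option `association_frame_encryption_support`, but the parser added to hostapd/config_file.c in this same patch only matches `assoc_frame_encryption`, so an operator who uncomments the documented line is not setting the option the code reads. Use one spelling in both places, e.g. `#assoc_frame_encryption=0`. The section should also say that these keys are only recognised when hostapd is built with CONFIG_ENC_ASSOC. It should add that association frame encryption is cleared at runtime when the driver does not advertise the capability (see the src/ap/wpa_auth_glue.c hunk), so an administrator does not assume the feature is active just because it is set to 1.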
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index fbe646272..de20bc2f7 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -179,6 +179,11 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #endif /* CONFIG_PASN */
 	bss->urnm_mfpr_x20 = -1;
 	bss->urnm_mfpr = -1;
+#ifdef CONFIG_ENC_ASSOC
+	bss->assoc_frame_encryption = 0;
+	bss->pmksa_caching_privacy = 0;
+	bss->eap_using_authentication_frames = 0;
+#endif /* CONFIG_ENC_ASSOC */
 }
 
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8a7c9393f..006747517 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -984,6 +984,11 @@ struct hostapd_bss_config {
 	int mbssid_index;
 
 	bool spp_amsdu;
+#ifdef CONFIG_ENC_ASSOC
+	unsigned int assoc_frame_encryption:1;
+	unsigned int pmksa_caching_privacy:1;
+	unsigned int eap_using_authentication_frames:1;
+#endif /* CONFIG_ENC_ASSOC  */
 };
 
 /**
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 12a8b6b1a..36954a19a 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -290,7 +290,11 @@ struct wpa_auth_config {
 	unsigned int secure_ltf:1;
 	unsigned int secure_rtt:1;
 	unsigned int prot_range_neg:1;
-
+#ifdef CONFIG_ENC_ASSOC
+	unsigned int assoc_frame_encryption:1;
+	unsigned int pmksa_caching_privacy:1;
+	unsigned int eap_using_authentication_frames:1;
+#endif /* CONFIG_ENC_ASSOC  */
 	int owe_ptk_workaround;
 	u8 transition_disable;
 #ifdef CONFIG_DPP2
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 8418bf8f0..8c59da3d5 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -81,6 +81,25 @@ static void hostapd_wpa_auth_config_update(struct hostapd_data *hapd,
 		!!(hapd->iface->drv_flags2 &
 		   WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_AP);
 
+#ifdef CONFIG_ENC_ASSOC
+	if (_conf->assoc_frame_encryption &&
+	    (hapd->iface->drv_flags2 &
+		WPA_DRIVER_FLAGS2_ASSOCIATION_FRAME_ENCRYPTION))
+		_conf->assoc_frame_encryption = 1;
+	else
+		_conf->assoc_frame_encryption = 0;
+
+	if (_conf->pmksa_caching_privacy)
+		_conf->pmksa_caching_privacy = 1;
+	else
+		_conf->pmksa_caching_privacy = 0;
+
+	if (_conf->eap_using_authentication_frames)
+		_conf->eap_using_authentication_frames = 1;
+	else
+		_conf->eap_using_authentication_frames = 0;
+#endif /* CONFIG_ENC_ASSOC  */
+
 #ifdef CONFIG_IEEE80211BE
 	_conf->mld_addr = NULL;
 	_conf->link_id = -1;
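Review bot: When `assoc_frame_encryption` is configured but the driver lacks `WPA_DRIVER_FLAGS2_ASSOCIATION_FRAME_ENCRYPTION`, the first new block clears the setting with no log output, so the AP runs without the protection the operator asked for and nothing records the downgrade. A warning (or a hard configuration failure, if the project prefers fail-closed) would make this visible. The two following if/else blocks re-assign a 1-bit field to its own truth value and can be dropped. Separately, the hostapd.conf text in this patch says the recomputed PMKID is delivered in the encrypted (Re)Association Response, which suggests `pmksa_caching_privacy` may need to be cleared as well when frame encryption is unavailable; please confirm against the draft. hostapd_wpa_auth_config_update() begins before this hunk and continues after it.

```c
#ifdef CONFIG_ENC_ASSOC
	if (_conf->assoc_frame_encryption &&
	    !(hapd->iface->drv_flags2 &
	      WPA_DRIVER_FLAGS2_ASSOCIATION_FRAME_ENCRYPTION)) {
		wpa_printf(MSG_WARNING,
			   "EPP: driver does not support (Re)Association frame encryption - disabling assoc_frame_encryption");
		_conf->assoc_frame_encryption = 0;
	}
	/* pmksa_caching_privacy and eap_using_authentication_frames are
	 * already 0/1 bit-fields; no normalization needed here. */
#endif /* CONFIG_ENC_ASSOC */
```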
@@ -112,6 +131,12 @@ static void hostapd_wpa_auth_conf(struct hostapd_iface *iface,
 
 	os_memset(wconf, 0, sizeof(*wconf));
 	wconf->wpa = conf->wpa;
+#ifdef CONFIG_ENC_ASSOC
+	wconf->assoc_frame_encryption = conf->assoc_frame_encryption;
+	wconf->pmksa_caching_privacy = conf->pmksa_caching_privacy;
+	wconf->eap_using_authentication_frames =
+		conf->eap_using_authentication_frames;
+#endif /* CONFIG_ENC_ASSOC  */
 	wconf->extended_key_id = conf->extended_key_id;
 	wconf->wpa_key_mgmt = conf->wpa_key_mgmt;
 	wconf->rsn_override_key_mgmt = conf->rsn_override_key_mgmt;
-- 
2.34.1



