From 8392ea9e75eacf30cb09671e463d9a37c3eadd6a Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 16 Oct 2022 18:25:11 +0300
Subject: [PATCH] SAE: Fix AKM suite selector check for external authentication

AKM suite selector check was initially implemented with incorrect byte swapping of the value from the driver (nl80211). Fix this and leave a workaround option for any potentially deployed device where the driver might be using the swapped byte order.

Fixes: 5ff39c1380d9 ("SAE: Support external authentication offload for driver-SME cases")
Signed-off-by: Jouni Malinen
---
 wpa_supplicant/sme.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 41b67f8eb..aa94e5c73 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1182,11 +1182,25 @@ static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s,
 }


+static bool is_sae_key_mgmt_suite(u32 suite)
+{
+ /* suite is supposed to be the selector value in host byte order with
+ * the OUI in three most significant octets. However, the initial
+ * implementation swapped that byte order and did not work with drivers
+ * that followed the expected byte order. Keep a workaround here to
+ * match that initial implementation so that already deployed use cases
+ * remain functional. */
+ if (RSN_SELECTOR_GET(&suite) == RSN_AUTH_KEY_MGMT_SAE)
+ return true;
+
+ return suite == RSN_AUTH_KEY_MGMT_SAE;
+}
+
+
 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
 union wpa_event_data *data)
 {
- if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) !=
- RSN_AUTH_KEY_MGMT_SAE)
+ if (!is_sae_key_mgmt_suite(data->external_auth.key_mgmt_suite))
 return;

 if (data->external_auth.action == EXT_AUTH_START) {
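Review bot: The legacy byte-swapped match in is_sae_key_mgmt_suite() is accepted silently, so the logs show neither which drivers still depend on the workaround nor when an unexpected selector made sme_external_auth_trigger() drop the request. A debug line in the workaround branch, for example `wpa_printf(MSG_DEBUG, "SAE: external auth key_mgmt_suite 0x%08x in swapped byte order", suite);`, would make that visible, and the early `return` in the caller could log the rejected value the same way. The comment would also read more clearly if it said that the RSN_SELECTOR_GET() comparison is the workaround and the plain `suite == RSN_AUTH_KEY_MGMT_SAE` comparison is the expected path; the two presumably coincide on big-endian hosts, which is worth confirming and noting. sme_external_auth_trigger() continues past the end of the hunk.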