AP: Reject WPA-PSK AKM when PMF is required

Message ID	20260515030901.743078-1-Jason.Huang2@infineon.com
State	Rejected
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Jason Huang <Jason.Huang2@infineon.com> To: <hostap@lists.infradead.org> CC: Rakshith P <rakshith.p@infineon.com>, Jason Huang <jason.huang2@infineon.com> Subject: [PATCH] AP: Reject WPA-PSK AKM when PMF is required Date: Fri, 15 May 2026 11:09:01 +0800 Message-ID: <20260515030901.743078-1-Jason.Huang2@infineon.com> MIME-Version: 1.0 preview: From: Rakshith P <rakshith.p@infineon.com> PMF required mode (ieee80211w=2) must not be combined with WPA-PSK AKM. That configuration is internally inconsistent and should be rejected during configuration validation instead of being accepted a [...] Content analysis details: (-2.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.0 DMARC_PASS DMARC pass policy Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	AP: Reject WPA-PSK AKM when PMF is required \| expand AP: Reject WPA-PSK AKM when PMF is required

Message ID

20260515030901.743078-1-Jason.Huang2@infineon.com

State

Rejected

Headers

From: Jason Huang <Jason.Huang2@infineon.com>
To: <hostap@lists.infradead.org>
CC: Rakshith P <rakshith.p@infineon.com>, Jason Huang
	<jason.huang2@infineon.com>
Subject: [PATCH] AP: Reject WPA-PSK AKM when PMF is required
Date: Fri, 15 May 2026 11:09:01 +0800
Message-ID: <20260515030901.743078-1-Jason.Huang2@infineon.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

AP: Reject WPA-PSK AKM when PMF is required | expand

Commit Message

HungTsung Huang May 15, 2026, 3:09 a.m. UTC

From: Rakshith P <rakshith.p@infineon.com>

PMF required mode (ieee80211w=2) must not be combined with WPA-PSK AKM.
That configuration is internally inconsistent and should be rejected during
configuration validation instead of being accepted at startup.

Add a config-time check to fail when PMF is required and the selected AKM
set includes WPA-PSK. Use a bitmask-based test so this also catches mixed
AKM sets (for example, WPA-PSK + SAE), not only one specific AKM
combination.

This makes hostapd fail fast with a clear error for invalid security policy
selection and prevents deployment of unsupported PMF-required PSK setups.

Signed-off-by: Rakshith P <rakshith.p@infineon.com>
Signed-off-by: Jason Huang <jason.huang2@infineon.com>
---
 src/ap/ap_config.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Jouni Malinen May 20, 2026, 8:36 a.m. UTC | #1

On Fri, May 15, 2026 at 11:09:01AM +0800, Jason Huang wrote:
> PMF required mode (ieee80211w=2) must not be combined with WPA-PSK AKM.

Why? That combination is what the PMF program was initially launched
with and I see no reason to suddenly start disallowing it.

> That configuration is internally inconsistent and should be rejected during
> configuration validation instead of being accepted at startup.

What do you mean with being "internally inconsistent"?

> Add a config-time check to fail when PMF is required and the selected AKM
> set includes WPA-PSK. Use a bitmask-based test so this also catches mixed
> AKM sets (for example, WPA-PSK + SAE), not only one specific AKM
> combination.
> 
> This makes hostapd fail fast with a clear error for invalid security policy
> selection and prevents deployment of unsupported PMF-required PSK setups.

This would disallow configurations that are valid and as such, I don't
think this is going to be an acceptable change.

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 36a4dad65..0a7785cce 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -1536,6 +1536,13 @@  static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
 				   WPA_CIPHER_GCMP_256 | WPA_CIPHER_GCMP)))
 		bss->spp_amsdu = false;
 
+	if (full_config && (bss->ieee80211w == 2) &&
+	    (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK)) {
+		wpa_printf(MSG_ERROR,
+			   "Cannot set ieee80211w=2 along with the selected wpa_key_mgmt");
+		return -1;
+	}
+
 	return 0;
 }

AP: Reject WPA-PSK AKM when PMF is required

Commit Message

Comments

Patch