From 1753f5ee63f8a6ff62193f34870c0b2f89394dcf Mon Sep 17 00:00:00 2001
From: Shreyas Sheth <shreyas.sheth@espressif.com>
Date: Fri, 26 Sep 2025 11:20:13 +0530
Subject: [PATCH] fix(esp_wifi): Resolve some comments for wpa3_compatible_mode
 support

---
 components/esp_wifi/Kconfig                   | 16 +++++-----
 components/esp_wifi/lib                       |  2 +-
 .../esp_supplicant/src/esp_hostap.c           |  8 +++--
 .../wpa_supplicant/src/ap/wpa_auth_ie.c       |  4 +--
 .../wpa_supplicant/src/common/wpa_common.c    | 31 ++++++++++++-------
 components/wpa_supplicant/src/rsn_supp/wpa.c  |  2 +-
 .../softAP/main/softap_example_main.c         |  2 --
 7 files changed, 37 insertions(+), 28 deletions(-)

diff --git a/components/esp_wifi/Kconfig b/components/esp_wifi/Kconfig
index 48dccc2157..0053e942d9 100644
--- a/components/esp_wifi/Kconfig
+++ b/components/esp_wifi/Kconfig
@@ -307,13 +307,6 @@ menu "Wi-Fi"
                 explicitly configured before attempting connection. Please refer to the Wi-Fi Driver API Guide
                 for details.
 
-        config ESP_WIFI_ENABLE_SAE_PK
-            bool "Enable SAE-PK"
-            default y
-            depends on (ESP_WIFI_ENABLE_WPA3_SAE && ESP_WIFI_ENABLE_SAE_H2E)
-            help
-                Select this option to enable SAE-PK
-
         config ESP_WIFI_ENABLE_SAE_H2E
             bool "Enable SAE-H2E"
             default y
@@ -321,6 +314,13 @@ menu "Wi-Fi"
             help
                 Select this option to enable SAE-H2E
 
+        config ESP_WIFI_ENABLE_SAE_PK
+            bool "Enable SAE-PK"
+            default y
+            depends on (ESP_WIFI_ENABLE_WPA3_SAE && ESP_WIFI_ENABLE_SAE_H2E)
+            help
+                Select this option to enable SAE-PK
+
         config ESP_WIFI_SOFTAP_SAE_SUPPORT
             bool "Enable WPA3 Personal(SAE) SoftAP"
             default y
@@ -344,7 +344,7 @@ menu "Wi-Fi"
             default y
             depends on ESP_WIFI_ENABLE_SAE_H2E
             help
-                Select this option to enable WPA3 Compatible support in softap mode.
+                Select this option to support wpa3_compatible mode for station and AP
 
         config ESP_WIFI_SLP_IRAM_OPT
             bool "WiFi SLP IRAM speed optimization"
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index 5bcb2be0dd..0b719267d4 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit 5bcb2be0dd10ad0da56cba95e8a1a6f16732c5b3
+Subproject commit 0b719267d459d9005e352e22a9c2dfcdf2d3f552
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
index b2eb14c324..007a3e928b 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
@@ -111,7 +111,6 @@ void *hostap_init(void)
 #endif /* CONFIG_IEEE80211W */
     if (esp_wifi_is_wpa3_compatible_mode_enabled(WIFI_IF_AP)) {
 #ifdef CONFIG_WPA3_COMPAT
-        hapd->conf->sae_pwe = SAE_PWE_HASH_TO_ELEMENT;
         auth_conf->rsn_override_omit_rsnxe = 1;
         hapd->conf->rsn_override_omit_rsnxe = 1;
         hapd->conf->rsn_override_key_mgmt = WPA_KEY_MGMT_SAE;
@@ -219,10 +218,13 @@ void *hostap_init(void)
     hapd->conf->ssid.wpa_passphrase[WIFI_PASSWORD_LEN_MAX - 1] = '\0';
     hapd->conf->max_num_sta = esp_wifi_ap_get_max_sta_conn();
     auth_conf->transition_disable = esp_wifi_ap_get_transition_disable_internal();
+
     if (authmode != WIFI_AUTH_WPA3_PSK &&
-            authmode != WIFI_AUTH_WPA2_WPA3_PSK && auth_conf->transition_disable) {
+            authmode != WIFI_AUTH_WPA2_WPA3_PSK &&
+            !esp_wifi_is_wpa3_compatible_mode_enabled(WIFI_IF_AP) &&
+            auth_conf->transition_disable) {
         auth_conf->transition_disable = 0;
-        wpa_printf(MSG_DEBUG, "overriding transition_disable config with 0 as authmode is not WPA3");
+        wpa_printf(MSG_DEBUG, "overriding transition_disable config with 0 as authmode is not WPA3/WPA2-WPA3/compatible");
     }
 
 #ifdef CONFIG_SAE
diff --git a/components/wpa_supplicant/src/ap/wpa_auth_ie.c b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
index 60a92a5cc8..7d01d002ef 100644
--- a/components/wpa_supplicant/src/ap/wpa_auth_ie.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
@@ -602,8 +602,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #ifdef CONFIG_SAE
 		else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
 			selector = RSN_AUTH_KEY_MGMT_SAE;
-                else if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY)
-                        selector = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
+		else if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY)
+			selector = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
 		else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
 			selector = RSN_AUTH_KEY_MGMT_FT_SAE;
 #endif /* CONFIG_SAE */
diff --git a/components/wpa_supplicant/src/common/wpa_common.c b/components/wpa_supplicant/src/common/wpa_common.c
index 4cd49d3d2f..5e5655cfdd 100644
--- a/components/wpa_supplicant/src/common/wpa_common.c
+++ b/components/wpa_supplicant/src/common/wpa_common.c
@@ -426,7 +426,6 @@ int wpa_parse_wpa_ie_rsnxe(const u8 *rsnxe_ie, size_t rsnxe_ie_len,
 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
 			 struct wpa_ie_data *data)
 {
-	const struct rsn_ie_hdr *hdr;
 	const u8 *pos;
 	int left;
 	int i, count;
@@ -453,19 +452,29 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
 		return -1;
 	}
 
-	hdr = (const struct rsn_ie_hdr *) rsn_ie;
+	if (rsn_ie_len >= 2 + 4 + 2 && rsn_ie[1] >= 4 + 2 &&
+		   rsn_ie[1] == rsn_ie_len - 2 &&
+		   (WPA_GET_BE32(&rsn_ie[2]) == RSNE_OVERRIDE_IE_VENDOR_TYPE) &&
+		   WPA_GET_LE16(&rsn_ie[2 + 4]) == RSN_VERSION) {
+		pos = rsn_ie + 2 + 4 + 2;
+		left = rsn_ie_len - 2 - 4 - 2;
+	} else {
+		const struct rsn_ie_hdr *hdr;
 
-	if (hdr->elem_id != WLAN_EID_RSN ||
-	    hdr->len != rsn_ie_len - 2 ||
-	    WPA_GET_LE16(hdr->version) != RSN_VERSION) {
-		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
-			   __func__);
-		return -2;
+		hdr = (const struct rsn_ie_hdr *) rsn_ie;
+
+		if (hdr->elem_id != WLAN_EID_RSN ||
+		    hdr->len != rsn_ie_len - 2 ||
+		    WPA_GET_LE16(hdr->version) != RSN_VERSION) {
+			wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
+				   __func__);
+			return -2;
+		}
+
+		pos = (const u8 *) (hdr + 1);
+		left = rsn_ie_len - sizeof(*hdr);
 	}
 
-	pos = (const u8 *) (hdr + 1);
-	left = rsn_ie_len - sizeof(*hdr);
-
 	if (left >= RSN_SELECTOR_LEN) {
 		data->group_cipher = rsn_selector_to_bitfield(pos);
 		pos += RSN_SELECTOR_LEN;
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c
index 19d760e95e..ff260dee9e 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa.c
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -2479,7 +2479,7 @@ int wpa_set_bss(uint8_t *macddr, uint8_t *bssid, uint8_t pairwise_cipher, uint8_
     int res = 0;
     struct wpa_sm *sm = &gWpaSm;
     bool use_pmk_cache = !esp_wifi_skip_supp_pmkcaching();
-    uint8_t assoc_ie[128];
+    uint8_t assoc_ie[128] = {0};
     uint16_t assoc_ie_len = sizeof(assoc_ie);
     bool reassoc_same_ess = false;
     int try_opportunistic = 0;
diff --git a/examples/wifi/getting_started/softAP/main/softap_example_main.c b/examples/wifi/getting_started/softAP/main/softap_example_main.c
index e9a9d03f45..c2bca87431 100644
--- a/examples/wifi/getting_started/softAP/main/softap_example_main.c
+++ b/examples/wifi/getting_started/softAP/main/softap_example_main.c
@@ -75,8 +75,6 @@ void wifi_init_softap(void)
 #ifdef CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT
             .authmode = WIFI_AUTH_WPA3_PSK,
             .sae_pwe_h2e = WPA3_SAE_PWE_BOTH,
-            .pairwise_cipher = WIFI_CIPHER_TYPE_GCMP256,
-            .sae_ext = 1,
 #else /* CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT */
             .authmode = WIFI_AUTH_WPA2_PSK,
 #endif