SAE: Do not ignore option sae_require_mfp

Message ID 20181010214307.27605-1-hauke@hauke-m.de
State Accepted
Headers show
Series
  • SAE: Do not ignore option sae_require_mfp
Related show

Commit Message

Hauke Mehrtens Oct. 10, 2018, 9:43 p.m.
Without this patch sae_require_mfp is always activate, when ieee80211w
is set to optional all stations negotiating SAEs are being rejected when
they do not support PMF. With this patch hostapd only rejects these
stations in case sae_require_mfp is set to some value and not null.

Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
 src/ap/wpa_auth_ie.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Jouni Malinen Oct. 14, 2018, 7:59 p.m. | #1
On Wed, Oct 10, 2018 at 11:43:07PM +0200, Hauke Mehrtens wrote:
> Without this patch sae_require_mfp is always activate, when ieee80211w
> is set to optional all stations negotiating SAEs are being rejected when
> they do not support PMF. With this patch hostapd only rejects these
> stations in case sae_require_mfp is set to some value and not null.

Thanks, applied.

Patch

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 421dd5a6f..253fe6e10 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -751,6 +751,7 @@  int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 
 #ifdef CONFIG_SAE
 	if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
+	    wpa_auth->conf.sae_require_mfp &&
 	    wpa_key_mgmt_sae(sm->wpa_key_mgmt) &&
 	    !(data.capabilities & WPA_CAPABILITY_MFPC)) {
 		wpa_printf(MSG_DEBUG,