From patchwork Wed Oct 10 21:43:07 2018
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 982303
From: Hauke Mehrtens
To: hostap@lists.infradead.org
Subject: [PATCH] SAE: Do not ignore option sae_require_mfp
Date: Wed, 10 Oct 2018 23:43:07 +0200
Message-Id: <20181010214307.27605-1-hauke@hauke-m.de>
Cc: Hauke Mehrtens

Without this patch sae_require_mfp is always activated; when ieee80211w is set to optional, all stations negotiating SAEs are being rejected when they do not support PMF. With this patch hostapd only rejects these stations in case sae_require_mfp is set to some value and not null.

Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")

Signed-off-by: Hauke Mehrtens
--- src/ap/wpa_auth_ie.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 421dd5a6f..253fe6e10 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -751,6 +751,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_SAE if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL && + wpa_auth->conf.sae_require_mfp && wpa_key_mgmt_sae(sm->wpa_key_mgmt) && !(data.capabilities & WPA_CAPABILITY_MFPC)) { wpa_printf(MSG_DEBUG,
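Review bot: The added `wpa_auth->conf.sae_require_mfp &&` term in the CONFIG_SAE check of wpa_validate_wpa_ie() is a security-relevant behaviour change that the commit message and documentation should spell out. Before this line, an AP with ieee80211w set to MGMT_FRAME_PROTECTION_OPTIONAL rejected every SAE station that did not advertise WPA_CAPABILITY_MFPC. After it, the same AP admits those stations without PMF whenever sae_require_mfp evaluates to zero. Operators who relied on the old rejection need to know they must now set the option explicitly, so please say so in the commit message and in the sae_require_mfp description in the configuration documentation. The test is a plain truthiness check on the field, so "set to some value and not null" in the message would be clearer as "non-zero". The diffstat shows a single insertion and no test change. A test case covering an SAE station without MFPC against ieee80211w optional, once with sae_require_mfp set and once unset, would keep this condition from regressing again.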