HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network

Even though the station is not supposed to include Hotspot 2.0
Indication element in the Association Request frame when connecting to
the open OSU BSS, some station devices seem to do so. With the strict
PMF-required-with-Hotspot-2.0-R2 interpretation, such connection
attempts were rejected. Relax this to only perform the PMF check if the
local AP configuration has PMF enabled, i.e., for the production BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index c85a28db44b7e2ffe8a1a21b5477572ab32bc255..dc3c61ff79d550ea72eba8834d0796a9a7cf4ca9 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3243,7 +3243,8 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
                                                 elems.hs20_len - 4);
                release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
-               if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) {
+               if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
+                   hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
                        wpa_printf(MSG_DEBUG,
                                   "HS 2.0: PMF not negotiated by release %d station "
                                   MACSTR, release, MAC2STR(sta->addr));