OCE: Mandate PMF for WPA2 association with OCE AP

An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 89c9452f7a7021f63f49a5ad1cbd7f0a722b1a9a..7ba4345b642bdd2cefc6e7362eadad49ddc96212 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -540,6 +540,9 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
        const u8 *rsn_ie, *wpa_ie;
        int ret;
        int wep_ok;
+#ifdef CONFIG_MBO
+       const u8 *oce_capa_attr;
+#endif /* CONFIG_MBO */
 
        ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
        if (ret >= 0)
@@ -631,13 +634,17 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                        break;
                }
 #ifdef CONFIG_MBO
+               oce_capa_attr = wpas_mbo_get_bss_attr(bss,
+                                                     OCE_ATTR_ID_CAPA_IND);
                if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
-                   wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_AP_CAPA_IND) &&
+                   (wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_AP_CAPA_IND) ||
+                    (oce_capa_attr && oce_capa_attr[1] >= 1 &&
+                     !(oce_capa_attr[2] & OCE_IS_STA_CFON))) &&
                    wpas_get_ssid_pmf(wpa_s, ssid) !=
                    NO_MGMT_FRAME_PROTECTION) {
                        if (debug_print)
                                wpa_dbg(wpa_s, MSG_DEBUG,
-                                       "   skip RSN IE - no mgmt frame protection enabled on MBO AP");
+                                       "   skip RSN IE - no mgmt frame protection enabled on MBO/OCE AP");
                        break;
                }
 #endif /* CONFIG_MBO */