If FT over-the-DS case is enforced through the "FT_DS <BSSID>" control
interface command, the PMF capability check during BSS selection is not
used and that could have allowed PMF to be disabled in the over-the-DS
case even if the local network profile mandated use of PMF. Check
against this explicitly to avoid unexpected cases if the APs within the
same mobility domain are not configured consistently.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"RSN IE: %d", ret);
return -1;
}
+ parse->rsn_capab = data.capabilities;
if (data.num_pmkid == 1 && data.pmkid)
parse->rsn_pmkid = data.pmkid;
parse->key_mgmt = data.key_mgmt;
size_t r0kh_id_len;
const u8 *rsn;
size_t rsn_len;
+ u16 rsn_capab;
const u8 *rsn_pmkid;
const u8 *tie;
size_t tie_len;
return -1;
}
+#ifdef CONFIG_IEEE80211W
+ if (sm->mfp == 2 && !(parse.rsn_capab & WPA_CAPABILITY_MFPC)) {
+ wpa_printf(MSG_INFO,
+ "FT: Target AP does not support PMF, but local configuration requires that");
+ return -1;
+ }
+#endif /* CONFIG_IEEE80211W */
+
os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN);
wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN);