Currently, while determining the management frame protection (MFP)
setting for a STA, if any of ieee80211w/rsn_override_mfp/override_mfp_2
is set, it is assumed that the AP is MFP capable/required.
In case the AP has following configuration:
ieee80211w=0
rsn_override_mpf=1
rsn_override_mfp_2
and the station has set MFPC in its RSNE and not using RSNO, the AP
determines this association to use MFP and sends IGTK to this station as
well as sets the MFP flag for this STA in the driver.
Since the STA is not using RSNO and has seen MFPC set to 0 in the RSNE
of AP's beacon/probe it will consider the association as non-MFP. This
results in drop of robust Management frame between the AP and the STA.
Fix this by determining AP MFP capability based on the station's RSN
negotiation method (RSNE/RSNOE/RSNO2E) and set the STA MFP flag
accordingly.
Fixes: 12f1edc9e94a ("RSNO: Generate IGTK if any of the RSN variants has PMF enabled")
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
u32 selector;
size_t i;
const u8 *pmkid = NULL;
+ bool ap_pmf_enabled;
if (wpa_auth == NULL || sm == NULL)
return WPA_NOT_ENABLED;
wpa_auth->conf.ocv : 0);
}
#endif /* CONFIG_OCV */
+ if (sm->rsn_override_2)
+ ap_pmf_enabled = conf->rsn_override_mfp_2 !=
+ NO_MGMT_FRAME_PROTECTION;
+ else if (sm->rsn_override)
+ ap_pmf_enabled = conf->rsn_override_mfp !=
+ NO_MGMT_FRAME_PROTECTION;
+ else
+ ap_pmf_enabled = conf->ieee80211w != NO_MGMT_FRAME_PROTECTION;
- if (!wpa_auth_pmf_enabled(conf) ||
+ if (!ap_pmf_enabled ||
!(data.capabilities & WPA_CAPABILITY_MFPC))
sm->mgmt_frame_prot = 0;
else
projects / thirdparty / hostap.git / commitdiff
