MBO: Mandate use of PMF for WPA2+MBO association (AP)
authorJouni Malinen <jouni@qca.qualcomm.com>
Mon, 22 Feb 2016 14:39:24 +0000 (16:39 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 22 Feb 2016 17:53:05 +0000 (19:53 +0200)
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/ap_config.c
src/ap/drv_callbacks.c
src/ap/ieee802_11.c

index 458faa4b8e31d01b6afc9b497095406f85bb0d69..477ea5bb27f8df8068d3bef5096f81a15c36f020 100644 (file)
@@ -881,6 +881,15 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
        }
 #endif /* CONFIG_HS20 */
 
+#ifdef CONFIG_MBO
+       if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
+           bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
+               wpa_printf(MSG_ERROR,
+                          "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
+               return -1;
+       }
+#endif /* CONFIG_MBO */
+
        return 0;
 }
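Review bot: The `(bss->wpa & 2)` test in the added CONFIG_MBO block relies on the reader knowing that bit 1 selects WPA2/RSN; `(bss->wpa & WPA_PROTO_RSN)`, or a short comment such as `/* bit 1 = WPA2 (RSN) */`, would make the intent explicit. The error text also does not name the setting an operator has to change, so consider `"MBO: PMF needs to be enabled whenever using WPA2 with MBO (set ieee80211w=1 or 2)"`. The check runs only when `full_config` is set, so it is worth confirming that partial-config callers cannot leave a BSS running with MBO and WPA2 but no PMF. hostapd_config_check_bss starts outside the hunk.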
 
index db18f29747060e3868e6265c52e6cfc767d6ecca..702ee647964f9766321a438335791232336c4b1f 100644 (file)
@@ -350,6 +350,17 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                        return WLAN_STATUS_INVALID_IE;
 #endif /* CONFIG_HS20 */
        }
+
+#ifdef CONFIG_MBO
+       if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
+           elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
+           hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+               wpa_printf(MSG_INFO,
+                          "MBO: Reject WPA2 association without PMF");
+               return WLAN_STATUS_UNSPECIFIED_FAILURE;
+       }
+#endif /* CONFIG_MBO */
+
 #ifdef CONFIG_WPS
 skip_wpa_check:
 #endif /* CONFIG_WPS */
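Review bot: The rejection is gated on `sta->cell_capa`, so a station that sends an MBO element but reports no cellular data capability appears to be admitted without PMF, which is narrower than the commit message's "an MBO STA is required to negotiate use of PMF". If that narrowing is intended, it should be documented at the check, e.g. `/* PMF is required only from MBO STAs that report cellular data capability */`; the same condition is repeated in the check_assoc_ies hunk in src/ap/ieee802_11.c. This hunk does not show where `sta->cell_capa` is set on the driver-callback path, so confirm it is populated before this test is reached. hostapd_notif_assoc starts and ends outside the hunk.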
index 3ac225deb6a4bece56a41e0d866439779bb6a23e..685ac9bedfce882a2bc21d5ce5e56a23bfa7986d 100644 (file)
@@ -1714,8 +1714,18 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                sta->mb_ies = NULL;
 #endif /* CONFIG_FST */
 
+#ifdef CONFIG_MBO
        mbo_ap_check_sta_assoc(hapd, sta, &elems);
 
+       if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
+           elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
+           hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+               wpa_printf(MSG_INFO,
+                          "MBO: Reject WPA2 association without PMF");
+               return WLAN_STATUS_UNSPECIFIED_FAILURE;
+       }
+#endif /* CONFIG_MBO */
+
        return WLAN_STATUS_SUCCESS;
 }
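Review bot: The rejection is logged without the station address, so the MSG_INFO line cannot be tied to a specific client when reviewing why associations fail; `wpa_printf(MSG_INFO, "MBO: Reject WPA2 association without PMF from " MACSTR, MAC2STR(sta->addr));` would fix that. The five-term condition is also a verbatim copy of the one added to hostapd_notif_assoc, so a small shared helper would keep the two association paths from drifting apart if the policy changes. check_assoc_ies starts outside the hunk.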