SAE: Do not ignore option sae_require_mfp

Without this patch sae_require_mfp is always activate, when ieee80211w
is set to optional all stations negotiating SAEs are being rejected when
they do not support PMF. With this patch hostapd only rejects these
stations in case sae_require_mfp is set to some value and not null.

Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 421dd5a6fccc0ce38f5b95a5fd59cb278e70f010..253fe6e10134a5cb827dbdea7bbd4dba10ce48aa 100644 (file)
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -751,6 +751,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 
 #ifdef CONFIG_SAE
        if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
+           wpa_auth->conf.sae_require_mfp &&
            wpa_key_mgmt_sae(sm->wpa_key_mgmt) &&
            !(data.capabilities & WPA_CAPABILITY_MFPC)) {
                wpa_printf(MSG_DEBUG,