From: Rameshkumar Sundaram
Date: Thu, 20 Mar 2025 17:05:16 +0000 (+0530)
Subject: RSNO: Set STA MFP flag based on the RSN/override negotiation
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b94126468c3e37acb5147f6cd05f9da195ae5fd;p=thirdparty%2Fhostap.git

RSNO: Set STA MFP flag based on the RSN/override negotiation

Currently, while determining the management frame protection (MFP) setting for a STA, if any of ieee80211w/rsn_override_mfp/override_mfp_2 is set, it is assumed that the AP is MFP capable/required.

In case the AP has following configuration:
ieee80211w=0 rsn_override_mpf=1 rsn_override_mfp_2
and the station has set MFPC in its RSNE and not using RSNO, the AP determines this association to use MFP and sends IGTK to this station as well as sets the MFP flag for this STA in the driver. Since the STA is not using RSNO and has seen MFPC set to 0 in the RSNE of AP's beacon/probe it will consider the association as non-MFP. This results in drop of robust Management frame between the AP and the STA.

Fix this by determining AP MFP capability based on the station's RSN negotiation method (RSNE/RSNOE/RSNO2E) and set the STA MFP flag accordingly.

Fixes: 12f1edc9e94a ("RSNO: Generate IGTK if any of the RSN variants has PMF enabled")
Signed-off-by: Rameshkumar Sundaram
---
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index d56eeaa05..2e5f59ec1 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -832,6 +832,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, u32 selector; size_t i; const u8 *pmkid = NULL; + bool ap_pmf_enabled; if (wpa_auth == NULL || sm == NULL) return WPA_NOT_ENABLED; 
@@ -1114,8 +1115,16 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, wpa_auth->conf.ocv : 0); } #endif /* CONFIG_OCV */ + if (sm->rsn_override_2) + ap_pmf_enabled = conf->rsn_override_mfp_2 != + NO_MGMT_FRAME_PROTECTION; + else if (sm->rsn_override) + ap_pmf_enabled = conf->rsn_override_mfp != + NO_MGMT_FRAME_PROTECTION; + else + ap_pmf_enabled = conf->ieee80211w != NO_MGMT_FRAME_PROTECTION; - if (!wpa_auth_pmf_enabled(conf) || + if (!ap_pmf_enabled || !(data.capabilities & WPA_CAPABILITY_MFPC)) sm->mgmt_frame_prot = 0; else
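
Review bot: In the second hunk (@@ -1114,8 +1115,16 @@), the three-way choice between conf->rsn_override_mfp_2, conf->rsn_override_mfp and conf->ieee80211w is open-coded at the one place where sm->mgmt_frame_prot is set, with no comment explaining why wpa_auth_pmf_enabled(conf) is no longer the right test here. Consider moving the selection into a small helper that takes sm and conf, and adding a one-line comment that the decision must follow the element the STA actually negotiated with (RSNE, RSNOE or RSNO2E), so that any later per-STA check cannot drift back to the combined test. The commit message says the mismatched case also makes the AP send an IGTK to the station, while the visible change only affects sm->mgmt_frame_prot; please confirm that IGTK delivery is gated on that flag, and that no other check in wpa_validate_wpa_ie() still relies on wpa_auth_pmf_enabled(conf) for a per-STA decision. A test case for the configuration described in the commit message (STA with MFPC set in its RSNE and not using RSNO) would keep this from regressing.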