From ae05b6a215efbb89a4898cd361d75cf4f1cb1d37 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 16 Aug 2019 13:48:16 +0300
Subject: [PATCH] RSN: Do not allow connection to proceed without MFPC=1 if PMF required

PMF capability check is done as part of BSS selection routines, but those are not used when going through the enforced roaming operation ("ROAM " control interface command). While that mechanism is mainly for testing purposes, extend it to do the same check for PMF to prevent cases where forced roaming could end up disabling PMF against the local profile requirement.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wpa_supplicant.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 21ef6fad1..d536be0a6 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1529,6 +1529,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_GROUP, wpa_s->group_cipher);
 #ifdef CONFIG_IEEE80211W
+ if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
+ wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED) {
+ wpa_msg(wpa_s, MSG_INFO,
+ "RSN: Management frame protection required but the selected AP does not enable it");
+ return -1;
+ }
+
 sel = ie.mgmt_group_cipher;
 if (ssid->group_mgmt_cipher)
 sel &= ssid->group_mgmt_cipher;
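Review bot: The added MFPC check under `#ifdef CONFIG_IEEE80211W` has no comment explaining why it repeats a test that BSS selection already performs, so the reason is recorded only in the commit message. A short comment above the `if` would keep a later cleanup from removing it as redundant, for example `/* BSS selection is bypassed by the ROAM command, so enforce the profile's PMF requirement here as well */`. The check also relies on `ie.capabilities`, and how `ie` is filled is outside this hunk. If any path builds `ie` from the profile instead of from the selected AP's RSNE, the MFPC bit would presumably be clear and a PMF-required profile would be refused here, so that is worth confirming. The body of wpa_supplicant_set_suites() starts before and continues after the hunk.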