hostapd: SAE: Do not ignore option sae_require_mfp

This patch was send for integration into the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

1 files changed, 26 insertions, 0 deletions

diff --git a/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch b/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch
new file mode 100644
index 0000000000..8810774665
--- /dev/null
+++ b/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch
@@ -0,0 +1,26 @@
+From 54e0de1a9ee81477e9dfb93985c1fbf105b3d1d4 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Wed, 10 Oct 2018 23:22:23 +0200
+Subject: SAE: Do not ignore option sae_require_mfp
+
+Without this patch sae_require_mfp is always activate, when ieee80211w
+is set to optional all stations negotiating SAEs are being rejected when
+they do not support PMF. With this patch hostapd only rejects these
+stations in case sae_require_mfp is set to some value and not null.
+
+Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ src/ap/wpa_auth_ie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/ap/wpa_auth_ie.c
++++ b/src/ap/wpa_auth_ie.c
+@@ -721,6 +721,7 @@ int wpa_validate_wpa_ie(struct wpa_authe
+ 
+ #ifdef CONFIG_SAE
+ 	if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
++	    wpa_auth->conf.sae_require_mfp &&
+ 	    wpa_key_mgmt_sae(sm->wpa_key_mgmt) &&
+ 	    !(data.capabilities & WPA_CAPABILITY_MFPC)) {
+ 		wpa_printf(MSG_DEBUG,