MFP: Require MFP is it is enabled and AP scan shows support for it

When using ap_scan=1, we know before the association request that MFP
will be supported, so we can as well require it. This helps mac80211 in
configuring whether to enable MFP.

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index a5a7765..0fb70c3 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1122,6 +1122,18 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
                params.mgmt_frame_protection = MGMT_FRAME_PROTECTION_REQUIRED;
                break;
        }
+       if (ssid->ieee80211w != NO_IEEE80211W && bss) {
+               const u8 *rsn = wpa_scan_get_ie(bss, WLAN_EID_RSN);
+               struct wpa_ie_data ie;
+               if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ie) == 0 &&
+                   ie.capabilities &
+                   (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
+                       wpa_printf(MSG_DEBUG, "WPA: Selected AP supports MFP: "
+                                  "require MFP");
+                       params.mgmt_frame_protection =
+                               MGMT_FRAME_PROTECTION_REQUIRED;
+               }
+       }
 #endif /* CONFIG_IEEE80211W */
 
        if (wpa_s->use_client_mlme)