MBO: Mandate use of PMF for WPA2+MBO association (STA)

If WPA2 is used, MBO AP must enable PMF. Refuse to select a BSS that has
MBO and WPA2 enabled without PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 3c3b559..318aad7 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -574,6 +574,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                                "   skip RSN IE - no mgmt frame protection enabled but AP requires it");
                        break;
                }
+#ifdef CONFIG_MBO
+               if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
+                   wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_AP_CAPA_IND) &&
+                   wpas_get_ssid_pmf(wpa_s, ssid) !=
+                   NO_MGMT_FRAME_PROTECTION) {
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "   skip RSN IE - no mgmt frame protection enabled on MBO AP");
+                       break;
+               }
+#endif /* CONFIG_MBO */
 
                wpa_dbg(wpa_s, MSG_DEBUG, "   selected based on RSN IE");
                return 1;