[PATCH] Avoid PMF negotiation for networks if the driver does not support PMF

Jeffery Miller jefferymiller at google.com
Fri Jul 16 08:45:21 PDT 2021


Networks configured with ieee80211w=1 will fail to connect
to a PMF-enabled AP during negotiation if the driver does
not support PMF.
Extend the existing global driver PMF capability check to
also apply when the network-specific ieee80211w configuration
value is set to optional.
This allows networks configured with PMF as optional to
make use of this existing driver check.

Signed-off-by: Jeffery Miller <jefferymiller at google.com>
---
 wpa_supplicant/wpa_supplicant.c | 50 +++++++++++++++++----------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 0d9b9caa5..75778a75e 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -7718,34 +7718,36 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
 
 int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
 {
-	if (ssid == NULL || ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT) {
-		if (wpa_s->conf->pmf == MGMT_FRAME_PROTECTION_OPTIONAL &&
-		    !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) {
-			/*
-			 * Driver does not support BIP -- ignore pmf=1 default
-			 * since the connection with PMF would fail and the
-			 * configuration does not require PMF to be enabled.
-			 */
-			return NO_MGMT_FRAME_PROTECTION;
-		}
+	int pmf;
 
-		if (ssid &&
-		    (ssid->key_mgmt &
-		     ~(WPA_KEY_MGMT_NONE | WPA_KEY_MGMT_WPS |
-		       WPA_KEY_MGMT_IEEE8021X_NO_WPA)) == 0) {
-			/*
-			 * Do not use the default PMF value for non-RSN networks
-			 * since PMF is available only with RSN and pmf=2
-			 * configuration would otherwise prevent connections to
-			 * all open networks.
-			 */
-			return NO_MGMT_FRAME_PROTECTION;
-		}
+	if (ssid && ssid->ieee80211w != MGMT_FRAME_PROTECTION_DEFAULT)
+		pmf = ssid->ieee80211w;
+	else
+		pmf = wpa_s->conf->pmf;
 
-		return wpa_s->conf->pmf;
+	if (pmf == MGMT_FRAME_PROTECTION_OPTIONAL &&
+		!(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) {
+		/*
+		 * Driver does not support BIP -- ignore pmf=1 default
+		 * since the connection with PMF would fail and the
+		 * configuration does not require PMF to be enabled.
+		 */
+		return NO_MGMT_FRAME_PROTECTION;
 	}
 
-	return ssid->ieee80211w;
+	if (ssid && ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT &&
+	    (ssid->key_mgmt &
+	     ~(WPA_KEY_MGMT_NONE | WPA_KEY_MGMT_WPS |
+	       WPA_KEY_MGMT_IEEE8021X_NO_WPA)) == 0) {
+		/*
+		 * Do not use the default PMF value for non-RSN networks
+		 * since PMF is available only with RSN and pmf=2
+		 * configuration would otherwise prevent connections to
+		 * all open networks.
+		 */
+		return NO_MGMT_FRAME_PROTECTION;
+	}
+	return pmf;
 }
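Review bot: The comment kept inside the BIP check still reads "ignore pmf=1 default", but the branch now also fires for a network-specific `ieee80211w=1`, so it should say something like `Driver does not support BIP -- ignore optional PMF (global pmf=1 or per-network ieee80211w=1)`. This path now drops management frame protection for a profile that explicitly asked for it, and nothing in the hunk reports that. A debug line before the return, for example `wpa_dbg(wpa_s, MSG_DEBUG, "PMF optional but driver lacks BIP - not using PMF");`, would make the fallback visible to anyone auditing why a connection came up unprotected. On style, the continuation line `!(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) {` is indented with two tabs instead of being aligned under the condition as the `ssid->key_mgmt` test below is, and `return pmf;` would read better with a blank line before it.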
 
 
-- 
2.32.0.93.g670b81a890-goog



