diff --git a/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch b/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch new file mode 100644 index 00000000000..88107746652 --- /dev/null +++ b/package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch @@ -0,0 +1,26 @@ +From 54e0de1a9ee81477e9dfb93985c1fbf105b3d1d4 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Wed, 10 Oct 2018 23:22:23 +0200 +Subject: SAE: Do not ignore option sae_require_mfp + +Without this patch sae_require_mfp is always activate, when ieee80211w +is set to optional all stations negotiating SAEs are being rejected when +they do not support PMF. With this patch hostapd only rejects these +stations in case sae_require_mfp is set to some value and not null. + +Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations") +Signed-off-by: Hauke Mehrtens +--- + src/ap/wpa_auth_ie.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/ap/wpa_auth_ie.c ++++ b/src/ap/wpa_auth_ie.c +@@ -721,6 +721,7 @@ int wpa_validate_wpa_ie(struct wpa_authe + + #ifdef CONFIG_SAE + if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL && ++ wpa_auth->conf.sae_require_mfp && + wpa_key_mgmt_sae(sm->wpa_key_mgmt) && + !(data.capabilities & WPA_CAPABILITY_MFPC)) { + wpa_printf(MSG_DEBUG,