From 8601b50312ea816f950b6418a21e67ca11f5d360 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 19 Aug 2012 12:39:39 +0300 Subject: [PATCH] Interworking: Enforce WPA2-Enterprise/CCMP Since we currently support only HS 2.0 networks with Interworking network selection, enforce that WPA2-Enterprise/CCMP is used on the AP instead of allowing any WPA-Enterprise combination. Signed-hostap: Jouni Malinen --- wpa_supplicant/interworking.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c index cdb7fbc10..71564c1fd 100644 --- a/wpa_supplicant/interworking.c +++ b/wpa_supplicant/interworking.c @@ -624,6 +624,18 @@ static int set_root_nai(struct wpa_ssid *ssid, const char *imsi, char prefix) #endif /* INTERWORKING_3GPP */ +static int interworking_set_hs20_params(struct wpa_ssid *ssid) +{ + if (wpa_config_set(ssid, "key_mgmt", "WPA-EAP", 0) < 0) + return -1; + if (wpa_config_set(ssid, "proto", "RSN", 0) < 0) + return -1; + if (wpa_config_set(ssid, "pairwise", "CCMP", 0) < 0) + return -1; + return 0; +} + + static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s, struct wpa_bss *bss) { @@ -689,7 +701,7 @@ static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s, os_memcpy(ssid->ssid, ie + 2, ie[1]); ssid->ssid_len = ie[1]; - if (wpa_config_set(ssid, "key_mgmt", "WPA-EAP", 0) < 0) + if (interworking_set_hs20_params(ssid) < 0) goto fail; /* TODO: figure out whether to use EAP-SIM, EAP-AKA, or EAP-AKA' */ @@ -956,7 +968,7 @@ static int interworking_connect_roaming_consortium( os_memcpy(ssid->ssid, ssid_ie + 2, ssid_ie[1]); ssid->ssid_len = ssid_ie[1]; - if (wpa_config_set(ssid, "key_mgmt", "WPA-EAP", 0) < 0) + if (interworking_set_hs20_params(ssid) < 0) goto fail; if (cred->eap_method == NULL) { 
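Review bot: `interworking_set_hs20_params()` pins `key_mgmt`, `proto` and `pairwise` but leaves the group cipher at the network-block default, which this hunk does not show. If that default still admits TKIP, an RSN AP in mixed mode (CCMP pairwise, TKIP group) would satisfy the generated profile even though the commit message describes CCMP enforcement. Consider adding `if (wpa_config_set(ssid, "group", "CCMP", 0) < 0) return -1;`, or a comment saying that a weaker group cipher is accepted on purpose for interoperability. The helper would also read better with a short header comment such as `/* Restrict the generated network block to WPA2-Enterprise: RSN with CCMP pairwise */`.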
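Review bot: The new call in `interworking_connect_3gpp()`, and the identical replacements in `interworking_connect_roaming_consortium()` and `interworking_connect()`, constrains only the profile being built; none of the three hunks checks that `bss` itself advertises RSN with CCMP. Unless the selection code outside these hunks already filters on that, a WPA-only or TKIP-only AP would presumably still be chosen and the mismatch would only surface later as an association that never completes. If the check belongs elsewhere, a comment at each call site would record the assumption, e.g. `/* bss is not checked for RSN/CCMP here; a non-matching AP is rejected at association time */`. All three enclosing functions start and end outside their hunks, so the `fail` path could not be reviewed.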
@@ -1059,7 +1071,7 @@ int interworking_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss) os_memcpy(ssid->ssid, ie + 2, ie[1]); ssid->ssid_len = ie[1]; - if (wpa_config_set(ssid, "key_mgmt", "WPA-EAP", 0) < 0) + if (interworking_set_hs20_params(ssid) < 0) goto fail; if (wpa_config_set(ssid, "eap", eap_get_name(EAP_VENDOR_IETF,