HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing

The previous implementation did not check that we are associated with
the sender of the GAS response before checking for PMF status. This
could have accepted Venue URL when not in associated state. Fix this by
explicitly checking for association with the responder first.

This fixes an issue that was detected, e.g., with these hwsim test case
sequences:
gas_anqp_venue_url_pmf gas_anqp_venue_url
gas_prot_vs_not_prot gas_anqp_venue_url

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

wpa_supplicant/gas_query.c

@@ -272,7 +272,7 @@ static void gas_query_tx_status(struct wpa_supplicant *wpa_s,
 }
 
 
-static int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr)
+int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr)
 {
 	if (wpa_s->current_ssid == NULL ||
 	    wpa_s->wpa_state < WPA_4WAY_HANDSHAKE ||

wpa_supplicant/gas_query.h

@@ -19,6 +19,7 @@ void gas_query_deinit(struct gas_query *gas);
 int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
 		 const u8 *bssid, u8 categ, const u8 *data, size_t len,
 		 int freq);
+int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr);
 
 /**
  * enum gas_query_result - GAS query result

wpa_supplicant/interworking.c

@@ -2983,7 +2983,7 @@ static void interworking_parse_rx_anqp_resp(struct wpa_supplicant *wpa_s,
 			MAC2STR(sa));
 		anqp_add_extra(wpa_s, anqp, info_id, pos, slen);
 
-		if (!wpa_sm_pmf_enabled(wpa_s->wpa)) {
+		if (!pmf_in_use(wpa_s, sa)) {
 			wpa_printf(MSG_DEBUG,
 				   "ANQP: Ignore Venue URL since PMF was not enabled");
 			break;