path: root/src/ap
diff options
authorJouni Malinen <jouni@qca.qualcomm.com>2016-11-29 14:15:31 (GMT)
committerJouni Malinen <j@w1.fi>2016-11-29 14:26:00 (GMT)
commit2ab09656ae53af3416765428df2bbba45fe1e60d (patch)
tree289db6d18c12ee24424f2459c735a4a1eb11115a /src/ap
parentc85fcff2b16967951eab1351e78860e1445e44f2 (diff)
AP: Do not drop STA entry if PMF is used with full AP client state
This fixes a regression from commit bb598c3bdd0616f0c15e1a42e99591d8f3ff3323 ('AP: Add support for full station state'). That commit added code to remove and re-add the kernel STA entry when processing Authentication frames with a driver that advertises support for full AP client state. That resulted in bypassing PMF protections for unprotected Authentication frames with such drivers since the TK was lost in this operation. It is simplest to skip the STA entry clearing in this type of case completely to leave the TK in place and to process the new authentication exchange otherwise normally. This matches the behavior used with the drivers that do not implement full AP client state. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'src/ap')
1 files changed, 7 insertions, 0 deletions
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0b3d2f2..3e65fd3 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1580,8 +1580,15 @@ static void handle_auth(struct hostapd_data *hapd,
* In mesh mode, the station was already added to the driver when the
* NEW_PEER_CANDIDATE event is received.
+ *
+ * If PMF was negotiated for the existing association, skip this to
+ * avoid dropping the STA entry and the associated keys. This is needed
+ * to allow the original connection work until the attempt can complete
+ * (re)association, so that unprotected Authentication frame cannot be
+ * used to bypass PMF protection.
if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
+ (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
!(hapd->conf->mesh & MESH_ENABLED) &&
!(sta->added_unassoc)) {