From 2ab09656ae53af3416765428df2bbba45fe1e60d Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 29 Nov 2016 16:15:31 +0200 Subject: [PATCH] AP: Do not drop STA entry if PMF is used with full AP client state This fixes a regression from commit bb598c3bdd0616f0c15e1a42e99591d8f3ff3323 ('AP: Add support for full station state'). That commit added code to remove and re-add the kernel STA entry when processing Authentication frames with a driver that advertises support for full AP client state. That resulted in bypassing PMF protections for unprotected Authentication frames with such drivers since the TK was lost in this operation. It is simplest to skip the STA entry clearing in this type of case completely to leave the TK in place and to process the new authentication exchange otherwise normally. This matches the behavior used with the drivers that do not implement full AP client state. Signed-off-by: Jouni Malinen --- src/ap/ieee802_11.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 0b3d2f2f2..3e65fd3b7 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1580,8 +1580,15 @@ static void handle_auth(struct hostapd_data *hapd, * * In mesh mode, the station was already added to the driver when the * NEW_PEER_CANDIDATE event is received. + * + * If PMF was negotiated for the existing association, skip this to + * avoid dropping the STA entry and the associated keys. This is needed + * to allow the original connection work until the attempt can complete + * (re)association, so that unprotected Authentication frame cannot be + * used to bypass PMF protection. */ if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && + (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && !(hapd->conf->mesh & MESH_ENABLED) && !(sta->added_unassoc)) { /*