SAE: Do not drop STA entry on reauthentication in infrastructure BSS

A new SAE Commit message should not be allowed to drop an existing STA
entry since the sender of that Commit message cannot be authenticated
before receiving the Confirm message. This is important in particular
when PMF is used since this would provide a potential new path for
forcing a connection to be dropped.

Fix this by allowing a new SAE Authentication instance to be started
when the old instance is in Accepted state and the new Commit message
does not use the same peer-scalar value (checked in
sae_parse_commit_scalar()). When PMF is used, the AP will use SA Query
procedure when receiving the (Re)Association Request frame. In theory,
that step could be skipped in case of SAE Authentication since the
non-AP STA is demonstrating knowledge of the password. Anyway, there is
no allowance for that exception in the IEEE 802.11 standard, so at least
for now, leave this using SA Query procedure just like any other PMF
case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/ap/ieee802_11.c

@@ -753,12 +753,24 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 		}
 		break;
 	case SAE_ACCEPTED:
-		if (auth_transaction == 1) {
+		if (auth_transaction == 1 &&
+		    (hapd->conf->mesh & MESH_ENABLED)) {
 			wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
 				   ") doing reauthentication",
 				   MAC2STR(sta->addr));
 			ap_free_sta(hapd, sta);
 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
+		} else if (auth_transaction == 1) {
+			wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
+			ret = auth_sae_send_commit(hapd, sta, bssid, 1);
+			if (ret)
+				return ret;
+			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
+
+			if (sae_process_commit(sta->sae) < 0)
+				return WLAN_STATUS_UNSPECIFIED_FAILURE;
+			sta->sae->sync = 0;
+			sae_set_retransmit_timer(hapd, sta);
 		} else {
 			if (sae_check_big_sync(hapd, sta))
 				return WLAN_STATUS_SUCCESS;