wpa_validate_wpa_ie() was already extended to cover these cases with
WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have
code for mapping this into the appropriate status code
(STATUS_INVALID_PMKID) and ended up using the default
(WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases
returning incorrect status code when the AP did not have a matching
PMKSA cache entry. This could result in unexpected station behavior
where the station could continue trying to use a PMKSA cache entry that
the AP does not have and not being able to recover this.
Fix this by adding the previously missed mapping of validation errors to
status/reason codes.
Fixes: 567da5bbd027 ("DPP: Add new AKM")
Fixes: 458d8984de1d ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
} else if (res == WPA_INVALID_MGMT_GROUP_CIPHER) {
reason = WLAN_REASON_CIPHER_SUITE_REJECTED;
status = WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
+ } else if (res == WPA_INVALID_PMKID) {
+ reason = WLAN_REASON_INVALID_PMKID;
+ status = WLAN_STATUS_INVALID_PMKID;
} else {
reason = WLAN_REASON_INVALID_IE;
status = WLAN_STATUS_INVALID_IE;