AP: Do not drop STA entry if PMF is used with full AP client state

This fixes a regression from commit
bb598c3bdd0616f0c15e1a42e99591d8f3ff3323 ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.

It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0b3d2f2f2ffd2a744e24dbf162c920863bc625ca..3e65fd3b7263b4fc542e7a247b2f26b0da2043d1 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1580,8 +1580,15 @@ static void handle_auth(struct hostapd_data *hapd,
         *
         * In mesh mode, the station was already added to the driver when the
         * NEW_PEER_CANDIDATE event is received.
+        *
+        * If PMF was negotiated for the existing association, skip this to
+        * avoid dropping the STA entry and the associated keys. This is needed
+        * to allow the original connection work until the attempt can complete
+        * (re)association, so that unprotected Authentication frame cannot be
+        * used to bypass PMF protection.
         */
        if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
+           (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
            !(hapd->conf->mesh & MESH_ENABLED) &&
            !(sta->added_unassoc)) {
                /*