FT: Do not discard EAPOL-Start frame during initial MD association

Commit c97168f58ae9 ("FT: Discard EAPOL-Start frames when FT was used
for association") started discard EAPOL-Start frames in all cases where
FT is used, including the initial MD association. The exact IEEE 802.11
standard language requiring the STA to perform a new FT initial MD
association when its Supplicant triggers sending of an EAPOL-Start frame
has a condition on this being "after a successful initial mobility
domain association domain", so this would not really apply during the
initial MD association itself.

Relax the conditions on processing EAPOL-Start frames so that they are
still processed during the FT initial mobility domain association, but
are then discarded after that succeeds (i.e., during rest of that
association and any future association started using FT protocol).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index e5dc7cb49e9fb3d6e816afcbe18c1c8a3e505deb..95ae24d80388ec4f0ff71d06772a4dd454171501 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1250,8 +1250,10 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
                               HOSTAPD_LEVEL_DEBUG,
                               "received EAPOL-Start from STA");
 #ifdef CONFIG_IEEE80211R_AP
-               if (hapd->conf->wpa && sta->wpa_sm &&
-                   (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) ||
+               if (hapd->conf->wpa &&
+                   wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && sta->wpa_sm &&
+                   ((wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) &&
+                     (sta->flags & WLAN_STA_AUTHORIZED)) ||
                     sta->auth_alg == WLAN_AUTH_FT)) {
                        /* When FT is used, reauthentication to generate a new
                         * PMK-R0 would be complicated since the current AP