SAE: Fix potential infinite loop in mismatching PMK case on AP
authorJouni Malinen <jouni@codeaurora.org>
Fri, 2 Mar 2018 10:13:16 +0000 (12:13 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 2 Mar 2018 19:27:18 +0000 (21:27 +0200)
Commit e61fea6b467bec0702096c795b06195584d32a6c ('SAE: Fix PMKSA caching
behavior in AP mode') modified the PSK fetching loop to not override PMK
in case of SAE with PMKSA caching. However, that commit missed the error
path cases where there is need to break from the loop with exact
negative of the check in the beginning of the loop. This could result in
hitting an infinite loop in hostapd if a station derived a different PMK
value from otherwise successfully completed SAE authentication or if a
STA used a different PMK with a PMKSA caching attempt after a previously
completed successful authentication.

Fix this by adding the matching break condition on SAE AKM within the
loops.

Fixes: e61fea6b467b ("SAE: Fix PMKSA caching behavior in AP mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/ap/wpa_auth.c

index ccb21fe4cccdc57a2c9d6ceaac8f8d072b1a663e..9b287af9efd3fa9d6a3e90b5ea83905715c87e03 100644 (file)
@@ -881,7 +881,8 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
                        break;
                }
 
-               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
+               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
+                   wpa_key_mgmt_sae(sm->wpa_key_mgmt))
                        break;
        }
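Review bot: The break condition at the bottom of the loop in wpa_try_alt_snonce has to remain the exact negation of the check at the loop head, but nothing in the code records that coupling; the same two lines are repeated in the SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) hunk. The loop head is outside both hunks, so this cannot be checked against it here, but the commit message attributes the hang to exactly this kind of drift after e61fea6b467b changed only the head. A comment on each break would make the invariant visible to the next editor, for example `/* Must be the exact negation of the PSK-iteration check at the top of this loop; otherwise a MIC mismatch never terminates. */`. Since a station that presents a mismatching PMK can apparently reach this path, it may also be worth putting the predicate in one small static helper used by both the head and the exit, so the two cannot diverge again.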
 
@@ -2680,7 +2681,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                }
 #endif /* CONFIG_FILS */
 
-               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
+               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
+                   wpa_key_mgmt_sae(sm->wpa_key_mgmt))
                        break;
        }