From: Jouni Malinen Date: Fri, 8 Nov 2019 22:33:58 +0000 (+0200) Subject: Fix status code in SAE/DPP association PMKID mismatch (driver-AP-SME) X-Git-Tag: hostap_2_10~2221 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93ba13bcfdb4f7aaf4019f76457055209a8a3c89;p=thirdparty%2Fhostap.git Fix status code in SAE/DPP association PMKID mismatch (driver-AP-SME) wpa_validate_wpa_ie() was already extended to cover these cases with WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have code for mapping this into the appropriate status code (STATUS_INVALID_PMKID) and ended up using the default (WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases returning incorrect status code when the AP did not have a matching PMKSA cache entry. This could result in unexpected station behavior where the station could continue trying to use a PMKSA cache entry that the AP does not have and not being able to recover this. Fix this by adding the previously missed mapping of validation errors to status/reason codes. Fixes: 567da5bbd027 ("DPP: Add new AKM") Fixes: 458d8984de1d ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)") Signed-off-by: Jouni Malinen --- diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 3198bd563..e5ce76d11 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -344,6 +344,9 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, } else if (res == WPA_INVALID_MGMT_GROUP_CIPHER) { reason = WLAN_REASON_CIPHER_SUITE_REJECTED; status = WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; + } else if (res == WPA_INVALID_PMKID) { + reason = WLAN_REASON_INVALID_PMKID; + status = WLAN_STATUS_INVALID_PMKID; } else { reason = WLAN_REASON_INVALID_IE; status = WLAN_STATUS_INVALID_IE;