[RFC] hostapd: MFP: Handle auth request from an associated station
Peer, Ilan
ilan.peer at intel.com
Wed Nov 30 07:14:26 PST 2016
> is not really doing that nicely. This is adding yet another copy of
> authentication frame processing and would indeed need a lot more
> duplicated code to handle FT, SAE, and FILS authentication algorithms.
>
> It looks much simpler to fix the regression in the full state
> commit mentioned above with the following change to leave a single
> authentication frame processing implementation in use for both cases:
>
> diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
> @@ -1580,8 +1580,15 @@ static void handle_auth(struct hostapd_data *hapd,
> *
> * In mesh mode, the station was already added to the driver when the
> * NEW_PEER_CANDIDATE event is received.
> + *
> + * If PMF was negotiated for the existing association, skip this to
> + * avoid dropping the STA entry and the associated keys. This is needed
> + * to allow the original connection work until the attempt can complete
> + * (re)association, so that unprotected Authentication frame cannot be
> + * used to bypass PMF protection.
> */
> if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
> + (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
> !(hapd->conf->mesh & MESH_ENABLED) &&
> !(sta->added_unassoc)) {
> /*
>
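Review bot: The added comment explains the PMF case but not the "!ap_sta_is_authorized(sta)" half of the new condition line, so a reader cannot tell why a STA with WLAN_STA_MFP set but not yet authorized still takes the drop path. Suggest adding one sentence to the comment giving the reason for that exception, and fixing "allow the original connection work" to "allow the original connection to work". The body of the guarded block is not visible in this hunk, so it is also worth confirming that nothing after it assumes the STA entry was just removed and re-added when the block is now skipped.
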
Simpler and nicer.
Thanks for handling this,
Ilan.