> is not really doing that nicely. This is adding yet another copy of > authentication frame processing and would indeed need a lot more > duplicated code to handle FT, SAE, and FILS authentication algorithms. > > It looks much simpler to fix the regression in the full state state > commit mentioned above with the following change to leave a single > authentication frame processing implementation in use for both cases: > > diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c > @@ -1580,8 +1580,15 @@ static void handle_auth(struct hostapd_data *hapd, > * > * In mesh mode, the station was already added to the driver when the > * NEW_PEER_CANDIDATE event is received. > + * > + * If PMF was negotiated for the existing association, skip this to > + * avoid dropping the STA entry and the associated keys. This is needed > + * to allow the original connection work until the attempt can complete > + * (re)association, so that unprotected Authentication frame cannot be > + * used to bypass PMF protection. > */ > if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && > + (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && > !(hapd->conf->mesh & MESH_ENABLED) && > !(sta->added_unassoc)) { > /* > Simpler and nicer. Thanks for handling this, Ilan. _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap