Currently, in non‑AP STA mode, mac80211 permits key installation only
after association is complete. However, Enhanced Privacy Protection Key
Exchange (EPPKE) requires key installation before association to enable
encryption and decryption of (Re)Association Request and Response frames.

Add support to install keys immediately after authentication, prior to
association, when encryption and decryption of (Re)Association Request
and Response frames is required in non‑AP STA mode.

Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
---
 net/mac80211/cfg.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index b51c2c8584ae..2044eeedfa8b 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -680,12 +680,29 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
 		 * association has completed, this rejects that attempt
 		 * so it will set the key again after association.
 		 *
+		 * With (re)association frame encryption enabled, cfg80211
+		 * may deliver keys to mac80211 before the station has
+		 * associated. In that case, accept the key if the station
+		 * is in Authenticated state in non‑AP STA mode.
+		 * If (re)association frame encryption support is not present,
+		 * cfg80211 will not allow key installation in non‑AP STA mode.
+		 *
 		 * TODO: accept the key if we have a station entry and
-		 *       add it to the device after the station.
+		 *	 add it to the device after the station associates.
 		 */
-		if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
-			ieee80211_key_free_unused(key);
-			return -ENOENT;
+		if (!sta)
+			goto fail;
+
+		switch (sdata->vif.type) {
+		case NL80211_IFTYPE_STATION:
+			if (!test_sta_flag(sta, WLAN_STA_AUTH) &&
+			    !test_sta_flag(sta, WLAN_STA_ASSOC))
+				goto fail;
+			break;
+		default:
+			if (!test_sta_flag(sta, WLAN_STA_ASSOC))
+				goto fail;
+			break;
 		}
 	}
 
@@ -729,6 +746,10 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
 		err = 0;
 
 	return err;
+
+fail:
+	ieee80211_key_free_unused(key);
+	return -ENOENT;
 }
 
 static struct ieee80211_key *
-- 
2.34.1