8

If in a public WLAN WPA2-PSK is used, but the PSK is more or less publicly available, does this mean that an attacker with that PSK can easily decrypt WLAN traffic from/to other clients of that WLAN?

Or does WPA2 negotiate sort of a per-client encryption key, so that while an intruder can access the WLAN, he's still not able to decrypt the other clients' traffic?

Paŭlo Ebermann
Bachi

1 Answer

11

Curiously, the answer is »Yes« to both questions.

Each client (STA) establishes a different pairwise transient key (PTK) with the access point (AP) for each session, but this PTK is derived from the pairwise master key (PMK). And if you are using a pre-shared key (PSK, usually derived from a password entered by the users), this PSK is used as the PMK.

The derivation of the PTK uses a pair of nonce values sent by both STA and AP in clear text as the first two steps of a 4-way handshake, as well as their MAC addresses (which are public anyway) and the PMK (all hashed together with a hash function).

So, listening on those first two handshake messages and knowing the PSK allows an attacker to listen to any messages between AP and STA, as well as impersonate one or both to do a man-in-the-middle attack.

The standard IEEE 802.11-2007 contains a note about this (page 190, in the PDF on page 239):

NOTE—When an ESS uses PSKs, STAs negotiate a pairwise cipher. However, any STA in the ESS can derive the pairwise keys of any other that uses the same PSK by capturing the first two messages of the 4-Way Handshake. This provides malicious insiders with the ability to eavesdrop as well as the ability to establish a man-in-the-middle attack.

Paŭlo Ebermann