EAP peer: Clear ignore flag in INITIALIZE state

While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-10-31 19:39:23 +02:00
parent 1f1e619282
commit 17b7032891

@ -188,6 +188,14 @@ SM_STATE(EAP, INITIALIZE)
*/
eapol_set_bool(sm, EAPOL_eapResp, FALSE);
eapol_set_bool(sm, EAPOL_eapNoResp, FALSE);
/*
* RFC 4137 does not reset ignore here, but since it is possible for
* some method code paths to end up not setting ignore=FALSE, clear the
* value here to avoid issues if a previous authentication attempt
* failed with ignore=TRUE being left behind in the last
* m.check(eapReqData) operation.
*/
sm->ignore = 0;
sm->num_rounds = 0;
sm->prev_failure = 0;
sm->expected_failure = 0;
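
Review bot: Clearing the flag only in SM_STATE(EAP, INITIALIZE), via the added `sm->ignore = 0;`, covers a stale value carried over from a previous authentication attempt, but not one carried from one m.check(eapReqData) call to the next within the same attempt. The commit message says each call is supposed to produce a new result, and that a method can return without updating the value. Consider also resetting ignore immediately before each m.check() call in the method-handling state, so a method that returns without writing it cannot inherit the previous round's result; the reset here can then stay as a second line of defence. A smaller style point: the new comment speaks of ignore=FALSE and ignore=TRUE, and the neighbouring eapol_set_bool() calls pass FALSE, while the assignment uses the literal 0. Using the same spelling as the field's declared type would make the intent easier to grep for.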