jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix EAPOL/EAP reauthentication with external RADIUS server

Browse source 
The EAP server state machine will need to have special code in
getDecision() to avoid starting passthrough operations before having
completed Identity round in the beginning of reauthentication. This was
broken when moving into using the full authenticator state machine from
RFC 4137 in 0.6.x.
This commit is contained in:
Jouni Malinen 2009-03-02 19:06:23 +02:00 committed by Jouni Malinen
parent 049a292f89
commit 1fd4b0db7c
3 changed files with 15 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
hostapd/ChangeLog
View file

@ -10,6 +10,8 @@ ChangeLog for hostapd
reported correctly; TX/RX packets not yet available from kernel)
* added support for WPS USBA out-of-band mechanism with USB Flash
Drives (UFD) (CONFIG_WPS_UFD=y)
* fixed EAPOL/EAP reauthentication when using an external RADIUS
authentication server
2009-01-06 - v0.6.7
* added support for Wi-Fi Protected Setup (WPS)

13
src/eap_server/eap.c
View file

@ -573,6 +573,13 @@ SM_STATE(EAP, SUCCESS2)
}
sm->eap_if.eapSuccess = TRUE;
/*
* Start reauthentication with identity request even though we know the
* previously used identity. This is needed to get reauthentication
* started properly.
*/
sm->start_reauth = TRUE;
}
@ -1070,7 +1077,7 @@ static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
static int eap_sm_Policy_getDecision(struct eap_sm *sm)
{
if (!sm->eap_server && sm->identity) {
if (!sm->eap_server && sm->identity && !sm->start_reauth) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
return DECISION_PASSTHROUGH;
}
@ -1091,7 +1098,8 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
return DECISION_FAILURE;
}
if ((sm->user == NULL || sm->update_user) && sm->identity) {
if ((sm->user == NULL || sm->update_user) && sm->identity &&
!sm->start_reauth) {
/*
* Allow Identity method to be started once to allow identity
* selection hint to be sent from the authentication server,
@ -1118,6 +1126,7 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
}
sm->update_user = FALSE;
}
sm->start_reauth = FALSE;
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
(sm->user->methods[sm->user_eap_method_index].vendor !=

2
src/eap_server/eap_i.h
View file

@ -183,6 +183,8 @@ struct eap_sm {
int tnc;
struct wps_context *wps;
struct wpabuf *assoc_wps_ie;
Boolean start_reauth;
};
int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,