Fix EAPOL supplicant port authorization with PMKSA caching
The previous eapol_sm_notify_cached() implementation forced the port to be authorized when receiving EAPOL-Key msg 1/4 that included a matching PMKID in cases when PMKSA caching is used. This is too early since the port should really be authorized only after the PTK has been configured which is the case when PMKSA caching is not used. Fix this by using the EAPOL supplicant PAE state machine to go through the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump to AUTHENTICATED without performing full state machine steps. This can be achieved simply by marking eapSuccess TRUE at least with the current version of EAP and EAPOL state machines (the earlier commits in this function seemed to indicate that this may have not been that easy in the older versions due to the hacks needed here). This addresses an issue with nl80211-based driver interface when the driver depends on the STA Authorized flag being used to prevent unprotected frames from being accepted (both TX and RX) prior to PTK configuration. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
This commit is contained in:
parent
04a3e69dd1
commit
86cf382b80
1 changed files with 1 additions and 4 deletions
|
@ -1469,10 +1469,7 @@ void eapol_sm_notify_cached(struct eapol_sm *sm)
|
|||
if (sm == NULL)
|
||||
return;
|
||||
wpa_printf(MSG_DEBUG, "EAPOL: PMKSA caching was used - skip EAPOL");
|
||||
sm->SUPP_PAE_state = SUPP_PAE_AUTHENTICATED;
|
||||
sm->suppPortStatus = Authorized;
|
||||
eapol_sm_set_port_authorized(sm);
|
||||
sm->portValid = TRUE;
|
||||
sm->eapSuccess = TRUE;
|
||||
eap_notify_success(sm->eap);
|
||||
eapol_sm_step(sm);
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue