authorJouni Malinen <jouni.malinen@atheros.com>2009-03-02 17:06:23 (GMT)
committerJouni Malinen <j@w1.fi>2009-03-11 19:17:03 (GMT)
commit678f634d2d917e66174dac8968e78151b552381c (patch)
treedf6cbb12fc16cfa61c017871f55c3e2902ccf41a
parent8b19cc2d8c6aa9f7a3dc4feb120e4753a459a736 (diff)
Fix EAPOL/EAP reauthentication with external RADIUS server
The EAP server state machine needs special code in getDecision() to avoid starting passthrough operations before the Identity round has been completed at the beginning of reauthentication. This was broken when moving to the full authenticator state machine from RFC 4137 in 0.6.x.
(cherry picked from commit 1fd4b0db7c1dc82e09234f33d798bd07a69ab0c7)
Conflicts: hostapd/ChangeLog
-rw-r--r--hostapd/ChangeLog2
-rw-r--r--src/eap_server/eap.c13
-rw-r--r--src/eap_server/eap_i.h2
3 files changed, 15 insertions, 2 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 3918aa3..290b81f 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -3,6 +3,8 @@ ChangeLog for hostapd
????-??-?? - v0.6.9
* driver_nl80211: fixed STA accounting data collection (TX/RX bytes
reported correctly; TX/RX packets not yet available from kernel)
+ * fixed EAPOL/EAP reauthentication when using an external RADIUS
+ authentication server
2009-02-15 - v0.6.8
* increased hostapd_cli ping interval to 5 seconds and made this
diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index dea91e6..d23ae2f 100644
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -573,6 +573,13 @@ SM_STATE(EAP, SUCCESS2)
}
sm->eap_if.eapSuccess = TRUE;
+
+ /*
+ * Start reauthentication with identity request even though we know the
+ * previously used identity. This is needed to get reauthentication
+ * started properly.
+ */
+ sm->start_reauth = TRUE;
}
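Review bot: The flag is raised only on the SUCCESS2 path shown here, so a reauthentication that follows a failed passthrough exchange appears to still find a cached `sm->identity` with `start_reauth` unset, and would take the PASSTHROUGH branch in eap_sm_Policy_getDecision() without a fresh Identity round. Whether FAILURE2 or the restart path already resets the identity is not visible in this diff, so this is worth confirming. If it does not, `sm->start_reauth = TRUE;` probably belongs on that path as well. The body of SM_STATE(EAP, SUCCESS2) starts outside the hunk.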
@@ -1070,7 +1077,7 @@ static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
static int eap_sm_Policy_getDecision(struct eap_sm *sm)
{
- if (!sm->eap_server && sm->identity) {
+ if (!sm->eap_server && sm->identity && !sm->start_reauth) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
return DECISION_PASSTHROUGH;
}
@@ -1091,7 +1098,8 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
return DECISION_FAILURE;
}
- if ((sm->user == NULL || sm->update_user) && sm->identity) {
+ if ((sm->user == NULL || sm->update_user) && sm->identity &&
+ !sm->start_reauth) {
/*
* Allow Identity method to be started once to allow identity
* selection hint to be sent from the authentication server,
@@ -1118,6 +1126,7 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
}
sm->update_user = FALSE;
}
+ sm->start_reauth = FALSE;
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
(sm->user->methods[sm->user_eap_method_index].vendor !=
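Review bot: `sm->start_reauth = FALSE;` is reached only when none of the earlier returns in eap_sm_Policy_getDecision() fires, for example the `return DECISION_FAILURE;` visible as context in the previous hunk. The flag can therefore outlive the call it was meant for and suppress the passthrough decision and the `sm->user == NULL || sm->update_user` block on a later call. If it is intended as a one-shot, reading it into a local at the top and clearing it there (`Boolean reauth = sm->start_reauth; sm->start_reauth = FALSE;`), then testing `!reauth` in both conditions, makes that explicit. Otherwise a comment at the reset, such as `/* one-shot: consumed by the first decision that gets this far */`, would record the intent. The function starts and continues outside these hunks, so whether an early return is reachable with the flag set could not be checked from here.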
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 61f564d..d52b86f 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -183,6 +183,8 @@ struct eap_sm {
int tnc;
struct wps_context *wps;
struct wpabuf *assoc_wps_ie;
+
+ Boolean start_reauth;
};
int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
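Review bot: The new `start_reauth` member has no comment, and its meaning is not obvious from the name alone. Per the eap.c hunks it is set at the end of SUCCESS2 and makes eap_sm_Policy_getDecision() skip both the passthrough decision and the `sm->user == NULL || sm->update_user` block until it is cleared. A short comment would help the next reader, for example `/* set in SUCCESS2; forces one Identity round before passthrough on reauthentication; cleared in eap_sm_Policy_getDecision() */`. struct eap_sm begins outside the hunk.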