Do not try session resumption after EAP failure
authorJouni Malinen <j@w1.fi>
Sun, 15 Feb 2009 15:36:49 +0000 (17:36 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 15 Feb 2009 15:36:49 +0000 (17:36 +0200)
If session resumption fails for any reason, do not try it again because
that is just likely to fail. Instead, drop back to using full
authentication which may work. This is a workaround for servers that do
not like session resumption, but do not know how to fall back to full
authentication properly.

src/eap_peer/eap.c
src/eap_peer/eap_i.h

index 5f1c9e0..e8e504a 100644 (file)
@@ -134,7 +134,8 @@ SM_STATE(EAP, INITIALIZE)
 {
        SM_ENTRY(EAP, INITIALIZE);
        if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
-           sm->m->has_reauth_data(sm, sm->eap_method_priv)) {
+           sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
+           !sm->prev_failure) {
                wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
                           "fast reauthentication");
                sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
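Review bot: When `!sm->prev_failure` makes this condition false, the peer falls through to full authentication without logging why, so a debug trace cannot tell a deliberately skipped fast reauthentication from a run where no reauth data existed. The flag is set unconditionally in the `SM_STATE(EAP, FAILURE)` hunk, so as far as the visible lines show it follows any failed authentication, not only a failed resumption as the commit message describes; that errs on the safe side, but it is worth stating in the code. I would put a comment above the condition such as `/* prev_failure: last attempt ended in FAILURE; force full authentication once */` and emit something like `wpa_printf(MSG_DEBUG, "EAP: previous attempt failed - not using fast reauthentication");` on the skip path. The rest of the if/else lies outside this hunk, so the exact place for that message has to be checked against the full function.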
@@ -165,6 +166,7 @@ SM_STATE(EAP, INITIALIZE)
        eapol_set_bool(sm, EAPOL_eapResp, FALSE);
        eapol_set_bool(sm, EAPOL_eapNoResp, FALSE);
        sm->num_rounds = 0;
+       sm->prev_failure = 0;
 }
 
 
@@ -505,6 +507,8 @@ SM_STATE(EAP, FAILURE)
 
        wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
                "EAP authentication failed");
+
+       sm->prev_failure = 1;
 }
 
 
index 4b7029e..e7c826e 100644 (file)
@@ -333,6 +333,8 @@ struct eap_sm {
        int force_disabled;
 
        struct wps_context *wps;
+
+       int prev_failure;
 };
 
 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len);
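Review bot: The new `prev_failure` field carries no comment, and its lifetime can only be worked out by reading three places in eap.c: it is set in FAILURE, tested near the top of INITIALIZE and cleared at the end of INITIALIZE. The workaround depends on the test running before the reset, so I would document that on the field, for example `int prev_failure; /* last attempt ended in FAILURE; read then cleared in INITIALIZE to skip fast reauth once */`. The struct definition begins outside this hunk.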