From: Jouni Malinen <jouni.malinen@atheros.com>
Date: Mon, 2 Mar 2009 17:06:23 +0000 (+0200)
Subject: Fix EAPOL/EAP reauthentication with external RADIUS server
X-Git-Tag: hostap_0_7_0~484
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=1fd4b0db7c1dc82e09234f33d798bd07a69ab0c7;p=libeap.git

Fix EAPOL/EAP reauthentication with external RADIUS server

The EAP server state machine will need to have special code in
getDecision() to avoid starting passthrough operations before having
completed Identity round in the beginning of reauthentication. This was
broken when moving into using the full authenticator state machine from
RFC 4137 in 0.6.x.
---

diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index b98cbc9..1c8be84 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -10,6 +10,8 @@ ChangeLog for hostapd
 	  reported correctly; TX/RX packets not yet available from kernel)
 	* added support for WPS USBA out-of-band mechanism with USB Flash
 	  Drives (UFD) (CONFIG_WPS_UFD=y)
+	* fixed EAPOL/EAP reauthentication when using an external RADIUS
+	  authentication server
 
 2009-01-06 - v0.6.7
 	* added support for Wi-Fi Protected Setup (WPS)
diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index dea91e6..d23ae2f 100644
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -573,6 +573,13 @@ SM_STATE(EAP, SUCCESS2)
 	}
 
 	sm->eap_if.eapSuccess = TRUE;
+
+	/*
+	 * Start reauthentication with identity request even though we know the
+	 * previously used identity. This is needed to get reauthentication
+	 * started properly.
+	 */
+	sm->start_reauth = TRUE;
 }
 
 
@@ -1070,7 +1077,7 @@ static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
 
 static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 {
-	if (!sm->eap_server && sm->identity) {
+	if (!sm->eap_server && sm->identity && !sm->start_reauth) {
 		wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
 		return DECISION_PASSTHROUGH;
 	}
@@ -1091,7 +1098,8 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 		return DECISION_FAILURE;
 	}
 
-	if ((sm->user == NULL || sm->update_user) && sm->identity) {
+	if ((sm->user == NULL || sm->update_user) && sm->identity &&
+	    !sm->start_reauth) {
 		/*
 		 * Allow Identity method to be started once to allow identity
 		 * selection hint to be sent from the authentication server,
@@ -1118,6 +1126,7 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 		}
 		sm->update_user = FALSE;
 	}
+	sm->start_reauth = FALSE;
 
 	if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 	    (sm->user->methods[sm->user_eap_method_index].vendor !=
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 61f564d..d52b86f 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -183,6 +183,8 @@ struct eap_sm {
 	int tnc;
 	struct wps_context *wps;
 	struct wpabuf *assoc_wps_ie;
+
+	Boolean start_reauth;
 };
 
 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,