From c60ba9f7abfcd294c7403f54dd53641eafc7d15a Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 8 Jan 2014 10:24:05 +0200 Subject: [PATCH] Skip network disabling on expected EAP failure Some EAP methods can go through a step that is expected to fail and as such, should not trigger temporary network disabling when processing EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as a special case, but similar behavior is needed for EAP-FAST with unauthenticated provisioning. Signed-hostap: Jouni Malinen --- src/eap_peer/eap.c | 7 +++++++ src/eap_peer/eap.h | 1 + src/eap_peer/eap_fast.c | 2 ++ src/eap_peer/eap_i.h | 2 ++ src/eapol_supp/eapol_supp_sm.c | 10 ++++++++-- src/eapol_supp/eapol_supp_sm.h | 11 +++++++++-- src/rsn_supp/preauth.c | 10 ++++++---- wpa_supplicant/eapol_test.c | 5 +++-- wpa_supplicant/events.c | 9 +++++---- wpa_supplicant/wpa_supplicant.c | 1 + wpa_supplicant/wpa_supplicant_i.h | 1 + wpa_supplicant/wpas_glue.c | 29 ++++++++++++++++++++++++----- 12 files changed, 69 insertions(+), 19 deletions(-) diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index 3068b69..47cbbee 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c @@ -179,6 +179,7 @@ SM_STATE(EAP, INITIALIZE) eapol_set_bool(sm, EAPOL_eapNoResp, FALSE); sm->num_rounds = 0; sm->prev_failure = 0; + sm->expected_failure = 0; } @@ -2417,3 +2418,9 @@ void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len) if (sm->eapol_cb->set_anon_id) sm->eapol_cb->set_anon_id(sm->eapol_ctx, id, len); } + + +int eap_peer_was_failure_expected(struct eap_sm *sm) +{ + return sm->expected_failure; +} diff --git a/src/eap_peer/eap.h b/src/eap_peer/eap.h index 711f41f..712e929 100644 --- a/src/eap_peer/eap.h +++ b/src/eap_peer/eap.h @@ -320,6 +320,7 @@ int eap_is_wps_pin_enrollee(struct eap_peer_config *conf); struct ext_password_data; void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext); void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len); +int eap_peer_was_failure_expected(struct eap_sm *sm); #endif /* IEEE8021X_EAPOL */ diff --git a/src/eap_peer/eap_fast.c b/src/eap_peer/eap_fast.c index b3cbec6..1b0c562 100644 --- a/src/eap_peer/eap_fast.c +++ b/src/eap_peer/eap_fast.c @@ -1055,6 +1055,7 @@ static struct wpabuf * eap_fast_process_pac(struct eap_sm *sm, } wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV " "- Provisioning completed successfully"); + sm->expected_failure = 1; } else { /* * This is PAC refreshing, i.e., normal authentication that is @@ -1252,6 +1253,7 @@ static int eap_fast_process_decrypted(struct eap_sm *sm, "provisioning completed successfully."); ret->methodState = METHOD_DONE; ret->decision = DECISION_FAIL; + sm->expected_failure = 1; } else { wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " "completed successfully."); diff --git a/src/eap_peer/eap_i.h b/src/eap_peer/eap_i.h index 9307f3f..8288ba5 100644 --- a/src/eap_peer/eap_i.h +++ b/src/eap_peer/eap_i.h @@ -350,6 +350,8 @@ struct eap_sm { struct wpabuf *ext_pw_buf; int external_sim; + + unsigned int expected_failure:1; }; const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len); diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c index 05b9851..cbcde7e 100644 --- a/src/eapol_supp/eapol_supp_sm.c +++ b/src/eapol_supp/eapol_supp_sm.c @@ -940,9 +940,15 @@ void eapol_sm_step(struct eapol_sm *sm) } if (sm->ctx->cb && sm->cb_status != EAPOL_CB_IN_PROGRESS) { - int success = sm->cb_status == EAPOL_CB_SUCCESS ? 1 : 0; + enum eapol_supp_result result; + if (sm->cb_status == EAPOL_CB_SUCCESS) + result = EAPOL_SUPP_RESULT_SUCCESS; + else if (eap_peer_was_failure_expected(sm->eap)) + result = EAPOL_SUPP_RESULT_EXPECTED_FAILURE; + else + result = EAPOL_SUPP_RESULT_FAILURE; sm->cb_status = EAPOL_CB_IN_PROGRESS; - sm->ctx->cb(sm, success, sm->ctx->cb_ctx); + sm->ctx->cb(sm, result, sm->ctx->cb_ctx); } } diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h index 54e8a27..934eda0 100644 --- a/src/eapol_supp/eapol_supp_sm.h +++ b/src/eapol_supp/eapol_supp_sm.h @@ -63,6 +63,12 @@ struct eapol_config { struct eapol_sm; struct wpa_config_blob; +enum eapol_supp_result { + EAPOL_SUPP_RESULT_FAILURE, + EAPOL_SUPP_RESULT_SUCCESS, + EAPOL_SUPP_RESULT_EXPECTED_FAILURE +}; + /** * struct eapol_ctx - Global (for all networks) EAPOL state machine context */ @@ -83,7 +89,7 @@ struct eapol_ctx { /** * cb - Function to be called when EAPOL negotiation has been completed * @eapol: Pointer to EAPOL state machine data - * @success: Whether the authentication was completed successfully + * @result: Whether the authentication was completed successfully * @ctx: Pointer to context data (cb_ctx) * * This optional callback function will be called when the EAPOL @@ -91,7 +97,8 @@ struct eapol_ctx { * EAPOL state machine to process the key and terminate the EAPOL state * machine. Currently, this is used only in RSN pre-authentication. */ - void (*cb)(struct eapol_sm *eapol, int success, void *ctx); + void (*cb)(struct eapol_sm *eapol, enum eapol_supp_result result, + void *ctx); /** * cb_ctx - Callback context for cb() diff --git a/src/rsn_supp/preauth.c b/src/rsn_supp/preauth.c index c51620e..915f85e 100644 --- a/src/rsn_supp/preauth.c +++ b/src/rsn_supp/preauth.c @@ -70,13 +70,14 @@ static void rsn_preauth_receive(void *ctx, const u8 *src_addr, } -static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success, +static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, + enum eapol_supp_result result, void *ctx) { struct wpa_sm *sm = ctx; u8 pmk[PMK_LEN]; - if (success) { + if (result == EAPOL_SUPP_RESULT_SUCCESS) { int res, pmk_len; pmk_len = PMK_LEN; res = eapol_sm_get_key(eapol, pmk, PMK_LEN); @@ -100,13 +101,14 @@ static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success, wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "RSN: failed to get master session key from " "pre-auth EAPOL state machines"); - success = 0; + result = EAPOL_SUPP_RESULT_FAILURE; } } wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "RSN: pre-authentication with " MACSTR " %s", MAC2STR(sm->preauth_bssid), - success ? "completed successfully" : "failed"); + result == EAPOL_SUPP_RESULT_SUCCESS ? "completed successfully" : + "failed"); rsn_preauth_deinit(sm); rsn_preauth_candidate_process(sm); diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c index cb71475..ac0ab0b 100644 --- a/wpa_supplicant/eapol_test.c +++ b/wpa_supplicant/eapol_test.c @@ -365,10 +365,11 @@ static int eapol_test_compare_pmk(struct eapol_test_data *e) } -static void eapol_sm_cb(struct eapol_sm *eapol, int success, void *ctx) +static void eapol_sm_cb(struct eapol_sm *eapol, enum eapol_supp_result result, + void *ctx) { struct eapol_test_data *e = ctx; - printf("eapol_sm_cb: success=%d\n", success); + printf("eapol_sm_cb: result=%d\n", result); e->eapol_test_num_reauths--; if (e->eapol_test_num_reauths < 0) eloop_terminate(); diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index abd27d8..632f0fe 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -2547,10 +2547,11 @@ static void wpas_event_disconnect(struct wpa_supplicant *wpa_s, const u8 *addr, wpa_supplicant_event_disassoc(wpa_s, reason_code, locally_generated); - if (reason_code == WLAN_REASON_IEEE_802_1X_AUTH_FAILED || - ((wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) || - (wpa_s->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)) && - eapol_sm_failed(wpa_s->eapol))) + if (((reason_code == WLAN_REASON_IEEE_802_1X_AUTH_FAILED || + ((wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) || + (wpa_s->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)) && + eapol_sm_failed(wpa_s->eapol))) && + !wpa_s->eap_expected_failure)) wpas_auth_failed(wpa_s); #ifdef CONFIG_P2P diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 187e5d9..78e2749 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1410,6 +1410,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) os_memset(¶ms, 0, sizeof(params)); wpa_s->reassociate = 0; + wpa_s->eap_expected_failure = 0; if (bss && !wpas_driver_bss_selection(wpa_s)) { #ifdef CONFIG_IEEE80211R const u8 *ie, *md = NULL; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index d1ea77b..0130f81 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -571,6 +571,7 @@ struct wpa_supplicant { struct os_reltime pending_eapol_rx_time; u8 pending_eapol_rx_src[ETH_ALEN]; unsigned int last_eapol_matches_bssid:1; + unsigned int eap_expected_failure:1; struct ibss_rsn *ibss_rsn; diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index ab6cdca..999d667 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -216,20 +216,38 @@ static void wpa_supplicant_aborted_cached(void *ctx) } -static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, int success, +static const char * result_str(enum eapol_supp_result result) +{ + switch (result) { + case EAPOL_SUPP_RESULT_FAILURE: + return "FAILURE"; + case EAPOL_SUPP_RESULT_SUCCESS: + return "SUCCESS"; + case EAPOL_SUPP_RESULT_EXPECTED_FAILURE: + return "EXPECTED_FAILURE"; + } + return "?"; +} + + +static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, + enum eapol_supp_result result, void *ctx) { struct wpa_supplicant *wpa_s = ctx; int res, pmk_len; u8 pmk[PMK_LEN]; - wpa_printf(MSG_DEBUG, "EAPOL authentication completed %ssuccessfully", - success ? "" : "un"); + wpa_printf(MSG_DEBUG, "EAPOL authentication completed - result=%s", + result_str(result)); if (wpas_wps_eapol_cb(wpa_s) > 0) return; - if (!success) { + wpa_s->eap_expected_failure = result == + EAPOL_SUPP_RESULT_EXPECTED_FAILURE; + + if (result != EAPOL_SUPP_RESULT_SUCCESS) { /* * Make sure we do not get stuck here waiting for long EAPOL * timeout if the AP does not disconnect in case of @@ -238,7 +256,8 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, int success, wpa_supplicant_req_auth_timeout(wpa_s, 2, 0); } - if (!success || !(wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE)) + if (result != EAPOL_SUPP_RESULT_SUCCESS || + !(wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE)) return; if (!wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) -- 2.1.4