From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 7 Aug 2019 08:51:44 +0000 (+0300)
Subject: Clear external eapSuccess setting in driver-authorized cases
X-Git-Tag: hostap_2_10~2507
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0b25c5bbc52a6af3b1cbb38b125ad659e90f446;p=thirdparty%2Fhostap.git

Clear external eapSuccess setting in driver-authorized cases

The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not
cover the case where eapol_sm_notify_eap_success(TRUE) had been called
based on offloaded 4-way handshake and driver notification of
authorization in wpa_supplicant_event_port_authorized(). This could
result in eapSuccess and altSuccess state machine variables being left
TRUE when roaming to another BSS and that results in EAP failure if the
following roaming case does not get fully authorized through the driver
offload.

Fix this by clearing eapSuccess/altSuccess when processing a new
association (including roaming) event and also when disconnecting from
the network.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 87dad0811..89c9452f7 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -316,8 +316,9 @@ void wpa_supplicant_mark_disassoc(struct wpa_supplicant *wpa_s)
 	eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
 	if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
 	    wpa_s->key_mgmt == WPA_KEY_MGMT_OWE ||
-	    wpa_s->key_mgmt == WPA_KEY_MGMT_DPP)
+	    wpa_s->key_mgmt == WPA_KEY_MGMT_DPP || wpa_s->drv_authorized_port)
 		eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
+	wpa_s->drv_authorized_port = 0;
 	wpa_s->ap_ies_from_associnfo = 0;
 	wpa_s->current_ssid = NULL;
 	eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
@@ -2831,7 +2832,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
 	if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
 	    wpa_s->key_mgmt == WPA_KEY_MGMT_DPP ||
 	    wpa_s->key_mgmt == WPA_KEY_MGMT_OWE || ft_completed ||
-	    already_authorized)
+	    already_authorized || wpa_s->drv_authorized_port)
 		eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
 	/* 802.1X::portControl = Auto */
 	eapol_sm_notify_portEnabled(wpa_s->eapol, TRUE);
@@ -3935,6 +3936,7 @@ static void wpa_supplicant_event_port_authorized(struct wpa_supplicant *wpa_s)
 		wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
 		eapol_sm_notify_portValid(wpa_s->eapol, TRUE);
 		eapol_sm_notify_eap_success(wpa_s->eapol, TRUE);
+		wpa_s->drv_authorized_port = 1;
 	}
 }
 
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 8a4bdf8cb..32f390fd9 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -1254,6 +1254,7 @@ struct wpa_supplicant {
 	unsigned int ieee80211ac:1;
 	unsigned int enabled_4addr_mode:1;
 	unsigned int multi_bss_support:1;
+	unsigned int drv_authorized_port:1;
 };