Clear EAPOL authenticator authFail for PMKSA caching/FT

This fixes a corner case where a STA that has PMKSA cache entry (or
valid FT keys) could try to use full EAPOL/EAP authentication and fail.
If the STA will then try to use the still valid PMKSA cache entry (or
FT) before the STA entry has been cleared, authFail could have been left
to TRUE. That will make EAPOL authenticator PAE state machine enter HELD
state even though authSuccess was already forced to TRUE. This results
in the STA getting disconnected even though it should be allowed to
continue with 4-way handshake. While this is unlikely to happen in
practice, it is better to get this fixed by clearing authFail when
setting authSuccess.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 153b27137d70bb3a8b6d5d9de3796db2cc227f3f..11f25b0614fbc1d1a9daa5a61f9ead414ee25d54 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1,6 +1,6 @@
 /*
  * hostapd / IEEE 802.1X-2004 Authenticator
- * Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -918,6 +918,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
                sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
                sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
                sta->eapol_sm->authSuccess = TRUE;
+               sta->eapol_sm->authFail = FALSE;
                if (sta->eapol_sm->eap)
                        eap_sm_notify_cached(sta->eapol_sm->eap);
                /* TODO: get vlan_id from R0KH using RRB message */
@@ -939,6 +940,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
                sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
                sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
                sta->eapol_sm->authSuccess = TRUE;
+               sta->eapol_sm->authFail = FALSE;
                if (sta->eapol_sm->eap)
                        eap_sm_notify_cached(sta->eapol_sm->eap);
                old_vlanid = sta->vlan_id;