Fix EAPOL reauth after FT protocol or offloaded PMKSA cache use

The EAP peer state machine moved from IDLE to FAILURE state when the
EAPOL Authenticator triggered reauthentication with an
EAP-Request/Identity in a case where the associated started with FT
protocol or offloaded PMKSA cache use (4-way handshake using a
previously acquired PMK). This happened due to the altSuccess=TRUE
setting being left behind and not cleared when processing the restart of
authentication. Fix this by clearing altAccept and eapSuccess when going
through SUPP_PAE RESTART state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 09cf4f6b922256d93f26af9e4aa3bf610cd5b41f..65460fc3bec05071d5db89e3420c340f4838c39b 100644 (file)
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -314,6 +314,16 @@ SM_STATE(SUPP_PAE, RESTART)
 {
        SM_ENTRY(SUPP_PAE, RESTART);
        sm->eapRestart = TRUE;
+       if (sm->altAccept) {
+               /*
+                * Prevent EAP peer state machine from failing due to prior
+                * external EAP success notification (altSuccess=TRUE in the
+                * IDLE state could result in a transition to the FAILURE state.
+                */
+               wpa_printf(MSG_DEBUG, "EAPOL: Clearing prior altAccept TRUE");
+               sm->eapSuccess = FALSE;
+               sm->altAccept = FALSE;
+       }
 }