Stop authentication attemps if AP does not disconnect us
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 6 Apr 2022 12:12:06 +0000 (15:12 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 6 Apr 2022 12:28:49 +0000 (15:28 +0300)
It would have been possible for the authentication attempts to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant/wpa_supplicant.c
wpa_supplicant/wpa_supplicant_i.h
wpa_supplicant/wpas_glue.c

index 3d3d5465ad7bc40d4b667bbeb074c00d530e2994..64cad0af21d67afad21ec709023c8029ac881350 100644 (file)
@@ -2226,6 +2226,7 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
        else
                rand_style = ssid->mac_addr;
 
+       wpa_s->eapol_failed = 0;
        wpa_s->multi_ap_ie = 0;
        wmm_ac_clear_saved_tspecs(wpa_s);
        wpa_s->reassoc_same_bss = 0;
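Review bot: Apart from the success path in wpas_glue.c, the added `wpa_s->eapol_failed = 0;` is the only place where the flag is cleared, so the fix depends on every new association passing through wpa_supplicant_associate(). That cannot be confirmed from this hunk, because the function starts and ends outside it. If some associations bypass this function (for example a driver-initiated roam), a stale flag would make the first EAP failure on the new BSS time out immediately instead of after 2 seconds. A short comment such as `/* New association: forget any earlier EAPOL failure */` would record the intent, and it is worth checking whether the disconnect and roam event paths need the same reset.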
index e759dbd8b71bc5fc1cf1c50d3059cba97ce3e955..da3c36166a30f8c7f14771ee68b8384ea4bf72a6 100644 (file)
@@ -949,6 +949,7 @@ struct wpa_supplicant {
        struct os_reltime pending_eapol_rx_time;
        u8 pending_eapol_rx_src[ETH_ALEN];
        unsigned int last_eapol_matches_bssid:1;
+       unsigned int eapol_failed:1;
        unsigned int eap_expected_failure:1;
        unsigned int reattach:1; /* reassociation to the same BSS requested */
        unsigned int mac_addr_changed:1;
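Review bot: The new `eapol_failed` bit has no comment, while the neighbouring `reattach` field documents its meaning. The flag's lifetime drives the timeout decision: it is set on a non-success EAPOL result and cleared on success and at the start of a new association. I would add a comment on the declaration, e.g. `unsigned int eapol_failed:1; /* previous EAPOL authentication attempt failed */`. The struct definition continues outside the hunk.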
index 17fc05bcbdab2cb5707e68e9558f8ab3b600e3dd..33bc831f3b3845e73dcfd80debea211c6aade3df 100644 (file)
@@ -298,13 +298,21 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol,
                EAPOL_SUPP_RESULT_EXPECTED_FAILURE;
 
        if (result != EAPOL_SUPP_RESULT_SUCCESS) {
+               int timeout = 2;
                /*
                 * Make sure we do not get stuck here waiting for long EAPOL
                 * timeout if the AP does not disconnect in case of
                 * authentication failure.
                 */
-               wpa_supplicant_req_auth_timeout(wpa_s, 2, 0);
+               if (wpa_s->eapol_failed) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAPOL authentication failed again and AP did not disconnect us");
+                       timeout = 0;
+               }
+               wpa_s->eapol_failed = 1;
+               wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0);
        } else {
+               wpa_s->eapol_failed = 0;
                ieee802_1x_notify_create_actor(wpa_s, wpa_s->last_eapol_src);
        }
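Review bot: `wpa_s->eapol_failed = 1;` runs for every non-success result, which, judging by the context line above the `if`, includes EAPOL_SUPP_RESULT_EXPECTED_FAILURE, so an expected failure followed by one more failure in the same association would take the zero-timeout path. If that is not intended, set the flag conditionally: `if (result != EAPOL_SUPP_RESULT_EXPECTED_FAILURE) wpa_s->eapol_failed = 1;`. Separately, the "failed again and AP did not disconnect us" case means the local and peer views of the EAP outcome disagree, yet it is logged only at MSG_DEBUG; raising it to MSG_INFO would make it visible in default logs. The block comment above the call still describes only the 2-second wait and should mention the immediate timeout on the second consecutive failure. wpa_supplicant_eapol_cb() starts and ends outside the hunk.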