Fix EAPOL supplicant port authorization with PMKSA caching

The previous eapol_sm_notify_cached() implementation forced the port
to be authorized when receiving EAPOL-Key msg 1/4 that included a
matching PMKID in cases when PMKSA caching is used. This is too early
since the port should really be authorized only after the PTK has been
configured which is the case when PMKSA caching is not used.

Fix this by using the EAPOL supplicant PAE state machine to go through
the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump
to AUTHENTICATED without performing full state machine steps. This can
be achieved simply by marking eapSuccess TRUE at least with the current
version of EAP and EAPOL state machines (the earlier commits in this
function seemed to indicate that this may have not been that easy in
the older versions due to the hacks needed here).

This addresses an issue with nl80211-based driver interface when the
driver depends on the STA Authorized flag being used to prevent
unprotected frames from being accepted (both TX and RX) prior to PTK
configuration.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1

diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 851cf49bfbac7433cc21f76169c50ff599783e2b..f90fb6257880f895e54fdeb2390394a7cadfbd14 100644 (file)
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -1469,10 +1469,7 @@ void eapol_sm_notify_cached(struct eapol_sm *sm)
        if (sm == NULL)
                return;
        wpa_printf(MSG_DEBUG, "EAPOL: PMKSA caching was used - skip EAPOL");
-       sm->SUPP_PAE_state = SUPP_PAE_AUTHENTICATED;
-       sm->suppPortStatus = Authorized;
-       eapol_sm_set_port_authorized(sm);
-       sm->portValid = TRUE;
+       sm->eapSuccess = TRUE;
        eap_notify_success(sm->eap);
        eapol_sm_step(sm);
 }