Fix EAPOL/EAP reauthentication with external RADIUS server

The EAP server state machine will need to have special code in
getDecision() to avoid starting passthrough operations before having
completed Identity round in the beginning of reauthentication. This was
broken when moving into using the full authenticator state machine from
RFC 4137 in 0.6.x.

diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index b98cbc988b2bb08f4ad75dc2b572989e7cacf25e..1c8be849d9936c79041a7ad8e613f8413c932812 100644 (file)
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -10,6 +10,8 @@ ChangeLog for hostapd
          reported correctly; TX/RX packets not yet available from kernel)
        * added support for WPS USBA out-of-band mechanism with USB Flash
          Drives (UFD) (CONFIG_WPS_UFD=y)
+       * fixed EAPOL/EAP reauthentication when using an external RADIUS
+         authentication server
 
 2009-01-06 - v0.6.7
        * added support for Wi-Fi Protected Setup (WPS)

diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index dea91e635d2f4601ba667353f3c75da82cead3da..d23ae2f90d491babc4e80565e56a0a98c37de391 100644 (file)
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -573,6 +573,13 @@ SM_STATE(EAP, SUCCESS2)
        }
 
        sm->eap_if.eapSuccess = TRUE;
+
+       /*
+        * Start reauthentication with identity request even though we know the
+        * previously used identity. This is needed to get reauthentication
+        * started properly.
+        */
+       sm->start_reauth = TRUE;
 }
 
 
@@ -1070,7 +1077,7 @@ static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
 
 static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 {
-       if (!sm->eap_server && sm->identity) {
+       if (!sm->eap_server && sm->identity && !sm->start_reauth) {
                wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
                return DECISION_PASSTHROUGH;
        }
@@ -1091,7 +1098,8 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
                return DECISION_FAILURE;
        }
 
-       if ((sm->user == NULL || sm->update_user) && sm->identity) {
+       if ((sm->user == NULL || sm->update_user) && sm->identity &&
+           !sm->start_reauth) {
                /*
                 * Allow Identity method to be started once to allow identity
                 * selection hint to be sent from the authentication server,
@@ -1118,6 +1126,7 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
                }
                sm->update_user = FALSE;
        }
+       sm->start_reauth = FALSE;
 
        if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
            (sm->user->methods[sm->user_eap_method_index].vendor !=

diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 61f564d5c49f3bdb7a24364b572f900216c8d6c1..d52b86f9558f0b3360b49bac85d93b059c6c5019 100644 (file)
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -183,6 +183,8 @@ struct eap_sm {
        int tnc;
        struct wps_context *wps;
        struct wpabuf *assoc_wps_ie;
+
+       Boolean start_reauth;
 };
 
 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,