Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix EAPOL/EAP reauthentication with external RADIUS server

The EAP server state machine will need to have special code in
getDecision() to avoid starting passthrough operations before having
completed Identity round in the beginning of reauthentication. This was
broken when moving into using the full authenticator state machine from
RFC 4137 in 0.6.x.
Jouni Malinen 16 years ago
parent
049a292f89
commit
1fd4b0db7c
3 changed files with 15 additions and 2 deletions
Split View Show Diff Stats
  1. 2 0
      hostapd/ChangeLog
  2. 11 2
      src/eap_server/eap.c
  3. 2 0
      src/eap_server/eap_i.h

+ 2 - 0
hostapd/ChangeLog
View File 

@@ -10,6 +10,8 @@ ChangeLog for hostapd
 
 	  reported correctly; TX/RX packets not yet available from kernel)
 
 	* added support for WPS USBA out-of-band mechanism with USB Flash
 
 	  Drives (UFD) (CONFIG_WPS_UFD=y)
 
+	* fixed EAPOL/EAP reauthentication when using an external RADIUS
 
+	  authentication server
 
 
 2009-01-06 - v0.6.7
 
 	* added support for Wi-Fi Protected Setup (WPS)

+ 11 - 2
src/eap_server/eap.c
View File 

@@ -573,6 +573,13 @@ SM_STATE(EAP, SUCCESS2)
 
 	}
 
 
 	sm->eap_if.eapSuccess = TRUE;
 
+
 
+	/*
 
+	 * Start reauthentication with identity request even though we know the
 
+	 * previously used identity. This is needed to get reauthentication
 
+	 * started properly.
 
+	 */
 
+	sm->start_reauth = TRUE;
 
 }
 
 
 
@@ -1070,7 +1077,7 @@ static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
 
 
 static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 
 {
 
-	if (!sm->eap_server && sm->identity) {
 
+	if (!sm->eap_server && sm->identity && !sm->start_reauth) {
 
 		wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
 
 		return DECISION_PASSTHROUGH;
 
 	}
 
@@ -1091,7 +1098,8 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 
 		return DECISION_FAILURE;
 
 	}
 
 
-	if ((sm->user == NULL || sm->update_user) && sm->identity) {
 
+	if ((sm->user == NULL || sm->update_user) && sm->identity &&
 
+	    !sm->start_reauth) {
 
 		/*
 
 		 * Allow Identity method to be started once to allow identity
 
 		 * selection hint to be sent from the authentication server,
 
@@ -1118,6 +1126,7 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 
 		}
 
 		sm->update_user = FALSE;
 
 	}
 
+	sm->start_reauth = FALSE;
 
 
 	if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 
 	    (sm->user->methods[sm->user_eap_method_index].vendor !=

+ 2 - 0
src/eap_server/eap_i.h
View File 

@@ -183,6 +183,8 @@ struct eap_sm {
 
 	int tnc;
 
 	struct wps_context *wps;
 
 	struct wpabuf *assoc_wps_ie;
 
+
 
+	Boolean start_reauth;
 
 };
 
 
 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,