DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-FAST: Allow unprotected EAP-Failure in provisioning case

Browse source 
While EAP-FAST uses protected success notification, RFC 5422, Section
3.5 points out a possibility of EAP-Failure being sent out even after
protected success notification in case of provisioning. Change the
EAP-FAST peer implementation to accept that exception to the protected
success notification. This allows the station to re-connect more quickly
to complete EAP-FAST connection in the case the server rejects the
initial attempt by only allowing it to use to provision a new PAC.
This commit is contained in:
Jouni Malinen 2011-10-12 20:05:02 +03:00 committed by Jouni Malinen
parent 4458d91554
commit 88dc899a1b
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/eap_peer/eap_fast.c
View file

@ -1037,11 +1037,15 @@ static struct wpabuf * eap_fast_process_pac(struct eap_sm *sm,
} else { } else {
/* /*
* This is PAC refreshing, i.e., normal authentication that is * This is PAC refreshing, i.e., normal authentication that is
* expected to be completed with an EAP-Success. * expected to be completed with an EAP-Success. However,
* RFC 5422, Section 3.5 allows EAP-Failure to be sent even
* after protected success exchange in case of EAP-Fast
* provisioning, so we better use DECISION_COND_SUCC here
* instead of DECISION_UNCOND_SUCC.
*/ */
wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV " wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV "
"- PAC refreshing completed successfully"); "- PAC refreshing completed successfully");
ret->decision = DECISION_UNCOND_SUCC; ret->decision = DECISION_COND_SUCC;
} }
ret->methodState = METHOD_DONE; ret->methodState = METHOD_DONE;
return eap_fast_tlv_pac_ack(); return eap_fast_tlv_pac_ack();