Skip network disabling on expected EAP failure

Some EAP methods can go through a step that is expected to fail and as such, should not trigger temporary network disabling when processing EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as a special case, but similar behavior is needed for EAP-FAST with unauthenticated provisioning. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 10:24:05 +02:00 · 2014-01-08 10:24:05 +02:00 · c60ba9f7ab
commit c60ba9f7ab
parent 7185e16a91
12 changed files with 69 additions and 19 deletions
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@ -179,6 +179,7 @@ SM_STATE(EAP, INITIALIZE)
 	eapol_set_bool(sm, EAPOL_eapNoResp, FALSE);
 	sm->num_rounds = 0;
 	sm->prev_failure = 0;
+	sm->expected_failure = 0;
 }


@ -2417,3 +2418,9 @@ void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
 	if (sm->eapol_cb->set_anon_id)
 		sm->eapol_cb->set_anon_id(sm->eapol_ctx, id, len);
 }
+
+
+int eap_peer_was_failure_expected(struct eap_sm *sm)
+{
+	return sm->expected_failure;
+}
--- a/src/eap_peer/eap.h
+++ b/src/eap_peer/eap.h
@ -320,6 +320,7 @@ int eap_is_wps_pin_enrollee(struct eap_peer_config *conf);
 struct ext_password_data;
 void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext);
 void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len);
+int eap_peer_was_failure_expected(struct eap_sm *sm);

 #endif /* IEEE8021X_EAPOL */

--- a/src/eap_peer/eap_fast.c
+++ b/src/eap_peer/eap_fast.c
@ -1055,6 +1055,7 @@ static struct wpabuf * eap_fast_process_pac(struct eap_sm *sm,
 		}
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV "
 			   "- Provisioning completed successfully");
+		sm->expected_failure = 1;
 	} else {
 		/*
 		 * This is PAC refreshing, i.e., normal authentication that is
@ -1252,6 +1253,7 @@ static int eap_fast_process_decrypted(struct eap_sm *sm,
 				   "provisioning completed successfully.");
 			ret->methodState = METHOD_DONE;
 			ret->decision = DECISION_FAIL;
+			sm->expected_failure = 1;
 		} else {
 			wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication "
 				   "completed successfully.");
--- a/src/eap_peer/eap_i.h
+++ b/src/eap_peer/eap_i.h
@ -350,6 +350,8 @@ struct eap_sm {
 	struct wpabuf *ext_pw_buf;

 	int external_sim;
+
+	unsigned int expected_failure:1;
 };

 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len);
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@ -940,9 +940,15 @@ void eapol_sm_step(struct eapol_sm *sm)
 	}

 	if (sm->ctx->cb && sm->cb_status != EAPOL_CB_IN_PROGRESS) {
-		int success = sm->cb_status == EAPOL_CB_SUCCESS ? 1 : 0;
+		enum eapol_supp_result result;
+		if (sm->cb_status == EAPOL_CB_SUCCESS)
+			result = EAPOL_SUPP_RESULT_SUCCESS;
+		else if (eap_peer_was_failure_expected(sm->eap))
+			result = EAPOL_SUPP_RESULT_EXPECTED_FAILURE;
+		else
+			result = EAPOL_SUPP_RESULT_FAILURE;
 		sm->cb_status = EAPOL_CB_IN_PROGRESS;
-		sm->ctx->cb(sm, success, sm->ctx->cb_ctx);
+		sm->ctx->cb(sm, result, sm->ctx->cb_ctx);
 	}
 }

--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
@ -63,6 +63,12 @@ struct eapol_config {
 struct eapol_sm;
 struct wpa_config_blob;

+enum eapol_supp_result {
+	EAPOL_SUPP_RESULT_FAILURE,
+	EAPOL_SUPP_RESULT_SUCCESS,
+	EAPOL_SUPP_RESULT_EXPECTED_FAILURE
+};
+
 /**
 * struct eapol_ctx - Global (for all networks) EAPOL state machine context
 */
@ -83,7 +89,7 @@ struct eapol_ctx {
 	/**
 	 * cb - Function to be called when EAPOL negotiation has been completed
 	 * @eapol: Pointer to EAPOL state machine data
-	 * @success: Whether the authentication was completed successfully
+	 * @result: Whether the authentication was completed successfully
 	 * @ctx: Pointer to context data (cb_ctx)
 	 *
 	 * This optional callback function will be called when the EAPOL
@ -91,7 +97,8 @@ struct eapol_ctx {
 	 * EAPOL state machine to process the key and terminate the EAPOL state
 	 * machine. Currently, this is used only in RSN pre-authentication.
 	 */
-	void (*cb)(struct eapol_sm *eapol, int success, void *ctx);
+	void (*cb)(struct eapol_sm *eapol, enum eapol_supp_result result,
+		   void *ctx);

 	/**
 	 * cb_ctx - Callback context for cb()
--- a/src/rsn_supp/preauth.c
+++ b/src/rsn_supp/preauth.c
@ -70,13 +70,14 @@ static void rsn_preauth_receive(void *ctx, const u8 *src_addr,
 }


-static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success,
+static void rsn_preauth_eapol_cb(struct eapol_sm *eapol,
+				 enum eapol_supp_result result,
 				 void *ctx)
 {
 	struct wpa_sm *sm = ctx;
 	u8 pmk[PMK_LEN];

-	if (success) {
+	if (result == EAPOL_SUPP_RESULT_SUCCESS) {
 		int res, pmk_len;
 		pmk_len = PMK_LEN;
 		res = eapol_sm_get_key(eapol, pmk, PMK_LEN);
@ -100,13 +101,14 @@ static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success,
 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
 				"RSN: failed to get master session key from "
 				"pre-auth EAPOL state machines");
-			success = 0;
+			result = EAPOL_SUPP_RESULT_FAILURE;
 		}
 	}

 	wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "RSN: pre-authentication with "
 		MACSTR " %s", MAC2STR(sm->preauth_bssid),
-		success ? "completed successfully" : "failed");
+		result == EAPOL_SUPP_RESULT_SUCCESS ? "completed successfully" :
+		"failed");

 	rsn_preauth_deinit(sm);
 	rsn_preauth_candidate_process(sm);