diff --git a/Fix_Fallback_From_Failed_PMKSA_Into_Full_EAP.patch b/Fix_Fallback_From_Failed_PMKSA_Into_Full_EAP.patch
new file mode 100644
index 0000000..b1a7024
--- /dev/null
+++ b/Fix_Fallback_From_Failed_PMKSA_Into_Full_EAP.patch
@@ -0,0 +1,52 @@
+commit b4a1256d3660a2b5239062a9b42de79b8a34286a
+Author: Jouni Malinen
+Date: Sat May 1 17:35:28 2010 +0300
+
+ Fix fallback from failed PMKSA caching into full EAP authentication
+
+ Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced
+ disconnection in case of 4-way handshake failures. However, it should
+ not have changed the case where the supplicant is requesting fallback
+ to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is
+ not know. This case needs to send an EAPOL-Start frame instead of
+ EAPOL-Key message 2/4.
+
+ This works around a problem with APs that try to force PMKSA caching
+ even when the client does not include PMKID in (re)association request
+ frame to request it. [Bug 355]
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 885d173..9439f97 100644
+--- src/rsn_supp/wpa.c
++++ src/rsn_supp/wpa.c
+@@ -231,6 +231,7 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
+ wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
+ buf, buflen);
+ os_free(buf);
++ return -2;
+ }
+
+ return -1;
+@@ -361,6 +362,7 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ struct wpa_eapol_ie_parse ie;
+ struct wpa_ptk *ptk;
+ u8 buf[8];
++ int res;
+
+ if (wpa_sm_get_network_ctx(sm) == NULL) {
+ wpa_printf(MSG_WARNING, "WPA: No SSID info found (msg 1 of "
+@@ -388,7 +390,13 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ }
+ #endif /* CONFIG_NO_WPA2 */
+
+- if (wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid))
++ res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
++ if (res == -2) {
++ wpa_printf(MSG_DEBUG, "RSN: Do not reply to msg 1/4 - "
++ "requesting full EAP authentication");
++ return;
++ }
++ if (res)
+ goto failed;
+
+ if (sm->renew_snonce) {
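Review bot: The new `return -2;` in wpa_supplicant_get_pmk() follows `wpa_sm_ether_send(...)` without checking that call's result, so if the EAPOL-Start frame was not actually sent, wpa_supplicant_process_1_of_4() still returns silently and neither the full-EAP fallback nor the `failed` path runs. Assuming wpa_sm_ether_send() reports failure through its return value, return -2 only when the send succeeded and otherwise fall through to the existing `return -1;`. The value -2 is also an undocumented magic number; a comment on wpa_supplicant_get_pmk() such as `/* Returns -2 when EAPOL-Start was sent and msg 1/4 must not be answered; other non-zero values are failures */` would keep a later caller from folding it into the generic `if (res)` case. Message 1/4 is processed here before the peer has proven knowledge of any key, so it is worth confirming that a timeout elsewhere recovers the state machine if the requested EAP exchange never starts. Both functions begin and end outside the hunks shown.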
diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes index a34ed91..8b353ff 100644 --- a/wpa_supplicant.changes +++ b/wpa_supplicant.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri May 28 12:49:53 CEST 2010 - vbotka@suse.de + +- Fix fallback from failed PMKSA caching into full EAP authentication + (bnc 601501) + ------------------------------------------------------------------- Sun Jan 31 13:13:46 UTC 2010 - aj@suse.de diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 61d9d12..8d069db 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -45,6 +45,7 @@ Patch6: wpa_supplicant-fix_dbus_config.patch # roaming is implemented in a clean way this patch should be removed Patch8: wpa_supplicant-roaming.patch Patch9: wpa_supplicant-pkcs11-init-args.patch +Patch10: Fix_Fallback_From_Failed_PMKSA_Into_Full_EAP.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: logrotate @@ -91,6 +92,7 @@ cp %{SOURCE1} wpa_supplicant/.config #%patch8 -p2 # Patch does not apply anymore #%patch9 -p2 +%patch10 -p0 %build cd wpa_supplicant