From 2a71673e27e95201b0f277a0437682136b4891a9 Mon Sep 17 00:00:00 2001 From: Vidyullatha Kanchanapally Date: Mon, 12 Jun 2017 14:55:52 +0530 Subject: [PATCH] ERP: Derive ERP key only after successful EAP authentication ERP key was previously derived immediately after the availability of EMSK and Session-Id and the ERP key hierarchy was saved even if the authentication resulted in failure eventually. Instead, derive the ERP key only after a successful EAP authentication. Signed-off-by: Jouni Malinen --- src/eap_peer/eap.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index 9ff4d8b91..7a987b6b3 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c @@ -907,8 +907,6 @@ SM_STATE(EAP, METHOD) if (sm->m->isKeyAvailable && sm->m->getKey && sm->m->isKeyAvailable(sm, sm->eap_method_priv)) { - struct eap_peer_config *config = eap_get_config(sm); - eap_sm_free_key(sm); sm->eapKeyData = sm->m->getKey(sm, sm->eap_method_priv, &sm->eapKeyDataLen); @@ -921,8 +919,6 @@ SM_STATE(EAP, METHOD) wpa_hexdump(MSG_DEBUG, "EAP: Session-Id", sm->eapSessionId, sm->eapSessionIdLen); } - if (config->erp && sm->m->get_emsk && sm->eapSessionId) - eap_peer_erp_init(sm, NULL, 0, NULL, 0); } } @@ -1020,6 +1016,8 @@ SM_STATE(EAP, RETRANSMIT) */ SM_STATE(EAP, SUCCESS) { + struct eap_peer_config *config = eap_get_config(sm); + SM_ENTRY(EAP, SUCCESS); if (sm->eapKeyData != NULL) sm->eapKeyAvailable = TRUE; @@ -1042,6 +1040,11 @@ SM_STATE(EAP, SUCCESS) wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS "EAP authentication completed successfully"); + + if (config->erp && sm->m->get_emsk && sm->eapSessionId && + sm->m->isKeyAvailable && + sm->m->isKeyAvailable(sm, sm->eap_method_priv)) + eap_peer_erp_init(sm, NULL, 0, NULL, 0); }
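Review bot: The ERP block added at the end of SM_STATE(EAP, SUCCESS) dereferences `config` (declared from `eap_get_config(sm)` in the hunk at -1020) and `sm->m` without checking either for NULL. Whether SUCCESS can be entered with no method selected or with the configuration already cleared is not visible in these hunks, so treat this as something to confirm. A guard is cheap: `if (!config || !sm->m) return;` placed just before the `if (config->erp && ...)` test. Since this condition now decides whether an ERP key hierarchy is stored for later re-authentication, a one-line comment above it such as `/* Derive ERP keys only once authentication has succeeded */` would help keep the call from drifting back into the METHOD state.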