
Allow Session-Timeout with PSK RADIUS during 4 Way Handshake

Message ID CAPb_HJx6kDnfsGN4=uVsacyijsPGErnuoSekqbJnt36c=Lpu7w@mail.gmail.com
State Accepted

Commit Message

Lee Harding April 9, 2024, 10:06 p.m. UTC
I've been reading the code and testing the PSK via RADIUS
functionality in hostap and discovered what I believe to be a bug.
When the RADIUS response includes a Session-Timeout and is otherwise
valid (an Access-Accept with a valid Tunnel-Password) the association
still fails due to the strict comparison of the accepted value with
HOSTAPD_ACL_ACCEPT.  Apparently this wasn't previously tested.

The patch below allows a packet containing a valid Session-Timeout
attribute to be accepted by extending the "success" comparison to
include HOSTAPD_ACL_ACCEPT_TIMEOUT.

Signed-off-by: Lee Harding <somerandomstring@gmail.com>

Diff inline below:

                if (!sta || !sta->wpa_sm) {

Comments

Jouni Malinen April 21, 2024, 9:07 a.m. UTC | #1
On Tue, Apr 09, 2024 at 03:06:38PM -0700, Lee Harding wrote:
> I've been reading the code and testing the PSK via RADIUS
> functionality in hostap and discovered what I believe to be a bug.
> When the RADIUS response includes a Session-Timeout and is otherwise
> valid (an Access-Accept with a valid Tunnel-Password) the association
> still fails due to the strict comparison of the accepted value with
> HOSTAPD_ACL_ACCEPT.  Apparently this wasn't previously tested.
> 
> The patch below allows a packet containing a valid Session-Timeout
> attribute to be accepted by extending the "success" comparison to
> include HOSTAPD_ACL_ACCEPT_TIMEOUT.

Thanks, applied.

Patch

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index e723ae74b..7b3b0137f 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -596,7 +596,8 @@  hostapd_acl_recv_radius(struct radius_msg *msg,
struct radius_msg *req,

        if (query->radius_psk) {
                struct sta_info *sta;
-               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
+               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT
+                       || cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;

                sta = ap_get_sta(hapd, query->addr);
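
Review bot: The `bool success` assignment in the `query->radius_psk` branch now counts HOSTAPD_ACL_ACCEPT_TIMEOUT as success, but nothing in the visible lines shows the Session-Timeout value being applied to the station on this path. Please confirm that the timeout from the Access-Accept is still enforced for a station admitted through the PSK lookup during the 4-way handshake, so that the change does not turn a time-limited accept into an unlimited one. A short comment above the comparison stating that both accept values are valid outcomes here would help the next reader, and since the commit message notes this case was not previously tested, a test case covering PSK via RADIUS with Session-Timeout present would keep it from regressing. Wrapping the two comparisons in parentheses would also make the multi-line initializer easier to read.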