From patchwork Tue Apr 9 22:06:38 2024
X-Patchwork-Submitter: Lee Harding
X-Patchwork-Id: 1921626
From: Lee Harding
Date: Tue, 9 Apr 2024 15:06:38 -0700
Subject: [PATCH] Allow Session-Timeout with PSK RADIUS during 4 Way Handshake
To: hostap@lists.infradead.org
Reply-To: muir.lee.harding@orst.edu
I've been reading the code and testing the PSK via RADIUS functionality in hostap and discovered what I believe to be a bug. When the RADIUS response includes a Session-Timeout and is otherwise valid (an Access-Accept with a valid Tunnel-Password) the association still fails due to the strict comparison of the accepted value with HOSTAPD_ACL_ACCEPT. Apparently this wasn't previously tested.

The patch below allows a packet containing a valid Session-Timeout attribute to be accepted by extending the "success" comparison to include HOSTAPD_ACL_ACCEPT_TIMEOUT.

Signed-off-by: Lee Harding

Diff inline below: if (!sta || !sta->wpa_sm) { diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index e723ae74b..7b3b0137f 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, if (query->radius_psk) { struct sta_info *sta; - bool success = cache->accepted == HOSTAPD_ACL_ACCEPT + bool success = cache->accepted == HOSTAPD_ACL_ACCEPT + || cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT; sta = ap_get_sta(hapd, query->addr);
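Review bot: the hunk only widens the success test in hostapd_acl_recv_radius(); nothing in it carries the Session-Timeout value that the cache entry holds through to the station on the radius_psk path, so a server-imposed session limit would be accepted here and then silently not enforced unless that happens in code outside this hunk. Please state in the commit message where the timeout is applied for PSK-over-RADIUS stations (or add that handling in the same change), since treating HOSTAPD_ACL_ACCEPT_TIMEOUT as plain success without honoring the limit weakens what the RADIUS server asked for. Two smaller points: hostap follows kernel-style line breaking, so the `||` belongs at the end of the first line with the continuation aligned under `cache->accepted`, and a one-line comment saying why ACCEPT_TIMEOUT counts as success on this path would help the next reader.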