Allow Session-Timeout with PSK RADIUS during 4-way handshake

When the RADIUS response included a Session-Timeout attribute, but is
otherwise valid (an Access-Accept with a valid Tunnel-Password), the
association still failed due to the strict comparison of the accepted
value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't
previously tested.

Extend this to allow a packet containing a valid Session-Timeout
attribute to be accepted by extending the "success" comparison to
include HOSTAPD_ACL_ACCEPT_TIMEOUT.

Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake")
Signed-off-by: Lee Harding <somerandomstring@gmail.com>

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index e723ae74ba7fc3a89e0daf58067892458f0b3acf..98a877dece146c69b0115789bf84d040d4c2e014 100644 (file)
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
 
        if (query->radius_psk) {
                struct sta_info *sta;
-               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
+               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT ||
+                       cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;
 
                sta = ap_get_sta(hapd, query->addr);
                if (!sta || !sta->wpa_sm) {