From: Lee Harding Date: Tue, 9 Apr 2024 22:06:38 +0000 (-0700) Subject: Allow Session-Timeout with PSK RADIUS during 4-way handshake X-Git-Tag: hostap_2_11~141 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6ec62aa2d68e9436daeb4470260a101a06c9213;p=thirdparty%2Fhostap.git Allow Session-Timeout with PSK RADIUS during 4-way handshake When the RADIUS response included a Session-Timeout attribute, but is otherwise valid (an Access-Accept with a valid Tunnel-Password), the association still failed due to the strict comparison of the accepted value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't previously tested. Extend this to allow a packet containing a valid Session-Timeout attribute to be accepted by extending the "success" comparison to include HOSTAPD_ACL_ACCEPT_TIMEOUT. Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake") Signed-off-by: Lee Harding --- diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index e723ae74b..98a877dec 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, if (query->radius_psk) { struct sta_info *sta; - bool success = cache->accepted == HOSTAPD_ACL_ACCEPT; + bool success = cache->accepted == HOSTAPD_ACL_ACCEPT || + cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT; sta = ap_get_sta(hapd, query->addr); if (!sta || !sta->wpa_sm) {
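Review bot: In the `success` assignment in hostapd_acl_recv_radius(), treating HOSTAPD_ACL_ACCEPT_TIMEOUT as success lets the 4-way handshake continue, but nothing in the visible lines of the `query->radius_psk` branch shows the Session-Timeout value being applied to the station. Please confirm that the timeout carried by the cache entry is enforced for the STA on this path. Otherwise the Access-Accept is honoured while the session limit set by the RADIUS server is silently dropped. The commit message notes that this combination was not previously tested, so a regression test for an Access-Accept carrying both a valid Tunnel-Password and a Session-Timeout should accompany the fix. A one-line comment on the two-value comparison, saying that both are accept results, would also help keep any later accept-type value from being missed here.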