From: Michael Braun <michael-dev@xxxxxxxxxxxxx> If the AP is slow, passphrase hashing takes to long to serve the client before timeout. Thus interpret 64 char Tunnel-Password as already hashed PSK and send SSID to RADIUS server. This is especially important for FT-PSK with FT-over-air, where hashing cannot be deferred. Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> --- src/ap/ieee802_11_auth.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index c6a5b67..8058505 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -460,23 +460,40 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd, */ if (passphrase == NULL) break; + + /* + * Passphase should be 8..63 chars (to be hashed with ssid) + * or 64 chars hex string (already hashed with ssid) + */ + + if (passphraselen < 8 || passphraselen > PASSPHRASE_LEN) + continue; + /* * passphrase does not contain the NULL termination. * Add it here as pbkdf2_sha1() requires it. */ psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short)); if (psk) { - if (passphraselen > PASSPHRASE_LEN - 1) - os_memcpy(psk->passphrase, passphrase, - PASSPHRASE_LEN - 1); - else + if ((passphraselen == PASSPHRASE_LEN) && + (hexstr2bin(passphrase, psk->psk, PMK_LEN) < 0)) { + hostapd_logger(hapd, cache->addr, + HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_WARNING, + "invalid hex string (%d chars) " + "in Tunnel-Password", + passphraselen); + goto skip; + } else if (passphraselen < PASSPHRASE_LEN) { os_memcpy(psk->passphrase, passphrase, passphraselen); - psk->ispassphrase = 1; + psk->ispassphrase = 1; + } psk->next = cache->psk; cache->psk = psk; psk = NULL; } +skip: os_free(psk); os_free(passphrase); } -- 1.9.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap