I've been reading the code and testing the PSK via RADIUS
functionality in hostap and discovered what I believe to be a bug.
When the RADIUS response includes a Session-Timeout and is otherwise
valid (an Access-Accept with a valid Tunnel-Password) the association
still fails due to the strict comparison of the accepted value with
HOSTAPD_ACL_ACCEPT. Apparently this wasn't previously tested.
The patch below allows a packet containing a valid Session-Timeout
attribute to be accepted by extending the "success" comparison to
include HOSTAPD_ACL_ACCEPT_TIMEOUT.
Signed-off-by: Lee Harding <somerandomstring@xxxxxxxxx>
Diff inline below:
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index e723ae74b..7b3b0137f 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg,
struct radius_msg *req,
if (query->radius_psk) {
struct sta_info *sta;
- bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
+ bool success = cache->accepted == HOSTAPD_ACL_ACCEPT
+ || cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;
sta = ap_get_sta(hapd, query->addr);
if (!sta || !sta->wpa_sm) {
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
