hostapd: fix session-timeout with radius-psk

backport hostapd commit e6ec62aa2d68e9436daeb4470260a101a06c9213

fixes WIFI-15317

Signed-off-by: Arif Alam <arif.alam@netexperience.com>

feeds/hostapd/hostapd/patches/t00-013-Allow-Session-Timeout-with-PSK-RADIUS-during-4-way-h.patch

@@ -0,0 +1,38 @@
+From e6ec62aa2d68e9436daeb4470260a101a06c9213 Mon Sep 17 00:00:00 2001
+From: Lee Harding <somerandomstring@gmail.com>
+Date: Tue, 9 Apr 2024 15:06:38 -0700
+Subject: [PATCH] Allow Session-Timeout with PSK RADIUS during 4-way handshake
+
+When the RADIUS response included a Session-Timeout attribute, but is
+otherwise valid (an Access-Accept with a valid Tunnel-Password), the
+association still failed due to the strict comparison of the accepted
+value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't
+previously tested.
+
+Extend this to allow a packet containing a valid Session-Timeout
+attribute to be accepted by extending the "success" comparison to
+include HOSTAPD_ACL_ACCEPT_TIMEOUT.
+
+Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake")
+Signed-off-by: Lee Harding <somerandomstring@gmail.com>
+---
+ src/ap/ieee802_11_auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index e723ae74b..98a877dec 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 
+ 	if (query->radius_psk) {
+ 		struct sta_info *sta;
+-		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
++		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT ||
++			cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;
+ 
+ 		sta = ap_get_sta(hapd, query->addr);
+ 		if (!sta || !sta->wpa_sm) {
+-- 
+2.52.0
+

feeds/ipq807x_v5.4/hostapd/patches/t00-014-Allow-Session-Timeout-with-PSK-RADIUS-during-4-way-h.patch

@@ -0,0 +1,38 @@
+From e6ec62aa2d68e9436daeb4470260a101a06c9213 Mon Sep 17 00:00:00 2001
+From: Lee Harding <somerandomstring@gmail.com>
+Date: Tue, 9 Apr 2024 15:06:38 -0700
+Subject: [PATCH] Allow Session-Timeout with PSK RADIUS during 4-way handshake
+
+When the RADIUS response included a Session-Timeout attribute, but is
+otherwise valid (an Access-Accept with a valid Tunnel-Password), the
+association still failed due to the strict comparison of the accepted
+value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't
+previously tested.
+
+Extend this to allow a packet containing a valid Session-Timeout
+attribute to be accepted by extending the "success" comparison to
+include HOSTAPD_ACL_ACCEPT_TIMEOUT.
+
+Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake")
+Signed-off-by: Lee Harding <somerandomstring@gmail.com>
+---
+ src/ap/ieee802_11_auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index e723ae74b..98a877dec 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 
+ 	if (query->radius_psk) {
+ 		struct sta_info *sta;
+-		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
++		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT ||
++			cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;
+ 
+ 		sta = ap_get_sta(hapd, query->addr);
+ 		if (!sta || !sta->wpa_sm) {
+-- 
+2.52.0
+

feeds/qca-wifi-7/hostapd/patches/zzz-t03-Allow-Session-Timeout-with-PSK-RADIUS-during-4-way-h.patch

@@ -0,0 +1,38 @@
+From e6ec62aa2d68e9436daeb4470260a101a06c9213 Mon Sep 17 00:00:00 2001
+From: Lee Harding <somerandomstring@gmail.com>
+Date: Tue, 9 Apr 2024 15:06:38 -0700
+Subject: [PATCH] Allow Session-Timeout with PSK RADIUS during 4-way handshake
+
+When the RADIUS response included a Session-Timeout attribute, but is
+otherwise valid (an Access-Accept with a valid Tunnel-Password), the
+association still failed due to the strict comparison of the accepted
+value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't
+previously tested.
+
+Extend this to allow a packet containing a valid Session-Timeout
+attribute to be accepted by extending the "success" comparison to
+include HOSTAPD_ACL_ACCEPT_TIMEOUT.
+
+Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake")
+Signed-off-by: Lee Harding <somerandomstring@gmail.com>
+---
+ src/ap/ieee802_11_auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index e723ae74b..98a877dec 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 
+ 	if (query->radius_psk) {
+ 		struct sta_info *sta;
+-		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
++		bool success = cache->accepted == HOSTAPD_ACL_ACCEPT ||
++			cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;
+ 
+ 		sta = ap_get_sta(hapd, query->addr);
+ 		if (!sta || !sta->wpa_sm) {
+-- 
+2.52.0
+