SAE: Fix peer-commit-scalar reuse check
Only one peer-commit-scalar value was stored for a specific STA (i.e., one per MAC address) and that value got replaced when the next SAE Authentication exchange was started. This ended up breaking the check against re-use of peer-commit-scalar from an Accepted instance when anti-clogging token was requested. The first SAE commit message (the one without anti-clogging token) ended up overwriting the cached peer-commit-scalar value while leaving that instance in Accepted state. The second SAE commit message (with anti-clogging token) added ended up getting rejected if it used the same value again (and re-use is expected in this particular case where the value was not used in Accepted instance). Fix this by using a separate pointer for storing the peer-commit-scalar value that was used in an Accepted instance. There is no need to allocate memory for two values, i.e., it is sufficient to maintain separate pointers to the value and move the stored value to the special Accepted state pointer when moving to the Accepted state. This fixes issues where a peer STA ends up running back-to-back SAE authentication within couple of seconds, i.e., without hostapd timing out the STA entry for a case where anti-clogging token is required. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen
parent
6fb526d457
commit
8f8473cebb
3 changed files with 8 additions and 2 deletions
|
|
@ -839,6 +839,9 @@ void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
|
|||
mlme_authenticate_indication(hapd, sta);
|
||||
wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
|
||||
sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
|
||||
crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
|
||||
sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
|
||||
sta->sae->peer_commit_scalar = NULL;
|
||||
wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
|
||||
sta->sae->pmk, sta->sae->pmkid);
|
||||
sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
|
||||
|
|
|
|||
|
|
@ -123,6 +123,7 @@ void sae_clear_data(struct sae_data *sae)
|
|||
return;
|
||||
sae_clear_temp_data(sae);
|
||||
crypto_bignum_deinit(sae->peer_commit_scalar, 0);
|
||||
crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0);
|
||||
os_memset(sae, 0, sizeof(*sae));
|
||||
}
|
||||
|
||||
|
|
@ -1833,8 +1834,9 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
|
|||
* shall be dropped if the peer-scalar is identical to the one used in
|
||||
* the existing protocol instance.
|
||||
*/
|
||||
if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
|
||||
crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
|
||||
if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted &&
|
||||
crypto_bignum_cmp(sae->peer_commit_scalar_accepted,
|
||||
peer_scalar) == 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
|
||||
"peer-commit-scalar");
|
||||
crypto_bignum_deinit(peer_scalar, 0);
|
||||
|
|
|
|||
|
|
@ -70,6 +70,7 @@ struct sae_data {
|
|||
u8 pmk[SAE_PMK_LEN];
|
||||
u8 pmkid[SAE_PMKID_LEN];
|
||||
struct crypto_bignum *peer_commit_scalar;
|
||||
struct crypto_bignum *peer_commit_scalar_accepted;
|
||||
int group;
|
||||
unsigned int sync; /* protocol instance variable: Sync */
|
||||
u16 rc; /* protocol instance variable: Rc (received send-confirm) */
|
||||
|
|
|
|||
Loading…
Reference in a new issue