From 8f8473cebbeb6504d29c301d0dcc75b0ec227d46 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 5 Feb 2020 02:06:27 +0200 Subject: [PATCH] SAE: Fix peer-commit-scalar reuse check Only one peer-commit-scalar value was stored for a specific STA (i.e., one per MAC address) and that value got replaced when the next SAE Authentication exchange was started. This ended up breaking the check against re-use of peer-commit-scalar from an Accepted instance when anti-clogging token was requested. The first SAE commit message (the one without anti-clogging token) ended up overwriting the cached peer-commit-scalar value while leaving that instance in Accepted state. The second SAE commit message (with anti-clogging token) added ended up getting rejected if it used the same value again (and re-use is expected in this particular case where the value was not used in Accepted instance). Fix this by using a separate pointer for storing the peer-commit-scalar value that was used in an Accepted instance. There is no need to allocate memory for two values, i.e., it is sufficient to maintain separate pointers to the value and move the stored value to the special Accepted state pointer when moving to the Accepted state. This fixes issues where a peer STA ends up running back-to-back SAE authentication within couple of seconds, i.e., without hostapd timing out the STA entry for a case where anti-clogging token is required. Signed-off-by: Jouni Malinen --- src/ap/ieee802_11.c | 3 +++ src/common/sae.c | 6 ++++-- src/common/sae.h | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index ffa303d69..237549b56 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -839,6 +839,9 @@ void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) mlme_authenticate_indication(hapd, sta); wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm"); + crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0); + sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar; + sta->sae->peer_commit_scalar = NULL; wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, sta->sae->pmk, sta->sae->pmkid); sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS); diff --git a/src/common/sae.c b/src/common/sae.c index 94ec1a39c..7ed53be1c 100644 --- a/src/common/sae.c +++ b/src/common/sae.c @@ -123,6 +123,7 @@ void sae_clear_data(struct sae_data *sae) return; sae_clear_temp_data(sae); crypto_bignum_deinit(sae->peer_commit_scalar, 0); + crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0); os_memset(sae, 0, sizeof(*sae)); } @@ -1833,8 +1834,9 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, * shall be dropped if the peer-scalar is identical to the one used in * the existing protocol instance. */ - if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar && - crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) { + if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted && + crypto_bignum_cmp(sae->peer_commit_scalar_accepted, + peer_scalar) == 0) { wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous " "peer-commit-scalar"); crypto_bignum_deinit(peer_scalar, 0); diff --git a/src/common/sae.h b/src/common/sae.h index b3787e4fc..e3e7d0eec 100644 --- a/src/common/sae.h +++ b/src/common/sae.h @@ -70,6 +70,7 @@ struct sae_data { u8 pmk[SAE_PMK_LEN]; u8 pmkid[SAE_PMKID_LEN]; struct crypto_bignum *peer_commit_scalar; + struct crypto_bignum *peer_commit_scalar_accepted; int group; unsigned int sync; /* protocol instance variable: Sync */ u16 rc; /* protocol instance variable: Rc (received send-confirm) */