SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to configure the dot11RSNASAESync value to specify the maximum number of synchronization errors that are allowed to happen prior to disassociation of the offending SAE peer. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
8b5a497325
commit
d8b841eba8
6 changed files with 16 additions and 10 deletions
@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||||
return 1;
|
return 1;
|
||||||
} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
|
} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
|
||||||
bss->sae_anti_clogging_threshold = atoi(pos);
|
bss->sae_anti_clogging_threshold = atoi(pos);
|
||||||
|
} else if (os_strcmp(buf, "sae_sync") == 0) {
|
||||||
|
bss->sae_sync = atoi(pos);
|
||||||
} else if (os_strcmp(buf, "sae_groups") == 0) {
|
} else if (os_strcmp(buf, "sae_groups") == 0) {
|
||||||
if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
|
if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
|
|
|
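Review bot: `bss->sae_sync = atoi(pos);` stores the parsed value into an unsigned field with no range check, so a negative setting such as a stray `sae_sync=-1` silently becomes a very large limit and the `sync > sae_sync` test in sae_check_big_sync() never trips, removing the bound on SAE retransmissions that dot11RSNASAESync is meant to enforce. The sibling `sae_groups` branch just below already rejects bad input with a `wpa_printf(MSG_ERROR, ...)` and `return 1;`, and the same shape fits here. `atoi()` also accepts trailing junk; `strtol()` with an end-pointer check would be stricter, though that goes beyond what the surrounding integer options do. hostapd_config_fill() starts and ends outside this hunk.
```c
	} else if (os_strcmp(buf, "sae_sync") == 0) {
		int val = atoi(pos);

		/* Field is unsigned: a negative value would disable the limit */
		if (val < 0) {
			wpa_printf(MSG_ERROR,
				   "Line %d: invalid sae_sync value '%s'",
				   line, pos);
			return 1;
		}
		bss->sae_sync = val;
	/* … unchanged: sae_groups branch … */
```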
@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1
|
||||||
# same time before the anti-clogging mechanism is taken into use.
|
# same time before the anti-clogging mechanism is taken into use.
|
||||||
#sae_anti_clogging_threshold=5
|
#sae_anti_clogging_threshold=5
|
||||||
|
|
||||||
|
# Maximum number of SAE synchronization errors (dot11RSNASAESync)
|
||||||
|
# The offending SAe peer will be disconnected if more than this many
|
||||||
|
# synchronization errors happen.
|
||||||
|
#sae_sync=5
|
||||||
|
|
||||||
# Enabled SAE finite cyclic groups
|
# Enabled SAE finite cyclic groups
|
||||||
# SAE implementation are required to support group 19 (ECC group defined over a
|
# SAE implementation are required to support group 19 (ECC group defined over a
|
||||||
# 256-bit prime order field). All groups that are supported by the
|
# 256-bit prime order field). All groups that are supported by the
|
||||||
|
|
|
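Review bot: The new comment block misspells the protocol name on its second line, `# The offending SAe peer will be disconnected if more than this many`, which should read `# The offending SAE peer will be disconnected if more than this many`. The rest of the block is clear, and the `#sae_sync=5` example matches the default assigned in hostapd_config_defaults_bss() elsewhere in this commit.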
@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
|
||||||
bss->radius_das_time_window = 300;
|
bss->radius_das_time_window = 300;
|
||||||
|
|
||||||
bss->sae_anti_clogging_threshold = 5;
|
bss->sae_anti_clogging_threshold = 5;
|
||||||
|
bss->sae_sync = 5;
|
||||||
|
|
||||||
bss->gas_frag_limit = 1400;
|
bss->gas_frag_limit = 1400;
|
||||||
|
|
||||||
|
|
|
@ -584,6 +584,7 @@ struct hostapd_bss_config {
|
||||||
struct wpabuf *assocresp_elements;
|
struct wpabuf *assocresp_elements;
|
||||||
|
|
||||||
unsigned int sae_anti_clogging_threshold;
|
unsigned int sae_anti_clogging_threshold;
|
||||||
|
unsigned int sae_sync;
|
||||||
int *sae_groups;
|
int *sae_groups;
|
||||||
char *sae_password;
|
char *sae_password;
|
||||||
|
|
||||||
|
|
|
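Review bot: The new `sae_sync` field carries no comment, unlike the `sync` counter it is compared against in struct sae_data, so a reader of hostapd_bss_config has to find the commit message to learn what the number bounds. A one-line comment on the declaration would carry that, e.g. `unsigned int sae_sync; /* dot11RSNASAESync: max SAE sync errors before the peer is dropped */`. struct hostapd_bss_config starts and ends outside this hunk.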
@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
|
||||||
|
|
||||||
#ifdef CONFIG_SAE
|
#ifdef CONFIG_SAE
|
||||||
|
|
||||||
#define dot11RSNASAESync 5 /* attempts */
|
|
||||||
|
|
||||||
|
|
||||||
static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
|
static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
|
||||||
struct sta_info *sta, int update)
|
struct sta_info *sta, int update)
|
||||||
{
|
{
|
||||||
|
@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int sae_check_big_sync(struct sta_info *sta)
|
static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
|
||||||
{
|
{
|
||||||
if (sta->sae->sync > dot11RSNASAESync) {
|
if (sta->sae->sync > hapd->conf->sae_sync) {
|
||||||
sta->sae->state = SAE_NOTHING;
|
sta->sae->state = SAE_NOTHING;
|
||||||
sta->sae->sync = 0;
|
sta->sae->sync = 0;
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
|
||||||
struct sta_info *sta = eloop_data;
|
struct sta_info *sta = eloop_data;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (sae_check_big_sync(sta))
|
if (sae_check_big_sync(hapd, sta))
|
||||||
return;
|
return;
|
||||||
sta->sae->sync++;
|
sta->sae->sync++;
|
||||||
wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
|
wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
|
||||||
|
@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
* In mesh case, follow SAE finite state machine and
|
* In mesh case, follow SAE finite state machine and
|
||||||
* send Commit now, if sync count allows.
|
* send Commit now, if sync count allows.
|
||||||
*/
|
*/
|
||||||
if (sae_check_big_sync(sta))
|
if (sae_check_big_sync(hapd, sta))
|
||||||
return WLAN_STATUS_SUCCESS;
|
return WLAN_STATUS_SUCCESS;
|
||||||
sta->sae->sync++;
|
sta->sae->sync++;
|
||||||
|
|
||||||
|
@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
case SAE_CONFIRMED:
|
case SAE_CONFIRMED:
|
||||||
sae_clear_retransmit_timer(hapd, sta);
|
sae_clear_retransmit_timer(hapd, sta);
|
||||||
if (auth_transaction == 1) {
|
if (auth_transaction == 1) {
|
||||||
if (sae_check_big_sync(sta))
|
if (sae_check_big_sync(hapd, sta))
|
||||||
return WLAN_STATUS_SUCCESS;
|
return WLAN_STATUS_SUCCESS;
|
||||||
sta->sae->sync++;
|
sta->sae->sync++;
|
||||||
|
|
||||||
|
@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
ap_free_sta(hapd, sta);
|
ap_free_sta(hapd, sta);
|
||||||
wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
|
wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
|
||||||
} else {
|
} else {
|
||||||
if (sae_check_big_sync(sta))
|
if (sae_check_big_sync(hapd, sta))
|
||||||
return WLAN_STATUS_SUCCESS;
|
return WLAN_STATUS_SUCCESS;
|
||||||
sta->sae->sync++;
|
sta->sae->sync++;
|
||||||
|
|
||||||
|
|
|
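Review bot: sae_check_big_sync() resets the peer's SAE state (`state = SAE_NOTHING`, `sync = 0`) as a side effect of what reads like a pure check, and the new `hapd` parameter adds a second input without any comment stating the contract; a short header would help, e.g. `/* Return -1 (and reset the SAE state) once sta->sae->sync has exceeded the configured dot11RSNASAESync limit, otherwise 0. */`. The comparison `sta->sae->sync > hapd->conf->sae_sync` is unsigned on both sides after the sae.h change, so it is only as safe as the value the config parser stores there; an unchecked negative setting would make it never true. The same call-site update repeats in the auth_sae_retransmit_timer and sae_sm_step hunks below and those look consistent with each other. sae_check_big_sync() continues past the end of its hunk.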
@ -48,7 +48,7 @@ struct sae_data {
|
||||||
u8 pmkid[SAE_PMKID_LEN];
|
u8 pmkid[SAE_PMKID_LEN];
|
||||||
struct crypto_bignum *peer_commit_scalar;
|
struct crypto_bignum *peer_commit_scalar;
|
||||||
int group;
|
int group;
|
||||||
int sync;
|
unsigned int sync; /* protocol instance variable: Sync */
|
||||||
struct sae_temporary_data *tmp;
|
struct sae_temporary_data *tmp;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
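Review bot: Changing `sync` from `int` to `unsigned int` alters the type of every comparison involving it, not only the one in sae_check_big_sync() shown in this commit; any other site that compares it against a signed limit or tests for a negative value now behaves differently or draws a -Wsign-compare warning, and since struct sae_data is shared beyond hostapd those sites are outside this diff and are worth checking before merge. The added `/* protocol instance variable: Sync */` comment is useful, as naming the 802.11 state-machine variable is exactly what a reader of this struct needs. struct sae_data starts before this hunk.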