SAE: Make dot11RSNASAESync configurable

The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-12-26 12:46:22 +02:00
parent 8b5a497325
commit d8b841eba8
6 changed files with 16 additions and 10 deletions


@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1; return 1;
} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) { } else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
bss->sae_anti_clogging_threshold = atoi(pos); bss->sae_anti_clogging_threshold = atoi(pos);
} else if (os_strcmp(buf, "sae_sync") == 0) {
bss->sae_sync = atoi(pos);
} else if (os_strcmp(buf, "sae_groups") == 0) { } else if (os_strcmp(buf, "sae_groups") == 0) {
if (hostapd_parse_intlist(&bss->sae_groups, pos)) { if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
wpa_printf(MSG_ERROR, wpa_printf(MSG_ERROR,
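Review bot: `bss->sae_sync = atoi(pos);` stores whatever atoi() returns into an `unsigned int` (see the ap_config.h hunk), so a negative value in hostapd.conf wraps to a huge limit and silently disables the dot11RSNASAESync check in sae_check_big_sync, while an unparsable value becomes 0 without any diagnostic. Reject out-of-range input the way the sae_groups branch just below reports its errors: `int val = atoi(pos); if (val < 0) { wpa_printf(MSG_ERROR, "Line %d: Invalid sae_sync value '%s'", line, pos); return 1; } bss->sae_sync = val;`. The else-if chain of hostapd_config_fill continues on both sides of the hunk.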


@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1
# same time before the anti-clogging mechanism is taken into use. # same time before the anti-clogging mechanism is taken into use.
#sae_anti_clogging_threshold=5 #sae_anti_clogging_threshold=5
# Maximum number of SAE synchronization errors (dot11RSNASAESync)
# The offending SAe peer will be disconnected if more than this many
# synchronization errors happen.
#sae_sync=5
# Enabled SAE finite cyclic groups # Enabled SAE finite cyclic groups
# SAE implementation are required to support group 19 (ECC group defined over a # SAE implementation are required to support group 19 (ECC group defined over a
# 256-bit prime order field). All groups that are supported by the # 256-bit prime order field). All groups that are supported by the


@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->radius_das_time_window = 300; bss->radius_das_time_window = 300;
bss->sae_anti_clogging_threshold = 5; bss->sae_anti_clogging_threshold = 5;
bss->sae_sync = 5;
bss->gas_frag_limit = 1400; bss->gas_frag_limit = 1400;


@ -584,6 +584,7 @@ struct hostapd_bss_config {
struct wpabuf *assocresp_elements; struct wpabuf *assocresp_elements;
unsigned int sae_anti_clogging_threshold; unsigned int sae_anti_clogging_threshold;
unsigned int sae_sync;
int *sae_groups; int *sae_groups;
char *sae_password; char *sae_password;
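Review bot: `unsigned int sae_sync;` is added without a comment naming the MIB variable it backs or what exceeding it means, so a reader has to locate sae_check_big_sync to learn that the peer's SAE exchange is abandoned once its Sync counter goes above this value. Suggest `unsigned int sae_sync; /* dot11RSNASAESync: SAE synchronization errors tolerated before the peer's exchange is abandoned */`. The struct hostapd_bss_config definition continues outside the hunk.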


@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
#define dot11RSNASAESync 5 /* attempts */
static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
struct sta_info *sta, int update) struct sta_info *sta, int update)
{ {
@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
} }
static int sae_check_big_sync(struct sta_info *sta) static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
{ {
if (sta->sae->sync > dot11RSNASAESync) { if (sta->sae->sync > hapd->conf->sae_sync) {
sta->sae->state = SAE_NOTHING; sta->sae->state = SAE_NOTHING;
sta->sae->sync = 0; sta->sae->sync = 0;
return -1; return -1;
@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
struct sta_info *sta = eloop_data; struct sta_info *sta = eloop_data;
int ret; int ret;
if (sae_check_big_sync(sta)) if (sae_check_big_sync(hapd, sta))
return; return;
sta->sae->sync++; sta->sae->sync++;
wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
* In mesh case, follow SAE finite state machine and * In mesh case, follow SAE finite state machine and
* send Commit now, if sync count allows. * send Commit now, if sync count allows.
*/ */
if (sae_check_big_sync(sta)) if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS; return WLAN_STATUS_SUCCESS;
sta->sae->sync++; sta->sae->sync++;
@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
case SAE_CONFIRMED: case SAE_CONFIRMED:
sae_clear_retransmit_timer(hapd, sta); sae_clear_retransmit_timer(hapd, sta);
if (auth_transaction == 1) { if (auth_transaction == 1) {
if (sae_check_big_sync(sta)) if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS; return WLAN_STATUS_SUCCESS;
sta->sae->sync++; sta->sae->sync++;
@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
ap_free_sta(hapd, sta); ap_free_sta(hapd, sta);
wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
} else { } else {
if (sae_check_big_sync(sta)) if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS; return WLAN_STATUS_SUCCESS;
sta->sae->sync++; sta->sae->sync++;
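Review bot: sae_check_big_sync now takes hapd in order to read the configurable limit, but its contract is still undocumented, and its callers react to the -1 result in two different ways (auth_sae_retransmit_timer simply returns, the three sae_sm_step call sites return WLAN_STATUS_SUCCESS), which is easy to misread without a comment. Suggest a header comment above the function such as `/* Check the peer's Sync counter against dot11RSNASAESync (hapd->conf->sae_sync); when exceeded, drop the exchange by resetting to SAE_NOTHING and return -1 so the caller must not retransmit */`. The end of sae_check_big_sync lies outside the hunk, and hapd in auth_sae_retransmit_timer is presumably assigned from eloop_ctx on a line just above that hunk; both should be confirmed against the full file.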


@ -48,7 +48,7 @@ struct sae_data {
u8 pmkid[SAE_PMKID_LEN]; u8 pmkid[SAE_PMKID_LEN];
struct crypto_bignum *peer_commit_scalar; struct crypto_bignum *peer_commit_scalar;
int group; int group;
int sync; unsigned int sync; /* protocol instance variable: Sync */
struct sae_temporary_data *tmp; struct sae_temporary_data *tmp;
}; };
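Review bot: Making `sync` an `unsigned int` keeps its comparison with the new unsigned sae_sync field free of sign-compare issues, but this header is shared beyond hostapd's ieee802_11.c, and this commit's six files do not include the other SAE users of struct sae_data; any remaining code that compares the counter with a signed value or prints it with `%d` (the wpa_supplicant mesh SAE path, if it still maintains this counter) should be rechecked so the type change does not introduce new -Wsign-compare or -Wformat warnings.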