From d8b841eba8c85d6542d2c77fafa1eda4659ec66b Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 26 Dec 2017 12:46:22 +0200 Subject: [PATCH] SAE: Make dot11RSNASAESync configurable The new hostapd.conf parameter sae_sync (default: 5) can now be used to configure the dot11RSNASAESync value to specify the maximum number of synchronization errors that are allowed to happen prior to disassociation of the offending SAE peer. Signed-off-by: Jouni Malinen --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 5 +++++ src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/ieee802_11.c | 15 ++++++--------- src/common/sae.h | 2 +- 6 files changed, 16 insertions(+), 10 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 289180428..3211e1d29 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, return 1; } else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) { bss->sae_anti_clogging_threshold = atoi(pos); + } else if (os_strcmp(buf, "sae_sync") == 0) { + bss->sae_sync = atoi(pos); } else if (os_strcmp(buf, "sae_groups") == 0) { if (hostapd_parse_intlist(&bss->sae_groups, pos)) { wpa_printf(MSG_ERROR, diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 0d49fd744..083942d1c 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1 # same time before the anti-clogging mechanism is taken into use. #sae_anti_clogging_threshold=5 +# Maximum number of SAE synchronization errors (dot11RSNASAESync) +# The offending SAe peer will be disconnected if more than this many +# synchronization errors happen. +#sae_sync=5 + # Enabled SAE finite cyclic groups # SAE implementation are required to support group 19 (ECC group defined over a # 256-bit prime order field). All groups that are supported by the diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 23e1bed5e..085ad7ac9 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->radius_das_time_window = 300; bss->sae_anti_clogging_threshold = 5; + bss->sae_sync = 5; bss->gas_frag_limit = 1400; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index dc0686e69..c21307220 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -584,6 +584,7 @@ struct hostapd_bss_config { struct wpabuf *assocresp_elements; unsigned int sae_anti_clogging_threshold; + unsigned int sae_sync; int *sae_groups; char *sae_password; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 8a307f32b..fe8be62ec 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, #ifdef CONFIG_SAE -#define dot11RSNASAESync 5 /* attempts */ - - static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, struct sta_info *sta, int update) { @@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, } -static int sae_check_big_sync(struct sta_info *sta) +static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta) { - if (sta->sae->sync > dot11RSNASAESync) { + if (sta->sae->sync > hapd->conf->sae_sync) { sta->sae->state = SAE_NOTHING; sta->sae->sync = 0; return -1; @@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) struct sta_info *sta = eloop_data; int ret; - if (sae_check_big_sync(sta)) + if (sae_check_big_sync(hapd, sta)) return; sta->sae->sync++; wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR @@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, * In mesh case, follow SAE finite state machine and * send Commit now, if sync count allows. */ - if (sae_check_big_sync(sta)) + if (sae_check_big_sync(hapd, sta)) return WLAN_STATUS_SUCCESS; sta->sae->sync++; @@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, case SAE_CONFIRMED: sae_clear_retransmit_timer(hapd, sta); if (auth_transaction == 1) { - if (sae_check_big_sync(sta)) + if (sae_check_big_sync(hapd, sta)) return WLAN_STATUS_SUCCESS; sta->sae->sync++; @@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, ap_free_sta(hapd, sta); wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); } else { - if (sae_check_big_sync(sta)) + if (sae_check_big_sync(hapd, sta)) return WLAN_STATUS_SUCCESS; sta->sae->sync++; diff --git a/src/common/sae.h b/src/common/sae.h index a4270bc22..c85316f5a 100644 --- a/src/common/sae.h +++ b/src/common/sae.h @@ -48,7 +48,7 @@ struct sae_data { u8 pmkid[SAE_PMKID_LEN]; struct crypto_bignum *peer_commit_scalar; int group; - int sync; + unsigned int sync; /* protocol instance variable: Sync */ struct sae_temporary_data *tmp; };