authorJouni Malinen <j@w1.fi>2017-12-26 10:46:22 (GMT)
committerJouni Malinen <j@w1.fi>2017-12-26 10:46:22 (GMT)
commitd8b841eba8c85d6542d2c77fafa1eda4659ec66b (patch)
tree97489816b1fb473fb631b5a2b33de7e272444eb9
parent8b5a497325c59bea814e3c090d43505dc57aa34e (diff)
SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to configure the dot11RSNASAESync value, i.e., the maximum number of synchronization errors that are allowed to happen before the offending SAE peer is disassociated. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/hostapd.conf5
-rw-r--r--src/ap/ap_config.c1
-rw-r--r--src/ap/ap_config.h1
-rw-r--r--src/ap/ieee802_11.c15
-rw-r--r--src/common/sae.h2
6 files changed, 16 insertions, 10 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2891804..3211e1d 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1;
} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
bss->sae_anti_clogging_threshold = atoi(pos);
+ } else if (os_strcmp(buf, "sae_sync") == 0) {
+ bss->sae_sync = atoi(pos);
} else if (os_strcmp(buf, "sae_groups") == 0) {
if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
wpa_printf(MSG_ERROR,
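Review bot: `bss->sae_sync = atoi(pos);` on the added line stores a signed `int` into the `unsigned int` field with no range check, so a negative value in hostapd.conf wraps to a very large limit and `sae_check_big_sync()` in src/ap/ieee802_11.c would never disassociate the offending peer; `atoi()` also gives no indication that the text was not a number. The neighbouring sae_anti_clogging_threshold line has the same shape, but the new option should at least reject negatives, mirroring the sae_groups error path just below it: `int val = atoi(pos);` / `if (val < 0) { wpa_printf(MSG_ERROR, "Line %d: Invalid sae_sync value", line); return 1; }` / `bss->sae_sync = val;`. hostapd_config_fill() starts and ends outside the hunk.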
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0d49fd7..083942d 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1
# same time before the anti-clogging mechanism is taken into use.
#sae_anti_clogging_threshold=5
+# Maximum number of SAE synchronization errors (dot11RSNASAESync)
+# The offending SAe peer will be disconnected if more than this many
+# synchronization errors happen.
+#sae_sync=5
+
# Enabled SAE finite cyclic groups
# SAE implementation are required to support group 19 (ECC group defined over a
# 256-bit prime order field). All groups that are supported by the
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 23e1bed..085ad7a 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->radius_das_time_window = 300;
bss->sae_anti_clogging_threshold = 5;
+ bss->sae_sync = 5;
bss->gas_frag_limit = 1400;
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index dc0686e..c213072 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -584,6 +584,7 @@ struct hostapd_bss_config {
struct wpabuf *assocresp_elements;
unsigned int sae_anti_clogging_threshold;
+ unsigned int sae_sync;
int *sae_groups;
char *sae_password;
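Review bot: The new `sae_sync` member carries no comment, unlike the hostapd.conf entry that documents it, so a reader of the struct cannot tell whether it is a count, a flag or a timeout, nor that the limit is inclusive (the peer is dropped only when the counter exceeds it). Suggest `unsigned int sae_sync; /* dot11RSNASAESync: SAE sync errors tolerated before the peer is disassociated */`. struct hostapd_bss_config continues outside the hunk.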
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8a307f3..fe8be62 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
#ifdef CONFIG_SAE
-#define dot11RSNASAESync 5 /* attempts */
-
-
static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
struct sta_info *sta, int update)
{
@@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
}
-static int sae_check_big_sync(struct sta_info *sta)
+static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
{
- if (sta->sae->sync > dot11RSNASAESync) {
+ if (sta->sae->sync > hapd->conf->sae_sync) {
sta->sae->state = SAE_NOTHING;
sta->sae->sync = 0;
return -1;
@@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
struct sta_info *sta = eloop_data;
int ret;
- if (sae_check_big_sync(sta))
+ if (sae_check_big_sync(hapd, sta))
return;
sta->sae->sync++;
wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
@@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
* In mesh case, follow SAE finite state machine and
* send Commit now, if sync count allows.
*/
- if (sae_check_big_sync(sta))
+ if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS;
sta->sae->sync++;
@@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
case SAE_CONFIRMED:
sae_clear_retransmit_timer(hapd, sta);
if (auth_transaction == 1) {
- if (sae_check_big_sync(sta))
+ if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS;
sta->sae->sync++;
@@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
ap_free_sta(hapd, sta);
wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
} else {
- if (sae_check_big_sync(sta))
+ if (sae_check_big_sync(hapd, sta))
return WLAN_STATUS_SUCCESS;
sta->sae->sync++;
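Review bot: `sae_check_big_sync()` gains a `hapd` parameter but still has no comment stating its contract, which now depends on configuration: it returns -1 and resets the instance to `SAE_NOTHING` with `sync = 0` once the counter exceeds `hapd->conf->sae_sync`, and presumably returns 0 otherwise (the function's tail is outside the hunk). A two-line header comment saying that, and that callers must bump `sta->sae->sync` only after the check returns 0, would make the check-then-increment pairs in the four later hunks self-explanatory. As a point of style, that pair is repeated identically at each call site; folding the increment into the helper would remove the chance of a future caller forgetting it, though that is beyond this commit's scope.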
diff --git a/src/common/sae.h b/src/common/sae.h
index a4270bc..c85316f 100644
--- a/src/common/sae.h
+++ b/src/common/sae.h
@@ -48,7 +48,7 @@ struct sae_data {
u8 pmkid[SAE_PMKID_LEN];
struct crypto_bignum *peer_commit_scalar;
int group;
- int sync;
+ unsigned int sync; /* protocol instance variable: Sync */
struct sae_temporary_data *tmp;
};
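Review bot: Changing `sync` from `int` to `unsigned int` matches the unsigned `sae_sync` it is now compared against, but struct sae_data is shared with the wpa_supplicant mesh code, which — if it still compares `sync` against a signed limit of its own — will now mix signed and unsigned operands under -Wsign-compare; worth checking the other readers of `sae_data.sync` in the same series. The trailing comment is useful; noting the unit there too (`/* protocol instance variable: Sync (error count) */`) would make the new type choice obvious. The hunk's trailing context line is outside SOURCE.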