authorJouni Malinen <jouni@codeaurora.org>2019-03-01 20:05:52 (GMT)
committerJouni Malinen <j@w1.fi>2019-03-06 11:07:03 (GMT)
commita9af1da0b544faecf8cc03ec2f418db1dc9ced43 (patch)
treee10650054438f9f768f84b1c9cf64b9277d7eec1 /src/ap/hostapd.h
parentff9f40aee1e405b40bd9ffdf1f5e4edd79f54b19 (diff)
SAE: Enforce single use for anti-clogging tokens
Add a 16-bit token index into the anti-clogging token. This can be used to enforce only a single use of each issued anti-clogging token request. The token value is now token-index | last-30-octets-of(HMAC-SHA256(sae_token_key, STA-MAC-address | token-index)), i.e., the first two octets of the SHA256 hash value are replaced with the token-index and token-index itself is protected as part of the HMAC context data. Track the used 16-bit token index values and accept received tokens only if they use an index value that has been requested, but has not yet been used. This makes it a bit more difficult for an attacker to perform DoS attacks against the heavy CPU operations needed for processing SAE commit since the attacker cannot simply replay the same frame multiple times and instead, needs to request each token separately. While this does not add significant extra processing/CPU need for the attacker, this can be helpful in combination with the queued processing of SAE commit messages in enforcing more delay during flooding of SAE commit messages since the new anti-clogging token values are not returned before the new message goes through the processing queue. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Diffstat (limited to 'src/ap/hostapd.h')
1 files changed, 2 insertions, 0 deletions
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 733f3f2..b8637c4 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -314,6 +314,8 @@ struct hostapd_data {
/** Key used for generating SAE anti-clogging tokens */
u8 sae_token_key[8];
struct os_reltime last_sae_token_key_update;
+ u16 sae_token_idx;
+ u16 sae_pending_token_idx[256];
int dot11RSNASAERetransPeriod; /* msec */
struct dl_list sae_commit_queue; /* struct hostapd_sae_commit_queue */
#endif /* CONFIG_SAE */
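Review bot: The two added fields carry no doc comment, while the neighbouring `sae_token_key` does, and `256` is a bare magic number for what is, from the commit description, a security-relevant replay window. I would write `/** Next 16-bit anti-clogging token index to issue; part of the HMAC input */` above `sae_token_idx` and `/** Recently issued token indexes that have not been consumed yet */` above `sae_pending_token_idx`, and pull the size out as something like `#define SAE_PENDING_TOKEN_IDX_MAX 256` so the tracking code in sae.c does not have to repeat the literal. The tracking logic itself is outside this hunk, but if the array is used as a ring of the last 256 issued indexes (which the fixed size suggests), a legitimate STA's token is silently invalidated once 256 further token requests arrive, which a flooding attacker can force; that trade-off between memory and legitimate-client fallout deserves a sentence in the comment so nobody later shrinks the array. Also worth stating in the comment what value, if any, marks an empty slot, since a u16 cannot hold an out-of-band sentinel once the index wraps.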