SAE: Make dot11RSNASAESync configurable

The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 289180428b1e2ddf5dccad3734d3023be09ab5f8..3211e1d29ccd8e31961ddbf8f6d25340824fc95f 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                        return 1;
        } else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
                bss->sae_anti_clogging_threshold = atoi(pos);
+       } else if (os_strcmp(buf, "sae_sync") == 0) {
+               bss->sae_sync = atoi(pos);
        } else if (os_strcmp(buf, "sae_groups") == 0) {
                if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
                        wpa_printf(MSG_ERROR,

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0d49fd744851a72918ad9871cea972f2edc1632e..083942d1c29e348b5c4547f935dc18cd1eb39b7c 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1
 # same time before the anti-clogging mechanism is taken into use.
 #sae_anti_clogging_threshold=5
 
+# Maximum number of SAE synchronization errors (dot11RSNASAESync)
+# The offending SAe peer will be disconnected if more than this many
+# synchronization errors happen.
+#sae_sync=5
+
 # Enabled SAE finite cyclic groups
 # SAE implementation are required to support group 19 (ECC group defined over a
 # 256-bit prime order field). All groups that are supported by the

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 23e1bed5ed6d85dce1f7362a744679d718dc2cbe..085ad7ac949e4eb8eb456b48527b5d3e8419376b 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
        bss->radius_das_time_window = 300;
 
        bss->sae_anti_clogging_threshold = 5;
+       bss->sae_sync = 5;
 
        bss->gas_frag_limit = 1400;
 

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index dc0686e69214af3c6ede8a7ef6cba74dd850f30a..c213072202cbe101444c6de8b7e1c18313ca055d 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -584,6 +584,7 @@ struct hostapd_bss_config {
        struct wpabuf *assocresp_elements;
 
        unsigned int sae_anti_clogging_threshold;
+       unsigned int sae_sync;
        int *sae_groups;
        char *sae_password;
 

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8a307f32b5d9620269f284ccc5f370a7f4e63471..fe8be62ecf35148c1ca3dbadd7e5e801e28afaf9 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
 
 #ifdef CONFIG_SAE
 
-#define dot11RSNASAESync 5             /* attempts */
-
-
 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
                                             struct sta_info *sta, int update)
 {
@@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
 }
 
 
-static int sae_check_big_sync(struct sta_info *sta)
+static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
 {
-       if (sta->sae->sync > dot11RSNASAESync) {
+       if (sta->sae->sync > hapd->conf->sae_sync) {
                sta->sae->state = SAE_NOTHING;
                sta->sae->sync = 0;
                return -1;
@@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
        struct sta_info *sta = eloop_data;
        int ret;
 
-       if (sae_check_big_sync(sta))
+       if (sae_check_big_sync(hapd, sta))
                return;
        sta->sae->sync++;
        wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
@@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                         * In mesh case, follow SAE finite state machine and
                         * send Commit now, if sync count allows.
                         */
-                       if (sae_check_big_sync(sta))
+                       if (sae_check_big_sync(hapd, sta))
                                return WLAN_STATUS_SUCCESS;
                        sta->sae->sync++;
 
@@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
        case SAE_CONFIRMED:
                sae_clear_retransmit_timer(hapd, sta);
                if (auth_transaction == 1) {
-                       if (sae_check_big_sync(sta))
+                       if (sae_check_big_sync(hapd, sta))
                                return WLAN_STATUS_SUCCESS;
                        sta->sae->sync++;
 
@@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                        ap_free_sta(hapd, sta);
                        wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
                } else {
-                       if (sae_check_big_sync(sta))
+                       if (sae_check_big_sync(hapd, sta))
                                return WLAN_STATUS_SUCCESS;
                        sta->sae->sync++;
 

diff --git a/src/common/sae.h b/src/common/sae.h
index a4270bc22d14a015d440795cf3c636db950cc8c5..c85316f5a5437ec583131aca0aeadf587373ad70 100644 (file)
--- a/src/common/sae.h
+++ b/src/common/sae.h
@@ -48,7 +48,7 @@ struct sae_data {
        u8 pmkid[SAE_PMKID_LEN];
        struct crypto_bignum *peer_commit_scalar;
        int group;
-       int sync;
+       unsigned int sync; /* protocol instance variable: Sync */
        struct sae_temporary_data *tmp;
 };