SAE: Fix peer-commit-scalar reuse check

Only one peer-commit-scalar value was stored for a specific STA (i.e.,
one per MAC address) and that value got replaced when the next SAE
Authentication exchange was started. This ended up breaking the check
against re-use of peer-commit-scalar from an Accepted instance when
anti-clogging token was requested. The first SAE commit message (the one
without anti-clogging token) ended up overwriting the cached
peer-commit-scalar value while leaving that instance in Accepted state.
The second SAE commit message (with anti-clogging token) added ended up
getting rejected if it used the same value again (and re-use is expected
in this particular case where the value was not used in Accepted
instance).

Fix this by using a separate pointer for storing the peer-commit-scalar
value that was used in an Accepted instance. There is no need to
allocate memory for two values, i.e., it is sufficient to maintain
separate pointers to the value and move the stored value to the special
Accepted state pointer when moving to the Accepted state.

This fixes issues where a peer STA ends up running back-to-back SAE
authentication within couple of seconds, i.e., without hostapd timing
out the STA entry for a case where anti-clogging token is required.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index ffa303d6927e2ca4d758cc5a2ef2177cbe08e9af..237549b56cdf978156abc647f2dc45f1e49e7f47 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -839,6 +839,9 @@ void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
        mlme_authenticate_indication(hapd, sta);
        wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
        sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
+       crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
+       sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
+       sta->sae->peer_commit_scalar = NULL;
        wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
                               sta->sae->pmk, sta->sae->pmkid);
        sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);

diff --git a/src/common/sae.c b/src/common/sae.c
index 94ec1a39c1fa98483ead77c19e97bc1039172bb0..7ed53be1cd303c297152cf4507603c4ca6b778f2 100644 (file)
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -123,6 +123,7 @@ void sae_clear_data(struct sae_data *sae)
                return;
        sae_clear_temp_data(sae);
        crypto_bignum_deinit(sae->peer_commit_scalar, 0);
+       crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0);
        os_memset(sae, 0, sizeof(*sae));
 }
 
@@ -1833,8 +1834,9 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
         * shall be dropped if the peer-scalar is identical to the one used in
         * the existing protocol instance.
         */
-       if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
-           crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
+       if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted &&
+           crypto_bignum_cmp(sae->peer_commit_scalar_accepted,
+                             peer_scalar) == 0) {
                wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
                           "peer-commit-scalar");
                crypto_bignum_deinit(peer_scalar, 0);

diff --git a/src/common/sae.h b/src/common/sae.h
index b3787e4fc6ce5bfdf19a8e82ec2b1d2a7df683d7..e3e7d0eec1a469e3a004e9040927954c9d2c6929 100644 (file)
--- a/src/common/sae.h
+++ b/src/common/sae.h
@@ -70,6 +70,7 @@ struct sae_data {
        u8 pmk[SAE_PMK_LEN];
        u8 pmkid[SAE_PMKID_LEN];
        struct crypto_bignum *peer_commit_scalar;
+       struct crypto_bignum *peer_commit_scalar_accepted;
        int group;
        unsigned int sync; /* protocol instance variable: Sync */
        u16 rc; /* protocol instance variable: Rc (received send-confirm) */