Double the first group rekey timeout if over 100 associated stations

Increase the first group rekey timeout from 500 ms to 1000 ms when the
number of associated stations is greater than 100. This is to avoid
client disconnections due to group handshake timeout in multiclient
scenarios where it might take more than 500 ms to be able deliver Group
Key msg 1/2 to all associated STAs.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 9d153da7da1f3abc1c559d30afa58b594fb5bd1d..385eceaa043ae44bbf49d5233978892e8b53d754 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1800,6 +1800,15 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
 }
 
 
+static int wpa_auth_get_sta_count(struct wpa_authenticator *wpa_auth)
+{
+       if (!wpa_auth->cb->get_sta_count)
+               return -1;
+
+       return wpa_auth->cb->get_sta_count(wpa_auth->cb_ctx);
+}
+
+
 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                           struct wpa_state_machine *sm, int key_info,
                           const u8 *key_rsc, const u8 *nonce,
@@ -1832,11 +1841,16 @@ static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
 skip_tx:
 #endif /* CONFIG_TESTING_OPTIONS */
 
-       if (ctr == 1 && wpa_auth->conf.tx_status)
-               timeout_ms = pairwise ? eapol_key_timeout_first :
-                       eapol_key_timeout_first_group;
-       else
+       if (ctr == 1 && wpa_auth->conf.tx_status) {
+               if (pairwise)
+                       timeout_ms = eapol_key_timeout_first;
+               else if (wpa_auth_get_sta_count(wpa_auth) > 100)
+                       timeout_ms = eapol_key_timeout_first_group * 2;
+               else
+                       timeout_ms = eapol_key_timeout_first_group;
+       } else {
                timeout_ms = eapol_key_timeout_subseq;
+       }
        if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
            (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
                timeout_ms = eapol_key_timeout_no_retrans;

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index c076d71a63d73d3584f57c59b799a57a2b38ae6d..28eea83d84ff9daa15d5750eefaee7de24565e0f 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -342,6 +342,7 @@ struct wpa_auth_callbacks {
        int (*get_seqnum)(void *ctx, const u8 *addr, int idx, u8 *seq);
        int (*send_eapol)(void *ctx, const u8 *addr, const u8 *data,
                          size_t data_len, int encrypt);
+       int (*get_sta_count)(void *ctx);
        int (*for_each_sta)(void *ctx, int (*cb)(struct wpa_state_machine *sm,
                                                 void *ctx), void *cb_ctx);
        int (*for_each_auth)(void *ctx, int (*cb)(struct wpa_authenticator *a,

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index c810619a4331554ffa91e7895616c4d8693bc242..30a72b1262fac5c115ab9c63a8b276360cced9a9 100644 (file)
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -564,6 +564,14 @@ int hostapd_wpa_auth_send_eapol(void *ctx, const u8 *addr,
 }
 
 
+static int hostapd_wpa_auth_get_sta_count(void *ctx)
+{
+       struct hostapd_data *hapd = ctx;
+
+       return hapd->num_sta;
+}
+
+
 static int hostapd_wpa_auth_for_each_sta(
        void *ctx, int (*cb)(struct wpa_state_machine *sm, void *ctx),
        void *cb_ctx)
@@ -1608,6 +1616,7 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
                .set_key = hostapd_wpa_auth_set_key,
                .get_seqnum = hostapd_wpa_auth_get_seqnum,
                .send_eapol = hostapd_wpa_auth_send_eapol,
+               .get_sta_count = hostapd_wpa_auth_get_sta_count,
                .for_each_sta = hostapd_wpa_auth_for_each_sta,
                .for_each_auth = hostapd_wpa_auth_for_each_auth,
                .send_ether = hostapd_wpa_auth_send_ether,