SAE: Disable protocol instance temporarily on sync error in mesh
authorJouni Malinen <quic_jouni@quicinc.com>
Sat, 13 Jul 2024 13:35:12 +0000 (16:35 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 13 Jul 2024 13:35:12 +0000 (16:35 +0300)
Reduce the number of unwanted SAE commit retries in synchronization
error cases when Sync > dot11RSNASAESync in mesh cases by discarding
received SAE commit messages for 10 seconds after a sync error has been
detected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/ieee802_11.c
src/common/sae.h

index 2d361fc59e397b4bad8898723f0086fb5ba607d4..efcc27a5042d4747a411d6911d356179e846f60a 100644 (file)
@@ -813,12 +813,41 @@ static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
        if (sta->sae->sync > hapd->conf->sae_sync) {
                sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
                sta->sae->sync = 0;
+               if (sta->sae->tmp) {
+                       /* Disable this SAE instance for 10 seconds to avoid
+                        * unnecessary flood of multiple SAE commits in
+                        * unexpected mesh cases. */
+                       if (os_get_reltime(&sta->sae->tmp->disabled_until) == 0)
+                               sta->sae->tmp->disabled_until.sec += 10;
+               }
                return -1;
        }
        return 0;
 }
 
 
+static bool sae_proto_instance_disabled(struct sta_info *sta)
+{
+       struct sae_temporary_data *tmp;
+
+       if (!sta->sae)
+               return false;
+       tmp = sta->sae->tmp;
+       if (!tmp)
+               return false;
+
+       if (os_reltime_initialized(&tmp->disabled_until)) {
+               struct os_reltime now;
+
+               os_get_reltime(&now);
+               if (os_reltime_before(&now, &tmp->disabled_until))
+                       return true;
+       }
+
+       return false;
+}
+
+
 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
 {
        struct hostapd_data *hapd = eloop_ctx;
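Review bot: The `os_get_reltime(&now)` call in sae_proto_instance_disabled() ignores its return value, while the setter in sae_check_big_sync() checks the same call against 0; if the call can fail, `now` is read uninitialized by os_reltime_before(). Folding the check into the condition keeps both sides consistent: `if (os_get_reltime(&now) == 0 && os_reltime_before(&now, &tmp->disabled_until))`. The literal `10` in `disabled_until.sec += 10;` would also read better as a named constant, since the comment above it repeats the value. sae_check_big_sync() starts above this hunk and auth_sae_retransmit_timer() continues below it.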
@@ -962,6 +991,13 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
        wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
                   MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
                   auth_transaction);
+
+       if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE: Protocol instance temporarily disabled - discard received SAE commit");
+               return WLAN_STATUS_SUCCESS;
+       }
+
        switch (sta->sae->state) {
        case SAE_NOTHING:
                if (auth_transaction == 1) {
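Review bot: The discard at `auth_transaction == 1 && sae_proto_instance_disabled(sta)` is not conditioned on mesh mode, and neither is the matching check added in handle_auth_sae() nor the visible part of sae_check_big_sync() that arms the timer, although the commit message limits the change to mesh. SAE commit frames are handled before the peer is authenticated, so the frames that push Sync past dot11RSNASAESync need not come from the real peer, and each trip drops that address's commits for 10 seconds with no reply. If infrastructure BSS is not meant to be affected, gate the check, e.g. `if (auth_transaction == 1 && (hapd->conf->mesh & MESH_ENABLED) && sae_proto_instance_disabled(sta)) {`; otherwise a comment recording the accepted lockout trade-off would help. The callers of sae_check_big_sync() are outside this page, so whether the timer can be armed outside mesh is not confirmed here.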
@@ -1403,6 +1439,12 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                if (!sae_status_success(hapd, status_code))
                        goto remove_sta;
 
+               if (sae_proto_instance_disabled(sta)) {
+                       wpa_printf(MSG_DEBUG,
+                                  "SAE: Protocol instance temporarily disabled - discard received SAE commit");
+                       return;
+               }
+
                if (!(hapd->conf->mesh & MESH_ENABLED) &&
                    sta->sae->state == SAE_COMMITTED) {
                        /* This is needed in the infrastructure BSS case to
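Review bot: The debug message in this branch does not name the peer, and unlike sae_sm_step() no nearby visible line logs it, so a discarded commit cannot be tied to a station when reading logs. Including the address would make repeated lockouts of one peer visible: `"SAE: Protocol instance temporarily disabled - discard received SAE commit from " MACSTR, MAC2STR(sta->addr)`. The bare `return` also skips the `remove_sta` label used just above; that label is outside the hunk, so confirm that no cleanup there is needed on this path. handle_auth_sae() starts and ends outside the hunk.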
index c446da3964a7b1dd2618a3f1501992ac03353e61..a353aa8da357b6214506e64a4938e295020df005 100644 (file)
@@ -82,6 +82,8 @@ struct sae_temporary_data {
        bool omit_pk_elem;
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_SAE_PK */
+
+       struct os_reltime disabled_until;
 };
 
 struct sae_pt {
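Review bot: The new `disabled_until` member has no comment, and neither its meaning nor its lifetime is obvious from the struct. A comment such as `/* Received SAE commits are discarded until this time; set on Sync > dot11RSNASAESync */` would document it. Because the field lives in the temporary data, the discard window presumably ends whenever that data is freed, which sae_proto_instance_disabled() treats as not disabled (`if (!tmp) return false;`); it is worth stating whether that is intended. struct sae_temporary_data starts above the hunk.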