HS 2.0R2: Slow down connection attempts on EAP failures
authorJouni Malinen <jouni@qca.qualcomm.com>
Fri, 9 Aug 2013 20:41:29 +0000 (23:41 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 25 Feb 2014 23:24:24 +0000 (01:24 +0200)
This is needed to limit the number of consecutive authentication
attempts to no more than 10 within a 10-minute interval to avoid
unnecessary load on the authentication server. In addition, use a random
component in the delay to avoid multiple stations hitting the same
timing in case of simultaneous disconnection from the network.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

wpa_supplicant/wpa_supplicant.c

index 14e2c3a5c6f0defb8a68d2d9bf8304db5bea20e0..ad1a03e181ae1efca78fb935b67218c6b19cdf08 100644 (file)
@@ -4344,17 +4344,23 @@ void wpas_auth_failed(struct wpa_supplicant *wpa_s)
 
        if (ssid->auth_failures > 50)
                dur = 300;
-       else if (ssid->auth_failures > 20)
-               dur = 120;
        else if (ssid->auth_failures > 10)
-               dur = 60;
+               dur = 120;
        else if (ssid->auth_failures > 5)
+               dur = 90;
+       else if (ssid->auth_failures > 3)
+               dur = 60;
+       else if (ssid->auth_failures > 2)
                dur = 30;
        else if (ssid->auth_failures > 1)
                dur = 20;
        else
                dur = 10;
 
+       if (ssid->auth_failures > 1 &&
+           wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt))
+               dur += os_random() % (ssid->auth_failures * 10);
+
        os_get_reltime(&now);
        if (now.sec + dur <= ssid->disabled_until.sec)
                return;
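Review bot: The jitter added in `dur += os_random() % (ssid->auth_failures * 10);` has no upper bound, so while the base delay stops at 300 seconds, the total disable time keeps growing with `auth_failures`. Unless the counter is capped outside this hunk, a network that keeps failing EAP (possibly one presented by a spoofed AP) can hold the profile disabled for progressively longer periods. Consider bounding the range, e.g. `int jitter = ssid->auth_failures > 30 ? 300 : ssid->auth_failures * 10;` followed by `dur += os_random() % jitter;`. A short comment above the threshold ladder, saying the values are chosen to keep 802.1X attempts to at most 10 per 10 minutes, would also help later edits preserve that limit. wpas_auth_failed() starts and ends outside the hunk.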