@ -688,12 +688,12 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd,
}
static int use_ sae_ anti_clogging( struct hostapd_data * hapd )
static int use_ anti_clogging( struct hostapd_data * hapd )
{
struct sta_info * sta ;
unsigned int open = 0 ;
if ( hapd - > conf - > sae_ anti_clogging_threshold = = 0 )
if ( hapd - > conf - > anti_clogging_threshold = = 0 )
return 1 ;
for ( sta = hapd - > sta_list ; sta ; sta = sta - > next ) {
@ -703,7 +703,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
sta - > sae - > state ! = SAE_CONFIRMED )
continue ;
open + + ;
if ( open > = hapd - > conf - > sae_ anti_clogging_threshold)
if ( open > = hapd - > conf - > anti_clogging_threshold)
return 1 ;
}
@ -711,18 +711,19 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
* there are enough pending commit messages in the processing queue to
* potentially result in too many open sessions . */
if ( open + dl_list_len ( & hapd - > sae_commit_queue ) > =
hapd - > conf - > sae_ anti_clogging_threshold)
hapd - > conf - > anti_clogging_threshold)
return 1 ;
return 0 ;
}
static int sae_token_hash ( struct hostapd_data * hapd , const u8 * addr , u8 * idx )
static int comeback_token_hash ( struct hostapd_data * hapd , const u8 * addr ,
u8 * idx )
{
u8 hash [ SHA256_MAC_LEN ] ;
if ( hmac_sha256 ( hapd - > sae_token_key, sizeof ( hapd - > sae_token _key) ,
if ( hmac_sha256 ( hapd - > comeback_key, sizeof ( hapd - > comeback _key) ,
addr , ETH_ALEN , hash ) < 0 )
return - 1 ;
* idx = hash [ 0 ] ;
@ -730,8 +731,8 @@ static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
}
static int check_ sae _token( struct hostapd_data * hapd , const u8 * addr ,
const u8 * token , size_t token_len )
static int check_ comeback _token( struct hostapd_data * hapd , const u8 * addr ,
const u8 * token , size_t token_len )
{
u8 mac [ SHA256_MAC_LEN ] ;
const u8 * addrs [ 2 ] ;
@ -739,11 +740,13 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
u16 token_idx ;
u8 idx ;
if ( token_len ! = SHA256_MAC_LEN | | sae_token_hash ( hapd , addr , & idx ) < 0 )
if ( token_len ! = SHA256_MAC_LEN | |
comeback_token_hash ( hapd , addr , & idx ) < 0 )
return - 1 ;
token_idx = hapd - > sae_pending_token _idx[ idx ] ;
token_idx = hapd - > comeback_pending _idx[ idx ] ;
if ( token_idx = = 0 | | token_idx ! = WPA_GET_BE16 ( token ) ) {
wpa_printf ( MSG_DEBUG , " SAE: Invalid anti-clogging token from "
wpa_printf ( MSG_DEBUG ,
" Comeback: Invalid anti-clogging token from "
MACSTR " - token_idx 0x%04x, expected 0x%04x " ,
MAC2STR ( addr ) , WPA_GET_BE16 ( token ) , token_idx ) ;
return - 1 ;
@ -753,12 +756,12 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
len [ 0 ] = ETH_ALEN ;
addrs [ 1 ] = token ;
len [ 1 ] = 2 ;
if ( hmac_sha256_vector ( hapd - > sae_token_key, sizeof ( hapd - > sae_token _key) ,
if ( hmac_sha256_vector ( hapd - > comeback_key, sizeof ( hapd - > comeback _key) ,
2 , addrs , len , mac ) < 0 | |
os_memcmp_const ( token + 2 , & mac [ 2 ] , SHA256_MAC_LEN - 2 ) ! = 0 )
return - 1 ;
hapd - > sae_pending_token _idx[ idx ] = 0 ; /* invalidate used token */
hapd - > comeback_pending _idx[ idx ] = 0 ; /* invalidate used token */
return 0 ;
}
@ -777,18 +780,18 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
u16 token_idx ;
os_get_reltime ( & now ) ;
if ( ! os_reltime_initialized ( & hapd - > last_ sae_token _key_update) | |
os_reltime_expired ( & now , & hapd - > last_ sae_token _key_update, 60 ) | |
hapd - > sae_token _idx = = 0xffff ) {
if ( random_get_bytes ( hapd - > sae_token _key,
sizeof ( hapd - > sae_token _key) ) < 0 )
if ( ! os_reltime_initialized ( & hapd - > last_ comeback _key_update) | |
os_reltime_expired ( & now , & hapd - > last_ comeback _key_update, 60 ) | |
hapd - > comeback _idx = = 0xffff ) {
if ( random_get_bytes ( hapd - > comeback _key,
sizeof ( hapd - > comeback _key) ) < 0 )
return NULL ;
wpa_hexdump ( MSG_DEBUG , " SAE : Updated token key" ,
hapd - > sae_token_key, sizeof ( hapd - > sae_token _key) ) ;
hapd - > last_ sae_token _key_update = now ;
hapd - > sae_token _idx = 0 ;
os_memset ( hapd - > sae_pending_token _idx, 0 ,
sizeof ( hapd - > sae_pending_token _idx) ) ;
wpa_hexdump ( MSG_DEBUG , " Comeback : Updated token key" ,
hapd - > comeback_key, sizeof ( hapd - > comeback _key) ) ;
hapd - > last_ comeback _key_update = now ;
hapd - > comeback _idx = 0 ;
os_memset ( hapd - > comeback_pending _idx, 0 ,
sizeof ( hapd - > comeback_pending _idx) ) ;
}
buf = wpabuf_alloc ( sizeof ( le16 ) + 3 + SHA256_MAC_LEN ) ;
@ -804,15 +807,16 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
wpabuf_put_u8 ( buf , WLAN_EID_EXT_ANTI_CLOGGING_TOKEN ) ;
}
if ( sae _token_hash( hapd , addr , & p_idx ) < 0 ) {
if ( comeback _token_hash( hapd , addr , & p_idx ) < 0 ) {
wpabuf_free ( buf ) ;
return NULL ;
}
token_idx = hapd - > sae_pending_token_idx [ p_idx ] ;
token_idx = hapd - > comeback_pending_idx [ p_idx ] ;
if ( ! token_idx ) {
hapd - > sae_token _idx+ + ;
token_idx = hapd - > sae_token _idx;
hapd - > sae_pending_token _idx[ p_idx ] = token_idx ;
hapd - > comeback _idx+ + ;
token_idx = hapd - > comeback _idx;
hapd - > comeback_pending _idx[ p_idx ] = token_idx ;
}
WPA_PUT_BE16 ( idx , token_idx ) ;
token = wpabuf_put ( buf , SHA256_MAC_LEN ) ;
@ -820,7 +824,7 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
len [ 0 ] = ETH_ALEN ;
addrs [ 1 ] = idx ;
len [ 1 ] = sizeof ( idx ) ;
if ( hmac_sha256_vector ( hapd - > sae_token_key, sizeof ( hapd - > sae_token _key) ,
if ( hmac_sha256_vector ( hapd - > comeback_key, sizeof ( hapd - > comeback _key) ,
2 , addrs , len , token ) < 0 ) {
wpabuf_free ( buf ) ;
return NULL ;
@ -1452,7 +1456,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
goto remove_sta ;
}
if ( token & & check_sae_token ( hapd , sta - > addr , token , token_len )
if ( token & &
check_comeback_token ( hapd , sta - > addr , token , token_len )
< 0 ) {
wpa_printf ( MSG_DEBUG , " SAE: Drop commit message with "
" incorrect token from " MACSTR ,
@ -1469,7 +1474,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
goto reply ;
}
if ( ! token & & use_ sae_ anti_clogging( hapd ) & & ! allow_reuse ) {
if ( ! token & & use_ anti_clogging( hapd ) & & ! allow_reuse ) {
int h2e = 0 ;
wpa_printf ( MSG_DEBUG ,