From 8a77f1be86a36dc4be83316960628d9388b5484d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 9 Aug 2013 23:41:29 +0300
Subject: [PATCH] HS 2.0R2: Slow down connection attempts on EAP failures

This is needed to limit the number of consecutive authentication attempts to no more than 10 within a 10-minute interval to avoid unnecessary load on the authentication server. In addition, use a random component in the delay to avoid multiple stations hitting the same timing in case of simultaneous disconnection from the network.

Signed-hostap: Jouni Malinen
---
 wpa_supplicant/wpa_supplicant.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 14e2c3a5c..ad1a03e18 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -4344,17 +4344,23 @@ void wpas_auth_failed(struct wpa_supplicant *wpa_s)
 
 if (ssid->auth_failures > 50)
 dur = 300;
- else if (ssid->auth_failures > 20)
- dur = 120;
 else if (ssid->auth_failures > 10)
- dur = 60;
+ dur = 120;
 else if (ssid->auth_failures > 5)
+ dur = 90;
+ else if (ssid->auth_failures > 3)
+ dur = 60;
+ else if (ssid->auth_failures > 2)
 dur = 30;
 else if (ssid->auth_failures > 1)
 dur = 20;
 else
 dur = 10;
 
+ if (ssid->auth_failures > 1 &&
+ wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt))
+ dur += os_random() % (ssid->auth_failures * 10);
+
 os_get_reltime(&now);
 if (now.sec + dur <= ssid->disabled_until.sec)
 return;
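Review bot: The random component added after the `dur` table has no upper bound: `os_random() % (ssid->auth_failures * 10)` keeps growing with the failure counter, so once `auth_failures` passes 50 the 300-second ceiling no longer holds for IEEE 802.1X networks and the profile can stay disabled far longer than the table suggests. If the counter is not reset elsewhere (not visible in this hunk), repeated rejections, whether from bad credentials or from an AP that keeps failing EAP, translate into an ever-longer lockout of the network. Consider capping the multiplier, e.g. `dur += os_random() % ((ssid->auth_failures > 10 ? 10 : ssid->auth_failures) * 10);`, and adding a comment such as `/* jitter so stations dropped together do not retry in lockstep */`. The body of wpas_auth_failed() starts and ends outside the hunk.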