diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 289180428..3211e1d29 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3634,6 +3634,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 			return 1;
 	} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
 		bss->sae_anti_clogging_threshold = atoi(pos);
+	} else if (os_strcmp(buf, "sae_sync") == 0) {
+		bss->sae_sync = atoi(pos);
 	} else if (os_strcmp(buf, "sae_groups") == 0) {
 		if (hostapd_parse_intlist(&bss->sae_groups, pos)) {
 			wpa_printf(MSG_ERROR,
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0d49fd744..083942d1c 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1429,6 +1429,11 @@ own_ip_addr=127.0.0.1
 # same time before the anti-clogging mechanism is taken into use.
 #sae_anti_clogging_threshold=5
 
+# Maximum number of SAE synchronization errors (dot11RSNASAESync)
+# The offending SAe peer will be disconnected if more than this many
+# synchronization errors happen.
+#sae_sync=5
+
 # Enabled SAE finite cyclic groups
 # SAE implementation are required to support group 19 (ECC group defined over a
 # 256-bit prime order field). All groups that are supported by the
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 23e1bed5e..085ad7ac9 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -108,6 +108,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 	bss->radius_das_time_window = 300;
 
 	bss->sae_anti_clogging_threshold = 5;
+	bss->sae_sync = 5;
 
 	bss->gas_frag_limit = 1400;
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index dc0686e69..c21307220 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -584,6 +584,7 @@ struct hostapd_bss_config {
 	struct wpabuf *assocresp_elements;
 
 	unsigned int sae_anti_clogging_threshold;
+	unsigned int sae_sync;
 	int *sae_groups;
 	char *sae_password;
 
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8a307f32b..fe8be62ec 100644
--- a/src/ap/ieee802_11.c
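Review bot: `bss->sae_sync = atoi(pos);` stores a signed parse into an `unsigned int` with no range check, so a negative value in the configuration wraps to a very large limit and `sae_check_big_sync()` never resets the SAE instance, silently disabling the dot11RSNASAESync bound; `atoi()` also reports no parse error. The neighbouring `sae_anti_clogging_threshold` line has the same weakness, but since this commit introduces a new knob it should follow the file's `Line %d:` error convention and reject negatives, using hostapd_config_fill's `line` parameter, which is outside the hunk. hostapd_config_fill begins and ends outside this hunk.
```c
	} else if (os_strcmp(buf, "sae_sync") == 0) {
		int val = atoi(pos);

		/* Field is unsigned; a negative value would wrap and disable the limit. */
		if (val < 0) {
			wpa_printf(MSG_ERROR, "Line %d: invalid sae_sync %d",
				   line, val);
			return 1;
		}
		bss->sae_sync = val;
	} else if (os_strcmp(buf, "sae_groups") == 0) {
```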
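Review bot: `unsigned int sae_sync;` is added to struct hostapd_bss_config without a comment, while the sae.h hunk in the same commit documents the counter this field bounds; propose `unsigned int sae_sync; /* dot11RSNASAESync: SAE sync errors allowed before the SAE instance is reset */`. The reset semantics come from `sae_check_big_sync()` in the src/ap/ieee802_11.c hunk, which sets `sta->sae->state = SAE_NOTHING` once the counter exceeds this value. struct hostapd_bss_config begins and ends outside this hunk.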
+++ b/src/ap/ieee802_11.c
@@ -354,9 +354,6 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
 
 #ifdef CONFIG_SAE
 
-#define dot11RSNASAESync 5 /* attempts */
-
-
 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 					     struct sta_info *sta, int update)
 {
@@ -517,9 +514,9 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
 }
 
 
-static int sae_check_big_sync(struct sta_info *sta)
+static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
 {
-	if (sta->sae->sync > dot11RSNASAESync) {
+	if (sta->sae->sync > hapd->conf->sae_sync) {
 		sta->sae->state = SAE_NOTHING;
 		sta->sae->sync = 0;
 		return -1;
@@ -534,7 +531,7 @@ static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
 	struct sta_info *sta = eloop_data;
 	int ret;
 
-	if (sae_check_big_sync(sta))
+	if (sae_check_big_sync(hapd, sta))
 		return;
 	sta->sae->sync++;
 	wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
@@ -667,7 +664,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 		 * In mesh case, follow SAE finite state machine and
 		 * send Commit now, if sync count allows.
 		 */
-		if (sae_check_big_sync(sta))
+		if (sae_check_big_sync(hapd, sta))
 			return WLAN_STATUS_SUCCESS;
 		sta->sae->sync++;
 
@@ -699,7 +696,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 	case SAE_CONFIRMED:
 		sae_clear_retransmit_timer(hapd, sta);
 		if (auth_transaction == 1) {
-			if (sae_check_big_sync(sta))
+			if (sae_check_big_sync(hapd, sta))
 				return WLAN_STATUS_SUCCESS;
 			sta->sae->sync++;
 
@@ -727,7 +724,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 			ap_free_sta(hapd, sta);
 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
 		} else {
-			if (sae_check_big_sync(sta))
+			if (sae_check_big_sync(hapd, sta))
 				return WLAN_STATUS_SUCCESS;
 			sta->sae->sync++;
 
diff --git a/src/common/sae.h b/src/common/sae.h
index a4270bc22..c85316f5a 100644
--- a/src/common/sae.h
+++ b/src/common/sae.h
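Review bot: `sae_check_big_sync()` now enforces a per-BSS policy but still has no comment stating its contract, even though four hunks here depend on the same `if (sae_check_big_sync(hapd, sta)) return …; sta->sae->sync++;` pattern; propose above the definition: `/* Return -1 and reset the SAE instance (state SAE_NOTHING, sync 0) once sta->sae->sync exceeds the configured dot11RSNASAESync limit hapd->conf->sae_sync; callers increment sync only after this check passes. */`. The comparison `sta->sae->sync > hapd->conf->sae_sync` is unsigned on both sides only because the sae.h hunk of this same commit changes `sync` to `unsigned int`; applied without it, the compare would mix signed and unsigned. In auth_sae_retransmit_timer, `hapd` is presumably bound from `eloop_ctx` on a line just above the hunk; that function body starts and ends outside the hunk, so this should be confirmed.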
@@ -48,7 +48,7 @@ struct sae_data {
 	u8 pmkid[SAE_PMKID_LEN];
 	struct crypto_bignum *peer_commit_scalar;
 	int group;
-	int sync;
+	unsigned int sync; /* protocol instance variable: Sync */
 	struct sae_temporary_data *tmp;
 };
 
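Review bot: Changing `sync` from `int` to `unsigned int` alters the type of every existing use of `sta->sae->sync` outside this hunk; any `%d` format argument or comparison against a signed value on that field needs updating (`%u` for printing), since a format/argument type mismatch is undefined behaviour even where it happens to print correctly. The `wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR` message in src/ap/ieee802_11.c, whose continuation lies past its hunk, is one place to check if it prints the counter. struct sae_data begins outside this hunk.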