The anti-clogging code was under CONFIG_SAE. Move it around so it can be used both with CONFIG_SAE and CONFIG_PSAN.
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
 src/ap/ieee802_11.c | 276 +++++++++++++++++++++++---------------------
 1 file changed, 142 insertions(+), 134 deletions(-)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 20d65b257f..1af714f0d0 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -412,6 +412,148 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
 #endif /* CONFIG_IEEE80211R_AP */
+#if defined(CONFIG_SAE) || defined(CONFIG_PASN)
+
+static int use_anti_clogging(struct hostapd_data *hapd)
+{
+ struct sta_info *sta;
+ unsigned int open = 0;
+
+ if (hapd->conf->anti_clogging_threshold == 0)
+ return 1;
+
+ for (sta = hapd->sta_list; sta; sta = sta->next) {
+#ifdef CONFIG_SAE
+ if (!sta->sae)
+ continue;
+ if (sta->sae->state != SAE_COMMITTED &&
+ sta->sae->state != SAE_CONFIRMED)
+ continue;
+ open++;
+#endif /* CONFIG_SAE */
+
+ if (open >= hapd->conf->anti_clogging_threshold)
+ return 1;
+ }
+
+#ifdef CONFIG_SAE
+ /* In addition to already existing open SAE sessions, check whether
+ * there are enough pending commit messages in the processing queue to
+ * potentially result in too many open sessions. */
+ if (open + dl_list_len(&hapd->sae_commit_queue) >=
+ hapd->conf->anti_clogging_threshold)
+ return 1;
+#endif /* CONFIG_SAE */
+
+ return 0;
+}
+
+
+static u8 comeback_token_hash(struct hostapd_data *hapd, const u8 *addr)
+{
+ u8 hash[SHA256_MAC_LEN];
+
+ hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
+ addr, ETH_ALEN, hash);
+ return hash[0];
+}
+
+
+static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
+ const u8 *token, size_t token_len)
+{
+ u8 mac[SHA256_MAC_LEN];
+ const u8 *addrs[2];
+ size_t len[2];
+ u16 token_idx;
+ u8 idx;
+
+ if (token_len != SHA256_MAC_LEN)
+ return -1;
+ idx = comeback_token_hash(hapd, addr);
+ token_idx = hapd->comeback_pending_idx[idx];
+ if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
+ wpa_printf(MSG_DEBUG,
+ "Comeback: Invalid anti-clogging token from "
+ MACSTR " - token_idx 0x%04x, expected 0x%04x",
+ MAC2STR(addr), WPA_GET_BE16(token), token_idx);
+ return -1;
+ }
+
+ addrs[0] = addr;
+ len[0] = ETH_ALEN;
+ addrs[1] = token;
+ len[1] = 2;
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
+ 2, addrs, len, mac) < 0 ||
+ os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
+ return -1;
+
+ hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
+
+ return 0;
+}
+
+
+static struct wpabuf *auth_build_token_req(struct hostapd_data *hapd,
+ int group, const u8 *addr)
+{
+ struct wpabuf *buf;
+ u8 *token;
+ struct os_reltime now;
+ u8 idx[2];
+ const u8 *addrs[2];
+ size_t len[2];
+ u8 p_idx;
+ u16 token_idx;
+
+ os_get_reltime(&now);
+ if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
+ os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
+ hapd->comeback_idx == 0xffff) {
+ if (random_get_bytes(hapd->comeback_key,
+ sizeof(hapd->comeback_key)) < 0)
+ return NULL;
+ wpa_hexdump(MSG_DEBUG,
+ "Comeback: Updated token key",
+ hapd->comeback_key, sizeof(hapd->comeback_key));
+ hapd->last_comeback_key_update = now;
+ hapd->comeback_idx = 0;
+ os_memset(hapd->comeback_pending_idx, 0,
+ sizeof(hapd->comeback_pending_idx));
+ }
+
+ buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
+ if (!buf)
+ return NULL;
+
+ wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
+
+ p_idx = comeback_token_hash(hapd, addr);
+ token_idx = hapd->comeback_pending_idx[p_idx];
+ if (!token_idx) {
+ hapd->comeback_idx++;
+ token_idx = hapd->comeback_idx;
+ hapd->comeback_pending_idx[p_idx] = token_idx;
+ }
+ WPA_PUT_BE16(idx, token_idx);
+ token = wpabuf_put(buf, SHA256_MAC_LEN);
+ addrs[0] = addr;
+ len[0] = ETH_ALEN;
+ addrs[1] = idx;
+ len[1] = sizeof(idx);
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
+ 2, addrs, len, token) < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ WPA_PUT_BE16(token, token_idx);
+
+ return buf;
+}
+
+#endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
+
 #ifdef CONFIG_SAE
 static void sae_set_state(struct sta_info *sta, enum sae_state state,
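Review bot: With CONFIG_PASN enabled and CONFIG_SAE disabled, `use_anti_clogging()` returns 1 only when `anti_clogging_threshold` is 0, because `open++` sits inside `#ifdef CONFIG_SAE` and the remaining `open >= hapd->conf->anti_clogging_threshold` test can never be true for a non-zero threshold. If PASN is expected to get the same flood protection, say so at the function until PASN sessions are counted, e.g. `/* Only SAE sessions are counted here; a PASN-only build returns 0 for any non-zero threshold. */`. Two smaller points in the moved code: `comeback_token_hash()` ignores the return value of `hmac_sha256()` and would return an uninitialized `hash[0]` if it failed, and `wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key", ...)` writes the token HMAC key to the debug log, where `wpa_hexdump_key()` would keep it out unless key logging is enabled.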
@@ -584,140 +726,6 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd,
 }
-static int use_anti_clogging(struct hostapd_data *hapd)
-{
- struct sta_info *sta;
- unsigned int open = 0;
-
- if (hapd->conf->anti_clogging_threshold == 0)
- return 1;
-
- for (sta = hapd->sta_list; sta; sta = sta->next) {
- if (!sta->sae)
- continue;
- if (sta->sae->state != SAE_COMMITTED &&
- sta->sae->state != SAE_CONFIRMED)
- continue;
- open++;
- if (open >= hapd->conf->anti_clogging_threshold)
- return 1;
- }
-
- /* In addition to already existing open SAE sessions, check whether
- * there are enough pending commit messages in the processing queue to
- * potentially result in too many open sessions. */
- if (open + dl_list_len(&hapd->sae_commit_queue) >=
- hapd->conf->anti_clogging_threshold)
- return 1;
-
- return 0;
-}
-
-
-static u8 comeback_token_hash(struct hostapd_data *hapd, const u8 *addr)
-{
- u8 hash[SHA256_MAC_LEN];
-
- hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
- addr, ETH_ALEN, hash);
- return hash[0];
-}
-
-
-static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
- const u8 *token, size_t token_len)
-{
- u8 mac[SHA256_MAC_LEN];
- const u8 *addrs[2];
- size_t len[2];
- u16 token_idx;
- u8 idx;
-
- if (token_len != SHA256_MAC_LEN)
- return -1;
- idx = comeback_token_hash(hapd, addr);
- token_idx = hapd->comeback_pending_idx[idx];
- if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
- wpa_printf(MSG_DEBUG,
- "Comeback: Invalid anti-clogging token from "
- MACSTR " - token_idx 0x%04x, expected 0x%04x",
- MAC2STR(addr), WPA_GET_BE16(token), token_idx);
- return -1;
- }
-
- addrs[0] = addr;
- len[0] = ETH_ALEN;
- addrs[1] = token;
- len[1] = 2;
- if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
- 2, addrs, len, mac) < 0 ||
- os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
- return -1;
-
- hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
-
- return 0;
-}
-
-
-static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
- int group, const u8 *addr)
-{
- struct wpabuf *buf;
- u8 *token;
- struct os_reltime now;
- u8 idx[2];
- const u8 *addrs[2];
- size_t len[2];
- u8 p_idx;
- u16 token_idx;
-
- os_get_reltime(&now);
- if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
- os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
- hapd->comeback_idx == 0xffff) {
- if (random_get_bytes(hapd->comeback_key,
- sizeof(hapd->comeback_key)) < 0)
- return NULL;
- wpa_hexdump(MSG_DEBUG,
- "Comeback: Updated token key",
- hapd->comeback_key, sizeof(hapd->comeback_key));
- hapd->last_comeback_key_update = now;
- hapd->comeback_idx = 0;
- os_memset(hapd->comeback_pending_idx, 0,
- sizeof(hapd->comeback_pending_idx));
- }
-
- buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
- if (buf == NULL)
- return NULL;
-
- wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
-
- p_idx = comeback_token_hash(hapd, addr);
- token_idx = hapd->comeback_pending_idx[p_idx];
- if (!token_idx) {
- hapd->comeback_idx++;
- token_idx = hapd->comeback_idx;
- hapd->comeback_pending_idx[p_idx] = token_idx;
- }
- WPA_PUT_BE16(idx, token_idx);
- token = wpabuf_put(buf, SHA256_MAC_LEN);
- addrs[0] = addr;
- len[0] = ETH_ALEN;
- addrs[1] = idx;
- len[1] = sizeof(idx);
- if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
- 2, addrs, len, token) < 0) {
- wpabuf_free(buf);
- return NULL;
- }
- WPA_PUT_BE16(token, token_idx);
-
- return buf;
-}
-
-
 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
 {
 if (sta->sae->sync > hapd->conf->sae_sync) {
--
2.17.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap