PASN authentication mandates support for comeback flow, which among others can be used for anti-clogging purposes. As the SAE support for anti clogging can also be used for PASN, start modifying the source code so the anti clogging support can be used for both SAE and PASN. As a start, rename some variables/functions etc. so that they would not be SAE specific. Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx> --- hostapd/config_file.c | 4 +-- src/ap/ap_config.c | 2 +- src/ap/ap_config.h | 2 +- src/ap/hostapd.h | 8 ++--- src/ap/ieee802_11.c | 67 +++++++++++++++++++++-------------------- tests/hwsim/test_sae.py | 8 ++--- 6 files changed, 47 insertions(+), 44 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 90c24d806b..e8b1d544d2 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -4178,8 +4178,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } else if (os_strcmp(buf, "assocresp_elements") == 0) { if (parse_wpabuf_hex(line, buf, &bss->assocresp_elements, pos)) return 1; - } else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) { - bss->sae_anti_clogging_threshold = atoi(pos); + } else if (os_strcmp(buf, "anti_clogging_threshold") == 0) { + bss->anti_clogging_threshold = atoi(pos); } else if (os_strcmp(buf, "sae_sync") == 0) { bss->sae_sync = atoi(pos); } else if (os_strcmp(buf, "sae_groups") == 0) { diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index c6a63c6ca7..72ee55d2e4 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -111,7 +111,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->radius_das_time_window = 300; - bss->sae_anti_clogging_threshold = 5; + bss->anti_clogging_threshold = 5; bss->sae_sync = 5; bss->gas_frag_limit = 1400; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index af9e86fb6e..473bf869ba 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h 
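Review bot: The config_file.c hunk replaces the `sae_anti_clogging_threshold` key outright instead of aliasing it, so any deployed hostapd.conf that sets the old name will no longer match this branch and, if unknown parameters are rejected the way the rest of hostapd_config_fill does (not visible in the hunk), will fail to load rather than fall back to the default of 5 from ap_config.c. Because the threshold is a DoS-resistance knob, losing or rejecting it on upgrade is worth avoiding; accept both spellings for a transition period: `} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0 ||` / `           os_strcmp(buf, "anti_clogging_threshold") == 0) {` / `	bss->anti_clogging_threshold = atoi(pos);`. The diffstat also does not list hostapd/hostapd.conf, so the parameter presumably is still documented there under the old name and should be updated in the same change. hostapd_config_fill starts and ends outside the hunk.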
@@ -648,7 +648,7 @@ struct hostapd_bss_config { struct wpabuf *vendor_elements; struct wpabuf *assocresp_elements; - unsigned int sae_anti_clogging_threshold; + unsigned int anti_clogging_threshold; unsigned int sae_sync; int sae_require_mfp; int sae_confirm_immediate; diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h index f5a7a5b658..d82ac08c7b 100644 --- a/src/ap/hostapd.h +++ b/src/ap/hostapd.h @@ -318,10 +318,10 @@ struct hostapd_data { #ifdef CONFIG_SAE /** Key used for generating SAE anti-clogging tokens */ - u8 sae_token_key[8]; - struct os_reltime last_sae_token_key_update; - u16 sae_token_idx; - u16 sae_pending_token_idx[256]; + u8 comeback_key[8]; + struct os_reltime last_comeback_key_update; + u16 comeback_idx; + u16 comeback_pending_idx[256]; int dot11RSNASAERetransPeriod; /* msec */ struct dl_list sae_commit_queue; /* struct hostapd_sae_commit_queue */ #endif /* CONFIG_SAE */ diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 6b36ec0d84..20d65b257f 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -584,12 +584,12 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd, } -static int use_sae_anti_clogging(struct hostapd_data *hapd) +static int use_anti_clogging(struct hostapd_data *hapd) { struct sta_info *sta; unsigned int open = 0; - if (hapd->conf->sae_anti_clogging_threshold == 0) + if (hapd->conf->anti_clogging_threshold == 0) return 1; for (sta = hapd->sta_list; sta; sta = sta->next) { @@ -599,7 +599,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd) sta->sae->state != SAE_CONFIRMED) continue; open++; - if (open >= hapd->conf->sae_anti_clogging_threshold) + if (open >= hapd->conf->anti_clogging_threshold) return 1; } 
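Review bot: In the hostapd.h hunk the doc comment above the renamed fields still reads `/** Key used for generating SAE anti-clogging tokens */`, which is now the only SAE-specific wording left on a block the commit message says is meant to serve PASN as well; I would change it to `/** Key used for generating comeback (anti-clogging) tokens; shared by SAE and PASN */`. The four renamed fields also remain inside `#ifdef CONFIG_SAE`, so if PASN can be built without SAE the follow-up patches will have to lift them out of that guard (I cannot tell from this patch how PASN is gated, so treat this as a reminder rather than a defect). The struct hostapd_data definition starts and ends outside the hunk.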
@@ -607,25 +607,25 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd) * there are enough pending commit messages in the processing queue to * potentially result in too many open sessions. */ if (open + dl_list_len(&hapd->sae_commit_queue) >= - hapd->conf->sae_anti_clogging_threshold) + hapd->conf->anti_clogging_threshold) return 1; return 0; } -static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr) +static u8 comeback_token_hash(struct hostapd_data *hapd, const u8 *addr) { u8 hash[SHA256_MAC_LEN]; - hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), + hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key), addr, ETH_ALEN, hash); return hash[0]; } -static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, - const u8 *token, size_t token_len) +static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr, + const u8 *token, size_t token_len) { u8 mac[SHA256_MAC_LEN]; const u8 *addrs[2]; @@ -635,10 +635,11 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, if (token_len != SHA256_MAC_LEN) return -1; - idx = sae_token_hash(hapd, addr); - token_idx = hapd->sae_pending_token_idx[idx]; + idx = comeback_token_hash(hapd, addr); + token_idx = hapd->comeback_pending_idx[idx]; if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) { - wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from " + wpa_printf(MSG_DEBUG, + "Comeback: Invalid anti-clogging token from " MACSTR " - token_idx 0x%04x, expected 0x%04x", MAC2STR(addr), WPA_GET_BE16(token), token_idx); return -1; 
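Review bot: use_anti_clogging(), whose tail is in the @@ -607 hunk, still decides whether to demand a comeback token purely from SAE state: the loop in the preceding hunk only counts stations whose `sta->sae->state` is mid-handshake, and the queue check here is `dl_list_len(&hapd->sae_commit_queue)`, so once PASN starts calling this function pending PASN exchanges will not count toward `anti_clogging_threshold` and a flooding peer could open PASN sessions without ever being challenged as long as SAE load stays under the threshold. The commit message presents this as a first step, so that is acceptable for now, but a marker at the top of the function would keep the gap from being forgotten later in the series, e.g. `/* TODO: PASN sessions are not yet counted toward anti_clogging_threshold */`. use_anti_clogging() begins in the previous hunk, and check_comeback_token() continues past the end of this one.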
@@ -648,12 +649,12 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, len[0] = ETH_ALEN; addrs[1] = token; len[1] = 2; - if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), + if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key), 2, addrs, len, mac) < 0 || os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0) return -1; - hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */ + hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */ return 0; } @@ -672,18 +673,19 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, u16 token_idx; os_get_reltime(&now); - if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || - os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) || - hapd->sae_token_idx == 0xffff) { - if (random_get_bytes(hapd->sae_token_key, - sizeof(hapd->sae_token_key)) < 0) + if (!os_reltime_initialized(&hapd->last_comeback_key_update) || + os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) || + hapd->comeback_idx == 0xffff) { + if (random_get_bytes(hapd->comeback_key, + sizeof(hapd->comeback_key)) < 0) return NULL; - wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", - hapd->sae_token_key, sizeof(hapd->sae_token_key)); - hapd->last_sae_token_key_update = now; - hapd->sae_token_idx = 0; - os_memset(hapd->sae_pending_token_idx, 0, - sizeof(hapd->sae_pending_token_idx)); + wpa_hexdump(MSG_DEBUG, + "Comeback: Updated token key", + hapd->comeback_key, sizeof(hapd->comeback_key)); + hapd->last_comeback_key_update = now; + hapd->comeback_idx = 0; + os_memset(hapd->comeback_pending_idx, 0, + sizeof(hapd->comeback_pending_idx)); } buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 
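Review bot: The rewritten hexdump in the @@ -672 hunk still emits the freshly generated comeback key with plain `wpa_hexdump(MSG_DEBUG, ...)`, which puts the HMAC key used to mint and verify anti-clogging tokens into ordinary debug output; anyone with the log could forge valid tokens for the key's lifetime (the hunk rotates it only after 60 seconds or when `comeback_idx` wraps), which defeats the purpose of challenging a flooding peer. Since the line is being rewritten anyway, switch it to the keying-material variant hostapd uses elsewhere, assuming it is available in this file: `wpa_hexdump_key(MSG_DEBUG, "Comeback: Updated token key", hapd->comeback_key, sizeof(hapd->comeback_key));`. auth_build_token_req() starts before this hunk and its remainder is in the next one.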
@@ -692,12 +694,12 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ - p_idx = sae_token_hash(hapd, addr); - token_idx = hapd->sae_pending_token_idx[p_idx]; + p_idx = comeback_token_hash(hapd, addr); + token_idx = hapd->comeback_pending_idx[p_idx]; if (!token_idx) { - hapd->sae_token_idx++; - token_idx = hapd->sae_token_idx; - hapd->sae_pending_token_idx[p_idx] = token_idx; + hapd->comeback_idx++; + token_idx = hapd->comeback_idx; + hapd->comeback_pending_idx[p_idx] = token_idx; } WPA_PUT_BE16(idx, token_idx); token = wpabuf_put(buf, SHA256_MAC_LEN); @@ -705,7 +707,7 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, len[0] = ETH_ALEN; addrs[1] = idx; len[1] = sizeof(idx); - if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), + if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key), 2, addrs, len, token) < 0) { wpabuf_free(buf); return NULL; @@ -1305,7 +1307,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto remove_sta; } - if (token && check_sae_token(hapd, sta->addr, token, token_len) + if (token && check_comeback_token(hapd, sta->addr, token, + token_len) < 0) { wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " "incorrect token from " MACSTR, @@ -1324,7 +1327,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto reply; } - if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) { + if (!token && use_anti_clogging(hapd) && !allow_reuse) { wpa_printf(MSG_DEBUG, "SAE: Request anti-clogging token from " MACSTR, MAC2STR(sta->addr)); diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py index 7e9120c355..6b386c60b0 100644 --- a/tests/hwsim/test_sae.py +++ b/tests/hwsim/test_sae.py 
@@ -258,7 +258,7 @@ def test_sae_anti_clogging(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' - params['sae_anti_clogging_threshold'] = '1' + params['anti_clogging_threshold'] = '1' hostapd.add_ap(apdev[0], params) dev[0].request("SET sae_groups ") @@ -279,7 +279,7 @@ def test_sae_forced_anti_clogging(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE WPA-PSK' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' hostapd.add_ap(apdev[0], params) dev[2].connect("test-sae", psk="12345678", scan_freq="2412") for i in range(0, 2): @@ -293,7 +293,7 @@ def test_sae_mixed(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE WPA-PSK' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' hapd = hostapd.add_ap(apdev[0], params) dev[2].connect("test-sae", psk="12345678", scan_freq="2412") @@ -1671,7 +1671,7 @@ def test_sae_forced_anti_clogging_pw_id(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae") params['wpa_key_mgmt'] = 'SAE' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' params['sae_password'] = 'secret|id=' + 29*'A' hostapd.add_ap(apdev[0], params) for i in range(0, 2): -- 2.17.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap