[PATCH 3/3] mesh: Fix remaining BLOCKED state after SAE auth failure

Masashi Honma masashi.honma
Thu Feb 5 06:00:01 PST 2015


When SAE authentication failed, wpa_supplicant retries four times. If all the
retries resulted in failure, SAE state machine enters BLOCKED state. Once it
entered the state, wpa_supplicant doesn't retry to re-connect any more. This
patch re-tries to connect even if the state machine entered BLOCKED state.

There could be an opinion "Is this patch needed ? User could know the SAE state
machine is in the BLOCKED mode by MESH-SAE-AUTH-BLOCKED event. Then user can
retry connection. By user action, SAE state machine can change the state from
BLOCKED to another.". Yes, this is a true at the joining mesh STA. But at the
being joined STA (this STA is already a menber of existing mesh BSS) should not
retry connection. Because if the joining mesh STA used wrong password, all the
exsting STA should do something from UI to retry connection.

Signed-off-by: Masashi Honma <masashi.honma at gmail.com>
---
 wpa_supplicant/mesh_rsn.c         | 12 ++++++++++++
 wpa_supplicant/wpa_supplicant_i.h |  1 +
 2 files changed, 13 insertions(+)

diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
index 148c292..32823e2 100644
--- a/wpa_supplicant/mesh_rsn.c
+++ b/wpa_supplicant/mesh_rsn.c
@@ -27,6 +27,7 @@
 
 #define MESH_AUTH_TIMEOUT 10
 #define MESH_AUTH_RETRY 3
+#define MESH_AUTH_BLOCK_DURATION (3600)
 
 
 void mesh_auth_timer(void *eloop_ctx, void *user_data)
@@ -43,9 +44,19 @@ void mesh_auth_timer(void *eloop_ctx, void *user_data)
 		if (sta->sae_auth_retry < MESH_AUTH_RETRY) {
 			mesh_rsn_auth_sae_sta(wpa_s, sta);
 		} else {
+			if (sta->sae_auth_retry > MESH_AUTH_RETRY) {
+				ap_free_sta(wpa_s->ifmsh->bss[0], sta);
+				return;
+			}
+
 			/* block the STA if exceeded the number of attempts */
 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_BLOCKED);
 			sta->sae->state = SAE_NOTHING;
+			if (wpa_s->mesh_auth_block_duration <
+			    MESH_AUTH_BLOCK_DURATION)
+				wpa_s->mesh_auth_block_duration += 60;
+			eloop_register_timeout(wpa_s->mesh_auth_block_duration,
+					       0, mesh_auth_timer, wpa_s, sta);
 			wpa_msg(wpa_s, MSG_WARNING, MESH_SAE_AUTH_BLOCKED
 				"addr=" MACSTR " duration=%d",
 				MAC2STR(sta->addr),
@@ -306,6 +317,7 @@ int mesh_rsn_auth_sae_sta(struct wpa_supplicant *wpa_s,
 	if (ret)
 		return ret;
 
+	eloop_cancel_timeout(mesh_auth_timer, wpa_s, sta);
 	rnd = rand() % MESH_AUTH_TIMEOUT;
 	eloop_register_timeout(MESH_AUTH_TIMEOUT + rnd, 0, mesh_auth_timer,
 			       wpa_s, sta);
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index c80a620..05c3d92 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -712,6 +712,7 @@ struct wpa_supplicant {
 	int mesh_if_idx;
 	unsigned int mesh_if_created:1;
 	unsigned int mesh_ht_enabled:1;
+	int mesh_auth_block_duration; /* sec */
 #endif /* CONFIG_MESH */
 
 	unsigned int off_channel_freq;
-- 
2.1.0




More information about the Hostap mailing list