[PATCH v2 08/14] AP: Move anti clogging handling code
Ilan Peer
ilan.peer at intel.com
Wed Dec 16 06:00:59 EST 2020
The anti-clogging code was under CONFIG_SAE. Move it
around so it can be used both with CONFIG_SAE and
CONFIG_PASN.
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
src/ap/ieee802_11.c | 308 +++++++++++++++++++++++---------------------
1 file changed, 158 insertions(+), 150 deletions(-)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0a24e297ff..0f5a3a27c0 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -473,6 +473,164 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
}
#endif /* CONFIG_IEEE80211R_AP */
+#if defined(CONFIG_SAE) || defined(CONFIG_PASN)
+
+static int use_anti_clogging(struct hostapd_data *hapd)
+{
+ struct sta_info *sta;
+ unsigned int open = 0;
+
+ if (hapd->conf->anti_clogging_threshold == 0)
+ return 1;
+
+ for (sta = hapd->sta_list; sta; sta = sta->next) {
+#ifdef CONFIG_SAE
+ if (!sta->sae)
+ continue;
+ if (sta->sae->state != SAE_COMMITTED &&
+ sta->sae->state != SAE_CONFIRMED)
+ continue;
+ open++;
+#endif /* CONFIG_SAE */
+
+ if (open >= hapd->conf->anti_clogging_threshold)
+ return 1;
+ }
+
+#ifdef CONFIG_SAE
+ /* In addition to already existing open SAE sessions, check whether
+ * there are enough pending commit messages in the processing queue to
+ * potentially result in too many open sessions. */
+ if (open + dl_list_len(&hapd->sae_commit_queue) >=
+ hapd->conf->anti_clogging_threshold)
+ return 1;
+#endif /* CONFIG_SAE */
+
+ return 0;
+}
+
+
+static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
+ u8 *idx)
+{
+ u8 hash[SHA256_MAC_LEN];
+
+ if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
+ addr, ETH_ALEN, hash) < 0)
+ return -1;
+
+ *idx = hash[0];
+ return 0;
+}
+
+
+static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
+ const u8 *token, size_t token_len)
+{
+ u8 mac[SHA256_MAC_LEN];
+ const u8 *addrs[2];
+ size_t len[2];
+ u16 token_idx;
+ u8 idx;
+
+ if (token_len != SHA256_MAC_LEN ||
+ comeback_token_hash(hapd, addr, &idx) < 0)
+ return -1;
+
+ token_idx = hapd->comeback_pending_idx[idx];
+ if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
+ wpa_printf(MSG_DEBUG,
+ "Comeback: Invalid anti-clogging token from "
+ MACSTR " - token_idx 0x%04x, expected 0x%04x",
+ MAC2STR(addr), WPA_GET_BE16(token), token_idx);
+ return -1;
+ }
+
+ addrs[0] = addr;
+ len[0] = ETH_ALEN;
+ addrs[1] = token;
+ len[1] = 2;
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
+ 2, addrs, len, mac) < 0 ||
+ os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
+ return -1;
+
+ hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
+
+ return 0;
+}
+
+
+static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
+ int group, const u8 *addr, int h2e)
+{
+ struct wpabuf *buf;
+ u8 *token;
+ struct os_reltime now;
+ u8 idx[2];
+ const u8 *addrs[2];
+ size_t len[2];
+ u8 p_idx;
+ u16 token_idx;
+
+ os_get_reltime(&now);
+ if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
+ os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
+ hapd->comeback_idx == 0xffff) {
+ if (random_get_bytes(hapd->comeback_key,
+ sizeof(hapd->comeback_key)) < 0)
+ return NULL;
+ wpa_hexdump(MSG_DEBUG,
+ "Comeback: Updated token key",
+ hapd->comeback_key, sizeof(hapd->comeback_key));
+ hapd->last_comeback_key_update = now;
+ hapd->comeback_idx = 0;
+ os_memset(hapd->comeback_pending_idx, 0,
+ sizeof(hapd->comeback_pending_idx));
+ }
+
+ buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
+ if (buf == NULL)
+ return NULL;
+
+ wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
+
+ if (h2e) {
+ /* Encapsulate Anti-clogging Token field in a container IE */
+ wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
+ wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
+ wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
+ }
+
+ if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+
+ token_idx = hapd->comeback_pending_idx[p_idx];
+ if (!token_idx) {
+ hapd->comeback_idx++;
+ token_idx = hapd->comeback_idx;
+ hapd->comeback_pending_idx[p_idx] = token_idx;
+ }
+ WPA_PUT_BE16(idx, token_idx);
+ token = wpabuf_put(buf, SHA256_MAC_LEN);
+ addrs[0] = addr;
+ len[0] = ETH_ALEN;
+ addrs[1] = idx;
+ len[1] = sizeof(idx);
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
+ 2, addrs, len, token) < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ WPA_PUT_BE16(token, token_idx);
+
+ return buf;
+}
+
+
+#endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
#ifdef CONFIG_SAE
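Review bot: In a build with CONFIG_PASN but without CONFIG_SAE, the loop in `use_anti_clogging()` never increments `open`, so the function returns 0 for any non-zero `anti_clogging_threshold` and anti-clogging is only reported as needed when the threshold is 0. Nothing in this hunk counts open PASN sessions; if a later patch in the series adds that, a comment next to the inner `#ifdef CONFIG_SAE` such as `/* TODO: count pending PASN sessions here as well */` would make the gap explicit. Until then the `open >= hapd->conf->anti_clogging_threshold` test inside the loop is dead work in the PASN-only configuration. Separately, `auth_build_token_req()` writes the freshly generated `comeback_key` to the debug log with `wpa_hexdump()`; since that key authenticates the tokens, `wpa_hexdump_key(MSG_DEBUG, "Comeback: Updated token key", ...)` would keep it out of logs unless key display is enabled.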
@@ -685,156 +843,6 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd,
}
-static int use_anti_clogging(struct hostapd_data *hapd)
-{
- struct sta_info *sta;
- unsigned int open = 0;
-
- if (hapd->conf->anti_clogging_threshold == 0)
- return 1;
-
- for (sta = hapd->sta_list; sta; sta = sta->next) {
- if (!sta->sae)
- continue;
- if (sta->sae->state != SAE_COMMITTED &&
- sta->sae->state != SAE_CONFIRMED)
- continue;
- open++;
- if (open >= hapd->conf->anti_clogging_threshold)
- return 1;
- }
-
- /* In addition to already existing open SAE sessions, check whether
- * there are enough pending commit messages in the processing queue to
- * potentially result in too many open sessions. */
- if (open + dl_list_len(&hapd->sae_commit_queue) >=
- hapd->conf->anti_clogging_threshold)
- return 1;
-
- return 0;
-}
-
-
-static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
- u8 *idx)
-{
- u8 hash[SHA256_MAC_LEN];
-
- if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
- addr, ETH_ALEN, hash) < 0)
- return -1;
-
- *idx = hash[0];
- return 0;
-}
-
-
-static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
- const u8 *token, size_t token_len)
-{
- u8 mac[SHA256_MAC_LEN];
- const u8 *addrs[2];
- size_t len[2];
- u16 token_idx;
- u8 idx;
-
- if (token_len != SHA256_MAC_LEN ||
- comeback_token_hash(hapd, addr, &idx) < 0)
- return -1;
-
- token_idx = hapd->comeback_pending_idx[idx];
- if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
- wpa_printf(MSG_DEBUG,
- "Comeback: Invalid anti-clogging token from "
- MACSTR " - token_idx 0x%04x, expected 0x%04x",
- MAC2STR(addr), WPA_GET_BE16(token), token_idx);
- return -1;
- }
-
- addrs[0] = addr;
- len[0] = ETH_ALEN;
- addrs[1] = token;
- len[1] = 2;
- if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
- 2, addrs, len, mac) < 0 ||
- os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
- return -1;
-
- hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
-
- return 0;
-}
-
-
-static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
- int group, const u8 *addr, int h2e)
-{
- struct wpabuf *buf;
- u8 *token;
- struct os_reltime now;
- u8 idx[2];
- const u8 *addrs[2];
- size_t len[2];
- u8 p_idx;
- u16 token_idx;
-
- os_get_reltime(&now);
- if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
- os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
- hapd->comeback_idx == 0xffff) {
- if (random_get_bytes(hapd->comeback_key,
- sizeof(hapd->comeback_key)) < 0)
- return NULL;
- wpa_hexdump(MSG_DEBUG,
- "Comeback: Updated token key",
- hapd->comeback_key, sizeof(hapd->comeback_key));
- hapd->last_comeback_key_update = now;
- hapd->comeback_idx = 0;
- os_memset(hapd->comeback_pending_idx, 0,
- sizeof(hapd->comeback_pending_idx));
- }
-
- buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
- if (buf == NULL)
- return NULL;
-
- wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
-
- if (h2e) {
- /* Encapsulate Anti-clogging Token field in a container IE */
- wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
- wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
- wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
- }
-
- if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
- wpabuf_free(buf);
- return NULL;
- }
-
- token_idx = hapd->comeback_pending_idx[p_idx];
- if (!token_idx) {
- hapd->comeback_idx++;
- token_idx = hapd->comeback_idx;
- hapd->comeback_pending_idx[p_idx] = token_idx;
- }
- WPA_PUT_BE16(idx, token_idx);
- token = wpabuf_put(buf, SHA256_MAC_LEN);
- addrs[0] = addr;
- len[0] = ETH_ALEN;
- addrs[1] = idx;
- len[1] = sizeof(idx);
- if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
- 2, addrs, len, token) < 0) {
- wpabuf_free(buf);
- return NULL;
- }
- WPA_PUT_BE16(token, token_idx);
-
- return buf;
-}
-
-
static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
{
if (sta->sae->sync > hapd->conf->sae_sync) {
--
2.17.1