[PATCH 0/4] Fix mesh anti-clogging functionality

Masashi Honma masashi.honma
Wed Nov 26 17:26:37 PST 2014

2014-11-25 23:57 GMT+09:00 Jouni Malinen <j at w1.fi>:
> On Tue, Nov 25, 2014 at 11:04:39AM +0900, Masashi Honma wrote:
>> The mesh anti-clogging functionality is implemented partially. So it causes
>> some issues. This patchset implements it and fixes some issues.
>> Masashi Honma (4):
>>   mesh: Fix anti-clogging functionality for mesh
>>   SAE: Fix Anti-Clogging Token request frame format
> Thanks! Applied those two with some changes.
>>   SAE: Fix confirm frame tx on error path
>>   SAE: Fix auth_transaction error handling


> As noted in previous emails, these do not look correct to me, so I
> dropped these. If there are issues with continuous frame exchanges in
> error cases, I'd claim that the other end of the connection should be
> fixed (and assuming that this wpa_supplicant, those changes would be
> somewhere else in SAE/authentication processing). I did not see these
> issues when trying to force those error paths to trigger in
> infrastructure BSS cases (didn't try mesh, though).

Thank you for your review.

Unfortunately, continuous frame exchanges still occurs on mesh case.
And all peers are wpa_supplicant (all uses identical source code).
My reproduction way for 3/4 is
- use only 2 peers
- for peer1. set sae_anti_clogging_threshold to 0
- for peer2. insert a test code to sae_check_confirm() to fail only first time
The code is like this.

diff --git a/src/common/sae.c b/src/common/sae.c
index 87d49b6..76533bb 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1024,11 +1024,18 @@ void sae_write_confirm(struct sae_data *sae,
struct wpabuf *buf)
                                   wpabuf_put(buf, SHA256_MAC_LEN));

+static int first = 1;

 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
        u8 verifier[SHA256_MAC_LEN];

+       if (first) {
+               first = 0;
+               wpa_printf(MSG_INFO, "SAE: %s failed", __func__);
+               return -1;
+       }
        if (len < 2 + SHA256_MAC_LEN) {
                wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
                return -1;

So I will modify previous patches to fix this matter.

More information about the Hostap mailing list