WPS: Disable AP PIN after 10 consecutive failures

While the exponential increase in the lockout period provides an
efficient mitigation mechanism against brute force attacks, this
additional trigger to enter indefinite lockout period (cleared by
restarting hostapd) will limit attacks even further by giving maximum of
10 attempts (without authorized user action) even in a very long term
attack.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

2 files changed, 10 insertions, 1 deletions

diff --git a/src/wps/wps.h b/src/wps/wps.h
index 4986881..389be3e 100644
--- a/src/wps/wps.h
+++ b/src/wps/wps.h
@@ -457,7 +457,12 @@ enum wps_event {
 	/**
 	 * WPS_EV_ER_SET_SELECTED_REGISTRAR - ER: SetSelectedRegistrar event
 	 */
-	WPS_EV_ER_SET_SELECTED_REGISTRAR
+	WPS_EV_ER_SET_SELECTED_REGISTRAR,
+
+	/**
+	 * WPS_EV_AP_PIN_SUCCESS - External Registrar used correct AP PIN
+	 */
+	WPS_EV_AP_PIN_SUCCESS
 };
 
 /**
diff --git a/src/wps/wps_enrollee.c b/src/wps/wps_enrollee.c
index 9aef10f..60d5b7e 100644
--- a/src/wps/wps_enrollee.c
+++ b/src/wps/wps_enrollee.c
@@ -1064,6 +1064,10 @@ static enum wps_process_res wps_process_m6(struct wps_data *wps,
 	}
 	wpabuf_free(decrypted);
 
+	if (wps->wps->ap)
+		wps->wps->event_cb(wps->wps->cb_ctx, WPS_EV_AP_PIN_SUCCESS,
+				   NULL);
+
 	wps->state = SEND_M7;
 	return WPS_CONTINUE;
 }