[v2,16/17] MLD STA: Store AP MLD address in PMKSA entries

Message ID	1664612489-29288-17-git-send-email-quic_vjakkam@quicinc.com
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Veerendranath Jakkam <quic_vjakkam@quicinc.com> To: <hostap@lists.infradead.org> CC: <quic_vjakkam@quicinc.com> Subject: [PATCH v2 16/17] MLD STA: Store AP MLD address in PMKSA entries Date: Sat, 1 Oct 2022 13:51:28 +0530 Message-ID: <1664612489-29288-17-git-send-email-quic_vjakkam@quicinc.com> In-Reply-To: <1664612489-29288-1-git-send-email-quic_vjakkam@quicinc.com> References: <1664612489-29288-1-git-send-email-quic_vjakkam@quicinc.com> MIME-Version: 1.0 preview: For MLO connection AP MLD address is the authenticator address thus store AP MLD address in PMKSA entries instead of assoc link BSSID. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com> --- src/rsn_supp/wpa.c \| 14 +++++++------- src/rsn_supp/wpa.h \| 4 ++-- wpa_supplicant/events.c \| 7 +++++-- wpa_supplicant/sme.c \| 26 ++++ [...] Content analysis details: (-0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [205.220.180.131 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	MLD STA: Add support for four-way handshake and SAE external authentication \| expand [v2,00/17] MLD STA: Add support for four-way handshake and SAE external authentication [v2,01/17] EHT: Add definitions for STA Control fields of Basic Multi-Link element [v2,02/17] EHT: Add support to parse Multi-Link elements [v2,03/17] EHT: Add support for Multi-Link element defragmentation [v2,04/17] MLD STA: Fetch MLO assoc link ID info to core wpa_supplicant [v2,05/17] MLD STA: set MLO connection info to wpa_sm [v2,06/17] MLD STA: Add MLO KDEs for 2/4 and 4/4 EAPOL frames [v2,07/17] MLD STA: Use AP MLD address to derive pairwise keys [v2,08/17] MLD STA: Configure pairwise keys using AP MLD address [v2,09/17] MLD STA: Add support to configure keys with MLO link ID [v2,10/17] MLD STA: Add support for processing EAPOL 3/4 frame [v2,11/17] MLD STA: Add support for validating MLO KDEs for 4WHS EAPOL frames [v2,12/17] MLD STA: Use AP MLD address as destination for 4WHS EAPOL frames [v2,13/17] MLD STA: Add support for group rekeying [v2,14/17] MLD STA: Add support to process M1 received before association event [v2,15/17] MLD STA: Add support for SAE external authentication [v2,16/17] MLD STA: Store AP MLD address in PMKSA entries [v2,17/17] MLD STA: Indicate supplicant MLO support to driver's SME

Message ID

1664612489-29288-17-git-send-email-quic_vjakkam@quicinc.com

State

Changes Requested

Headers

From: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
To: <hostap@lists.infradead.org>
CC: <quic_vjakkam@quicinc.com>
Subject: [PATCH v2 16/17] MLD STA: Store AP MLD address in PMKSA entries
Date: Sat, 1 Oct 2022 13:51:28 +0530
Message-ID: <1664612489-29288-17-git-send-email-quic_vjakkam@quicinc.com>
In-Reply-To: <1664612489-29288-1-git-send-email-quic_vjakkam@quicinc.com>
References: <1664612489-29288-1-git-send-email-quic_vjakkam@quicinc.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

MLD STA: Add support for four-way handshake and SAE external authentication | expand

Commit Message

Veerendranath Jakkam Oct. 1, 2022, 8:21 a.m. UTC

For MLO connection AP MLD address is the authenticator address thus
store AP MLD address in PMKSA entries instead of assoc link BSSID.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
---
 src/rsn_supp/wpa.c              | 14 +++++++-------
 src/rsn_supp/wpa.h              |  4 ++--
 wpa_supplicant/events.c         |  7 +++++--
 wpa_supplicant/sme.c            | 26 +++++++++++++++++++++++---
 wpa_supplicant/wpa_supplicant.c |  6 +++++-
 5 files changed, 42 insertions(+), 15 deletions(-)

Comments

Peer, Ilan Oct. 3, 2022, 12:30 p.m. UTC | #1

Hi,

> -----Original Message-----
> From: Hostap <hostap-bounces@lists.infradead.org> On Behalf Of
> Veerendranath Jakkam
> Sent: Saturday, October 01, 2022 11:21
> To: hostap@lists.infradead.org
> Cc: quic_vjakkam@quicinc.com
> Subject: [PATCH v2 16/17] MLD STA: Store AP MLD address in PMKSA entries
> 
> For MLO connection AP MLD address is the authenticator address thus store
> AP MLD address in PMKSA entries instead of assoc link BSSID.
> 

Question: Don't we also want to store it per BSSID, so it could later be used in case the station for some reason decided to associate
with one of the BSSs, without setting up a MLD connection.

Regards,

Ilan.

Veerendranath Jakkam Oct. 16, 2022, 1:26 p.m. UTC | #2

On 10/3/2022 6:00 PM, Peer, Ilan wrote:
> Hi,
>
>> -----Original Message-----
>> From: Hostap <hostap-bounces@lists.infradead.org> On Behalf Of
>> Veerendranath Jakkam
>> Sent: Saturday, October 01, 2022 11:21
>> To: hostap@lists.infradead.org
>> Cc: quic_vjakkam@quicinc.com
>> Subject: [PATCH v2 16/17] MLD STA: Store AP MLD address in PMKSA entries
>>
>> For MLO connection AP MLD address is the authenticator address thus store
>> AP MLD address in PMKSA entries instead of assoc link BSSID.
>>
> Question: Don't we also want to store it per BSSID, so it could later be used in case the station for some reason decided to associate
> with one of the BSSs, without setting up a MLD connection.

Agree, That would be valid case. I will fix in v3 series.

- veeru

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index b454159..3e1ceb3 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2370,7 +2370,7 @@  static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm,
 
 		sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
 				     sm->ptk.kck, sm->ptk.kck_len,
-				     sm->bssid, sm->own_addr,
+				     wpa_sm_get_auth_addr(sm), sm->own_addr,
 				     sm->network_ctx, sm->key_mgmt, NULL);
 		if (!sm->cur_pmksa)
 			sm->cur_pmksa = sa;
@@ -3974,12 +3974,12 @@  void wpa_sm_notify_disassoc(struct wpa_sm *sm)
  * @pmk: The new PMK
  * @pmk_len: The length of the new PMK in bytes
  * @pmkid: Calculated PMKID
- * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
+ * @auth_addr: AA to add into PMKSA cache or %NULL to not cache the PMK
  *
  * Configure the PMK for WPA state machine.
  */
 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
-		    const u8 *pmkid, const u8 *bssid)
+		    const u8 *pmkid, const u8 *auth_addr)
 {
 	if (sm == NULL)
 		return;
@@ -3995,9 +3995,9 @@  void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
 	os_memcpy(sm->xxkey, pmk, pmk_len);
 #endif /* CONFIG_IEEE80211R */
 
-	if (bssid) {
+	if (auth_addr) {
 		sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
-						pmkid, NULL, 0, bssid,
+						pmkid, NULL, 0, auth_addr,
 						sm->own_addr,
 						sm->network_ctx, sm->key_mgmt,
 						NULL);
@@ -6026,7 +6026,7 @@  fail:
 }
 
 
-int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
+int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr,
 			   const u8 *resp_ies, size_t resp_ies_len)
 {
 	struct ieee802_11_elems elems;
@@ -6177,7 +6177,7 @@  int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
 	pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
-			bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
+			auth_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt,
 			NULL);
 
 	return 0;
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index 3d6574f..8050236 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -153,7 +153,7 @@  void wpa_sm_deinit(struct wpa_sm *sm);
 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid);
 void wpa_sm_notify_disassoc(struct wpa_sm *sm);
 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
-		    const u8 *pmkid, const u8 *bssid);
+		    const u8 *pmkid, const u8 *auth_addr);
 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm);
 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth);
 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx);
@@ -567,7 +567,7 @@  struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len);
 
 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group);
-int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
+int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr,
 			   const u8 *resp_ies, size_t resp_ies_len);
 
 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set);
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index ce88cc9..4069e4b 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3113,7 +3113,8 @@  static int wpa_supplicant_event_associnfo(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_OWE
 	if (wpa_s->key_mgmt == WPA_KEY_MGMT_OWE &&
 	    (!bssid_known ||
-	     owe_process_assoc_resp(wpa_s->wpa, bssid,
+	     owe_process_assoc_resp(wpa_s->wpa,
+				    wpa_s->valid_links ? wpa_s->ap_mld_addr : bssid,
 				    data->assoc_info.resp_ies,
 				    data->assoc_info.resp_ies_len) < 0)) {
 		wpa_supplicant_deauthenticate(wpa_s, WLAN_REASON_UNSPECIFIED);
@@ -5000,7 +5001,9 @@  static void wpa_supplicant_event_assoc_auth(struct wpa_supplicant *wpa_s,
 					       data->assoc_info.fils_pmk,
 					       data->assoc_info.fils_pmk_len,
 					       data->assoc_info.fils_pmkid,
-					       wpa_s->bssid, fils_cache_id);
+					       wpa_s->valid_links ?
+					       wpa_s->ap_mld_addr : wpa_s->bssid,
+					       fils_cache_id);
 		} else if (data->assoc_info.fils_pmkid) {
 			/* Update the current PMKSA used for this connection */
 			pmksa_cache_set_current(wpa_s->wpa,
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index ce409d5..084de3d 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1531,12 +1531,12 @@  static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 }
 
 
-static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid)
+static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *auth_addr)
 {
 	wpa_printf(MSG_DEBUG,
 		   "SME: SAE completed - setting PMK for 4-way handshake");
 	wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, wpa_s->sme.sae.pmk_len,
-		       wpa_s->sme.sae.pmkid, bssid);
+		       wpa_s->sme.sae.pmkid, auth_addr);
 	if (wpa_s->conf->sae_pmkid_in_assoc) {
 		/* Update the own RSNE contents now that we have set the PMK
 		 * and added a PMKSA cache entry based on the successfully
@@ -1580,6 +1580,8 @@  void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s,
 
 	if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) {
 		int res;
+		struct wpa_bss *bss;
+		const u8 *auth_addr;
 
 		res = sme_sae_auth(
 			wpa_s, le_to_host16(header->u.auth.auth_transaction),
@@ -1598,7 +1600,25 @@  void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s,
 		if (res != 1)
 			return;
 
-		if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0)
+		auth_addr = wpa_s->sme.ext_auth_bssid;
+		if (wpa_s->sme.ext_ml_auth) {
+			bss = wpa_bss_get_bssid_latest(
+				wpa_s, wpa_s->sme.ext_auth_bssid);
+			if (!bss) {
+				wpa_printf(MSG_INFO,
+					   "MLO SAE: BSS not available, update scan result to get BSS");
+				wpa_supplicant_update_scan_results(wpa_s);
+				bss = wpa_bss_get_bssid_latest(
+					wpa_s, wpa_s->sme.ext_auth_bssid);
+			}
+			if (bss && !is_zero_ether_addr(bss->mld_addr))
+				auth_addr = bss->mld_addr;
+			else
+				wpa_printf(MSG_INFO,
+					   "MLO SAE: AP MLD address fetch failed");
+		}
+
+		if (sme_sae_set_pmk(wpa_s, auth_addr) < 0)
 			return;
 	}
 }
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 7fbf5f3..e568413 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -3101,6 +3101,10 @@  static u8 * wpas_populate_assoc_ies(
 	    wpa_key_mgmt_wpa(ssid->key_mgmt)) {
 		int try_opportunistic;
 		const u8 *cache_id = NULL;
+		const u8 *auth_addr = bss->bssid;
+
+		if (!is_zero_ether_addr(bss->mld_addr))
+			auth_addr = bss->mld_addr;
 
 		try_opportunistic = (ssid->proactive_key_caching < 0 ?
 				     wpa_s->conf->okc :
@@ -3110,7 +3114,7 @@  static u8 * wpas_populate_assoc_ies(
 		if (wpa_key_mgmt_fils(ssid->key_mgmt))
 			cache_id = wpa_bss_get_fils_cache_id(bss);
 #endif /* CONFIG_FILS */
-		if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
+		if (pmksa_cache_set_current(wpa_s->wpa, NULL, auth_addr,
 					    ssid, try_opportunistic,
 					    cache_id, 0) == 0) {
 			eapol_sm_notify_pmkid_attempt(wpa_s->eapol);

[v2,16/17] MLD STA: Store AP MLD address in PMKSA entries

Commit Message

Comments

Patch