From patchwork Sat Oct 1 08:21:28 2022
X-Patchwork-Submitter: Veerendranath Jakkam
X-Patchwork-Id: 1685173
From: Veerendranath Jakkam
Subject: [PATCH v2 16/17] MLD STA: Store AP MLD address in PMKSA entries
Date: Sat, 1 Oct 2022 13:51:28 +0530
Message-ID: <1664612489-29288-17-git-send-email-quic_vjakkam@quicinc.com>
In-Reply-To: <1664612489-29288-1-git-send-email-quic_vjakkam@quicinc.com>
X-BeenThere: hostap@lists.infradead.org

For MLO connection AP MLD address is the authenticator address thus store AP MLD address in PMKSA entries instead of assoc link BSSID.

Signed-off-by: Veerendranath Jakkam
---
 src/rsn_supp/wpa.c              | 14 +++++++-------
 src/rsn_supp/wpa.h              |  4 ++--
 wpa_supplicant/events.c         |  7 +++++--
 wpa_supplicant/sme.c            | 26 +++++++++++++++++++++++---
 wpa_supplicant/wpa_supplicant.c |  6 +++++-
 5 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index b454159..3e1ceb3 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c
@@ -2370,7 +2370,7 @@ static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm, sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, sm->ptk.kck, sm->ptk.kck_len, - sm->bssid, sm->own_addr, + wpa_sm_get_auth_addr(sm), sm->own_addr, sm->network_ctx, sm->key_mgmt, NULL); if (!sm->cur_pmksa) sm->cur_pmksa = sa; @@ -3974,12 +3974,12 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) * @pmk: The new PMK * @pmk_len: The length of the new PMK in bytes * @pmkid: Calculated PMKID - * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK + * @auth_addr: AA to add into PMKSA cache or %NULL to not cache the PMK * * Configure the PMK for WPA state machine. */ void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, - const u8 *pmkid, const u8 *bssid) + const u8 *pmkid, const u8 *auth_addr) { if (sm == NULL) return; @@ -3995,9 +3995,9 @@ void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, os_memcpy(sm->xxkey, pmk, pmk_len); #endif /* CONFIG_IEEE80211R */ - if (bssid) { + if (auth_addr) { sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, - pmkid, NULL, 0, bssid, + pmkid, NULL, 0, auth_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt, NULL); @@ -6026,7 +6026,7 @@ fail: } -int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, +int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr, const u8 *resp_ies, size_t resp_ies_len) { struct ieee802_11_elems elems; @@ -6177,7 +6177,7 @@ int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, - bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, + auth_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt, NULL); return 0; diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index 3d6574f..8050236 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h 
@@ -153,7 +153,7 @@ void wpa_sm_deinit(struct wpa_sm *sm); void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid); void wpa_sm_notify_disassoc(struct wpa_sm *sm); void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, - const u8 *pmkid, const u8 *bssid); + const u8 *pmkid, const u8 *auth_addr); void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm); void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth); void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx); @@ -567,7 +567,7 @@ struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len); struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group); -int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, +int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr, const u8 *resp_ies, size_t resp_ies_len); void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set); diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index ce88cc9..4069e4b 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -3113,7 +3113,8 @@ static int wpa_supplicant_event_associnfo(struct wpa_supplicant *wpa_s, #ifdef CONFIG_OWE if (wpa_s->key_mgmt == WPA_KEY_MGMT_OWE && (!bssid_known || - owe_process_assoc_resp(wpa_s->wpa, bssid, + owe_process_assoc_resp(wpa_s->wpa, + wpa_s->valid_links ? wpa_s->ap_mld_addr : bssid, data->assoc_info.resp_ies, data->assoc_info.resp_ies_len) < 0)) { wpa_supplicant_deauthenticate(wpa_s, WLAN_REASON_UNSPECIFIED); @@ -5000,7 +5001,9 @@ static void wpa_supplicant_event_assoc_auth(struct wpa_supplicant *wpa_s, data->assoc_info.fils_pmk, data->assoc_info.fils_pmk_len, data->assoc_info.fils_pmkid, - wpa_s->bssid, fils_cache_id); + wpa_s->valid_links ? + wpa_s->ap_mld_addr : wpa_s->bssid, + fils_cache_id); } else if (data->assoc_info.fils_pmkid) { /* Update the current PMKSA used for this connection */ pmksa_cache_set_current(wpa_s->wpa, 
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index ce409d5..084de3d 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -1531,12 +1531,12 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, } -static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid) +static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *auth_addr) { wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for 4-way handshake"); wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, wpa_s->sme.sae.pmk_len, - wpa_s->sme.sae.pmkid, bssid); + wpa_s->sme.sae.pmkid, auth_addr); if (wpa_s->conf->sae_pmkid_in_assoc) { /* Update the own RSNE contents now that we have set the PMK * and added a PMKSA cache entry based on the successfully @@ -1580,6 +1580,8 @@ void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { int res; + struct wpa_bss *bss; + const u8 *auth_addr; res = sme_sae_auth( wpa_s, le_to_host16(header->u.auth.auth_transaction), @@ -1598,7 +1600,25 @@ void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, if (res != 1) return; - if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0) + auth_addr = wpa_s->sme.ext_auth_bssid; + if (wpa_s->sme.ext_ml_auth) { + bss = wpa_bss_get_bssid_latest( + wpa_s, wpa_s->sme.ext_auth_bssid); + if (!bss) { + wpa_printf(MSG_INFO, + "MLO SAE: BSS not available, update scan result to get BSS"); + wpa_supplicant_update_scan_results(wpa_s); + bss = wpa_bss_get_bssid_latest( + wpa_s, wpa_s->sme.ext_auth_bssid); + } + if (bss && !is_zero_ether_addr(bss->mld_addr)) + auth_addr = bss->mld_addr; + else + wpa_printf(MSG_INFO, + "MLO SAE: AP MLD address fetch failed"); + } + + if (sme_sae_set_pmk(wpa_s, auth_addr) < 0) return; } } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 7fbf5f3..e568413 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -3101,6 +3101,10 @@ static u8 * wpas_populate_assoc_ies( wpa_key_mgmt_wpa(ssid->key_mgmt)) { int try_opportunistic; const u8 *cache_id = NULL; + const u8 *auth_addr = bss->bssid; + + if (!is_zero_ether_addr(bss->mld_addr)) + auth_addr = bss->mld_addr; try_opportunistic = (ssid->proactive_key_caching < 0 ? wpa_s->conf->okc : @@ -3110,7 +3114,7 @@ static u8 * wpas_populate_assoc_ies( if (wpa_key_mgmt_fils(ssid->key_mgmt)) cache_id = wpa_bss_get_fils_cache_id(bss); #endif /* CONFIG_FILS */ - if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, + if (pmksa_cache_set_current(wpa_s->wpa, NULL, auth_addr, ssid, try_opportunistic, cache_id, 0) == 0) { eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
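
Review bot: In src/rsn_supp/wpa.c, the updated comment for wpa_sm_set_pmk() ("@auth_addr: AA to add into PMKSA cache or %NULL to not cache the PMK") renames the parameter but does not say which address a caller is expected to pass. The reason for the rename is that the value is the AP MLD address for an MLO connection and the BSSID otherwise, so the comment should say so. owe_process_assoc_resp() takes the same renamed parameter and has no description in the visible hunk; a one-line note there would keep the two in step.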
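
Review bot: wpa_supplicant/events.c open-codes the address selection twice, as `wpa_s->valid_links ? wpa_s->ap_mld_addr : bssid` in the OWE association response check and as `wpa_s->valid_links ? wpa_s->ap_mld_addr : wpa_s->bssid` in the FILS PMKSA add, while wpa.c obtains the same value through wpa_sm_get_auth_addr(sm). A small helper that returns the authenticator address for wpa_s would keep the rule in one place and make it harder for a later caller to pick the link BSSID by mistake. In the OWE hunk the `!bssid_known` guard still tests the link BSSID even when the MLD address is what gets passed on; a short comment that this is intended would help the reader.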
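
Review bot: In wpa_supplicant/sme.c, sme_external_auth_mgmt_rx() falls through to caching under the link BSSID when the MLD address lookup fails: after logging "MLO SAE: AP MLD address fetch failed", auth_addr is still wpa_s->sme.ext_auth_bssid and is handed to sme_sae_set_pmk(). That creates a PMKSA entry keyed by an address that, per the commit message, is not the authenticator address for this connection, and the lookup added in wpas_populate_assoc_ies() will search by bss->mld_addr and not find it. Since wpa_sm_set_pmk() documents that a NULL address sets the PMK without caching it, consider passing NULL in the failure branch (or failing the authentication) so no entry is stored under the wrong key. The synchronous wpa_supplicant_update_scan_results() call inside the Authentication frame RX path also deserves a comment on why the BSS entry can be missing at this point.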
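
Review bot: In wpa_supplicant/wpa_supplicant.c, wpas_populate_assoc_ies() picks the lookup key with `if (!is_zero_ether_addr(bss->mld_addr))`, which is a different condition from the one used when entries are stored in events.c (`wpa_s->valid_links ? wpa_s->ap_mld_addr : ...`). If a BSS entry carries an MLD address but the association ends up without valid links, entries are stored under the BSSID and looked up under the MLD address, so pmksa_cache_set_current() misses and PMKSA caching silently stops working for that AP. Either base this selection on whether the upcoming association will use MLO, or add a comment explaining why a non-zero bss->mld_addr is guaranteed to match the store-side condition.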