From patchwork Wed Oct 19 14:14:07 2022
X-Patchwork-Submitter: Veerendranath Jakkam
X-Patchwork-Id: 1692006
From: Veerendranath Jakkam
Subject: [PATCH v3 19/21] MLD STA: Add PMKSA entries with both AP MLD address and AP link addresses
Date: Wed, 19 Oct 2022 19:44:07 +0530
Message-ID: <20221019141409.535582-20-quic_vjakkam@quicinc.com>
In-Reply-To: <20221019141409.535582-1-quic_vjakkam@quicinc.com>
References: <20221019141409.535582-1-quic_vjakkam@quicinc.com>

Add PMKSA entries with both AP MLD address and AP link addresses for MLO
connection. Per-BSSID PMKSA entries could be used in case the station
wants to associate with one of the BSSs without enabling MLO capability
later.

Signed-off-by: Veerendranath Jakkam
---
 src/rsn_supp/wpa.c              | 46 ++++++++++++++++++++++++++++-----
 src/rsn_supp/wpa.h              |  4 +--
 wpa_supplicant/events.c         |  7 +++--
 wpa_supplicant/sme.c            | 26 ++++++++++++++++---
 wpa_supplicant/wpa_supplicant.c |  6 ++++-
 5 files changed, 75 insertions(+), 14 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 2b8d95f1c..fd3d5c8da 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2232,6 +2232,25 @@ static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm, } +static void mlo_links_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, + size_t pmk_len, const u8 *pmkid, + const u8 *kck, size_t kck_len, + void *network_ctx, int akmp, + const u8 *cache_id) +{ + int i; + + for (i = 0; i < MAX_NUM_MLO_LINKS; i++) { + if (!(sm->mlo.valid_links & BIT(i))) + continue; + + pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, kck, kck_len, + sm->mlo.links[i].bssid, sm->own_addr, + network_ctx, akmp, cache_id); + } +} + + static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm, const struct wpa_eapol_key *key, u16 ver, const u8 *key_data, @@ -2373,6 +2392,10 @@ static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm, sm->network_ctx, sm->key_mgmt, NULL); if (!sm->cur_pmksa) sm->cur_pmksa = sa; + + mlo_links_pmksa_cache_add(sm, sm->pmk, sm->pmk_len, NULL, + sm->ptk.kck, sm->ptk.kck_len, + sm->network_ctx, sm->key_mgmt, NULL); } if (ie.transition_disable) @@ -3959,12 +3982,12 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) * @pmk: The new PMK * @pmk_len: The length of the new PMK in bytes * @pmkid: Calculated PMKID - * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK + * @auth_addr: AA to add into PMKSA cache or %NULL to not cache the PMK * * Configure the PMK for WPA state machine. */ void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, - const u8 *pmkid, const u8 *bssid) + const u8 *pmkid, const u8 *auth_addr) { if (sm == NULL) return; 
@@ -3980,12 +4003,17 @@ void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, os_memcpy(sm->xxkey, pmk, pmk_len); #endif /* CONFIG_IEEE80211R */ - if (bssid) { + if (auth_addr) { sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, - pmkid, NULL, 0, bssid, + pmkid, NULL, 0, auth_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt, NULL); + if (sm->mlo.valid_links && + os_memcmp(auth_addr, sm->mlo.ap_mld_addr, ETH_ALEN) == 0) + mlo_links_pmksa_cache_add(sm, pmk, pmk_len, pmkid, NULL, + 0, sm->network_ctx, + sm->key_mgmt, NULL); } } @@ -6020,7 +6048,7 @@ fail: } -int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, +int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr, const u8 *resp_ies, size_t resp_ies_len) { struct ieee802_11_elems elems; @@ -6171,9 +6199,15 @@ int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, - bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, + auth_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt, NULL); + if (sm->mlo.valid_links && + os_memcmp(auth_addr, sm->mlo.ap_mld_addr, ETH_ALEN) == 0) + mlo_links_pmksa_cache_add(sm, sm->pmk, sm->pmk_len, pmkid, NULL, + 0, sm->network_ctx, sm->key_mgmt, + NULL); + return 0; } diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index b97edd551..287864e5a 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h 
@@ -153,7 +153,7 @@ void wpa_sm_deinit(struct wpa_sm *sm); void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid); void wpa_sm_notify_disassoc(struct wpa_sm *sm); void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, - const u8 *pmkid, const u8 *bssid); + const u8 *pmkid, const u8 *auth_addr); void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm); void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth); void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx); @@ -568,7 +568,7 @@ struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len); struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group); -int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, +int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *auth_addr, const u8 *resp_ies, size_t resp_ies_len); void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set); diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index 4840c82fc..e714ac489 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -3113,7 +3113,8 @@ static int wpa_supplicant_event_associnfo(struct wpa_supplicant *wpa_s, #ifdef CONFIG_OWE if (wpa_s->key_mgmt == WPA_KEY_MGMT_OWE && (!bssid_known || - owe_process_assoc_resp(wpa_s->wpa, bssid, + owe_process_assoc_resp(wpa_s->wpa, + wpa_s->valid_links ? wpa_s->ap_mld_addr : bssid, data->assoc_info.resp_ies, data->assoc_info.resp_ies_len) < 0)) { wpa_supplicant_deauthenticate(wpa_s, WLAN_REASON_UNSPECIFIED); @@ -5036,7 +5037,9 @@ static void wpa_supplicant_event_assoc_auth(struct wpa_supplicant *wpa_s, data->assoc_info.fils_pmk, data->assoc_info.fils_pmk_len, data->assoc_info.fils_pmkid, - wpa_s->bssid, fils_cache_id); + wpa_s->valid_links ? + wpa_s->ap_mld_addr : wpa_s->bssid, + fils_cache_id); } else if (data->assoc_info.fils_pmkid) { /* Update the current PMKSA used for this connection */ pmksa_cache_set_current(wpa_s->wpa, 
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index e6e39c4c3..83269968b 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -1548,12 +1548,12 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, } -static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid) +static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *auth_addr) { wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for 4-way handshake"); wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, wpa_s->sme.sae.pmk_len, - wpa_s->sme.sae.pmkid, bssid); + wpa_s->sme.sae.pmkid, auth_addr); if (wpa_s->conf->sae_pmkid_in_assoc) { /* Update the own RSNE contents now that we have set the PMK * and added a PMKSA cache entry based on the successfully @@ -1597,6 +1597,8 @@ void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { int res; + struct wpa_bss *bss; + const u8 *auth_addr; res = sme_sae_auth( wpa_s, le_to_host16(header->u.auth.auth_transaction), @@ -1615,7 +1617,25 @@ void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, if (res != 1) return; - if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0) + auth_addr = wpa_s->sme.ext_auth_bssid; + if (wpa_s->sme.ext_ml_auth) { + bss = wpa_bss_get_bssid_latest( + wpa_s, wpa_s->sme.ext_auth_bssid); + if (!bss) { + wpa_printf(MSG_INFO, + "MLO SAE: BSS not available, update scan result to get BSS"); + wpa_supplicant_update_scan_results(wpa_s); + bss = wpa_bss_get_bssid_latest( + wpa_s, wpa_s->sme.ext_auth_bssid); + } + if (bss && !is_zero_ether_addr(bss->mld_addr)) + auth_addr = bss->mld_addr; + else + wpa_printf(MSG_INFO, + "MLO SAE: AP MLD address fetch failed"); + } + + if (sme_sae_set_pmk(wpa_s, auth_addr) < 0) return; } } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 4f010ef40..547c00187 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -3101,6 +3101,10 @@ static u8 * wpas_populate_assoc_ies( wpa_key_mgmt_wpa(ssid->key_mgmt)) { int try_opportunistic; const u8 *cache_id = NULL; + const u8 *auth_addr = bss->bssid; + + if (!is_zero_ether_addr(bss->mld_addr)) + auth_addr = bss->mld_addr; try_opportunistic = (ssid->proactive_key_caching < 0 ? wpa_s->conf->okc : @@ -3110,7 +3114,7 @@ static u8 * wpas_populate_assoc_ies( if (wpa_key_mgmt_fils(ssid->key_mgmt)) cache_id = wpa_bss_get_fils_cache_id(bss); #endif /* CONFIG_FILS */ - if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, + if (pmksa_cache_set_current(wpa_s->wpa, NULL, auth_addr, ssid, try_opportunistic, cache_id, 0) == 0) { eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
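
Review bot: in src/rsn_supp/wpa.c, mlo_links_pmksa_cache_add() discards the return value of pmksa_cache_add() for every link and carries no comment on the lifetime of the per-link entries. Each valid link gets its own copy of the PMK keyed by sm->mlo.links[i].bssid, and nothing in this patch shows those copies being removed when the AP MLD entry is flushed or replaced. Please add a function comment stating how the per-link entries are expected to expire relative to the MLD entry, and at least a debug print when an add fails. The caller in wpa_supplicant_process_mlo_3_of_4() also passes NULL for pmkid while the wpa_sm_set_pmk() and OWE callers pass the connection's PMKID; a comment on which PMKID a per-link entry is meant to carry would remove the ambiguity.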
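
Review bot: in wpa_sm_set_pmk() (src/rsn_supp/wpa.c) the per-link entries are added only when sm->mlo.valid_links is already set and auth_addr equals sm->mlo.ap_mld_addr, yet sme_sae_set_pmk() calls this function as soon as SAE completes. If the state machine's MLO link information is filled in only at association, this branch is skipped without any log and no per-link entries are created for SAE. Please confirm the ordering or add a debug print for the skipped case. The @auth_addr description in the function comment should also say that it is the AP MLD address for an MLO connection and the BSSID otherwise.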
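
Review bot: owe_process_assoc_resp() in src/rsn_supp/wpa.c repeats the guard "sm->mlo.valid_links && os_memcmp(auth_addr, sm->mlo.ap_mld_addr, ETH_ALEN) == 0" that wpa_sm_set_pmk() already uses. Moving that check into mlo_links_pmksa_cache_add(), with auth_addr passed as a parameter, keeps the two callers from drifting apart and removes the two multi-line if bodies written without braces.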
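
Review bot: the address selection in wpa_supplicant/events.c uses "wpa_s->valid_links ? wpa_s->ap_mld_addr : bssid" in both wpa_supplicant_event_associnfo() and wpa_supplicant_event_assoc_auth(), while wpas_populate_assoc_ies() decides with !is_zero_ether_addr(bss->mld_addr) and sme_external_auth_mgmt_rx() with wpa_s->sme.ext_ml_auth. If these conditions disagree for one connection, the PMKSA entry is stored under one address and looked up under another. A single helper that returns the authenticator address for the current connection would make store and lookup agree by construction.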
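
Review bot: in sme_external_auth_mgmt_rx() (wpa_supplicant/sme.c), when ext_ml_auth is set but no BSS entry is found or bss->mld_addr is zero, the code logs "MLO SAE: AP MLD address fetch failed" and still calls sme_sae_set_pmk() with ext_auth_bssid. The PMK from an ML authentication is then cached under a link address only, and the os_memcmp() against sm->mlo.ap_mld_addr in wpa_sm_set_pmk() will not match. Consider returning on this path instead of caching under the fallback address, or explain in a comment why the fallback is safe. wpa_supplicant_update_scan_results() is also called synchronously from the management frame RX path here; a comment on why that is acceptable would help.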
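
Review bot: in wpas_populate_assoc_ies() (wpa_supplicant/wpa_supplicant.c) auth_addr becomes bss->mld_addr whenever that address is non-zero, independent of whether this association will use MLO. The commit message says the per-BSSID entries exist so the station can associate with one of the BSSs without enabling MLO, but with this selection pmksa_cache_set_current() is never asked for the bss->bssid entry when the BSS advertises an MLD address. Either key the choice on whether MLO will be used for this association, or retry with bss->bssid when the lookup by MLD address fails.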