[PATCH v3 5/5] wpa_supplicant: Use MLD address in SAE authentication
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Dec 6 01:46:09 PST 2022
Use MLD address in SAE commit derivation and PMKSA storing.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
wpa_supplicant/sme.c | 44 ++++++++++++++++++++++++---------
wpa_supplicant/wpa_supplicant.c | 6 ++++-
2 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 0a44824604..dc2029b64e 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -85,7 +85,9 @@ static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid,
- const u8 *bssid, int external,
+ const u8 *bssid,
+ const u8 *mld_addr,
+ int external,
int reuse, int *ret_use_pt,
bool *ret_use_pk)
{
@@ -97,6 +99,9 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
bool use_pk = false;
u8 rsnxe_capa = 0;
+ if (!mld_addr)
+ mld_addr = bssid;
+
if (ret_use_pt)
*ret_use_pt = 0;
if (ret_use_pk)
@@ -159,7 +164,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
}
if (reuse && wpa_s->sme.sae.tmp &&
- os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
+ os_memcmp(mld_addr, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
wpa_printf(MSG_DEBUG,
"SAE: Reuse previously generated PWE on a retry with the same AP");
use_pt = wpa_s->sme.sae.h2e;
@@ -227,7 +232,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
if (use_pt &&
sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt,
- wpa_s->own_addr, bssid,
+ wpa_s->own_addr, mld_addr,
wpa_s->sme.sae_rejected_groups, NULL) < 0)
goto fail;
if (!use_pt &&
@@ -238,13 +243,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
goto fail;
}
if (wpa_s->sme.sae.tmp) {
- os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN);
+ os_memcpy(wpa_s->sme.sae.tmp->bssid, mld_addr, ETH_ALEN);
if (use_pt && use_pk)
wpa_s->sme.sae.pk = 1;
#ifdef CONFIG_SAE_PK
os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr,
ETH_ALEN);
- os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN);
+ os_memcpy(wpa_s->sme.sae.tmp->peer_addr, mld_addr, ETH_ALEN);
sae_pk_set_password(&wpa_s->sme.sae, password);
#endif /* CONFIG_SAE_PK */
}
@@ -691,7 +696,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
if (wpa_key_mgmt_fils(ssid->key_mgmt))
cache_id = wpa_bss_get_fils_cache_id(bss);
#endif /* CONFIG_FILS */
- if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
+ if (pmksa_cache_set_current(wpa_s->wpa, NULL,
+ params.mld ?
+ params.ap_mld_addr : params.bssid,
wpa_s->current_ssid,
try_opportunistic, cache_id,
0) == 0)
@@ -993,7 +1000,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_SAE
if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
- pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0,
+ pmksa_cache_set_current(wpa_s->wpa, NULL,
+ params.mld ?
+ params.ap_mld_addr : params.bssid,
+ ssid, 0,
NULL,
wpa_key_mgmt_sae(wpa_s->key_mgmt) ?
wpa_s->key_mgmt :
@@ -1008,7 +1018,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
if (start)
resp = sme_auth_build_sae_commit(wpa_s, ssid,
- bss->bssid, 0,
+ bss->bssid,
+ params.mld ?
+ params.ap_mld_addr :
+ NULL, 0,
start == 2, NULL,
NULL);
else
@@ -1087,7 +1100,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
goto no_fils;
}
- if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
+ if (pmksa_cache_set_current(wpa_s->wpa, NULL,
+ params.mld ? params.ap_mld_addr :
+ params.bssid,
ssid, 0,
wpa_bss_get_fils_cache_id(bss),
0) == 0)
@@ -1323,8 +1338,8 @@ static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s,
bool use_pk;
u16 status;
- resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt,
- &use_pk);
+ resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, NULL,
+ 1, 0, &use_pt, &use_pk);
if (!resp) {
wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit");
return -1;
@@ -1864,6 +1879,8 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
#ifdef CONFIG_SAE
if (data->auth.auth_type == WLAN_AUTH_SAE) {
+ u8 *bss = wpa_s->pending_bssid;
+
int res;
res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
data->auth.status_code, data->auth.ies,
@@ -1877,7 +1894,10 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
if (res != 1)
return;
- if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0)
+ if (wpa_s->valid_links)
+ bss = wpa_s->ap_mld_addr;
+
+ if (sme_sae_set_pmk(wpa_s, bss) < 0)
return;
}
#endif /* CONFIG_SAE */
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 7849b40296..14d741f43f 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -3137,6 +3137,10 @@ static u8 * wpas_populate_assoc_ies(
wpa_key_mgmt_wpa(ssid->key_mgmt)) {
int try_opportunistic;
const u8 *cache_id = NULL;
+ u8 *bssid = bss->bssid;
+
+ if (wpa_s->valid_links)
+ bssid = wpa_s->ap_mld_addr;
try_opportunistic = (ssid->proactive_key_caching < 0 ?
wpa_s->conf->okc :
@@ -3146,7 +3150,7 @@ static u8 * wpas_populate_assoc_ies(
if (wpa_key_mgmt_fils(ssid->key_mgmt))
cache_id = wpa_bss_get_fils_cache_id(bss);
#endif /* CONFIG_FILS */
- if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
+ if (pmksa_cache_set_current(wpa_s->wpa, NULL, bssid,
ssid, try_opportunistic,
cache_id, 0) == 0) {
eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
--
2.25.1
More information about the Hostap
mailing list