wpa_supplicant: Use MLD address in SAE authentication

Use MLD address in SAE commit derivation and PMKSA storing.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This commit is contained in:
Andrei Otcheretianski 2022-12-06 11:46:09 +02:00 committed by Jouni Malinen
parent 8c0f83ae88
commit e869fdfeef
2 changed files with 35 additions and 13 deletions

View file

@ -86,7 +86,9 @@ static int sme_set_sae_group(struct wpa_supplicant *wpa_s, bool external)
static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid, struct wpa_ssid *ssid,
const u8 *bssid, int external, const u8 *bssid,
const u8 *mld_addr,
int external,
int reuse, int *ret_use_pt, int reuse, int *ret_use_pt,
bool *ret_use_pk) bool *ret_use_pk)
{ {
@ -99,6 +101,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
u8 rsnxe_capa = 0; u8 rsnxe_capa = 0;
int key_mgmt = external ? wpa_s->sme.ext_auth_key_mgmt : int key_mgmt = external ? wpa_s->sme.ext_auth_key_mgmt :
wpa_s->key_mgmt; wpa_s->key_mgmt;
const u8 *addr = mld_addr ? mld_addr : bssid;
if (ret_use_pt) if (ret_use_pt)
*ret_use_pt = 0; *ret_use_pt = 0;
@ -162,7 +165,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
} }
if (reuse && wpa_s->sme.sae.tmp && if (reuse && wpa_s->sme.sae.tmp &&
os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) { os_memcmp(addr, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"SAE: Reuse previously generated PWE on a retry with the same AP"); "SAE: Reuse previously generated PWE on a retry with the same AP");
use_pt = wpa_s->sme.sae.h2e; use_pt = wpa_s->sme.sae.h2e;
@ -230,7 +233,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
if (use_pt && if (use_pt &&
sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt,
wpa_s->own_addr, bssid, wpa_s->own_addr, addr,
wpa_s->sme.sae_rejected_groups, NULL) < 0) wpa_s->sme.sae_rejected_groups, NULL) < 0)
goto fail; goto fail;
if (!use_pt && if (!use_pt &&
@ -241,13 +244,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
goto fail; goto fail;
} }
if (wpa_s->sme.sae.tmp) { if (wpa_s->sme.sae.tmp) {
os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); os_memcpy(wpa_s->sme.sae.tmp->bssid, addr, ETH_ALEN);
if (use_pt && use_pk) if (use_pt && use_pk)
wpa_s->sme.sae.pk = 1; wpa_s->sme.sae.pk = 1;
#ifdef CONFIG_SAE_PK #ifdef CONFIG_SAE_PK
os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr, os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr,
ETH_ALEN); ETH_ALEN);
os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN); os_memcpy(wpa_s->sme.sae.tmp->peer_addr, addr, ETH_ALEN);
sae_pk_set_password(&wpa_s->sme.sae, password); sae_pk_set_password(&wpa_s->sme.sae, password);
#endif /* CONFIG_SAE_PK */ #endif /* CONFIG_SAE_PK */
} }
@ -688,7 +691,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
if (wpa_key_mgmt_fils(ssid->key_mgmt)) if (wpa_key_mgmt_fils(ssid->key_mgmt))
cache_id = wpa_bss_get_fils_cache_id(bss); cache_id = wpa_bss_get_fils_cache_id(bss);
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, if (pmksa_cache_set_current(wpa_s->wpa, NULL,
params.mld ? params.ap_mld_addr :
bss->bssid,
wpa_s->current_ssid, wpa_s->current_ssid,
try_opportunistic, cache_id, try_opportunistic, cache_id,
0) == 0) 0) == 0)
@ -990,7 +995,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, pmksa_cache_set_current(wpa_s->wpa, NULL,
params.mld ? params.ap_mld_addr :
bss->bssid,
ssid, 0,
NULL, NULL,
wpa_key_mgmt_sae(wpa_s->key_mgmt) ? wpa_key_mgmt_sae(wpa_s->key_mgmt) ?
wpa_s->key_mgmt : wpa_s->key_mgmt :
@ -1005,7 +1013,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
if (start) if (start)
resp = sme_auth_build_sae_commit(wpa_s, ssid, resp = sme_auth_build_sae_commit(wpa_s, ssid,
bss->bssid, 0, bss->bssid,
params.mld ?
params.ap_mld_addr :
NULL, 0,
start == 2, NULL, start == 2, NULL,
NULL); NULL);
else else
@ -1084,7 +1095,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
goto no_fils; goto no_fils;
} }
if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, if (pmksa_cache_set_current(wpa_s->wpa, NULL,
params.mld ? params.ap_mld_addr :
bss->bssid,
ssid, 0, ssid, 0,
wpa_bss_get_fils_cache_id(bss), wpa_bss_get_fils_cache_id(bss),
0) == 0) 0) == 0)
@ -1320,8 +1333,8 @@ static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s,
bool use_pk; bool use_pk;
u16 status; u16 status;
resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt, resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, NULL,
&use_pk); 1, 0, &use_pt, &use_pk);
if (!resp) { if (!resp) {
wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit"); wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit");
return -1; return -1;
@ -1869,7 +1882,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (data->auth.auth_type == WLAN_AUTH_SAE) { if (data->auth.auth_type == WLAN_AUTH_SAE) {
const u8 *addr = wpa_s->pending_bssid;
int res; int res;
res = sme_sae_auth(wpa_s, data->auth.auth_transaction, res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
data->auth.status_code, data->auth.ies, data->auth.status_code, data->auth.ies,
data->auth.ies_len, 0, data->auth.peer, data->auth.ies_len, 0, data->auth.peer,
@ -1882,7 +1897,10 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
if (res != 1) if (res != 1)
return; return;
if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0) if (wpa_s->valid_links)
addr = wpa_s->ap_mld_addr;
if (sme_sae_set_pmk(wpa_s, addr) < 0)
return; return;
} }
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */

View file

@ -3137,6 +3137,10 @@ static u8 * wpas_populate_assoc_ies(
wpa_key_mgmt_wpa(ssid->key_mgmt)) { wpa_key_mgmt_wpa(ssid->key_mgmt)) {
int try_opportunistic; int try_opportunistic;
const u8 *cache_id = NULL; const u8 *cache_id = NULL;
const u8 *addr = bss->bssid;
if (wpa_s->valid_links)
addr = wpa_s->ap_mld_addr;
try_opportunistic = (ssid->proactive_key_caching < 0 ? try_opportunistic = (ssid->proactive_key_caching < 0 ?
wpa_s->conf->okc : wpa_s->conf->okc :
@ -3146,7 +3150,7 @@ static u8 * wpas_populate_assoc_ies(
if (wpa_key_mgmt_fils(ssid->key_mgmt)) if (wpa_key_mgmt_fils(ssid->key_mgmt))
cache_id = wpa_bss_get_fils_cache_id(bss); cache_id = wpa_bss_get_fils_cache_id(bss);
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, if (pmksa_cache_set_current(wpa_s->wpa, NULL, addr,
ssid, try_opportunistic, ssid, try_opportunistic,
cache_id, 0) == 0) { cache_id, 0) == 0) {
eapol_sm_notify_pmkid_attempt(wpa_s->eapol); eapol_sm_notify_pmkid_attempt(wpa_s->eapol);