Add own MAC address used for key derivation to PTKSA cache

On successful PASN handshake or 4-way handshake with a peer, PTK is
derived using the local and peer MAC addresses as input. Store the own
MAC address that is used for key derivation in PTKSA cache to maintain
that state over potential MAC addresses changes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 86cb3965c9b17b90f6620720b8a7fe51be2fa445..53f2aab6f24bc58f56138f05f46e5bba8d79baad 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3502,8 +3502,8 @@ static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
        wpa_printf(MSG_INFO,
                   "PASN: Success handling transaction == 3. Store PTK");
 
-       ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
-                       &sta->pasn->ptk);
+       ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr,
+                       sta->pasn->cipher, 43200, &sta->pasn->ptk);
 fail:
        ap_free_sta(hapd, sta);
 }

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index bef8fd26184e5a7d5db02810dbf348bdeb43fbd8..9c27c7a83acfa06d72761b1b5bbc1f54fe19efcd 100644 (file)
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -934,7 +934,8 @@ static void hostapd_store_ptksa(void *ctx, const u8 *addr,int cipher,
 {
        struct hostapd_data *hapd = ctx;
 
-       ptksa_cache_add(hapd->ptksa, addr, cipher, life_time, ptk);
+       ptksa_cache_add(hapd->ptksa, hapd->own_addr, addr, cipher, life_time,
+                       ptk);
 }
 
 

diff --git a/src/common/ptksa_cache.c b/src/common/ptksa_cache.c
index 8fcb135077f2a8b59b2b3bf7bc5133e0c4cbe337..be7a7605e452352901a5ab07bea1345839ee8446 100644 (file)
--- a/src/common/ptksa_cache.c
+++ b/src/common/ptksa_cache.c
@@ -254,6 +254,7 @@ void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher)
 /*
  * ptksa_cache_add - Add a PTKSA cache entry
  * @ptksa: Pointer to PTKSA cache data from ptksa_cache_init()
+ * @own_addr: Own MAC address
  * @addr: Peer address
  * @cipher: The cipher used
  * @life_time: The PTK life time in seconds
@@ -265,6 +266,7 @@ void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher)
  * this entry will be replaced with the new entry.
  */
 struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
+                                          const u8 *own_addr,
                                           const u8 *addr, u32 cipher,
                                           u32 life_time,
                                           const struct wpa_ptk *ptk)
@@ -289,6 +291,8 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
        dl_list_init(&entry->list);
        os_memcpy(entry->addr, addr, ETH_ALEN);
        entry->cipher = cipher;
+       if (own_addr)
+               os_memcpy(entry->own_addr, own_addr, ETH_ALEN);
 
        os_memcpy(&entry->ptk, ptk, sizeof(entry->ptk));
 

diff --git a/src/common/ptksa_cache.h b/src/common/ptksa_cache.h
index 28ef291446472b62b188cd71cd003f438f766227..ee7675fa45000d7451d40827fd2e32daf86ddee3 100644 (file)
--- a/src/common/ptksa_cache.h
+++ b/src/common/ptksa_cache.h
@@ -23,6 +23,7 @@ struct ptksa_cache_entry {
        os_time_t expiration;
        u32 cipher;
        u8 addr[ETH_ALEN];
+       u8 own_addr[ETH_ALEN];
 };
 
 #ifdef CONFIG_PTKSA_CACHE
@@ -35,6 +36,7 @@ struct ptksa_cache_entry * ptksa_cache_get(struct ptksa_cache *ptksa,
                                           const u8 *addr, u32 cipher);
 int ptksa_cache_list(struct ptksa_cache *ptksa, char *buf, size_t len);
 struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
+                                          const u8 *own_addr,
                                           const u8 *addr, u32 cipher,
                                           u32 life_time,
                                           const struct wpa_ptk *ptk);
@@ -64,8 +66,8 @@ static inline int ptksa_cache_list(struct ptksa_cache *ptksa,
 }
 
 static inline struct ptksa_cache_entry *
-ptksa_cache_add(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher,
-               u32 life_time, const struct wpa_ptk *ptk)
+ptksa_cache_add(struct ptksa_cache *ptksa, const u8 *own_addr, const u8 *addr,
+               u32 cipher, u32 life_time, const struct wpa_ptk *ptk)
 {
        return NULL;
 }

diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index aa5fc087bf1f3e9b21e09dc3b201947b2d3bd04c..9f2f6ebb9532be7260ea22d1a51ccd6f59e8bd2c 100644 (file)
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -1567,8 +1567,8 @@ int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
 
        wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
 
-       ptksa_cache_add(wpa_s->ptksa, pasn->bssid, pasn->cipher,
-                       dot11RSNAConfigPMKLifetime, &pasn->ptk);
+       ptksa_cache_add(wpa_s->ptksa, wpa_s->own_addr, pasn->bssid,
+                       pasn->cipher, dot11RSNAConfigPMKLifetime, &pasn->ptk);
 
        forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
 

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 0d8233626985525bd9d1d66e3b5a41ba036e4751..78ad5a665995a4d6cf12a60ee362983f32fe4087 100644 (file)
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -1378,7 +1378,8 @@ static void wpa_supplicant_store_ptk(void *ctx, u8 *addr, int cipher,
 {
        struct wpa_supplicant *wpa_s = ctx;
 
-       ptksa_cache_add(wpa_s->ptksa, addr, cipher, life_time, ptk);
+       ptksa_cache_add(wpa_s->ptksa, wpa_s->own_addr, addr, cipher, life_time,
+                       ptk);
 }
 
 #endif /* CONFIG_NO_WPA */