AP MLD: Store PMKSA generated from SAE authentication into ml_pmksa
authorChenming Huang <quic_chenhuan@quicinc.com>
Wed, 26 Feb 2025 14:32:21 +0000 (20:02 +0530)
committerJouni Malinen <j@w1.fi>
Thu, 27 Feb 2025 10:11:44 +0000 (12:11 +0200)
For an ML association with SAE, store the PMKSA into the MLD-level PMKSA
cache and fetch it from there, too, instead of the per-link PMKSA cache.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
src/ap/drv_callbacks.c
src/ap/ieee802_11.c
src/ap/wpa_auth.c
src/ap/wpa_auth.h
src/ap/wpa_auth_ie.c
wpa_supplicant/ibss_rsn.c
wpa_supplicant/p2p_supplicant.c

index bd2157805e676cb8d699e867ab74a003ee74aefd..9c2dede21dac04eef7d6643b45169568dd052461 100644 (file)
@@ -573,7 +573,8 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                                          elems.rsnxe ? elems.rsnxe - 2 : NULL,
                                          elems.rsnxe ? elems.rsnxe_len + 2 : 0,
                                          elems.mdie, elems.mdie_len,
-                                         elems.owe_dh, elems.owe_dh_len, NULL);
+                                         elems.owe_dh, elems.owe_dh_len, NULL,
+                                         ap_sta_is_mld(hapd, sta));
                reason = WLAN_REASON_INVALID_IE;
                status = WLAN_STATUS_INVALID_IE;
                switch (res) {
index 9a4869199b5c5e5924e7d139ff0e22cbee63eea1..49fb2820e10ea3a4a83c50c45f5d2fe724e808ce 100644 (file)
@@ -1094,7 +1094,8 @@ void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
        sta->sae->peer_commit_scalar = NULL;
        wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
                               sta->sae->pmk, sta->sae->pmk_len,
-                              sta->sae->pmkid, sta->sae->akmp);
+                              sta->sae->pmkid, sta->sae->akmp,
+                              ap_sta_is_mld(hapd, sta));
        sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
 }
 
@@ -2123,7 +2124,8 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
                                  elems.rsn_ie - 2, elems.rsn_ie_len + 2,
                                  elems.rsnxe ? elems.rsnxe - 2 : NULL,
                                  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
-                                 elems.mdie, elems.mdie_len, NULL, 0, NULL);
+                                 elems.mdie, elems.mdie_len, NULL, 0, NULL,
+                                 ap_sta_is_mld(hapd, sta));
        resp = wpa_res_to_status_code(res);
        if (resp != WLAN_STATUS_SUCCESS)
                goto fail;
@@ -4057,7 +4059,8 @@ u16 owe_process_rsn_ie(struct hostapd_data *hapd,
        rsn_ie_len += 2;
        res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
                                  hapd->iface->freq, rsn_ie, rsn_ie_len,
-                                 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL);
+                                 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL,
+                                 ap_sta_is_mld(hapd, sta));
        status = wpa_res_to_status_code(res);
        if (status != WLAN_STATUS_SUCCESS)
                goto end;
@@ -4413,7 +4416,8 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                                          0,
                                          elems->mdie, elems->mdie_len,
                                          elems->owe_dh, elems->owe_dh_len,
-                                         assoc_sta ? assoc_sta->wpa_sm : NULL);
+                                         assoc_sta ? assoc_sta->wpa_sm : NULL,
+                                         ap_sta_is_mld(hapd, sta));
                resp = wpa_res_to_status_code(res);
                if (resp != WLAN_STATUS_SUCCESS)
                        return resp;
index 5939d28a5472afd9b4bf1596fd267251f75abb56..f8f704d3e1fd2019e087c51d670a6eaf6cab6f68 100644 (file)
@@ -6535,16 +6535,27 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
 
 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
                           const u8 *pmk, size_t pmk_len, const u8 *pmkid,
-                          int akmp)
+                          int akmp, bool is_ml)
 {
+       struct rsn_pmksa_cache *pmksa = wpa_auth->pmksa;
+       const u8 *aa = wpa_auth->addr;
+
        if (wpa_auth->conf.disable_pmksa_caching)
                return -1;
 
        wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, pmk_len);
        if (!akmp)
                akmp = WPA_KEY_MGMT_SAE;
-       if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
-                                NULL, 0, wpa_auth->addr, addr, 0, NULL, akmp))
+
+#ifdef CONFIG_IEEE80211BE
+       if (is_ml) {
+               pmksa = wpa_auth->ml_pmksa;
+               aa = wpa_auth->mld_addr;
+       }
+#endif /* CONFIG_IEEE80211BE */
+
+       if (pmksa_cache_auth_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, aa, addr,
+                                0, NULL, akmp))
                return 0;
 
        return -1;
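Review bot: In `wpa_auth_pmksa_add_sae()` the `is_ml` branch switches to `wpa_auth->ml_pmksa` and `wpa_auth->mld_addr` without checking that an MLD-level cache has been set up for this authenticator, so if that pointer can be NULL (its initialisation is not visible in this hunk) `pmksa_cache_auth_add()` is handed a NULL cache. Making the failure explicit as the first statement of the `is_ml` block, `if (!wpa_auth->ml_pmksa) return -1;`, keeps the behaviour consistent with the existing `disable_pmksa_caching` early return. Only the add path is changed here; whether this file's PMKSA remove and flush paths also reach `ml_pmksa` cannot be seen from the hunk, and an entry left behind there would keep allowing PMKSA-caching associations for that station. The function's closing brace lies outside the hunk.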
index 2c29baaef5cb8e5ed75a05fb772a29b46042829c..560a2cc55d634cf1eee11a67862672530331282f 100644 (file)
@@ -457,7 +457,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                    const u8 *rsnxe, size_t rsnxe_len,
                    const u8 *mdie, size_t mdie_len,
                    const u8 *owe_dh, size_t owe_dh_len,
-                   struct wpa_state_machine *assoc_sm);
+                   struct wpa_state_machine *assoc_sm,
+                   bool is_ml);
 int wpa_validate_osen(struct wpa_authenticator *wpa_auth,
                      struct wpa_state_machine *sm,
                      const u8 *osen_ie, size_t osen_ie_len);
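Review bot: The new `is_ml` parameter on `wpa_validate_wpa_ie()` is undocumented, and the same applies to `wpa_auth_pmksa_add_sae()` in the next hunk. Both implementations only act on it under `CONFIG_IEEE80211BE`, so in other builds a caller passing `true` silently gets the per-link cache. A comment above the prototype, e.g. `/* is_ml: STA is a non-AP MLD; use the MLD-level PMKSA cache (CONFIG_IEEE80211BE builds only) */`, would make that contract visible to callers.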
@@ -510,7 +511,7 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
                               struct eapol_state_machine *eapol);
 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
                           const u8 *pmk, size_t pmk_len, const u8 *pmkid,
-                          int akmp);
+                          int akmp, bool is_ml);
 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid);
 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
                        const u8 *pmk, size_t pmk_len, const u8 *pmkid,
index 4636f7fde4309dbdd273d67038c1f9ff034f7ef2..480d5bd8e5a79bf9de0bbf876cb08e98f0df7717 100644 (file)
@@ -798,7 +798,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                    const u8 *rsnxe, size_t rsnxe_len,
                    const u8 *mdie, size_t mdie_len,
                    const u8 *owe_dh, size_t owe_dh_len,
-                   struct wpa_state_machine *assoc_sm)
+                   struct wpa_state_machine *assoc_sm, bool is_ml)
 {
        struct wpa_auth_config *conf = &wpa_auth->conf;
        struct wpa_ie_data data;
@@ -1184,9 +1184,15 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 
        sm->pmksa = NULL;
        for (i = 0; i < data.num_pmkid; i++) {
+               struct rsn_pmksa_cache *pmksa = wpa_auth->pmksa;
+
                wpa_hexdump(MSG_DEBUG, "RSN IE: STA PMKID",
                            &data.pmkid[i * PMKID_LEN], PMKID_LEN);
-               sm->pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sm->addr,
+#ifdef CONFIG_IEEE80211BE
+               if (is_ml)
+                       pmksa = wpa_auth->ml_pmksa;
+#endif /* CONFIG_IEEE80211BE */
+               sm->pmksa = pmksa_cache_auth_get(pmksa, sm->addr,
                                                 &data.pmkid[i * PMKID_LEN]);
                if (!sm->pmksa && !is_zero_ether_addr(sm->p2p_dev_addr))
                        sm->pmksa = pmksa_cache_auth_get(
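Review bot: The cache selection added inside the PMKID loop does not depend on `i`, so the `pmksa` declaration and the `#ifdef CONFIG_IEEE80211BE` block can move above the `for`, keeping the preprocessor conditional out of the loop body. The `sm->p2p_dev_addr` fallback that starts on the last line of the hunk is cut off, as is the rest of the function; if those lookups still pass `wpa_auth->pmksa`, an ML station is matched against the per-link cache after all, and a comment should say whether that is intended. A short comment such as `/* Must match the cache chosen in wpa_auth_pmksa_add_sae() */` next to the selection would also record that store and lookup rely on the same `is_ml` decision.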
index 37eb58726262673009a85d38d4bcb026c68317f8..06228d0ef6c98fcb47971d6d969abb507d22d795 100644 (file)
@@ -497,7 +497,7 @@ static int ibss_rsn_auth_init(struct ibss_rsn *ibss_rsn,
                                "\x01\x00\x00\x0f\xac\x04"
                                "\x01\x00\x00\x0f\xac\x02"
                                "\x00\x00", 22, NULL, 0, NULL, 0, NULL, 0,
-                               NULL) != WPA_IE_OK) {
+                               NULL, false) != WPA_IE_OK) {
                wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed");
                return -1;
        }
index b8add917a4fd6005a699b16482e1928bdb57654b..834c1d534f9e1d9872a48aecbb01a954b4fd7528 100644 (file)
@@ -2258,7 +2258,8 @@ static void p2p_go_configured(void *ctx, void *data)
                wpa_auth_pmksa_add_sae(hapd->wpa_auth,
                                       params->peer_device_addr,
                                       params->pmk, params->pmk_len,
-                                      params->pmkid, WPA_KEY_MGMT_SAE);
+                                      params->pmkid, WPA_KEY_MGMT_SAE,
+                                      false);
                hostapd_add_pmkid(hapd, params->peer_device_addr,
                                  params->pmk, params->pmk_len,
                                  params->pmkid, WPA_KEY_MGMT_SAE);
@@ -2913,7 +2914,8 @@ static void wpas_set_go_security_config(void *ctx,
                wpa_auth_pmksa_add_sae(hapd->wpa_auth,
                                       params->peer_device_addr,
                                       params->pmk, params->pmk_len,
-                                      params->pmkid, WPA_KEY_MGMT_SAE);
+                                      params->pmkid, WPA_KEY_MGMT_SAE,
+                                      false);
                hostapd_add_pmkid(hapd, params->peer_device_addr,
                                  params->pmk, params->pmk_len,
                                  params->pmkid, WPA_KEY_MGMT_SAE);