From: Ilan Peer Date: Wed, 15 Feb 2023 23:08:50 +0000 (+0200) Subject: WPA_AUTH: MLO: Add functions to get the AA and SPA X-Git-Tag: hostap_2_11~1249 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4cb62ca8ea1ad115f71b8774d3bf516116fba66;p=thirdparty%2Fhostap.git WPA_AUTH: MLO: Add functions to get the AA and SPA As a preparation to use AP MLD address and non-AP MLD address in the RSN Authenticator state machine, add utility functions to get the current AA and SPA. Signed-off-by: Ilan Peer Signed-off-by: Andrei Otcheretianski --- diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index c4fc3c5ad..12b49704b 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -36,7 +36,7 @@ #define STATE_MACHINE_DATA struct wpa_state_machine #define STATE_MACHINE_DEBUG_PREFIX "WPA" -#define STATE_MACHINE_ADDR sm->addr +#define STATE_MACHINE_ADDR wpa_auth_get_spa(sm) static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); @@ -82,6 +82,18 @@ static const int dot11RSNAConfigPMKReauthThreshold = 70; static const int dot11RSNAConfigSATimeout = 60; +static const u8 * wpa_auth_get_aa(const struct wpa_state_machine *sm) +{ + return sm->wpa_auth->addr; +} + + +static const u8 * wpa_auth_get_spa(const struct wpa_state_machine *sm) +{ + return sm->addr; +} + + static inline int wpa_auth_mic_failure_report( struct wpa_authenticator *wpa_auth, const u8 *addr) { @@ -377,7 +389,8 @@ static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) struct wpa_authenticator *wpa_auth = eloop_ctx; struct wpa_state_machine *sm = timeout_ctx; - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, + "rekeying PTK"); wpa_request_new_ptk(sm); wpa_sm_step(sm); } @@ -387,7 +400,8 @@ void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm) { if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) { wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for " - MACSTR " (%d seconds)", MAC2STR(sm->addr), + MACSTR " (%d seconds)", + MAC2STR(wpa_auth_get_spa(sm)), sm->wpa_auth->conf.wpa_ptk_rekey); eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0, @@ -694,7 +708,7 @@ int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_IEEE80211R_AP if (sm->ft_completed) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "FT authentication already completed - do not start 4-way handshake"); /* Go to PTKINITDONE state to allow GTK rekeying */ sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; @@ -705,7 +719,7 @@ int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_FILS if (sm->fils_completed) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "FILS authentication already completed - do not start 4-way handshake"); /* Go to PTKINITDONE state to allow GTK rekeying */ sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; @@ -720,7 +734,7 @@ int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, return wpa_sm_step(sm); } - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "start authentication"); sm->started = 1; @@ -754,7 +768,8 @@ static void wpa_free_sta_sm(struct wpa_state_machine *sm) MACSTR " (bit %u)", sm->ip_addr[0], sm->ip_addr[1], sm->ip_addr[2], sm->ip_addr[3], - MAC2STR(sm->addr), sm->ip_addr_bit); + MAC2STR(wpa_auth_get_spa(sm)), + sm->ip_addr_bit); bitfield_clear(sm->wpa_auth->ip_pool, sm->ip_addr_bit); } #endif /* CONFIG_P2P */ @@ -786,7 +801,7 @@ void wpa_auth_sta_deinit(struct wpa_state_machine *sm) wpa_auth = sm->wpa_auth; if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "strict rekeying - force GTK rekey since STA is leaving"); if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, wpa_auth, NULL) == -1) @@ -806,7 +821,7 @@ void wpa_auth_sta_deinit(struct wpa_state_machine *sm) * Freeing will be completed in the end of wpa_sm_step(). */ wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state machine deinit for " - MACSTR, MAC2STR(sm->addr)); + MACSTR, MAC2STR(wpa_auth_get_spa(sm))); sm->pending_deinit = 1; } else wpa_free_sta_sm(sm); @@ -821,7 +836,7 @@ static void wpa_request_new_ptk(struct wpa_state_machine *sm) if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) { wpa_printf(MSG_INFO, "WPA: PTK0 rekey not allowed, disconnect " MACSTR, - MAC2STR(sm->addr)); + MAC2STR(wpa_auth_get_spa(sm))); sm->Disconnect = true; /* Try to encourage the STA to reconnect */ sm->disconnect_reason = @@ -919,18 +934,19 @@ static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, struct wpa_state_machine *sm, int group) { /* Supplicant reported a Michael MIC error */ - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))", group); if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "ignore Michael MIC failure report since group cipher is not TKIP"); } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "ignore Michael MIC failure report since pairwise cipher is not TKIP"); } else { - if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) + if (wpa_auth_mic_failure_report(wpa_auth, + wpa_auth_get_spa(sm)) > 0) return 1; /* STA entry was removed */ sm->dot11RSNAStatsTKIPRemoteMICFailures++; wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; @@ -1078,7 +1094,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, key_data_length = WPA_GET_BE16(mic + mic_len); wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR " key_info=0x%x type=%u mic_len=%zu key_data_length=%u", - MAC2STR(sm->addr), key_info, key->type, + MAC2STR(wpa_auth_get_spa(sm)), key_info, key->type, mic_len, key_data_length); wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key header (ending before Key MIC)", @@ -1153,7 +1169,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, if (wpa_use_cmac(sm->wpa_key_mgmt) && !wpa_use_akm_defined(sm->wpa_key_mgmt) && ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { - wpa_auth_logger(wpa_auth, sm->addr, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_WARNING, "advertised support for AES-128-CMAC, but did not use it"); return; @@ -1162,7 +1178,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, if (!wpa_use_cmac(sm->wpa_key_mgmt) && !wpa_use_akm_defined(sm->wpa_key_mgmt) && ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { - wpa_auth_logger(wpa_auth, sm->addr, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_WARNING, "did not use HMAC-SHA1-AES with CCMP/GCMP"); return; @@ -1171,7 +1187,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, if (wpa_use_akm_defined(sm->wpa_key_mgmt) && ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_WARNING, "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); return; } @@ -1181,7 +1198,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, if (sm->req_replay_counter_used && os_memcmp(key->replay_counter, sm->req_replay_counter, WPA_REPLAY_COUNTER_LEN) <= 0) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_WARNING, "received EAPOL-Key request with replayed counter"); return; } @@ -1204,7 +1222,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, * pending requests, so allow the SNonce to be updated * even if we have already sent out EAPOL-Key 3/4. */ - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4"); sm->update_snonce = 1; os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); @@ -1224,7 +1243,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, * there was two EAPOL-Key 2/4 messages and they had * different SNonce values. */ - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); goto continue_processing; } @@ -1233,11 +1253,13 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, wpa_replay_counter_valid(sm->prev_key_replay, key->replay_counter) && sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "ignore retransmitted EAPOL-Key %s - SNonce did not change", msgtxt); } else { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "received EAPOL-Key %s with unexpected replay counter", msgtxt); } @@ -1257,7 +1279,7 @@ continue_processing: #ifdef CONFIG_FILS if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); return; } @@ -1269,7 +1291,8 @@ continue_processing: sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && (!sm->update_snonce || sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped", sm->wpa_ptk_state); return; @@ -1296,7 +1319,8 @@ continue_processing: case PAIRWISE_4: if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || !sm->PTK_valid) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped", sm->wpa_ptk_state); return; @@ -1305,7 +1329,8 @@ continue_processing: case GROUP_2: if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING || !sm->PTK_valid) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped", sm->wpa_ptk_group_state); return; @@ -1315,18 +1340,18 @@ continue_processing: break; } - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "received EAPOL-Key frame (%s)", msgtxt); if (key_info & WPA_KEY_INFO_ACK) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received invalid EAPOL-Key: Key Ack set"); return; } if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && !(key_info & WPA_KEY_INFO_MIC)) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received invalid EAPOL-Key: Key MIC not set"); return; } @@ -1334,7 +1359,7 @@ continue_processing: #ifdef CONFIG_FILS if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && (key_info & WPA_KEY_INFO_MIC)) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received invalid EAPOL-Key: Key MIC set"); return; } @@ -1347,7 +1372,8 @@ continue_processing: data, data_len) && (msg != PAIRWISE_4 || !sm->alt_snonce_valid || wpa_try_alt_snonce(sm, data, data_len))) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key with invalid MIC"); #ifdef TEST_FUZZ wpa_printf(MSG_INFO, @@ -1360,7 +1386,8 @@ continue_processing: if (!mic_len && wpa_aead_decrypt(sm, &sm->PTK, data, data_len, &key_data_length) < 0) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key with invalid MIC"); #ifdef TEST_FUZZ wpa_printf(MSG_INFO, @@ -1384,7 +1411,8 @@ continue_processing: os_memcpy(sm->req_replay_counter, key->replay_counter, WPA_REPLAY_COUNTER_LEN); } else { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key request with invalid MIC"); return; } @@ -1400,7 +1428,8 @@ continue_processing: !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) return; /* STA entry was removed */ } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key Request for new 4-Way Handshake"); wpa_request_new_ptk(sm); } else if (key_data_length > 0 && @@ -1408,7 +1437,8 @@ continue_processing: &kde) == 0 && kde.mac_addr) { } else { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "received EAPOL-Key Request for GTK rekeying"); eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); if (wpa_auth_gtk_rekey_in_process(wpa_auth)) @@ -1519,7 +1549,8 @@ static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) } sm->pending_1_of_4_timeout = 0; - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, + "EAPOL-Key timeout"); sm->TimeoutEvt = true; wpa_sm_step(sm); } @@ -1711,7 +1742,8 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, if (key_info & WPA_KEY_INFO_MIC) { if (!sm->PTK_valid || !mic_len) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "PTK not valid when sending EAPOL-Key frame"); os_free(hdr); return; @@ -1727,7 +1759,8 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, if (!pairwise && conf->corrupt_gtk_rekey_mic_probability > 0.0 && drand48() < conf->corrupt_gtk_rekey_mic_probability) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "Corrupting group EAPOL-Key Key MIC"); key_mic[0]++; } @@ -1852,7 +1885,7 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) if (!sm) return -1; - wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "event %d notification", event); switch (event) { @@ -1912,7 +1945,7 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) sm->wpa_auth->conf.wpa_deny_ptk0_rekey) { wpa_printf(MSG_INFO, "WPA: PTK0 rekey not allowed, disconnect " - MACSTR, MAC2STR(sm->addr)); + MACSTR, MAC2STR(wpa_auth_get_spa(sm))); sm->Disconnect = true; /* Try to encourage the STA to reconnect */ sm->disconnect_reason = @@ -2159,7 +2192,8 @@ SM_STATE(WPA_PTK, INITPMK) sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; return; #endif /* CONFIG_DPP */ - } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { + } else if (wpa_auth_get_msk(sm->wpa_auth, wpa_auth_get_spa(sm), + msk, &len) == 0) { unsigned int pmk_len; if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) @@ -2267,7 +2301,7 @@ SM_STATE(WPA_PTK, PTKSTART) return; } - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 1/4 msg of 4-Way Handshake"); /* * For infrastructure BSS cases, it is better for the AP not to include @@ -2346,8 +2380,10 @@ SM_STATE(WPA_PTK, PTKSTART) * Calculate PMKID since no PMKSA cache entry was * available with pre-calculated PMKID. */ - rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, - sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], + rsn_pmkid(sm->PMK, sm->pmk_len, + wpa_auth_get_aa(sm), + wpa_auth_get_spa(sm), + &pmkid[2 + RSN_SELECTOR_LEN], sm->wpa_key_mgmt); wpa_hexdump(MSG_DEBUG, "RSN: Message 1/4 PMKID derived from PMK", @@ -2389,7 +2425,8 @@ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, ret = wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, sm->SNonce, sm->ANonce, - sm->addr, sm->wpa_auth->addr, + wpa_auth_get_spa(sm), + wpa_auth_get_aa(sm), sm->pmk_r1_name, ptk, ptk_name, sm->wpa_key_mgmt, sm->pairwise, kdk_len); @@ -2430,9 +2467,9 @@ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, if (force_sha256) akmp |= WPA_KEY_MGMT_PSK_SHA256; ret = wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", - sm->wpa_auth->addr, sm->addr, sm->ANonce, - snonce, ptk, akmp, sm->pairwise, z, z_len, - kdk_len); + wpa_auth_get_aa(sm), wpa_auth_get_spa(sm), + sm->ANonce, snonce, ptk, akmp, + sm->pairwise, z, z_len, kdk_len); if (ret) { wpa_printf(MSG_DEBUG, "WPA: PTK derivation failed"); @@ -2473,7 +2510,8 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, else kdk_len = 0; - res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, + res = fils_pmk_to_ptk(pmk, pmk_len, wpa_auth_get_spa(sm), + wpa_auth_get_aa(sm), snonce, anonce, dhss, dhss_len, &sm->PTK, ick, &ick_len, sm->wpa_key_mgmt, sm->pairwise, @@ -2507,7 +2545,7 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, conf->mobility_domain, conf->r0_key_holder, conf->r0_key_holder_len, - sm->addr, pmk_r0, pmk_r0_name, + wpa_auth_get_spa(sm), pmk_r0, pmk_r0_name, sm->wpa_key_mgmt) < 0) return -1; @@ -2515,7 +2553,8 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, forced_memzero(fils_ft, sizeof(fils_ft)); res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, - sm->addr, sm->pmk_r1_name, + wpa_auth_get_spa(sm), + sm->pmk_r1_name, fils_ft_len); forced_memzero(pmk_r0, PMK_LEN_MAX); if (res < 0) @@ -2527,7 +2566,8 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, #endif /* CONFIG_IEEE80211R_AP */ res = fils_key_auth_sk(ick, ick_len, snonce, anonce, - sm->addr, sm->wpa_auth->addr, + wpa_auth_get_spa(sm), + wpa_auth_get_aa(sm), g_sta ? wpabuf_head(g_sta) : NULL, g_sta ? wpabuf_len(g_sta) : 0, g_ap ? wpabuf_head(g_ap) : NULL, @@ -2562,7 +2602,7 @@ static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, key_data_len = WPA_GET_BE16(pos); if (key_data_len < AES_BLOCK_SIZE || key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "No room for AES-SIV data in the frame"); return -1; } @@ -2578,7 +2618,7 @@ static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, aad_len[0] = pos - buf; if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 1, aad, aad_len, tmp) < 0) { - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "Invalid AES-SIV data in the frame"); bin_clear_free(tmp, key_data_len); return -1; @@ -3176,7 +3216,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) } if (!ok) { - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "invalid MIC in msg 2/4 of 4-Way Handshake"); if (psk_found) wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); @@ -3197,7 +3238,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) goto out; if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received EAPOL-Key msg 2/4 with invalid Key Data contents"); goto out; } @@ -3215,7 +3256,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) if (!sm->wpa_ie || wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, eapol_key_ie, eapol_key_ie_len)) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "WPA IE from (Re)AssocReq did not match with msg 2/4"); if (sm->wpa_ie) { wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", @@ -3233,7 +3274,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) (sm->rsnxe && kde.rsnxe && (sm->rsnxe_len != kde.rsnxe_len || os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4"); wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq", sm->rsnxe, sm->rsnxe_len); @@ -3252,7 +3293,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) enum oci_verify_result res; if (wpa_channel_info(wpa_auth, &ci) != 0) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "Failed to get channel info to validate received OCI in EAPOL-Key 2/4"); goto out; } @@ -3267,17 +3309,20 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) tx_chanwidth, tx_seg1_idx); if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) { /* Work around misbehaving STAs */ - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "Disable OCV with a STA that does not send OCI"); wpa_auth_set_ocv(sm, 0); } else if (res != OCI_SUCCESS) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "OCV failed: %s", ocv_errorstr); if (wpa_auth->conf.msg_ctx) wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO, OCV_FAILURE "addr=" MACSTR " frame=eapol-key-m2 error=%s", - MAC2STR(sm->addr), ocv_errorstr); + MAC2STR(wpa_auth_get_spa(sm)), + ocv_errorstr); goto out; } } @@ -3306,7 +3351,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) MACSTR " (bit %u)", sm->ip_addr[0], sm->ip_addr[1], sm->ip_addr[2], sm->ip_addr[3], - MAC2STR(sm->addr), sm->ip_addr_bit); + MAC2STR(wpa_auth_get_spa(sm)), + sm->ip_addr_bit); } } #endif /* CONFIG_P2P */ @@ -3337,7 +3383,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) */ if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) { - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "PMKR1Name mismatch in FT 4-way handshake"); wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", @@ -3606,7 +3653,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) wpa_ie = wpa_ie_buf; } #endif /* CONFIG_TESTING_OPTIONS */ - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 3/4 msg of 4-Way Handshake"); if (sm->wpa == WPA_VERSION_WPA2) { if (sm->use_ext_key_id && sm->TimeoutCtr == 1 && @@ -3668,7 +3715,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) * by setting the Secure bit here even in the case of * WPA if the supplicant used it first. */ - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround"); secure = 1; } @@ -3894,14 +3942,14 @@ SM_STATE(WPA_PTK, PTKINITDONE) sm->PInitAKeys = true; else sm->has_GTK = true; - wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "pairwise key handshake completed (%s)", sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED " MACSTR, MAC2STR(sm->addr)); #ifdef CONFIG_IEEE80211R_AP - wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); + wpa_ft_push_pmk_r1(sm->wpa_auth, wpa_auth_get_spa(sm)); #endif /* CONFIG_IEEE80211R_AP */ sm->ptkstart_without_success = 0; @@ -3917,7 +3965,7 @@ SM_STEP(WPA_PTK) SM_ENTER(WPA_PTK, INITIALIZE); else if (sm->Disconnect /* || FIX: dot11RSNAConfigSALifetime timeout */) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "WPA_PTK: sm->Disconnect"); SM_ENTER(WPA_PTK, DISCONNECT); } @@ -3966,7 +4014,8 @@ SM_STEP(WPA_PTK) #endif /* CONFIG_DPP */ } else { wpa_auth->dot11RSNA4WayHandshakeFailures++; - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "INITPMK - keyAvailable = false"); SM_ENTER(WPA_PTK, DISCONNECT); } @@ -3985,7 +4034,8 @@ SM_STEP(WPA_PTK) "INITPSK: No PSK yet available for STA - use RADIUS later"); SM_ENTER(WPA_PTK, PTKSTART); } else { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "no PSK configured for the STA"); wpa_auth->dot11RSNA4WayHandshakeFailures++; SM_ENTER(WPA_PTK, DISCONNECT); @@ -3997,7 +4047,8 @@ SM_STEP(WPA_PTK) SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) { wpa_auth->dot11RSNA4WayHandshakeFailures++; - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "PTKSTART: Retry limit %u reached", conf->wpa_pairwise_update_count); sm->disconnect_reason = @@ -4029,7 +4080,8 @@ SM_STEP(WPA_PTK) (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1)) { wpa_auth->dot11RSNA4WayHandshakeFailures++; - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "PTKINITNEGOTIATING: Retry limit %u reached", conf->wpa_pairwise_update_count); sm->disconnect_reason = @@ -4086,7 +4138,7 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) os_memset(rsc, 0, WPA_KEY_RSC_LEN); if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 1/2 msg of Group Key Handshake"); gtk = gsm->GTK[gsm->GN - 1]; @@ -4167,7 +4219,7 @@ SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) return; if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "received EAPOL-Key group msg 2/2 with invalid Key Data contents"); return; } @@ -4178,7 +4230,8 @@ SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) int tx_seg1_idx; if (wpa_channel_info(wpa_auth, &ci) != 0) { - wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2"); return; } @@ -4192,13 +4245,15 @@ SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, tx_chanwidth, tx_seg1_idx) != OCI_SUCCESS) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), + LOGGER_INFO, "OCV failed: %s", ocv_errorstr); if (wpa_auth->conf.msg_ctx) wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO, OCV_FAILURE "addr=" MACSTR " frame=eapol-key-g2 error=%s", - MAC2STR(sm->addr), ocv_errorstr); + MAC2STR(wpa_auth_get_spa(sm)), + ocv_errorstr); return; } } @@ -4209,7 +4264,7 @@ SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) sm->GUpdateStationKeys = false; sm->GTimeoutCtr = 0; /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "group key handshake completed (%s)", sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); sm->has_GTK = true; @@ -4224,7 +4279,7 @@ SM_STATE(WPA_PTK_GROUP, KEYERROR) sm->GUpdateStationKeys = false; sm->Disconnect = true; sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT; - wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, + wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, "group key handshake failed (%s) after %u tries", sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", sm->wpa_auth->conf.wpa_group_update_count); @@ -4337,7 +4392,8 @@ static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) return 0; if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "Not in PTKINITDONE; skip Group Key update"); sm->GUpdateStationKeys = false; return 0; @@ -4348,7 +4404,8 @@ static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) * Since we clear the GKeyDoneStations before the loop, the * station needs to be counted here anyway. */ - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "GUpdateStationKeys was already set when marking station for GTK rekeying"); } @@ -4582,7 +4639,7 @@ static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) if (sm->group == ctx) { wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR " for disconnection due to fatal failure", - MAC2STR(sm->addr)); + MAC2STR(wpa_auth_get_spa(sm))); sm->Disconnect = true; } @@ -4675,7 +4732,7 @@ static int wpa_sm_step(struct wpa_state_machine *sm) if (sm->pending_deinit) { wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state machine deinit for " - MACSTR, MAC2STR(sm->addr)); + MACSTR, MAC2STR(wpa_auth_get_spa(sm))); wpa_free_sta_sm(sm); return 1; } @@ -5011,7 +5068,8 @@ int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len); if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, sm->PTK.kck, sm->PTK.kck_len, - sm->wpa_auth->addr, sm->addr, session_timeout, + wpa_auth_get_aa(sm), + wpa_auth_get_spa(sm), session_timeout, eapol, sm->wpa_key_mgmt)) return 0; @@ -5421,7 +5479,7 @@ int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state machine for VLAN ID %d", - MAC2STR(sm->addr), vlan_id); + MAC2STR(wpa_auth_get_spa(sm)), vlan_id); wpa_group_get(sm->wpa_auth, group); wpa_group_put(sm->wpa_auth, sm->group); @@ -5437,7 +5495,7 @@ void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, if (!wpa_auth || !sm) return; wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR - " ack=%d", MAC2STR(sm->addr), ack); + " ack=%d", MAC2STR(wpa_auth_get_spa(sm)), ack); if (sm->pending_1_of_4_timeout && ack) { /* * Some deployed supplicant implementations update their SNonce @@ -5635,7 +5693,7 @@ int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, anonce = anonce_buf; } - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 1/4 msg of 4-Way Handshake (TESTING)"); wpa_send_eapol(sm->wpa_auth, sm, WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, @@ -5677,7 +5735,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, wpa_ie = wpa_ie + wpa_ie[1] + 2; wpa_ie_len = wpa_ie[1] + 2; } - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 3/4 msg of 4-Way Handshake (TESTING)"); if (sm->wpa == WPA_VERSION_WPA2) { /* WPA2 send GTK in the 4-way handshake */ @@ -5702,7 +5760,8 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, * by setting the Secure bit here even in the case of * WPA if the supplicant used it first. */ - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), + LOGGER_DEBUG, "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround"); secure = 1; } @@ -5839,7 +5898,7 @@ int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ os_memset(rsc, 0, WPA_KEY_RSC_LEN); /* Use 0 RSC */ - wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, + wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG, "sending 1/2 msg of Group Key Handshake (TESTING)"); gtk = gsm->GTK[gsm->GN - 1];