From patchwork Fri Dec 15 12:09:27 2023
X-Patchwork-Submitter: Vinayak Yadawad
X-Patchwork-Id: 1876589
From: Vinayak Yadawad
To: hostap@lists.infradead.org
Cc: jithu.jance@broadcom.com, Vinayak Yadawad
Subject: [PATCH 1/1] hostapd: Handle PMKSA flush for SAE/OWE offload cases
Date: Fri, 15 Dec 2023 17:39:27 +0530
Message-Id: <0b3e64759ad4aabf3628937cc62b0ad4eb2bae6a.1702642084.git.vinayak.yadawad@broadcom.com>
X-Mailer: git-send-email 2.32.0

For supplicant based SAE/OWE connection, the supplicant state machine is aware of the PMKID created for a connection and this gets removed when "remove_network all" is called. However when SAE/OWE offload is enabled, the supplicant is not aware of the PMKID generated by the driver/firmware. So this patch adds pmksa del indication to the driver from remove_network context so that driver can free PMKs associated with the SSID.

Signed-off-by: Vinayak Yadawad
---
 wpa_supplicant/ctrl_iface.c |  4 ++++
 wpa_supplicant/notify.c     | 14 +++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 32f964f9c..fefb68d89 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c
@@ -3575,6 +3575,10 @@ static int wpa_supplicant_ctrl_iface_remove_network( /* cmd: "" or "all" */ if (os_strcmp(cmd, "all") == 0) { wpa_printf(MSG_DEBUG, "CTRL_IFACE: REMOVE_NETWORK all"); + if (wpa_s->drv_flags2 & + (WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA | + WPA_DRIVER_FLAGS2_OWE_OFFLOAD_STA)) + wpa_drv_flush_pmkid(wpa_s); return wpa_supplicant_remove_all_networks(wpa_s); } diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c index 0f9616d38..22b23ad4c 100644 --- a/wpa_supplicant/notify.c +++ b/wpa_supplicant/notify.c @@ -404,8 +404,20 @@ void wpas_notify_network_removed(struct wpa_supplicant *wpa_s, if (wpa_s->sme.ext_auth_wpa_ssid == ssid) wpa_s->sme.ext_auth_wpa_ssid = NULL; #endif /* CONFIG_SME && CONFIG_SAE */ - if (wpa_s->wpa) + if (wpa_s->wpa) { + if ((wpa_key_mgmt_sae(ssid->key_mgmt) && + (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) || + ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && + (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_OWE_OFFLOAD_STA))) { + /* For cases when PMK is generated at the driver */ + struct wpa_pmkid_params params; + os_memset(¶ms, 0, sizeof(params)); + params.ssid = ssid->ssid; + params.ssid_len = ssid->ssid_len; + wpa_drv_remove_pmkid(wpa_s, ¶ms); + } wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid); + } if (!ssid->p2p_group && wpa_s->global->p2p_group_formation != wpa_s && !wpa_s->p2p_mgmt) { wpas_dbus_unregister_network(wpa_s, ssid->id);
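
Review bot: In the ctrl_iface.c hunk, the wpa_drv_flush_pmkid(wpa_s) call is placed in the "REMOVE_NETWORK all" command handler instead of inside wpa_supplicant_remove_all_networks(), so only this control-interface path clears the driver's PMK cache; if that function is reached from anywhere else, PMKs held by an SAE/OWE offload driver or firmware stay usable after the networks are gone. Consider moving the flush into wpa_supplicant_remove_all_networks(), logging a failure from wpa_drv_flush_pmkid() rather than dropping its return value, and adding a one-line comment that says why offload drivers need the explicit flush. The subject prefix also says "hostapd:" while both touched files are under wpa_supplicant/.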
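
Review bot: In the notify.c hunk, wpa_drv_remove_pmkid() is called with a wpa_pmkid_params that carries only ssid and ssid_len (bssid and pmkid stay zeroed by os_memset) and its return value is ignored, so a driver that matches entries on BSSID or PMKID could keep the PMK without any indication. Please state in the comment or commit message that offload drivers are expected to treat an SSID-only request as "remove every PMK for this SSID", and log a failure at MSG_DEBUG. The driver call is also nested under if (wpa_s->wpa) although nothing in it uses wpa_s->wpa, and it adds a driver operation to wpas_notify_network_removed(), which is otherwise a notification hook; a helper called from the network removal path would keep that separation. Style: leave a blank line between the declaration of params and the os_memset() call.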