Patchwork [PATCHv2] wpa_supplicant: support IBSS RSN STA authorization

Submitter Antonio Quartulli
Date Jan. 29, 2012, 4:10 p.m.
Message ID <1327853435-6208-1-git-send-email-ordex@autistici.org>
Permalink /patch/138456/
State Superseded

Comments

Antonio Quartulli - Jan. 29, 2012, 4:10 p.m.
In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new stations.
This patch makes wpa_supplicant notify the driver when a station can be
considered authorised.

Signed-hostap: Antonio Quartulli <ordex@autistici.org>
---

- If the kernel has not been patched already with the corresponding
"cfg80211/mac80211: userspace peer authorization in IBSS" patch, the
set_station message will simply return EINVAL and wpa_s will continue to work
as usual.



 src/drivers/driver_nl80211.c |    3 ++
 wpa_supplicant/ibss_rsn.c    |   50 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 0 deletions(-)
Jouni Malinen - Jan. 29, 2012, 5:52 p.m.
On Sun, Jan 29, 2012 at 05:10:35PM +0100, Antonio Quartulli wrote:
> In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new stations.
> This patch makes wpa_supplicant notify the driver when a station can be
> considered authorised.

> - If the kernel has not been patched already with the corresponding
> "cfg80211/mac80211: userspace peer authorization in IBSS" patch, the
> set_station message will simply return EINVAL and wpa_s will continue to work
> as usual.

I prefer to wait with this until the kernel patch gets approved and
pushed into wireless-testing.git.

> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> @@ -6427,6 +6427,9 @@ retry:
>  		NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid);
>  	}
>  
> +	if (params->key_mgmt_suite == KEY_MGMT_802_1X)
> +		NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT);

Could you please explain what this is trying to do? It does not look
correct taking into account that I would assume similar control port
behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.
Antonio Quartulli - Jan. 29, 2012, 5:58 p.m.
On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> On Sun, Jan 29, 2012 at 05:10:35PM +0100, Antonio Quartulli wrote:
> > In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new stations.
> > This patch makes wpa_supplicant notify the driver when a station can be
> > considered authorised.
> 
> > - If the kernel has not been patched already with the corresponding
> > "cfg80211/mac80211: userspace peer authorization in IBSS" patch, the
> > set_station message will simply return EINVAL and wpa_s will continue to work
> > as usual.
> 
> I prefer to wait with this until the kernel patch gets approved and
> pushed into wireless-testing.git.

ok!

> 
> > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> > @@ -6427,6 +6427,9 @@ retry:
> >  		NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid);
> >  	}
> >  
> > +	if (params->key_mgmt_suite == KEY_MGMT_802_1X)
> > +		NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT);
> 
> Could you please explain what this is trying to do? It does not look
> correct taking into account that I would assume similar control port
> behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.

Well, first of all let me say that I'm not really familiar with all those
defines, and I probably need to reserve some time to read and understand them
all.

The idea is that in case of creating an RSN protected IBSS network, wpa_s has to
tell the kernelspace that such network is RSN protected. But probably I got it
wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of
KEY_MGMT_802_1X.

Can KEY_MGMT_802_1X_SHA256 and KEY_MGMT_PSK_SHA256 be allowed values for
params->key_mgmt_suite in IBSS_RSN?

Cheers,

Jouni Malinen - Jan. 29, 2012, 7:10 p.m.
On Sun, Jan 29, 2012 at 06:58:23PM +0100, Antonio Quartulli wrote:
> On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> > Could you please explain what this is trying to do? It does not look
> > correct taking into account that I would assume similar control port
> > behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> > KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.

> The idea is that in case of creating an RSN protected IBSS network, wpa_s has to
> tell the kernelspace that such network is RSN protected. But probably I got it
> wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of
> KEY_MGMT_802_1X.

Well, it should really be that full list above. Not that we really fully
support IEEE 802.1X with RSN IBSS at the moment, but anyway, we could
potentially do that and the driver wrapper does not need to know this
anyway, so better include all possibilities that would use the new
authorization mechanism.

> Can KEY_MGMT_802_1X_SHA256 and KEY_MGMT_PSK_SHA256 be allowed values for
> params->key_mgmt_suite in IBSS_RSN?

Yes. Though, the only ones that are likely to work at this point are
WPA_KEY_MGMT_PSK and KEY_MGMT_PSK_SHA256. I don't think the version you
used previously ever set this flag, so it would be interesting to hear
how this was tested. Since the kernel change was not yet in
wireless-testing.git, I just verified that the authorization operations
are failing and left the patch waiting until the kernel side is ready.
Antonio Quartulli - Jan. 29, 2012, 7:31 p.m.
On Sun, Jan 29, 2012 at 09:10:56PM +0200, Jouni Malinen wrote:
> On Sun, Jan 29, 2012 at 06:58:23PM +0100, Antonio Quartulli wrote:
> > On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> > > Could you please explain what this is trying to do? It does not look
> > > correct taking into account that I would assume similar control port
> > > behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> > > KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.
> 
> > The idea is that in case of creating an RSN protected IBSS network, wpa_s has to
> > tell the kernelspace that such network is RSN protected. But probably I got it
> > wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of
> > KEY_MGMT_802_1X.
> 
> Well, it should really be that full list above. Not that we really fully
> support IEEE 802.1X with RSN IBSS at the moment, but anyway, we could
> potentially do that and the driver wrapper does not need to know this
> anyway, so better include all possibilities that would use the new
> authorization mechanism.

ok, patch v3 is coming.

Patch

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 0bf1dca..1f3e3f9 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -6427,6 +6427,9 @@  retry:
 		NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid);
 	}
 
+	if (params->key_mgmt_suite == KEY_MGMT_802_1X)
+		NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT);
+
 	if (params->wpa_ie) {
 		wpa_hexdump(MSG_DEBUG,
 			    "  * Extra IEs for Beacon/Probe Response frames",
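Review bot: The condition `if (params->key_mgmt_suite == KEY_MGMT_802_1X)` covers only one key management suite, so a network using any other RSN suite would not carry NL80211_ATTR_CONTROL_PORT, and by the submitter's own explanation in the thread the kernel would then not be told that the network is RSN protected. As raised in the review thread, the test should also accept KEY_MGMT_PSK, KEY_MGMT_802_1X_SHA256 and KEY_MGMT_PSK_SHA256. The commit message describes only the station authorization call; it should also say that the patch sets the control port flag and why.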
diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c
index f9a9090..f1e4e21 100644
--- a/wpa_supplicant/ibss_rsn.c
+++ b/wpa_supplicant/ibss_rsn.c
@@ -320,6 +320,55 @@  static int auth_for_each_sta(void *ctx, int (*cb)(struct wpa_state_machine *sm,
 }
 
 
+static void ibss_set_sta_authorized(struct ibss_rsn *ibss_rsn,
+				    struct ibss_rsn_peer *peer, int authorized)
+{
+	int res;
+
+	if (authorized) {
+		res = wpa_drv_sta_set_flags(ibss_rsn->wpa_s, peer->addr,
+					    WPA_STA_AUTHORIZED,
+					    WPA_STA_AUTHORIZED, ~0);
+		wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " authorizing port",
+			   MAC2STR(peer->addr));
+	} else {
+		res = wpa_drv_sta_set_flags(ibss_rsn->wpa_s, peer->addr,
+					    0, 0, ~WPA_STA_AUTHORIZED);
+		wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " unauthorizing port",
+			   MAC2STR(peer->addr));
+	}
+
+	if (res && errno != ENOENT) {
+		wpa_printf(MSG_DEBUG, "Could not set station " MACSTR " flags "
+			   "for kernel driver (errno=%d)",
+			   MAC2STR(peer->addr), errno);
+	}
+}
+
+
+
+static void auth_set_eapol(void *ctx, const u8 *addr,
+				       wpa_eapol_variable var, int value)
+{
+	struct ibss_rsn *ibss_rsn = ctx;
+	struct ibss_rsn_peer *peer = ibss_rsn_get_peer(ibss_rsn, addr);
+
+	if (peer == NULL)
+		return;
+
+	switch (var) {
+	case WPA_EAPOL_authorized:
+		ibss_set_sta_authorized(ibss_rsn, peer, value);
+		break;
+	default:
+		/* do not handle any other event */
+		wpa_printf(MSG_DEBUG, "AUTH: eapol event not handled %d", var);
+		break;
+	}
+}
+
+
+
 static int ibss_rsn_auth_init_group(struct ibss_rsn *ibss_rsn,
 				    const u8 *own_addr)
 {
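Review bot: In ibss_set_sta_authorized() the test `if (res && errno != ENOENT)` reads errno only after wpa_printf() has run, and that call can overwrite it; save errno right after wpa_drv_sta_set_flags() returns, or decide from res alone. The patch notes say an unpatched kernel answers set_station with EINVAL, yet only ENOENT is filtered, so that case would be logged on every authorization change; a comment should state which error codes are expected and why. The "authorizing port" and "unauthorizing port" messages are printed before the result is checked, and a failure is reported only at MSG_DEBUG with nothing returned to the caller, so a peer whose authorized flag could not be cleared would go unnoticed outside debug logging. Style: the new functions are separated by three blank lines where the surrounding code uses two, and the continuation line of the auth_set_eapol() prototype is not aligned with its first parameter.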
@@ -340,6 +389,7 @@  static int ibss_rsn_auth_init_group(struct ibss_rsn *ibss_rsn,
 	os_memset(&cb, 0, sizeof(cb));
 	cb.ctx = ibss_rsn;
 	cb.logger = auth_logger;
+	cb.set_eapol = auth_set_eapol;
 	cb.send_eapol = auth_send_eapol;
 	cb.get_psk = auth_get_psk;
 	cb.set_key = auth_set_key;
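Review bot: The `cb.set_eapol = auth_set_eapol;` assignment is unconditional, so the callback also runs on kernels without the matching cfg80211/mac80211 change, where the patch notes say set_station returns EINVAL. A short comment at the assignment stating that the failure is expected and harmless there, or a check that stops issuing the driver call after the first such failure, would make that dependency visible in the code.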