Message ID | 1327853435-6208-1-git-send-email-ordex@autistici.org |
---|---|
State | Superseded |
On Sun, Jan 29, 2012 at 05:10:35PM +0100, Antonio Quartulli wrote:
> In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new stations.
> This patch makes wpa_supplicant notify the driver when a station can be
> considered authorised.
> - If the kernel has not been patched already with the corresponding
> "cfg80211/mac80211: userspace peer authorization in IBSS" patch, the
> set_station message will simply return EINVAL and wpa_s will continue to work
> as usual.

I prefer to wait with this until the kernel patch gets approved and pushed into wireless-testing.git.

> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c > @@ -6427,6 +6427,9 @@ retry: > NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid); > } > > + if (params->key_mgmt_suite == KEY_MGMT_802_1X) > + NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT);

Could you please explain what this is trying to do? It does not look correct taking into account that I would assume similar control port behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK, KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.

On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> On Sun, Jan 29, 2012 at 05:10:35PM +0100, Antonio Quartulli wrote:
> > In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new stations.
> > This patch makes wpa_supplicant notify the driver when a station can be
> > considered authorised.
> >
> > - If the kernel has not been patched already with the corresponding
> > "cfg80211/mac80211: userspace peer authorization in IBSS" patch, the
> > set_station message will simply return EINVAL and wpa_s will continue to work
> > as usual.
>
> I prefer to wait with this until the kernel patch gets approved and
> pushed into wireless-testing.git.

ok!

>
> > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c > > @@ -6427,6 +6427,9 @@ retry: > > NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid); > > } > > > > + if (params->key_mgmt_suite == KEY_MGMT_802_1X) > > + NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT);
>
> Could you please explain what this is trying to do? It does not look
> correct taking into account that I would assume similar control port
> behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.

Well, first of all let me say that I'm not really familiar with all those defines, and I probably need to reserve some time to read and understand them all.

The idea is that in case of creating a RSN protected IBSS network, wpa_s has to tell the kernelspace that such network is RSN protected. But probably I got it wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of KEY_MGMT_802_1X.

Can KEY_MGMT_802_1X_SHA256 and KEY_MGMT_PSK_SHA256 be allowed values for params->key_mgmt_suite in IBSS_RSN?

Cheers,

>
> --
> Jouni Malinen PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP@lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap

On Sun, Jan 29, 2012 at 06:58:23PM +0100, Antonio Quartulli wrote:
> On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> > Could you please explain what this is trying to do? It does not look
> > correct taking into account that I would assume similar control port
> > behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> > KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.
> The idea is that in case of creating a RSN protected IBSS network, wpa_s has to
> tell the kernelspace that such network is RSN protected. But probably I got it
> wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of
> KEY_MGMT_802_1X.

Well, it should really be that full list above. Not that we really fully support IEEE 802.1X with RSN IBSS at the moment, but anyway, we could potentially do that and the driver wrapper does not need to know this anyway, so better include all possibilities that would use the new authorization mechanism.

> Can KEY_MGMT_802_1X_SHA256 and KEY_MGMT_PSK_SHA256 be allowed values for
> params->key_mgmt_suite in IBSS_RSN?

Yes. Though, the only ones that are likely to work at this point are WPA_KEY_MGMT_PSK and KEY_MGMT_PSK_SHA256.

I don't think the version you used previously ever set this flag, so it would be interesting to hear how this was tested. Since the kernel change was not yet in wireless-testing.git, I just verified that the authorization operations are failing and left the patch waiting until the kernel side is ready.

On Sun, Jan 29, 2012 at 09:10:56PM +0200, Jouni Malinen wrote:
> On Sun, Jan 29, 2012 at 06:58:23PM +0100, Antonio Quartulli wrote:
> > On Sun, Jan 29, 2012 at 07:52:31PM +0200, Jouni Malinen wrote:
> > > Could you please explain what this is trying to do? It does not look
> > > correct taking into account that I would assume similar control port
> > > behavior to be used with KEY_MGMT_802_1X, KEY_MGMT_PSK,
> > > KEY_MGMT_802_1X_SHA256, and KEY_MGMT_PSK_SHA256.
>
> > The idea is that in case of creating a RSN protected IBSS network, wpa_s has to
> > tell the kernelspace that such network is RSN protected. But probably I got it
> > wrong and such comparison should be done against WPA_KEY_MGMT_PSK instead of
> > KEY_MGMT_802_1X.
>
> Well, it should really be that full list above. Not that we really fully
> support IEEE 802.1X with RSN IBSS at the moment, but anyway, we could
> potentially do that and the driver wrapper does not need to know this
> anyway, so better include all possibilities that would use the new
> authorization mechanism.

ok, patch v3 is coming.

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 0bf1dca..1f3e3f9 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -6427,6 +6427,9 @@ retry: NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid); } + if (params->key_mgmt_suite == KEY_MGMT_802_1X) + NLA_PUT_FLAG(msg, NL80211_ATTR_CONTROL_PORT); + if (params->wpa_ie) { wpa_hexdump(MSG_DEBUG, " * Extra IEs for Beacon/Probe Response frames", diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index f9a9090..f1e4e21 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c @@ -320,6 +320,55 @@ static int auth_for_each_sta(void *ctx, int (*cb)(struct wpa_state_machine *sm, } +static void ibss_set_sta_authorized(struct ibss_rsn *ibss_rsn, + struct ibss_rsn_peer *peer, int authorized) +{ + int res; + + if (authorized) { + res = wpa_drv_sta_set_flags(ibss_rsn->wpa_s, peer->addr, + WPA_STA_AUTHORIZED, + WPA_STA_AUTHORIZED, ~0); + wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " authorizing port", + MAC2STR(peer->addr)); + } else { + res = wpa_drv_sta_set_flags(ibss_rsn->wpa_s, peer->addr, + 0, 0, ~WPA_STA_AUTHORIZED); + wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " unauthorizing port", + MAC2STR(peer->addr)); + } + + if (res && errno != ENOENT) { + wpa_printf(MSG_DEBUG, "Could not set station " MACSTR " flags " + "for kernel driver (errno=%d)", + MAC2STR(peer->addr), errno); + } +} + + + +static void auth_set_eapol(void *ctx, const u8 *addr, + wpa_eapol_variable var, int value) +{ + struct ibss_rsn *ibss_rsn = ctx; + struct ibss_rsn_peer *peer = ibss_rsn_get_peer(ibss_rsn, addr); + + if (peer == NULL) + return; + + switch (var) { + case WPA_EAPOL_authorized: + ibss_set_sta_authorized(ibss_rsn, peer, value); + break; + default: + /* do not handle any other event */ + wpa_printf(MSG_DEBUG, "AUTH: eapol event not handled %d", var); + break; + } +} + + + static int ibss_rsn_auth_init_group(struct ibss_rsn *ibss_rsn, const u8 *own_addr) { 
@@ -340,6 +389,7 @@ static int ibss_rsn_auth_init_group(struct ibss_rsn *ibss_rsn, os_memset(&cb, 0, sizeof(cb)); cb.ctx = ibss_rsn; cb.logger = auth_logger; + cb.set_eapol = auth_set_eapol; cb.send_eapol = auth_send_eapol; cb.get_psk = auth_get_psk; cb.set_key = auth_set_key;
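
Review bot: In the src/drivers/driver_nl80211.c hunk (after `retry:`), the test `params->key_mgmt_suite == KEY_MGMT_802_1X` sets NL80211_ATTR_CONTROL_PORT for only one key management suite, so an RSN IBSS created with KEY_MGMT_PSK, KEY_MGMT_802_1X_SHA256 or KEY_MGMT_PSK_SHA256 would not be flagged to the kernel as RSN protected. The condition should cover all four suites named in the review thread, since each of them relies on the same userspace authorization step. A one-line comment above the `if` stating why the flag is set for IBSS would also help, because nothing in the hunk explains it.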
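
Review bot: In ibss_set_sta_authorized() (first wpa_supplicant/ibss_rsn.c hunk), `errno` is tested in `if (res && errno != ENOENT)` only after wpa_printf() has run, so the value checked may no longer be the one left by wpa_drv_sta_set_flags(); do the check directly after the driver call, or save errno into a local first. The "authorizing port" / "unauthorizing port" debug lines are also printed regardless of `res`, and a failure is reported only at MSG_DEBUG from a `void` function, so a failed unauthorize leaves the driver's port state unchanged without the caller learning of it. Consider returning `res` to auth_set_eapol() and logging the failure at a higher level. The commit message says an unpatched kernel answers with EINVAL, which this check does not exempt, so that case will log on every authorization change; say in a comment whether that is intended.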