2011-02-26 01:33:18

by Thomas Pedersen

Subject: [PATCH 0/5] [mac|nl]80211: SAE mesh and userspace authentication

Hello,

This patch series introduces support for userspace SAE (Simultaneous
Authentication of Equals) daemons through nl80211 and mac80211. This
authentication scheme is documented in IEEE 802.11s section 8.2a.1.

Regards,
Thomas Pedersen
cozybit, inc.



2011-02-26 01:33:19

by Thomas Pedersen

Subject: [PATCH 1/5] mac80211: Support RSN information element on mesh interfaces

From: Javier Cardona <[email protected]>

Add RSN information element as a mesh setup parameter.
---
include/linux/nl80211.h | 4 ++++
include/net/cfg80211.h | 4 ++++
net/mac80211/cfg.c | 19 ++++++++++++++++---
net/mac80211/ieee80211_i.h | 2 ++
net/mac80211/mesh.c | 7 +++++++
net/mac80211/tx.c | 3 ++-
net/wireless/nl80211.c | 13 +++++++++++++
7 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 821ffb9..7f53bdf 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -1687,6 +1687,9 @@ enum nl80211_meshconf_params {
* element that vendors will use to identify the path selection methods and
* metrics in use.
*
+ * @NL80211_MESH_SETUP_RSN_IE: The Robust Security Network information element
+ * use to advertise security capabilities of this mesh network.
+ *
* @NL80211_MESH_SETUP_ATTR_MAX: highest possible mesh setup attribute number
* @__NL80211_MESH_SETUP_ATTR_AFTER_LAST: Internal use
*/
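Review bot: the new kernel-doc for @NL80211_MESH_SETUP_RSN_IE has a typo, "use to advertise" should read "used to advertise". It would also help to state that the attribute must carry one complete RSN element starting with its element ID, since nl80211_parse_mesh_setup() in this patch rejects anything else with -EINVAL.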
@@ -1695,6 +1698,7 @@ enum nl80211_mesh_setup_params {
NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL,
NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC,
NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE,
+ NL80211_MESH_SETUP_RSN_IE,

/* keep last */
__NL80211_MESH_SETUP_ATTR_AFTER_LAST,
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 679a049..5d3f0e8 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -653,6 +653,8 @@ struct mesh_config {
* @path_metric: which metric to use
* @vendor_ie: vendor information elements (optional)
* @vendor_ie_len: length of vendor information elements
+ * @rsn_ie: robust secure network information elements (for SAE)
+ * @rsn_ie_len: length of rsn_ie
*
* These parameters are fixed when the mesh is created.
*/
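Review bot: the @rsn_ie description expands RSN as "robust secure network"; the standard's term is Robust Security Network and the nl80211.h comment in this same patch uses that wording, so keep the two consistent. It also says "information elements" although the field carries a single RSN element, and it is worth documenting that @rsn_ie_len is a u8, which caps the element at 255 bytes.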
@@ -663,6 +665,8 @@ struct mesh_setup {
u8 path_metric;
const u8 *vendor_ie;
u8 vendor_ie_len;
+ const u8 *rsn_ie;
+ u8 rsn_ie_len;
};

/**
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 2ba3af8..b70e2a6 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1017,15 +1017,28 @@ static int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
if (!new_ie)
return -ENOMEM;
}
+ ifmsh->vendor_ie = new_ie;
+ kfree(old_ie);
+
+ /* then allocate the new rsn information element */
+ new_ie = NULL;
+ old_ie = ifmsh->rsn_ie;
+
+ ifmsh->rsn_ie_len = setup->rsn_ie_len;
+ if (setup->rsn_ie_len) {
+ new_ie = kmemdup(setup->rsn_ie, setup->rsn_ie_len,
+ GFP_KERNEL);
+ if (!new_ie)
+ return -ENOMEM;
+ }
+ ifmsh->rsn_ie = new_ie;
+ kfree(old_ie);

/* now copy the rest of the setup parameters */
ifmsh->mesh_id_len = setup->mesh_id_len;
memcpy(ifmsh->mesh_id, setup->mesh_id, ifmsh->mesh_id_len);
ifmsh->mesh_pp_id = setup->path_sel_proto;
ifmsh->mesh_pm_id = setup->path_metric;
- ifmsh->vendor_ie = new_ie;
-
- kfree(old_ie);

return 0;
}
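Review bot: ifmsh->rsn_ie_len is assigned from setup->rsn_ie_len before kmemdup() is known to have succeeded, so on -ENOMEM the interface is left with the old rsn_ie pointer paired with the new length, and mesh_mgmt_ies_add() will later copy rsn_ie_len bytes out of the old buffer. Set the length together with the pointer once the allocation has succeeded, e.g. `ifmsh->rsn_ie = new_ie; ifmsh->rsn_ie_len = setup->rsn_ie_len;`. The early return also happens after vendor_ie has already been swapped and the old copy freed, so a failure leaves the setup half-applied; allocating both copies before touching ifmsh at all avoids that.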
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index f2ef15d..4df7b69 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -490,6 +490,8 @@ struct ieee80211_if_mesh {
bool accepting_plinks;
const u8 *vendor_ie;
u8 vendor_ie_len;
+ const u8 *rsn_ie;
+ u8 rsn_ie_len;
};

#ifdef CONFIG_MAC80211_MESH
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 2a57cc0..c0635c5 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -279,6 +279,13 @@ void mesh_mgmt_ies_add(struct sk_buff *skb, struct ieee80211_sub_if_data *sdata)
MESHCONF_CAPAB_ACCEPT_PLINKS : 0x00;
*pos++ = 0x00;

+ if (sdata->u.mesh.rsn_ie) {
+ int len = sdata->u.mesh.rsn_ie_len;
+ const u8 *data = sdata->u.mesh.rsn_ie;
+ if (skb_tailroom(skb) > len)
+ memcpy(skb_put(skb, len), data, len);
+ }
+
if (sdata->u.mesh.vendor_ie) {
int len = sdata->u.mesh.vendor_ie_len;
const u8 *data = sdata->u.mesh.vendor_ie;
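Review bot: the tailroom check silently drops the RSN element when the skb is short, and `skb_tailroom(skb) > len` also skips it when the tailroom is exactly len; `>=` is the intended comparison, and a WARN_ON would make a dropped RSN element (which makes a secured mesh beacon look like an open one) visible instead of silent. Separately, the element is appended after the Mesh Configuration element, while the beacon element order in the standard places RSN (element ID 48) before the Mesh ID and Mesh Configuration elements; the insertion point should be moved accordingly.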
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 17ef4f4..5e643fe 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2313,7 +2313,8 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,

/* headroom, head length, tail length and maximum TIM length */
skb = dev_alloc_skb(local->tx_headroom + 400 +
- sdata->u.mesh.vendor_ie_len);
+ sdata->u.mesh.vendor_ie_len +
+ sdata->u.mesh.rsn_ie_len);
if (!skb)
goto out;

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 864ddfb..dc21ab5 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2788,6 +2788,8 @@ static const struct nla_policy
[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
[NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE] = { .type = NLA_BINARY,
.len = IEEE80211_MAX_DATA_LEN },
+ [NL80211_MESH_SETUP_RSN_IE] = { .type = NLA_BINARY,
+ .len = IEEE80211_MAX_DATA_LEN },
};

static int nl80211_parse_mesh_config(struct genl_info *info,
@@ -2897,6 +2899,17 @@ static int nl80211_parse_mesh_setup(struct genl_info *info,
setup->vendor_ie_len = nla_len(ieattr);
}

+ if (tb[NL80211_MESH_SETUP_RSN_IE]) {
+ struct nlattr *ieattr = tb[NL80211_MESH_SETUP_RSN_IE];
+ u8 *eid = nla_data(ieattr);
+ if (eid[0] != WLAN_EID_RSN)
+ return -EINVAL;
+ if (!is_valid_ie_attr(ieattr))
+ return -EINVAL;
+ setup->rsn_ie = nla_data(ieattr);
+ setup->rsn_ie_len = nla_len(ieattr);
+ }
+
return 0;
}
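Review bot: eid[0] is read before the attribute has been validated, and the NLA_BINARY policy only bounds the maximum length, so a zero-length NL80211_MESH_SETUP_RSN_IE attribute makes this read one byte past the payload (is_valid_ie_attr() returns true for an empty attribute, so it does not catch this either). Check `nla_len(ieattr) >= 2` and is_valid_ie_attr() before looking at the element ID. Also, setup->rsn_ie_len is a u8 while the policy allows up to IEEE80211_MAX_DATA_LEN, so an attribute longer than 255 bytes that still passes is_valid_ie_attr() has its length truncated on assignment; either reject such attributes here or widen the field.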

--
1.7.0.4


2011-02-27 09:43:50

by Jouni Malinen

Subject: Re: [PATCH 0/5] [mac|nl]80211: SAE mesh and userspace authentication

On Fri, Feb 25, 2011 at 05:32:35PM -0800, Thomas Pedersen wrote:
> This patch series introduces support for userspace SAE (Simultaneous
> Authentication of Equals) daemons through nl80211 and mac80211. This
> authentication scheme is documented in IEEE 802.11s section 8.2a.1.

While the SAE mechanism is specified in IEEE 802.11s, it is not in any
way specific to mesh. Some of these patches looked generic, but at least
the one touching ieee80211_default_mgmt_stypes addressed only the mesh
point iftype. Do you have plans on making this more generic to allow SAE
to be used in station mode interface with WPA2-Personal? I would assume
that AP side can already be handled in hostapd without kernel changes,
but it would be useful to allow wpa_supplicant to implement SAE for the
station interface even if there is no use of mesh in the network.

--
Jouni Malinen PGP id EFC895FA

2011-02-26 01:33:22

by Thomas Pedersen

Subject: [PATCH 3/5] mac80211: Accept mesh auth frames before a peer link has been established

From: Javier Cardona <[email protected]>

---
net/mac80211/rx.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 045b2fe..670e304 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -502,7 +502,8 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)

if (ieee80211_is_probe_req(hdr->frame_control) ||
ieee80211_is_probe_resp(hdr->frame_control) ||
- ieee80211_is_beacon(hdr->frame_control))
+ ieee80211_is_beacon(hdr->frame_control) ||
+ ieee80211_is_auth(hdr->frame_control))
return RX_CONTINUE;

return RX_DROP_MONITOR;
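Review bot: the new ieee80211_is_auth() case lets Authentication frames through ieee80211_rx_mesh_check() unconditionally, including on a mesh that has no RSN element configured and therefore no userspace authenticator to handle them. Consider gating it on sdata->u.mesh.rsn_ie (introduced in patch 1/5) so open meshes keep dropping these frames, and the commit message, currently empty, should say why they must be accepted before a peer link exists.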
--
1.7.0.4


2011-02-28 18:50:21

by Javier Cardona

[permalink] [raw]
Subject: Re: [PATCH 2/5] mac80211: Let user space receive and send mesh auth/deauth frames

Hi Jouni,

On Sun, Feb 27, 2011 at 2:47 AM, Jouni Malinen <[email protected]> wrote:
> On Fri, Feb 25, 2011 at 05:32:37PM -0800, Thomas Pedersen wrote:
>> From: Javier Cardona <[email protected]>
>> @@ -529,7 +529,9 @@ ieee80211_default_mgmt_stypes[NUM_NL80211_IFTYPES] = {
>>       [NL80211_IFTYPE_MESH_POINT] = {
>> +             .rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
>> +                     BIT(IEEE80211_STYPE_AUTH >> 4) |
>> +                     BIT(IEEE80211_STYPE_DEAUTH >> 4),
>
> This seems to be pointing towards processing the full Authentication
> frame in user space. However, some other patches in this series seemed
> to be extending the NL80211_CMD_AUTHENTICATE mechanism to allow SAE to
> be implemented on top of it. Which direction is being taken here? Or are
> both mechanisms going to be used depending on iftype?

The patches were sent to the list before proper review. The changes
to NL80211_CMD_AUTHENTICATE were left over from an earlier
implementation variant and will be removed in the final submission.

> For non-mesh cases, I would probably prefer NL80211_CMD_AUTHENTICATE
> extension for the station vif to continue with the style we started for
> FT. The AP vif is already handling the full Authentication frame in user
> space, so that is fine for SAE, too.

Ah, thanks for the suggestion. As I mentioned on a previous e-mail,
our current goal is to implement SAE for mesh interfaces. But will
definitely follow your advice if we ever attempt to implement station
mode support.

Cheers,

Javier

--
Javier Cardona
cozybit Inc.
http://www.cozybit.com

2011-02-26 01:33:25

by Thomas Pedersen

Subject: [PATCH 5/5] nl80211: Let userspace set the authenticated flag for a mesh peer.

From: Javier Cardona <[email protected]>

---
include/linux/nl80211.h | 7 ++++++-
net/mac80211/cfg.c | 6 ++++++
net/wireless/nl80211.c | 2 +-
3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 528cd4c..625f8dc 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -1159,8 +1159,11 @@ enum nl80211_iftype {
/**
* enum nl80211_sta_flags - station flags
*
- * Station flags. When a station is added to an AP interface, it is
+ * Station flags. Stations added to an AP interface, are
* assumed to be already associated (and hence authenticated.)
+ * Mesh peers are added when they are discovered and authenticated later,
+ * either by userspace (SAE authentication) or in the kernel (open
+ * authentication).
*
* @__NL80211_STA_FLAG_INVALID: attribute number 0 is reserved
* @NL80211_STA_FLAG_AUTHORIZED: station is authorized (802.1X)
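Review bot: the reworded comment reads "Stations added to an AP interface, are assumed" with a stray comma; drop it, and put the period after the closing parenthesis ("(and hence authenticated).") to match the rest of the file. The new sentence should also say who may clear the flag, since the nl80211 change in this patch lets userspace both set and clear NL80211_STA_FLAG_AUTHENTICATED on mesh peers.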
@@ -1168,6 +1171,7 @@ enum nl80211_iftype {
* with short barker preamble
* @NL80211_STA_FLAG_WME: station is WME/QoS capable
* @NL80211_STA_FLAG_MFP: station uses management frame protection
+ * @NL80211_STA_FLAG_AUTHENTICATED: (mesh) station is authenticated
* @NL80211_STA_FLAG_MAX: highest station flag number currently defined
* @__NL80211_STA_FLAG_AFTER_LAST: internal use
*/
@@ -1177,6 +1181,7 @@ enum nl80211_sta_flags {
NL80211_STA_FLAG_SHORT_PREAMBLE,
NL80211_STA_FLAG_WME,
NL80211_STA_FLAG_MFP,
+ NL80211_STA_FLAG_AUTHENTICATED,

/* keep last */
__NL80211_STA_FLAG_AFTER_LAST,
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index b70e2a6..a292c2a 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -662,6 +662,12 @@ static void sta_apply_parameters(struct ieee80211_local *local,
if (set & BIT(NL80211_STA_FLAG_MFP))
sta->flags |= WLAN_STA_MFP;
}
+
+ if (mask & BIT(NL80211_STA_FLAG_AUTHENTICATED)) {
+ sta->flags &= ~WLAN_STA_AUTH;
+ if (set & BIT(NL80211_STA_FLAG_AUTHENTICATED))
+ sta->flags |= WLAN_STA_AUTH;
+ }
spin_unlock_irqrestore(&sta->flaglock, flags);

/*
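Review bot: clearing WLAN_STA_AUTH here only flips the station flag; it does not touch the peer's plink state, so an established mesh peer whose authentication is revoked keeps its peer link until something else tears it down. Either document in the kernel-doc that userspace is expected to deauthenticate or delete the peer separately, or have the clear path drive the plink state machine. Note also that sta_apply_parameters() runs for every iftype, so nothing in this hunk stops the flag on non-mesh interfaces except the mask check in nl80211_set_station(); nl80211_new_station() needs the same restriction if it does not already have it.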
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 4651bcf..21f2533 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2244,7 +2244,7 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
err = -EINVAL;
if (params.supported_rates)
err = -EINVAL;
- if (params.sta_flags_mask)
+ if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHENTICATED))
err = -EINVAL;
break;
default:
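Review bot: the relaxed mask check does what is needed, but the patch description is empty; it should state that for mesh points userspace (the SAE daemon) may now set and clear NL80211_STA_FLAG_AUTHENTICATED through NL80211_CMD_SET_STATION and that every other station flag is still rejected with -EINVAL.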
--
1.7.0.4


2011-02-26 02:01:47

by Javier Cardona

Subject: Re: [PATCH 0/5] [mac|nl]80211: SAE mesh and userspace authentication

Hey Thomas,

I had asked you to review my patches, not submit them :)

John,

Please disregard this series. We'll resubmit shortly.

Thanks,

Javier

On Fri, Feb 25, 2011 at 5:32 PM, Thomas Pedersen <[email protected]> wrote:
> Hello,
>
> This patch series introduces support for userspace SAE (Simultaneous
> Authentication of Equals) daemons through nl80211 and mac80211. This
> authentication scheme is documented in IEEE 802.11s section 8.2a.1.
>
> Regards,
> Thomas Pedersen
> cozybit, inc.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>



--
Javier Cardona
cozybit Inc.
http://www.cozybit.com

2011-02-27 10:47:29

by Jouni Malinen

Subject: Re: [PATCH 2/5] mac80211: Let user space receive and send mesh auth/deauth frames

On Fri, Feb 25, 2011 at 05:32:37PM -0800, Thomas Pedersen wrote:
> From: Javier Cardona <[email protected]>
> @@ -529,7 +529,9 @@ ieee80211_default_mgmt_stypes[NUM_NL80211_IFTYPES] = {
> [NL80211_IFTYPE_MESH_POINT] = {
> + .rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
> + BIT(IEEE80211_STYPE_AUTH >> 4) |
> + BIT(IEEE80211_STYPE_DEAUTH >> 4),

This seems to be pointing towards processing the full Authentication
frame in user space. However, some other patches in this series seemed
to be extending the NL80211_CMD_AUTHENTICATE mechanism to allow SAE to
be implemented on top of it. Which direction is being taken here? Or are
both mechanisms going to be used depending on iftype?

For non-mesh cases, I would probably prefer NL80211_CMD_AUTHENTICATE
extension for the station vif to continue with the style we started for
FT. The AP vif is already handling the full Authentication frame in user
space, so that is fine for SAE, too.

--
Jouni Malinen PGP id EFC895FA

2011-02-26 01:33:21

by Thomas Pedersen

Subject: [PATCH 2/5] mac80211: Let user space receive and send mesh auth/deauth frames

From: Javier Cardona <[email protected]>

---
net/mac80211/main.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index c155c0b..299e8e3 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -529,7 +529,9 @@ ieee80211_default_mgmt_stypes[NUM_NL80211_IFTYPES] = {
},
[NL80211_IFTYPE_MESH_POINT] = {
.tx = 0xffff,
- .rx = BIT(IEEE80211_STYPE_ACTION >> 4),
+ .rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
+ BIT(IEEE80211_STYPE_AUTH >> 4) |
+ BIT(IEEE80211_STYPE_DEAUTH >> 4),
},
};
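Review bot: with .tx already 0xffff this hunk only adds the receive side, so after it userspace can both receive and transmit Authentication and Deauthentication frames on a mesh interface, and together with patch 3/5 those frames are delivered before any peer link exists. The commit has no description; it should state that intent and, as raised in the thread, say how this fits with the NL80211_CMD_AUTHENTICATE extension in patch 4/5, since only one of the two paths should handle Authentication frames for a given iftype.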

--
1.7.0.4


2011-02-26 01:33:23

by Thomas Pedersen

Subject: [PATCH 4/5] nl80211: New constant definitions for SAE

From: Javier Cardona <[email protected]>

---
include/linux/nl80211.h | 2 ++
net/mac80211/mlme.c | 3 +++
net/wireless/nl80211.c | 3 ++-
3 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 7f53bdf..528cd4c 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -1814,6 +1814,7 @@ enum nl80211_bss_status {
* @NL80211_AUTHTYPE_SHARED_KEY: Shared Key authentication (WEP only)
* @NL80211_AUTHTYPE_FT: Fast BSS Transition (IEEE 802.11r)
* @NL80211_AUTHTYPE_NETWORK_EAP: Network EAP (some Cisco APs and mainly LEAP)
+ * @NL80211_AUTHTYPE_SAE: Simultaneous Authentication of Equals
* @__NL80211_AUTHTYPE_NUM: internal
* @NL80211_AUTHTYPE_MAX: maximum valid auth algorithm
* @NL80211_AUTHTYPE_AUTOMATIC: determine automatically (if necessary by
@@ -1825,6 +1826,7 @@ enum nl80211_auth_type {
NL80211_AUTHTYPE_SHARED_KEY,
NL80211_AUTHTYPE_FT,
NL80211_AUTHTYPE_NETWORK_EAP,
+ NL80211_AUTHTYPE_SAE,

/* keep last */
__NL80211_AUTHTYPE_NUM,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index f77adf1..2dbe703 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2260,6 +2260,9 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
case NL80211_AUTHTYPE_NETWORK_EAP:
auth_alg = WLAN_AUTH_LEAP;
break;
+ case NL80211_AUTHTYPE_SAE:
+ auth_alg = WLAN_AUTH_SAE;
+ break;
default:
return -EOPNOTSUPP;
}
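Review bot: WLAN_AUTH_SAE is used here but the series diffstat does not touch include/linux/ieee80211.h; if that constant is not already defined there, this patch does not build and should add it (the standard assigns SAE authentication algorithm number 3). Since the thread says the NL80211_CMD_AUTHENTICATE path is being dropped for mesh, this case will only matter for station-mode SAE.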
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index dc21ab5..4651bcf 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3591,7 +3591,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
return -EOPNOTSUPP;

if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
- dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
+ dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
+ dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
return -EOPNOTSUPP;

bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
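Review bot: admitting NL80211_IFTYPE_MESH_POINT into nl80211_authenticate() routes mesh interfaces to rdev->ops->auth, which in mac80211 is ieee80211_mgd_auth() and assumes managed-mode state a mesh interface does not have. The follow-up in this thread says this is left over from an earlier variant and will be removed; drop it from the resubmission rather than leave two authentication paths for mesh.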
--
1.7.0.4


2011-02-28 18:39:30

by Javier Cardona

Subject: Re: [PATCH 0/5] [mac|nl]80211: SAE mesh and userspace authentication

Hi Jouni,

On Sun, Feb 27, 2011 at 1:43 AM, Jouni Malinen <[email protected]> wrote:
> On Fri, Feb 25, 2011 at 05:32:35PM -0800, Thomas Pedersen wrote:
>> This patch series introduces support for userspace SAE (Simultaneous
>> Authentication of Equals) daemons through nl80211 and mac80211. This
>> authentication scheme is documented in IEEE 802.11s section 8.2a.1.
>
> While the SAE mechanism is specified in IEEE 802.11s, it is not in any
> way specific to mesh. Some of these patches looked generic, but at least
> the one touching ieee80211_default_mgmt_stypes addressed only the mesh
> point iftype. Do you have plans on making this more generic to allow SAE
> to be used in station mode interface with WPA2-Personal?

Our goal is to implement SAE for mesh mode interfaces in the most
generic way so it can easily be extended for station mode interfaces.
If we have the bandwidth, we might try to implement station mode
support ourselves, but can't guarantee it at this time. We'll gladly
accept feedback on the best way to implement SAE support in the most
generic way.

> I would assume that AP side can already be handled in hostapd without kernel changes,
> but it would be useful to allow wpa_supplicant to implement SAE for the
> station interface even if there is no use of mesh in the network.

We have prototyped an SAE authentication daemon here:
https://github.com/cozybit/authsae . The current version successfully
authenticates mesh nodes (the kernel requires the patches in this
series). The next step is to roll that functionality into
wpa_supplicant and hope that the maintainer considers our patches
favorably. When we do that we'll make sure that we cover the case of
station interfaces, but I don't think we'll be able to implement the
AP side in hostapd. Do you have plans to support SAE in hostapd?

Cheers,

Javier

--
Javier Cardona
cozybit Inc.
http://www.cozybit.com