From: Javier Cardona <javier@cozybit.com>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: Javier Cardona <javier@cozybit.com>,
Thomas Pedersen <thomas@cozybit.com>,
devel@lists.open80211s.org,
Johannes Berg <johannes@sipsolutions.net>,
linux-wireless@vger.kernel.org, jlopex@gmail.com
Subject: [PATCH 01/13] nl80211: Introduce NL80211_MESH_SETUP_USERSPACE_AMPE
Date: Tue, 3 May 2011 16:57:07 -0700 [thread overview]
Message-ID: <1304467039-7730-2-git-send-email-javier@cozybit.com> (raw)
In-Reply-To: <1304467039-7730-1-git-send-email-javier@cozybit.com>
Introduce a new configuration option to support AMPE from userspace.
Prior to this series we only supported authentication in userspace: an
authentication daemon would authenticate peer candidates in userspace
and hand them over to the kernel. From that point the mesh stack would
take over and establish a peer link (Mesh Peering Management).
These patches introduce support for Authenticated Mesh Peering Exchange
in userspace. The userspace daemon implements the AMPE protocol and on
successful completion creates mesh peers and installs encryption keys.
Signed-off-by: Javier Cardona <javier@cozybit.com>
---
include/linux/nl80211.h | 10 ++++++++++
include/net/cfg80211.h | 4 +++-
net/mac80211/cfg.c | 6 +++++-
net/mac80211/ieee80211_i.h | 6 +++++-
net/mac80211/mesh.c | 2 +-
net/mac80211/mesh_plink.c | 5 +++--
net/wireless/nl80211.c | 4 +++-
7 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 216b1d8..8684c0a 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -1748,6 +1748,15 @@ enum nl80211_meshconf_params {
* @NL80211_MESH_SETUP_USERSPACE_AUTH: Enable this option if an authentication
* daemon will be authenticating mesh candidates.
*
+ * @NL80211_MESH_SETUP_USERSPACE_AMPE: Enable this option if an authentication
+ * daemon will be securing peer link frames. AMPE is a secured version of Mesh
+ * Peering Management (MPM) and is implemented with the assistance of a
+ * userspace daemon. When this flag is set, the kernel will send peer
+ * management frames to a userspace daemon that will implement AMPE
+ * functionality (security capabilities selection, key confirmation, and key
+ * management). When the flag is unset (default), the kernel can autonomously
+ * complete (unsecured) mesh peering without the need of a userspace daemon.
+ *
* @NL80211_MESH_SETUP_ATTR_MAX: highest possible mesh setup attribute number
* @__NL80211_MESH_SETUP_ATTR_AFTER_LAST: Internal use
*/
@@ -1757,6 +1766,7 @@ enum nl80211_mesh_setup_params {
NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC,
NL80211_MESH_SETUP_IE,
NL80211_MESH_SETUP_USERSPACE_AUTH,
+ NL80211_MESH_SETUP_USERSPACE_AMPE,
/* keep last */
__NL80211_MESH_SETUP_ATTR_AFTER_LAST,
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index d30eada..5e4f87b 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -695,7 +695,8 @@ struct mesh_config {
* @path_metric: which metric to use
* @ie: vendor information elements (optional)
* @ie_len: length of vendor information elements
- * @is_secure: or not
+ * @is_authenticated: this mesh requires authentication
+ * @is_secure: this mesh uses security
*
* These parameters are fixed when the mesh is created.
*/
@@ -706,6 +707,7 @@ struct mesh_setup {
u8 path_metric;
const u8 *ie;
u8 ie_len;
+ bool is_authenticated;
bool is_secure;
};
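Review bot: The kernel-doc for the two flags in the struct mesh_setup hunk still does not say what each one enables; `@is_secure: this mesh uses security` is hardly more specific than the `or not` it replaces. Since is_authenticated is filled from NL80211_MESH_SETUP_USERSPACE_AUTH and is_secure from NL80211_MESH_SETUP_USERSPACE_AMPE in nl80211_parse_mesh_setup later in this patch, I would phrase them as `@is_authenticated: a userspace daemon authenticates mesh peer candidates` and `@is_secure: a userspace daemon secures peer link frames (AMPE)`. That makes the pairing with the nl80211 setup flags visible to driver authors reading cfg80211.h alone.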
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 12d52ce..7ea13d3 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1064,7 +1064,11 @@ static int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
memcpy(ifmsh->mesh_id, setup->mesh_id, ifmsh->mesh_id_len);
ifmsh->mesh_pp_id = setup->path_sel_proto;
ifmsh->mesh_pm_id = setup->path_metric;
- ifmsh->is_secure = setup->is_secure;
+ ifmsh->security = IEEE80211_MESH_SEC_NONE;
+ if (setup->is_authenticated)
+ ifmsh->security |= IEEE80211_MESH_SEC_AUTHED;
+ if (setup->is_secure)
+ ifmsh->security |= IEEE80211_MESH_SEC_SECURED;
return 0;
}
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 027c046..ec360fb 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -490,7 +490,11 @@ struct ieee80211_if_mesh {
bool accepting_plinks;
const u8 *ie;
u8 ie_len;
- bool is_secure;
+ enum {
+ IEEE80211_MESH_SEC_NONE = 0x0,
+ IEEE80211_MESH_SEC_AUTHED = 0x1,
+ IEEE80211_MESH_SEC_SECURED = 0x2,
+ } security;
};
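Review bot: The new security field is combined with `|=` in copy_mesh_setup, so it can hold 0x3, which is not one of the three enumerators of the anonymous enum it is declared with; that is legal C but loses the documentary value of the type and can trip enum-assignment warnings on some compilers. I would name the enumerators at file scope, e.g. `enum ieee80211_mesh_security { IEEE80211_MESH_SEC_NONE = 0x0, IEEE80211_MESH_SEC_AUTHED = 0x1, IEEE80211_MESH_SEC_SECURED = 0x2 };`, and declare the member as `u32 security; /* bitmask of IEEE80211_MESH_SEC_* */`. A named type can also appear in prototypes, which an enum nested in the struct cannot; the enclosing struct ieee80211_if_mesh starts before this hunk.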
#ifdef CONFIG_MAC80211_MESH
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index c1299e2..2a59eb3 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -574,7 +574,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
&elems);
/* ignore beacons from secure mesh peers if our security is off */
- if (elems.rsn_len && !sdata->u.mesh.is_secure)
+ if (elems.rsn_len && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE)
return;
if (elems.ds_params && elems.ds_params_len == 1)
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 84e5b05..87abf8d 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -251,7 +251,7 @@ void mesh_neighbour_update(u8 *hw_addr, u32 rates,
rcu_read_unlock();
/* Userspace handles peer allocation when security is enabled
* */
- if (sdata->u.mesh.is_secure)
+ if (sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
cfg80211_notify_new_peer_candidate(sdata->dev, hw_addr,
elems->ie_start, elems->total_len,
GFP_KERNEL);
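Review bot: The comment above the changed test is now stale: it says userspace handles peer allocation "when security is enabled", but the condition only checks IEEE80211_MESH_SEC_AUTHED, so a mesh configured with USERSPACE_AMPE but not USERSPACE_AUTH would, as far as this hunk shows, fall through to kernel-side allocation. I would update it to `/* Userspace handles peer allocation when userspace authentication is enabled */` so the comment and the condition stay in sync. mesh_neighbour_update starts and ends outside the hunk.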
@@ -460,7 +460,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
mpl_dbg("Mesh plink: missing necessary peer link ie\n");
return;
}
- if (elems.rsn_len && !sdata->u.mesh.is_secure) {
+ if (elems.rsn_len &&
+ sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) {
mpl_dbg("Mesh plink: can't establish link with secure peer\n");
return;
}
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0efa7fd..7c1c4de 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2840,6 +2840,7 @@ static const struct nla_policy
[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
.len = IEEE80211_MAX_DATA_LEN },
+ [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
};
static int nl80211_parse_mesh_config(struct genl_info *info,
@@ -2949,7 +2950,8 @@ static int nl80211_parse_mesh_setup(struct genl_info *info,
setup->ie = nla_data(ieattr);
setup->ie_len = nla_len(ieattr);
}
- setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
+ setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
+ setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
return 0;
}
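Review bot: Nothing here rejects NL80211_MESH_SETUP_USERSPACE_AMPE given without NL80211_MESH_SETUP_USERSPACE_AUTH, even though the new kernel-doc describes AMPE as the work of an authentication daemon. If I read the mesh_plink.c hunks right, that combination makes security non-NONE, so RSN-bearing beacons and plink frames are accepted, while mesh_neighbour_update only hands candidates to userspace when SEC_AUTHED is set, leaving the kernel to peer autonomously with peers that advertise security. I would validate the pair in nl80211_parse_mesh_setup right after the two assignments: `if (setup->is_secure && !setup->is_authenticated) return -EINVAL;` — or, if AMPE is meant to imply AUTH, set is_authenticated whenever the AMPE flag is present and say so in the nl80211.h doc. The head of nl80211_parse_mesh_setup is outside the hunk.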
--
1.7.1