* [PATCH] ath10k: fix station authorization
From: Michal Kazior @ 2013-10-04 8:30 UTC
To: ath10k; +Cc: linux-wireless, Michal Kazior
Peer authorization should be delayed until
mac80211 says given station has transitioned into
authorized state.
The state is propagated from mac80211 for both
open and protected networks.
This should prevent data traffic to/from given
station until authorization completes. Until now
it was probably possible for unauthorized traffic
to pass leading to possible security issues.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
---
I've been keeping this patch in my closet apparently.
Tested briefly and seems there are no regressions.
drivers/net/wireless/ath/ath10k/mac.c | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 8684e03..0175d22 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -781,7 +781,6 @@ static void ath10k_peer_assoc_h_basic(struct ath10k *ar,
memcpy(arg->addr, sta->addr, ETH_ALEN);
arg->vdev_id = arvif->vdev_id;
arg->peer_aid = sta->aid;
- arg->peer_flags |= WMI_PEER_AUTH;
if (arvif->vdev_type == WMI_VDEV_TYPE_STA)
/*
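Review bot: the removal of `arg->peer_flags |= WMI_PEER_AUTH;` in ath10k_peer_assoc_h_basic() is unconditional, so it also applies on the `arvif->vdev_type == WMI_VDEV_TYPE_STA` path that follows in the context lines, not only to peers of an AP interface. After this change the only visible route back to an authorized peer is the WMI_PEER_AUTHORIZE call added in ath10k_sta_state(), so the commit message should say which vdev types and firmware versions were checked to honour that parameter; the follow-up in this thread reports that ping stops working against an AP once the patch is applied. If that cannot be confirmed for every case, consider dropping the flag only where the later parameter update is known to take effect.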
@@ -2603,6 +2602,32 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
if (ret)
ath10k_warn("Failed to disassociate station: %pM\n",
sta->addr);
+ } else if (old_state == IEEE80211_STA_ASSOC &&
+ new_state == IEEE80211_STA_AUTHORIZED) {
+ /*
+ * Authorization
+ */
+ ath10k_dbg(ATH10K_DBG_MAC, "mac sta %pM authorized\n",
+ sta->addr);
+
+ ret = ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr,
+ WMI_PEER_AUTHORIZE, 1);
+ if (ret)
+ ath10k_warn("Failed to authorize station: %pM\n",
+ sta->addr);
+ } else if (old_state == IEEE80211_STA_AUTHORIZED &&
+ new_state == IEEE80211_STA_ASSOC) {
+ /*
+ * De-Authorization
+ */
+ ath10k_dbg(ATH10K_DBG_MAC, "mac sta %pM de-authorized\n",
+ sta->addr);
+
+ ret = ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr,
+ WMI_PEER_AUTHORIZE, 0);
+ if (ret)
+ ath10k_warn("Failed to de-authorize station: %pM\n",
+ sta->addr);
}
mutex_unlock(&ar->conf_mutex);
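Review bot: in the de-authorization branch (IEEE80211_STA_AUTHORIZED to IEEE80211_STA_ASSOC), a failing `ath10k_wmi_peer_set_param(..., WMI_PEER_AUTHORIZE, 0)` is only reported through ath10k_warn(), which leaves the peer authorized in firmware while mac80211 already treats it as de-authorized. Since the stated goal is to keep unauthorized traffic from passing, this path should fail closed: make sure the error reaches the caller or the peer is otherwise blocked, instead of continuing after the warning. Both new warnings would also be more useful with the error code, for example `ath10k_warn("Failed to de-authorize station %pM: %d\n", sta->addr, ret);`.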
--
1.7.9.5
* Re: [PATCH] ath10k: fix station authorization
From: Kalle Valo @ 2013-10-08 18:55 UTC
To: Michal Kazior; +Cc: ath10k, linux-wireless
Michal Kazior <michal.kazior@tieto.com> writes:
> Peer authorization should be delayed until
> mac80211 says given station has transitioned into
> authorized state.
>
> The state is propagated from mac80211 for both
> open and protected networks.
>
> This should prevent data traffic to/from given
> station until authorization completes. Until now
> it was probably possible for unauthorized traffic
> to pass leading to possible security issues.
>
> Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Thanks, applied.
--
Kalle Valo
* Re: [PATCH] ath10k: fix station authorization
From: Kalle Valo @ 2013-10-08 19:09 UTC
To: Michal Kazior; +Cc: linux-wireless, ath10k
Kalle Valo <kvalo@qca.qualcomm.com> writes:
> Michal Kazior <michal.kazior@tieto.com> writes:
>
>> Peer authorization should be delayed until
>> mac80211 says given station has transitioned into
>> authorized state.
>>
>> The state is propagated from mac80211 for both
>> open and protected networks.
>>
>> This should prevent data traffic to/from given
>> station until authorization completes. Until now
>> it was probably possible for unauthorized traffic
>> to pass leading to possible security issues.
>>
>> Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
>
> Thanks, applied.
Actually I'll take this back. After this patch even ping doesn't work
with D-Link DIR-865L as AP using 10.1.389 firmware. So I have to drop
this patch.
--
Kalle Valo