Ticket #566: 566.patch

net80211/ieee80211_ioctl.h

@@ -591 +591 @@
-        IEEE80211_PARAM_EOSPDROP        = 57,   /* force uapsd EOSP drop (ap only) */
-        IEEE80211_PARAM_MARKDFS         = 58,   /* mark a dfs interference channel when found */
-        IEEE80211_PARAM_REGCLASS        = 59,   /* enable regclass ids in country IE */
+        IEEE80211_PARAM_DROPUNENC_EAPOL = 60,   /* drop unencrypted eapol frames */
-};
-
-#define SIOCG80211STATS                 (SIOCDEVPRIVATE+2)

net80211/ieee80211_wireless.c

@@ -2006 +2006 @@
-                }
-                switch (value) {
-                case IEEE80211_AUTH_WPA:        /* WPA w/ 802.1x */
-                        vap->iv_flags |= IEEE80211_F_PRIVACY;
-                        value = IEEE80211_AUTH_8021X;
-                        break;
-                case IEEE80211_AUTH_OPEN:       /* open */
-|IEEE80211_F_PRIVACY
+
-                        break;
-                case IEEE80211_AUTH_SHARED:     /* shared-key */
-                case IEEE80211_AUTH_AUTO:       /* auto */
-                case IEEE80211_AUTH_8021X:      /* 802.1x */
-                        vap->iv_flags &= ~IEEE80211_F_WPA;
-                        /* both require a key so mark the PRIVACY capability */
-                        vap->iv_flags |= IEEE80211_F_PRIVACY;
-                        break;
-                }
-                /* NB: authenticator attach/detach happens on state change */
@@ -2132 +2129 @@
-                else
-                        vap->iv_flags &= ~IEEE80211_F_DROPUNENC;
-                break;
+        case IEEE80211_PARAM_DROPUNENC_EAPOL:
+                if (value)
+                        IEEE80211_VAP_DROPUNENC_EAPOL_ENABLE(vap);
+                else
+                        IEEE80211_VAP_DROPUNENC_EAPOL_DISABLE(vap);
+                break;
-        case IEEE80211_PARAM_COUNTERMEASURES:
-                if (value) {
-                        if ((vap->iv_flags & IEEE80211_F_WPA) == 0)
@@ -2593 +2596 @@
-        case IEEE80211_PARAM_DROPUNENCRYPTED:
-                param[0] = (vap->iv_flags & IEEE80211_F_DROPUNENC) != 0;
-                break;
+        case IEEE80211_PARAM_DROPUNENC_EAPOL:
+                param[0] = IEEE80211_VAP_DROPUNENC_EAPOL(vap);
+                break;
-        case IEEE80211_PARAM_COUNTERMEASURES:
-                param[0] = (vap->iv_flags & IEEE80211_F_COUNTERM) != 0;
-                break;
@@ -3939 +3945 @@
-}
-
-
-/*
- * The exact meaning of the IW_AUTH_ALG_* values is a little unclear.
- * For example, wpa_supplicant uses IW_AUTH_ALG_OPEN_SYSTEM for WPA-PSK
- * APs, unless you happen to set the auth_alg=SHARED option in your config
- * file in which case it uses IW_AUTH_ALG_SHARED_KEY.  Fortunately,
- * neither makes a any difference to madwifi, so for now we ignore it.
- */
-static int
-siwauth_80211_auth_alg(struct net_device *dev,
-        struct iw_request_info *info, struct iw_param *erq, char *buf)
-{
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-}
-
-static int
@@ -3969 +3987 @@
-        return ieee80211_ioctl_setparam(dev, NULL, NULL, (char*)args);
-}
-
-/*
- * The wext API says that user space gets to decide whether EAPOL frames are 
- * supposed to be encrypted or in cleartext.  The code in WPA supplicant 
- * indicates that if the AP is using 802.1x authentication but not WPA for
- * key mgmt the eapol frames should be encrypted.  However, even if I set
- * up my AP (linkys WRT54G, fw 1.00.2) for that config, it sends eapol frames 
- * in the clear.  I'm uncertain whether my AP is violating the specification, 
- * or if wpa_supplicant is doing the wrong thing.  But if I let wpa_supplicant
- * tell madwifi to drop unencrypted eapol frames, it breaks the authentication.
- *
- * Thus, madwifi ignores this parameter.
- */
-static int
-siwauth_rx_unencrypted_eapol(struct net_device *dev,
-        struct iw_request_info *info, struct iw_param *erq, char *buf)
-{
-
+
+
+
+
+
+
+
+
+
+
-}
-
-static int
@@ -4765 +4780 @@
-          IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, 0, "regclass" },
-        { IEEE80211_PARAM_REGCLASS,
-          0, IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, "get_regclass" },
+        { IEEE80211_PARAM_DROPUNENC_EAPOL,
+          IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, 0, "dropunenceapol" },
+        { IEEE80211_PARAM_DROPUNENC_EAPOL,
+          0, IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, "get_dropunencea" },
-        /*
-         * NB: these should be roamrssi* etc, but iwpriv usurps all
-         *     strings that start with roam!

net80211/ieee80211_input.c

@@ -118 +118 @@
-static void ieee80211_send_error(struct ieee80211_node *, const u_int8_t *,
-        int, int);
-static void ieee80211_recv_pspoll(struct ieee80211_node *, struct sk_buff *);
+static int accept_data_frame(struct ieee80211vap *, struct ieee80211_node *,
+        struct ieee80211_key *, struct sk_buff *, struct ether_header *);
-
+
-#ifdef ATH_SUPERG_FF
-static void athff_decap(struct sk_buff *);
-#endif
@@ -669 +672 @@
-                        goto err;
-                }
-                eh = (struct ether_header *) skb->data;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-                vap->iv_devstats.rx_packets++;
-                vap->iv_devstats.rx_bytes += skb->len;
-                IEEE80211_NODE_STAT(ni, rx_data);
@@ -859 +832 @@
-}
-EXPORT_SYMBOL(ieee80211_input);
-
+
-/*
+ * Determines whether a frame should be accepted, based on information
+ * about the frame's origin and encryption, and policy for this vap.
+ */
+static int accept_data_frame(struct ieee80211vap *vap,
+       struct ieee80211_node *ni, struct ieee80211_key *key,
+       struct sk_buff *skb, struct ether_header *eh)
+{
+#define IS_EAPOL(eh) ((eh)->ether_type == __constant_htons(ETHERTYPE_PAE))
+#define PAIRWISE_SET(vap) ((vap)->iv_nw_keys[0].wk_cipher != &ieee80211_cipher_none)
+       if (IS_EAPOL(eh)) {
+               /* encrypted eapol is always OK */
+               if (key)
+                       return 1;
+               /* cleartext eapol is OK if we don't have pairwise keys yet */
+               if (! PAIRWISE_SET(vap))
+                       return 1;
+               /* cleartext eapol is OK if configured to allow it */
+               if (! IEEE80211_VAP_DROPUNENC_EAPOL(vap))
+                       return 1;
+               /* cleartext eapol is OK if other unencrypted is OK */
+               if (! (vap->iv_flags & IEEE80211_F_DROPUNENC))
+                       return 1;
+               /* not OK */
+               vap->iv_stats.is_rx_unauth++;
+               vap->iv_devstats.rx_errors++;
+               IEEE80211_NODE_STAT(ni, rx_unauth);
+               return 0;
+       }
+
+       if (!ieee80211_node_is_authorized(ni)) {
+               /*
+                * Deny any non-PAE frames received prior to
+                * authorization.  For open/shared-key
+                * authentication the port is mark authorized
+                * after authentication completes.  For 802.1x
+                * the port is not marked authorized by the
+                * authenticator until the handshake has completed.
+                */
+               IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
+                       eh->ether_shost, "data",
+                       "unauthorized port: ether type 0x%x len %u",
+                       eh->ether_type, skb->len);
+               vap->iv_stats.is_rx_unauth++;
+               vap->iv_devstats.rx_errors++;
+               IEEE80211_NODE_STAT(ni, rx_unauth);
+               return 0;
+       } else {
+               /*
+                * When denying unencrypted frames, discard
+                * any non-PAE frames received without encryption.
+                */
+               if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && key == NULL) {
+                       IEEE80211_NODE_STAT(ni, rx_unencrypted);
+                       return 0;
+               }
+       }
+       return 1;
+
+#undef IS_EAPOL
+#undef PAIRWISE_SET
+}
+
+
+/*
- * Context: softIRQ (tasklet)
- */
-int

net80211/ieee80211_var.h

@@ -450 +450 @@
-#define IEEE80211_FEXT_REGCLASS 0x00000100      /* CONF: send regclassids in country ie */
-#define IEEE80211_FEXT_ERPUPDATE 0x00000200     /* STATUS: update ERP element */
-#define IEEE80211_FEXT_SWBMISS 0x00000400       /* CONF: use software beacon timer */
+#define IEEE80211_FEXT_DROPUNENC_EAPOL 0x00000800      /* CONF: drop unencrypted eapol frames */
-
-#define IEEE80211_COM_UAPSD_ENABLE(_ic)         ((_ic)->ic_flags_ext |= IEEE80211_FEXT_UAPSD)
-#define IEEE80211_COM_UAPSD_DISABLE(_ic)        ((_ic)->ic_flags_ext &= ~IEEE80211_FEXT_UAPSD)
@@ -467 +468 @@
-#define IEEE80211_VAP_EOSPDROP_ENABLE(_v)  ((_v)->iv_flags_ext |= IEEE80211_FEXT_EOSPDROP)
-#define IEEE80211_VAP_EOSPDROP_DISABLE(_v) ((_v)->iv_flags_ext &= ~IEEE80211_FEXT_EOSPDROP)
-#define IEEE80211_VAP_EOSPDROP_ENABLED(_v) ((_v)->iv_flags_ext & IEEE80211_FEXT_EOSPDROP)
+#define IEEE80211_VAP_DROPUNENC_EAPOL_ENABLE(_v)  ((_v)->iv_flags_ext |= IEEE80211_FEXT_DROPUNENC_EAPOL)
+#define IEEE80211_VAP_DROPUNENC_EAPOL_DISABLE(_v) ((_v)->iv_flags_ext &= ~IEEE80211_FEXT_DROPUNENC_EAPOL)
+#define IEEE80211_VAP_DROPUNENC_EAPOL(_v) ((_v)->iv_flags_ext & IEEE80211_FEXT_DROPUNENC_EAPOL)
-
+
-/* ic_caps */
-#define IEEE80211_C_WEP         0x00000001      /* CAPABILITY: WEP available */
-#define IEEE80211_C_TKIP        0x00000002      /* CAPABILITY: TKIP available */