+ Jouni On 26-4-2017 12:05, Arend van Spriel wrote: > Almost overlooked this one. Thanks for the hint, Johannes. > > On 4/26/2017 9:58 AM, Luca Coelho wrote: >> From: Avraham Stern <avraham.stern@xxxxxxxxx> >> >> Drivers that initiate roaming while being connected to a network that >> uses 802.1X authentication need to inform user space if 802.1X >> authentication is further required after roaming. >> For example, when using the Fast transition protocol, roaming within >> the mobility domain does not require new 802.1X authentication, but >> roaming to another mobility domain does. > > Not sure about the terminology here. Is "mobility domain" the same as > "ESS" which stands for extended service set as defined in 802.11 > standard. If so, I would prefer use of that term here. > >> In addition, some drivers may not support 802.1X authentication >> (so it has to be done in user space), while other drivers do. >> >> Add a flag to the roaming notification to indicate if user space is >> required to do 802.1X authentication after the roaming or not. >> This flag will only be used for networks that use 802.1X >> authentication. For networks that do not use 802.1X authentication it >> is assumed that no further action is required from user space after >> the roaming notification. >> >> Signed-off-by: Avraham Stern <avraham.stern@xxxxxxxxx> >> Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx> >> --- >> include/net/cfg80211.h | 4 ++++ >> include/uapi/linux/nl80211.h | 14 ++++++++++++++ >> net/wireless/nl80211.c | 4 +++- >> net/wireless/sme.c | 1 + >> 4 files changed, 22 insertions(+), 1 deletion(-) >> >> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h >> index 115f6fc5a34d..f9f4fde2dc09 100644 >> --- a/include/net/cfg80211.h >> +++ b/include/net/cfg80211.h 
>> @@ -5384,6 +5384,9 @@ cfg80211_connect_timeout(struct net_device *dev, >> const u8 *bssid, >> * @req_ie_len: association request IEs length >> * @resp_ie: association response IEs (may be %NULL) >> * @resp_ie_len: assoc response IEs length >> + * @authorized: true if the 802.1X authentication was done by the >> driver or is >> + * not needed (e.g., when Fast Transition protocol was used), false >> + * otherwise. Ignored for networks that don't use 802.1X >> authentication. > > It is not ignored in this patch so it is expected user-space behavior > you are describing, which is not really needed here in cfg80211 driver api. > >> */ >> struct cfg80211_roam_info { >> struct ieee80211_channel *channel; >> @@ -5393,6 +5396,7 @@ struct cfg80211_roam_info { >> size_t req_ie_len; >> const u8 *resp_ie; >> size_t resp_ie_len; >> + bool authorized; >> }; >> /** >> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h >> index 6095a6c4c412..7bdbce7c4147 100644 >> --- a/include/uapi/linux/nl80211.h >> +++ b/include/uapi/linux/nl80211.h 
>> @@ -546,6 +546,12 @@ >> * well to remain backwards compatible. >> * @NL80211_CMD_ROAM: request that the card roam (currently not >> implemented), > > Do we want to keep this comment about the request scenario. Is it likely > implemented soon/ever? > >> * sent as an event when the card/driver roamed by itself. >> + * When used as an event, and the driver roamed in a network that >> requires >> + * 802.1X authentication, %NL80211_ATTR_CONNECTION_AUTHORIZED >> should be set >> + * if the 802.1X authentication was done by the driver or if >> roaming was >> + * done using Fast Transition protocol (in which case 802.1X >> authentication >> + * is not needed). If %NL80211_ATTR_CONNECTION_AUTHORIZED is not set, >> + * user space is responsible for the 802.1X authentication. > > Would you consider using NL80211_ATTR_PORT_AUTHORIZED instead referring > to the 802.1X port entities. In wpa_supplicant the function mlme_event_connect() is used to process NL80211_CMD_CONNECT and NL80211_CMD_ROAM events. The latter is actually used for processing QCA vendor specific event, which passes a nlattr called authorized to the function. It is typed as u8: if (authorized && nla_get_u8(authorized)) { event.assoc_info.authorized = 1; wpa_printf(MSG_DEBUG, "nl80211: connection authorized"); } Not really a good argument, but choosing the same type for the new attribute would make supporting it relatively easy. Regards, Arend
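Review bot: in the kernel-doc added for @authorized (first include/net/cfg80211.h hunk), the closing sentence "Ignored for networks that don't use 802.1X authentication" describes what the consumer does rather than what a driver must supply, and the safe value is left unstated. The nl80211.h text in this same patch says user space performs 802.1X when the attribute is not set, so false is the fail-safe value. Suggest wording the comment so that a driver sets this to true only when it completed 802.1X itself or roamed using Fast Transition, and leaves it false in every other case.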
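Review bot: the new "bool authorized;" member at the end of struct cfg80211_roam_info (second include/net/cfg80211.h hunk) is only safe for existing callers if they zero the structure before filling it in, and nothing in the visible lines states that requirement. A caller that populates the struct field by field would pass an indeterminate value, and a stray true tells user space that no 802.1X exchange is needed. Suggest checking the current users of the struct and noting the zero-initialisation requirement next to the @authorized kernel-doc.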
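Review bot: the text added under @NL80211_CMD_ROAM in include/uapi/linux/nl80211.h says %NL80211_ATTR_CONNECTION_AUTHORIZED "should be set" without saying whether the attribute is a presence-only flag or carries a value, and the attribute's own definition is not among the quoted lines. The commit message calls it a flag, so the comment should state the type explicitly, letting user space know whether to test for presence or read a value. The rule that an absent attribute leaves 802.1X to user space is worth keeping as written, because a driver that never sets the attribute then still gets a full authentication.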