[v3,1/2] mac80211: skip mpath lookup also for control port tx

Message ID 20200617082637.22670-2-markus.theil@tu-ilmenau.de (mailing list archive)
State Accepted
Delegated to: Johannes Berg
Series Fixes for 802.1X in mesh mode

Commit Message

Markus Theil June 17, 2020, 8:26 a.m. UTC
When using 802.1X over mesh networks, at first an ordinary
mesh peering is established, then the 802.1X EAPOL dialog
happens, afterwards an authenticated mesh peering exchange
(AMPE) happens, finally the peering is complete and we can
set the STA authorized flag.

As 802.1X is an intermediate step here and key material is
not yet exchanged for stations we have to skip mesh path lookup
for these EAPOL frames. Otherwise the already configured mesh
group encryption key would be used to send a mesh path request
which no one can decipher, because we didn't already establish
key material on both peers, like with SAE and directly using AMPE.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
---
 net/mac80211/tx.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

Comments

Johannes Berg June 25, 2020, 9:04 a.m. UTC | #1
Applied (at least tentatively, haven't run all the tests yet), but

> @@ -3933,6 +3933,7 @@ void __ieee80211_subif_start_xmit(struct sk_buff *skb,
>  	struct ieee80211_local *local = sdata->local;
>  	struct sta_info *sta;
>  	struct sk_buff *next;
> +	u32 ctrl_flags_adapted;

I removed this - the loop can only process fragments of the same frame
that should all be handled the same.
 
> -	if (proto == sdata->control_port_protocol)
> -		ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
> +	if (proto == sdata->control_port_protocol) {
> +		ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO |
> +			      IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP;
> +	}

And this doesn't need braces.

johannes

Patch

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e9ce658141f5..bd86f85a5b73 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3933,6 +3933,7 @@  void __ieee80211_subif_start_xmit(struct sk_buff *skb,
 	struct ieee80211_local *local = sdata->local;
 	struct sta_info *sta;
 	struct sk_buff *next;
+	u32 ctrl_flags_adapted;
 
 	if (unlikely(skb->len < ETH_HLEN)) {
 		kfree_skb(skb);
@@ -3996,8 +3997,12 @@  void __ieee80211_subif_start_xmit(struct sk_buff *skb,
 	skb_list_walk_safe(skb, skb, next) {
 		skb_mark_not_on_list(skb);
 
+		ctrl_flags_adapted = ctrl_flags;
+		if (sdata->control_port_protocol == skb->protocol)
+			ctrl_flags_adapted |= IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP;
+
 		skb = ieee80211_build_hdr(sdata, skb, info_flags,
-					  sta, ctrl_flags, cookie);
+					  sta, ctrl_flags_adapted, cookie);
 		if (IS_ERR(skb)) {
 			kfree_skb_list(next);
 			goto out;
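Review bot: The skb->protocol comparison and the ctrl_flags_adapted copy inside skb_list_walk_safe() are redone for every list entry, although the entries are pieces of one frame and will all get the same result, as the maintainer's reply also points out. Consider deciding once before the loop and OR-ing IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP into ctrl_flags directly, which also makes the new local declared in the first hunk unnecessary. A one-line comment saying that control port (EAPOL) frames bypass mesh path lookup because peer key material is not established yet would keep the security reason visible at the call site.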
@@ -5370,8 +5375,10 @@  int ieee80211_tx_control_port(struct wiphy *wiphy, struct net_device *dev,
 	    proto != cpu_to_be16(ETH_P_PREAUTH))
 		return -EINVAL;
 
-	if (proto == sdata->control_port_protocol)
-		ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
+	if (proto == sdata->control_port_protocol) {
+		ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO |
+			      IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP;
+	}
 
 	if (unencrypted)
 		flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
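Review bot: In ieee80211_tx_control_port() the skip flag is gated on proto == sdata->control_port_protocol, so a frame admitted by the preceding check as ETH_P_PREAUTH gets neither IEEE80211_TX_CTRL_PORT_CTRL_PROTO nor IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP unless that value is the configured control port protocol. Please say in a comment or in the commit message whether that is intended, and tie the new flag to the mesh 802.1X case the commit message describes. The braces around the single statement can be dropped, per kernel coding style.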