[PATCH] [updated] encodeext vs. encode codepaths

Jouni Malinen jkmaline
Mon Feb 20 20:31:41 PST 2006


On Mon, Feb 20, 2006 at 09:03:09PM -0500, Dan Williams wrote:

> Any status on this?  I'm carrying a variation of my most recent patch in
> the Fedora Core distribution's wpa_supplicant since it needs to reliably
> work with non-ENCODEEXT/non-AUTH drivers...  Seems to work OK at the
> moment.

I have not had a chance to really think about all the consequences of
this change. My main concern is in configuring some drivers to use "open
encryption" in the sense that they would allow unencrypted frames even
when configured to use WEP. I would assume this could happen, e.g., with
Host AP driver when built against a kernel that has WEXT v17 or older
(i.e., no SIOCSIWAUTH). Since this would be a potential security issue,
it is more important for me to make sure that that does not happen than
to fix auth_alg configuration for drivers that do not yet support
SIOCSIWAUTH. Anyway, I'm considering adding this change into the
development branch for some more testing.

Another area that I cannot justify is in modifying the driver interface
API for this kind of driver specific hack (driver meaning driver_wext.c,
not kernel driver). I certainly prefer the way of doing this without
breaking source level backwards compatibility (thanks for the updated
patch), but I would rather hide this all in driver_wext.c and not change
driver.h at all.

The driver interface API is one of the main APIs in the sense of it
being used by people that are not necessarily that familiar with
wpa_supplicant internals and I really want to keep it stable and clear.
In other words, I would like to have very good justification on adding
something to it in order to not confuse people with things that do not
really matter to any other driver interface.

I think that the changes you did can be implemented internally in
driver_wext.c. I haven't tested this yet, but the attached patch should
do the same as your change as far as driver_wext.c is concerned. How
does it look to you?

-- 
Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
Index: ChangeLog
===================================================================
RCS file: /home/jm/cvsroot/hostap/wpa_supplicant/ChangeLog,v
retrieving revision 1.264
diff -u -p -u -p -r1.264 ChangeLog
--- ChangeLog	20 Feb 2006 16:38:27 -0000	1.264
+++ ChangeLog	21 Feb 2006 04:12:14 -0000
@@ -5,6 +5,8 @@ ChangeLog for wpa_supplicant
 	  access for a network that has not enabled EAP-AKA
 	* fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in
 	  v0.5.1 due to the new support for expanded EAP types)
+	* driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg
+	  if the driver does not support SIOCSIWAUTH
 
 2006-01-29 - v0.5.1
 	* driver_test: added better support for multiple APs and STAs by using
Index: driver_wext.c
===================================================================
RCS file: /home/jm/cvsroot/hostap/wpa_supplicant/driver_wext.c,v
retrieving revision 1.52
diff -u -p -u -p -r1.52 driver_wext.c
--- driver_wext.c	30 Jan 2006 04:11:48 -0000	1.52
+++ driver_wext.c	21 Feb 2006 04:15:48 -0000
@@ -47,6 +47,10 @@ struct wpa_driver_wext_data {
 	struct wpa_driver_capa capa;
 	int has_capability;
 	int we_version_compiled;
+
+	/* for set_auth_alg fallback */
+	int use_crypt;
+	int auth_alg_fallback;
 };
 
 
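Review bot: The single comment above use_crypt and auth_alg_fallback does not say what each field holds or which function writes it. Going by the later hunks, use_crypt caches the last value passed to set_drop_unencrypted and auth_alg_fallback records that SIOCSIWAUTH failed with EOPNOTSUPP for AUTH_ALG; a per-field comment saying so would help. Both fields are also read in associate without any initialization visible in this patch, so state that the struct is zero-allocated or set them explicitly at init.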
@@ -69,7 +73,7 @@ static int wpa_driver_wext_set_auth_para
 		perror("ioctl[SIOCSIWAUTH]");
 		fprintf(stderr, "WEXT auth param %d value 0x%x - ",
 			idx, value);
-		ret = -1;
+		ret = errno == EOPNOTSUPP ? -2 : -1;
 	}
 
 	return ret;
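Review bot: errno is tested in the new `ret = errno == EOPNOTSUPP ? -2 : -1;` line only after perror() and fprintf() have run, and either call may change errno. Save errno into a local immediately after the failing ioctl and test that copy. The bare -2 is also a magic value that set_auth_alg later compares against; a named constant or a comment on this function documenting "-2 = not supported" would keep the two sites in sync.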
@@ -1455,6 +1459,7 @@ static int wpa_driver_wext_set_drop_unen
 {
 	struct wpa_driver_wext_data *drv = priv;
 	wpa_printf(MSG_DEBUG, "%s", __FUNCTION__);
+	drv->use_crypt = enabled;
 	return wpa_driver_wext_set_auth_param(drv, IW_AUTH_DROP_UNENCRYPTED,
 					      enabled);
 }
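Review bot: drv->use_crypt is written only here, so the fallback in associate silently depends on set_drop_unencrypted having been called for the current network before every association. If that call is skipped, a value left over from an earlier configuration decides between IW_ENCODE_DISABLED and the open/restricted flags. Document that ordering requirement next to the assignment, or reset the cached value when the network changes.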
@@ -1559,6 +1564,50 @@ static int wpa_driver_wext_keymgmt2wext(
 
 
 static int
+wpa_driver_wext_auth_alg_fallback(struct wpa_driver_wext_data *drv,
+				  struct wpa_driver_associate_params *params)
+{
+	struct iwreq iwr;
+	int ret = 0;
+
+	wpa_printf(MSG_DEBUG, "WEXT: Driver did not support "
+		   "SIOCSIWAUTH for AUTH_ALG, trying SIOCSIWENCODE");
+
+	memset(&iwr, 0, sizeof(iwr));
+	strncpy(iwr.ifr_name, drv->ifname, IFNAMSIZ);
+	/* Just changing mode, not actual keys */
+	iwr.u.encoding.flags = 0;
+	iwr.u.encoding.pointer = (caddr_t) NULL;
+	iwr.u.encoding.length = 0;
+
+	/*
+	 * Note: IW_ENCODE_{OPEN,RESTRICTED} can be interpreted to mean two
+	 * different things. Here they are used to indicate Open System vs.
+	 * Shared Key authentication algorithm. However, some drivers may use
+	 * them to select between open/restricted WEP encrypted (open = allow
+	 * both unencrypted and encrypted frames; restricted = only allow
+	 * encrypted frames).
+	 */
+
+	if (!drv->use_crypt) {
+		iwr.u.encoding.flags |= IW_ENCODE_DISABLED;
+	} else {
+		if (params->auth_alg & AUTH_ALG_OPEN_SYSTEM)
+			iwr.u.encoding.flags |= IW_ENCODE_OPEN;
+		if (params->auth_alg & AUTH_ALG_SHARED_KEY)
+			iwr.u.encoding.flags |= IW_ENCODE_RESTRICTED;
+	}
+
+	if (ioctl(drv->ioctl_sock, SIOCSIWENCODE, &iwr) < 0) {
+		perror("ioctl[SIOCSIWENCODE]");
+		ret = -1;
+	}
+
+	return ret;
+}
+
+
+static int
 wpa_driver_wext_associate(void *priv,
 			  struct wpa_driver_associate_params *params)
 {
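Review bot: In the else branch, IW_ENCODE_OPEN is sent while use_crypt is non-zero, which is exactly the ambiguous case the block comment describes: a driver that reads the flag as "open WEP" would accept unencrypted frames although dropping them was requested. The comment records the risk but the code does nothing about it; at minimum log the flags being sent at MSG_DEBUG so the resulting mode can be audited, and consider whether the open flag should be withheld when use_crypt is set. Two smaller points in the same branch: both flags are set together when auth_alg carries both bits, and when it carries neither the flags stay 0, whereas set_auth_alg defaults to IW_AUTH_ALG_OPEN_SYSTEM.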
@@ -1569,6 +1618,14 @@ wpa_driver_wext_associate(void *priv,
 
 	wpa_printf(MSG_DEBUG, "%s", __FUNCTION__);
 
+	/*
+	 * If the driver did not support SIOCSIWAUTH, fallback to
+	 * SIOCSIWENCODE here.
+	 */
+	if (drv->auth_alg_fallback &&
+	    wpa_driver_wext_auth_alg_fallback(drv, params) < 0)
+		ret = -1;
+
 	if (!params->bssid &&
 	    wpa_driver_wext_set_bssid(drv, NULL) < 0)
 		ret = -1;
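Review bot: The new `if (drv->auth_alg_fallback && ...)` test relies on a flag that is only written in set_auth_alg, so this branch is correct only if set_auth_alg ran for the current network before associate. The value then applied comes from params->auth_alg, not from the argument that triggered the fallback, and nothing here checks that the two agree. Extend the comment to state the required call order, or store the requested auth_alg alongside the flag and use that.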
@@ -1635,7 +1692,7 @@ wpa_driver_wext_associate(void *priv,
 static int wpa_driver_wext_set_auth_alg(void *priv, int auth_alg)
 {
 	struct wpa_driver_wext_data *drv = priv;
-	int algs = 0;
+	int algs = 0, res;
 
 	if (auth_alg & AUTH_ALG_OPEN_SYSTEM)
 		algs |= IW_AUTH_ALG_OPEN_SYSTEM;
@@ -1648,8 +1705,10 @@ static int wpa_driver_wext_set_auth_alg(
 		algs = IW_AUTH_ALG_OPEN_SYSTEM;
 	}
 
-	return wpa_driver_wext_set_auth_param(drv,
-					      IW_AUTH_80211_AUTH_ALG, algs);
+	res = wpa_driver_wext_set_auth_param(drv, IW_AUTH_80211_AUTH_ALG,
+					     algs);
+	drv->auth_alg_fallback = res == -2;
+	return res;
 }
 
 
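Review bot: The final `return res;` passes -2 back to the caller in the EOPNOTSUPP case even though the fallback has just been armed for associate. A caller that treats any negative return as failure will report an error for a case this patch handles; consider returning 0 when auth_alg_fallback is set, or document the -2 return in the function comment. Parenthesizing `(res == -2)` in the assignment would also make the intent easier to read.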


