[nrf fromlist] drivers: wifi: nrf_wifi: Add per-peer authorized flag

Add per-peer authorized parameter. Port authorization command
from supplicant will set this flag and will be used by driver
to allow or nor allow data traffic.

Upstream PR #: 97183

Signed-off-by: Ravi Dondaputi <[email protected]>
(cherry picked from commit 82fdbd1)

Author: rado17

drivers/wifi/nrf_wifi/inc/fmac_main.h

@@ -75,7 +75,7 @@ struct nrf_wifi_vif_ctx_zep {
 #endif /* CONFIG_NET_STATISTICS_ETHERNET_VENDOR */
 	struct net_stats_eth eth_stats;
 #endif /* CONFIG_NET_STATISTICS_ETHERNET */
-#if defined(CONFIG_NRF70_STA_MODE) || defined(CONFIG_NRF70_RAW_DATA_RX)
+#if defined(CONFIG_NRF70_STA_MODE) || defined(CONFIG_NRF70_RAW_DATA_TX)
 	bool authorized;
 #endif
 #ifdef CONFIG_NRF70_STA_MODE
@@ -154,6 +154,8 @@ void configure_tx_pwr_settings(struct nrf_wifi_tx_pwr_ctrl_params *tx_pwr_ctrl_p
 void configure_board_dep_params(struct nrf_wifi_board_params *board_params);
 void set_tx_pwr_ceil_default(struct nrf_wifi_tx_pwr_ceil_params *pwr_ceil_params);
 const char *nrf_wifi_get_drv_version(void);
+char *nrf_wifi_sprint_ll_addr_buf(const uint8_t *ll, uint8_t ll_len,
+				   char *buf, int buflen);
 enum nrf_wifi_status nrf_wifi_fmac_dev_add_zep(struct nrf_wifi_drv_priv_zep *drv_priv_zep);
 enum nrf_wifi_status nrf_wifi_fmac_dev_rem_zep(struct nrf_wifi_drv_priv_zep *drv_priv_zep);
 struct nrf_wifi_vif_ctx_zep *nrf_wifi_get_vif_ctx(struct net_if *iface);

drivers/wifi/nrf_wifi/src/fmac_main.c

@@ -114,6 +114,61 @@ static const unsigned int rx3_buf_sz = 1000;
 struct nrf_wifi_drv_priv_zep rpu_drv_priv_zep;
 static K_MUTEX_DEFINE(reg_lock);
 
+/**
+ * @brief Format a link layer address to a string buffer.
+ *
+ * @param ll Pointer to the link layer address bytes.
+ * @param ll_len Length of the link layer address (typically 6 for MAC).
+ * @param buf Buffer to store the formatted string.
+ * @param buflen Size of the buffer.
+ *
+ * @return Pointer to the buffer on success, NULL on failure.
+ */
+char *nrf_wifi_sprint_ll_addr_buf(const uint8_t *ll, uint8_t ll_len,
+				   char *buf, int buflen)
+{
+	uint8_t i, len, blen;
+	char *ptr = buf;
+
+	if (ll == NULL) {
+		return "<unknown>";
+	}
+
+	switch (ll_len) {
+	case 8:
+		len = 8U;
+		break;
+	case 6:
+		len = 6U;
+		break;
+	case 2:
+		len = 2U;
+		break;
+	default:
+		len = 6U;
+		break;
+	}
+
+	for (i = 0U, blen = buflen; i < len && blen > 0; i++) {
+		uint8_t high = (ll[i] >> 4) & 0x0f;
+		uint8_t low = ll[i] & 0x0f;
+
+		*ptr++ = (high < 10) ? (char)(high + '0') :
+			 (char)(high - 10 + 'A');
+		*ptr++ = (low < 10) ? (char)(low + '0') :
+			 (char)(low - 10 + 'A');
+		*ptr++ = ':';
+		blen -= 3U;
+	}
+
+	if (!(ptr - buf)) {
+		return NULL;
+	}
+
+	*(ptr - 1) = '\0';
+	return buf;
+}
+
 const char *nrf_wifi_get_drv_version(void)
 {
 	return NRF70_DRIVER_VERSION;

drivers/wifi/nrf_wifi/src/net_if.c

@@ -25,14 +25,12 @@ LOG_MODULE_DECLARE(wifi_nrf, CONFIG_WIFI_NRF70_LOG_LEVEL);
 
 #include "util.h"
 #include "common/fmac_util.h"
+#include "system/fmac_peer.h"
 #include "shim.h"
 #include "fmac_main.h"
 #include "wpa_supp_if.h"
 #include "net_if.h"
 
-extern char *net_sprint_ll_addr_buf(const uint8_t *ll, uint8_t ll_len,
-				    char *buf, int buflen);
-
 #ifdef CONFIG_NRF70_STA_MODE
 static struct net_if_mcast_monitor mcast_monitor;
 #endif /* CONFIG_NRF70_STA_MODE */
@@ -388,6 +386,9 @@ int nrf_wifi_if_send(const struct device *dev,
 	struct rpu_host_stats *host_stats = NULL;
 	void *nbuf = NULL;
 	bool locked = false;
+	unsigned char *ra = NULL;
+	int peer_id = -1;
+	bool authorized;
 
 	if (!dev || !pkt) {
 		LOG_ERR("%s: vif_ctx_zep is NULL", __func__);
@@ -436,12 +437,30 @@ int nrf_wifi_if_send(const struct device *dev,
 						      nbuf);
 	} else {
 #endif /* CONFIG_NRF70_RAW_DATA_TX */
+
+		ra = nrf_wifi_util_get_ra(sys_dev_ctx->vif_ctx[vif_ctx_zep->vif_idx], nbuf);
+		peer_id = nrf_wifi_fmac_peer_get_id(rpu_ctx_zep->rpu_ctx, ra);
+		if (peer_id == -1) {
+			char ra_buf[18] = {0};
+
+			LOG_ERR("%s: Got packet for unknown PEER: %s", __func__,
+				nrf_wifi_sprint_ll_addr_buf(ra, 6, ra_buf,
+							    sizeof(ra_buf)));
+			goto drop;
+		}
+
+		/* VIF or per-peer depending on RA */
+		if (peer_id == MAX_PEERS) {
+			authorized = vif_ctx_zep->authorized;
+		} else {
+			authorized = sys_dev_ctx->tx_config.peers[peer_id].authorized;
+		}
+
 		if ((vif_ctx_zep->if_carr_state != NRF_WIFI_FMAC_IF_CARR_STATE_ON) ||
-		    (!vif_ctx_zep->authorized && !is_eapol(pkt))) {
+		    (!authorized && !is_eapol(pkt))) {
 			ret = -EPERM;
 			goto drop;
 		}
-
 		ret = nrf_wifi_fmac_start_xmit(rpu_ctx_zep->rpu_ctx,
 					       vif_ctx_zep->vif_idx,
 					       nbuf);
@@ -484,7 +503,6 @@ static void ip_maddr_event_handler(struct net_if *iface,
 	struct net_eth_addr mac_addr;
 	struct nrf_wifi_umac_mcast_cfg *mcast_info = NULL;
 	enum nrf_wifi_status status;
-	uint8_t mac_string_buf[sizeof("xx:xx:xx:xx:xx:xx")];
 	struct nrf_wifi_ctx_zep *rpu_ctx_zep = NULL;
 	int ret;
 
@@ -540,12 +558,15 @@ static void ip_maddr_event_handler(struct net_if *iface,
 					      vif_ctx_zep->vif_idx,
 					      mcast_info);
 	if (status == NRF_WIFI_STATUS_FAIL) {
+		char mac_string_buf[sizeof("xx:xx:xx:xx:xx:xx")];
+
 		LOG_ERR("%s: nrf_wifi_fmac_set_multicast failed	for"
 			" mac addr=%s",
 			__func__,
-			net_sprint_ll_addr_buf(mac_addr.addr,
-					       WIFI_MAC_ADDR_LEN, mac_string_buf,
-					       sizeof(mac_string_buf)));
+			nrf_wifi_sprint_ll_addr_buf(mac_addr.addr,
+						   WIFI_MAC_ADDR_LEN,
+						   mac_string_buf,
+						   sizeof(mac_string_buf)));
 	}
 unlock:
 	nrf_wifi_osal_mem_free(mcast_info);

drivers/wifi/nrf_wifi/src/wifi_mgmt.c

@@ -18,6 +18,7 @@
 #include "system/fmac_api.h"
 #include "system/fmac_tx.h"
 #include "common/fmac_util.h"
+#include "common/fmac_structs_common.h"
 #include "fmac_main.h"
 #include "wifi_mgmt.h"
 
@@ -757,6 +758,8 @@ int nrf_wifi_mode(const struct device *dev,
 	struct nrf_wifi_vif_ctx_zep *vif_ctx_zep = NULL;
 	struct nrf_wifi_fmac_dev_ctx *fmac_dev_ctx = NULL;
 	struct nrf_wifi_sys_fmac_dev_ctx *sys_dev_ctx = NULL;
+	struct peers_info *peer = NULL;
+	int i = 0;
 	int ret = -1;
 
 	if (!dev || !mode) {
@@ -798,10 +801,16 @@ int nrf_wifi_mode(const struct device *dev,
 			goto out;
 		}
 
-		if (vif_ctx_zep->authorized && (mode->mode == NRF_WIFI_MONITOR_MODE)) {
-			LOG_ERR("%s: Cannot set monitor mode when station is connected",
-				__func__);
-			goto out;
+		for (i = 0; i < MAX_PEERS; i++) {
+			peer = &sys_dev_ctx->tx_config.peers[i];
+			if (peer->peer_id == -1) {
+				continue;
+			}
+			if (peer->authorized && (mode->mode == NRF_WIFI_MONITOR_MODE)) {
+				LOG_ERR("%s: Cannot set monitor mode when station is connected",
+					__func__);
+					goto out;
+			}
 		}
 
 		/**
@@ -851,6 +860,8 @@ int nrf_wifi_channel(const struct device *dev,
 	struct nrf_wifi_vif_ctx_zep *vif_ctx_zep = NULL;
 	struct nrf_wifi_sys_fmac_dev_ctx *sys_dev_ctx = NULL;
 	struct nrf_wifi_fmac_dev_ctx *fmac_dev_ctx = NULL;
+	struct peers_info *peer = NULL;
+	int i = 0;
 	int ret = -1;
 
 	if (!dev || !channel) {
@@ -864,9 +875,16 @@ int nrf_wifi_channel(const struct device *dev,
 		return ret;
 	}
 
-	if (vif_ctx_zep->authorized) {
-		LOG_ERR("%s: Cannot change channel when in station connected mode", __func__);
-		return ret;
+	for (i = 0; i < MAX_PEERS; i++) {
+		peer = &sys_dev_ctx->tx_config.peers[i];
+		if (peer->peer_id == -1) {
+			continue;
+		}
+		if (peer->authorized) {
+			LOG_ERR("%s: Cannot change channel when in station connected mode",
+				__func__);
+			return ret;
+		}
 	}
 
 	rpu_ctx_zep = vif_ctx_zep->rpu_ctx_zep;

drivers/wifi/nrf_wifi/src/wpa_supp_if.c

@@ -17,6 +17,7 @@
 #include "common/fmac_util.h"
 #include "wifi_mgmt.h"
 #include "wpa_supp_if.h"
+#include <system/fmac_peer.h>
 
 LOG_MODULE_DECLARE(wifi_nrf, CONFIG_WIFI_NRF70_LOG_LEVEL);
 
@@ -1107,6 +1108,7 @@ int nrf_wifi_wpa_set_supp_port(void *if_priv, int authorized, char *bssid)
 	struct nrf_wifi_vif_ctx_zep *vif_ctx_zep = NULL;
 	struct nrf_wifi_umac_chg_sta_info chg_sta_info;
 	struct nrf_wifi_ctx_zep *rpu_ctx_zep = NULL;
+	struct nrf_wifi_sys_fmac_dev_ctx *sys_dev_ctx;
 	enum nrf_wifi_status status = NRF_WIFI_STATUS_FAIL;
 	int ret = -1;
 
@@ -1128,6 +1130,12 @@ int nrf_wifi_wpa_set_supp_port(void *if_priv, int authorized, char *bssid)
 		goto out;
 	}
 
+	sys_dev_ctx = wifi_dev_priv(rpu_ctx_zep->rpu_ctx);
+	if (!sys_dev_ctx) {
+		LOG_ERR("%s: sys_dev_ctx is NULL", __func__);
+		goto out;
+	}
+
 	if (vif_ctx_zep->if_op_state != NRF_WIFI_FMAC_IF_OP_STATE_UP) {
 		LOG_DBG("%s: Interface not UP, ignoring", __func__);
 		ret = 0;
@@ -1139,7 +1147,6 @@ int nrf_wifi_wpa_set_supp_port(void *if_priv, int authorized, char *bssid)
 	memcpy(chg_sta_info.mac_addr, bssid, ETH_ALEN);
 
 	vif_ctx_zep->authorized = authorized;
-
 	if (authorized) {
 		/* BIT(NL80211_STA_FLAG_AUTHORIZED) */
 		chg_sta_info.sta_flags2.nrf_wifi_mask = 1 << 1;
@@ -1157,6 +1164,10 @@ int nrf_wifi_wpa_set_supp_port(void *if_priv, int authorized, char *bssid)
 		goto out;
 	}
 
+	if (vif_ctx_zep->if_type == NRF_WIFI_IFTYPE_STATION) {
+		sys_dev_ctx->tx_config.peers[0].authorized = authorized;
+	}
+
 	ret = 0;
 out:
 	k_mutex_unlock(&vif_ctx_zep->vif_lock);
@@ -2989,8 +3000,11 @@ int nrf_wifi_wpa_supp_sta_set_flags(void *if_priv, const u8 *addr,
 	struct nrf_wifi_vif_ctx_zep *vif_ctx_zep = NULL;
 	struct nrf_wifi_umac_chg_sta_info chg_sta = {0};
 	struct nrf_wifi_ctx_zep *rpu_ctx_zep = NULL;
+	struct nrf_wifi_sys_fmac_dev_ctx *sys_dev_ctx = NULL;
 	enum nrf_wifi_status status = NRF_WIFI_STATUS_FAIL;
+	int peer_id = -1;
 	int ret = -1;
+	char buf[18] = {0};
 
 	if (!if_priv || !addr) {
 		LOG_ERR("%s: Invalid params", __func__);
@@ -3012,18 +3026,46 @@ int nrf_wifi_wpa_supp_sta_set_flags(void *if_priv, const u8 *addr,
 
 	memcpy(chg_sta.mac_addr, addr, sizeof(chg_sta.mac_addr));
 
+	if (!net_eth_is_addr_valid((struct net_eth_addr *)&chg_sta.mac_addr)) {
+		LOG_ERR("%s: Invalid peer MAC address: %s", __func__,
+			nrf_wifi_sprint_ll_addr_buf(chg_sta.mac_addr, 6, buf,
+						    sizeof(buf)));
+		goto out;
+	}
+
+	peer_id = nrf_wifi_fmac_peer_get_id(rpu_ctx_zep->rpu_ctx, chg_sta.mac_addr);
+	if (peer_id == -1) {
+		LOG_ERR("%s: Unknown PEER: %s", __func__,
+			nrf_wifi_sprint_ll_addr_buf(chg_sta.mac_addr, 6, buf,
+						    sizeof(buf)));
+		goto out;
+	}
+
+	if (peer_id == MAX_PEERS) {
+		LOG_ERR("%s: Invalid PEER (group): %s", __func__,
+			nrf_wifi_sprint_ll_addr_buf(chg_sta.mac_addr, 6, buf,
+						    sizeof(buf)));
+		goto out;
+	}
+
 	chg_sta.sta_flags2.nrf_wifi_mask = nrf_wifi_sta_flags_to_nrf(flags_or | ~flags_and);
 	chg_sta.sta_flags2.nrf_wifi_set = nrf_wifi_sta_flags_to_nrf(flags_or);
 
 	LOG_DBG("%s %x, %x", __func__,
 		chg_sta.sta_flags2.nrf_wifi_set, chg_sta.sta_flags2.nrf_wifi_mask);
 
-	status = nrf_wifi_sys_fmac_chg_sta(rpu_ctx_zep->rpu_ctx, vif_ctx_zep->vif_idx, &chg_sta);
+	status = nrf_wifi_sys_fmac_chg_sta(rpu_ctx_zep->rpu_ctx,
+		vif_ctx_zep->vif_idx, &chg_sta);
 	if (status != NRF_WIFI_STATUS_SUCCESS) {
 		LOG_ERR("%s: nrf_wifi_sys_fmac_chg_sta failed", __func__);
 		goto out;
 	}
 
+	sys_dev_ctx = wifi_dev_priv(rpu_ctx_zep->rpu_ctx);
+
+	sys_dev_ctx->tx_config.peers[peer_id].authorized =
+		!!(chg_sta.sta_flags2.nrf_wifi_set & NRF_WIFI_STA_FLAG_AUTHORIZED);
+
 	ret = 0;
 
 out: