
[5/6] cfg80211: add support for SAE authentication offload

Message ID 1546582221-143220-5-git-send-email-chi-hsien.lin@cypress.com (mailing list archive)
State Changes Requested
Delegated to: Johannes Berg
Series [1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event | expand

Commit Message

Chi-Hsien Lin Jan. 4, 2019, 6:11 a.m. UTC
From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Let drivers advertise support for station-mode SAE authentication
offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/linux/ieee80211.h    |  1 +
 include/net/cfg80211.h       |  5 +++++
 include/uapi/linux/nl80211.h | 16 ++++++++++++++++
 net/wireless/nl80211.c       | 14 ++++++++++++++
 4 files changed, 36 insertions(+)

Comments

Marcel Holtmann Jan. 4, 2019, 9:26 a.m. UTC | #1
Hi,

> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
> include/linux/ieee80211.h    |  1 +
> include/net/cfg80211.h       |  5 +++++
> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> net/wireless/nl80211.c       | 14 ++++++++++++++
> 4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> #define FILS_ERP_MAX_RRK_LEN		64
> 
> #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
> 
> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>  *	CFG80211_MAX_WEP_KEYS WEP keys
>  * @wep_tx_key: key index (0..3) of the default TX static WEP key
>  * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>  */
> struct cfg80211_crypto_settings {
> 	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> 	struct key_params *wep_keys;
> 	int wep_tx_key;
> 	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;
> };
> 
> /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>  */
> 
> /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>  * enum nl80211_commands - supported nl80211 commands
>  *
>  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>  *
>  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>  *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>  *
>  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>  *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> 	NL80211_ATTR_FTM_RESPONDER,
> 
> 	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,
> 
> 	NL80211_ATTR_TIMEOUT,

so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:

	/* add attributes here, update the policy in nl80211.c */

More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

Regards

Marcel
Arend Van Spriel Jan. 4, 2019, 11:10 a.m. UTC | #2
On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   include/linux/ieee80211.h    |  1 +
>   include/net/cfg80211.h       |  5 +++++
>   include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>   net/wireless/nl80211.c       | 14 ++++++++++++++
>   4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>   #define FILS_ERP_MAX_RRK_LEN		64
>   
>   #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
>   
>   /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>   enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>    *	CFG80211_MAX_WEP_KEYS WEP keys
>    * @wep_tx_key: key index (0..3) of the default TX static WEP key
>    * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>    */
>   struct cfg80211_crypto_settings {
>   	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>   	struct key_params *wep_keys;
>   	int wep_tx_key;
>   	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;

No real need for u16 as the max length is defined earlier as 128.

>   };
>   
>   /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>    */
>   
>   /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>    * enum nl80211_commands - supported nl80211 commands
>    *
>    * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>    *
>    * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>    *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>    *
>    * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>    *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>   	NL80211_ATTR_FTM_RESPONDER,
>   
>   	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,

Marcel already commented on this. These enumerations are ABI. You should 
also change the nl80211_policy to assure the max length 
SAE_PASSWORD_MAX_LEN is not exceeded.

Gr. AvS
Chung-Hsien Hsu May 9, 2019, 9:02 a.m. UTC | #3
On Fri, Jan 04, 2019 at 12:10:01PM +0100, Arend Van Spriel wrote:
> On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> >From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >
> >Let drivers advertise support for station-mode SAE authentication
> >offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
>
> When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

Thanks for the comment. Will change it in V2.

>
> >Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> >---
> >  include/linux/ieee80211.h    |  1 +
> >  include/net/cfg80211.h       |  5 +++++
> >  include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> >  net/wireless/nl80211.c       | 14 ++++++++++++++
> >  4 files changed, 36 insertions(+)
> >
> >diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> >index 3b04e72315e1..37d3e655e547 100644
> >--- a/include/linux/ieee80211.h
> >+++ b/include/linux/ieee80211.h
> >@@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> >  #define FILS_ERP_MAX_RRK_LEN64
> >  #define PMK_MAX_LEN64
> >+#define SAE_PASSWORD_MAX_LEN128
> >  /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> >  enum ieee80211_pub_actioncode {
> >diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> >index e0c41eb1c860..5809dac97b33 100644
> >--- a/include/net/cfg80211.h
> >+++ b/include/net/cfg80211.h
> >@@ -740,6 +740,9 @@ struct survey_info {
> >   *CFG80211_MAX_WEP_KEYS WEP keys
> >   * @wep_tx_key: key index (0..3) of the default TX static WEP key
> >   * @psk: PSK (for devices supporting 4-way-handshake offload)
> >+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
> >+ *offload)
> >+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
> >   */
> >  struct cfg80211_crypto_settings {
> >  u32 wpa_versions;
> >@@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> >  struct key_params *wep_keys;
> >  int wep_tx_key;
> >  const u8 *psk;
> >+const u8 *sae_pwd;
> >+u16 sae_pwd_len;
>
> Not really need u16 as max length is defined earlier as 128.

It will be changed to u8 in V2.

>
> >  };
> >  /**
> >diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> >index 12762afb3a07..4840aaed39ba 100644
> >--- a/include/uapi/linux/nl80211.h
> >+++ b/include/uapi/linux/nl80211.h
> >@@ -235,6 +235,15 @@
> >   */
> >  /**
> >+ * DOC: SAE authentication offload
> >+ *
> >+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> >+ * support offloading SAE authentication for WPA3-Personal networks. In
> >+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
> >+ * %NL80211_ATTR_SAE_PASSWORD.
> >+ */
> >+
> >+/**
> >   * enum nl80211_commands - supported nl80211 commands
> >   *
> >   * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> >@@ -2288,6 +2297,9 @@ enum nl80211_commands {
> >   *
> >   * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
> >   *statistics, see &enum nl80211_ftm_responder_stats.
> >+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> >+ *is used with %NL80211_CMD_CONNECT to provide password for offloading
> >+ *SAE authentication for WPA3-Personal networks.
> >   *
> >   * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
> >   *if the attribute is not given no timeout is requested. Note that 0 is an
> >@@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> >  NL80211_ATTR_FTM_RESPONDER,
> >  NL80211_ATTR_FTM_RESPONDER_STATS,
> >+NL80211_ATTR_SAE_PASSWORD,
>
> Marcel already commented on this. These enumerations are ABI. You
> should also change the nl80211_policy to assure the max length
> SAE_PASSWORD_MAX_LEN is not exceeded.

It will be moved to the bottom. The corresponding change in
nl80211_policy has been made.

Regards,
Chung-Hsien

>
> Gr. AvS

Chung-Hsien Hsu May 9, 2019, 9:21 a.m. UTC | #4
On Fri, Jan 04, 2019 at 10:26:33AM +0100, Marcel Holtmann wrote:
> Hi,
>
> > Let drivers advertise support for station-mode SAE authentication
> > offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> >
> > Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> > Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> > ---
> > include/linux/ieee80211.h    |  1 +
> > include/net/cfg80211.h       |  5 +++++
> > include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> > net/wireless/nl80211.c       | 14 ++++++++++++++
> > 4 files changed, 36 insertions(+)
> >
> > diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> > index 3b04e72315e1..37d3e655e547 100644
> > --- a/include/linux/ieee80211.h
> > +++ b/include/linux/ieee80211.h
> > @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> > #define FILS_ERP_MAX_RRK_LEN64
> >
> > #define PMK_MAX_LEN64
> > +#define SAE_PASSWORD_MAX_LEN128
> >
> > /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> > enum ieee80211_pub_actioncode {
> > diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> > index e0c41eb1c860..5809dac97b33 100644
> > --- a/include/net/cfg80211.h
> > +++ b/include/net/cfg80211.h
> > @@ -740,6 +740,9 @@ struct survey_info {
> >  *CFG80211_MAX_WEP_KEYS WEP keys
> >  * @wep_tx_key: key index (0..3) of the default TX static WEP key
> >  * @psk: PSK (for devices supporting 4-way-handshake offload)
> > + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> > + *offload)
> > + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
> >  */
> > struct cfg80211_crypto_settings {
> > u32 wpa_versions;
> > @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> > struct key_params *wep_keys;
> > int wep_tx_key;
> > const u8 *psk;
> > +const u8 *sae_pwd;
> > +u16 sae_pwd_len;
> > };
> >
> > /**
> > diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> > index 12762afb3a07..4840aaed39ba 100644
> > --- a/include/uapi/linux/nl80211.h
> > +++ b/include/uapi/linux/nl80211.h
> > @@ -235,6 +235,15 @@
> >  */
> >
> > /**
> > + * DOC: SAE authentication offload
> > + *
> > + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> > + * support offloading SAE authentication for WPA3-Personal networks. In
> > + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> > + * %NL80211_ATTR_SAE_PASSWORD.
> > + */
> > +
> > +/**
> >  * enum nl80211_commands - supported nl80211 commands
> >  *
> >  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> > @@ -2288,6 +2297,9 @@ enum nl80211_commands {
> >  *
> >  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
> >  *statistics, see &enum nl80211_ftm_responder_stats.
> > + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> > + *is used with %NL80211_CMD_CONNECT to provide password for offloading
> > + *SAE authentication for WPA3-Personal networks.
> >  *
> >  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
> >  *if the attribute is not given no timeout is requested. Note that 0 is an
> > @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> > NL80211_ATTR_FTM_RESPONDER,
> >
> > NL80211_ATTR_FTM_RESPONDER_STATS,
> > +NL80211_ATTR_SAE_PASSWORD,
> >
> > NL80211_ATTR_TIMEOUT,
>
> so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:
>
> /* add attributes here, update the policy in nl80211.c */

Hi Marcel,

Thanks for pointing this out. It was a mistake caused by rebasing the
patch. Will fix it in V2.

>
> More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

This new attribute is used to pass the sae_password value, set in the
configuration file of wpa_supplicant, for offloading SAE authentication.
It seems that the existing attributes can not be utilized for the
purpose. Could you please point it out if you know the proper one? To
reflect the content of the attribute, NL80211_ATTR_SAE_PASSWORD should
be a proper name.

As for the mixed WPA/WPA2/WPA3 network credentials, no key materials
will be provided in a NL80211_CMD_CONNECT for non-offload cases. When
offload is considered, there is no conflict between WPA/WPA2 4-way
handshake offload and SAE authentication offload. For the WPA/WPA2
4-way handshake offload, the PSK is specified using NL80211_ATTR_PMK in
the NL80211_CMD_CONNECT. The corresponding description can be found in
the section "DOC: WPA/WPA2 EAPOL handshake offload". As for the SAE
authentication offload, the sae_password value is provided by
NL80211_ATTR_SAE_PASSWORD in NL80211_CMD_CONNECT. It is described in
the section "DOC: SAE authentication offload" proposed in this patch.

Regards,
Chung-Hsien

>
> Regards
>
> Marcel
>

Marcel Holtmann May 10, 2019, 8:32 a.m. UTC | #5
Hi Stanley,

>>> Let drivers advertise support for station-mode SAE authentication
>>> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
>>> 
>>> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
>>> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
>>> ---
>>> include/linux/ieee80211.h    |  1 +
>>> include/net/cfg80211.h       |  5 +++++
>>> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>>> net/wireless/nl80211.c       | 14 ++++++++++++++
>>> 4 files changed, 36 insertions(+)
>>> 
>>> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
>>> index 3b04e72315e1..37d3e655e547 100644
>>> --- a/include/linux/ieee80211.h
>>> +++ b/include/linux/ieee80211.h
>>> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>>> #define FILS_ERP_MAX_RRK_LEN64
>>> 
>>> #define PMK_MAX_LEN64
>>> +#define SAE_PASSWORD_MAX_LEN128
>>> 
>>> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>>> enum ieee80211_pub_actioncode {
>>> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
>>> index e0c41eb1c860..5809dac97b33 100644
>>> --- a/include/net/cfg80211.h
>>> +++ b/include/net/cfg80211.h
>>> @@ -740,6 +740,9 @@ struct survey_info {
>>> *CFG80211_MAX_WEP_KEYS WEP keys
>>> * @wep_tx_key: key index (0..3) of the default TX static WEP key
>>> * @psk: PSK (for devices supporting 4-way-handshake offload)
>>> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
>>> + *offload)
>>> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>>> */
>>> struct cfg80211_crypto_settings {
>>> u32 wpa_versions;
>>> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>>> struct key_params *wep_keys;
>>> int wep_tx_key;
>>> const u8 *psk;
>>> +const u8 *sae_pwd;
>>> +u16 sae_pwd_len;
>>> };
>>> 
>>> /**
>>> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
>>> index 12762afb3a07..4840aaed39ba 100644
>>> --- a/include/uapi/linux/nl80211.h
>>> +++ b/include/uapi/linux/nl80211.h
>>> @@ -235,6 +235,15 @@
>>> */
>>> 
>>> /**
>>> + * DOC: SAE authentication offload
>>> + *
>>> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
>>> + * support offloading SAE authentication for WPA3-Personal networks. In
>>> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
>>> + * %NL80211_ATTR_SAE_PASSWORD.
>>> + */
>>> +
>>> +/**
>>> * enum nl80211_commands - supported nl80211 commands
>>> *
>>> * @NL80211_CMD_UNSPEC: unspecified command to catch errors
>>> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>>> *
>>> * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>>> *statistics, see &enum nl80211_ftm_responder_stats.
>>> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
>>> + *is used with %NL80211_CMD_CONNECT to provide password for offloading
>>> + *SAE authentication for WPA3-Personal networks.
>>> *
>>> * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>>> *if the attribute is not given no timeout is requested. Note that 0 is an
>>> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>>> NL80211_ATTR_FTM_RESPONDER,
>>> 
>>> NL80211_ATTR_FTM_RESPONDER_STATS,
>>> +NL80211_ATTR_SAE_PASSWORD,
>>> 
>>> NL80211_ATTR_TIMEOUT,
>> 
>> so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:
>> 
>> /* add attributes here, update the policy in nl80211.c */
> 
> Hi Marcel,
> 
> Thanks for pointing this out. It was a mistake caused by rebasing the
> patch. Will fix it in V2.
> 
>> 
>> More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.
> 
> This new attribute is used to pass the sae_password value, set in the
> configuration file of wpa_supplicant, for offloading SAE authentication.
> It seems that the existing attributes can not be utilized for the
> purpose. Could you please point it out if you know the proper one? To
> reflect the content of the attribute, NL80211_ATTR_SAE_PASSWORD should
> be a proper name.

not everything is wpa_supplicant config files. How does this work with iwd, for example? The user cannot set a specific SAE password since that is all handled internally.

> As for the mixed WPA/WPA2/WPA3 network credentials, no key materials
> will be provided in a NL80211_CMD_CONNECT for non-offload cases. When
> offload is considered, there is no conflict between WPA/WPA2 4-way
> handshake offload and SAE authentication offload. For the WPA/WPA2
> 4-way handshake offload, the PSK is specified using NL80211_ATTR_PMK in
> the NL80211_CMD_CONNECT. The corresponding description can be found in
> the section "DOC: WPA/WPA2 EAPOL handshake offload". As for the SAE
> authentication offload, the sae_password value is provided by
> NL80211_ATTR_SAE_PASSWORD in NL80211_CMD_CONNECT. It is described in
> the section "DOC: SAE authentication offload" proposed in this patch.

Do we have some documentation on how to handle offload for mixed WPA/WPA2/WPA3 networks? I really wonder how nl80211 is supposed to be used in these cases. As mentioned above, not everything is wpa_supplicant and I am curious on how seamless roaming will actually work for offload cases.

Regards

Marcel

Patch

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 3b04e72315e1..37d3e655e547 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2596,6 +2596,7 @@  enum ieee80211_key_len {
 #define FILS_ERP_MAX_RRK_LEN		64
 
 #define PMK_MAX_LEN			64
+#define SAE_PASSWORD_MAX_LEN		128
 
 /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
 enum ieee80211_pub_actioncode {
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e0c41eb1c860..5809dac97b33 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -740,6 +740,9 @@  struct survey_info {
  *	CFG80211_MAX_WEP_KEYS WEP keys
  * @wep_tx_key: key index (0..3) of the default TX static WEP key
  * @psk: PSK (for devices supporting 4-way-handshake offload)
+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
+ *	offload)
+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
  */
 struct cfg80211_crypto_settings {
 	u32 wpa_versions;
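Review bot: The new @sae_pwd kernel-doc does not say who owns the buffer or for how long it stays valid; in this patch nl80211_crypto_settings fills it with nla_data() (the nl80211.c hunk at @@ -8769), so it refers into the connect request message, presumably the same arrangement as @psk on the line above. A driver that keeps the pointer past the connect callback would then be reading released memory, and since this is credential material the contract deserves a sentence: `@sae_pwd: password for SAE authentication (for devices supporting SAE offload); points into the connect request and is only valid during the call, drivers must copy it if needed later` — assuming that is the intended lifetime. @sae_pwd_len could likewise state that it is bounded by SAE_PASSWORD_MAX_LEN.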
@@ -755,6 +758,8 @@  struct cfg80211_crypto_settings {
 	struct key_params *wep_keys;
 	int wep_tx_key;
 	const u8 *psk;
+	const u8 *sae_pwd;
+	u16 sae_pwd_len;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 12762afb3a07..4840aaed39ba 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -235,6 +235,15 @@ 
  */
 
 /**
+ * DOC: SAE authentication offload
+ *
+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
+ * support offloading SAE authentication for WPA3-Personal networks. In
+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
+ * %NL80211_ATTR_SAE_PASSWORD.
+ */
+
+/**
  * enum nl80211_commands - supported nl80211 commands
  *
  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -2288,6 +2297,9 @@  enum nl80211_commands {
  *
  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
  *	statistics, see &enum nl80211_ftm_responder_stats.
+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
+ *	is used with %NL80211_CMD_CONNECT to provide password for offloading
+ *	SAE authentication for WPA3-Personal networks.
  *
  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
  *	if the attribute is not given no timeout is requested. Note that 0 is an
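Review bot: The @NL80211_ATTR_SAE_PASSWORD description omits the attribute's type and size bound, which neighbouring entries such as @NL80211_ATTR_TIMEOUT (u32) give; the policy hunk in nl80211.c makes it NLA_BINARY with a maximum of SAE_PASSWORD_MAX_LEN (128). Suggest `@NL80211_ATTR_SAE_PASSWORD: SAE password material (binary, at most 128 octets), used with %NL80211_CMD_CONNECT to provide the password for offloading SAE authentication for WPA3-Personal networks; only accepted when %NL80211_EXT_FEATURE_SAE_OFFLOAD is set.` The last clause mirrors the -EINVAL check that nl80211_crypto_settings adds in this patch, which userspace cannot otherwise learn from the header.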
@@ -2743,6 +2755,7 @@  enum nl80211_attrs {
 	NL80211_ATTR_FTM_RESPONDER,
 
 	NL80211_ATTR_FTM_RESPONDER_STATS,
+	NL80211_ATTR_SAE_PASSWORD,
 
 	NL80211_ATTR_TIMEOUT,
 
@@ -5316,6 +5329,8 @@  enum nl80211_feature_flags {
  *      able to rekey an in-use key correctly. Userspace must not rekey PTK keys
  *      if this flag is not set. Ignoring this can leak clear text packets and/or
  *      freeze the connection.
+ * @NL80211_EXT_FEATURE_SAE_OFFLOAD: Device wants to do SAE authentication in
+ *	station mode (SAE password is passed as part of the connect command).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5356,6 +5371,7 @@  enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT,
 	NL80211_EXT_FEATURE_CAN_REPLACE_PTK0,
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER,
+	NL80211_EXT_FEATURE_SAE_OFFLOAD,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c464ce8bc248..d1ebc93d5d56 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -557,6 +557,8 @@  const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_PEER_MEASUREMENTS] =
 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
 				  nl80211_pmsr_attr_policy),
+	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
+					.len = SAE_PASSWORD_MAX_LEN },
 };
 
 /* policy for the key attributes */
@@ -4348,6 +4350,8 @@  static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
 		return true;
 	case NL80211_CMD_CONNECT:
 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
+		    !wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
 		    auth_type == NL80211_AUTHTYPE_SAE)
 			return false;
 
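Review bot: The widened condition lets a connect with NL80211_AUTHTYPE_SAE through for a driver that only advertises NL80211_EXT_FEATURE_SAE_OFFLOAD, but nothing in this patch requires NL80211_ATTR_SAE_PASSWORD to accompany it, so an offload-only driver can be handed an SAE connect with sae_pwd left NULL. Unless every driver is expected to reject that itself, the connect path should check the pairing once both the auth type and the parsed crypto settings are in scope, e.g. `if (auth_type == NL80211_AUTHTYPE_SAE && !settings->sae_pwd) return -EINVAL;` — that point is likely in nl80211_connect, outside this patch. nl80211_valid_auth_type begins and ends outside this hunk.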
@@ -8769,6 +8773,16 @@  static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
 	}
 
+	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
+		if (!wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
+			return -EINVAL;
+		settings->sae_pwd =
+			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+		settings->sae_pwd_len =
+			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+	}
+
 	return 0;
 }
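Review bot: nla_len() is stored into sae_pwd_len without a lower bound, and the policy entry added earlier in this file (the @@ -557 hunk) only caps the length at SAE_PASSWORD_MAX_LEN because NLA_BINARY's .len is a maximum, so a zero-length NL80211_ATTR_SAE_PASSWORD passes validation and reaches the driver as an empty password. Reject it before the assignments: `if (!nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD])) return -EINVAL;`. The stored pointer aliases the request message in the same way psk does on the line above, so presumably it must not be retained past the connect call; nl80211_crypto_settings starts outside this hunk.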