[5/6] cfg80211: add support for SAE authentication offload
diff mbox series

Message ID 1546582221-143220-5-git-send-email-chi-hsien.lin@cypress.com
State Changes Requested
Delegated to: Johannes Berg
Headers show
Series
  • [1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
Related show

Commit Message

Chi-Hsien Lin Jan. 4, 2019, 6:11 a.m. UTC
From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Let drivers advertise support for station-mode SAE authentication
offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/linux/ieee80211.h    |  1 +
 include/net/cfg80211.h       |  5 +++++
 include/uapi/linux/nl80211.h | 16 ++++++++++++++++
 net/wireless/nl80211.c       | 14 ++++++++++++++
 4 files changed, 36 insertions(+)

Comments

Marcel Holtmann Jan. 4, 2019, 9:26 a.m. UTC | #1
Hi,

> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
> include/linux/ieee80211.h    |  1 +
> include/net/cfg80211.h       |  5 +++++
> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> net/wireless/nl80211.c       | 14 ++++++++++++++
> 4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> #define FILS_ERP_MAX_RRK_LEN		64
> 
> #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
> 
> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>  *	CFG80211_MAX_WEP_KEYS WEP keys
>  * @wep_tx_key: key index (0..3) of the default TX static WEP key
>  * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>  */
> struct cfg80211_crypto_settings {
> 	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> 	struct key_params *wep_keys;
> 	int wep_tx_key;
> 	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;
> };
> 
> /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>  */
> 
> /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>  * enum nl80211_commands - supported nl80211 commands
>  *
>  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>  *
>  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>  *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>  *
>  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>  *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> 	NL80211_ATTR_FTM_RESPONDER,
> 
> 	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,
> 
> 	NL80211_ATTR_TIMEOUT,

so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:

	/* add attributes here, update the policy in nl80211.c */

More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

Regards

Marcel
Arend Van Spriel Jan. 4, 2019, 11:10 a.m. UTC | #2
On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   include/linux/ieee80211.h    |  1 +
>   include/net/cfg80211.h       |  5 +++++
>   include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>   net/wireless/nl80211.c       | 14 ++++++++++++++
>   4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>   #define FILS_ERP_MAX_RRK_LEN		64
>   
>   #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
>   
>   /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>   enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>    *	CFG80211_MAX_WEP_KEYS WEP keys
>    * @wep_tx_key: key index (0..3) of the default TX static WEP key
>    * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>    */
>   struct cfg80211_crypto_settings {
>   	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>   	struct key_params *wep_keys;
>   	int wep_tx_key;
>   	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;

Not really need u16 as max length is defined earlier as 128.

>   };
>   
>   /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>    */
>   
>   /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>    * enum nl80211_commands - supported nl80211 commands
>    *
>    * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>    *
>    * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>    *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>    *
>    * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>    *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>   	NL80211_ATTR_FTM_RESPONDER,
>   
>   	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,

Marcel already commented on this. These enumerations are ABI. You should 
also change the nl80211_policy to assure the max length 
SAE_PASSWORD_MAX_LEN is not exceeded.

Gr. AvS

Patch
diff mbox series

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 3b04e72315e1..37d3e655e547 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2596,6 +2596,7 @@  enum ieee80211_key_len {
 #define FILS_ERP_MAX_RRK_LEN		64
 
 #define PMK_MAX_LEN			64
+#define SAE_PASSWORD_MAX_LEN		128
 
 /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
 enum ieee80211_pub_actioncode {
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e0c41eb1c860..5809dac97b33 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -740,6 +740,9 @@  struct survey_info {
  *	CFG80211_MAX_WEP_KEYS WEP keys
  * @wep_tx_key: key index (0..3) of the default TX static WEP key
  * @psk: PSK (for devices supporting 4-way-handshake offload)
+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
+ *	offload)
+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
  */
 struct cfg80211_crypto_settings {
 	u32 wpa_versions;
@@ -755,6 +758,8 @@  struct cfg80211_crypto_settings {
 	struct key_params *wep_keys;
 	int wep_tx_key;
 	const u8 *psk;
+	const u8 *sae_pwd;
+	u16 sae_pwd_len;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 12762afb3a07..4840aaed39ba 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -235,6 +235,15 @@ 
  */
 
 /**
+ * DOC: SAE authentication offload
+ *
+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
+ * support offloading SAE authentication for WPA3-Personal networks. In
+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
+ * %NL80211_ATTR_SAE_PASSWORD.
+ */
+
+/**
  * enum nl80211_commands - supported nl80211 commands
  *
  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -2288,6 +2297,9 @@  enum nl80211_commands {
  *
  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
  *	statistics, see &enum nl80211_ftm_responder_stats.
+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
+ *	is used with %NL80211_CMD_CONNECT to provide password for offloading
+ *	SAE authentication for WPA3-Personal networks.
  *
  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
  *	if the attribute is not given no timeout is requested. Note that 0 is an
@@ -2743,6 +2755,7 @@  enum nl80211_attrs {
 	NL80211_ATTR_FTM_RESPONDER,
 
 	NL80211_ATTR_FTM_RESPONDER_STATS,
+	NL80211_ATTR_SAE_PASSWORD,
 
 	NL80211_ATTR_TIMEOUT,
 
@@ -5316,6 +5329,8 @@  enum nl80211_feature_flags {
  *      able to rekey an in-use key correctly. Userspace must not rekey PTK keys
  *      if this flag is not set. Ignoring this can leak clear text packets and/or
  *      freeze the connection.
+ * @NL80211_EXT_FEATURE_SAE_OFFLOAD: Device wants to do SAE authentication in
+ *	station mode (SAE password is passed as part of the connect command).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5356,6 +5371,7 @@  enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT,
 	NL80211_EXT_FEATURE_CAN_REPLACE_PTK0,
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER,
+	NL80211_EXT_FEATURE_SAE_OFFLOAD,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c464ce8bc248..d1ebc93d5d56 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -557,6 +557,8 @@  const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_PEER_MEASUREMENTS] =
 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
 				  nl80211_pmsr_attr_policy),
+	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
+					.len = SAE_PASSWORD_MAX_LEN },
 };
 
 /* policy for the key attributes */
@@ -4348,6 +4350,8 @@  static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
 		return true;
 	case NL80211_CMD_CONNECT:
 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
+		    !wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
 		    auth_type == NL80211_AUTHTYPE_SAE)
 			return false;
 
@@ -8769,6 +8773,16 @@  static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
 	}
 
+	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
+		if (!wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
+			return -EINVAL;
+		settings->sae_pwd =
+			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+		settings->sae_pwd_len =
+			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+	}
+
 	return 0;
 }