Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
wifi: mac80211: add support for EPPKE authentication protocol in non-AP STA mode

Add support for the Enhanced Privacy Protection Key Exchange (EPPKE)
authentication protocol in non-AP STA mode, as specified in
"IEEE P802.11bi/D3.0, 12.16.9".

EPPKE is an RSNA authentication protocol that operates using
Pre-Association Security Negotiation (PASN) procedures. It consists
of three Authentication frames with transaction sequence numbers 1, 2,
and 3. The first and third are sent by the non-AP STA and the second by the
AP STA.

Extend mac80211 to process EPPKE Authentication frames during the
authentication phase. Currently, mac80211 processes only frames with
the expected transaction number. In the case of EPPKE, process the
Authentication frame from the AP only if the transaction number matches
the expected value, which is 2.

After receiving the final Authentication frame with transaction number 3
from the non-AP STA, it indicates that both the non-AP STA and the AP
confirm there are no issues with authentication. Since this is the final
confirmation frame to send out, mark the state as authenticated in
mac80211.

For EPPKE authentication, the Multi-Link element (MLE) must be included
in the Authentication frame body by userspace in case of MLO connection.
If the MLE is not present, reject the Authentication frame.

Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260114111900.2196941-8-kavita.kavita@oss.qualcomm.com
[remove a single stray space]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Kavita Kavita and committed by
Johannes Berg
0e7e5099 5329ed8f

+26 -7
+1 -1
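--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -430,7 +430,7 @@
 
 u8 ap_addr[ETH_ALEN] __aligned(2);
 
-u16 sae_trans, sae_status;
+u16 trans, status;
 size_t data_len;
 u8 data[];
 };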
+25 -6
net/mac80211/mlme.c
··· 4911 4911 case WLAN_AUTH_FILS_SK: 4912 4912 case WLAN_AUTH_FILS_SK_PFS: 4913 4913 case WLAN_AUTH_FILS_PK: 4914 + case WLAN_AUTH_EPPKE: 4914 4915 break; 4915 4916 case WLAN_AUTH_SHARED_KEY: 4916 4917 if (ifmgd->auth_data->expected_transaction != 4) { ··· 8278 8277 if (WARN_ON_ONCE(!auth_data)) 8279 8278 return -EINVAL; 8280 8279 8280 + if (auth_data->algorithm == WLAN_AUTH_EPPKE && 8281 + ieee80211_vif_is_mld(&sdata->vif) && 8282 + !cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_MULTI_LINK, 8283 + auth_data->data, auth_data->data_len)) 8284 + return -EINVAL; 8285 + 8281 8286 auth_data->tries++; 8282 8287 8283 8288 if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) { ··· 8312 8305 auth_data->expected_transaction = 2; 8313 8306 8314 8307 if (auth_data->algorithm == WLAN_AUTH_SAE) { 8315 - trans = auth_data->sae_trans; 8316 - status = auth_data->sae_status; 8308 + trans = auth_data->trans; 8309 + status = auth_data->status; 8317 8310 auth_data->expected_transaction = trans; 8311 + } else if (auth_data->algorithm == WLAN_AUTH_EPPKE) { 8312 + trans = auth_data->trans; 8313 + status = auth_data->status; 8318 8314 } 8319 8315 8320 8316 if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) ··· 9232 9222 case NL80211_AUTHTYPE_FILS_PK: 9233 9223 auth_alg = WLAN_AUTH_FILS_PK; 9234 9224 break; 9225 + case NL80211_AUTHTYPE_EPPKE: 9226 + auth_alg = WLAN_AUTH_EPPKE; 9227 + break; 9235 9228 default: 9236 9229 return -EOPNOTSUPP; 9237 9230 } ··· 9259 9246 auth_data->link_id = req->link_id; 9260 9247 9261 9248 if (req->auth_data_len >= 4) { 9262 - if (req->auth_type == NL80211_AUTHTYPE_SAE) { 9249 + if (req->auth_type == NL80211_AUTHTYPE_SAE || 9250 + req->auth_type == NL80211_AUTHTYPE_EPPKE) { 9263 9251 __le16 *pos = (__le16 *) req->auth_data; 9264 9252 9265 - auth_data->sae_trans = le16_to_cpu(pos[0]); 9266 - auth_data->sae_status = le16_to_cpu(pos[1]); 9253 + auth_data->trans = le16_to_cpu(pos[0]); 9254 + auth_data->status = le16_to_cpu(pos[1]); 9267 9255 } 9256 + 9268 9257 
memcpy(auth_data->data, req->auth_data + 4, 9269 9258 req->auth_data_len - 4); 9270 9259 auth_data->data_len += req->auth_data_len - 4; ··· 9317 9302 * out SAE Confirm. 9318 9303 */ 9319 9304 if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE && 9320 - auth_data->peer_confirmed && auth_data->sae_trans == 2) 9305 + auth_data->peer_confirmed && auth_data->trans == 2) 9306 + ieee80211_mark_sta_auth(sdata); 9307 + 9308 + if (cont_auth && req->auth_type == NL80211_AUTHTYPE_EPPKE && 9309 + auth_data->trans == 3) 9321 9310 ieee80211_mark_sta_auth(sdata); 9322 9311 9323 9312 if (ifmgd->associated) {
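Review bot: In the last hunk the EPPKE branch calls ieee80211_mark_sta_auth() on `cont_auth` and `auth_data->trans == 3` alone, and `trans` and `status` are both copied from the first four bytes of the userspace-supplied `req->auth_data`, whereas the SAE branch just above also requires the kernel-tracked `peer_confirmed`. Nothing visible in the hunk ties this transition to an accepted frame 2 from the AP or to a success status in frame 3; if that is guaranteed elsewhere (the function body continues outside the hunk), a comment like the SAE one should say so. Otherwise consider tightening the condition to `auth_data->trans == 3 && auth_data->status == WLAN_STATUS_SUCCESS)`, so a final frame carrying a failure status does not leave the STA marked authenticated. In the earlier send-path hunk, EPPKE takes `trans` from `auth_data` but leaves `expected_transaction` at 2 even when frame 3 is being sent, which is worth confirming is intended.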