Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

wifi: mac80211: allow key installation before association

Currently, mac80211 allows key installation only after association
completes. However, Enhanced Privacy Protection Key Exchange (EPPKE)
requires key installation before association to enable encryption and
decryption of (Re)Association Request and Response frames.

Add support to install keys prior to association when the peer is an
Enhanced Privacy Protection (EPP) peer that requires encryption and
decryption of (Re)Association Request and Response frames.

Introduce a new boolean parameter "epp_peer" in the "ieee80211_sta"
profile to indicate that the peer supports the Enhanced Privacy
Protection Key Exchange (EPPKE) protocol. For non-AP STA mode, it
is set when the authentication algorithm is WLAN_AUTH_EPPKE during
station profile initialization. For AP mode, it is set during
NL80211_CMD_NEW_STA and NL80211_CMD_ADD_LINK_STA.

When "epp_peer" parameter is set, mac80211 now accepts keys before
association and enables encryption of the (Re)Association
Request/Response frames.

Co-developed-by: Sai Pratyusha Magam <sai.magam@oss.qualcomm.com>
Signed-off-by: Sai Pratyusha Magam <sai.magam@oss.qualcomm.com>
Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260114111900.2196941-6-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Kavita Kavita and committed by
Johannes Berg
63e7e3b6 6ee3a22c

+19 -2
+2
include/net/mac80211.h
··· 2520 2520 * by the AP. 2521 2521 * @valid_links: bitmap of valid links, or 0 for non-MLO 2522 2522 * @spp_amsdu: indicates whether the STA uses SPP A-MSDU or not. 2523 + * @epp_peer: indicates that the peer is an EPP peer. 2523 2524 */ 2524 2525 struct ieee80211_sta { 2525 2526 u8 addr[ETH_ALEN] __aligned(2); ··· 2545 2544 struct ieee80211_txq *txq[IEEE80211_NUM_TIDS + 1]; 2546 2545 2547 2546 u16 valid_links; 2547 + bool epp_peer; 2548 2548 struct ieee80211_link_sta deflink; 2549 2549 struct ieee80211_link_sta __rcu *link[IEEE80211_MLD_MAX_NUM_LINKS]; 2550 2550
+13 -2
net/mac80211/cfg.c
··· 680 680 * association has completed, this rejects that attempt 681 681 * so it will set the key again after association. 682 682 * 683 + * With (re)association frame encryption enabled, cfg80211 684 + * may deliver keys to mac80211 before the station has 685 + * associated. In that case, accept the key if the station 686 + * is an Enhanced Privacy Protection (EPP) peer. 687 + * If (re)association frame encryption support is not present, 688 + * cfg80211 will not allow key installation in non‑AP STA mode. 689 + * 683 690 * TODO: accept the key if we have a station entry and 684 - * add it to the device after the station. 691 + * add it to the device after the station associates. 685 692 */ 686 - if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) { 693 + if (!sta || (!sta->sta.epp_peer && 694 + !test_sta_flag(sta, WLAN_STA_ASSOC))) { 687 695 ieee80211_key_free_unused(key); 688 696 return -ENOENT; 689 697 } ··· 2205 2197 2206 2198 mask = params->sta_flags_mask; 2207 2199 set = params->sta_flags_set; 2200 + 2201 + if (params->epp_peer) 2202 + sta->sta.epp_peer = true; 2208 2203 2209 2204 if (ieee80211_vif_is_mesh(&sdata->vif)) { 2210 2205 /*
+4
net/mac80211/mlme.c
··· 8964 8964 goto out_err; 8965 8965 } 8966 8966 8967 + if (ifmgd->auth_data && 8968 + ifmgd->auth_data->algorithm == WLAN_AUTH_EPPKE) 8969 + new_sta->sta.epp_peer = true; 8970 + 8967 8971 new_sta->sta.mlo = mlo; 8968 8972 } 8969 8973