[PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

This patch series add support for offloading the PTK/GTK handshakes for
WPA/WPA2-Personal and 802.1X in nl80211. The nl80211 patches have been
posted as RFC. Compared to that RFC this series also adds a new flag
ATTR_PORT_AUTHORIZED used in both CONNECT and ROAM notifications to
indicate the driver has completed the offloads successfully and the
encryption keys for the connection are applied. Another change is the
addition of the flag ATTR_WANT_1X_4WAY_HS that user-space has to pass
in CONNECT request. Some drivers may need to be aware before the PMK
is programmed through SET_PMK request.

This series also comes with driver implementation in brcmfmac although
it does not use the authorized flag in the ROAM event (yet).

The series applies to the master branch of the mac80211-next repository.

V2:
 - changed patch 2/9 addressing comments from Johannes.

Arend van Spriel (6):
  nl80211: add authorized flag to CONNECT event
  nl80211: remove desciption about request from NL80211_CMD_ROAM
  brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK
  brcmfmac: support 4-way handshake offloading for 802.1X
  brcmfmac: switch to using cfg80211_connect_done()
  brcmfmac: provide port authorized state in CONNECT event

Avraham Stern (2):
  cfg80211: support 4-way handshake offloading for 802.1X
  nl80211: add authorized flag to ROAM event

Eliad Peller (1):
  cfg80211: support 4-way handshake offloading for WPA/WPA2-PSK

 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 159 +++++++++++++++++++--
 .../broadcom/brcm80211/brcmfmac/cfg80211.h         |  15 +-
 .../wireless/broadcom/brcm80211/brcmfmac/feature.c |   1 +
 .../wireless/broadcom/brcm80211/brcmfmac/feature.h |   4 +-
 .../wireless/broadcom/brcm80211/brcmfmac/fweh.h    |  30 ++++
 .../wireless/broadcom/brcm80211/brcmfmac/fwil.h    |   1 +
 .../broadcom/brcm80211/brcmfmac/fwil_types.h       |  16 +++
 include/linux/ieee80211.h                          |   4 +
 include/net/cfg80211.h                             |  41 ++++++
 include/uapi/linux/nl80211.h                       |  50 ++++++-
 net/wireless/core.c                                |   5 +
 net/wireless/nl80211.c                             | 120 +++++++++++++++-
 net/wireless/rdev-ops.h                            |  25 ++++
 net/wireless/sme.c                                 |   2 +
 net/wireless/trace.h                               |  60 ++++++++
 15 files changed, 510 insertions(+), 23 deletions(-)

-- 
1.9.1

[PATCH V2 1/9] cfg80211: support 4-way handshake offloading for WPA/WPA2-PSK

[Arend van Spriel]

From: Eliad Peller <eliad@wizery.com>

Let drivers advertise support for station-mode 4-way handshake
offloading with a new NL80211_EXT_FEATURE_4WAY_HANDSHAKE_OFFLOAD_STA
flag.

Extend use of NL80211_ATTR_PMK attribute indicating it might be passed
as part of NL80211_CMD_CONNECT command, and contain the PSK (which is
the PMK, hence the name.)

The driver/device is assumed to handle the 4-way handshake by
itself in this case (including key derivations, etc.), instead
of relying on the supplicant.

This patch is somewhat based on this one (by Vladimir Kondratiev):
https://patchwork.kernel.org/patch/1309561/.

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[arend.vanspriel@broadcom.com rebase dealing with existing ATTR_PMK]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 include/linux/ieee80211.h    |  1 +
 include/net/cfg80211.h       |  2 ++
 include/uapi/linux/nl80211.h | 10 ++++++++--
 net/wireless/nl80211.c       |  9 +++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 6903335..e97ca3a 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2401,6 +2401,7 @@ enum ieee80211_sa_query_action {
 #define WLAN_MAX_KEY_LEN		32
 
 #define WLAN_PMKID_LEN			16
+#define WLAN_PMK_LEN			32
 
 #define WLAN_OUI_WFA			0x506f9a
 #define WLAN_OUI_TYPE_WFA_P2P		9
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 6e90f1a..3a2989d 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -649,6 +649,7 @@ struct survey_info {
  * @wep_keys: static WEP keys, if not NULL points to an array of
  *	CFG80211_MAX_WEP_KEYS WEP keys
  * @wep_tx_key: key index (0..3) of the default TX static WEP key
+ * @psk: PSK (for devices supporting 4-way-handshake offload)
  */
 struct cfg80211_crypto_settings {
 	u32 wpa_versions;
@@ -662,6 +663,7 @@ struct cfg80211_crypto_settings {
 	bool control_port_no_encrypt;
 	struct key_params *wep_keys;
 	int wep_tx_key;
+	const u8 *psk;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index b8c44b9..b9e6d14 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -2080,8 +2080,10 @@ enum nl80211_commands {
  *	identifying the scope of PMKSAs. This is used with
  *	@NL80211_CMD_SET_PMKSA and @NL80211_CMD_DEL_PMKSA.
  *
- * @NL80211_ATTR_PMK: PMK for the PMKSA identified by %NL80211_ATTR_PMKID.
- *	This is used with @NL80211_CMD_SET_PMKSA.
+ * @NL80211_ATTR_PMK: attribute for passing PMK key material. Used with
+ *	%NL80211_CMD_SET_PMKSA for the PMKSA identified by %NL80211_ATTR_PMKID.
+ *	For %NL80211_CMD_CONNECT it is used to provide PSK for offloading 4-way
+ *	handshake for WPA/WPA2-PSK networks.
  *
  * @NL80211_ATTR_SCHED_SCAN_MULTI: flag attribute which user-space shall use to
  *	indicate that it supports multiple active scheduled scan requests.
@@ -4852,6 +4854,9 @@ enum nl80211_feature_flags {
  *	RSSI threshold values to monitor rather than exactly one threshold.
  * @NL80211_EXT_FEATURE_FILS_SK_OFFLOAD: Driver SME supports FILS shared key
  *	authentication with %NL80211_CMD_CONNECT.
+ * @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK: Device supports doing 4-way
+ *	handshake with PSK in station mode (PSK is passed as part of the connect
+ *	and associate commands).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -4872,6 +4877,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI,
 	NL80211_EXT_FEATURE_CQM_RSSI_LIST,
 	NL80211_EXT_FEATURE_FILS_SK_OFFLOAD,
+	NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 570fc95..d93e3e4 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8156,6 +8156,15 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		memcpy(settings->akm_suites, data, len);
 	}
 
+	if (info->attrs[NL80211_ATTR_PMK]) {
+		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
+			return -EINVAL;
+		if (!wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
+			return -EINVAL;
+		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
+	}
+
 	return 0;
 }
 
-- 
1.9.1

[PATCH V2 2/9] cfg80211: support 4-way handshake offloading for 802.1X

[Arend van Spriel]

From: Avraham Stern <avraham.stern@intel.com>

Add API for setting the PMK to the driver. For FT support, allow
setting also the PMK-R0 Name.

This can be used by drivers that support 4-Way handshake offload
while IEEE802.1X authentication is managed by upper layers.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[arend.vanspriel@broadcom.com: add WANT_1X_4WAY_HS attribute]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 V2:
 - rename ATTR_WANT_1X_OFFLOAD to ATTR_WANT_1X_4WAY_HS.
 - add remarks about driver dealing with PMK clearing upon disconnect.
---
 include/linux/ieee80211.h    |   3 ++
 include/net/cfg80211.h       |  32 +++++++++++++
 include/uapi/linux/nl80211.h |  27 ++++++++++-
 net/wireless/core.c          |   5 +++
 net/wireless/nl80211.c       | 105 +++++++++++++++++++++++++++++++++++++++++++
 net/wireless/rdev-ops.h      |  25 +++++++++++
 net/wireless/trace.h         |  60 +++++++++++++++++++++++++
 7 files changed, 256 insertions(+), 1 deletion(-)

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index e97ca3a..34e1bcd 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2400,8 +2400,11 @@ enum ieee80211_sa_query_action {
 
 #define WLAN_MAX_KEY_LEN		32
 
+#define WLAN_PMK_NAME_LEN		16
 #define WLAN_PMKID_LEN			16
+#define WLAN_PMK_LEN_EAP_LEAP		16
 #define WLAN_PMK_LEN			32
+#define WLAN_PMK_LEN_SUITE_B_192	48
 
 #define WLAN_OUI_WFA			0x506f9a
 #define WLAN_OUI_TYPE_WFA_P2P		9
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 3a2989d..29118cb 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -2108,6 +2108,8 @@ struct cfg80211_bss_selection {
  * @fils_erp_rrk: ERP re-authentication Root Key (rRK) used to derive additional
  *	keys in FILS or %NULL if not specified.
  * @fils_erp_rrk_len: Length of @fils_erp_rrk in octets.
+ * @want_1x: indicates user-space supports and wants to use 802.1X driver
+ *	offload of 4-way handshake.
  */
 struct cfg80211_connect_params {
 	struct ieee80211_channel *channel;
@@ -2140,6 +2142,7 @@ struct cfg80211_connect_params {
 	u16 fils_erp_next_seq_num;
 	const u8 *fils_erp_rrk;
 	size_t fils_erp_rrk_len;
+	bool want_1x;
 };
 
 /**
@@ -2562,6 +2565,23 @@ struct cfg80211_nan_func {
 };
 
 /**
+ * struct cfg80211_pmk_conf - PMK configuration
+ *
+ * @aa: authenticator address
+ * @pmk_len: PMK length in bytes.
+ * @pmk: the PMK material
+ * @pmk_r0_name: PMK-R0 Name. NULL if not applicable (i.e., the PMK
+ *	is not PMK-R0). When pmk_r0_name is not NULL, the pmk field
+ *	holds PMK-R0.
+ */
+struct cfg80211_pmk_conf {
+	const u8 *aa;
+	u8 pmk_len;
+	const u8 *pmk;
+	const u8 *pmk_r0_name;
+};
+
+/**
  * struct cfg80211_ops - backend description for wireless configuration
  *
  * This struct is registered by fullmac card drivers and/or wireless stacks
@@ -2877,6 +2897,13 @@ struct cfg80211_nan_func {
  *	All other parameters must be ignored.
  *
  * @set_multicast_to_unicast: configure multicast to unicast conversion for BSS
+ *
+ * @set_pmk: configure the PMK to be used for offloaded 802.1X 4-Way handshake.
+ *	If not deleted through @del_pmk the PMK remains valid until disconnect
+ *	upon which the driver should clear it.
+ *	(invoked with the wireless_dev mutex held)
+ * @del_pmk: delete the previously configured PMK for the given authenticator.
+ *	(invoked with the wireless_dev mutex held)
  */
 struct cfg80211_ops {
 	int	(*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
@@ -3165,6 +3192,11 @@ struct cfg80211_ops {
 	int	(*set_multicast_to_unicast)(struct wiphy *wiphy,
 					    struct net_device *dev,
 					    const bool enabled);
+
+	int	(*set_pmk)(struct wiphy *wiphy, struct net_device *dev,
+			   const struct cfg80211_pmk_conf *conf);
+	int	(*del_pmk)(struct wiphy *wiphy, struct net_device *dev,
+			   const u8 *aa);
 };
 
 /*
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index b9e6d14..00eb686 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -947,6 +947,14 @@
  *	does not result in a change for the current association. Currently,
  *	only the %NL80211_ATTR_IE data is used and updated with this command.
  *
+ * @NL80211_CMD_SET_PMK: For offloaded 4-Way handshake, set the PMK or PMK-R0
+ *	for the given authenticator address (specified with &NL80211_ATTR_MAC).
+ *	When &NL80211_ATTR_PMKR0_NAME is set, &NL80211_ATTR_PMK specifies the
+ *	PMK-R0, otherwise it specifies the PMK.
+ * @NL80211_CMD_DEL_PMK: For offloaded 4-Way handshake, delete the previously
+ *	configured PMK for the authenticator address identified by
+ *	&NL80211_ATTR_MAC.
+ *
  * @NL80211_CMD_MAX: highest used command number
  * @__NL80211_CMD_AFTER_LAST: internal use
  */
@@ -1146,6 +1154,9 @@ enum nl80211_commands {
 
 	NL80211_CMD_UPDATE_CONNECT_PARAMS,
 
+	NL80211_CMD_SET_PMK,
+	NL80211_CMD_DEL_PMK,
+
 	/* add new commands above here */
 
 	/* used to define NL80211_CMD_MAX below */
@@ -2083,13 +2094,20 @@ enum nl80211_commands {
  * @NL80211_ATTR_PMK: attribute for passing PMK key material. Used with
  *	%NL80211_CMD_SET_PMKSA for the PMKSA identified by %NL80211_ATTR_PMKID.
  *	For %NL80211_CMD_CONNECT it is used to provide PSK for offloading 4-way
- *	handshake for WPA/WPA2-PSK networks.
+ *	handshake for WPA/WPA2-PSK networks. For 802.1X authentication it is
+ *	used with %NL80211_CMD_SET_PMK. This attribute specifies the PMK-R0
+ *	when &NL80211_ATTR_PMKR0_NAME is specified in %NL80211_CMD_CONNECT.
  *
  * @NL80211_ATTR_SCHED_SCAN_MULTI: flag attribute which user-space shall use to
  *	indicate that it supports multiple active scheduled scan requests.
  * @NL80211_ATTR_SCHED_SCAN_MAX_REQS: indicates maximum number of scheduled
  *	scan request that may be active for the device (u32).
  *
+ * @NL80211_ATTR_WANT_1X_4WAY_HS: flag attribute which user-space can include
+ *	in %NL80211_CMD_CONNECT to indicate that for 802.1X authentication it
+ *	wants to use the supported offload of the 4-way handshake.
+ * @NL80211_ATTR_PMKR0_NAME: PMK-R0 Name for offloaded FT.
+ *
  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
  * @NL80211_ATTR_MAX: highest attribute number currently defined
  * @__NL80211_ATTR_AFTER_LAST: internal use
@@ -2512,6 +2530,9 @@ enum nl80211_attrs {
 	NL80211_ATTR_SCHED_SCAN_MULTI,
 	NL80211_ATTR_SCHED_SCAN_MAX_REQS,
 
+	NL80211_ATTR_WANT_1X_4WAY_HS,
+	NL80211_ATTR_PMKR0_NAME,
+
 	/* add attributes here, update the policy in nl80211.c */
 
 	__NL80211_ATTR_AFTER_LAST,
@@ -4857,6 +4878,9 @@ enum nl80211_feature_flags {
  * @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK: Device supports doing 4-way
  *	handshake with PSK in station mode (PSK is passed as part of the connect
  *	and associate commands).
+ * @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X: Device supports doing 4-way
+ *	handshake with 802.1X in station mode (needs to pass EAP frames to
+ *	the host and accept the set_pmk/del_pmk commands).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -4878,6 +4902,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_CQM_RSSI_LIST,
 	NL80211_EXT_FEATURE_FILS_SK_OFFLOAD,
 	NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK,
+	NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 83ea164..7b33e8c 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -711,6 +711,11 @@ int wiphy_register(struct wiphy *wiphy)
 		    (wiphy->bss_select_support & ~(BIT(__NL80211_BSS_SELECT_ATTR_AFTER_LAST) - 2))))
 		return -EINVAL;
 
+	if (WARN_ON(wiphy_ext_feature_isset(&rdev->wiphy,
+					    NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X) &&
+		    (!rdev->ops->set_pmk || !rdev->ops->del_pmk)))
+		return -EINVAL;
+
 	if (wiphy->addresses)
 		memcpy(wiphy->perm_addr, wiphy->addresses[0].addr, ETH_ALEN);
 
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d93e3e4..3810e7e 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8869,6 +8869,12 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 
 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
 
+	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
+	    !wiphy_ext_feature_isset(&rdev->wiphy,
+				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
+		return -EINVAL;
+	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
+
 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
 				      NL80211_MAX_NR_CIPHER_SUITES);
 	if (err)
@@ -12250,6 +12256,90 @@ static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
 }
 
+static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
+{
+	struct cfg80211_registered_device *rdev = info->user_ptr[0];
+	struct net_device *dev = info->user_ptr[1];
+	struct wireless_dev *wdev = dev->ieee80211_ptr;
+	struct cfg80211_pmk_conf pmk_conf = {};
+	int ret;
+
+	if (wdev->iftype != NL80211_IFTYPE_STATION &&
+	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
+		return -EOPNOTSUPP;
+
+	if (!wiphy_ext_feature_isset(&rdev->wiphy,
+				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
+		return -EOPNOTSUPP;
+
+	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
+		return -EINVAL;
+
+	wdev_lock(wdev);
+	if (!wdev->current_bss) {
+		ret = -ENOTCONN;
+		goto out;
+	}
+
+	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
+	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
+	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
+	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
+	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
+	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
+		ret = -EINVAL;
+		goto out;
+	}
+
+	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
+		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
+
+		if (r0_name_len != WLAN_PMK_NAME_LEN) {
+			ret = -EINVAL;
+			goto out;
+		}
+
+		pmk_conf.pmk_r0_name =
+			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
+	}
+
+	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
+out:
+	wdev_unlock(wdev);
+	return ret;
+}
+
+static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
+{
+	struct cfg80211_registered_device *rdev = info->user_ptr[0];
+	struct net_device *dev = info->user_ptr[1];
+	struct wireless_dev *wdev = dev->ieee80211_ptr;
+	const u8 *aa;
+	int ret;
+
+	if (wdev->iftype != NL80211_IFTYPE_STATION &&
+	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
+		return -EOPNOTSUPP;
+
+	if (!wiphy_ext_feature_isset(&rdev->wiphy,
+				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
+		return -EOPNOTSUPP;
+
+	if (!info->attrs[NL80211_ATTR_MAC])
+		return -EINVAL;
+
+	wdev_lock(wdev);
+	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
+	ret = rdev_del_pmk(rdev, dev, aa);
+	wdev_unlock(wdev);
+
+	return ret;
+}
+
 #define NL80211_FLAG_NEED_WIPHY		0x01
 #define NL80211_FLAG_NEED_NETDEV	0x02
 #define NL80211_FLAG_NEED_RTNL		0x04
@@ -13125,6 +13215,21 @@ static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
 				  NL80211_FLAG_NEED_RTNL,
 	},
+	{
+		.cmd = NL80211_CMD_SET_PMK,
+		.doit = nl80211_set_pmk,
+		.policy = nl80211_policy,
+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+				  NL80211_FLAG_NEED_RTNL,
+	},
+	{
+		.cmd = NL80211_CMD_DEL_PMK,
+		.doit = nl80211_del_pmk,
+		.policy = nl80211_policy,
+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+				  NL80211_FLAG_NEED_RTNL,
+	},
+
 };
 
 static struct genl_family nl80211_fam __ro_after_init = {
diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
index 0598c1e..ce23d7d 100644
--- a/net/wireless/rdev-ops.h
+++ b/net/wireless/rdev-ops.h
@@ -1164,4 +1164,29 @@ static inline int rdev_set_qos_map(struct cfg80211_registered_device *rdev,
 	trace_rdev_return_int(&rdev->wiphy, ret);
 	return ret;
 }
+
+static inline int rdev_set_pmk(struct cfg80211_registered_device *rdev,
+			       struct net_device *dev,
+			       struct cfg80211_pmk_conf *pmk_conf)
+{
+	int ret = -EOPNOTSUPP;
+
+	trace_rdev_set_pmk(&rdev->wiphy, dev, pmk_conf);
+	if (rdev->ops->set_pmk)
+		ret = rdev->ops->set_pmk(&rdev->wiphy, dev, pmk_conf);
+	trace_rdev_return_int(&rdev->wiphy, ret);
+	return ret;
+}
+
+static inline int rdev_del_pmk(struct cfg80211_registered_device *rdev,
+			       struct net_device *dev, const u8 *aa)
+{
+	int ret = -EOPNOTSUPP;
+
+	trace_rdev_del_pmk(&rdev->wiphy, dev, aa);
+	if (rdev->ops->del_pmk)
+		ret = rdev->ops->del_pmk(&rdev->wiphy, dev, aa);
+	trace_rdev_return_int(&rdev->wiphy, ret);
+	return ret;
+}
 #endif /* __CFG80211_RDEV_OPS */
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index ca8b205..0f8db41 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -2258,6 +2258,66 @@
 		  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(addr))
 );
 
+TRACE_EVENT(rdev_set_pmk,
+	TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+		 struct cfg80211_pmk_conf *pmk_conf),
+
+	TP_ARGS(wiphy, netdev, pmk_conf),
+
+	TP_STRUCT__entry(
+		WIPHY_ENTRY
+		NETDEV_ENTRY
+		MAC_ENTRY(aa)
+		__field(u8, pmk_len)
+		__field(u8, pmk_r0_name_len)
+		__dynamic_array(u8, pmk, pmk_conf->pmk_len)
+		__dynamic_array(u8, pmk_r0_name, WLAN_PMK_NAME_LEN)
+	),
+
+	TP_fast_assign(
+		WIPHY_ASSIGN;
+		NETDEV_ASSIGN;
+		MAC_ASSIGN(aa, pmk_conf->aa);
+		__entry->pmk_len = pmk_conf->pmk_len;
+		__entry->pmk_r0_name_len =
+		pmk_conf->pmk_r0_name ? WLAN_PMK_NAME_LEN : 0;
+		memcpy(__get_dynamic_array(pmk), pmk_conf->pmk,
+		       pmk_conf->pmk_len);
+		memcpy(__get_dynamic_array(pmk_r0_name), pmk_conf->pmk_r0_name,
+		       pmk_conf->pmk_r0_name ? WLAN_PMK_NAME_LEN : 0);
+	),
+
+	TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", " MAC_PR_FMT
+		  "pmk_len=%u, pmk: %s pmk_r0_name: %s", WIPHY_PR_ARG,
+		  NETDEV_PR_ARG, MAC_PR_ARG(aa), __entry->pmk_len,
+		  __print_array(__get_dynamic_array(pmk),
+				__get_dynamic_array_len(pmk), 1),
+		  __entry->pmk_r0_name_len ?
+		  __print_array(__get_dynamic_array(pmk_r0_name),
+				__get_dynamic_array_len(pmk_r0_name), 1) : "")
+);
+
+TRACE_EVENT(rdev_del_pmk,
+	TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *aa),
+
+	TP_ARGS(wiphy, netdev, aa),
+
+	TP_STRUCT__entry(
+		WIPHY_ENTRY
+		NETDEV_ENTRY
+		MAC_ENTRY(aa)
+	),
+
+	TP_fast_assign(
+		WIPHY_ASSIGN;
+		NETDEV_ASSIGN;
+		MAC_ASSIGN(aa, aa);
+	),
+
+	TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", " MAC_PR_FMT,
+		  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(aa))
+);
+
 /*************************************************************
  *	     cfg80211 exported functions traces		     *
  *************************************************************/
-- 
1.9.1

[PATCH V2 3/9] nl80211: add authorized flag to CONNECT event

[Arend van Spriel]

When the driver supports offloading of the PTK/GTK handshakes
completion of that during connect changes the layer 2 control
port state to authorized. This patch allows the driver to pass
that state in cfg80211_connect_done() resulting in adding the
new flag NL80211_ATTR_PORT_AUTHORIZED in the NL80211_CMD_CONNECT
notification. For 802.1X the driver is expected to issue the
NL80211_CMD_CONNECT notification twice. First without the new
attribute to inform user-space that 802.1X authentication can
start and a second one with the new attribute to indicate the
completion of the handshakes.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 include/net/cfg80211.h       | 3 +++
 include/uapi/linux/nl80211.h | 4 ++++
 net/wireless/nl80211.c       | 2 ++
 net/wireless/sme.c           | 1 +
 4 files changed, 10 insertions(+)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 29118cb..9e2719c 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -5276,6 +5276,8 @@ static inline void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
  *	not known. This value is used only if @status < 0 to indicate that the
  *	failure is due to a timeout and not due to explicit rejection by the AP.
  *	This value is ignored in other cases (@status >= 0).
+ * @authorized: Indicates whether the connection is ready to transport
+ *	data packets.
  */
 struct cfg80211_connect_resp_params {
 	int status;
@@ -5293,6 +5295,7 @@ struct cfg80211_connect_resp_params {
 	size_t pmk_len;
 	const u8 *pmkid;
 	enum nl80211_timeout_reason timeout_reason;
+	bool authorized;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 00eb686..92bed43 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -2107,6 +2107,9 @@ enum nl80211_commands {
  *	in %NL80211_CMD_CONNECT to indicate that for 802.1X authentication it
  *	wants to use the supported offload of the 4-way handshake.
  * @NL80211_ATTR_PMKR0_NAME: PMK-R0 Name for offloaded FT.
+ * @NL80211_ATTR_PORT_AUTHORIZED: flag attribute used in %NL80211_CMD_CONNECT
+ *	notification indicating that PTK/GTK handshakes for 802.1X have been
+ *	completed successfully.
  *
  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
  * @NL80211_ATTR_MAX: highest attribute number currently defined
@@ -2532,6 +2535,7 @@ enum nl80211_attrs {
 
 	NL80211_ATTR_WANT_1X_4WAY_HS,
 	NL80211_ATTR_PMKR0_NAME,
+	NL80211_ATTR_PORT_AUTHORIZED,
 
 	/* add attributes here, update the policy in nl80211.c */
 
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 3810e7e..42e7811 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13730,6 +13730,8 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
 			  cr->timeout_reason))) ||
+	    (cr->authorized &&
+	     nla_put_flag(msg, NL80211_ATTR_PORT_AUTHORIZED)) ||
 	    (cr->req_ie &&
 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
 	    (cr->resp_ie &&
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 532a000..a46eda8 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -861,6 +861,7 @@ void cfg80211_connect_done(struct net_device *dev,
 	ev->cr.bss = params->bss;
 	ev->cr.status = params->status;
 	ev->cr.timeout_reason = params->timeout_reason;
+	ev->cr.authorized = params->authorized;
 
 	spin_lock_irqsave(&wdev->event_lock, flags);
 	list_add_tail(&ev->list, &wdev->event_list);
-- 
1.9.1

[PATCH V2 4/9] nl80211: add authorized flag to ROAM event

[Arend van Spriel]

From: Avraham Stern <avraham.stern@intel.com>

Drivers that initiate roaming while being connected to a network that
uses 802.1X authentication need to inform user space if 802.1X
authentication is further required after roaming.
For example, when using the Fast transition protocol, roaming within
the mobility domain does not require new 802.1X authentication, but
roaming to another mobility domain does.
In addition, some drivers may not support 802.1X authentication
(so it has to be done in user space), while other drivers do.

Add a flag to the roaming notification to indicate if user space is
required to do 802.1X authentication after the roaming or not.
This flag will only be used for networks that use 802.1X
authentication. For networks that do not use 802.1X authentication it
is assumed that no further action is required from user space after
the roaming notification.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[arend.vanspriel@broadcom.com reuse NL80211_ATTR_PORT_AUTHORIZED]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 include/net/cfg80211.h       |  4 ++++
 include/uapi/linux/nl80211.h | 10 +++++++++-
 net/wireless/nl80211.c       |  4 +++-
 net/wireless/sme.c           |  1 +
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 9e2719c..58475d1 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -5440,6 +5440,9 @@ void cfg80211_connect_done(struct net_device *dev,
  * @req_ie_len: association request IEs length
  * @resp_ie: association response IEs (may be %NULL)
  * @resp_ie_len: assoc response IEs length
+ * @authorized: true if the 802.1X authentication was done by the driver or is
+ *	not needed (e.g., when Fast Transition protocol was used), false
+ *	otherwise. Ignored for networks that don't use 802.1X authentication.
  */
 struct cfg80211_roam_info {
 	struct ieee80211_channel *channel;
@@ -5449,6 +5452,7 @@ struct cfg80211_roam_info {
 	size_t req_ie_len;
 	const u8 *resp_ie;
 	size_t resp_ie_len;
+	bool authorized;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 92bed43..1eaa340 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -548,6 +548,12 @@
  *	well to remain backwards compatible.
  * @NL80211_CMD_ROAM: request that the card roam (currently not implemented),
  *	sent as an event when the card/driver roamed by itself.
+ *	When used as an event, and the driver roamed in a network that requires
+ *	802.1X authentication, %NL80211_ATTR_PORT_AUTHORIZED should be set
+ *	if the 802.1X authentication was done by the driver or if roaming was
+ *	done using Fast Transition protocol (in which case 802.1X authentication
+ *	is not needed). If %NL80211_ATTR_PORT_AUTHORIZED is not set, user space
+ *	is responsible for the 802.1X authentication.
  * @NL80211_CMD_DISCONNECT: drop a given connection; also used to notify
  *	userspace that a connection was dropped by the AP or due to other
  *	reasons, for this the %NL80211_ATTR_DISCONNECTED_BY_AP and
@@ -2109,7 +2115,9 @@ enum nl80211_commands {
  * @NL80211_ATTR_PMKR0_NAME: PMK-R0 Name for offloaded FT.
  * @NL80211_ATTR_PORT_AUTHORIZED: flag attribute used in %NL80211_CMD_CONNECT
  *	notification indicating that PTK/GTK handshakes for 802.1X have been
- *	completed successfully.
+ *	completed successfully. Also used in %NL80211_CMD_ROAM to indicate
+ *	that 802.1X authentication was done by the driver or is not needed
+ *	(because roaming used the Fast Transition protocol).
  *
  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
  * @NL80211_ATTR_MAX: highest attribute number currently defined
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 42e7811..eab60d7 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13787,7 +13787,9 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
 		     info->req_ie)) ||
 	    (info->resp_ie &&
 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
-		     info->resp_ie)))
+		     info->resp_ie)) ||
+	    (info->authorized &&
+	     nla_put_flag(msg, NL80211_ATTR_PORT_AUTHORIZED)))
 		goto nla_put_failure;
 
 	genlmsg_end(msg, hdr);
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index a46eda8..9eb9234 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -961,6 +961,7 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info,
 	ev->rm.resp_ie_len = info->resp_ie_len;
 	memcpy((void *)ev->rm.resp_ie, info->resp_ie, info->resp_ie_len);
 	ev->rm.bss = info->bss;
+	ev->rm.authorized = info->authorized;
 
 	spin_lock_irqsave(&wdev->event_lock, flags);
 	list_add_tail(&ev->list, &wdev->event_list);
-- 
1.9.1

[PATCH V2 5/9] nl80211: remove desciption about request from NL80211_CMD_ROAM

[Arend van Spriel]

The description of NL80211_CMD_ROAM indicated possibility for a
request to roam issued by user-space. However, it also states that
as not being implemented right now. This has been so since commit
b23aa676ab9d ("cfg80211: connect/disconnect API") added in 2009.
So it seems safe to assume it will not be added any time soon and
thus remove it.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 include/uapi/linux/nl80211.h | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 1eaa340..47053c8 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -546,14 +546,13 @@
  *	authentication/association or not receiving a response from the AP.
  *	Non-zero %NL80211_ATTR_STATUS_CODE value is indicated in that case as
  *	well to remain backwards compatible.
- * @NL80211_CMD_ROAM: request that the card roam (currently not implemented),
- *	sent as an event when the card/driver roamed by itself.
- *	When used as an event, and the driver roamed in a network that requires
- *	802.1X authentication, %NL80211_ATTR_PORT_AUTHORIZED should be set
- *	if the 802.1X authentication was done by the driver or if roaming was
- *	done using Fast Transition protocol (in which case 802.1X authentication
- *	is not needed). If %NL80211_ATTR_PORT_AUTHORIZED is not set, user space
- *	is responsible for the 802.1X authentication.
+ * @NL80211_CMD_ROAM: notifcation indicating the card/driver roamed by itself.
+ *	When the driver roamed in a network that requires 802.1X authentication,
+ *	%NL80211_ATTR_PORT_AUTHORIZED should be set if the 802.1X authentication
+ *	was done by the driver or if roaming was done using Fast Transition
+ *	protocol (in which case 802.1X authentication is not needed). If
+ *	%NL80211_ATTR_PORT_AUTHORIZED is not set, user space is responsible for
+ *	the 802.1X authentication.
  * @NL80211_CMD_DISCONNECT: drop a given connection; also used to notify
  *	userspace that a connection was dropped by the AP or due to other
  *	reasons, for this the %NL80211_ATTR_DISCONNECTED_BY_AP and
-- 
1.9.1

[PATCH V2 6/9] brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK

[Arend van Spriel]

From: Arend van Spriel <arend@broadcom.com>

The firmware may have supplicant code built-in. This is detected
by the driver and indicated in the wiphy features flags. User-space
can use this flag to determine whether or not to provide the
pre-shared key material in the nl80211 CONNECT command.

Reviewed-by: Gautam (Gautam Kumar) Shukla <gautams@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 75 ++++++++++++++++++++--
 .../broadcom/brcm80211/brcmfmac/cfg80211.h         | 14 +++-
 .../wireless/broadcom/brcm80211/brcmfmac/feature.c |  1 +
 .../wireless/broadcom/brcm80211/brcmfmac/feature.h |  4 +-
 .../wireless/broadcom/brcm80211/brcmfmac/fweh.h    | 30 +++++++++
 .../wireless/broadcom/brcm80211/brcmfmac/fwil.h    |  1 +
 .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 16 +++++
 7 files changed, 134 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index cd1d673..27a89dc 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1344,6 +1344,27 @@ static u16 brcmf_map_fw_linkdown_reason(const struct brcmf_event_msg *e)
 	return reason;
 }
 
+static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len)
+{
+	struct brcmf_wsec_pmk_le pmk;
+	int i, err;
+
+	/* convert to firmware key format */
+	pmk.key_len = cpu_to_le16(pmk_len << 1);
+	pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE);
+	for (i = 0; i < pmk_len; i++)
+		snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]);
+
+	/* store psk in firmware */
+	err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK,
+				     &pmk, sizeof(pmk));
+	if (err < 0)
+		brcmf_err("failed to change PSK in firmware (len=%u)\n",
+			  pmk_len);
+
+	return err;
+}
+
 static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason)
 {
 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(vif->wdev.wiphy);
@@ -1366,6 +1387,10 @@ static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason)
 	clear_bit(BRCMF_VIF_STATUS_CONNECTING, &vif->sme_state);
 	clear_bit(BRCMF_SCAN_STATUS_SUPPRESS, &cfg->scan_status);
 	brcmf_btcoex_set_mode(vif, BRCMF_BTCOEX_ENABLED, 0);
+	if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_NONE) {
+		brcmf_set_pmk(vif->ifp, NULL, 0);
+		vif->profile.use_fwsup = BRCMF_PROFILE_FWSUP_NONE;
+	}
 	brcmf_dbg(TRACE, "Exit\n");
 }
 
@@ -1999,6 +2024,23 @@ static void brcmf_set_join_pref(struct brcmf_if *ifp,
 		goto done;
 	}
 
+	if (sme->crypto.psk) {
+		brcmf_dbg(INFO, "using PSK offload\n");
+
+		/* enable firmware supplicant for this interface */
+		err = brcmf_fil_iovar_int_set(ifp, "sup_wpa", 1);
+		if (err < 0) {
+			brcmf_err("failed to enable fw supplicant\n");
+			goto done;
+		}
+		ifp->vif->profile.use_fwsup = BRCMF_PROFILE_FWSUP_PSK;
+
+		err = brcmf_set_pmk(ifp, sme->crypto.psk,
+				    BRCMF_WSEC_MAX_PSK_LEN);
+		if (err)
+			goto done;
+	}
+
 	/* Join with specific BSSID and cached SSID
 	 * If SSID is zero join based on BSSID only
 	 */
@@ -5228,16 +5270,30 @@ void brcmf_cfg80211_free_netdev(struct net_device *ndev)
 	free_netdev(ndev);
 }
 
-static bool brcmf_is_linkup(const struct brcmf_event_msg *e)
+static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
+			    const struct brcmf_event_msg *e)
 {
 	u32 event = e->event_code;
 	u32 status = e->status;
 
+	if (event == BRCMF_E_PSK_SUP &&
+	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
+		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
-		return true;
+		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
+		if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_PSK)
+			return true;
+
+		set_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
 	}
 
+	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
+	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
+		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
+		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+		return true;
+	}
 	return false;
 }
 
@@ -5272,6 +5328,13 @@ static bool brcmf_is_nonetwork(struct brcmf_cfg80211_info *cfg,
 		return true;
 	}
 
+	if (event == BRCMF_E_PSK_SUP &&
+	    status != BRCMF_E_STATUS_FWSUP_COMPLETED) {
+		brcmf_dbg(CONN, "Processing failed supplicant state: %u\n",
+			  status);
+		return true;
+	}
+
 	return false;
 }
 
@@ -5429,7 +5492,6 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 			       &ifp->vif->sme_state)) {
 		if (completed) {
 			brcmf_get_assoc_ies(cfg, ifp);
-			memcpy(profile->bssid, e->addr, ETH_ALEN);
 			brcmf_update_bss_info(cfg, ifp);
 			set_bit(BRCMF_VIF_STATUS_CONNECTED,
 				&ifp->vif->sme_state);
@@ -5508,7 +5570,7 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 
 	if (brcmf_is_apmode(ifp->vif)) {
 		err = brcmf_notify_connect_status_ap(cfg, ndev, e, data);
-	} else if (brcmf_is_linkup(e)) {
+	} else if (brcmf_is_linkup(ifp->vif, e)) {
 		brcmf_dbg(CONN, "Linkup\n");
 		if (brcmf_is_ibssmode(ifp->vif)) {
 			brcmf_inform_ibss(cfg, ndev, e->addr);
@@ -5676,6 +5738,8 @@ static void brcmf_register_event_handlers(struct brcmf_cfg80211_info *cfg)
 			    brcmf_p2p_notify_action_tx_complete);
 	brcmf_fweh_register(cfg->pub, BRCMF_E_ACTION_FRAME_OFF_CHAN_COMPLETE,
 			    brcmf_p2p_notify_action_tx_complete);
+	brcmf_fweh_register(cfg->pub, BRCMF_E_PSK_SUP,
+			    brcmf_notify_connect_status);
 }
 
 static void brcmf_deinit_priv_mem(struct brcmf_cfg80211_info *cfg)
@@ -6481,6 +6545,9 @@ static int brcmf_setup_wiphy(struct wiphy *wiphy, struct brcmf_if *ifp)
 		wiphy->flags |= WIPHY_FLAG_SUPPORTS_TDLS;
 	if (!ifp->drvr->settings->roamoff)
 		wiphy->flags |= WIPHY_FLAG_SUPPORTS_FW_ROAM;
+	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_FWSUP))
+		wiphy_ext_feature_set(wiphy,
+				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK);
 	wiphy->mgmt_stypes = brcmf_txrx_stypes;
 	wiphy->max_remain_on_channel_duration = 5000;
 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_PNO))
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 8f19d95..779e9b5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -113,6 +113,11 @@ struct brcmf_cfg80211_security {
 	u32 cipher_group;
 };
 
+enum brcmf_profile_fwsup {
+	BRCMF_PROFILE_FWSUP_NONE,
+	BRCMF_PROFILE_FWSUP_PSK
+};
+
 /**
  * struct brcmf_cfg80211_profile - profile information.
  *
@@ -124,6 +129,7 @@ struct brcmf_cfg80211_profile {
 	u8 bssid[ETH_ALEN];
 	struct brcmf_cfg80211_security sec;
 	struct brcmf_wsec_key key[BRCMF_MAX_DEFAULT_KEYS];
+	enum brcmf_profile_fwsup use_fwsup;
 };
 
 /**
@@ -131,16 +137,20 @@ struct brcmf_cfg80211_profile {
  *
  * @BRCMF_VIF_STATUS_READY: ready for operation.
  * @BRCMF_VIF_STATUS_CONNECTING: connect/join in progress.
- * @BRCMF_VIF_STATUS_CONNECTED: connected/joined succesfully.
+ * @BRCMF_VIF_STATUS_CONNECTED: connected/joined successfully.
  * @BRCMF_VIF_STATUS_DISCONNECTING: disconnect/disable in progress.
  * @BRCMF_VIF_STATUS_AP_CREATED: AP operation started.
+ * @BRCMF_VIF_STATUS_EAP_SUCCUSS: EAPOL handshake successful.
+ * @BRCMF_VIF_STATUS_ASSOC_SUCCESS: successful SET_SSID received.
  */
 enum brcmf_vif_status {
 	BRCMF_VIF_STATUS_READY,
 	BRCMF_VIF_STATUS_CONNECTING,
 	BRCMF_VIF_STATUS_CONNECTED,
 	BRCMF_VIF_STATUS_DISCONNECTING,
-	BRCMF_VIF_STATUS_AP_CREATED
+	BRCMF_VIF_STATUS_AP_CREATED,
+	BRCMF_VIF_STATUS_EAP_SUCCESS,
+	BRCMF_VIF_STATUS_ASSOC_SUCCESS,
 };
 
 /**
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
index 62985f2..05bd939 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
@@ -175,6 +175,7 @@ void brcmf_feat_attach(struct brcmf_pub *drvr)
 			  drvr->settings->feature_disable);
 		ifp->drvr->feat_flags &= ~drvr->settings->feature_disable;
 	}
+	brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
 
 	/* set chip related quirks */
 	switch (drvr->bus_if->chip) {
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
index db4733a..a0a846b 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
@@ -31,6 +31,7 @@
  * WOWL_GTK: (WOWL) GTK rekeying offload
  * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
  * MFP: 802.11w Management Frame Protection.
+ * FWSUP: Firmware supplicant.
  */
 #define BRCMF_FEAT_LIST \
 	BRCMF_FEAT_DEF(MBSS) \
@@ -44,7 +45,8 @@
 	BRCMF_FEAT_DEF(WOWL_ND) \
 	BRCMF_FEAT_DEF(WOWL_GTK) \
 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
-	BRCMF_FEAT_DEF(MFP)
+	BRCMF_FEAT_DEF(MFP) \
+	BRCMF_FEAT_DEF(FWSUP)
 
 /*
  * Quirks:
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
index 5fba4b4..816f80e 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
@@ -142,6 +142,16 @@ enum brcmf_fweh_event_code {
 #define BRCMF_E_STATUS_CS_ABORT			15
 #define BRCMF_E_STATUS_ERROR			16
 
+/* status field values for PSK_SUP event */
+#define BRCMF_E_STATUS_FWSUP_WAIT_M1		4
+#define BRCMF_E_STATUS_FWSUP_PREP_M2		5
+#define BRCMF_E_STATUS_FWSUP_COMPLETED		6
+#define BRCMF_E_STATUS_FWSUP_TIMEOUT		7
+#define BRCMF_E_STATUS_FWSUP_WAIT_M3		8
+#define BRCMF_E_STATUS_FWSUP_PREP_M4		9
+#define BRCMF_E_STATUS_FWSUP_WAIT_G1		10
+#define BRCMF_E_STATUS_FWSUP_PREP_G2		11
+
 /* reason field values in struct brcmf_event_msg */
 #define BRCMF_E_REASON_INITIAL_ASSOC		0
 #define BRCMF_E_REASON_LOW_RSSI			1
@@ -161,6 +171,26 @@ enum brcmf_fweh_event_code {
 #define BRCMF_E_REASON_TDLS_PEER_CONNECTED	1
 #define BRCMF_E_REASON_TDLS_PEER_DISCONNECTED	2
 
+/* reason field values for PSK_SUP event */
+#define BRCMF_E_REASON_FWSUP_OTHER		0
+#define BRCMF_E_REASON_FWSUP_DECRYPT_KEY_DATA	1
+#define BRCMF_E_REASON_FWSUP_BAD_UCAST_WEP128	2
+#define BRCMF_E_REASON_FWSUP_BAD_UCAST_WEP40	3
+#define BRCMF_E_REASON_FWSUP_UNSUP_KEY_LEN	4
+#define BRCMF_E_REASON_FWSUP_PW_KEY_CIPHER	5
+#define BRCMF_E_REASON_FWSUP_MSG3_TOO_MANY_IE	6
+#define BRCMF_E_REASON_FWSUP_MSG3_IE_MISMATCH	7
+#define BRCMF_E_REASON_FWSUP_NO_INSTALL_FLAG	8
+#define BRCMF_E_REASON_FWSUP_MSG3_NO_GTK	9
+#define BRCMF_E_REASON_FWSUP_GRP_KEY_CIPHER	10
+#define BRCMF_E_REASON_FWSUP_GRP_MSG1_NO_GTK	11
+#define BRCMF_E_REASON_FWSUP_GTK_DECRYPT_FAIL	12
+#define BRCMF_E_REASON_FWSUP_SEND_FAIL		13
+#define BRCMF_E_REASON_FWSUP_DEAUTH		14
+#define BRCMF_E_REASON_FWSUP_WPA_PSK_TMO	15
+#define BRCMF_E_REASON_FWSUP_WPA_PSK_M1_TMO	16
+#define BRCMF_E_REASON_FWSUP_WPA_PSK_M3_TMO	17
+
 /* action field values for brcmf_ifevent */
 #define BRCMF_E_IF_ADD				1
 #define BRCMF_E_IF_DEL				2
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
index 3a9a76d..63b1287 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
@@ -85,6 +85,7 @@
 #define BRCMF_C_SET_SCAN_PASSIVE_TIME		258
 #define BRCMF_C_GET_VAR				262
 #define BRCMF_C_SET_VAR				263
+#define BRCMF_C_SET_WSEC_PMK			268
 
 s32 brcmf_fil_cmd_data_set(struct brcmf_if *ifp, u32 cmd, void *data, u32 len);
 s32 brcmf_fil_cmd_data_get(struct brcmf_if *ifp, u32 cmd, void *data, u32 len);
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
index 9a1eb5a..8b89507 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
@@ -45,6 +45,9 @@
 #define BRCMF_SCAN_PARAMS_COUNT_MASK	0x0000ffff
 #define BRCMF_SCAN_PARAMS_NSSID_SHIFT	16
 
+#define BRCMF_WSEC_MAX_PSK_LEN		32
+#define	BRCMF_WSEC_PASSPHRASE		BIT(0)
+
 /* primary (ie tx) key */
 #define BRCMF_PRIMARY_KEY		(1 << 1)
 #define DOT11_BSSTYPE_ANY		2
@@ -470,6 +473,19 @@ struct brcmf_wsec_key_le {
 	u8 ea[ETH_ALEN];	/* per station */
 };
 
+/**
+ * struct brcmf_wsec_pmk_le - firmware pmk material.
+ *
+ * @key_len: number of octets in key material.
+ * @flags: key handling qualifiers.
+ * @key: PMK key material.
+ */
+struct brcmf_wsec_pmk_le {
+	__le16  key_len;
+	__le16  flags;
+	u8 key[2 * BRCMF_WSEC_MAX_PSK_LEN + 1];
+};
+
 /* Used to get specific STA parameters */
 struct brcmf_scb_val_le {
 	__le32 val;
-- 
1.9.1

[PATCH V2 7/9] brcmfmac: support 4-way handshake offloading for 802.1X

[Arend van Spriel]

Adding callbacks for PMK provisioning. If firmware supports offloading
it is indicated to user-space that 802.1X offload is supported.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 61 ++++++++++++++++++++--
 .../broadcom/brcm80211/brcmfmac/cfg80211.h         |  3 +-
 2 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 27a89dc..cc5b8ba 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1704,6 +1704,7 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 {
 	struct brcmf_if *ifp = netdev_priv(ndev);
+	struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
 	s32 val;
 	s32 err;
 	const struct brcmf_tlv *rsn_ie;
@@ -1714,6 +1715,8 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 	u32 mfp;
 	u16 count;
 
+	profile->use_fwsup = BRCMF_PROFILE_FWSUP_NONE;
+
 	if (!sme->crypto.n_akm_suites)
 		return 0;
 
@@ -1726,6 +1729,8 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 		switch (sme->crypto.akm_suites[0]) {
 		case WLAN_AKM_SUITE_8021X:
 			val = WPA_AUTH_UNSPECIFIED;
+			if (sme->want_1x)
+				profile->use_fwsup = BRCMF_PROFILE_FWSUP_1X;
 			break;
 		case WLAN_AKM_SUITE_PSK:
 			val = WPA_AUTH_PSK;
@@ -1739,9 +1744,13 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 		switch (sme->crypto.akm_suites[0]) {
 		case WLAN_AKM_SUITE_8021X:
 			val = WPA2_AUTH_UNSPECIFIED;
+			if (sme->want_1x)
+				profile->use_fwsup = BRCMF_PROFILE_FWSUP_1X;
 			break;
 		case WLAN_AKM_SUITE_8021X_SHA256:
 			val = WPA2_AUTH_1X_SHA256;
+			if (sme->want_1x)
+				profile->use_fwsup = BRCMF_PROFILE_FWSUP_1X;
 			break;
 		case WLAN_AKM_SUITE_PSK_SHA256:
 			val = WPA2_AUTH_PSK_SHA256;
@@ -1756,6 +1765,9 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 		}
 	}
 
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X)
+		brcmf_dbg(INFO, "using 1X offload\n");
+
 	if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP))
 		goto skip_mfp_config;
 	/* The MFP mode (1 or 2) needs to be determined, parse IEs. The
@@ -1928,6 +1940,7 @@ static void brcmf_set_join_pref(struct brcmf_if *ifp,
 {
 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
 	struct brcmf_if *ifp = netdev_priv(ndev);
+	struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
 	struct ieee80211_channel *chan = sme->channel;
 	struct brcmf_join_params join_params;
 	size_t join_params_size;
@@ -2025,16 +2038,24 @@ static void brcmf_set_join_pref(struct brcmf_if *ifp,
 	}
 
 	if (sme->crypto.psk) {
+		if (WARN_ON(profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {
+			err = -EINVAL;
+			goto done;
+		}
 		brcmf_dbg(INFO, "using PSK offload\n");
+		profile->use_fwsup = BRCMF_PROFILE_FWSUP_PSK;
+	}
 
+	if (profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE) {
 		/* enable firmware supplicant for this interface */
 		err = brcmf_fil_iovar_int_set(ifp, "sup_wpa", 1);
 		if (err < 0) {
 			brcmf_err("failed to enable fw supplicant\n");
 			goto done;
 		}
-		ifp->vif->profile.use_fwsup = BRCMF_PROFILE_FWSUP_PSK;
+	}
 
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK) {
 		err = brcmf_set_pmk(ifp, sme->crypto.psk,
 				    BRCMF_WSEC_MAX_PSK_LEN);
 		if (err)
@@ -5173,6 +5194,34 @@ static int brcmf_cfg80211_tdls_oper(struct wiphy *wiphy,
 }
 #endif
 
+static int brcmf_cfg80211_set_pmk(struct wiphy *wiphy, struct net_device *dev,
+				  const struct cfg80211_pmk_conf *conf)
+{
+	struct brcmf_if *ifp;
+
+	brcmf_dbg(TRACE, "enter\n");
+
+	/* expect using firmware supplicant for 1X */
+	ifp = netdev_priv(dev);
+	if (WARN_ON(ifp->vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_1X))
+		return -EINVAL;
+
+	return brcmf_set_pmk(ifp, conf->pmk, conf->pmk_len);
+}
+
+static int brcmf_cfg80211_del_pmk(struct wiphy *wiphy, struct net_device *dev,
+				  const u8 *aa)
+{
+	struct brcmf_if *ifp;
+
+	brcmf_dbg(TRACE, "enter\n");
+	ifp = netdev_priv(dev);
+	if (WARN_ON(ifp->vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_1X))
+		return -EINVAL;
+
+	return brcmf_set_pmk(ifp, NULL, 0);
+}
+
 static struct cfg80211_ops brcmf_cfg80211_ops = {
 	.add_virtual_intf = brcmf_cfg80211_add_iface,
 	.del_virtual_intf = brcmf_cfg80211_del_iface,
@@ -5216,6 +5265,8 @@ static int brcmf_cfg80211_tdls_oper(struct wiphy *wiphy,
 	.crit_proto_stop = brcmf_cfg80211_crit_proto_stop,
 	.tdls_oper = brcmf_cfg80211_tdls_oper,
 	.update_connect_params = brcmf_cfg80211_update_conn_params,
+	.set_pmk = brcmf_cfg80211_set_pmk,
+	.del_pmk = brcmf_cfg80211_del_pmk,
 };
 
 struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
@@ -5276,7 +5327,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	u32 event = e->event_code;
 	u32 status = e->status;
 
-	if (event == BRCMF_E_PSK_SUP &&
+	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
+	    event == BRCMF_E_PSK_SUP &&
 	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
 		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
@@ -6545,9 +6597,12 @@ static int brcmf_setup_wiphy(struct wiphy *wiphy, struct brcmf_if *ifp)
 		wiphy->flags |= WIPHY_FLAG_SUPPORTS_TDLS;
 	if (!ifp->drvr->settings->roamoff)
 		wiphy->flags |= WIPHY_FLAG_SUPPORTS_FW_ROAM;
-	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_FWSUP))
+	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_FWSUP)) {
 		wiphy_ext_feature_set(wiphy,
 				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK);
+		wiphy_ext_feature_set(wiphy,
+				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X);
+	}
 	wiphy->mgmt_stypes = brcmf_txrx_stypes;
 	wiphy->max_remain_on_channel_duration = 5000;
 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_PNO))
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 779e9b5..c6b6fbb 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -115,7 +115,8 @@ struct brcmf_cfg80211_security {
 
 enum brcmf_profile_fwsup {
 	BRCMF_PROFILE_FWSUP_NONE,
-	BRCMF_PROFILE_FWSUP_PSK
+	BRCMF_PROFILE_FWSUP_PSK,
+	BRCMF_PROFILE_FWSUP_1X
 };
 
 /**
-- 
1.9.1

[PATCH V2 8/9] brcmfmac: switch to using cfg80211_connect_done()

[Arend van Spriel]

The driver used cfg80211_connect_result() which is basically a wrapper
around cfg80211_connect_done() passing a subset of the information that
can be passed. For upcoming functionality this is not sufficient so
switching to use cfg80211_connect_done().

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c  | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index cc5b8ba..9d345c7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5537,26 +5537,28 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 	struct brcmf_if *ifp = netdev_priv(ndev);
 	struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
 	struct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);
+	struct cfg80211_connect_resp_params conn_params;
 
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (test_and_clear_bit(BRCMF_VIF_STATUS_CONNECTING,
 			       &ifp->vif->sme_state)) {
+		memset(&conn_params, 0, sizeof(conn_params));
 		if (completed) {
 			brcmf_get_assoc_ies(cfg, ifp);
 			brcmf_update_bss_info(cfg, ifp);
 			set_bit(BRCMF_VIF_STATUS_CONNECTED,
 				&ifp->vif->sme_state);
+			conn_params.status = WLAN_STATUS_SUCCESS;
+		} else {
+			conn_params.status = WLAN_STATUS_AUTH_TIMEOUT;
 		}
-		cfg80211_connect_result(ndev,
-					(u8 *)profile->bssid,
-					conn_info->req_ie,
-					conn_info->req_ie_len,
-					conn_info->resp_ie,
-					conn_info->resp_ie_len,
-					completed ? WLAN_STATUS_SUCCESS :
-						    WLAN_STATUS_AUTH_TIMEOUT,
-					GFP_KERNEL);
+		conn_params.bssid = profile->bssid;
+		conn_params.req_ie = conn_info->req_ie;
+		conn_params.req_ie_len = conn_info->req_ie_len;
+		conn_params.resp_ie = conn_info->resp_ie;
+		conn_params.resp_ie_len = conn_info->resp_ie_len;
+		cfg80211_connect_done(ndev, &conn_params, GFP_KERNEL);
 		brcmf_dbg(CONN, "Report connect result - connection %s\n",
 			  completed ? "succeeded" : "failed");
 	}
-- 
1.9.1

[PATCH V2 9/9] brcmfmac: provide port authorized state in CONNECT event

[Arend van Spriel]

Fill struct cfg80211_connection_params::authorized field according
the supplicant state received from the device.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 27 +++++++++++++---------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 9d345c7..0e45993 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5327,10 +5327,12 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	u32 event = e->event_code;
 	u32 status = e->status;
 
-	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
-	    event == BRCMF_E_PSK_SUP &&
-	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
+	if (event == BRCMF_E_PSK_SUP &&
+	    status == BRCMF_E_STATUS_FWSUP_COMPLETED) {
 		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
+		if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_1X)
+			return true;
+	}
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
 		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
@@ -5341,11 +5343,9 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	}
 
 	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
-	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
-		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
-		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+	    test_and_clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state))
 		return true;
-	}
+
 	return false;
 }
 
@@ -5542,22 +5542,27 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (test_and_clear_bit(BRCMF_VIF_STATUS_CONNECTING,
-			       &ifp->vif->sme_state)) {
+			       &ifp->vif->sme_state) ||
+	    e->event_code == BRCMF_E_PSK_SUP) {
 		memset(&conn_params, 0, sizeof(conn_params));
-		if (completed) {
+		if (e->event_code != BRCMF_E_PSK_SUP && completed) {
 			brcmf_get_assoc_ies(cfg, ifp);
 			brcmf_update_bss_info(cfg, ifp);
 			set_bit(BRCMF_VIF_STATUS_CONNECTED,
 				&ifp->vif->sme_state);
+		}
+		if (completed)
 			conn_params.status = WLAN_STATUS_SUCCESS;
-		} else {
+		else
 			conn_params.status = WLAN_STATUS_AUTH_TIMEOUT;
-		}
 		conn_params.bssid = profile->bssid;
 		conn_params.req_ie = conn_info->req_ie;
 		conn_params.req_ie_len = conn_info->req_ie_len;
 		conn_params.resp_ie = conn_info->resp_ie;
 		conn_params.resp_ie_len = conn_info->resp_ie_len;
+		conn_params.authorized =
+			test_and_clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS,
+					   &ifp->vif->sme_state);
 		cfg80211_connect_done(ndev, &conn_params, GFP_KERNEL);
 		brcmf_dbg(CONN, "Report connect result - connection %s\n",
 			  completed ? "succeeded" : "failed");
-- 
1.9.1

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

Hi,

I think this looks really good. One thing though:

> Another change is the
> addition of the flag ATTR_WANT_1X_4WAY_HS that user-space has to pass
> in CONNECT request. Some drivers may need to be aware before the PMK
> is programmed through SET_PMK request.

I wonder how we really should do this, and if this is good enough.

There might be drivers that simply don't support the non-offloaded
case, so they assume you always have the newer wpa_s. That would seem
to be a legitimate decision, since the compatibility with that might
not make much sense for a completely new driver, and it might be a lot
of work to support TK operations.

We should therefore probably set the expectation that wpa_s - if it's
new enough - always uses the offloaded functionality and always sets
the WANT_1X. Then this is even better with such drivers, since they can
immediately reject the connect() command if want_1x isn't set.

Thoughts?

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend Van Spriel]

+ hostap list

On 17-5-2017 16:19, Johannes Berg wrote:
> Hi,
> 
> I think this looks really good. One thing though:
> 
>> Another change is the
>> addition of the flag ATTR_WANT_1X_4WAY_HS that user-space has to pass
>> in CONNECT request. Some drivers may need to be aware before the PMK
>> is programmed through SET_PMK request.
> 
> I wonder how we really should do this, and if this is good enough.
> 
> There might be drivers that simply don't support the non-offloaded
> case, so they assume you always have the newer wpa_s. That would seem
> to be a legitimate decision, since the compatibility with that might
> not make much sense for a completely new driver, and it might be a lot
> of work to support TK operations.
> 
> We should therefore probably set the expectation that wpa_s - if it's
> new enough - always uses the offloaded functionality and always sets
> the WANT_1X. Then this is even better with such drivers, since they can
> immediately reject the connect() command if want_1x isn't set.
> 
> Thoughts?

Personally I am fine with this and it is how I tested it. So no network
configuration or driver parameter in wpa_s.conf (mainly because I am
lazy ;-) ). However, if the driver supports both offload and non-offload
why not leave it up to user-space. Might be useful if people can try
either way for example when debugging connection issues.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Thu, 2017-05-18 at 10:18 +0200, Arend Van Spriel wrote:
> 
> > We should therefore probably set the expectation that wpa_s - if
> > it's new enough - always uses the offloaded functionality and
> > always sets the WANT_1X. Then this is even better with such
> > drivers, since they can immediately reject the connect() command if
> > want_1x isn't set.

> Personally I am fine with this and it is how I tested it. So no
> network configuration or driver parameter in wpa_s.conf (mainly
> because I am lazy ;-) ). However, if the driver supports both offload
> and non-offload why not leave it up to user-space. Might be useful if
> people can try either way for example when debugging connection
> issues.

If that should be possible though, then we'd probably want to have
feature bit both ways, otherwise we'll probably get hard-to-debug
failures at some point with this?

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend Van Spriel]

On 18-5-2017 11:22, Johannes Berg wrote:
> On Thu, 2017-05-18 at 10:18 +0200, Arend Van Spriel wrote:
>>
>>> We should therefore probably set the expectation that wpa_s - if
>>> it's new enough - always uses the offloaded functionality and
>>> always sets the WANT_1X. Then this is even better with such
>>> drivers, since they can immediately reject the connect() command if
>>> want_1x isn't set.

Getting back at this. With "always" you mean for every connect()
regardless whether it is using 1X or PSK?

>> Personally I am fine with this and it is how I tested it. So no
>> network configuration or driver parameter in wpa_s.conf (mainly
>> because I am lazy ;-) ). However, if the driver supports both offload
>> and non-offload why not leave it up to user-space. Might be useful if
>> people can try either way for example when debugging connection
>> issues.
> 
> If that should be possible though, then we'd probably want to have
> feature bit both ways, otherwise we'll probably get hard-to-debug
> failures at some point with this?

You mean adding a nl80211 command in which user-space can indicate what
features it supports? Do you want to use the same feature bits on both
sides to easily determine the combined feature set? ext_feature does not
really have much overlapping so not sure if it adds value.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Thu, 2017-05-18 at 12:29 +0200, Arend Van Spriel wrote:
> On 18-5-2017 11:22, Johannes Berg wrote:
> > On Thu, 2017-05-18 at 10:18 +0200, Arend Van Spriel wrote:
> > > 
> > > > We should therefore probably set the expectation that wpa_s -
> > > > if
> > > > it's new enough - always uses the offloaded functionality and
> > > > always sets the WANT_1X. Then this is even better with such
> > > > drivers, since they can immediately reject the connect()
> > > > command if
> > > > want_1x isn't set.
> 
> Getting back at this. With "always" you mean for every connect()
> regardless whether it is using 1X or PSK?

No, I just meant it would never use the non-offloaded functionality for
1X, as long as wpa_s was new enough to support it.

The same consideration kinda applies to (non-)offloaded 4-way-HS for
PSK though I guess, with some drivers (devices) not able to not offload
it.

> You mean adding a nl80211 command in which user-space can indicate
> what features it supports? Do you want to use the same feature bits
> on both sides to easily determine the combined feature set?
> ext_feature does not really have much overlapping so not sure if it
> adds value.

No, I meant that we have NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X
today, but then we might need also
NL80211_EXT_FEATURE_HOST_4WAY_HANDSHAKE_STA_1X.

Come to think of it though, I guess the fact that the NEW_KEY command
isn't support would already indicate that.

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend Van Spriel]

On 18-5-2017 12:40, Johannes Berg wrote:
> On Thu, 2017-05-18 at 12:29 +0200, Arend Van Spriel wrote:
>> On 18-5-2017 11:22, Johannes Berg wrote:
>>> On Thu, 2017-05-18 at 10:18 +0200, Arend Van Spriel wrote:
>>>>
>>>>> We should therefore probably set the expectation that wpa_s -
>>>>> if
>>>>> it's new enough - always uses the offloaded functionality and
>>>>> always sets the WANT_1X. Then this is even better with such
>>>>> drivers, since they can immediately reject the connect()
>>>>> command if
>>>>> want_1x isn't set.
>>
>> Getting back at this. With "always" you mean for every connect()
>> regardless whether it is using 1X or PSK?
> 
> No, I just meant it would never use the non-offloaded functionality for
> 1X, as long as wpa_s was new enough to support it.
> 
> The same consideration kinda applies to (non-)offloaded 4-way-HS for
> PSK though I guess, with some drivers (devices) not able to not offload
> it.

Thanks for clarifying that. And indeed it applies to both cases.

>> You mean adding a nl80211 command in which user-space can indicate
>> what features it supports? Do you want to use the same feature bits
>> on both sides to easily determine the combined feature set?
>> ext_feature does not really have much overlapping so not sure if it
>> adds value.
> 
> No, I meant that we have NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X
> today, but then we might need also
> NL80211_EXT_FEATURE_HOST_4WAY_HANDSHAKE_STA_1X.
> 
> Come to think of it though, I guess the fact that the NEW_KEY command
> isn't support would already indicate that.

True. However, we touched this topic a while ago in generic context, ie.
preference for ext_features over supported_commands. Right now
wpa_supplicant does not check NEW_KEY support so we can go either way.

I have cleaned up the wpa_supplicant patches for the offloads, but
waited with submitting them until the kernel side got applied. So
depending on what is decided here I can rework it.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Thu, 2017-05-18 at 14:48 +0200, Arend Van Spriel wrote:

> True. However, we touched this topic a while ago in generic context,
> ie. preference for ext_features over supported_commands. Right now
> wpa_supplicant does not check NEW_KEY support so we can go either
> way.

Right. That's a separate discussion though - whether we add two flags
here or check NEW_KEY support doesn't really matter, except that we
need to decide

 * if we want to support such an override at all, and
 * if it should be tested at all
   (perhaps we can just live with that failing entirely?)

> I have cleaned up the wpa_supplicant patches for the offloads, but
> waited with submitting them until the kernel side got applied. So
> depending on what is decided here I can rework it.

I don't really know. I personally don't think that we need to allow
both ways, but then I'm coming with a driver that doesn't even support
the old way.

So you should probably decide yourself if you want to keep this
fallback option, and how well it should work (be rejected if used on a
driver that doesn't support it, or just fail later?)

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 5/19/2017 12:21 PM, Johannes Berg wrote:
> On Thu, 2017-05-18 at 14:48 +0200, Arend Van Spriel wrote:
> 
>> True. However, we touched this topic a while ago in generic context,
>> ie. preference for ext_features over supported_commands. Right now
>> wpa_supplicant does not check NEW_KEY support so we can go either
>> way.
> 
> Right. That's a separate discussion though - whether we add two flags
> here or check NEW_KEY support doesn't really matter, except that we
> need to decide
> 
>   * if we want to support such an override at all, and
>   * if it should be tested at all
>     (perhaps we can just live with that failing entirely?)
> 
>> I have cleaned up the wpa_supplicant patches for the offloads, but
>> waited with submitting them until the kernel side got applied. So
>> depending on what is decided here I can rework it.
> 
> I don't really know. I personally don't think that we need to allow
> both ways, but then I'm coming with a driver that doesn't even support
> the old way.

Ok. I know for sure that I have firmware in linux-firmware that supports 
the offload. So for people using that out there things will change from 
one way to the other when they change to a newer wpa_supplicant.

> So you should probably decide yourself if you want to keep this
> fallback option, and how well it should work (be rejected if used on a
> driver that doesn't support it, or just fail later?)

There is a (small) chance of regression with older devices as stated 
above and I would like to keep the fallback option for that. Also people 
may like to have a choice. I am not so sure about whether NEW_KEY 
support is enough or a new ext_feature flag is needed. I am inclined to 
say the NEW_KEY support is sufficient.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Mon, 2017-05-22 at 12:14 +0200, Arend van Spriel wrote:
> 
> There is a (small) chance of regression with older devices as stated 
> above and I would like to keep the fallback option for that. Also
> people  may like to have a choice. I am not so sure about whether
> NEW_KEY support is enough or a new ext_feature flag is needed. I am
> inclined to say the NEW_KEY support is sufficient.

Ok, your call.

Note that this (checking NEW_KEY) only works when you don't have any
split between AP/client cases. Not sure what's the case for you.

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 5/22/2017 12:28 PM, Johannes Berg wrote:
> On Mon, 2017-05-22 at 12:14 +0200, Arend van Spriel wrote:
>>
>> There is a (small) chance of regression with older devices as stated
>> above and I would like to keep the fallback option for that. Also
>> people  may like to have a choice. I am not so sure about whether
>> NEW_KEY support is enough or a new ext_feature flag is needed. I am
>> inclined to say the NEW_KEY support is sufficient.
> 
> Ok, your call.
> 
> Note that this (checking NEW_KEY) only works when you don't have any
> split between AP/client cases. Not sure what's the case for you.

Late response so hopefully you recall, but what do you mean by "any 
split between AP/client cases"?

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

Hi Arend,

> > Note that this (checking NEW_KEY) only works when you don't have
> > any split between AP/client cases. Not sure what's the case for
> > you.
> 
> Late response so hopefully you recall, but what do you mean by "any 
> split between AP/client cases"?

I meant the capability split - let's say you support 4-way-HS only for
client, but not for AP. Then you have to support the NEW_KEY command
for the AP case, even if you might not support non-offloaded 4-way-HS
for the client case.

So if something supports the following:

 * client: offloaded 4-way-HS only
 * AP: not offloaded 4-way-HS only

Then you have to support NEW_KEY (AP case) and then using NEW_KEY to
detect whether or not a wpa_s configuration option to not use offloaded
4-way-HS can be used will not work correctly.

I don't really see that this is a sensible configuration, but I could
imagine it existing if somebody "bolted on" AP functionality for a
client-side chipset or something like that.

Again, I think I'm happy to leave this up to you - this kind of
configuration option should really only be used for debugging anyway,
so just getting errors later is probably fine.

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 5/29/2017 11:31 AM, Johannes Berg wrote:
> Hi Arend,
> 
>>> Note that this (checking NEW_KEY) only works when you don't have
>>> any split between AP/client cases. Not sure what's the case for
>>> you.
>>
>> Late response so hopefully you recall, but what do you mean by "any
>> split between AP/client cases"?
> 
> I meant the capability split - let's say you support 4-way-HS only for
> client, but not for AP. Then you have to support the NEW_KEY command
> for the AP case, even if you might not support non-offloaded 4-way-HS
> for the client case.
> 
> So if something supports the following:
> 
>   * client: offloaded 4-way-HS only
>   * AP: not offloaded 4-way-HS only
> 
> Then you have to support NEW_KEY (AP case) and then using NEW_KEY to
> detect whether or not a wpa_s configuration option to not use offloaded
> 4-way-HS can be used will not work correctly.
> 
> I don't really see that this is a sensible configuration, but I could
> imagine it existing if somebody "bolted on" AP functionality for a
> client-side chipset or something like that.
> 
> Again, I think I'm happy to leave this up to you - this kind of
> configuration option should really only be used for debugging anyway,
> so just getting errors later is probably fine.

Hi Johannes,

I was thinking about adding a DOC section in nl80211.h:

/**
  * DOC: WPA/WPA2 temporal key exchange offload
  *
  * By setting @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK flag drivers
  * can indicate offload support of EAPOL handshakes for WPA/WPA2
  * preshared key authentication. In %NL80211_CMD_CONNECT the preshared
  * key should be specified using %NL80211_ATTR_PMK. Drivers supporting
  * this offload may reject the %NL80211_CMD_CONNECT when no preshared
  * key material is provided. For example when that driver does not
  * support setting the temporal keys through %NL80211_CMD_NEW_KEY.
  *
  * Similarly @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X flag can be
  * set by drivers indicating offload support of the PTK/GTK EAPOL
  * handshakes during 802.1X authentication. In order to use the offload
  * the %NL80211_CMD_CONNECT should have %NL80211_ATTR_WANT_1X_4WAY_HS
  * attribute flag. Drivers supporting this offload may reject the
  * %NL80211_CMD_CONNECT when the attribute flag is not present.
  */

Could add description for FT, ie. PMK-R0 handling as well. Do you think 
this change warrants a separate section or not. Any comments on the text 
itself are welcome.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Fri, 2017-06-02 at 13:19 +0200, Arend van Spriel wrote:

> I was thinking about adding a DOC section in nl80211.h:

Sure!

> /**
>   * DOC: WPA/WPA2 temporal key exchange offload
>   *
>   * By setting @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK flag
> drivers
>   * can indicate offload support of EAPOL handshakes for WPA/WPA2

can indicate they support offloading EAPOL ...?

>   * preshared key authentication. In %NL80211_CMD_CONNECT the
> preshared
>   * key should be specified using %NL80211_ATTR_PMK. Drivers
> supporting
>   * this offload may reject the %NL80211_CMD_CONNECT when no
> preshared
>   * key material is provided. For example when that driver does not
>   * support setting the temporal keys through %NL80211_CMD_NEW_KEY.

[...] is provided, for example when [...]

I think? Starting with "For example" seems odd to me.

>   *
>   * Similarly @NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X flag can be
>   * set by drivers indicating offload support of the PTK/GTK EAPOL
>   * handshakes during 802.1X authentication. In order to use the
> offload
>   * the %NL80211_CMD_CONNECT should have
> %NL80211_ATTR_WANT_1X_4WAY_HS
>   * attribute flag. Drivers supporting this offload may reject the
>   * %NL80211_CMD_CONNECT when the attribute flag is not present.
>   */
> 
> Could add description for FT, ie. PMK-R0 handling as well. Do you
> think this change warrants a separate section or not. Any comments on
> the text itself are welcome.

I think that's good to have.

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 29-05-17 11:31, Johannes Berg wrote:
> So if something supports the following:
> 
>  * client: offloaded 4-way-HS only
>  * AP: not offloaded 4-way-HS only
> 
> Then you have to support NEW_KEY (AP case) and then using NEW_KEY to
> detect whether or not a wpa_s configuration option to not use offloaded
> 4-way-HS can be used will not work correctly.
> 
> I don't really see that this is a sensible configuration, but I could
> imagine it existing if somebody "bolted on" AP functionality for a
> client-side chipset or something like that.

Hi Johannes,

So I want to get back to this as to assure we have the same
understanding. First off, the proposed offloads are STA-only. So if a
driver supports STA and AP mode and the 4-way-HS offload, we could
already have the case you describe here. So not really a "bolted on"
scenario I would say. It does raise the question whether or not we want
similar offloads for AP.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

Hi Arend,

Sorry about the delay.

> > Then you have to support NEW_KEY (AP case) and then using NEW_KEY
> > to
> > detect whether or not a wpa_s configuration option to not use
> > offloaded
> > 4-way-HS can be used will not work correctly.
> > 
> > I don't really see that this is a sensible configuration, but I
> > could
> > imagine it existing if somebody "bolted on" AP functionality for a
> > client-side chipset or something like that.

> So I want to get back to this as to assure we have the same
> understanding. First off, the proposed offloads are STA-only. 

Right. But we at least also want to have them for AP mode, which
answers your below question.

> So if a
> driver supports STA and AP mode and the 4-way-HS offload, we could
> already have the case you describe here. So not really a "bolted on"
> scenario I would say.

But if you say you don't have it in AP mode, or you didn't even think
about it in AP mode yet, then I think you're right and the "bolted on"
part doesn't really apply (*).

However, this does mean that checking for NEW_KEY support _isn't_
sufficient to understand whether or not the device also supports doing
the 4-way-HS in the host, because the device might _not_ support that
in client mode, yet implement NEW_KEY for AP mode, right?

In any case - I don't think this changes much my opinion. I think that
newer wpa_s should always use the offload where available, and if
there's a debug option to turn that off, and that debug option causes
failures because the driver rejects the NEW_KEY command, rather than
causing an up-front configuration failure because wpa_s knows that the
NEW_KEY wouldn't be supported, then I don't think for a debug option
that makes a big difference. For something that higher layers might
need to set, it would make a difference - but that's not at stake here.

johannes

(*) my line of thinking was that if you have the necessary state
machine for client in the firmware, then it's not a huge step to also
have it for AP, since you have the crypto primitives for it

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 6/9/2017 11:08 AM, Johannes Berg wrote:
> Hi Arend,
> 
> Sorry about the delay.

No problem.

>>> Then you have to support NEW_KEY (AP case) and then using NEW_KEY
>>> to
>>> detect whether or not a wpa_s configuration option to not use
>>> offloaded
>>> 4-way-HS can be used will not work correctly.
>>>
>>> I don't really see that this is a sensible configuration, but I
>>> could
>>> imagine it existing if somebody "bolted on" AP functionality for a
>>> client-side chipset or something like that.
> 
>> So I want to get back to this as to assure we have the same
>> understanding. First off, the proposed offloads are STA-only.
> 
> Right. But we at least also want to have them for AP mode, which
> answers your below question.
> 
>> So if a
>> driver supports STA and AP mode and the 4-way-HS offload, we could
>> already have the case you describe here. So not really a "bolted on"
>> scenario I would say.
> 
> But if you say you don't have it in AP mode, or you didn't even think
> about it in AP mode yet, then I think you're right and the "bolted on"
> part doesn't really apply (*).

yup.

> However, this does mean that checking for NEW_KEY support _isn't_
> sufficient to understand whether or not the device also supports doing
> the 4-way-HS in the host, because the device might _not_ support that
> in client mode, yet implement NEW_KEY for AP mode, right?

Indeed. I did not state it explicitly, but that is also my understanding 
so not going to do that.

> In any case - I don't think this changes much my opinion. I think that
> newer wpa_s should always use the offload where available, and if
> there's a debug option to turn that off, and that debug option causes
> failures because the driver rejects the NEW_KEY command, rather than
> causing an up-front configuration failure because wpa_s knows that the
> NEW_KEY wouldn't be supported, then I don't think for a debug option
> that makes a big difference. For something that higher layers might
> need to set, it would make a difference - but that's not at stake here.

Not trying to change your opinion ;-). Just getting it all clear. As a 
matter of fact I already have my wpa_s use the offload without any 
debug/config option. As brcmfmac can use override to disable firmware 
features I also do not need such in wpa_s.

> (*) my line of thinking was that if you have the necessary state
> machine for client in the firmware, then it's not a huge step to also
> have it for AP, since you have the crypto primitives for it

Agree. However, in our firmware they are two modules that can be 
compiled in, ie. idsup and idauth.

Regards,
Arend

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Johannes Berg]

On Fri, 2017-06-09 at 12:34 +0200, Arend van Spriel wrote:

> Not trying to change your opinion ;-). Just getting it all clear. As
> a matter of fact I already have my wpa_s use the offload without any 
> debug/config option. As brcmfmac can use override to disable
> firmware features I also do not need such in wpa_s.

Sounds good to me :)

So I guess we're aligned on this - do you need to respin as a result of
this discussion, or should I review the patches again?

johannes

Re: [PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

[Arend van Spriel]

On 6/9/2017 12:59 PM, Johannes Berg wrote:
> On Fri, 2017-06-09 at 12:34 +0200, Arend van Spriel wrote:
> 
>> Not trying to change your opinion ;-). Just getting it all clear. As
>> a matter of fact I already have my wpa_s use the offload without any
>> debug/config option. As brcmfmac can use override to disable
>> firmware features I also do not need such in wpa_s.
> 
> Sounds good to me :)
> 
> So I guess we're aligned on this - do you need to respin as a result of
> this discussion, or should I review the patches again?

I will respin. Actually only change will be the extra documentation 
section in which I need to incorporate your feedback.

Regards,
Arend