[PATCH] nl80211: add an option to allow MFP without requiring it

[PATCH] nl80211: add an option to allow MFP without requiring it

[Emmanuel Grumbach]

User space can now allow the kernel to associate to an AP
that requires MFP or that doesn't have MFP enabled in the
same NL80211_CMD_CONNECT command.
The driver / firmware will decide whether to use it or not.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
A short tour of the drivers taught me that only Quantenna really look
at cfg80211_connect_params::sme which can now be 2. This is why
the maintainer of this driver is CCed.
---
 include/uapi/linux/nl80211.h | 10 ++++++++--
 net/wireless/nl80211.c       |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 7950c71c0ad4..ea1cfecbf6f4 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1410,8 +1410,12 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_USE_MFP: Whether management frame protection (IEEE 802.11w) is
  *	used for the association (&enum nl80211_mfp, represented as a u32);
- *	this attribute can be used
- *	with %NL80211_CMD_ASSOCIATE and %NL80211_CMD_CONNECT requests
+ *	this attribute can be used with %NL80211_CMD_ASSOCIATE and
+ *	%NL80211_CMD_CONNECT requests. %NL80211_MFP_OPTIONAL is not allowed for
+ *	%NL80211_CMD_ASSOCIATE since user space SME is expected and hence, it
+ *	must have decided whether to use management frame protection or not.
+ *	Setting %NL80211_MFP_OPTIONAL with a %NL80211_CMD_CONNECT request will
+ *	let the driver (or the firmware) decide whether to use MFP or not.
  *
  * @NL80211_ATTR_STA_FLAGS2: Attribute containing a
  *	&struct nl80211_sta_flag_update.
@@ -4086,10 +4090,12 @@ enum nl80211_key_type {
  * enum nl80211_mfp - Management frame protection state
  * @NL80211_MFP_NO: Management frame protection not used
  * @NL80211_MFP_REQUIRED: Management frame protection required
+ * @NL80211_MFP_OPTIONAL: Management frame is optional
  */
 enum nl80211_mfp {
 	NL80211_MFP_NO,
 	NL80211_MFP_REQUIRED,
+	NL80211_MFP_OPTIONAL,
 };
 
 enum nl80211_wpa_versions {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8f035d9868d1..829867132326 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
 		if (connect.mfp != NL80211_MFP_REQUIRED &&
+		    connect.mfp != NL80211_MFP_OPTIONAL &&
 		    connect.mfp != NL80211_MFP_NO)
 			return -EINVAL;
 	} else {
-- 
2.9.3

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Kalle Valo]

Emmanuel Grumbach <emmanuel.grumbach@intel.com> writes:

> User space can now allow the kernel to associate to an AP
> that requires MFP or that doesn't have MFP enabled in the
> same NL80211_CMD_CONNECT command.
> The driver / firmware will decide whether to use it or not.
>
> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

[...]

> @@ -4086,10 +4090,12 @@ enum nl80211_key_type {
>   * enum nl80211_mfp - Management frame protection state
>   * @NL80211_MFP_NO: Management frame protection not used
>   * @NL80211_MFP_REQUIRED: Management frame protection required
> + * @NL80211_MFP_OPTIONAL: Management frame is optional
>   */
>  enum nl80211_mfp {
>  	NL80211_MFP_NO,
>  	NL80211_MFP_REQUIRED,
> +	NL80211_MFP_OPTIONAL,
>  };
>  
>  enum nl80211_wpa_versions {
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 8f035d9868d1..829867132326 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
>  	if (info->attrs[NL80211_ATTR_USE_MFP]) {
>  		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
>  		if (connect.mfp != NL80211_MFP_REQUIRED &&
> +		    connect.mfp != NL80211_MFP_OPTIONAL &&
>  		    connect.mfp != NL80211_MFP_NO)
>  			return -EINVAL;
>  	} else {

I guess I'm missing something, but how is backwards compatibility
supposed to work from user space point of view? If user space uses
NL80211_MFP_OPTIONAL with an old kernel, the kernel will reject the
command with -EINVAL and user space will try again without
NL80211_MFP_OPTIONAL?

-- 
Kalle Valo

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Grumbach, Emmanuel]

T24gTW9uLCAyMDE3LTA4LTE0IGF0IDIwOjE0ICswMzAwLCBLYWxsZSBWYWxvIHdyb3RlOg0KPiBF
bW1hbnVlbCBHcnVtYmFjaCA8ZW1tYW51ZWwuZ3J1bWJhY2hAaW50ZWwuY29tPiB3cml0ZXM6DQo+
IA0KPiA+IFVzZXIgc3BhY2UgY2FuIG5vdyBhbGxvdyB0aGUga2VybmVsIHRvIGFzc29jaWF0ZSB0
byBhbiBBUA0KPiA+IHRoYXQgcmVxdWlyZXMgTUZQIG9yIHRoYXQgZG9lc24ndCBoYXZlIE1GUCBl
bmFibGVkIGluIHRoZQ0KPiA+IHNhbWUgTkw4MDIxMV9DTURfQ09OTkVDVCBjb21tYW5kLg0KPiA+
IFRoZSBkcml2ZXIgLyBmaXJtd2FyZSB3aWxsIGRlY2lkZSB3aGV0aGVyIHRvIHVzZSBpdCBvciBu
b3QuDQo+ID4gDQo+ID4gU2lnbmVkLW9mZi1ieTogRW1tYW51ZWwgR3J1bWJhY2ggPGVtbWFudWVs
LmdydW1iYWNoQGludGVsLmNvbT4NCj4gDQo+IFsuLi5dDQo+IA0KPiA+IEBAIC00MDg2LDEwICs0
MDkwLDEyIEBAIGVudW0gbmw4MDIxMV9rZXlfdHlwZSB7DQo+ID4gwqAgKiBlbnVtIG5sODAyMTFf
bWZwIC0gTWFuYWdlbWVudCBmcmFtZSBwcm90ZWN0aW9uIHN0YXRlDQo+ID4gwqAgKiBATkw4MDIx
MV9NRlBfTk86IE1hbmFnZW1lbnQgZnJhbWUgcHJvdGVjdGlvbiBub3QgdXNlZA0KPiA+IMKgICog
QE5MODAyMTFfTUZQX1JFUVVJUkVEOiBNYW5hZ2VtZW50IGZyYW1lIHByb3RlY3Rpb24gcmVxdWly
ZWQNCj4gPiArICogQE5MODAyMTFfTUZQX09QVElPTkFMOiBNYW5hZ2VtZW50IGZyYW1lIGlzIG9w
dGlvbmFsDQo+ID4gwqAgKi8NCj4gPiDCoGVudW0gbmw4MDIxMV9tZnAgew0KPiA+IMKgCU5MODAy
MTFfTUZQX05PLA0KPiA+IMKgCU5MODAyMTFfTUZQX1JFUVVJUkVELA0KPiA+ICsJTkw4MDIxMV9N
RlBfT1BUSU9OQUwsDQo+ID4gwqB9Ow0KPiA+IMKgDQo+ID4gwqBlbnVtIG5sODAyMTFfd3BhX3Zl
cnNpb25zIHsNCj4gPiBkaWZmIC0tZ2l0IGEvbmV0L3dpcmVsZXNzL25sODAyMTEuYyBiL25ldC93
aXJlbGVzcy9ubDgwMjExLmMNCj4gPiBpbmRleCA4ZjAzNWQ5ODY4ZDEuLjgyOTg2NzEzMjMyNiAx
MDA2NDQNCj4gPiAtLS0gYS9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jDQo+ID4gKysrIGIvbmV0L3dp
cmVsZXNzL25sODAyMTEuYw0KPiA+IEBAIC05MTE1LDYgKzkxMTUsNyBAQCBzdGF0aWMgaW50IG5s
ODAyMTFfY29ubmVjdChzdHJ1Y3Qgc2tfYnVmZg0KPiA+ICpza2IsIHN0cnVjdCBnZW5sX2luZm8g
KmluZm8pDQo+ID4gwqAJaWYgKGluZm8tPmF0dHJzW05MODAyMTFfQVRUUl9VU0VfTUZQXSkgew0K
PiA+IMKgCQljb25uZWN0Lm1mcCA9IG5sYV9nZXRfdTMyKGluZm8tDQo+ID4gPmF0dHJzW05MODAy
MTFfQVRUUl9VU0VfTUZQXSk7DQo+ID4gwqAJCWlmIChjb25uZWN0Lm1mcCAhPSBOTDgwMjExX01G
UF9SRVFVSVJFRCAmJg0KPiA+ICsJCcKgwqDCoMKgY29ubmVjdC5tZnAgIT0gTkw4MDIxMV9NRlBf
T1BUSU9OQUwgJiYNCj4gPiDCoAkJwqDCoMKgwqBjb25uZWN0Lm1mcCAhPSBOTDgwMjExX01GUF9O
TykNCj4gPiDCoAkJCXJldHVybiAtRUlOVkFMOw0KPiA+IMKgCX0gZWxzZSB7DQo+IA0KPiBJIGd1
ZXNzIEknbSBtaXNzaW5nIHNvbWV0aGluZywgYnV0IGhvdyBpcyBiYWNrd2FyZHMgY29tcGF0aWJp
bGl0eQ0KPiBzdXBwb3NlZCB0byB3b3JrIGZyb20gdXNlciBzcGFjZSBwb2ludCBvZiB2aWV3PyBJ
ZiB1c2VyIHNwYWNlIHVzZXMNCj4gTkw4MDIxMV9NRlBfT1BUSU9OQUwgd2l0aCBhbiBvbGQga2Vy
bmVsLCB0aGUga2VybmVsIHdpbGwgcmVqZWN0IHRoZQ0KPiBjb21tYW5kIHdpdGggLUVJTlZBTCBh
bmQgdXNlciBzcGFjZSB3aWxsIHRyeSBhZ2FpbiB3aXRob3V0DQo+IE5MODAyMTFfTUZQX09QVElP
TkFMPw0KPiANCg0KDQpObyB5b3UgYXJlIG5vdC4gSSBzaW1wbHkgZm9yZ290IHRoYXQgcG9pbnQu
IEkgZ3Vlc3MgdGhhdCB0aGlzIHdvdWxkIGJlDQp0aGUgYmVoYXZpb3IsIHllcy4uLiBUaGlzIGlz
IHJlbGV2YW50IGZvciBhcF9zY2FuPTIgd3BhX3MgY29uZmlndXJhdGlvbg0Kb25seSB3aGljaCBt
YWtlcyBpdCBub3QgcmVhbGx5IGNvbW1vbiwgYnV0IHN0aWxsLCB5b3UgYXJlIHJpZ2h0Lg0KTm90
IHN1cmUgaG93IGVhc3kgaXQgd2lsbCBiZSB0byB3cml0ZSB0aGlzIGxvZ2ljIGluIHRoZSBzdXBw
bGljYW50DQp0aG91Z2guLi4gVW5sZXNzIHdlIGFkZCBhbiBubDgwMjExIGZlYXR1cmUgYml0IGJ1
dCBJIGZlZWwgaXQnZCBiZSBhIGJpdA0Kb2YgYSB3YXN0ZS4NCkpvdW5pLCB3aGF0IGRvIHlvdSB0
aGluaz8NCkkga25vdyB5b3UgaGF2ZW4ndCBzZWVuIHRoZSBzdXBwbGljYW50IHBhdGNoIHlldCwg
YnV0IGhlcmUgaXMgdGhlIGdpc3QNCm9mIGl0LiBJIGFsbG93IE9QVElPTkFMIGluIGNvbm5lY3Qo
KSBvbmx5LCBhbmQgbm90IGluIGFzc29jaWF0ZSgpOg0KDQpAQCAtNTc5MCw2ICs1Nzg2LDE0IEBA
IHN0YXRpYyBpbnQgd3BhX2RyaXZlcl9ubDgwMjExX3RyeV9jb25uZWN0KA0KwqDCoMKgwqDCoMKg
wqDCoGlmIChyZXQpDQrCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoGdvdG8gZmFpbDsN
CsKgDQorwqDCoMKgwqDCoMKgwqBpZiAocGFyYW1zLT5tZ210X2ZyYW1lX3Byb3RlY3Rpb24gPT0g
TUdNVF9GUkFNRV9QUk9URUNUSU9OX1JFUVVJUkVEICYmDQorwqDCoMKgwqDCoMKgwqDCoMKgwqDC
oG5sYV9wdXRfdTMyKG1zZywgTkw4MDIxMV9BVFRSX1VTRV9NRlAsIE5MODAyMTFfTUZQX1JFUVVJ
UkVEKSkNCivCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqBnb3RvIGZhaWw7DQorDQorwqDC
oMKgwqDCoMKgwqBpZiAocGFyYW1zLT5tZ210X2ZyYW1lX3Byb3RlY3Rpb24gPT0gTUdNVF9GUkFN
RV9QUk9URUNUSU9OX09QVElPTkFMICYmDQorwqDCoMKgwqDCoMKgwqDCoMKgwqDCoG5sYV9wdXRf
dTMyKG1zZywgTkw4MDIxMV9BVFRSX1VTRV9NRlAsIE5MODAyMTFfTUZQX09QVElPTkFMKSkNCivC
oMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqBnb3RvIGZhaWw7DQorDQrCoMKgwqDCoMKgwqDC
oMKgYWxncyA9IDA7DQrCoMKgwqDCoMKgwqDCoMKgaWYgKHBhcmFtcy0+YXV0aF9hbGcgJiBXUEFf
QVVUSF9BTEdfT1BFTikNCsKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgYWxncysrOw0K
DQog

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Igor Mitsyanko]

On 08/14/2017 06:49 AM, Emmanuel Grumbach wrote:
> 
> User space can now allow the kernel to associate to an AP
> that requires MFP or that doesn't have MFP enabled in the
> same NL80211_CMD_CONNECT command.
> The driver / firmware will decide whether to use it or not.
> 
> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
> ---

No issues from quantenna driver.

Acked-by Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>

[...]

> @@ -4086,10 +4090,12 @@ enum nl80211_key_type {
>    * enum nl80211_mfp - Management frame protection state
>    * @NL80211_MFP_NO: Management frame protection not used
>    * @NL80211_MFP_REQUIRED: Management frame protection required
> + * @NL80211_MFP_OPTIONAL: Management frame is optional

Probable meant to be "Management frame _protection_ is optional"

>    */
>   enum nl80211_mfp {
>          NL80211_MFP_NO,
>          NL80211_MFP_REQUIRED,
> +       NL80211_MFP_OPTIONAL,
>   };
> 
>   enum nl80211_wpa_versions {
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 8f035d9868d1..829867132326 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
>          if (info->attrs[NL80211_ATTR_USE_MFP]) {
>                  connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
>                  if (connect.mfp != NL80211_MFP_REQUIRED &&
> +                   connect.mfp != NL80211_MFP_OPTIONAL &&
>                      connect.mfp != NL80211_MFP_NO)
>                          return -EINVAL;
>          } else {
> --
> 2.9.3
> 

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Igor Mitsyanko]

On 08/14/2017 06:49 AM, Emmanuel Grumbach wrote:
> 
> User space can now allow the kernel to associate to an AP
> that requires MFP or that doesn't have MFP enabled in the
> same NL80211_CMD_CONNECT command.
> The driver / firmware will decide whether to use it or not.
> 
> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
> ---

No issues from quantenna driver.

Acked-by Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>

[...]

> @@ -4086,10 +4090,12 @@ enum nl80211_key_type {
>    * enum nl80211_mfp - Management frame protection state
>    * @NL80211_MFP_NO: Management frame protection not used
>    * @NL80211_MFP_REQUIRED: Management frame protection required
> + * @NL80211_MFP_OPTIONAL: Management frame is optional

Probably meant to be "Management frame _protection_ is optional"

>    */
>   enum nl80211_mfp {
>          NL80211_MFP_NO,
>          NL80211_MFP_REQUIRED,
> +       NL80211_MFP_OPTIONAL,
>   };
> 
>   enum nl80211_wpa_versions {
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 8f035d9868d1..829867132326 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
>          if (info->attrs[NL80211_ATTR_USE_MFP]) {
>                  connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
>                  if (connect.mfp != NL80211_MFP_REQUIRED &&
> +                   connect.mfp != NL80211_MFP_OPTIONAL &&
>                      connect.mfp != NL80211_MFP_NO)
>                          return -EINVAL;
>          } else {
> --
> 2.9.3
> 

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Arend van Spriel]

On 14-08-17 15:49, Emmanuel Grumbach wrote:
> User space can now allow the kernel to associate to an AP
> that requires MFP or that doesn't have MFP enabled in the
> same NL80211_CMD_CONNECT command.
> The driver / firmware will decide whether to use it or not.
> 
> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
> ---
> A short tour of the drivers taught me that only Quantenna really look
> at cfg80211_connect_params::sme which can now be 2. This is why
> the maintainer of this driver is CCed.

Indeed in brcmfmac the IE is processed to determine whether it is 
required or optional. Probably will change our driver to use the 
explicit mfp values from cfg80211_connect_params::sme.

Thanks,
Arend

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Igor Mitsyanko]

On 08/14/2017 12:22 PM, Arend van Spriel wrote:
> On 14-08-17 15:49, Emmanuel Grumbach wrote:
>> User space can now allow the kernel to associate to an AP
>> that requires MFP or that doesn't have MFP enabled in the
>> same NL80211_CMD_CONNECT command.
>> The driver / firmware will decide whether to use it or not.
>>
>> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
>> ---
>> A short tour of the drivers taught me that only Quantenna really look
>> at cfg80211_connect_params::sme which can now be 2. This is why
>> the maintainer of this driver is CCed.
> 
> Indeed in brcmfmac the IE is processed to determine whether it is
> required or optional. Probably will change our driver to use the
> explicit mfp values from cfg80211_connect_params::sme.

Maybe this is a right way to do that, avoiding that compatibility 
problem (no new NL* flags)? Except for maybe nl80211 layer should parse 
it instead, not driver.

It is kind of not clear right now for drivers where to get information from:
- NL attributes passed from userspace and forwarded to a driver
- IEs passed from userspace, parsed by nl80211 and forwarded to a driver
- IEs that are passed from userspace and parsed by drivers directly

> 
> Thanks,
> Arend

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Grumbach, Emmanuel]

T24gTW9uLCAyMDE3LTA4LTE0IGF0IDEzOjA4IC0wNzAwLCBJZ29yIE1pdHN5YW5rbyB3cm90ZToN
Cj4gT24gMDgvMTQvMjAxNyAxMjoyMiBQTSwgQXJlbmQgdmFuIFNwcmllbCB3cm90ZToNCj4gPiBP
biAxNC0wOC0xNyAxNTo0OSwgRW1tYW51ZWwgR3J1bWJhY2ggd3JvdGU6DQo+ID4gPiBVc2VyIHNw
YWNlIGNhbiBub3cgYWxsb3cgdGhlIGtlcm5lbCB0byBhc3NvY2lhdGUgdG8gYW4gQVANCj4gPiA+
IHRoYXQgcmVxdWlyZXMgTUZQIG9yIHRoYXQgZG9lc24ndCBoYXZlIE1GUCBlbmFibGVkIGluIHRo
ZQ0KPiA+ID4gc2FtZSBOTDgwMjExX0NNRF9DT05ORUNUIGNvbW1hbmQuDQo+ID4gPiBUaGUgZHJp
dmVyIC8gZmlybXdhcmUgd2lsbCBkZWNpZGUgd2hldGhlciB0byB1c2UgaXQgb3Igbm90Lg0KPiA+
ID4gDQo+ID4gPiBTaWduZWQtb2ZmLWJ5OiBFbW1hbnVlbCBHcnVtYmFjaCA8ZW1tYW51ZWwuZ3J1
bWJhY2hAaW50ZWwuY29tPg0KPiA+ID4gLS0tDQo+ID4gPiBBIHNob3J0IHRvdXIgb2YgdGhlIGRy
aXZlcnMgdGF1Z2h0IG1lIHRoYXQgb25seSBRdWFudGVubmEgcmVhbGx5DQo+ID4gPiBsb29rDQo+
ID4gPiBhdCBjZmc4MDIxMV9jb25uZWN0X3BhcmFtczo6c21lIHdoaWNoIGNhbiBub3cgYmUgMi4g
VGhpcyBpcyB3aHkNCj4gPiA+IHRoZSBtYWludGFpbmVyIG9mIHRoaXMgZHJpdmVyIGlzIENDZWQu
DQo+ID4gDQo+ID4gSW5kZWVkIGluIGJyY21mbWFjIHRoZSBJRSBpcyBwcm9jZXNzZWQgdG8gZGV0
ZXJtaW5lIHdoZXRoZXIgaXQgaXMNCj4gPiByZXF1aXJlZCBvciBvcHRpb25hbC4gUHJvYmFibHkg
d2lsbCBjaGFuZ2Ugb3VyIGRyaXZlciB0byB1c2UgdGhlDQo+ID4gZXhwbGljaXQgbWZwIHZhbHVl
cyBmcm9tIGNmZzgwMjExX2Nvbm5lY3RfcGFyYW1zOjpzbWUuDQo+IA0KPiBNYXliZSB0aGlzIGlz
IGEgcmlnaHQgd2F5IHRvIGRvIHRoYXQsIGF2b2lkaW5nIHRoYXQgY29tcGF0aWJpbGl0ecKgDQo+
IHByb2JsZW0gKG5vIG5ldyBOTCogZmxhZ3MpPyBFeGNlcHQgZm9yIG1heWJlIG5sODAyMTEgbGF5
ZXIgc2hvdWxkDQo+IHBhcnNlwqANCj4gaXQgaW5zdGVhZCwgbm90IGRyaXZlci4NCg0KU2VlbXMg
b2RkIHRvIG1lLCBzaW5jZSB0aGVyZSBhbHJlYWR5IGlzIGFuIE5MIGF0dHJpYnV0ZSBmb3IgdGhp
cyBhbmQNCnlvdSB3YW50IHRoZSB1c2VyIHNwYWNlIHRvIGRlY2lkZSBvbiB0aGUgcG9saWN5IEkg
dGhpbmsuDQoNCj4gDQo+IEl0IGlzIGtpbmQgb2Ygbm90IGNsZWFyIHJpZ2h0IG5vdyBmb3IgZHJp
dmVycyB3aGVyZSB0byBnZXQNCj4gaW5mb3JtYXRpb24gZnJvbToNCj4gLSBOTCBhdHRyaWJ1dGVz
IHBhc3NlZCBmcm9tIHVzZXJzcGFjZSBhbmQgZm9yd2FyZGVkIHRvIGEgZHJpdmVyDQoNClNpbmNl
IHRob3NlIGV4aXN0LCBpdCBzZWVtcyB0byBtYWtlIG1vcmUgc2Vuc2UgdG8gbWUgdG8gdXNlIHRo
b3NlDQpyYXRoZXIgdGhhbiBhbnkgaW4tZHJpdmVyIGRlY2lkZWQgcG9saWN5LiBVc3VhbGx5LCBk
ZWNpZGluZyB1cG9uDQpwb2xpY2llcyBmcm9tIGxvd2VyIGxldmVscyBpcyBmcm93bmVkIHVwb24g
SSdkIHNheS4NCg0KPiAtIElFcyBwYXNzZWQgZnJvbSB1c2Vyc3BhY2UsIHBhcnNlZCBieSBubDgw
MjExIGFuZCBmb3J3YXJkZWQgdG8gYQ0KPiBkcml2ZXINCj4gLSBJRXMgdGhhdCBhcmUgcGFzc2Vk
IGZyb20gdXNlcnNwYWNlIGFuZCBwYXJzZWQgYnkgZHJpdmVycyBkaXJlY3RseQ0KPiANCj4gPiAN
Cj4gPiBUaGFua3MsDQo+ID4gQXJlbmQNCj4gDQo+IA==

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Igor Mitsyanko]

On 08/14/2017 01:13 PM, Grumbach, Emmanuel wrote:
>> It is kind of not clear right now for drivers where to get
>> information from:
>> - NL attributes passed from userspace and forwarded to a driver
> 
> Since those exist, it seems to make more sense to me to use those
> rather than any in-driver decided policy. Usually, deciding upon
> policies from lower levels is frowned upon I'd say.

I agree, what I mean is that drivers should know where to take this 
information from, if there are multiple sources.

An example are HT/VHT capabilities for start_ap command: they can be 
parsed directly by drivers by looking at beacon's IEs in 
"cfg80211_ap_settings". At the same time those are also parsed by 
nl80211 which fills cfg80211_ap_settings::ht_cap, 
cfg80211_ap_settings::vht_cap.
Why HT/VHT caps are not passed directly from usespace as one of NL 
attributes? I guess because there is not much point in it since 
userspace passes entire IE set anyway, which can be used by lower levels.


> 
>> - IEs passed from userspace, parsed by nl80211 and forwarded to a
>> driver
>> - IEs that are passed from userspace and parsed by drivers directly
>>
>>>
>>> Thanks,
>>> Arend
>>
>>

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Grumbach, Emmanuel]

T24gTW9uLCAyMDE3LTA4LTE0IGF0IDEzOjM2IC0wNzAwLCBJZ29yIE1pdHN5YW5rbyB3cm90ZToN
Cj4gT24gMDgvMTQvMjAxNyAwMToxMyBQTSwgR3J1bWJhY2gsIEVtbWFudWVsIHdyb3RlOg0KPiA+
ID4gSXQgaXMga2luZCBvZiBub3QgY2xlYXIgcmlnaHQgbm93IGZvciBkcml2ZXJzIHdoZXJlIHRv
IGdldA0KPiA+ID4gaW5mb3JtYXRpb24gZnJvbToNCj4gPiA+IC0gTkwgYXR0cmlidXRlcyBwYXNz
ZWQgZnJvbSB1c2Vyc3BhY2UgYW5kIGZvcndhcmRlZCB0byBhIGRyaXZlcg0KPiA+IA0KPiA+IFNp
bmNlIHRob3NlIGV4aXN0LCBpdCBzZWVtcyB0byBtYWtlIG1vcmUgc2Vuc2UgdG8gbWUgdG8gdXNl
IHRob3NlDQo+ID4gcmF0aGVyIHRoYW4gYW55IGluLWRyaXZlciBkZWNpZGVkIHBvbGljeS4gVXN1
YWxseSwgZGVjaWRpbmcgdXBvbg0KPiA+IHBvbGljaWVzIGZyb20gbG93ZXIgbGV2ZWxzIGlzIGZy
b3duZWQgdXBvbiBJJ2Qgc2F5Lg0KPiANCj4gSSBhZ3JlZSwgd2hhdCBJIG1lYW4gaXMgdGhhdCBk
cml2ZXJzIHNob3VsZCBrbm93IHdoZXJlIHRvIHRha2UgdGhpc8KgDQo+IGluZm9ybWF0aW9uIGZy
b20sIGlmIHRoZXJlIGFyZSBtdWx0aXBsZSBzb3VyY2VzLg0KPiANCj4gQW4gZXhhbXBsZSBhcmUg
SFQvVkhUIGNhcGFiaWxpdGllcyBmb3Igc3RhcnRfYXAgY29tbWFuZDogdGhleSBjYW4gYmXCoA0K
PiBwYXJzZWQgZGlyZWN0bHkgYnkgZHJpdmVycyBieSBsb29raW5nIGF0IGJlYWNvbidzIElFcyBp
bsKgDQo+ICJjZmc4MDIxMV9hcF9zZXR0aW5ncyIuIEF0IHRoZSBzYW1lIHRpbWUgdGhvc2UgYXJl
IGFsc28gcGFyc2VkIGJ5wqANCj4gbmw4MDIxMSB3aGljaCBmaWxscyBjZmc4MDIxMV9hcF9zZXR0
aW5nczo6aHRfY2FwLMKgDQo+IGNmZzgwMjExX2FwX3NldHRpbmdzOjp2aHRfY2FwLg0KPiBXaHkg
SFQvVkhUIGNhcHMgYXJlIG5vdCBwYXNzZWQgZGlyZWN0bHkgZnJvbSB1c2VzcGFjZSBhcyBvbmUg
b2YgTkzCoA0KPiBhdHRyaWJ1dGVzPyBJIGd1ZXNzIGJlY2F1c2UgdGhlcmUgaXMgbm90IG11Y2gg
cG9pbnQgaW4gaXQgc2luY2XCoA0KPiB1c2Vyc3BhY2UgcGFzc2VzIGVudGlyZSBJRSBzZXQgYW55
d2F5LCB3aGljaCBjYW4gYmUgdXNlZCBieSBsb3dlcg0KPiBsZXZlbHMuDQoNCkkgdW5kZXJzdGFu
ZCB5b3VyIHBvaW50IGFib3V0IHRoZSBpbmZvcm1hdGlvbiBiZWluZyBjb252ZXllZCB0byB0aGUN
Cmtlcm5lbCB0aHJvdWdoIG11bHRpcGxlIHBpcGVzLiBCdXQgbm90ZSB0aGF0IGZvciBIVC9WSFQg
aW4gQVAgbW9kZSwgdGhlDQpkZWNpc2lvbiBtYWtlciBpcyB0aGUgdXNlciBzcGFjZS4gVXNlciBz
cGFjZSBjYW4gZ2V0IGl0IGZyb20gYSB0aGUgdXNlcg0KaGltc2VsZiAoaG9zdGFwZC5jb25mKSBv
ciBmcm9tIGludGVybmFsIGtub3dsZWRnZSAoT0JTUyBwYXJhbWV0ZXJzIGluDQpBUCBtb2RlIHRo
YXQgYXJlIGhhbmRsZWQgaW50ZXJuYWxseSBpbiBob3N0YXBkKSwgYnV0IGl0IGVzc2VudGlhbGx5
DQpkb2Vzbid0IG1hdHRlci4gVGhlIGtlcm5lbCBkb2VzIG5vdGhpbmcgZWxzZSBidXQgaW1wbGVt
ZW50aW5nIHRoZQ0KcG9saWN5IGRlY2lkZWQgYnkgdGhlIHVzZXIgc3BhY2UuDQoNCldoZW4geW91
IHN0YXJ0IHRoaW5raW5nIGFib3V0IGZpcm13YXJlcyB3aXRoIG1vcmUgbG9naWMsIHRoZSBwaWN0
dXJlIGlzDQpkaWZmZXJlbnQuIFdoZW4gSm91bmkgYWRkZWQgTUZQIHN1cHBvcnQgaW4gdGhlIGtl
cm5lbCBpbiAyMDA5IGhlIHdyb3RlOg0KDQogIFNpbmNlIHdlIGFyZSBjdXJyZW50bHkgdXNpbmcg
bmw4MDIxMSBmb3IgTUZQIG9ubHkgd2l0aCBkcml2ZXJzIHRoYXQNCsKgwqB1c2UgdXNlciBzcGFj
ZSBTTUUsIG9ubHkgTUZQIGRpc2FibGVkIGFuZCByZXF1aXJlZCB2YWx1ZXMgYXJlDQrCoMKgdXNl
ZC4gSG93ZXZlciwgdGhlIE5MODAyMTFfQVRUUl9VU0VfTUZQIGF0dHJpYnV0ZSBpcyBhbiBlbnVt
IHRoYXQgY2FuDQrCoMKgYmUgZXh0ZW5kZWQgd2l0aCBNRlAgb3B0aW9uYWwgaW4gdGhlIGZ1dHVy
ZSwgaWYgdGhhdCBpcyBuZWVkZWQgd2l0aA0KwqDCoHNvbWUgZHJpdmVycyAoZS5nLiwgaWYgdGhl
IFJTTiBJRSBpcyBnZW5lcmF0ZWQgYnkgdGhlIGRyaXZlcikuDQoNCihTZWUgY29tbWl0IGRjNjM4
MmNlZDA3ZDZiYWQ2MWQwYjU5MWZiMTJhYjVkYTdjYTYzMmMpLg0KDQpIZXJlIGlzIHRoZSB0aGlu
ZzogdW50aWwgbm93LCBNRlAgd2FzIHN1cHBvcnRlZCBvbmx5IGZvciBkcml2ZXJzIHRoYXQNCnVz
ZSB1c2VyIHNwYWNlIFNNRSwgbWVhbmluZyBkcml2ZXJzIHRoYXQgbGV0IHRoZSB1c2VyIHNwYWNl
IGRlY2lkZQ0KYWJvdXQgcHJldHR5IG11Y2ggZXZlcnl0aGluZzogaXQgc2VuZHMgdGhlIEFzc29j
IFJlcXVlc3Qgd2hpY2ggbWVhbnMNCnRoYXQgaXQga25vd3MgX2V2ZXJ5dGhpbmdfIGFib3V0IHRo
ZSBBUCBpdCBjb25uZWN0cyB0by4gV2hlbiB5b3UgZG9uJ3QNCnVzZSB1c2VyIHNwYWNlIFNNRSAo
bWVhbmluZyB5b3UgdXNlIE5MODAyMTFfQ01EX0NPTk5FQ1QgYW5kIG5vdA0KTkw4MDIxMV9DTURf
e0FVVEhFTlRJQ0FURSxBU1NPQ0lBVEV9KSwgdGhlIHVzZXIgc3BhY2UgbWF5IG5vdCBrbm93IG11
Y2gNCmFib3V0IHRoZSBBUCBpbmNsdWRpbmcgbm90IGl0cyBSU04gY2Fwcy4gRXNzZW50aWFsbHks
IHRoZSB1c2VyIHNwYWNlIGlzDQpzZW5kaW5nIGEgc3VwcGxpY2FudCdzIG5ldHdvcmsgYmxvY2sg
dG8gdGhlIGtlcm5lbCBhbmQgYXNrcyB0aGUga2VybmVsDQp0byBjb25uZWN0IHRvIHRoYXQgdGhp
bmcuIFRoZSB1c2VyIHNwYWNlIG1heSBub3QgZXZlbiBrbm93IHRoYXQgdGhpcw0KbmV0d29yayBp
cyBpbiB0aGUgdmljaW5pdHkgKHdoaWNoIGlzIHdoYXQgYXBfc2Nhbj0yIGluIHRoZSB3cGFfcyBt
ZWFucw0KSUlVQykuDQoNClNvIHdoYXQgSSBhbSB0cnlpbmcgdG8gZG8gaGVyZSB0byBzaGlmdCB0
aGUgcG93ZXIgb2YgdGhlIGRlY2lzaW9uIGZyb20NCnRoZSB1c2VyIHNwYWNlIHRvIHRoZSBrZXJu
ZWwgaW4gY2VydGFpbiBjYXNlcywgb3IgYXQgbGVhc3QgdG8gYWxsb3cgdGhlDQp1c2VyIHNwYWNl
IHRvIHRlbGwgdGhlIGtlcm5lbCBob3cgdG8gYmVoYXZlIGluIHNldmVyYWwgc2NlbmFyaW9zIHNp
bmNlDQp0aGUgdXNlciBzcGFjZSBkb2Vzbid0IGhhdmUgYWxsIHRoZSBpbmZvcm1hdGlvbiBpbiBo
YW5kLg0KDQpOTDgwMjExX01GUF9OTyBpcyBjbGVhcjogeW91IGNhbid0IGFzc29jaWF0ZSB0byBh
biBBUCB0aGF0IGhhcyBNRlBDPTENCk1GUFI9MQ0KTkw4MDIxMV9NRlBfUkVRVUlSRUQgaXMgY2xl
YXI6IHlvdSBjYW4ndCBhc3NvY2lhdGUgdG8gYW4gQVAgdGhhdCBoYXMNCk1GUEM9MCBNRlBSPTAN
Cg0KVGhpcyBpcyBwb3NzaWJsZSB3aGVuIHRoZSB1c2VyIHNwYWNlIGtub3dzIGhvdyB0aGUgUlNO
IElFIG9mIHRoZSBBUA0KbG9va3MgbGlrZS4gSWYgaXQgZG9lc24ndCwgdGhlbiBpdCdkIG1lYW4g
dGhhdCB0aGUgdXNlciBzcGFjZSBoYXMgbm8NCndheSB0byBzYXk6IEkgd2FudCB0byB1c2UgTUZQ
IGlmIHJlcXVpcmVkIGJ5IHRoZSBBUCwgYnV0IGRvbid0IGNhcmUgYWxsDQp0aGF0IG11Y2ggaWYg
dGhlIEFQIGRvZXNuJ3Qgc3VwcG9ydCBpdCwgYW5kIHRoaXMgaXMgZXhhY3RseSB3aGF0IHRoZQ0K
Tkw4MDIxMV9NRlBfT1BUSU9OQUwgY29tZXMgdG8gYWRkLg0KDQpJIHdyb3RlIHRoaXMgdG8gZXhw
bGFpbiB0aGF0IEkgY2FuJ3QgdXNlIHRoZSBJRXMgZm9yIHRoaXMgc2luY2UgSSBhbQ0KYWRkaW5n
IE5MODAyMTFfTUZQX09QVElPTkFMIHByZWNpc2VseSBiZWNhdXNlIHRoZSB1c2VyIHNwYWNlIGRv
ZXNuJ3QNCmhhdmUgdGhlIElFcy4NCg0KUmVnYXJkaW5nIHRoZSBiYWNrd2FyZCBjb21wYXRpYmls
aXR5LCB0aGlzIGlzIGEgcmVhbCBwcm9ibGVtLiBJIGFtIG5vdA0KZXZlbiBzdXJlIHRoYXQgYWRk
aW5nIGEgZmVhdHVyZSBmbGFnIHdpbGwgaGVscCBzaW5jZSBpbiBjYXNlIHdwYV9zDQpkb2Vzbid0
IGtub3cgdGhlIElFcyBvZiB0aGUgQVAsIGl0IGNhbid0IHJlYWxseSBrbm93IHdoYXQgTUZQDQpw
YXJhbWV0ZXJzIHRvIHNlbmQgKFJFUSBvciBOTyBhc3N1bWluZyB3cGFfcyBkZXRlY3RlZCB0aGF0
IHRoZSBrZXJuZWwNCndvdWxkbid0IHN1cHBvcnQgT1BUSU9OQUwpLiBOb3RlIHRoYXQgYWxsIHRo
aXMgaXMgcmVhbGx5IHJlbGV2YW50IG9ubHkNCmZvciBhcF9zY2FuPTIgY29uZmlndXJhdGlvbiBp
biB3cGFfcyB3aGljaCBpcyBub3QgcmVhbGx5IHN1cHBvcnRlZCB3ZWxsDQppbiBubDgwMjExIGRy
aXZlciByaWdodCBub3cgKGF0IGxlYXN0IGJhc2VkIG9uIHRoZSBjb21tZW50cyBpbiB0aGUNCndw
YV9zIGNvZGUpLiBBc2tpbmcgd2h5IEkgYW0gYWRkaW5nIHRoaXMgaW4gbmw4MDIxMSBrZXJuZWwg
c2lkZSBpZiB0aGUNCm9ubHkgdXNlciB3b3VsZCBiZSB3cGFfcyB3aXRoIG5sODAyMTEgYW5kIGFw
X3NjYW49MiAod2hpY2ggaXMNCnJlcG9ydGVkbHkgbm90IHJlYWxseSB3b3JraW5nKSBpcyBhIGZh
aXIgcXVlc3Rpb24gOikNCkkgYW0gYmFzaWNhbGx5IHdvcmtpbmcgaW4gdGhlIGNvbnRleHQgb2Yg
YSBmaXJtd2FyZSB0aGF0IGRvZXMgdGhlIHNjYW4NCmJlZm9yZSBjb25uZWN0IGludGVybmFsbHku
DQoNCj4gDQo+IA0KPiA+IA0KPiA+ID4gLSBJRXMgcGFzc2VkIGZyb20gdXNlcnNwYWNlLCBwYXJz
ZWQgYnkgbmw4MDIxMSBhbmQgZm9yd2FyZGVkIHRvIGENCj4gPiA+IGRyaXZlcg0KPiA+ID4gLSBJ
RXMgdGhhdCBhcmUgcGFzc2VkIGZyb20gdXNlcnNwYWNlIGFuZCBwYXJzZWQgYnkgZHJpdmVycw0K
PiA+ID4gZGlyZWN0bHkNCj4gPiA+IA0KPiA+ID4gPiANCj4gPiA+ID4gVGhhbmtzLA0KPiA+ID4g
PiBBcmVuZA0KPiA+ID4gDQo+ID4gPiANCj4g

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Kalle Valo]

"Grumbach, Emmanuel" <emmanuel.grumbach@intel.com> writes:

> On Mon, 2017-08-14 at 20:14 +0300, Kalle Valo wrote:
>> Emmanuel Grumbach <emmanuel.grumbach@intel.com> writes:
>>=20
>> > User space can now allow the kernel to associate to an AP
>> > that requires MFP or that doesn't have MFP enabled in the
>> > same NL80211_CMD_CONNECT command.
>> > The driver / firmware will decide whether to use it or not.
>> >=20
>> > Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

[...]

>> > --- a/net/wireless/nl80211.c
>> > +++ b/net/wireless/nl80211.c
>> > @@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff
>> > *skb, struct genl_info *info)
>> > =C2=A0	if (info->attrs[NL80211_ATTR_USE_MFP]) {
>> > =C2=A0		connect.mfp =3D nla_get_u32(info-
>> > >attrs[NL80211_ATTR_USE_MFP]);
>> > =C2=A0		if (connect.mfp !=3D NL80211_MFP_REQUIRED &&
>> > +		=C2=A0=C2=A0=C2=A0=C2=A0connect.mfp !=3D NL80211_MFP_OPTIONAL &&
>> > =C2=A0		=C2=A0=C2=A0=C2=A0=C2=A0connect.mfp !=3D NL80211_MFP_NO)
>> > =C2=A0			return -EINVAL;
>> > =C2=A0	} else {
>>=20
>> I guess I'm missing something, but how is backwards compatibility
>> supposed to work from user space point of view? If user space uses
>> NL80211_MFP_OPTIONAL with an old kernel, the kernel will reject the
>> command with -EINVAL and user space will try again without
>> NL80211_MFP_OPTIONAL?
>
> No you are not. I simply forgot that point. I guess that this would be
> the behavior, yes...

I don't think that's very robust. How would user space (wpasupplicant)
know if the the EINVAL is because NL80211_MFP_OPTIONAL is not supported
by the kernel or because of some other error?

> This is relevant for ap_scan=3D2 wpa_s configuration only which makes it
> not really common, but still, you are right. Not sure how easy it will
> be to write this logic in the supplicant though... Unless we add an
> nl80211 feature bit but I feel it'd be a bit of a waste.

I don't feel that adding a feature bit is waste, I rather use a feature
flag than making ugly hacks to user space. But of course this is up to
Jouni and Johannes.

--=20
Kalle Valo

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Grumbach, Emmanuel]

T24gVHVlLCAyMDE3LTA4LTE1IGF0IDEwOjE2ICswMzAwLCBLYWxsZSBWYWxvIHdyb3RlOg0KPiAi
R3J1bWJhY2gsIEVtbWFudWVsIiA8ZW1tYW51ZWwuZ3J1bWJhY2hAaW50ZWwuY29tPiB3cml0ZXM6
DQo+IA0KPiA+IE9uIE1vbiwgMjAxNy0wOC0xNCBhdCAyMDoxNCArMDMwMCwgS2FsbGUgVmFsbyB3
cm90ZToNCj4gPiA+IEVtbWFudWVsIEdydW1iYWNoIDxlbW1hbnVlbC5ncnVtYmFjaEBpbnRlbC5j
b20+IHdyaXRlczoNCj4gPiA+IA0KPiA+ID4gPiBVc2VyIHNwYWNlIGNhbiBub3cgYWxsb3cgdGhl
IGtlcm5lbCB0byBhc3NvY2lhdGUgdG8gYW4gQVANCj4gPiA+ID4gdGhhdCByZXF1aXJlcyBNRlAg
b3IgdGhhdCBkb2Vzbid0IGhhdmUgTUZQIGVuYWJsZWQgaW4gdGhlDQo+ID4gPiA+IHNhbWUgTkw4
MDIxMV9DTURfQ09OTkVDVCBjb21tYW5kLg0KPiA+ID4gPiBUaGUgZHJpdmVyIC8gZmlybXdhcmUg
d2lsbCBkZWNpZGUgd2hldGhlciB0byB1c2UgaXQgb3Igbm90Lg0KPiA+ID4gPiANCj4gPiA+ID4g
U2lnbmVkLW9mZi1ieTogRW1tYW51ZWwgR3J1bWJhY2ggPGVtbWFudWVsLmdydW1iYWNoQGludGVs
LmNvbT4NCj4gDQo+IFsuLi5dDQo+IA0KPiA+ID4gPiAtLS0gYS9uZXQvd2lyZWxlc3Mvbmw4MDIx
MS5jDQo+ID4gPiA+ICsrKyBiL25ldC93aXJlbGVzcy9ubDgwMjExLmMNCj4gPiA+ID4gQEAgLTkx
MTUsNiArOTExNSw3IEBAIHN0YXRpYyBpbnQgbmw4MDIxMV9jb25uZWN0KHN0cnVjdCBza19idWZm
DQo+ID4gPiA+ICpza2IsIHN0cnVjdCBnZW5sX2luZm8gKmluZm8pDQo+ID4gPiA+IMKgCWlmIChp
bmZvLT5hdHRyc1tOTDgwMjExX0FUVFJfVVNFX01GUF0pIHsNCj4gPiA+ID4gwqAJCWNvbm5lY3Qu
bWZwID0gbmxhX2dldF91MzIoaW5mby0NCj4gPiA+ID4gPiBhdHRyc1tOTDgwMjExX0FUVFJfVVNF
X01GUF0pOw0KPiA+ID4gPiANCj4gPiA+ID4gwqAJCWlmIChjb25uZWN0Lm1mcCAhPSBOTDgwMjEx
X01GUF9SRVFVSVJFRCAmJg0KPiA+ID4gPiArCQnCoMKgwqDCoGNvbm5lY3QubWZwICE9IE5MODAy
MTFfTUZQX09QVElPTkFMICYmDQo+ID4gPiA+IMKgCQnCoMKgwqDCoGNvbm5lY3QubWZwICE9IE5M
ODAyMTFfTUZQX05PKQ0KPiA+ID4gPiDCoAkJCXJldHVybiAtRUlOVkFMOw0KPiA+ID4gPiDCoAl9
IGVsc2Ugew0KPiA+ID4gDQo+ID4gPiBJIGd1ZXNzIEknbSBtaXNzaW5nIHNvbWV0aGluZywgYnV0
IGhvdyBpcyBiYWNrd2FyZHMgY29tcGF0aWJpbGl0eQ0KPiA+ID4gc3VwcG9zZWQgdG8gd29yayBm
cm9tIHVzZXIgc3BhY2UgcG9pbnQgb2Ygdmlldz8gSWYgdXNlciBzcGFjZQ0KPiA+ID4gdXNlcw0K
PiA+ID4gTkw4MDIxMV9NRlBfT1BUSU9OQUwgd2l0aCBhbiBvbGQga2VybmVsLCB0aGUga2VybmVs
IHdpbGwgcmVqZWN0DQo+ID4gPiB0aGUNCj4gPiA+IGNvbW1hbmQgd2l0aCAtRUlOVkFMIGFuZCB1
c2VyIHNwYWNlIHdpbGwgdHJ5IGFnYWluIHdpdGhvdXQNCj4gPiA+IE5MODAyMTFfTUZQX09QVElP
TkFMPw0KPiA+IA0KPiA+IE5vIHlvdSBhcmUgbm90LiBJIHNpbXBseSBmb3Jnb3QgdGhhdCBwb2lu
dC4gSSBndWVzcyB0aGF0IHRoaXMgd291bGQNCj4gPiBiZQ0KPiA+IHRoZSBiZWhhdmlvciwgeWVz
Li4uDQo+IA0KPiBJIGRvbid0IHRoaW5rIHRoYXQncyB2ZXJ5IHJvYnVzdC4gSG93IHdvdWxkIHVz
ZXIgc3BhY2UNCj4gKHdwYXN1cHBsaWNhbnQpDQo+IGtub3cgaWYgdGhlIHRoZSBFSU5WQUwgaXMg
YmVjYXVzZSBOTDgwMjExX01GUF9PUFRJT05BTCBpcyBub3QNCj4gc3VwcG9ydGVkDQo+IGJ5IHRo
ZSBrZXJuZWwgb3IgYmVjYXVzZSBvZiBzb21lIG90aGVyIGVycm9yPw0KDQpJIGhlYXIsIEkgaGVh
ci4gVGhpcyBpcyBub3QgYW4gb3B0aW9uLCB5b3UgYXJlIHJpZ2h0Lg0KDQo+IA0KPiA+IFRoaXMg
aXMgcmVsZXZhbnQgZm9yIGFwX3NjYW49MiB3cGFfcyBjb25maWd1cmF0aW9uIG9ubHkgd2hpY2gg
bWFrZXMNCj4gPiBpdA0KPiA+IG5vdCByZWFsbHkgY29tbW9uLCBidXQgc3RpbGwsIHlvdSBhcmUg
cmlnaHQuIE5vdCBzdXJlIGhvdyBlYXN5IGl0DQo+ID4gd2lsbA0KPiA+IGJlIHRvIHdyaXRlIHRo
aXMgbG9naWMgaW4gdGhlIHN1cHBsaWNhbnQgdGhvdWdoLi4uIFVubGVzcyB3ZSBhZGQgYW4NCj4g
PiBubDgwMjExIGZlYXR1cmUgYml0IGJ1dCBJIGZlZWwgaXQnZCBiZSBhIGJpdCBvZiBhIHdhc3Rl
Lg0KPiANCj4gSSBkb24ndCBmZWVsIHRoYXQgYWRkaW5nIGEgZmVhdHVyZSBiaXQgaXMgd2FzdGUs
IEkgcmF0aGVyIHVzZSBhDQo+IGZlYXR1cmUNCj4gZmxhZyB0aGFuIG1ha2luZyB1Z2x5IGhhY2tz
IHRvIHVzZXIgc3BhY2UuIEJ1dCBvZiBjb3Vyc2UgdGhpcyBpcyB1cA0KPiB0bw0KPiBKb3VuaSBh
bmQgSm9oYW5uZXMuDQoNCk15IGxhdGVzdCBwb2ludCBpcyB0aGF0IGl0IHdvdWxkbid0IGhlbHAg
c2luY2UgdGhlIHVzZWZ1bCB1c2FnZSB3YXMNCndpdGggYXBfc2Nhbj0yIGluIHdoaWNoIHdwYV9z
dXBwbGljYW50IGNhbid0IHJlYWxseSBrbm93IHdoYXQgdG8gcHV0DQp0aGVyZS4gT3IuLi4gTm8u
IEl0IF9jYW5fIHdvcmsuIFRoZSB1c2VyIHdvdWxkIGNvbmZpZ3VyZSBwbWY9b3B0aW9uYWwNCmlu
IHRoZSB3cGFfc3VwcGxpY2FudCBjb25maWd1cmF0aW9uLCBhbmQgd3BhX3N1cHBsaWNhbnQgY2Fu
IGNoZWNrIGlmDQp0aGF0IHRoZSB1bmRlcmx5aW5nIGtlcm5lbCBzdXBwb3J0cyBpdCB3aXRoIHRo
ZSBoZWxwIG9mIHRoZSBmZWF0dXJlDQpmbGFnLg0KU2luY2UgdGhlIHBtZj1vcHRpb25hbCBjb25m
aWd1cmF0aW9uIGluIHdwYV9zdXBwbGljYW50IHdpbGwgY29tZSBmcm9tDQp0aGUgdXNlciAodGhh
dCBjb25maWd1cmVzIHRoZSBuZXR3b3JrIGluc2lkZSB3cGFfc3VwcGxpY2FudCksDQp3cGFfc3Vw
cGxpY2FudCBjYW4gZG8gdGhpcyBjaGVjay4NCg0KSSdsbCBhZGQgdGhpcy4=

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Grumbach, Emmanuel]

T24gVHVlLCAyMDE3LTA4LTE1IGF0IDEwOjQ5ICswMzAwLCBFbW1hbnVlbCBHcnVtYmFjaCB3cm90
ZToNCj4gT24gVHVlLCAyMDE3LTA4LTE1IGF0IDEwOjE2ICswMzAwLCBLYWxsZSBWYWxvIHdyb3Rl
Og0KPiA+ICJHcnVtYmFjaCwgRW1tYW51ZWwiIDxlbW1hbnVlbC5ncnVtYmFjaEBpbnRlbC5jb20+
IHdyaXRlczoNCj4gPiANCj4gPiA+IE9uIE1vbiwgMjAxNy0wOC0xNCBhdCAyMDoxNCArMDMwMCwg
S2FsbGUgVmFsbyB3cm90ZToNCj4gPiA+ID4gRW1tYW51ZWwgR3J1bWJhY2ggPGVtbWFudWVsLmdy
dW1iYWNoQGludGVsLmNvbT4gd3JpdGVzOg0KPiA+ID4gPiANCj4gPiA+ID4gPiBVc2VyIHNwYWNl
IGNhbiBub3cgYWxsb3cgdGhlIGtlcm5lbCB0byBhc3NvY2lhdGUgdG8gYW4gQVANCj4gPiA+ID4g
PiB0aGF0IHJlcXVpcmVzIE1GUCBvciB0aGF0IGRvZXNuJ3QgaGF2ZSBNRlAgZW5hYmxlZCBpbiB0
aGUNCj4gPiA+ID4gPiBzYW1lIE5MODAyMTFfQ01EX0NPTk5FQ1QgY29tbWFuZC4NCj4gPiA+ID4g
PiBUaGUgZHJpdmVyIC8gZmlybXdhcmUgd2lsbCBkZWNpZGUgd2hldGhlciB0byB1c2UgaXQgb3Ig
bm90Lg0KPiA+ID4gPiA+IA0KPiA+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IEVtbWFudWVsIEdydW1i
YWNoIDxlbW1hbnVlbC5ncnVtYmFjaEBpbnRlbC5jb20NCj4gPiA+ID4gPiA+DQo+ID4gDQo+ID4g
Wy4uLl0NCj4gPiANCj4gPiA+ID4gPiAtLS0gYS9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jDQo+ID4g
PiA+ID4gKysrIGIvbmV0L3dpcmVsZXNzL25sODAyMTEuYw0KPiA+ID4gPiA+IEBAIC05MTE1LDYg
KzkxMTUsNyBAQCBzdGF0aWMgaW50IG5sODAyMTFfY29ubmVjdChzdHJ1Y3QNCj4gPiA+ID4gPiBz
a19idWZmDQo+ID4gPiA+ID4gKnNrYiwgc3RydWN0IGdlbmxfaW5mbyAqaW5mbykNCj4gPiA+ID4g
PiDCoAlpZiAoaW5mby0+YXR0cnNbTkw4MDIxMV9BVFRSX1VTRV9NRlBdKSB7DQo+ID4gPiA+ID4g
wqAJCWNvbm5lY3QubWZwID0gbmxhX2dldF91MzIoaW5mby0NCj4gPiA+ID4gPiA+IGF0dHJzW05M
ODAyMTFfQVRUUl9VU0VfTUZQXSk7DQo+ID4gPiA+ID4gDQo+ID4gPiA+ID4gwqAJCWlmIChjb25u
ZWN0Lm1mcCAhPSBOTDgwMjExX01GUF9SRVFVSVJFRCAmJg0KPiA+ID4gPiA+ICsJCcKgwqDCoMKg
Y29ubmVjdC5tZnAgIT0gTkw4MDIxMV9NRlBfT1BUSU9OQUwgJiYNCj4gPiA+ID4gPiDCoAkJwqDC
oMKgwqBjb25uZWN0Lm1mcCAhPSBOTDgwMjExX01GUF9OTykNCj4gPiA+ID4gPiDCoAkJCXJldHVy
biAtRUlOVkFMOw0KPiA+ID4gPiA+IMKgCX0gZWxzZSB7DQo+ID4gPiA+IA0KPiA+ID4gPiBJIGd1
ZXNzIEknbSBtaXNzaW5nIHNvbWV0aGluZywgYnV0IGhvdyBpcyBiYWNrd2FyZHMNCj4gPiA+ID4g
Y29tcGF0aWJpbGl0eQ0KPiA+ID4gPiBzdXBwb3NlZCB0byB3b3JrIGZyb20gdXNlciBzcGFjZSBw
b2ludCBvZiB2aWV3PyBJZiB1c2VyIHNwYWNlDQo+ID4gPiA+IHVzZXMNCj4gPiA+ID4gTkw4MDIx
MV9NRlBfT1BUSU9OQUwgd2l0aCBhbiBvbGQga2VybmVsLCB0aGUga2VybmVsIHdpbGwgcmVqZWN0
DQo+ID4gPiA+IHRoZQ0KPiA+ID4gPiBjb21tYW5kIHdpdGggLUVJTlZBTCBhbmQgdXNlciBzcGFj
ZSB3aWxsIHRyeSBhZ2FpbiB3aXRob3V0DQo+ID4gPiA+IE5MODAyMTFfTUZQX09QVElPTkFMPw0K
PiA+ID4gDQo+ID4gPiBObyB5b3UgYXJlIG5vdC4gSSBzaW1wbHkgZm9yZ290IHRoYXQgcG9pbnQu
IEkgZ3Vlc3MgdGhhdCB0aGlzDQo+ID4gPiB3b3VsZA0KPiA+ID4gYmUNCj4gPiA+IHRoZSBiZWhh
dmlvciwgeWVzLi4uDQo+ID4gDQo+ID4gSSBkb24ndCB0aGluayB0aGF0J3MgdmVyeSByb2J1c3Qu
IEhvdyB3b3VsZCB1c2VyIHNwYWNlDQo+ID4gKHdwYXN1cHBsaWNhbnQpDQo+ID4ga25vdyBpZiB0
aGUgdGhlIEVJTlZBTCBpcyBiZWNhdXNlIE5MODAyMTFfTUZQX09QVElPTkFMIGlzIG5vdA0KPiA+
IHN1cHBvcnRlZA0KPiA+IGJ5IHRoZSBrZXJuZWwgb3IgYmVjYXVzZSBvZiBzb21lIG90aGVyIGVy
cm9yPw0KPiANCj4gSSBoZWFyLCBJIGhlYXIuIFRoaXMgaXMgbm90IGFuIG9wdGlvbiwgeW91IGFy
ZSByaWdodC4NCj4gDQo+ID4gDQo+ID4gPiBUaGlzIGlzIHJlbGV2YW50IGZvciBhcF9zY2FuPTIg
d3BhX3MgY29uZmlndXJhdGlvbiBvbmx5IHdoaWNoDQo+ID4gPiBtYWtlcw0KPiA+ID4gaXQNCj4g
PiA+IG5vdCByZWFsbHkgY29tbW9uLCBidXQgc3RpbGwsIHlvdSBhcmUgcmlnaHQuIE5vdCBzdXJl
IGhvdyBlYXN5IGl0DQo+ID4gPiB3aWxsDQo+ID4gPiBiZSB0byB3cml0ZSB0aGlzIGxvZ2ljIGlu
IHRoZSBzdXBwbGljYW50IHRob3VnaC4uLiBVbmxlc3Mgd2UgYWRkDQo+ID4gPiBhbg0KPiA+ID4g
bmw4MDIxMSBmZWF0dXJlIGJpdCBidXQgSSBmZWVsIGl0J2QgYmUgYSBiaXQgb2YgYSB3YXN0ZS4N
Cj4gPiANCj4gPiBJIGRvbid0IGZlZWwgdGhhdCBhZGRpbmcgYSBmZWF0dXJlIGJpdCBpcyB3YXN0
ZSwgSSByYXRoZXIgdXNlIGENCj4gPiBmZWF0dXJlDQo+ID4gZmxhZyB0aGFuIG1ha2luZyB1Z2x5
IGhhY2tzIHRvIHVzZXIgc3BhY2UuIEJ1dCBvZiBjb3Vyc2UgdGhpcyBpcyB1cA0KPiA+IHRvDQo+
ID4gSm91bmkgYW5kIEpvaGFubmVzLg0KPiANCj4gTXkgbGF0ZXN0IHBvaW50IGlzIHRoYXQgaXQg
d291bGRuJ3QgaGVscCBzaW5jZSB0aGUgdXNlZnVsIHVzYWdlIHdhcw0KPiB3aXRoIGFwX3NjYW49
MiBpbiB3aGljaCB3cGFfc3VwcGxpY2FudCBjYW4ndCByZWFsbHkga25vdyB3aGF0IHRvIHB1dA0K
PiB0aGVyZS4gT3IuLi4gTm8uIEl0IF9jYW5fIHdvcmsuIFRoZSB1c2VyIHdvdWxkIGNvbmZpZ3Vy
ZSBwbWY9b3B0aW9uYWwNCj4gaW4gdGhlIHdwYV9zdXBwbGljYW50IGNvbmZpZ3VyYXRpb24sIGFu
ZCB3cGFfc3VwcGxpY2FudCBjYW4gY2hlY2sgaWYNCj4gdGhhdCB0aGUgdW5kZXJseWluZyBrZXJu
ZWwgc3VwcG9ydHMgaXQgd2l0aCB0aGUgaGVscCBvZiB0aGUgZmVhdHVyZQ0KPiBmbGFnLg0KPiBT
aW5jZSB0aGUgcG1mPW9wdGlvbmFsIGNvbmZpZ3VyYXRpb24gaW4gd3BhX3N1cHBsaWNhbnQgd2ls
bCBjb21lIGZyb20NCj4gdGhlIHVzZXIgKHRoYXQgY29uZmlndXJlcyB0aGUgbmV0d29yayBpbnNp
ZGUgd3BhX3N1cHBsaWNhbnQpLA0KPiB3cGFfc3VwcGxpY2FudCBjYW4gZG8gdGhpcyBjaGVjay4N
Cj4gDQo+IEknbGwgYWRkIHRoaXMuDQo+IA0KDQpBbmQgdGhlbiwgdGhlIGNmZzgwMjExIGRyaXZl
ciBjYW4gYWRkIHRoaXMgYnkgaXRzZWxmLCBzbyB0aGF0IHF1YW50ZW5uYQ0KZm9sa3MgZG9uJ3Qg
aGF2ZSB0byBmZWFyIGdldHRpbmcgdGhlIG5ldyB2YWx1ZSBpbnRvIHRoZWlyIGZpcm13YXJlLA0K
YWx0aG91Z2ggdGhleSBhbHJlYWR5IHJlcG9ydGVkIGl0J2Qgd29yayBmb3IgdGhlbS4=

[PATCH v2] nl80211: add an option to allow MFP without requiring it

[Emmanuel Grumbach]

User space can now allow the kernel to associate to an AP
that requires MFP or that doesn't have MFP enabled in the
same NL80211_CMD_CONNECT command.
The driver / firmware will decide whether to use it or not.
Add a feature bit to inform the user space the kernel
supports this setting.

This new option will be useful for firmwares that can
generate the RSN IE internally and when the user space does
not have the RSN IE of the AP we're connecting to. Since
the user space doesn't see the RSN IE of the AP, it cannot
fully decide whether to require or to forbid MFP. It needs
to be given the possibility to allow the driver to use MFP
without making it mandatory.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
v2: * add a feature flag
    * fix the comment of NL80211_MFP_OPTIONAL as pointed out by Igor
---
 include/uapi/linux/nl80211.h | 13 +++++++++++--
 net/wireless/nl80211.c       |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 7950c71c0ad4..e98c93d86220 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1410,8 +1410,12 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_USE_MFP: Whether management frame protection (IEEE 802.11w) is
  *	used for the association (&enum nl80211_mfp, represented as a u32);
- *	this attribute can be used
- *	with %NL80211_CMD_ASSOCIATE and %NL80211_CMD_CONNECT requests
+ *	this attribute can be used with %NL80211_CMD_ASSOCIATE and
+ *	%NL80211_CMD_CONNECT requests. %NL80211_MFP_OPTIONAL is not allowed for
+ *	%NL80211_CMD_ASSOCIATE since user space SME is expected and hence, it
+ *	must have decided whether to use management frame protection or not.
+ *	Setting %NL80211_MFP_OPTIONAL with a %NL80211_CMD_CONNECT request will
+ *	let the driver (or the firmware) decide whether to use MFP or not.
  *
  * @NL80211_ATTR_STA_FLAGS2: Attribute containing a
  *	&struct nl80211_sta_flag_update.
@@ -4086,10 +4090,12 @@ enum nl80211_key_type {
  * enum nl80211_mfp - Management frame protection state
  * @NL80211_MFP_NO: Management frame protection not used
  * @NL80211_MFP_REQUIRED: Management frame protection required
+ * @NL80211_MFP_OPTIONAL: Management frame protection is optional
  */
 enum nl80211_mfp {
 	NL80211_MFP_NO,
 	NL80211_MFP_REQUIRED,
+	NL80211_MFP_OPTIONAL,
 };
 
 enum nl80211_wpa_versions {
@@ -5058,6 +5064,8 @@ enum nl80211_feature_flags {
  *	the first probe request in each channel at rate of at least 5.5Mbps.
  * @NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION: Driver supports
  *	probe request tx deferral and suppression
+ * @NL80211_EXT_FEATURE_MFP_OPTIONAL: Driver supports the %NL80211_MFP_OPTIONAL
+ *	value in %NL80211_ATTR_USE_MFP.
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5083,6 +5091,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
+	NL80211_EXT_FEATURE_MFP_OPTIONAL,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8f035d9868d1..829867132326 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
 		if (connect.mfp != NL80211_MFP_REQUIRED &&
+		    connect.mfp != NL80211_MFP_OPTIONAL &&
 		    connect.mfp != NL80211_MFP_NO)
 			return -EINVAL;
 	} else {
-- 
2.9.3

[PATCH v3] nl80211: add an option to allow MFP without requiring it

[Emmanuel Grumbach]

User space can now allow the kernel to associate to an AP
that requires MFP or that doesn't have MFP enabled in the
same NL80211_CMD_CONNECT command.
The driver / firmware will decide whether to use it or not.
Add a feature bit to inform the user space the kernel
supports this setting.

This new option will be useful for firmwares that can
generate the RSN IE internally and when the user space does
not have the RSN IE of the AP we're connecting to. Since
the user space doesn't see the RSN IE of the AP, it cannot
fully decide whether to require or to forbid MFP. It needs
to be given the possibility to allow the driver to use MFP
without making it mandatory.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
v2: * add a feature flag
    * fix the comment of NL80211_MFP_OPTIONAL as pointed out by Igor
v3: check the feature flag
---
 include/uapi/linux/nl80211.h | 13 +++++++++++--
 net/wireless/nl80211.c       |  5 ++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 7950c71c0ad4..e98c93d86220 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1410,8 +1410,12 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_USE_MFP: Whether management frame protection (IEEE 802.11w) is
  *	used for the association (&enum nl80211_mfp, represented as a u32);
- *	this attribute can be used
- *	with %NL80211_CMD_ASSOCIATE and %NL80211_CMD_CONNECT requests
+ *	this attribute can be used with %NL80211_CMD_ASSOCIATE and
+ *	%NL80211_CMD_CONNECT requests. %NL80211_MFP_OPTIONAL is not allowed for
+ *	%NL80211_CMD_ASSOCIATE since user space SME is expected and hence, it
+ *	must have decided whether to use management frame protection or not.
+ *	Setting %NL80211_MFP_OPTIONAL with a %NL80211_CMD_CONNECT request will
+ *	let the driver (or the firmware) decide whether to use MFP or not.
  *
  * @NL80211_ATTR_STA_FLAGS2: Attribute containing a
  *	&struct nl80211_sta_flag_update.
@@ -4086,10 +4090,12 @@ enum nl80211_key_type {
  * enum nl80211_mfp - Management frame protection state
  * @NL80211_MFP_NO: Management frame protection not used
  * @NL80211_MFP_REQUIRED: Management frame protection required
+ * @NL80211_MFP_OPTIONAL: Management frame protection is optional
  */
 enum nl80211_mfp {
 	NL80211_MFP_NO,
 	NL80211_MFP_REQUIRED,
+	NL80211_MFP_OPTIONAL,
 };
 
 enum nl80211_wpa_versions {
@@ -5058,6 +5064,8 @@ enum nl80211_feature_flags {
  *	the first probe request in each channel at rate of at least 5.5Mbps.
  * @NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION: Driver supports
  *	probe request tx deferral and suppression
+ * @NL80211_EXT_FEATURE_MFP_OPTIONAL: Driver supports the %NL80211_MFP_OPTIONAL
+ *	value in %NL80211_ATTR_USE_MFP.
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5083,6 +5091,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
+	NL80211_EXT_FEATURE_MFP_OPTIONAL,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8f035d9868d1..42a48577f3f7 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9115,7 +9115,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
 		if (connect.mfp != NL80211_MFP_REQUIRED &&
-		    connect.mfp != NL80211_MFP_NO)
+		    connect.mfp != NL80211_MFP_NO &&
+		    (connect.mfp != NL80211_MFP_OPTIONAL ||
+		     !wiphy_ext_feature_isset(&rdev->wiphy,
+					NL80211_EXT_FEATURE_MFP_OPTIONAL)))
 			return -EINVAL;
 	} else {
 		connect.mfp = NL80211_MFP_NO;
-- 
2.9.3

[PATCH v4 12/19] nl80211: add an option to allow MFP without requiring it

[Luca Coelho]

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

The user space can now allow the kernel to associate to an AP that
requires MFP or that doesn't have MFP enabled in the same
NL80211_CMD_CONNECT command, by using a new NL80211_MFP_OPTIONAL flag.
The driver / firmware will decide whether to use it or not.

Include a feature bit to advertise support for NL80211_MFP_OPTIONAL.
This allows new user space to run on old kernels and know that it
cannot use the new attribute if it isn't supported.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
v2: * add a feature flag
    * fix the comment of NL80211_MFP_OPTIONAL as pointed out by Igor
v3: check the feature flag
v4: return -EOPNOTSUPP if OPTIONAL is set but not supported by the
    driver (internal review)

 include/uapi/linux/nl80211.h | 13 +++++++++++--
 net/wireless/nl80211.c       |  8 +++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 76404d8a8863..59ba6ca66a0d 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1407,8 +1407,12 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_USE_MFP: Whether management frame protection (IEEE 802.11w) is
  *	used for the association (&enum nl80211_mfp, represented as a u32);
- *	this attribute can be used
- *	with %NL80211_CMD_ASSOCIATE and %NL80211_CMD_CONNECT requests
+ *	this attribute can be used with %NL80211_CMD_ASSOCIATE and
+ *	%NL80211_CMD_CONNECT requests. %NL80211_MFP_OPTIONAL is not allowed for
+ *	%NL80211_CMD_ASSOCIATE since user space SME is expected and hence, it
+ *	must have decided whether to use management frame protection or not.
+ *	Setting %NL80211_MFP_OPTIONAL with a %NL80211_CMD_CONNECT request will
+ *	let the driver (or the firmware) decide whether to use MFP or not.
  *
  * @NL80211_ATTR_STA_FLAGS2: Attribute containing a
  *	&struct nl80211_sta_flag_update.
@@ -3947,10 +3951,12 @@ enum nl80211_key_type {
  * enum nl80211_mfp - Management frame protection state
  * @NL80211_MFP_NO: Management frame protection not used
  * @NL80211_MFP_REQUIRED: Management frame protection required
+ * @NL80211_MFP_OPTIONAL: Management frame protection is optional
  */
 enum nl80211_mfp {
 	NL80211_MFP_NO,
 	NL80211_MFP_REQUIRED,
+	NL80211_MFP_OPTIONAL,
 };
 
 enum nl80211_wpa_versions {
@@ -4923,6 +4929,8 @@ enum nl80211_feature_flags {
  *	the first probe request in each channel at rate of at least 5.5Mbps.
  * @NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION: Driver supports
  *	probe request tx deferral and suppression
+ * @NL80211_EXT_FEATURE_MFP_OPTIONAL: Driver supports the %NL80211_MFP_OPTIONAL
+ *	value in %NL80211_ATTR_USE_MFP.
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -4949,6 +4957,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE,
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
+	NL80211_EXT_FEATURE_MFP_OPTIONAL,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d57abdfa60da..8ed9ef40bbee 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8948,8 +8948,14 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 
 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
+		if (connect.mfp == NL80211_MFP_OPTIONAL &&
+		    !wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
+			return -EOPNOTSUPP;
+
 		if (connect.mfp != NL80211_MFP_REQUIRED &&
-		    connect.mfp != NL80211_MFP_NO)
+		    connect.mfp != NL80211_MFP_NO &&
+		    connect.mfp != NL80211_MFP_OPTIONAL)
 			return -EINVAL;
 	} else {
 		connect.mfp = NL80211_MFP_NO;
-- 
2.14.1