linux-wireless.vger.kernel.org archive mirror
* [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
@ 2019-01-04  6:11 Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
                   ` (6 more replies)
  0 siblings, 7 replies; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Add NL80211_ATTR_IFINDEX attribute to port authorized event to indicate
the operating interface of the device.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 net/wireless/nl80211.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5e49492d5911..594aeba2982a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -14727,7 +14727,8 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
 		return;
 	}
 
-	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
+	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
+	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
 		goto nla_put_failure;
 
 	genlmsg_end(msg, hdr);
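
Review bot: The nla_put_u32() added to the `if` condition gives listeners the netdev index, but the event still carries no NL80211_ATTR_WIPHY, so a listener that keys its state by wiphy has to resolve the phy from the ifindex itself. Put the wiphy index into the message in the same condition chain, next to the ifindex. The diffstat shows only net/wireless/nl80211.c changing, so the uapi description of the port authorized event is not updated to list the new attribute either.
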
-- 
2.1.0



* [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-07  9:44   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

With 4-way handshake offload for 802.1X authentication, a port
authorized event should be sent to user space after the completion of
4-way handshake. It is used to indicate that a connection is authorized
and 802.1X authentication is no longer required.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 23 +++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 35301237d435..ad0d775a1244 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5266,10 +5266,13 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	u32 event = e->event_code;
 	u32 status = e->status;
 
-	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
-	    event == BRCMF_E_PSK_SUP &&
-	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
+	if (event == BRCMF_E_PSK_SUP &&
+	    status == BRCMF_E_STATUS_FWSUP_COMPLETED) {
 		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
+		if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_1X)
+			return true;
+	}
+
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
 		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
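
Review bot: With the use_fwsup test dropped from the first `if`, BRCMF_VIF_STATUS_EAP_SUCCESS is set on every BRCMF_E_PSK_SUP event with BRCMF_E_STATUS_FWSUP_COMPLETED, including profiles left at BRCMF_PROFILE_FWSUP_NONE, and the 1X branch returns true without looking at BRCMF_VIF_STATUS_ASSOC_SUCCESS. This bit later drives the port authorized report, so keep the state change limited to the offload profiles, for example by testing use_fwsup for PSK or 1X before set_bit(), and say in a comment why the 1X case does not need the association bit.
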
@@ -5280,11 +5283,10 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	}
 
 	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
-	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
-		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
-		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+	    test_and_clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS,
+			       &vif->sme_state))
 		return true;
-	}
+
 	return false;
 }
 
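Review bot: The rewritten condition clears only BRCMF_VIF_STATUS_ASSOC_SUCCESS; BRCMF_VIF_STATUS_EAP_SUCCESS stays set after this function returns true and is consumed only in brcmf_bss_connect_done(). If that function is not reached for this connection, the bit survives into the next attempt and satisfies the first half of this test before the new handshake has completed. Clear it on the link-down and failure paths as well, or add a comment naming the one place that is responsible for clearing it.
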
@@ -5501,6 +5503,13 @@ brcmf_bss_connect_done(struct brcmf_cfg80211_info *cfg,
 		brcmf_dbg(CONN, "Report connect result - connection %s\n",
 			  completed ? "succeeded" : "failed");
 	}
+
+	if (test_and_clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS,
+			       &ifp->vif->sme_state) &&
+	    profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X) {
+		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
+		brcmf_dbg(CONN, "Report port authorized\n");
+	}
 	brcmf_dbg(TRACE, "Exit\n");
 	return 0;
 }
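
Review bot: The new block sits after the closing brace of the connect-result reporting and does not test `completed`, so an EAP_SUCCESS bit that is set when the connection is reported as failed still produces cfg80211_port_authorized(). Gate the call on `completed` and clear the bit in both cases, so user space never sees a port authorized event for a connection that was just reported as failed.
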
-- 
2.1.0



* [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-07 12:00   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

With FT-802.1X, driver should send a port authorized event right after
sending a roamed event. It is used to indicate that a new AP is already
authorized so 802.1X is not required.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++++++
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h | 1 +
 2 files changed, 9 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index ad0d775a1244..854abf010aa7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1607,6 +1607,7 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 	u16 count;
 
 	profile->use_fwsup = BRCMF_PROFILE_FWSUP_NONE;
+	profile->is_ft = false;
 
 	if (!sme->crypto.n_akm_suites)
 		return 0;
@@ -1651,11 +1652,13 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 			break;
 		case WLAN_AKM_SUITE_FT_8021X:
 			val = WPA2_AUTH_UNSPECIFIED | WPA2_AUTH_FT;
+			profile->is_ft = true;
 			if (sme->want_1x)
 				profile->use_fwsup = BRCMF_PROFILE_FWSUP_1X;
 			break;
 		case WLAN_AKM_SUITE_FT_PSK:
 			val = WPA2_AUTH_PSK | WPA2_AUTH_FT;
+			profile->is_ft = true;
 			break;
 		default:
 			brcmf_err("invalid cipher group (%d)\n",
@@ -5465,6 +5468,11 @@ brcmf_bss_roaming_done(struct brcmf_cfg80211_info *cfg,
 	cfg80211_roamed(ndev, &roam_info, GFP_KERNEL);
 	brcmf_dbg(CONN, "Report roaming result\n");
 
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X && profile->is_ft) {
+		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
+		brcmf_dbg(CONN, "Report port authorized\n");
+	}
+
 	set_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state);
 	brcmf_dbg(TRACE, "Exit\n");
 	return err;
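
Review bot: cfg80211_port_authorized() is passed profile->bssid, while the roam itself is reported through roam_info two lines above, and nothing in this hunk shows profile->bssid holding the new AP's address at this point. The event tells user space that the new AP needs no 802.1X exchange, so take the BSSID from the same source as the roamed event, or add a comment stating where profile->bssid was updated.
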
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 9a6287f084a9..6a7dec908b6f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -133,6 +133,7 @@ struct brcmf_cfg80211_profile {
 	struct brcmf_cfg80211_security sec;
 	struct brcmf_wsec_key key[BRCMF_MAX_DEFAULT_KEYS];
 	enum brcmf_profile_fwsup use_fwsup;
+	bool is_ft;
 };
 
 /**
-- 
2.1.0



* [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Add definition of WPA version 3 for SAE authentication.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/uapi/linux/nl80211.h | 1 +
 net/wireless/nl80211.c       | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 31ae5c7f10e3..12762afb3a07 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -4319,6 +4319,7 @@ enum nl80211_mfp {
 enum nl80211_wpa_versions {
 	NL80211_WPA_VERSION_1 = 1 << 0,
 	NL80211_WPA_VERSION_2 = 1 << 1,
+	NL80211_WPA_VERSION_3 = 1 << 2,
 };
 
 /**
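
Review bot: NL80211_WPA_VERSION_3 is added to a uapi enum with no description; the diffstat shows a single added line in this header. Add a line of documentation saying that the value selects WPA3 (SAE), so user space does not have to infer the meaning from the commit message.
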
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 594aeba2982a..c464ce8bc248 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8532,7 +8532,8 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
 {
 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
-				  NL80211_WPA_VERSION_2));
+				  NL80211_WPA_VERSION_2 |
+				  NL80211_WPA_VERSION_3));
 }
 
 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
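
Review bot: nl80211_valid_wpa_versions() now accepts NL80211_WPA_VERSION_3 for every driver, with no capability check. At this point in the series brcmf_set_wpa_version() has no branch for the new bit, and a request carrying only version 3 falls through to its final `else`, which sets WPA_AUTH_DISABLED. Order the driver change before this one, or reject the bit unless the device advertises SAE support.
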
-- 
2.1.0



* [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (2 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-04  9:26   ` Marcel Holtmann
  2019-01-04 11:10   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
                   ` (2 subsequent siblings)
  6 siblings, 2 replies; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Let drivers advertise support for station-mode SAE authentication
offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/linux/ieee80211.h    |  1 +
 include/net/cfg80211.h       |  5 +++++
 include/uapi/linux/nl80211.h | 16 ++++++++++++++++
 net/wireless/nl80211.c       | 14 ++++++++++++++
 4 files changed, 36 insertions(+)

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 3b04e72315e1..37d3e655e547 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
 #define FILS_ERP_MAX_RRK_LEN		64
 
 #define PMK_MAX_LEN			64
+#define SAE_PASSWORD_MAX_LEN		128
 
 /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
 enum ieee80211_pub_actioncode {
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e0c41eb1c860..5809dac97b33 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -740,6 +740,9 @@ struct survey_info {
  *	CFG80211_MAX_WEP_KEYS WEP keys
  * @wep_tx_key: key index (0..3) of the default TX static WEP key
  * @psk: PSK (for devices supporting 4-way-handshake offload)
+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
+ *	offload)
+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
  */
 struct cfg80211_crypto_settings {
 	u32 wpa_versions;
@@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
 	struct key_params *wep_keys;
 	int wep_tx_key;
 	const u8 *psk;
+	const u8 *sae_pwd;
+	u16 sae_pwd_len;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 12762afb3a07..4840aaed39ba 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -235,6 +235,15 @@
  */
 
 /**
+ * DOC: SAE authentication offload
+ *
+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
+ * support offloading SAE authentication for WPA3-Personal networks. In
+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
+ * %NL80211_ATTR_SAE_PASSWORD.
+ */
+
+/**
  * enum nl80211_commands - supported nl80211 commands
  *
  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -2288,6 +2297,9 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
  *	statistics, see &enum nl80211_ftm_responder_stats.
+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
+ *	is used with %NL80211_CMD_CONNECT to provide password for offloading
+ *	SAE authentication for WPA3-Personal networks.
  *
  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
  *	if the attribute is not given no timeout is requested. Note that 0 is an
@@ -2743,6 +2755,7 @@ enum nl80211_attrs {
 	NL80211_ATTR_FTM_RESPONDER,
 
 	NL80211_ATTR_FTM_RESPONDER_STATS,
+	NL80211_ATTR_SAE_PASSWORD,
 
 	NL80211_ATTR_TIMEOUT,
 
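Review bot: NL80211_ATTR_SAE_PASSWORD is inserted ahead of NL80211_ATTR_TIMEOUT, which renumbers NL80211_ATTR_TIMEOUT and every attribute after it in a uapi enum and breaks binaries built against the old header. Append the new attribute at the end of enum nl80211_attrs and move its kernel-doc entry to match.
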
@@ -5316,6 +5329,8 @@ enum nl80211_feature_flags {
  *      able to rekey an in-use key correctly. Userspace must not rekey PTK keys
  *      if this flag is not set. Ignoring this can leak clear text packets and/or
  *      freeze the connection.
+ * @NL80211_EXT_FEATURE_SAE_OFFLOAD: Device wants to do SAE authentication in
+ *	station mode (SAE password is passed as part of the connect command).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5356,6 +5371,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT,
 	NL80211_EXT_FEATURE_CAN_REPLACE_PTK0,
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER,
+	NL80211_EXT_FEATURE_SAE_OFFLOAD,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c464ce8bc248..d1ebc93d5d56 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -557,6 +557,8 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_PEER_MEASUREMENTS] =
 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
 				  nl80211_pmsr_attr_policy),
+	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
+					.len = SAE_PASSWORD_MAX_LEN },
 };
 
 /* policy for the key attributes */
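
Review bot: The policy entry bounds the attribute only from above (.len = SAE_PASSWORD_MAX_LEN), so a zero-length NL80211_ATTR_SAE_PASSWORD passes validation and reaches the driver as a non-NULL sae_pwd with sae_pwd_len of 0. Reject an empty password where the attribute is read in nl80211_crypto_settings(), or give the policy a minimum length.
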
@@ -4348,6 +4350,8 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
 		return true;
 	case NL80211_CMD_CONNECT:
 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
+		    !wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
 		    auth_type == NL80211_AUTHTYPE_SAE)
 			return false;
 
@@ -8769,6 +8773,16 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
 	}
 
+	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
+		if (!wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
+			return -EINVAL;
+		settings->sae_pwd =
+			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+		settings->sae_pwd_len =
+			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+	}
+
 	return 0;
 }
 
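Review bot: The password is stored whenever the device has NL80211_EXT_FEATURE_SAE_OFFLOAD; nothing in this hunk checks that the request actually selects SAE, so the secret is handed to the driver for connections that will not use it. Accept the attribute only together with an SAE AKM suite or NL80211_AUTHTYPE_SAE, and return -EINVAL otherwise.
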
-- 
2.1.0



* [PATCH 6/6] brcmfmac: add support for SAE authentication offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (3 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
  2019-01-15 13:42 ` Johannes Berg
  6 siblings, 0 replies; 18+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

The firmware may have SAE authentication code built-in. This is
detected by the driver and indicated in the wiphy features flags.
User-space can use this flag to determine whether or not to provide
the password material for SAE authentication in the nl80211 CONNECT
command.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 72 ++++++++++++++++++++--
 .../broadcom/brcm80211/brcmfmac/cfg80211.h         |  3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/feature.c |  1 +
 .../wireless/broadcom/brcm80211/brcmfmac/feature.h |  4 +-
 .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 13 ++++
 .../broadcom/brcm80211/include/brcmu_wifi.h        |  2 +
 6 files changed, 88 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 854abf010aa7..8e48887e9d14 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1256,6 +1256,30 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len)
 	return err;
 }
 
+static int brcmf_set_sae_password(struct brcmf_if *ifp, const u8 *pwd_data,
+				  u16 pwd_len)
+{
+	struct brcmf_wsec_sae_pwd_le sae_pwd;
+	int err;
+
+	if (pwd_len > BRCMF_WSEC_MAX_SAE_PASSWORD_LEN) {
+		brcmf_err("sae_password must be less than %d\n",
+			  BRCMF_WSEC_MAX_SAE_PASSWORD_LEN);
+		return -EINVAL;
+	}
+
+	sae_pwd.key_len = cpu_to_le16(pwd_len);
+	memcpy(sae_pwd.key, pwd_data, pwd_len);
+
+	err = brcmf_fil_iovar_data_set(ifp, "sae_password", &sae_pwd,
+				       sizeof(sae_pwd));
+	if (err < 0)
+		brcmf_err("failed to set SAE password in firmware (len=%u)\n",
+			  pwd_len);
+
+	return err;
+}
+
 static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason)
 {
 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(vif->wdev.wiphy);
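
Review bot: In brcmf_set_sae_password() the on-stack `struct brcmf_wsec_sae_pwd_le sae_pwd` is never initialised, only pwd_len bytes of key[] are written, and the whole struct (sizeof(sae_pwd)) is sent to the firmware, so uninitialised kernel stack bytes go out with every password shorter than the maximum. Zero the struct before the memcpy() and wipe it with memzero_explicit() before returning, since it holds the password. The error text also says "must be less than %d" while the check allows a length equal to BRCMF_WSEC_MAX_SAE_PASSWORD_LEN.
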
@@ -1470,6 +1494,8 @@ static s32 brcmf_set_wpa_version(struct net_device *ndev,
 		val = WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED;
 	else if (sme->crypto.wpa_versions & NL80211_WPA_VERSION_2)
 		val = WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED;
+	else if (sme->crypto.wpa_versions & NL80211_WPA_VERSION_3)
+		val = WPA3_AUTH_SAE_PSK;
 	else
 		val = WPA_AUTH_DISABLED;
 	brcmf_dbg(CONN, "setting wpa_auth to 0x%0x\n", val);
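
Review bot: The new branch is the third arm of an else-if chain, so WPA3_AUTH_SAE_PSK is selected only when neither NL80211_WPA_VERSION_1 nor NL80211_WPA_VERSION_2 is set; a request that sets versions 2 and 3 together is configured as WPA2 only. If a combined WPA2/WPA3 request is meant to be supported, build `val` by OR-ing the per-version flags; if it is not, document that version 3 is ignored when a lower version is also set.
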
@@ -1500,6 +1526,10 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 		val = 1;
 		brcmf_dbg(CONN, "shared key\n");
 		break;
+	case NL80211_AUTHTYPE_SAE:
+		val = 3;
+		brcmf_dbg(CONN, "SAE authentication\n");
+		break;
 	default:
 		val = 2;
 		brcmf_dbg(CONN, "automatic, auth type (%d)\n", sme->auth_type);
@@ -1665,6 +1695,16 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 				  sme->crypto.cipher_group);
 			return -EINVAL;
 		}
+	} else if (val & WPA3_AUTH_SAE_PSK) {
+		switch (sme->crypto.akm_suites[0]) {
+		case WLAN_AKM_SUITE_SAE:
+			val = WPA3_AUTH_SAE_PSK;
+			break;
+		default:
+			brcmf_err("invalid cipher group (%d)\n",
+				  sme->crypto.cipher_group);
+			return -EINVAL;
+		}
 	}
 
 	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X)
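
Review bot: The default arm of the new switch on sme->crypto.akm_suites[0] logs "invalid cipher group" and prints sme->crypto.cipher_group, which is not the value that was rejected. Report the AKM suite instead, so a failed WPA3 connect can be diagnosed from the log.
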
@@ -1734,7 +1774,8 @@ brcmf_set_sharedkey(struct net_device *ndev,
 	brcmf_dbg(CONN, "wpa_versions 0x%x cipher_pairwise 0x%x\n",
 		  sec->wpa_versions, sec->cipher_pairwise);
 
-	if (sec->wpa_versions & (NL80211_WPA_VERSION_1 | NL80211_WPA_VERSION_2))
+	if (sec->wpa_versions & (NL80211_WPA_VERSION_1 | NL80211_WPA_VERSION_2 |
+				 NL80211_WPA_VERSION_3))
 		return 0;
 
 	if (!(sec->cipher_pairwise &
@@ -1939,7 +1980,13 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
 		goto done;
 	}
 
-	if (sme->crypto.psk) {
+	if (sme->crypto.sae_pwd) {
+		brcmf_dbg(INFO, "using SAE offload\n");
+		profile->use_fwsup = BRCMF_PROFILE_FWSUP_SAE;
+	}
+
+	if (sme->crypto.psk &&
+	    profile->use_fwsup != BRCMF_PROFILE_FWSUP_SAE) {
 		if (WARN_ON(profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {
 			err = -EINVAL;
 			goto done;
@@ -1957,12 +2004,23 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
 		}
 	}
 
-	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK) {
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK)
 		err = brcmf_set_pmk(ifp, sme->crypto.psk,
 				    BRCMF_WSEC_MAX_PSK_LEN);
-		if (err)
+	else if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_SAE) {
+		/* clean up user-space RSNE */
+		if (brcmf_fil_iovar_data_set(ifp, "wpaie", NULL, 0)) {
+			brcmf_err("failed to clean up user-space RSNE\n");
 			goto done;
+		}
+		err = brcmf_set_sae_password(ifp, sme->crypto.sae_pwd,
+					     sme->crypto.sae_pwd_len);
+		if (!err && sme->crypto.psk)
+			err = brcmf_set_pmk(ifp, sme->crypto.psk,
+					    BRCMF_WSEC_MAX_PSK_LEN);
 	}
+	if (err)
+		goto done;
 
 	/* Join with specific BSSID and cached SSID
 	 * If SSID is zero join based on BSSID only
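
Review bot: When clearing "wpaie" fails, the result of brcmf_fil_iovar_data_set() is tested but not stored in `err` before `goto done`, so `err` keeps whatever value it had and the failure is not what this branch returns. Assign the return value to `err` and let the common `if (err) goto done;` below handle it. The if/else-if also mixes an unbraced first arm with a braced second arm; brace both.
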
@@ -5279,7 +5337,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
 		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
-		if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_PSK)
+		if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_PSK &&
+		    vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_SAE)
 			return true;
 
 		set_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
@@ -6573,6 +6632,9 @@ static int brcmf_setup_wiphy(struct wiphy *wiphy, struct brcmf_if *ifp)
 				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK);
 		wiphy_ext_feature_set(wiphy,
 				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X);
+		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SAE))
+			wiphy_ext_feature_set(wiphy,
+					      NL80211_EXT_FEATURE_SAE_OFFLOAD);
 	}
 	wiphy->mgmt_stypes = brcmf_txrx_stypes;
 	wiphy->max_remain_on_channel_duration = 5000;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 6a7dec908b6f..c9d4b839b60d 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -118,7 +118,8 @@ struct brcmf_cfg80211_security {
 enum brcmf_profile_fwsup {
 	BRCMF_PROFILE_FWSUP_NONE,
 	BRCMF_PROFILE_FWSUP_PSK,
-	BRCMF_PROFILE_FWSUP_1X
+	BRCMF_PROFILE_FWSUP_1X,
+	BRCMF_PROFILE_FWSUP_SAE
 };
 
 /**
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
index 4c5a3995dc35..e8b4eb0b67f9 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
@@ -50,6 +50,7 @@ static const struct brcmf_feat_fwcap brcmf_fwcap_map[] = {
 	{ BRCMF_FEAT_P2P, "p2p" },
 	{ BRCMF_FEAT_MONITOR, "monitor" },
 	{ BRCMF_FEAT_MONITOR_FMT_RADIOTAP, "rtap" },
+	{ BRCMF_FEAT_SAE, "sae" },
 };
 
 #ifdef DEBUG
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
index 0b4974df353a..d8b6ba9d0967 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
@@ -35,6 +35,7 @@
  * FWSUP: Firmware supplicant.
  * MONITOR: firmware can pass monitor packets to host.
  * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
+ * SAE: simultaneous authentication of equals
  */
 #define BRCMF_FEAT_LIST \
 	BRCMF_FEAT_DEF(MBSS) \
@@ -52,7 +53,8 @@
 	BRCMF_FEAT_DEF(GSCAN) \
 	BRCMF_FEAT_DEF(FWSUP) \
 	BRCMF_FEAT_DEF(MONITOR) \
-	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
+	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP) \
+	BRCMF_FEAT_DEF(SAE)
 
 /*
  * Quirks:
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
index 39ac1bbb6cc0..d81ad6542513 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
@@ -72,6 +72,8 @@
 #define BRCMF_WSEC_MAX_PSK_LEN		32
 #define	BRCMF_WSEC_PASSPHRASE		BIT(0)
 
+#define BRCMF_WSEC_MAX_SAE_PASSWORD_LEN 128
+
 /* primary (ie tx) key */
 #define BRCMF_PRIMARY_KEY		(1 << 1)
 #define DOT11_BSSTYPE_ANY		2
@@ -529,6 +531,17 @@ struct brcmf_wsec_pmk_le {
 	u8 key[2 * BRCMF_WSEC_MAX_PSK_LEN + 1];
 };
 
+/**
+ * struct brcmf_wsec_sae_pwd_le - firmware SAE password material.
+ *
+ * @key_len: number of octets in key materials.
+ * @key: SAE password material.
+ */
+struct brcmf_wsec_sae_pwd_le {
+	__le16 key_len;
+	u8 key[BRCMF_WSEC_MAX_SAE_PASSWORD_LEN];
+};
+
 /* Used to get specific STA parameters */
 struct brcmf_scb_val_le {
 	__le32 val;
diff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
index dddebaa60352..60d7e3221b35 100644
--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
@@ -242,6 +242,8 @@ static inline bool ac_bitmap_tst(u8 bitmap, int prec)
 #define WPA2_AUTH_FT		0x4000	/* Fast BSS Transition */
 #define WPA2_AUTH_PSK_SHA256	0x8000	/* PSK with SHA256 key derivation */
 
+#define WPA3_AUTH_SAE_PSK	0x40000	/* SAE with 4-way handshake */
+
 #define DOT11_DEFAULT_RTS_LEN		2347
 #define DOT11_DEFAULT_FRAG_LEN		2346
 
-- 
2.1.0



* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
@ 2019-01-04  9:26   ` Marcel Holtmann
  2019-05-09  9:21     ` Stanley Hsu
  2019-01-04 11:10   ` Arend Van Spriel
  1 sibling, 1 reply; 18+ messages in thread
From: Marcel Holtmann @ 2019-01-04  9:26 UTC (permalink / raw)
  To: Chi-Hsien Lin
  Cc: linux-wireless, brcm80211-dev-list, brcm80211-dev-list,
	Arend van Spriel, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo, Stanley Hsu

Hi,

> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
> include/linux/ieee80211.h    |  1 +
> include/net/cfg80211.h       |  5 +++++
> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> net/wireless/nl80211.c       | 14 ++++++++++++++
> 4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> #define FILS_ERP_MAX_RRK_LEN		64
> 
> #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
> 
> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>  *	CFG80211_MAX_WEP_KEYS WEP keys
>  * @wep_tx_key: key index (0..3) of the default TX static WEP key
>  * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>  */
> struct cfg80211_crypto_settings {
> 	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> 	struct key_params *wep_keys;
> 	int wep_tx_key;
> 	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;
> };
> 
> /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>  */
> 
> /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>  * enum nl80211_commands - supported nl80211 commands
>  *
>  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>  *
>  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>  *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>  *
>  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>  *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> 	NL80211_ATTR_FTM_RESPONDER,
> 
> 	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,
> 
> 	NL80211_ATTR_TIMEOUT,

so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:

	/* add attributes here, update the policy in nl80211.c */

More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

Regards

Marcel



* Re: [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (4 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
@ 2019-01-04 10:51 ` Arend Van Spriel
  2019-05-09  8:51   ` Stanley Hsu
  2019-01-15 13:42 ` Johannes Berg
  6 siblings, 1 reply; 18+ messages in thread
From: Arend Van Spriel @ 2019-01-04 10:51 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Add NL80211_ATTR_IFINDEX attribute to port authorized event to indicate
> the operating interface of the device.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   net/wireless/nl80211.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 5e49492d5911..594aeba2982a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -14727,7 +14727,8 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
>   		return;
>   	}
>   
> -	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
> +	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
> +	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
>   		goto nla_put_failure;
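
Review bot: the new nla_put_u32() reads netdev->ifindex with no NULL check in the visible lines, so the commit message or a comment should state that every caller of nl80211_send_port_authorized() passes a valid netdev. The commit message should also name the listener that needs the attribute: with only NL80211_ATTR_MAC in the event, user space has nothing but the BSSID to match the authorization to an interface, and that is the justification worth recording.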

Maybe also put NL80211_ATTR_WIPHY in the notification to be consistent 
with the other MLME notifications.

Regards,
Arend


* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
  2019-01-04  9:26   ` Marcel Holtmann
@ 2019-01-04 11:10   ` Arend Van Spriel
  2019-05-09  9:02     ` Stanley Hsu
  1 sibling, 1 reply; 18+ messages in thread
From: Arend Van Spriel @ 2019-01-04 11:10 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   include/linux/ieee80211.h    |  1 +
>   include/net/cfg80211.h       |  5 +++++
>   include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>   net/wireless/nl80211.c       | 14 ++++++++++++++
>   4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>   #define FILS_ERP_MAX_RRK_LEN		64
>   
>   #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
>   
>   /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>   enum ieee80211_pub_actioncode {
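
Review bot: SAE_PASSWORD_MAX_LEN is introduced as 128 with no comment saying where the limit comes from, while the public action code enum just below cites its clause in IEEE Std 802.11-2016. Add a one-line comment giving the source of the bound (standard clause or firmware limit), since this value becomes the cap that user-space input is validated against.
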
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>    *	CFG80211_MAX_WEP_KEYS WEP keys
>    * @wep_tx_key: key index (0..3) of the default TX static WEP key
>    * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>    */
>   struct cfg80211_crypto_settings {
>   	u32 wpa_versions;
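
Review bot: the @sae_pwd kernel-doc does not say how the buffer is delimited or who owns it. State whether it is raw bytes of length @sae_pwd_len or a NUL-terminated string, that the length never exceeds SAE_PASSWORD_MAX_LEN, and how long the pointer stays valid, so drivers copy what they need and do not keep a pointer to password material.
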
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>   	struct key_params *wep_keys;
>   	int wep_tx_key;
>   	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;

Not really need u16 as max length is defined earlier as 128.

>   };
>   
>   /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>    */
>   
>   /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>    * enum nl80211_commands - supported nl80211 commands
>    *
>    * @NL80211_CMD_UNSPEC: unspecified command to catch errors
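
Review bot: the DOC section says what a supporting driver advertises but not what happens when %NL80211_ATTR_SAE_PASSWORD arrives in %NL80211_CMD_CONNECT for a device that does not set NL80211_EXT_FEATURE_SAE_OFFLOAD. Document that such a request is rejected, and make sure the nl80211.c side does so, otherwise a password can be handed to a driver that silently ignores it. Naming the AKM the attribute has to be combined with would help as well.
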
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>    *
>    * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>    *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>    *
>    * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>    *	if the attribute is not given no timeout is requested. Note that 0 is an
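
Review bot: the @NL80211_ATTR_SAE_PASSWORD entry gives no type or length, while the neighbouring @NL80211_ATTR_TIMEOUT entry states its type as (u32). Describe it as binary data and give the allowed length range, so user space does not have to read nl80211.c to learn the limit. A blank " *" line before the new entry would also match the separation used before @NL80211_ATTR_TIMEOUT.
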
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>   	NL80211_ATTR_FTM_RESPONDER,
>   
>   	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,

Marcel already commented on this. These enumerations are ABI. You should 
also change the nl80211_policy to assure the max length 
SAE_PASSWORD_MAX_LEN is not exceeded.

Gr. AvS
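
What the requested policy bound buys, as an added sketch in userspace C that is not kernel code and not from this thread: a netlink-style TLV parser whose policy table rejects a password attribute longer than SAE_PASSWORD_MAX_LEN before any consumer sees it. The `demo_*` names and attribute ids are hypothetical; only the 128-byte limit comes from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAE_PASSWORD_MAX_LEN 128 /* the limit defined by the patch */
#define ETH_ALEN 6

/* Hypothetical attribute ids for this sketch, not the real nl80211 values. */
enum {
	DEMO_ATTR_UNSPEC,
	DEMO_ATTR_MAC,
	DEMO_ATTR_SAE_PASSWORD,
	DEMO_ATTR_MAX = DEMO_ATTR_SAE_PASSWORD
};

enum demo_kind { DEMO_ANY, DEMO_EXACT_LEN, DEMO_BINARY_MAX };
struct demo_policy { enum demo_kind kind; uint16_t len; };

/* One row per attribute: the parser enforces this before any consumer runs. */
static const struct demo_policy demo_policy[DEMO_ATTR_MAX + 1] = {
	[DEMO_ATTR_MAC]          = { DEMO_EXACT_LEN,  ETH_ALEN },
	[DEMO_ATTR_SAE_PASSWORD] = { DEMO_BINARY_MAX, SAE_PASSWORD_MAX_LEN },
};

/* Netlink-style TLV header: len counts header plus payload, padded to 4. */
struct demo_attr { uint16_t len; uint16_t type; };
#define DEMO_HDRLEN   (sizeof(struct demo_attr))
#define DEMO_ALIGN(n) (((size_t)(n) + 3) & ~(size_t)3)

struct demo_parsed {
	const uint8_t *data[DEMO_ATTR_MAX + 1];
	uint16_t len[DEMO_ATTR_MAX + 1];
};

/* Append one attribute to buf; returns 0, or -1 if it does not fit. */
int demo_put(uint8_t *buf, size_t cap, size_t *off, uint16_t type,
	     const void *data, uint16_t len)
{
	struct demo_attr h = { (uint16_t)(DEMO_HDRLEN + len), type };
	size_t total = DEMO_HDRLEN + len, padded = DEMO_ALIGN(total);

	if (total > UINT16_MAX || *off > cap || padded > cap - *off)
		return -1;
	memset(buf + *off, 0, padded);
	memcpy(buf + *off, &h, sizeof(h));
	memcpy(buf + *off + DEMO_HDRLEN, data, len);
	*off += padded;
	return 0;
}

/* Walk the attribute stream and apply the policy; 0 on success, -1 on reject. */
int demo_parse(const uint8_t *buf, size_t buflen, struct demo_parsed *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (buflen - off >= DEMO_HDRLEN) {
		struct demo_attr h;
		size_t step;
		uint16_t plen;

		memcpy(&h, buf + off, sizeof(h));
		if (h.len < DEMO_HDRLEN || h.len > buflen - off)
			return -1; /* header lies about the payload size */
		plen = (uint16_t)(h.len - DEMO_HDRLEN);
		if (h.type >= 1 && h.type <= DEMO_ATTR_MAX) {
			const struct demo_policy *p = &demo_policy[h.type];

			if (p->kind == DEMO_EXACT_LEN && plen != p->len)
				return -1;
			if (p->kind == DEMO_BINARY_MAX && plen > p->len)
				return -1; /* oversized password stops here */
			out->data[h.type] = buf + off + DEMO_HDRLEN;
			out->len[h.type] = plen;
		} /* unknown attribute types are skipped */
		step = DEMO_ALIGN(h.len);
		off += step > buflen - off ? buflen - off : step;
	}
	return off == buflen ? 0 : -1;
}

/* Build a connect-style message (constructed sample data) with a password of
 * pwd_len bytes; return the accepted password length, or -1 if rejected. */
int demo_connect_pwd_len(size_t pwd_len)
{
	static const uint8_t bssid[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
	uint8_t pwd[256], msg[512];
	struct demo_parsed tb;
	size_t off = 0;

	if (pwd_len > sizeof(pwd))
		return -1;
	memset(pwd, 'x', sizeof(pwd));
	if (demo_put(msg, sizeof(msg), &off, DEMO_ATTR_MAC, bssid, ETH_ALEN) ||
	    demo_put(msg, sizeof(msg), &off, DEMO_ATTR_SAE_PASSWORD, pwd,
		     (uint16_t)pwd_len))
		return -1;
	return demo_parse(msg, off, &tb) ? -1 : tb.len[DEMO_ATTR_SAE_PASSWORD];
}

int main(void)
{
	static const size_t lens[] = { 0, 8, 128, 129 };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("password of %zu bytes -> %d\n", lens[i],
		       demo_connect_pwd_len(lens[i]));
	return 0;
}
```

A maximum-only policy still accepts a zero-length password, so the consumer has to reject an empty value itself.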


* Re: [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
@ 2019-01-07  9:44   ` Arend Van Spriel
  2019-05-09  8:58     ` Stanley Hsu
  0 siblings, 1 reply; 18+ messages in thread
From: Arend Van Spriel @ 2019-01-07  9:44 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> With 4-way handshake offload for 802.1X authentication, a port
> authorized event should be sent to user space after the completion of
> 4-way handshake. It is used to indicate that a connection is authorized
> and 802.1X authentication is no longer required.

It had been a while since I had looked at our offload code (basically 
since the initial implementation for the nl80211 work) so I was unsure 
why this would be needed.

So initially we added a PORT_AUTHORIZED *attribute* in the nl80211 api 
and later on the PORT_AUTHORIZED *event* was introduced and 4-way hs 
offload support in wpa_supplicant is ignoring the *attribute* and only 
handling the *event*. I think this information is important enough to 
add to this commit message with a reference to commit 503c1fb98ba3 
("cfg80211/nl80211: add a port authorized event") which "broke" the 
functionality in brcmfmac.

Some specific comments below...

Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 23 +++++++++++++++-------
>   1 file changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 35301237d435..ad0d775a1244 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -5266,10 +5266,13 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
>   	u32 event = e->event_code;
>   	u32 status = e->status;
>   
> -	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
> -	    event == BRCMF_E_PSK_SUP &&
> -	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
> +	if (event == BRCMF_E_PSK_SUP &&
> +	    status == BRCMF_E_STATUS_FWSUP_COMPLETED) {
>   		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
> +		if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_1X)
> +			return true;
> +	}
> +

Here things get a bit tricky I think. The old behaviour was to wait for 
both PSK_SUP and SET_SSID events before calling cfg80211_connect_done(). 
If I recall correctly I did that because they can arrive in different 
order depending on the type of offload (1x or psk) but also depends on 
firmware build, so ....

>   	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
>   		brcmf_dbg(CONN, "Processing set ssid\n");
>   		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
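
Review bot: with the use_fwsup == BRCMF_PROFILE_FWSUP_PSK test removed, BRCMF_VIF_STATUS_EAP_SUCCESS is now set for any completed BRCMF_E_PSK_SUP event, whatever the profile, and the 1X case returns true before the BRCMF_E_SET_SSID branch has copied e->addr into vif->profile.bssid. If PSK_SUP arrives first, link-up is reported with whatever BSSID the profile held before. Keep a profile check (PSK or 1X) on the set_bit() and drop the early return, so the combined EAP_SUCCESS/ASSOC_SUCCESS test further down decides.
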
> @@ -5280,11 +5283,10 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
>   	}
>   
>   	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
> -	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
> -		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
> -		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
> +	    test_and_clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS,
> +			       &vif->sme_state))
>   		return true;
> -	}
> +
>   	return false;
>   }
>   
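
Review bot: BRCMF_VIF_STATUS_EAP_SUCCESS is no longer cleared in this test, only ASSOC_SUCCESS is, so the lifetime of the bit now depends on another function clearing it. If that path is not reached for some connection attempt, the stale bit pairs with a later ASSOC_SUCCESS and link-up is reported without a fresh handshake completion. Either keep clearing both bits here or clear EAP_SUCCESS explicitly on disconnect and on connect failure.
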
> @@ -5501,6 +5503,13 @@ brcmf_bss_connect_done(struct brcmf_cfg80211_info *cfg,
>   		brcmf_dbg(CONN, "Report connect result - connection %s\n",
>   			  completed ? "succeeded" : "failed");
>   	}
> +
> +	if (test_and_clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS,
> +			       &ifp->vif->sme_state) &&
> +	    profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X) {
> +		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
> +		brcmf_dbg(CONN, "Report port authorized\n");
> +	}

I would leave the code in brcmf_is_linkup() as before and only check 
profile->use_fwsup here to determine whether cfg80211_port_authorized() 
should be called here.

>   	brcmf_dbg(TRACE, "Exit\n");
>   	return 0;
>   }
> 
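
Review bot: the new block sits after the closing brace of the connect-result reporting and does not look at completed, so cfg80211_port_authorized() can be sent for an attempt that was just reported as failed if EAP_SUCCESS happened to be set. Gate it on completed as well as on use_fwsup == BRCMF_PROFILE_FWSUP_1X. The brcmf_dbg() line would also read better before the call it announces.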


* Re: [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
@ 2019-01-07 12:00   ` Arend Van Spriel
  0 siblings, 0 replies; 18+ messages in thread
From: Arend Van Spriel @ 2019-01-07 12:00 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> With FT-802.1X, driver should send a port authorized event right after
> sending a roamed event. It is used to indicate that a new AP is already
> authorized so 802.1X is not required.

Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++++++
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h | 1 +
>   2 files changed, 9 insertions(+)


* Re: [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (5 preceding siblings ...)
  2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
@ 2019-01-15 13:42 ` Johannes Berg
  6 siblings, 0 replies; 18+ messages in thread
From: Johannes Berg @ 2019-01-15 13:42 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

Please resend this entire set addressing the comments you already got.

johannes



* Re: [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
  2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
@ 2019-05-09  8:51   ` Stanley Hsu
  0 siblings, 0 replies; 18+ messages in thread
From: Stanley Hsu @ 2019-05-09  8:51 UTC (permalink / raw)
  To: Arend Van Spriel
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo

On Fri, Jan 04, 2019 at 11:51:19AM +0100, Arend Van Spriel wrote:
> On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> >From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >
> >Add NL80211_ATTR_IFINDEX attribute to port authorized event to indicate
> >the operating interface of the device.
> >
> >Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> >---
> >  net/wireless/nl80211.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> >diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> >index 5e49492d5911..594aeba2982a 100644
> >--- a/net/wireless/nl80211.c
> >+++ b/net/wireless/nl80211.c
> >@@ -14727,7 +14727,8 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
> >  return;
> >  }
> >-if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
> >+if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
> >+    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
> >  goto nla_put_failure;
>
> Maybe also put NL80211_ATTR_WIPHY in the notification to be
> consistent with the other MLME notifications.

Thanks for the comment. Will include it in V2.

Regards,
Chung-Hsien
>
> Regards,
> Arend

This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.


* Re: [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-01-07  9:44   ` Arend Van Spriel
@ 2019-05-09  8:58     ` Stanley Hsu
  2019-05-09 11:54       ` Arend Van Spriel
  0 siblings, 1 reply; 18+ messages in thread
From: Stanley Hsu @ 2019-05-09  8:58 UTC (permalink / raw)
  To: Arend Van Spriel
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo

On Mon, Jan 07, 2019 at 10:44:01AM +0100, Arend Van Spriel wrote:
> On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> >From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >
> >With 4-way handshake offload for 802.1X authentication, a port
> >authorized event should be sent to user space after the completion of
> >4-way handshake. It is used to indicate that a connection is authorized
> >and 802.1X authentication is no longer required.
>
> It had been a while since I had looked at our offload code
> (basically since the initial implementation for the nl80211 work) so
> I was unsure why this would be needed.
>
> So initially we added a PORT_AUTHORIZED *attribute* in the nl80211
> api and later on the PORT_AUTHORIZED *event* was introduced and
> 4-way hs offload support in wpa_supplicant is ignoring the
> *attribute* and only handling the *event*. I think this information
> is important enough to add to this commit message with a reference
> to commit 503c1fb98ba3 ("cfg80211/nl80211: add a port authorized
> event") which "broke" the functionality in brcmfmac.

Thanks a lot for the feedback.
After looking further, it is observed that the connection state will be
set to WPA_COMPLETED in wpa_supplicant after it sets PMK to the driver.
So no need to have this change. Let's drop it from the series.

Regards,
Chung-Hsien


* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04 11:10   ` Arend Van Spriel
@ 2019-05-09  9:02     ` Stanley Hsu
  0 siblings, 0 replies; 18+ messages in thread
From: Stanley Hsu @ 2019-05-09  9:02 UTC (permalink / raw)
  To: Arend Van Spriel
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo

On Fri, Jan 04, 2019 at 12:10:01PM +0100, Arend Van Spriel wrote:
> On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> >From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >
> >Let drivers advertise support for station-mode SAE authentication
> >offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
>
> When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

Thanks for the comment. Will change it in V2.

>
> >Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> >Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> >---
> >  include/linux/ieee80211.h    |  1 +
> >  include/net/cfg80211.h       |  5 +++++
> >  include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> >  net/wireless/nl80211.c       | 14 ++++++++++++++
> >  4 files changed, 36 insertions(+)
> >
> >diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> >index 3b04e72315e1..37d3e655e547 100644
> >--- a/include/linux/ieee80211.h
> >+++ b/include/linux/ieee80211.h
> >@@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> >  #define FILS_ERP_MAX_RRK_LEN64
> >  #define PMK_MAX_LEN64
> >+#define SAE_PASSWORD_MAX_LEN128
> >  /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> >  enum ieee80211_pub_actioncode {
> >diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> >index e0c41eb1c860..5809dac97b33 100644
> >--- a/include/net/cfg80211.h
> >+++ b/include/net/cfg80211.h
> >@@ -740,6 +740,9 @@ struct survey_info {
> >   *CFG80211_MAX_WEP_KEYS WEP keys
> >   * @wep_tx_key: key index (0..3) of the default TX static WEP key
> >   * @psk: PSK (for devices supporting 4-way-handshake offload)
> >+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
> >+ *offload)
> >+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
> >   */
> >  struct cfg80211_crypto_settings {
> >  u32 wpa_versions;
> >@@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> >  struct key_params *wep_keys;
> >  int wep_tx_key;
> >  const u8 *psk;
> >+const u8 *sae_pwd;
> >+u16 sae_pwd_len;
>
> Not really need u16 as max length is defined earlier as 128.

It will be changed to u8 in V2.

>
> >  };
> >  /**
> >diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> >index 12762afb3a07..4840aaed39ba 100644
> >--- a/include/uapi/linux/nl80211.h
> >+++ b/include/uapi/linux/nl80211.h
> >@@ -235,6 +235,15 @@
> >   */
> >  /**
> >+ * DOC: SAE authentication offload
> >+ *
> >+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> >+ * support offloading SAE authentication for WPA3-Personal networks. In
> >+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
> >+ * %NL80211_ATTR_SAE_PASSWORD.
> >+ */
> >+
> >+/**
> >   * enum nl80211_commands - supported nl80211 commands
> >   *
> >   * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> >@@ -2288,6 +2297,9 @@ enum nl80211_commands {
> >   *
> >   * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
> >   *statistics, see &enum nl80211_ftm_responder_stats.
> >+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> >+ *is used with %NL80211_CMD_CONNECT to provide password for offloading
> >+ *SAE authentication for WPA3-Personal networks.
> >   *
> >   * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
> >   *if the attribute is not given no timeout is requested. Note that 0 is an
> >@@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> >  NL80211_ATTR_FTM_RESPONDER,
> >  NL80211_ATTR_FTM_RESPONDER_STATS,
> >+NL80211_ATTR_SAE_PASSWORD,
>
> Marcel already commented on this. These enumerations are ABI. You
> should also change the nl80211_policy to assure the max length
> SAE_PASSWORD_MAX_LEN is not exceeded.

It will be moved to the bottom. The corresponding change in
nl80211_policy has been made.

Regards,
Chung-Hsien

>
> Gr. AvS


* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  9:26   ` Marcel Holtmann
@ 2019-05-09  9:21     ` Stanley Hsu
  2019-05-10  8:32       ` Marcel Holtmann
  0 siblings, 1 reply; 18+ messages in thread
From: Stanley Hsu @ 2019-05-09  9:21 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Arend van Spriel, Franky Lin, Hante Meuleman,
	Wright Feng, Kalle Valo

On Fri, Jan 04, 2019 at 10:26:33AM +0100, Marcel Holtmann wrote:
> Hi,
>
> > Let drivers advertise support for station-mode SAE authentication
> > offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> >
> > Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> > Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> > ---
> > include/linux/ieee80211.h    |  1 +
> > include/net/cfg80211.h       |  5 +++++
> > include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> > net/wireless/nl80211.c       | 14 ++++++++++++++
> > 4 files changed, 36 insertions(+)
> >
> > diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> > index 3b04e72315e1..37d3e655e547 100644
> > --- a/include/linux/ieee80211.h
> > +++ b/include/linux/ieee80211.h
> > @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> > #define FILS_ERP_MAX_RRK_LEN64
> >
> > #define PMK_MAX_LEN64
> > +#define SAE_PASSWORD_MAX_LEN128
> >
> > /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> > enum ieee80211_pub_actioncode {
> > diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> > index e0c41eb1c860..5809dac97b33 100644
> > --- a/include/net/cfg80211.h
> > +++ b/include/net/cfg80211.h
> > @@ -740,6 +740,9 @@ struct survey_info {
> >  *CFG80211_MAX_WEP_KEYS WEP keys
> >  * @wep_tx_key: key index (0..3) of the default TX static WEP key
> >  * @psk: PSK (for devices supporting 4-way-handshake offload)
> > + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> > + *offload)
> > + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
> >  */
> > struct cfg80211_crypto_settings {
> > u32 wpa_versions;
> > @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> > struct key_params *wep_keys;
> > int wep_tx_key;
> > const u8 *psk;
> > +const u8 *sae_pwd;
> > +u16 sae_pwd_len;
> > };
> >
> > /**
> > diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> > index 12762afb3a07..4840aaed39ba 100644
> > --- a/include/uapi/linux/nl80211.h
> > +++ b/include/uapi/linux/nl80211.h
> > @@ -235,6 +235,15 @@
> >  */
> >
> > /**
> > + * DOC: SAE authentication offload
> > + *
> > + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> > + * support offloading SAE authentication for WPA3-Personal networks. In
> > + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> > + * %NL80211_ATTR_SAE_PASSWORD.
> > + */
> > +
> > +/**
> >  * enum nl80211_commands - supported nl80211 commands
> >  *
> >  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> > @@ -2288,6 +2297,9 @@ enum nl80211_commands {
> >  *
> >  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
> >  *statistics, see &enum nl80211_ftm_responder_stats.
> > + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> > + *is used with %NL80211_CMD_CONNECT to provide password for offloading
> > + *SAE authentication for WPA3-Personal networks.
> >  *
> >  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
> >  *if the attribute is not given no timeout is requested. Note that 0 is an
> > @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> > NL80211_ATTR_FTM_RESPONDER,
> >
> > NL80211_ATTR_FTM_RESPONDER_STATS,
> > +NL80211_ATTR_SAE_PASSWORD,
> >
> > NL80211_ATTR_TIMEOUT,
>
> so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:
>
> /* add attributes here, update the policy in nl80211.c */

Hi Marcel,

Thanks for pointing this out. It was a mistake caused by rebasing the
patch. Will fix it in V2.

>
> More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

This new attribute is used to pass the sae_password value, set in the
configuration file of wpa_supplicant, for offloading SAE authentication.
It seems that the existing attributes can not be utilized for the
purpose. Could you please point it out if you know the proper one? To
reflect the content of the attribute, NL80211_ATTR_SAE_PASSWORD should
be a proper name.

As for the mixed WPA/WPA2/WPA3 network credentials, no key materials
will be provided in a NL80211_CMD_CONNECT for non-offload cases. When
offload is considered, there is no conflict between WPA/WPA2 4-way
handshake offload and SAE authentication offload. For the WPA/WPA2
4-way handshake offload, the PSK is specified using NL80211_ATTR_PMK in
the NL80211_CMD_CONNECT. The corresponding description can be found in
the section "DOC: WPA/WPA2 EAPOL handshake offload". As for the SAE
authentication offload, the sae_password value is provided by
NL80211_ATTR_SAE_PASSWORD in NL80211_CMD_CONNECT. It is described in
the section "DOC: SAE authentication offload" proposed in this patch.

Regards,
Chung-Hsien

>
> Regards
>
> Marcel
>


* Re: [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-05-09  8:58     ` Stanley Hsu
@ 2019-05-09 11:54       ` Arend Van Spriel
  0 siblings, 0 replies; 18+ messages in thread
From: Arend Van Spriel @ 2019-05-09 11:54 UTC (permalink / raw)
  To: Stanley Hsu
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo, Jouni Malinen

+ Jouni

On 5/9/2019 10:58 AM, Stanley Hsu wrote:
> On Mon, Jan 07, 2019 at 10:44:01AM +0100, Arend Van Spriel wrote:
>> On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
>>> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
>>>
>>> With 4-way handshake offload for 802.1X authentication, a port
>>> authorized event should be sent to user space after the completion of
>>> 4-way handshake. It is used to indicate that a connection is authorized
>>> and 802.1X authentication is no longer required.
>>
>> It had been a while since I had looked at our offload code
>> (basically since the initial implementation for the nl80211 work) so
>> I was unsure why this would be needed.
>>
>> So initially we added a PORT_AUTHORIZED *attribute* in the nl80211
>> api and later on the PORT_AUTHORIZED *event* was introduced and
>> 4-way hs offload support in wpa_supplicant is ignoring the
>> *attribute* and only handling the *event*. I think this information
>> is important enough to add to this commit message with a reference
>> to commit 503c1fb98ba3 ("cfg80211/nl80211: add a port authorized
>> event") which "broke" the functionality in brcmfmac.
> 
> Thanks a lot for the feedback.
> After looking further, it is observed that the connection state will be
> set to WPA_COMPLETED in wpa_supplicant after it sets PMK to the driver.
> So no need to have this change. Let's drop it from the series.

In my opinion wpa_supplicant does set WPA_COMPLETED too early. If we 
were to use eapol-over-nl80211 and set the netdev carrier when the 
connection is authorized it would be kinda ok and we would not need the 
event. Added Jouni to chime in on this.

Regards,
Arend


* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-05-09  9:21     ` Stanley Hsu
@ 2019-05-10  8:32       ` Marcel Holtmann
  0 siblings, 0 replies; 18+ messages in thread
From: Marcel Holtmann @ 2019-05-10  8:32 UTC (permalink / raw)
  To: Stanley Hsu
  Cc: Chi-Hsien Lin, linux-wireless, brcm80211-dev-list,
	brcm80211-dev-list, Arend van Spriel, Franky Lin, Hante Meuleman,
	Wright Feng, Kalle Valo

Hi Stanley,

>>> Let drivers advertise support for station-mode SAE authentication
>>> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
>>> 
>>> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
>>> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
>>> ---
>>> include/linux/ieee80211.h    |  1 +
>>> include/net/cfg80211.h       |  5 +++++
>>> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>>> net/wireless/nl80211.c       | 14 ++++++++++++++
>>> 4 files changed, 36 insertions(+)
>>> 
>>> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
>>> index 3b04e72315e1..37d3e655e547 100644
>>> --- a/include/linux/ieee80211.h
>>> +++ b/include/linux/ieee80211.h
>>> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>>> #define FILS_ERP_MAX_RRK_LEN64
>>> 
>>> #define PMK_MAX_LEN64
>>> +#define SAE_PASSWORD_MAX_LEN128
>>> 
>>> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>>> enum ieee80211_pub_actioncode {
>>> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
>>> index e0c41eb1c860..5809dac97b33 100644
>>> --- a/include/net/cfg80211.h
>>> +++ b/include/net/cfg80211.h
>>> @@ -740,6 +740,9 @@ struct survey_info {
>>> *CFG80211_MAX_WEP_KEYS WEP keys
>>> * @wep_tx_key: key index (0..3) of the default TX static WEP key
>>> * @psk: PSK (for devices supporting 4-way-handshake offload)
>>> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
>>> + *offload)
>>> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>>> */
>>> struct cfg80211_crypto_settings {
>>> u32 wpa_versions;
>>> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>>> struct key_params *wep_keys;
>>> int wep_tx_key;
>>> const u8 *psk;
>>> +const u8 *sae_pwd;
>>> +u16 sae_pwd_len;
>>> };
>>> 
>>> /**
>>> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
>>> index 12762afb3a07..4840aaed39ba 100644
>>> --- a/include/uapi/linux/nl80211.h
>>> +++ b/include/uapi/linux/nl80211.h
>>> @@ -235,6 +235,15 @@
>>> */
>>> 
>>> /**
>>> + * DOC: SAE authentication offload
>>> + *
>>> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
>>> + * support offloading SAE authentication for WPA3-Personal networks. In
>>> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
>>> + * %NL80211_ATTR_SAE_PASSWORD.
>>> + */
>>> +
>>> +/**
>>> * enum nl80211_commands - supported nl80211 commands
>>> *
>>> * @NL80211_CMD_UNSPEC: unspecified command to catch errors
>>> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>>> *
>>> * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>>> *statistics, see &enum nl80211_ftm_responder_stats.
>>> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
>>> + *is used with %NL80211_CMD_CONNECT to provide password for offloading
>>> + *SAE authentication for WPA3-Personal networks.
>>> *
>>> * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>>> *if the attribute is not given no timeout is requested. Note that 0 is an
>>> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>>> NL80211_ATTR_FTM_RESPONDER,
>>> 
>>> NL80211_ATTR_FTM_RESPONDER_STATS,
>>> +NL80211_ATTR_SAE_PASSWORD,
>>> 
>>> NL80211_ATTR_TIMEOUT,
>> 
>> so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:
>> 
>> /* add attributes here, update the policy in nl80211.c */
> 
> Hi Marcel,
> 
> Thanks for pointing this out. It was a mistake caused by rebasing the
> patch. Will fix it in V2.
> 
>> 
>> More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.
> 
> This new attribute is used to pass the sae_password value, set in the
> configuration file of wpa_supplicant, for offloading SAE authentication.
> It seems that the existing attributes can not be utilized for the
> purpose. Could you please point it out if you know the proper one? To
> reflect the content of the attribute, NL80211_ATTR_SAE_PASSWORD should
> be a proper name.

Not everything is wpa_supplicant config files. How does this work with iwd, for example? The user cannot set a specific SAE password since that is all handled internally.

> As for the mixed WPA/WPA2/WPA3 network credentials, no key materials
> will be provided in a NL80211_CMD_CONNECT for non-offload cases. When
> offload is considered, there is no conflict between WPA/WPA2 4-way
> handshake offload and SAE authentication offload. For the WPA/WPA2
> 4-way handshake offload, the PSK is specified using NL80211_ATTR_PMK in
> the NL80211_CMD_CONNECT. The corresponding description can be found in
> the section "DOC: WPA/WPA2 EAPOL handshake offload". As for the SAE
> authentication offload, the sae_password value is provided by
> NL80211_ATTR_SAE_PASSWORD in NL80211_CMD_CONNECT. It is described in
> the section "DOC: SAE authentication offload" proposed in this patch.

Do we have some documentation on how to handle offload for mixed WPA/WPA2/WPA3 networks? I really wonder how nl80211 is supposed to be used in these cases. As mentioned above, not everything is wpa_supplicant, and I am curious about how seamless roaming will actually work for offload cases.

Regards

Marcel
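
The user-space API break raised earlier in this thread (a new attribute inserted before NL80211_ATTR_TIMEOUT instead of at the end of the enum), shown as an added example that is not code from the patch or the kernel. The enum names, their numeric values and the simplified `struct tlv` standing in for a netlink attribute are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the tail of the attribute enum; the numbers
 * are illustrative, not the real UAPI values. */
enum old_hdr { OLD_FTM_STATS = 1, OLD_TIMEOUT };                   /* before the patch */
enum ins_hdr { INS_FTM_STATS = 1, INS_SAE_PASSWORD, INS_TIMEOUT }; /* inserted, as posted */
enum app_hdr { APP_FTM_STATS = 1, APP_TIMEOUT, APP_SAE_PASSWORD }; /* appended instead */

struct tlv { uint16_t type, len; uint8_t data[8]; };
struct parsed { int has_timeout; uint32_t timeout_ms; int has_sae_pwd; uint16_t sae_pwd_len; };

/* An already-built user-space binary tags its u32 timeout with the
 * attribute number from the header it was compiled against. */
static struct tlv old_userspace_timeout(uint32_t ms)
{
	struct tlv a = { .type = OLD_TIMEOUT, .len = sizeof(ms) };
	memcpy(a.data, &ms, sizeof(ms));
	return a;
}

/* Receiver dispatching on the attribute numbers of its own header. */
static struct parsed parse(const struct tlv *a, int t_timeout, int t_sae)
{
	struct parsed p = {0};
	if (a->type == t_timeout && a->len == sizeof(uint32_t)) {
		p.has_timeout = 1;
		memcpy(&p.timeout_ms, a->data, sizeof(uint32_t));
	} else if (a->type == t_sae) {
		p.has_sae_pwd = 1;          /* four timeout bytes taken as a password */
		p.sae_pwd_len = a->len;
	}
	return p;
}

/* Old binary talking to a receiver built with the given numbering. */
static struct parsed deliver(uint32_t ms, int t_timeout, int t_sae)
{
	struct tlv a = old_userspace_timeout(ms);
	return parse(&a, t_timeout, t_sae);
}

int main(void)
{
	struct parsed i = deliver(5000, INS_TIMEOUT, INS_SAE_PASSWORD);
	struct parsed a = deliver(5000, APP_TIMEOUT, APP_SAE_PASSWORD);
	printf("inserted: timeout=%d sae_pwd=%d\n", i.has_timeout, i.has_sae_pwd);
	printf("appended: timeout=%d sae_pwd=%d\n", a.has_timeout, a.has_sae_pwd);
	return 0;
}
```

With the inserted numbering the old binary's timeout is silently dropped and its bytes are treated as password material; with the appended numbering the same message parses as before.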



Thread overview: 18+ messages
2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
2019-01-07  9:44   ` Arend Van Spriel
2019-05-09  8:58     ` Stanley Hsu
2019-05-09 11:54       ` Arend Van Spriel
2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
2019-01-07 12:00   ` Arend Van Spriel
2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
2019-01-04  9:26   ` Marcel Holtmann
2019-05-09  9:21     ` Stanley Hsu
2019-05-10  8:32       ` Marcel Holtmann
2019-01-04 11:10   ` Arend Van Spriel
2019-05-09  9:02     ` Stanley Hsu
2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
2019-05-09  8:51   ` Stanley Hsu
2019-01-15 13:42 ` Johannes Berg
