Linux-Wireless Archive on lore.kernel.org
 help / Atom feed
* [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
@ 2019-01-04  6:11 Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
                   ` (6 more replies)
  0 siblings, 7 replies; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Add NL80211_ATTR_IFINDEX attribute to port authorized event to indicate
the operating interface of the device.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 net/wireless/nl80211.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5e49492d5911..594aeba2982a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -14727,7 +14727,8 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
 		return;
 	}
 
-	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
+	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
+	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
 		goto nla_put_failure;
 
 	genlmsg_end(msg, hdr);
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-07  9:44   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

With 4-way handshake offload for 802.1X authentication, a port
authorized event should be sent to user space after the completion of
4-way handshake. It is used to indicate that a connection is authorized
and 802.1X authentication is no longer required.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 23 +++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 35301237d435..ad0d775a1244 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5266,10 +5266,13 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	u32 event = e->event_code;
 	u32 status = e->status;
 
-	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
-	    event == BRCMF_E_PSK_SUP &&
-	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
+	if (event == BRCMF_E_PSK_SUP &&
+	    status == BRCMF_E_STATUS_FWSUP_COMPLETED) {
 		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
+		if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_1X)
+			return true;
+	}
+
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
 		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
@@ -5280,11 +5283,10 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	}
 
 	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
-	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
-		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
-		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+	    test_and_clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS,
+			       &vif->sme_state))
 		return true;
-	}
+
 	return false;
 }
 
@@ -5501,6 +5503,13 @@ brcmf_bss_connect_done(struct brcmf_cfg80211_info *cfg,
 		brcmf_dbg(CONN, "Report connect result - connection %s\n",
 			  completed ? "succeeded" : "failed");
 	}
+
+	if (test_and_clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS,
+			       &ifp->vif->sme_state) &&
+	    profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X) {
+		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
+		brcmf_dbg(CONN, "Report port authorized\n");
+	}
 	brcmf_dbg(TRACE, "Exit\n");
 	return 0;
 }
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-07 12:00   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

With FT-802.1X, driver should send a port authorized event right after
sending a roamed event. It is used to indicate that a new AP is already
authorized so 802.1X is not required.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++++++
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h | 1 +
 2 files changed, 9 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index ad0d775a1244..854abf010aa7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1607,6 +1607,7 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 	u16 count;
 
 	profile->use_fwsup = BRCMF_PROFILE_FWSUP_NONE;
+	profile->is_ft = false;
 
 	if (!sme->crypto.n_akm_suites)
 		return 0;
@@ -1651,11 +1652,13 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 			break;
 		case WLAN_AKM_SUITE_FT_8021X:
 			val = WPA2_AUTH_UNSPECIFIED | WPA2_AUTH_FT;
+			profile->is_ft = true;
 			if (sme->want_1x)
 				profile->use_fwsup = BRCMF_PROFILE_FWSUP_1X;
 			break;
 		case WLAN_AKM_SUITE_FT_PSK:
 			val = WPA2_AUTH_PSK | WPA2_AUTH_FT;
+			profile->is_ft = true;
 			break;
 		default:
 			brcmf_err("invalid cipher group (%d)\n",
@@ -5465,6 +5468,11 @@ brcmf_bss_roaming_done(struct brcmf_cfg80211_info *cfg,
 	cfg80211_roamed(ndev, &roam_info, GFP_KERNEL);
 	brcmf_dbg(CONN, "Report roaming result\n");
 
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X && profile->is_ft) {
+		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
+		brcmf_dbg(CONN, "Report port authorized\n");
+	}
+
 	set_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state);
 	brcmf_dbg(TRACE, "Exit\n");
 	return err;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 9a6287f084a9..6a7dec908b6f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -133,6 +133,7 @@ struct brcmf_cfg80211_profile {
 	struct brcmf_cfg80211_security sec;
 	struct brcmf_wsec_key key[BRCMF_MAX_DEFAULT_KEYS];
 	enum brcmf_profile_fwsup use_fwsup;
+	bool is_ft;
 };
 
 /**
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Add definition of WPA version 3 for SAE authentication.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/uapi/linux/nl80211.h | 1 +
 net/wireless/nl80211.c       | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 31ae5c7f10e3..12762afb3a07 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -4319,6 +4319,7 @@ enum nl80211_mfp {
 enum nl80211_wpa_versions {
 	NL80211_WPA_VERSION_1 = 1 << 0,
 	NL80211_WPA_VERSION_2 = 1 << 1,
+	NL80211_WPA_VERSION_3 = 1 << 2,
 };
 
 /**
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 594aeba2982a..c464ce8bc248 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8532,7 +8532,8 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
 {
 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
-				  NL80211_WPA_VERSION_2));
+				  NL80211_WPA_VERSION_2 |
+				  NL80211_WPA_VERSION_3));
 }
 
 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (2 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
@ 2019-01-04  6:11 ` Chi-Hsien Lin
  2019-01-04  9:26   ` Marcel Holtmann
  2019-01-04 11:10   ` Arend Van Spriel
  2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
                   ` (2 subsequent siblings)
  6 siblings, 2 replies; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

Let drivers advertise support for station-mode SAE authentication
offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 include/linux/ieee80211.h    |  1 +
 include/net/cfg80211.h       |  5 +++++
 include/uapi/linux/nl80211.h | 16 ++++++++++++++++
 net/wireless/nl80211.c       | 14 ++++++++++++++
 4 files changed, 36 insertions(+)

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 3b04e72315e1..37d3e655e547 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
 #define FILS_ERP_MAX_RRK_LEN		64
 
 #define PMK_MAX_LEN			64
+#define SAE_PASSWORD_MAX_LEN		128
 
 /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
 enum ieee80211_pub_actioncode {
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e0c41eb1c860..5809dac97b33 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -740,6 +740,9 @@ struct survey_info {
  *	CFG80211_MAX_WEP_KEYS WEP keys
  * @wep_tx_key: key index (0..3) of the default TX static WEP key
  * @psk: PSK (for devices supporting 4-way-handshake offload)
+ * @sae_pwd: password for SAE authentication (for devices supporting SAE
+ *	offload)
+ * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
  */
 struct cfg80211_crypto_settings {
 	u32 wpa_versions;
@@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
 	struct key_params *wep_keys;
 	int wep_tx_key;
 	const u8 *psk;
+	const u8 *sae_pwd;
+	u16 sae_pwd_len;
 };
 
 /**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 12762afb3a07..4840aaed39ba 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -235,6 +235,15 @@
  */
 
 /**
+ * DOC: SAE authentication offload
+ *
+ * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
+ * support offloading SAE authentication for WPA3-Personal networks. In
+ * %NL80211_CMD_CONNECT the password for SAE should be specified using
+ * %NL80211_ATTR_SAE_PASSWORD.
+ */
+
+/**
  * enum nl80211_commands - supported nl80211 commands
  *
  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -2288,6 +2297,9 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
  *	statistics, see &enum nl80211_ftm_responder_stats.
+ * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
+ *	is used with %NL80211_CMD_CONNECT to provide password for offloading
+ *	SAE authentication for WPA3-Personal networks.
  *
  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
  *	if the attribute is not given no timeout is requested. Note that 0 is an
@@ -2743,6 +2755,7 @@ enum nl80211_attrs {
 	NL80211_ATTR_FTM_RESPONDER,
 
 	NL80211_ATTR_FTM_RESPONDER_STATS,
+	NL80211_ATTR_SAE_PASSWORD,
 
 	NL80211_ATTR_TIMEOUT,
 
@@ -5316,6 +5329,8 @@ enum nl80211_feature_flags {
  *      able to rekey an in-use key correctly. Userspace must not rekey PTK keys
  *      if this flag is not set. Ignoring this can leak clear text packets and/or
  *      freeze the connection.
+ * @NL80211_EXT_FEATURE_SAE_OFFLOAD: Device wants to do SAE authentication in
+ *	station mode (SAE password is passed as part of the connect command).
  *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
@@ -5356,6 +5371,7 @@ enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT,
 	NL80211_EXT_FEATURE_CAN_REPLACE_PTK0,
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER,
+	NL80211_EXT_FEATURE_SAE_OFFLOAD,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c464ce8bc248..d1ebc93d5d56 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -557,6 +557,8 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_PEER_MEASUREMENTS] =
 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
 				  nl80211_pmsr_attr_policy),
+	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
+					.len = SAE_PASSWORD_MAX_LEN },
 };
 
 /* policy for the key attributes */
@@ -4348,6 +4350,8 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
 		return true;
 	case NL80211_CMD_CONNECT:
 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
+		    !wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
 		    auth_type == NL80211_AUTHTYPE_SAE)
 			return false;
 
@@ -8769,6 +8773,16 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
 	}
 
+	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
+		if (!wiphy_ext_feature_isset(&rdev->wiphy,
+					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
+			return -EINVAL;
+		settings->sae_pwd =
+			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+		settings->sae_pwd_len =
+			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
+	}
+
 	return 0;
 }
 
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 6/6] brcmfmac: add support for SAE authentication offload
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (3 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
@ 2019-01-04  6:11 ` " Chi-Hsien Lin
  2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
  2019-01-15 13:42 ` Johannes Berg
  6 siblings, 0 replies; 12+ messages in thread
From: Chi-Hsien Lin @ 2019-01-04  6:11 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu,
	Chi-Hsien Lin

From: Chung-Hsien Hsu <stanley.hsu@cypress.com>

The firmware may have SAE authentication code built-in. This is
detected by the driver and indicated in the wiphy features flags.
User-space can use this flag to determine whether or not to provide
the password material for SAE authentication in the nl80211 CONNECT
command.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 72 ++++++++++++++++++++--
 .../broadcom/brcm80211/brcmfmac/cfg80211.h         |  3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/feature.c |  1 +
 .../wireless/broadcom/brcm80211/brcmfmac/feature.h |  4 +-
 .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 13 ++++
 .../broadcom/brcm80211/include/brcmu_wifi.h        |  2 +
 6 files changed, 88 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 854abf010aa7..8e48887e9d14 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1256,6 +1256,30 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len)
 	return err;
 }
 
+static int brcmf_set_sae_password(struct brcmf_if *ifp, const u8 *pwd_data,
+				  u16 pwd_len)
+{
+	struct brcmf_wsec_sae_pwd_le sae_pwd;
+	int err;
+
+	if (pwd_len > BRCMF_WSEC_MAX_SAE_PASSWORD_LEN) {
+		brcmf_err("sae_password must be less than %d\n",
+			  BRCMF_WSEC_MAX_SAE_PASSWORD_LEN);
+		return -EINVAL;
+	}
+
+	sae_pwd.key_len = cpu_to_le16(pwd_len);
+	memcpy(sae_pwd.key, pwd_data, pwd_len);
+
+	err = brcmf_fil_iovar_data_set(ifp, "sae_password", &sae_pwd,
+				       sizeof(sae_pwd));
+	if (err < 0)
+		brcmf_err("failed to set SAE password in firmware (len=%u)\n",
+			  pwd_len);
+
+	return err;
+}
+
 static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason)
 {
 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(vif->wdev.wiphy);
@@ -1470,6 +1494,8 @@ static s32 brcmf_set_wpa_version(struct net_device *ndev,
 		val = WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED;
 	else if (sme->crypto.wpa_versions & NL80211_WPA_VERSION_2)
 		val = WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED;
+	else if (sme->crypto.wpa_versions & NL80211_WPA_VERSION_3)
+		val = WPA3_AUTH_SAE_PSK;
 	else
 		val = WPA_AUTH_DISABLED;
 	brcmf_dbg(CONN, "setting wpa_auth to 0x%0x\n", val);
@@ -1500,6 +1526,10 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
 		val = 1;
 		brcmf_dbg(CONN, "shared key\n");
 		break;
+	case NL80211_AUTHTYPE_SAE:
+		val = 3;
+		brcmf_dbg(CONN, "SAE authentication\n");
+		break;
 	default:
 		val = 2;
 		brcmf_dbg(CONN, "automatic, auth type (%d)\n", sme->auth_type);
@@ -1665,6 +1695,16 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 				  sme->crypto.cipher_group);
 			return -EINVAL;
 		}
+	} else if (val & WPA3_AUTH_SAE_PSK) {
+		switch (sme->crypto.akm_suites[0]) {
+		case WLAN_AKM_SUITE_SAE:
+			val = WPA3_AUTH_SAE_PSK;
+			break;
+		default:
+			brcmf_err("invalid cipher group (%d)\n",
+				  sme->crypto.cipher_group);
+			return -EINVAL;
+		}
 	}
 
 	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X)
@@ -1734,7 +1774,8 @@ brcmf_set_sharedkey(struct net_device *ndev,
 	brcmf_dbg(CONN, "wpa_versions 0x%x cipher_pairwise 0x%x\n",
 		  sec->wpa_versions, sec->cipher_pairwise);
 
-	if (sec->wpa_versions & (NL80211_WPA_VERSION_1 | NL80211_WPA_VERSION_2))
+	if (sec->wpa_versions & (NL80211_WPA_VERSION_1 | NL80211_WPA_VERSION_2 |
+				 NL80211_WPA_VERSION_3))
 		return 0;
 
 	if (!(sec->cipher_pairwise &
@@ -1939,7 +1980,13 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
 		goto done;
 	}
 
-	if (sme->crypto.psk) {
+	if (sme->crypto.sae_pwd) {
+		brcmf_dbg(INFO, "using SAE offload\n");
+		profile->use_fwsup = BRCMF_PROFILE_FWSUP_SAE;
+	}
+
+	if (sme->crypto.psk &&
+	    profile->use_fwsup != BRCMF_PROFILE_FWSUP_SAE) {
 		if (WARN_ON(profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {
 			err = -EINVAL;
 			goto done;
@@ -1957,12 +2004,23 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
 		}
 	}
 
-	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK) {
+	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK)
 		err = brcmf_set_pmk(ifp, sme->crypto.psk,
 				    BRCMF_WSEC_MAX_PSK_LEN);
-		if (err)
+	else if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_SAE) {
+		/* clean up user-space RSNE */
+		if (brcmf_fil_iovar_data_set(ifp, "wpaie", NULL, 0)) {
+			brcmf_err("failed to clean up user-space RSNE\n");
 			goto done;
+		}
+		err = brcmf_set_sae_password(ifp, sme->crypto.sae_pwd,
+					     sme->crypto.sae_pwd_len);
+		if (!err && sme->crypto.psk)
+			err = brcmf_set_pmk(ifp, sme->crypto.psk,
+					    BRCMF_WSEC_MAX_PSK_LEN);
 	}
+	if (err)
+		goto done;
 
 	/* Join with specific BSSID and cached SSID
 	 * If SSID is zero join based on BSSID only
@@ -5279,7 +5337,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
 	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
 		brcmf_dbg(CONN, "Processing set ssid\n");
 		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
-		if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_PSK)
+		if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_PSK &&
+		    vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_SAE)
 			return true;
 
 		set_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
@@ -6573,6 +6632,9 @@ static int brcmf_setup_wiphy(struct wiphy *wiphy, struct brcmf_if *ifp)
 				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK);
 		wiphy_ext_feature_set(wiphy,
 				      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X);
+		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SAE))
+			wiphy_ext_feature_set(wiphy,
+					      NL80211_EXT_FEATURE_SAE_OFFLOAD);
 	}
 	wiphy->mgmt_stypes = brcmf_txrx_stypes;
 	wiphy->max_remain_on_channel_duration = 5000;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
index 6a7dec908b6f..c9d4b839b60d 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
@@ -118,7 +118,8 @@ struct brcmf_cfg80211_security {
 enum brcmf_profile_fwsup {
 	BRCMF_PROFILE_FWSUP_NONE,
 	BRCMF_PROFILE_FWSUP_PSK,
-	BRCMF_PROFILE_FWSUP_1X
+	BRCMF_PROFILE_FWSUP_1X,
+	BRCMF_PROFILE_FWSUP_SAE
 };
 
 /**
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
index 4c5a3995dc35..e8b4eb0b67f9 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
@@ -50,6 +50,7 @@ static const struct brcmf_feat_fwcap brcmf_fwcap_map[] = {
 	{ BRCMF_FEAT_P2P, "p2p" },
 	{ BRCMF_FEAT_MONITOR, "monitor" },
 	{ BRCMF_FEAT_MONITOR_FMT_RADIOTAP, "rtap" },
+	{ BRCMF_FEAT_SAE, "sae" },
 };
 
 #ifdef DEBUG
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
index 0b4974df353a..d8b6ba9d0967 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
@@ -35,6 +35,7 @@
  * FWSUP: Firmware supplicant.
  * MONITOR: firmware can pass monitor packets to host.
  * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
+ * SAE: simultaneous authentication of equals
  */
 #define BRCMF_FEAT_LIST \
 	BRCMF_FEAT_DEF(MBSS) \
@@ -52,7 +53,8 @@
 	BRCMF_FEAT_DEF(GSCAN) \
 	BRCMF_FEAT_DEF(FWSUP) \
 	BRCMF_FEAT_DEF(MONITOR) \
-	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
+	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP) \
+	BRCMF_FEAT_DEF(SAE)
 
 /*
  * Quirks:
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
index 39ac1bbb6cc0..d81ad6542513 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
@@ -72,6 +72,8 @@
 #define BRCMF_WSEC_MAX_PSK_LEN		32
 #define	BRCMF_WSEC_PASSPHRASE		BIT(0)
 
+#define BRCMF_WSEC_MAX_SAE_PASSWORD_LEN 128
+
 /* primary (ie tx) key */
 #define BRCMF_PRIMARY_KEY		(1 << 1)
 #define DOT11_BSSTYPE_ANY		2
@@ -529,6 +531,17 @@ struct brcmf_wsec_pmk_le {
 	u8 key[2 * BRCMF_WSEC_MAX_PSK_LEN + 1];
 };
 
+/**
+ * struct brcmf_wsec_sae_pwd_le - firmware SAE password material.
+ *
+ * @key_len: number of octets in key materials.
+ * @key: SAE password material.
+ */
+struct brcmf_wsec_sae_pwd_le {
+	__le16 key_len;
+	u8 key[BRCMF_WSEC_MAX_SAE_PASSWORD_LEN];
+};
+
 /* Used to get specific STA parameters */
 struct brcmf_scb_val_le {
 	__le32 val;
diff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
index dddebaa60352..60d7e3221b35 100644
--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
@@ -242,6 +242,8 @@ static inline bool ac_bitmap_tst(u8 bitmap, int prec)
 #define WPA2_AUTH_FT		0x4000	/* Fast BSS Transition */
 #define WPA2_AUTH_PSK_SHA256	0x8000	/* PSK with SHA256 key derivation */
 
+#define WPA3_AUTH_SAE_PSK	0x40000	/* SAE with 4-way handshake */
+
 #define DOT11_DEFAULT_RTS_LEN		2347
 #define DOT11_DEFAULT_FRAG_LEN		2346
 
-- 
2.1.0


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
@ 2019-01-04  9:26   ` Marcel Holtmann
  2019-01-04 11:10   ` Arend Van Spriel
  1 sibling, 0 replies; 12+ messages in thread
From: Marcel Holtmann @ 2019-01-04  9:26 UTC (permalink / raw)
  To: Chi-Hsien Lin
  Cc: linux-wireless, brcm80211-dev-list, brcm80211-dev-list,
	Arend van Spriel, Franky Lin, Hante Meuleman, Wright Feng,
	Kalle Valo, Stanley Hsu

Hi,

> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
> include/linux/ieee80211.h    |  1 +
> include/net/cfg80211.h       |  5 +++++
> include/uapi/linux/nl80211.h | 16 ++++++++++++++++
> net/wireless/nl80211.c       | 14 ++++++++++++++
> 4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
> #define FILS_ERP_MAX_RRK_LEN		64
> 
> #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
> 
> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
> enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>  *	CFG80211_MAX_WEP_KEYS WEP keys
>  * @wep_tx_key: key index (0..3) of the default TX static WEP key
>  * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>  */
> struct cfg80211_crypto_settings {
> 	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
> 	struct key_params *wep_keys;
> 	int wep_tx_key;
> 	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;
> };
> 
> /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>  */
> 
> /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>  * enum nl80211_commands - supported nl80211 commands
>  *
>  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>  *
>  * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>  *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>  *
>  * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>  *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
> 	NL80211_ATTR_FTM_RESPONDER,
> 
> 	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,
> 
> 	NL80211_ATTR_TIMEOUT,

so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes:

	/* add attributes here, update the policy in nl80211.c */

More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well.

Regards

Marcel


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (4 preceding siblings ...)
  2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
@ 2019-01-04 10:51 ` Arend Van Spriel
  2019-01-15 13:42 ` Johannes Berg
  6 siblings, 0 replies; 12+ messages in thread
From: Arend Van Spriel @ 2019-01-04 10:51 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Add NL80211_ATTR_IFINDEX attribute to port authorized event to indicate
> the operating interface of the device.
> 
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   net/wireless/nl80211.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 5e49492d5911..594aeba2982a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -14727,7 +14727,8 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
>   		return;
>   	}
>   
> -	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
> +	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
> +	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
>   		goto nla_put_failure;

Maybe also put NL80211_ATTR_WIPHY in the notification to be consistent 
with the other MLME notifications.

Regards,
Arend

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload
  2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
  2019-01-04  9:26   ` Marcel Holtmann
@ 2019-01-04 11:10   ` Arend Van Spriel
  1 sibling, 0 replies; 12+ messages in thread
From: Arend Van Spriel @ 2019-01-04 11:10 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> Let drivers advertise support for station-mode SAE authentication
> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag.

When touching nl80211 api I prefer 'nl80211:' prefix instead of 'cfg80211:'.

> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   include/linux/ieee80211.h    |  1 +
>   include/net/cfg80211.h       |  5 +++++
>   include/uapi/linux/nl80211.h | 16 ++++++++++++++++
>   net/wireless/nl80211.c       | 14 ++++++++++++++
>   4 files changed, 36 insertions(+)
> 
> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> index 3b04e72315e1..37d3e655e547 100644
> --- a/include/linux/ieee80211.h
> +++ b/include/linux/ieee80211.h
> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len {
>   #define FILS_ERP_MAX_RRK_LEN		64
>   
>   #define PMK_MAX_LEN			64
> +#define SAE_PASSWORD_MAX_LEN		128
>   
>   /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */
>   enum ieee80211_pub_actioncode {
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index e0c41eb1c860..5809dac97b33 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -740,6 +740,9 @@ struct survey_info {
>    *	CFG80211_MAX_WEP_KEYS WEP keys
>    * @wep_tx_key: key index (0..3) of the default TX static WEP key
>    * @psk: PSK (for devices supporting 4-way-handshake offload)
> + * @sae_pwd: password for SAE authentication (for devices supporting SAE
> + *	offload)
> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload)
>    */
>   struct cfg80211_crypto_settings {
>   	u32 wpa_versions;
> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings {
>   	struct key_params *wep_keys;
>   	int wep_tx_key;
>   	const u8 *psk;
> +	const u8 *sae_pwd;
> +	u16 sae_pwd_len;

Not really need u16 as max length is defined earlier as 128.

>   };
>   
>   /**
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index 12762afb3a07..4840aaed39ba 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -235,6 +235,15 @@
>    */
>   
>   /**
> + * DOC: SAE authentication offload
> + *
> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they
> + * support offloading SAE authentication for WPA3-Personal networks. In
> + * %NL80211_CMD_CONNECT the password for SAE should be specified using
> + * %NL80211_ATTR_SAE_PASSWORD.
> + */
> +
> +/**
>    * enum nl80211_commands - supported nl80211 commands
>    *
>    * @NL80211_CMD_UNSPEC: unspecified command to catch errors
> @@ -2288,6 +2297,9 @@ enum nl80211_commands {
>    *
>    * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder
>    *	statistics, see &enum nl80211_ftm_responder_stats.
> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It
> + *	is used with %NL80211_CMD_CONNECT to provide password for offloading
> + *	SAE authentication for WPA3-Personal networks.
>    *
>    * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32),
>    *	if the attribute is not given no timeout is requested. Note that 0 is an
> @@ -2743,6 +2755,7 @@ enum nl80211_attrs {
>   	NL80211_ATTR_FTM_RESPONDER,
>   
>   	NL80211_ATTR_FTM_RESPONDER_STATS,
> +	NL80211_ATTR_SAE_PASSWORD,

Marcel already commented on this. These enumerations are ABI. You should 
also change the nl80211_policy to assure the max length 
SAE_PASSWORD_MAX_LEN is not exceeded.

Gr. AvS

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload
  2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
@ 2019-01-07  9:44   ` Arend Van Spriel
  0 siblings, 0 replies; 12+ messages in thread
From: Arend Van Spriel @ 2019-01-07  9:44 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> With 4-way handshake offload for 802.1X authentication, a port
> authorized event should be sent to user space after the completion of
> 4-way handshake. It is used to indicate that a connection is authorized
> and 802.1X authentication is no longer required.

It had been a while since I had looked at our offload code (basically 
since the initial implementation for the nl80211 work) so I was unsure 
why this would be needed.

So initially we added a PORT_AUTHORIZED *attribute* in the nl80211 api 
and later on the PORT_AUTHORIZED *event* was introduced and 4-way hs 
offload support in wpa_supplicant is ignoring the *attribute* and only 
handling the *event*. I think this information is important enough to 
add to this commit message with a reference to commit 503c1fb98ba3 
("cfg80211/nl80211: add a port authorized event") which "broke" the 
functionality in brcmfmac.

Some specific comments below...

Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   .../broadcom/brcm80211/brcmfmac/cfg80211.c         | 23 +++++++++++++++-------
>   1 file changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 35301237d435..ad0d775a1244 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -5266,10 +5266,13 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
>   	u32 event = e->event_code;
>   	u32 status = e->status;
>   
> -	if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
> -	    event == BRCMF_E_PSK_SUP &&
> -	    status == BRCMF_E_STATUS_FWSUP_COMPLETED)
> +	if (event == BRCMF_E_PSK_SUP &&
> +	    status == BRCMF_E_STATUS_FWSUP_COMPLETED) {
>   		set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
> +		if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_1X)
> +			return true;
> +	}
> +

Here things get a bit tricky I think. The old behaviour was to wait for 
both PSK_SUP and SET_SSID events before calling cfg80211_connect_done(). 
If I recall correctly I did that because they can arrive in different 
order depending on the type of offload (1x or psk) but also depends on 
firmware build, so ....

>   	if (event == BRCMF_E_SET_SSID && status == BRCMF_E_STATUS_SUCCESS) {
>   		brcmf_dbg(CONN, "Processing set ssid\n");
>   		memcpy(vif->profile.bssid, e->addr, ETH_ALEN);
> @@ -5280,11 +5283,10 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
>   	}
>   
>   	if (test_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state) &&
> -	    test_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state)) {
> -		clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
> -		clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
> +	    test_and_clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS,
> +			       &vif->sme_state))
>   		return true;
> -	}
> +
>   	return false;
>   }
>   
> @@ -5501,6 +5503,13 @@ brcmf_bss_connect_done(struct brcmf_cfg80211_info *cfg,
>   		brcmf_dbg(CONN, "Report connect result - connection %s\n",
>   			  completed ? "succeeded" : "failed");
>   	}
> +
> +	if (test_and_clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS,
> +			       &ifp->vif->sme_state) &&
> +	    profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X) {
> +		cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
> +		brcmf_dbg(CONN, "Report port authorized\n");
> +	}

I would leave the code in brcmf_is_linkup() as before and only check 
profile->use_fwsup here to determine whether cfg80211_port_authorized() 
should be called here.

>   	brcmf_dbg(TRACE, "Exit\n");
>   	return 0;
>   }
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X
  2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
@ 2019-01-07 12:00   ` Arend Van Spriel
  0 siblings, 0 replies; 12+ messages in thread
From: Arend Van Spriel @ 2019-01-07 12:00 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Franky Lin,
	Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

On 1/4/2019 7:11 AM, Chi-Hsien Lin wrote:
> From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> 
> With FT-802.1X, driver should send a port authorized event right after
> sending a roamed event. It is used to indicate that a new AP is already
> authorized so 802.1X is not required.

Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++++++
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h | 1 +
>   2 files changed, 9 insertions(+)

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event
  2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
                   ` (5 preceding siblings ...)
  2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
@ 2019-01-15 13:42 ` Johannes Berg
  6 siblings, 0 replies; 12+ messages in thread
From: Johannes Berg @ 2019-01-15 13:42 UTC (permalink / raw)
  To: Chi-Hsien Lin, linux-wireless
  Cc: brcm80211-dev-list, brcm80211-dev-list, Arend van Spriel,
	Franky Lin, Hante Meuleman, Wright Feng, Kalle Valo, Stanley Hsu

Please resend this entire set addressing the comments you already got.

johannes


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, back to index

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04  6:11 [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Chi-Hsien Lin
2019-01-04  6:11 ` [PATCH 2/6] brcmfmac: send port authorized event for 802.1X 4-way handshake offload Chi-Hsien Lin
2019-01-07  9:44   ` Arend Van Spriel
2019-01-04  6:11 ` [PATCH 3/6] brcmfmac: send port authorized event for FT-802.1X Chi-Hsien Lin
2019-01-07 12:00   ` Arend Van Spriel
2019-01-04  6:11 ` [PATCH 4/6] nl80211: add WPA3 definition for SAE authentication Chi-Hsien Lin
2019-01-04  6:11 ` [PATCH 5/6] cfg80211: add support for SAE authentication offload Chi-Hsien Lin
2019-01-04  9:26   ` Marcel Holtmann
2019-01-04 11:10   ` Arend Van Spriel
2019-01-04  6:11 ` [PATCH 6/6] brcmfmac: " Chi-Hsien Lin
2019-01-04 10:51 ` [PATCH 1/6] nl80211: add NL80211_ATTR_IFINDEX to port authorized event Arend Van Spriel
2019-01-15 13:42 ` Johannes Berg

Linux-Wireless Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wireless/0 linux-wireless/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wireless linux-wireless/ https://lore.kernel.org/linux-wireless \
		linux-wireless@vger.kernel.org linux-wireless@archiver.kernel.org
	public-inbox-index linux-wireless


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wireless


AGPL code for this site: git clone https://public-inbox.org/ public-inbox