Add support for the Enhanced Privacy Protection Key Exchange (EPPKE) authentication protocol in non-AP STA mode, as specified in "IEEE P802.11bi/D3.0, 12.16.9". EPPKE is an RSNA authentication protocol that operates using Pre-Association Security Negotiation (PASN) procedures. It consists of three Authentication frames with transaction sequence numbers 1, 2, and 3. The first and third from the non-AP STA and the second from the AP STA. Extend mac80211 to process EPPKE Authentication frames during the authentication phase. Currently, mac80211 processes only frames with the expected transaction number. In the case of EPPKE, process the Authentication frame from the AP only if the transaction number matches the expected value, which is 2. After receiving the final Authentication frame with transaction number 3 from the non-AP STA, it indicates that both the non-AP STA and the AP confirm there are no issues with authentication. Since this is the final confirmation frame to send out, mark the state as authenticated in mac80211. For EPPKE authentication, the Multi-Link element (MLE) must be included in the Authentication frame body by userspace. If the MLE is not present, reject the Authentication frame. Signed-off-by: Kavita Kavita --- net/mac80211/ieee80211_i.h | 2 +- net/mac80211/mlme.c | 25 +++++++++++++++++++------ net/mac80211/util.c | 3 +++ 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 9d9313eee59f..50fd5e83ed6d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -430,7 +430,7 @@ struct ieee80211_mgd_auth_data { u8 ap_addr[ETH_ALEN] __aligned(2); - u16 sae_trans, sae_status; + u16 trans, status; size_t data_len; u8 data[]; }; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index cfb87ae81bb8..4f3ef3d3d4ec 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -4911,6 +4911,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, case WLAN_AUTH_FILS_SK: case WLAN_AUTH_FILS_SK_PFS: case WLAN_AUTH_FILS_PK: + case WLAN_AUTH_EPPKE: break; case WLAN_AUTH_SHARED_KEY: if (ifmgd->auth_data->expected_transaction != 4) { @@ -8305,9 +8306,12 @@ static int ieee80211_auth(struct ieee80211_sub_if_data *sdata) auth_data->expected_transaction = 2; if (auth_data->algorithm == WLAN_AUTH_SAE) { - trans = auth_data->sae_trans; - status = auth_data->sae_status; + trans = auth_data->trans; + status = auth_data->status; auth_data->expected_transaction = trans; + } else if (auth_data->algorithm == WLAN_AUTH_EPPKE) { + trans = auth_data->trans; + status = auth_data->status; } if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) @@ -9222,6 +9226,9 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, case NL80211_AUTHTYPE_FILS_PK: auth_alg = WLAN_AUTH_FILS_PK; break; + case NL80211_AUTHTYPE_EPPKE: + auth_alg = WLAN_AUTH_EPPKE; + break; default: return -EOPNOTSUPP; } @@ -9246,12 +9253,14 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, auth_data->link_id = req->link_id; if (req->auth_data_len >= 4) { - if (req->auth_type == NL80211_AUTHTYPE_SAE) { + if (req->auth_type == NL80211_AUTHTYPE_SAE || + req->auth_type == NL80211_AUTHTYPE_EPPKE) { __le16 *pos = (__le16 *) req->auth_data; - auth_data->sae_trans = le16_to_cpu(pos[0]); - auth_data->sae_status = le16_to_cpu(pos[1]); + auth_data->trans = le16_to_cpu(pos[0]); + auth_data->status = le16_to_cpu(pos[1]); } + memcpy(auth_data->data, req->auth_data + 4, req->auth_data_len - 4); auth_data->data_len += req->auth_data_len - 4; @@ -9302,7 +9311,11 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, * out SAE Confirm. */ if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE && - auth_data->peer_confirmed && auth_data->sae_trans == 2) + auth_data->peer_confirmed && auth_data->trans == 2) + ieee80211_mark_sta_auth(sdata); + + if (cont_auth && req->auth_type == NL80211_AUTHTYPE_EPPKE && + auth_data->trans == 3) ieee80211_mark_sta_auth(sdata); if (ifmgd->associated) { diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 3dc712bad8f7..d1eb55d8854b 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1103,6 +1103,9 @@ void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata, !cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_MULTI_LINK, extra, extra_len)); + if (auth_alg == WLAN_AUTH_EPPKE && add_mle) + return; + /* 24 + 6 = header + auth_algo + auth_transaction + status_code */ skb = dev_alloc_skb(local->hw.extra_tx_headroom + IEEE80211_WEP_IV_LEN + 24 + 6 + extra_len + IEEE80211_WEP_ICV_LEN + -- 2.34.1