Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1828006yba; Fri, 10 May 2019 01:34:12 -0700 (PDT) X-Google-Smtp-Source: APXvYqy4xlkIjvk6FlKUpKNGnw0fTTDR3J26m1/3NG133e8u6U6YQdRqi4Tx6t9l9dxowPSqSZau X-Received: by 2002:a62:cfc4:: with SMTP id b187mr12617769pfg.134.1557477252137; Fri, 10 May 2019 01:34:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557477252; cv=none; d=google.com; s=arc-20160816; b=gnbodgYQhKyozn3nVCNsmN3y0JyjVX55aiVPcOK9Ed26teY9favTI95tNDLGBzHHVu j/wDJkUdXrFq5dzY7JCAFnyB7951uZyu2CNMh0kCvgESWOs0+dY4O2tZanfB9jXxRHqZ EX81i6LVkVQ4KUPg+mBXQEZ3VTxuqUy960NZOny6KrjNqzPPuOdNONU+hmKiBkpFxxp7 iLYukYYM0RK3MS7MoSFXVCuMJehtrp9eXatY0Tl9D9x9aVRSdGYoewaPN+xGfSdz+wTF MdYoN+Ug7lMITJf/IzgoFSRwsqVEevJ25VBlqUucgbO6HdBtGZOIsuIoXgE2RPtfpcXz FlIg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=dRyUr/6VwbD/Mc1WGmqdLfQPfEsmFdSKJ20IUf0tTHM=; b=H+SWF5p7donloyJrtVqi0XeULUy526XP+bUmh4IJae1p8ShAioSaSq8+RMB2RikX0h Tl290Y6AWHe9nGchf2lUebIWmy2sXB7mJgfnJeKD2Klxo0lg7y/TjPSAb0cgnRC199pj B65snnlrHFq7/yydi3RSvX2z2RrR2Oc5C1VhqH1kFiortysnF6fmdhFXGpY2n0j0e95c DAjxoT9+L3wE1wDqGYYLnXe9VtJzoBsXI12OuNps4aW3XwGmH9AAdBQexMGSchokwcN3 g+A806B9ghhBtVHQrABxQRCpmVzIilyEbs3p0yfFIBCLhASPkRrDIqwfAx5vKlFXDzEa 8a3w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a24si3120023pls.372.2019.05.10.01.33.45; Fri, 10 May 2019 01:34:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727043AbfEJIct convert rfc822-to-8bit (ORCPT + 99 others); Fri, 10 May 2019 04:32:49 -0400 Received: from coyote.holtmann.net ([212.227.132.17]:40792 "EHLO mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727010AbfEJIct (ORCPT ); Fri, 10 May 2019 04:32:49 -0400 Received: from [172.20.10.2] (x590fee18.dyn.telefonica.de [89.15.238.24]) by mail.holtmann.org (Postfix) with ESMTPSA id A1DD0CF170; Fri, 10 May 2019 10:41:01 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\)) Subject: Re: [PATCH 5/6] cfg80211: add support for SAE authentication offload From: Marcel Holtmann In-Reply-To: <20190509092103.GD74912@aremote06.aus.cypress.com> Date: Fri, 10 May 2019 10:32:44 +0200 Cc: Chi-Hsien Lin , "linux-wireless@vger.kernel.org" , "brcm80211-dev-list@broadcom.com" , brcm80211-dev-list , Arend van Spriel , Franky Lin , Hante Meuleman , Wright Feng , Kalle Valo Content-Transfer-Encoding: 8BIT Message-Id: <5B8ACEB5-FDD4-46D0-AC9C-2DF04EE4AC4F@holtmann.org> References: <1546582221-143220-1-git-send-email-chi-hsien.lin@cypress.com> <1546582221-143220-5-git-send-email-chi-hsien.lin@cypress.com> <2FC4C72C-9E57-4195-A682-F7BAE7F3981E@holtmann.org> <20190509092103.GD74912@aremote06.aus.cypress.com> To: Stanley Hsu X-Mailer: Apple Mail (2.3445.104.8) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi Stanley, >>> Let drivers advertise support for station-mode SAE authentication >>> offload with a new NL80211_EXT_FEATURE_SAE_OFFLOAD flag. >>> >>> Signed-off-by: Chung-Hsien Hsu >>> Signed-off-by: Chi-Hsien Lin >>> --- >>> include/linux/ieee80211.h | 1 + >>> include/net/cfg80211.h | 5 +++++ >>> include/uapi/linux/nl80211.h | 16 ++++++++++++++++ >>> net/wireless/nl80211.c | 14 ++++++++++++++ >>> 4 files changed, 36 insertions(+) >>> >>> diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h >>> index 3b04e72315e1..37d3e655e547 100644 >>> --- a/include/linux/ieee80211.h >>> +++ b/include/linux/ieee80211.h >>> @@ -2596,6 +2596,7 @@ enum ieee80211_key_len { >>> #define FILS_ERP_MAX_RRK_LEN64 >>> >>> #define PMK_MAX_LEN64 >>> +#define SAE_PASSWORD_MAX_LEN128 >>> >>> /* Public action codes (IEEE Std 802.11-2016, 9.6.8.1, Table 9-307) */ >>> enum ieee80211_pub_actioncode { >>> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h >>> index e0c41eb1c860..5809dac97b33 100644 >>> --- a/include/net/cfg80211.h >>> +++ b/include/net/cfg80211.h >>> @@ -740,6 +740,9 @@ struct survey_info { >>> *CFG80211_MAX_WEP_KEYS WEP keys >>> * @wep_tx_key: key index (0..3) of the default TX static WEP key >>> * @psk: PSK (for devices supporting 4-way-handshake offload) >>> + * @sae_pwd: password for SAE authentication (for devices supporting SAE >>> + *offload) >>> + * @sae_pwd_len: length of SAE password (for devices supporting SAE offload) >>> */ >>> struct cfg80211_crypto_settings { >>> u32 wpa_versions; >>> @@ -755,6 +758,8 @@ struct cfg80211_crypto_settings { >>> struct key_params *wep_keys; >>> int wep_tx_key; >>> const u8 *psk; >>> +const u8 *sae_pwd; >>> +u16 sae_pwd_len; >>> }; >>> >>> /** >>> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h >>> index 12762afb3a07..4840aaed39ba 100644 >>> --- a/include/uapi/linux/nl80211.h >>> +++ b/include/uapi/linux/nl80211.h >>> @@ -235,6 +235,15 @@ >>> */ >>> >>> /** >>> + * DOC: SAE authentication offload >>> + * >>> + * By setting @NL80211_EXT_FEATURE_SAE_OFFLOAD flag drivers can indicate they >>> + * support offloading SAE authentication for WPA3-Personal networks. In >>> + * %NL80211_CMD_CONNECT the password for SAE should be specified using >>> + * %NL80211_ATTR_SAE_PASSWORD. >>> + */ >>> + >>> +/** >>> * enum nl80211_commands - supported nl80211 commands >>> * >>> * @NL80211_CMD_UNSPEC: unspecified command to catch errors >>> @@ -2288,6 +2297,9 @@ enum nl80211_commands { >>> * >>> * @NL80211_ATTR_FTM_RESPONDER_STATS: Nested attribute with FTM responder >>> *statistics, see &enum nl80211_ftm_responder_stats. >>> + * @NL80211_ATTR_SAE_PASSWORD: attribute for passing SAE password material. It >>> + *is used with %NL80211_CMD_CONNECT to provide password for offloading >>> + *SAE authentication for WPA3-Personal networks. >>> * >>> * @NL80211_ATTR_TIMEOUT: Timeout for the given operation in milliseconds (u32), >>> *if the attribute is not given no timeout is requested. Note that 0 is an >>> @@ -2743,6 +2755,7 @@ enum nl80211_attrs { >>> NL80211_ATTR_FTM_RESPONDER, >>> >>> NL80211_ATTR_FTM_RESPONDER_STATS, >>> +NL80211_ATTR_SAE_PASSWORD, >>> >>> NL80211_ATTR_TIMEOUT, >> >> so you are breaking user-space API on purpose here even when there was a clear comment where to add new attributes: >> >> /* add attributes here, update the policy in nl80211.c */ > > Hi Marcel, > > Thanks for pointing this out. It was a mistake caused by rebasing the > patch. Will fix it in V2. > >> >> More importantly, does this actually need a new attribute and you can not utilize what has already been added for mesh? If this attribute is solely for offload cases, then it might be better named accordingly. Also I am curious on how mixed WPA1/WPA2/WPA3 network credentials are now provided to a CMD_CONNECT. So the CMD_CONNECT description might require an update as well. > > This new attribute is used to pass the sae_password value, set in the > configuration file of wpa_supplicant, for offloading SAE authentication. > It seems that the existing attributes can not be utilized for the > purpose. Could you please point it out if you know the proper one? To > reflect the content of the attribute, NL80211_ATTR_SAE_PASSWORD should > be a proper name. not everything is wpa_supplicant config files. How does this work with iwd for example. The user can not set a specific SAW password since that is all handled internally. > As for the mixed WPA/WPA2/WPA3 network credentials, no key materials > will be provided in a NL80211_CMD_CONNECT for non-offload cases. When > offload is considered, there is no conflict between WPA/WPA2 4-way > handshake offload and SAE authentication offload. For the WPA/WPA2 > 4-way handshake offload, the PSK is specified using NL80211_ATTR_PMK in > the NL80211_CMD_CONNECT. The corresponding description can be found in > the section "DOC: WPA/WPA2 EAPOL handshake offload". As for the SAE > authentication offload, the sae_password value is provided by > NL80211_ATTR_SAE_PASSWORD in NL80211_CMD_CONNECT. It is described in > the section "DOC: SAE authentication offload" proposed in this patch. Do we have some documentation on how to handle offload for mixed WPA/WPA2/WPA3 networks? I really wonder how nl80211 is supposed to be used in these cases. As mentioned above, not everything is wpa_supplicant and I am curious on how seamless roaming will actually work for offload cases. Regards Marcel