[PATCH 0/2] nl80211/cfg80211: Support PMF on drivers with integrated AP SME

[PATCH 0/2] nl80211/cfg80211: Support PMF on drivers with integrated AP SME

[Chet Lanctot]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 2544 bytes --]

These patches represent a small number of changes to the
nl80211/cfg80211 interface to support Protected Management Frames
(PMF, 802.11w) on an AP.  Specifically, these changes are needed for
drivers that have the AP SME integrated.

Support is added for drivers that do not implement the SA Query procedure
that is part of PMF.  Instead, the need for upper layer software to
do this procedure is advertised.  And support is added so that  whether
PMF should be used for station connections is communicated to the driver.

The following changes are made to nl80211/cfg80211.

1.  A new nl80211_ap_sme_feature is defined which is the driver
advertising that it does not support the SA query procedure.  This
means that the upper layer software must register for Re/Association
Request frames from the driver so that these frames can be delivered
by the driver to start an SA Query procedure.  An example of code in
the driver that sets this feature is as follows:
     struct wiphy *wiphy; /* wiphy defined in cfg80211.h */
     .
     .
     .
     wiphy->ap_sme_capa |= BIT(NL80211_AP_SME_FEATURE_NO_SA_QUERY);

2.  A new entry is made in cfg80211_ap_settings that communicates
to the driver whether management frame protection should be used
for station connections.  This entry is passed by upper layer software
using NL80211_CMD_START_AP.  Existing type nl80211_mfp defines the
values that can be used for this entry.  Existing value ^[-Y´no¡ means
that PMF connections cannot be made with stations. Existing value
´required¡ means that all station connections must be PMF protected.
A new value ´optional¡ is defined which means that a connection can
be made if the station supports it, but it is not required.

3.  A new station flag is defined that indicates to the driver that
no SA Query procedure is needed when an Re/Association Request is
received from a station with which there is already a PMF connection.
The upper layer software will set this for a station when an SA Query
procedure for that station has timed out to indicate to the driver
that the next Re/Association Request should be accepted and not passed
to upper layer software.

Chet Lanctot (2):
  nl80211/cfg80211: Driver with AP SME advertises need for PMF SA Query
  nl80211/cfg80211: PMF Requirement communicated to driver with AP SME

 include/net/cfg80211.h       |  3 +++
 include/uapi/linux/nl80211.h | 25 ++++++++++++++++++-------
 net/wireless/nl80211.c       | 12 +++++++++++-
 3 files changed, 32 insertions(+), 8 deletions(-)

-- 
1.7.12.rc0.22.gcdd159b

[PATCH 1/2] nl80211/cfg80211: Driver with AP SME advertises need for PMF SA Query

[Chet Lanctot]

Needed for drivers that have AP SME integrated but do not implement
The SA Query procedure that is part of Protected Management Frames
(PMF, 802.11w).  Instead, the need for upper layer software to do
this procedure is advertised through nl80211/cfg80211.

Signed-off-by: Chet Lanctot <clanctot@codeaurora.org>
---
 include/uapi/linux/nl80211.h | 11 ++++++++---
 net/wireless/nl80211.c       |  3 ++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index eb68735..aa1d122 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1891,6 +1891,9 @@ enum nl80211_iftype {
  * @NL80211_STA_FLAG_ASSOCIATED: station is associated; used with drivers
  *	that support %NL80211_FEATURE_FULL_AP_CLIENT_STATE to transition a
  *	previously added station into associated state
+ * @NL80211_STA_FLAG_NO_SA_QUERY_REQUIRED: no SA Query procedure is needed
+ *	when an association request is received from a station with which there
+ *	is already a MFP connection
  * @NL80211_STA_FLAG_MAX: highest station flag number currently defined
  * @__NL80211_STA_FLAG_AFTER_LAST: internal use
  */
@@ -1903,6 +1906,7 @@ enum nl80211_sta_flags {
 	NL80211_STA_FLAG_AUTHENTICATED,
 	NL80211_STA_FLAG_TDLS_PEER,
 	NL80211_STA_FLAG_ASSOCIATED,
+	NL80211_STA_FLAG_NO_SA_QUERY_REQUIRED,
 
 	/* keep last */
 	__NL80211_STA_FLAG_AFTER_LAST,
@@ -3648,11 +3652,12 @@ enum nl80211_tdls_operation {
 
 /*
  * enum nl80211_ap_sme_features - device-integrated AP features
- * Reserved for future use, no bits are defined in
- * NL80211_ATTR_DEVICE_AP_SME yet.
+ * @NL80211_ATTR_AP_SME_NO_SA_QUERY: This device is not able to do
+ *	the MFP SA query procedure and needs hostapd to do this procedure
+ */
 enum nl80211_ap_sme_features {
+	NL80211_AP_SME_FEATURE_NO_SA_QUERY
 };
- */
 
 /**
  * enum nl80211_feature_flags - device/driver features
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 587ff84..14a14d4 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3766,7 +3766,8 @@ int cfg80211_check_station_change(struct wiphy *wiphy,
 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
 				  BIT(NL80211_STA_FLAG_WME) |
-				  BIT(NL80211_STA_FLAG_MFP)))
+				  BIT(NL80211_STA_FLAG_MFP) |
+				  BIT(NL80211_STA_FLAG_SA_QUERY_REQUIRED)))
 			return -EINVAL;
 
 		/* but authenticated/associated only if driver handles it */
-- 
1.7.12.rc0.22.gcdd159b

Re: [PATCH 1/2] nl80211/cfg80211: Driver with AP SME advertises need for PMF SA Query

[Johannes Berg]

On Tue, 2013-09-17 at 12:31 -0700, Chet Lanctot wrote:
> Needed for drivers that have AP SME integrated but do not implement
> The SA Query procedure that is part of Protected Management Frames
> (PMF, 802.11w).  Instead, the need for upper layer software to do
> this procedure is advertised through nl80211/cfg80211.
> 
> Signed-off-by: Chet Lanctot <clanctot@codeaurora.org>
> ---
>  include/uapi/linux/nl80211.h | 11 ++++++++---
>  net/wireless/nl80211.c       |  3 ++-
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
> index eb68735..aa1d122 100644
> --- a/include/uapi/linux/nl80211.h
> +++ b/include/uapi/linux/nl80211.h
> @@ -1891,6 +1891,9 @@ enum nl80211_iftype {
>   * @NL80211_STA_FLAG_ASSOCIATED: station is associated; used with drivers
>   *	that support %NL80211_FEATURE_FULL_AP_CLIENT_STATE to transition a
>   *	previously added station into associated state
> + * @NL80211_STA_FLAG_NO_SA_QUERY_REQUIRED: no SA Query procedure is needed
> + *	when an association request is received from a station with which there
> + *	is already a MFP connection

I don't understand this part, and also why is it part of the *station*
info? Shouldn't it be part of the new-station event or something like
that? How can it be valid when reading station info later?

johannes

Re: [PATCH 1/2] nl80211/cfg80211: Driver with AP SME advertises need for PMF SA Query

[clanctot]

> On Tue, 2013-09-17 at 12:31 -0700, Chet Lanctot wrote:
>> Needed for drivers that have AP SME integrated but do not implement
>> The SA Query procedure that is part of Protected Management Frames
>> (PMF, 802.11w).  Instead, the need for upper layer software to do
>> this procedure is advertised through nl80211/cfg80211.
>>
>> Signed-off-by: Chet Lanctot <clanctot@codeaurora.org>
>> ---
>>  include/uapi/linux/nl80211.h | 11 ++++++++---
>>  net/wireless/nl80211.c       |  3 ++-
>>  2 files changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
>> index eb68735..aa1d122 100644
>> --- a/include/uapi/linux/nl80211.h
>> +++ b/include/uapi/linux/nl80211.h
>> @@ -1891,6 +1891,9 @@ enum nl80211_iftype {
>>   * @NL80211_STA_FLAG_ASSOCIATED: station is associated; used with
>> drivers
>>   *	that support %NL80211_FEATURE_FULL_AP_CLIENT_STATE to transition a
>>   *	previously added station into associated state
>> + * @NL80211_STA_FLAG_NO_SA_QUERY_REQUIRED: no SA Query procedure is
>> needed
>> + *	when an association request is received from a station with which
>> there
>> + *	is already a MFP connection
>
> I don't understand this part, and also why is it part of the *station*
> info? Shouldn't it be part of the new-station event or something like
> that? How can it be valid when reading station info later?
>
> johannes
>
>

Johannes,

Thank you for your feedback.

>From your comment I can see I did not make clear the purpose of this flag.

“no SA Query required” will be set for the station after the station is
associated with the AP and after the driver has delivered a unprotected
Re/Association Request from the station to hostapd for which hostapd will
initiate an SA Query procedure.  If the SA Query procedure times out (no
response is received) then this “no SA Query required” state will be set
for the station to inform the driver that it should accept the next
Re/Association Request from the station and process it in the normal way.

I will try to make the code comment for this flag clearer.  I will also
try to clarify the commit text to make the change easier to understand.

          - Chet Lanctot

[PATCH 2/2] nl80211/cfg80211: PMF Requirement communicated to driver with AP SME

[Chet Lanctot]

Needed for drivers that have AP SME integrated.  Whether PMF (Protected
Management Frames, 802.11w) should be used for station connections
is communicated from upper layer software through nl80211/cfg80211.

Signed-off-by: Chet Lanctot <clanctot@codeaurora.org>
---
 include/net/cfg80211.h       |  3 +++
 include/uapi/linux/nl80211.h | 14 ++++++++++----
 net/wireless/nl80211.c       |  9 +++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index aeaf6df..5ac389c 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -636,6 +636,8 @@ struct cfg80211_acl_data {
  *	user space)
  * @ssid_len: length of @ssid
  * @hidden_ssid: whether to hide the SSID in Beacon/Probe Response frames
+ * @mfp: indicate whether management frame protection is used for 
+ *	station connections 
  * @crypto: crypto settings
  * @privacy: the BSS uses privacy
  * @auth_type: Authentication type (algorithm)
@@ -655,6 +657,7 @@ struct cfg80211_ap_settings {
 	const u8 *ssid;
 	size_t ssid_len;
 	enum nl80211_hidden_ssid hidden_ssid;
+	enum nl80211_mfp mfp;
 	struct cfg80211_crypto_settings crypto;
 	bool privacy;
 	enum nl80211_auth_type auth_type;
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index aa1d122..f711ab5 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1063,8 +1063,8 @@ enum nl80211_commands {
  *
  * @NL80211_ATTR_USE_MFP: Whether management frame protection (IEEE 802.11w) is
  *	used for the association (&enum nl80211_mfp, represented as a u32);
- *	this attribute can be used
- *	with %NL80211_CMD_ASSOCIATE and %NL80211_CMD_CONNECT requests
+ *	this attribute can be used with %NL80211_CMD_ASSOCIATE,
+ *	%NL80211_CMD_CONNECT, and @NL80211_CMD_START_AP requests
  *
  * @NL80211_ATTR_STA_FLAGS2: Attribute containing a
  *	&struct nl80211_sta_flag_update.
@@ -2934,12 +2934,18 @@ enum nl80211_key_type {
 
 /**
  * enum nl80211_mfp - Management frame protection state
- * @NL80211_MFP_NO: Management frame protection not used
- * @NL80211_MFP_REQUIRED: Management frame protection required
+ * @NL80211_MFP_NO: Management frame protection not used on 
+ *	any connection 
+ * @NL80211_MFP_REQUIRED: Management frame protection required 
+ *	on all connections 
+ * @NL80211_MFP_OPTIONAL: For an AP, management frame 
+ *	protection is optional for a station connection depending
+ *	on whether the station supports MFP
  */
 enum nl80211_mfp {
 	NL80211_MFP_NO,
 	NL80211_MFP_REQUIRED,
+	NL80211_MFP_OPTIONAL,
 };
 
 enum nl80211_wpa_versions {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 14a14d4..1702ae9 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3207,6 +3207,15 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
 			return PTR_ERR(params.acl);
 	}
 
+	if (info->attrs[NL80211_ATTR_USE_MFP]) {
+		params.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
+		if (params.mfp != NL80211_MFP_REQUIRED &&
+		    params.mfp != NL80211_MFP_OPTIONAL &&
+		    params.mfp != NL80211_MFP_NO)
+			return -EINVAL;
+	} else
+		params.mfp = NL80211_MFP_NO;
+
 	err = rdev_start_ap(rdev, dev, &params);
 	if (!err) {
 		wdev->preset_chandef = params.chandef;
-- 
1.7.12.rc0.22.gcdd159b

Re: [PATCH 2/2] nl80211/cfg80211: PMF Requirement communicated to driver with AP SME

[Johannes Berg]

On Tue, 2013-09-17 at 12:31 -0700, Chet Lanctot wrote:
> Needed for drivers that have AP SME integrated.  Whether PMF (Protected
> Management Frames, 802.11w) should be used for station connections
> is communicated from upper layer software through nl80211/cfg80211.

This is a bit unclear, what's expected of the driver?


> +	if (info->attrs[NL80211_ATTR_USE_MFP]) {
> +		params.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
> +		if (params.mfp != NL80211_MFP_REQUIRED &&
> +		    params.mfp != NL80211_MFP_OPTIONAL &&
> +		    params.mfp != NL80211_MFP_NO)
> +			return -EINVAL;
> +	} else
> +		params.mfp = NL80211_MFP_NO;
> +

checkpatch.

johannes

Re: [PATCH 2/2] nl80211/cfg80211: PMF Requirement communicated to driver with AP SME

[clanctot]

> On Tue, 2013-09-17 at 12:31 -0700, Chet Lanctot wrote:
>> Needed for drivers that have AP SME integrated.  Whether PMF (Protected
>> Management Frames, 802.11w) should be used for station connections
>> is communicated from upper layer software through nl80211/cfg80211.
>
> This is a bit unclear, what's expected of the driver?
>

Johannes,

Thank you for your feedback.

I will expand the commit text to make it clearer that is expected of the
driver.

>
>> +	if (info->attrs[NL80211_ATTR_USE_MFP]) {
>> +		params.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
>> +		if (params.mfp != NL80211_MFP_REQUIRED &&
>> +		    params.mfp != NL80211_MFP_OPTIONAL &&
>> +		    params.mfp != NL80211_MFP_NO)
>> +			return -EINVAL;
>> +	} else
>> +		params.mfp = NL80211_MFP_NO;
>> +
>
> checkpatch.
>
> johannes
>
>

Re: [PATCH 0/2] nl80211/cfg80211: Support PMF on drivers with integrated AP SME

[Jouni Malinen]

On Tue, Sep 17, 2013 at 12:31:34PM -0700, Chet Lanctot wrote:
> These patches represent a small number of changes to the
> nl80211/cfg80211 interface to support Protected Management Frames
> (PMF, 802.11w) on an AP.  Specifically, these changes are needed for
> drivers that have the AP SME integrated.
> 
> Support is added for drivers that do not implement the SA Query procedure
> that is part of PMF.  Instead, the need for upper layer software to
> do this procedure is advertised.  And support is added so that  whether
> PMF should be used for station connections is communicated to the driver.

The patches here have some issues in not compiling and formatting
(trailing whitespace) and as such, cannot be applied as-is. I'd expect a
new version to be posted to address those issues.

That said, if there is any feedback on the general direction used here,
that would obviously be welcome even before the updated patches are
posted.

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 0/2] nl80211/cfg80211: Support PMF on drivers with integrated AP SME

[clanctot]

> On Tue, Sep 17, 2013 at 12:31:34PM -0700, Chet Lanctot wrote:
>> These patches represent a small number of changes to the
>> nl80211/cfg80211 interface to support Protected Management Frames
>> (PMF, 802.11w) on an AP.  Specifically, these changes are needed for
>> drivers that have the AP SME integrated.
>>
>> Support is added for drivers that do not implement the SA Query
>> procedure
>> that is part of PMF.  Instead, the need for upper layer software to
>> do this procedure is advertised.  And support is added so that  whether
>> PMF should be used for station connections is communicated to the
>> driver.
>
> The patches here have some issues in not compiling and formatting
> (trailing whitespace) and as such, cannot be applied as-is. I'd expect a
> new version to be posted to address those issues.
>
> That said, if there is any feedback on the general direction used here,
> that would obviously be welcome even before the updated patches are
> posted.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
>

Thank you Jouni for your comments.

You are correct, a new version of the patches will be sent out that
address the compiling and formatting issues.  I am also getting feedback
from others, and I will incorporate that feedback as well before sending
out the updated patches.

   - Chet Lanctot