From: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, Jouni Malinen <j@w1.fi>,
ilan.peer@intel.com
Subject: Re: [PATCH wireless-next v3 2/2] wifi: mac80211: set assoc_encrypted for EPP associations
Date: Wed, 6 May 2026 14:28:26 +0530
Message-ID: <04b7b4a3-5eb0-4dc2-b12d-22e876a56a59@oss.qualcomm.com>
In-Reply-To: <0a53312265b6f466f01e169f0b385a0ef4d0b157.camel@sipsolutions.net>
On 5/4/2026 7:45 PM, Johannes Berg wrote:
> Hi,
>
>> + /*
>> + * If epp_peer set, unprotected (Re)Association Request/Response frames
>> + * are dropped, which ensures that the (re)association exchange is
>> + * encrypted over the air.
>> + */
>> + sta = sta_info_get_bss(sdata, sdata->vif.cfg.ap_addr);
>> + resp.assoc_encrypted = sta && sta->sta.epp_peer;
>>
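Review bot: the comment in this hunk says that dropping unprotected (Re)Association frames "ensures" the exchange is encrypted, but the value reported to userspace is only `sta && sta->sta.epp_peer`, so it silently reports "not encrypted" whenever no station entry for the AP exists at association time. Consider stating that explicitly in the comment, e.g. "assoc_encrypted is set only when the AP's station entry exists and was marked epp_peer during authentication; without a station entry the exchange is reported as unencrypted", so the NULL case is documented as an intentional limitation rather than left implicit.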
>
> Not related to this patch, but something I realised just now looking at
> this, coming from your earlier commit 63e7e3b6433f ("wifi: mac80211:
> allow key installation before association") ...
>
> The code you added in that commit seems insufficient to me. As far as I
> can tell, it's possible to have assoc frame encryption with FT (see
> 802.11bi D4.0 "12.16.8.2 FT protocol"), but that doesn't explicitly
> specify that it can only be FT-over-the-air. If FT-over-the-DS is
> possible, then the code in mac80211 cannot support it, because the only
> way to get the sta->epp_peer flag set is via authentication (802.1X over
> auth frames or EPPKE), and the only way to install the TK before
> association is to *have* a station entry in the first place, and have it
> have the epp_peer flag already from authentication. It also sort of
> breaks down if the station entry is removed for some reason (rather than
> not being present in the first place) and from mac80211's POV we go to
> assoc immediately without having the station.
>
> One way to fix it would be to add the TK to the ASSOCIATE command, but
> that would have to replicate a number of settings there, I'm not sure
> that's desirable.
>
> Another way to fix it would be to have an NL80211_AUTHTYPE_FT_EPP or so,
> that just does all the processing, adds the AP's station entry and
> immediately moves it to authenticated while setting the epp_peer flag.
> That way, wpa_s could do this and then proceed to install the key and do
> association as it otherwise would.
Thank you for pointing this out. We agree with your points and will follow the
approach you suggested. We will take care of this in the future when we add support
for the FT protocol with (Re)Association frame encryption
("IEEE P802.11bi/D4.0, clause 12.16.8.2").
Currently, we have only implemented support for initial association
(EPPKE and IEEE 802.1X Authentication).
>
> johannes