From: Johannes Berg <johannes@sipsolutions.net>
To: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Cc: linux-wireless@vger.kernel.org, Jouni Malinen <j@w1.fi>,
ilan.peer@intel.com
Subject: Re: [PATCH wireless-next v3 2/2] wifi: mac80211: set assoc_encrypted for EPP associations
Date: Mon, 04 May 2026 16:15:46 +0200
Message-ID: <0a53312265b6f466f01e169f0b385a0ef4d0b157.camel@sipsolutions.net>
In-Reply-To: <20260504123624.529218-3-kavita.kavita@oss.qualcomm.com>

Hi,

> + /*
> + * If epp_peer set, unprotected (Re)Association Request/Response frames
> + * are dropped, which ensures that the (re)association exchange is
> + * encrypted over the air.
> + */
> + sta = sta_info_get_bss(sdata, sdata->vif.cfg.ap_addr);
> + resp.assoc_encrypted = sta && sta->sta.epp_peer;
>
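Review bot: In the assignment `resp.assoc_encrypted = sta && sta->sta.epp_peer;`, a failed `sta_info_get_bss()` lookup is folded into "not encrypted", so userspace gets the same answer for a missing station entry as for a non-EPP association. If the entry is expected to exist at this point, a check on `sta` that makes the missing case visible would be better than silently reporting false. The comment above the lookup also justifies the value by frame dropping that is not part of this hunk; naming where unprotected (Re)Association Request/Response frames are dropped would let a reader confirm that `epp_peer` implies an encrypted exchange, and "If epp_peer set" should read "If epp_peer is set".
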
Not related to this patch, but something I realised just now looking at
this, coming from your earlier commit 63e7e3b6433f ("wifi: mac80211:
allow key installation before association") ...

The code you added in that commit seems insufficient to me. As far as I
can tell, it's possible to have assoc frame encryption with FT (see
802.11bi D4.0 "12.16.8.2 FT protocol"), but that doesn't explicitly
specify that it can only be FT-over-the-air. If FT-over-the-DS is
possible, then the code in mac80211 cannot support it, because the only
way to get the sta->epp_peer flag set is via authentication (802.1X over
auth frames or EPPKE), and the only way to install the TK before
association is to *have* a station entry in the first place, and have it
have the epp_peer flag already from authentication. It also sort of
breaks down if the station entry is removed for some reason (rather than
not being present in the first place) and from mac80211's POV we go to
assoc immediately without having the station.

One way to fix it would be to add the TK to the ASSOCIATE command, but
that would have to replicate a number of settings there, I'm not sure
that's desirable.

Another way to fix it would be to have an NL80211_AUTHTYPE_FT_EPP or so,
that just does all the processing, adds the AP's station entry and
immediately moves it to authenticated while setting the epp_peer flag.
That way, wpa_s could do this and then proceed to install the key and do
association as it otherwise would.

johannes