nl80211: use the new NL80211_MFP_OPTIONAL option

Message ID 1517494917-27712-1-git-send-email-andrei.otcheretianski@intel.com
State Accepted

Commit Message

Otcheretianski, Andrei Feb. 1, 2018, 2:21 p.m.
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

Now we can configure the network block so that it allows
MFP for the NL80211_CMD_CONNECT command. If the kernel
finds an AP that requires MFP, it'll be able to connect
to it.
Note that since NL80211_MFP_OPTIONAL isn't supported for
NL80211_CMD_ASSOCIATE, we need to take the MFP
configuration outside nl80211_connect_common.
In addition, check that NL80211_EXT_FEATURE_MFP_OPTIONAL is
supported, to be backward compatible with older kernels.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
 src/drivers/driver.h              |  2 ++
 src/drivers/driver_nl80211.c      | 17 +++++++++++++----
 src/drivers/driver_nl80211_capa.c |  4 ++++
 3 files changed, 19 insertions(+), 4 deletions(-)

Comments

Otcheretianski, Andrei Feb. 1, 2018, 11:38 a.m. | #1
> -----Original Message-----
> From: Hostap [mailto:hostap-bounces@lists.infradead.org] On Behalf Of Andrei
> Otcheretianski
> Sent: Thursday, February 01, 2018 16:22
> To: hostap@lists.infradead.org
> Cc: Grumbach, Emmanuel <emmanuel.grumbach@intel.com>
> Subject: [PATCH] nl80211: use the new NL80211_MFP_OPTIONAL option
> 
> From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
> 
> Now we can configure the network block so that it allows MFP for the
> NL80211_CMD_CONNECT command. If the kernel finds an AP that requires MFP,
> it'll be able to connect to it.
> Note that since NL80211_MFP_OPTIONAL isn't supported for
> NL80211_CMD_ASSOCIATE, we need to take the MFP configuration outside
> nl80211_connect_common.
> In addition, check that NL80211_EXT_FEATURE_MFP_OPTIONAL is supported, to
> be backward compatible with older kernels.
> 
> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

Hi,

Please note that this patch is supposed to go on top of the "4-way handshake offload support" series, or at least it requires syncing nl80211_copy.h.
Andrei

Jouni Malinen Feb. 17, 2018, 7:19 p.m. | #2
On Thu, Feb 01, 2018 at 04:21:57PM +0200, Andrei Otcheretianski wrote:
> Now we can configure the network block so that it allows
> MFP for the NL80211_CMD_CONNECT command. If the kernel
> finds an AP that requires MFP, it'll be able to connect
> to it.
> Note that since NL80211_MFP_OPTIONAL isn't supported for
> NL80211_CMD_ASSOCIATE, we need to take the MFP
> configuration outside nl80211_connect_common.
> In addition, check that NL80211_EXT_FEATURE_MFP_OPTIONAL is
> supported, to be backward compatible with older kernels.

Thanks, applied.

Patch

diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index e26479f..6eb349e 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -1563,6 +1563,8 @@  struct wpa_driver_capa {
  * functionality but can support only OCE STA-CFON functionality.
  */
 #define WPA_DRIVER_FLAGS_OCE_STA_CFON		0x0020000000000000ULL
+/** Driver supports OPTIONAL MFP in the connect command */
+#define WPA_DRIVER_FLAGS_MFP_OPTIONAL		0x0040000000000000ULL
 	u64 flags;
 
 #define FULL_AP_CLIENT_STATE_SUPP(drv_flags) \
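Review bot: the doc comment on WPA_DRIVER_FLAGS_MFP_OPTIONAL says only "the connect command", which leaves it unclear that it means NL80211_CMD_CONNECT and not NL80211_CMD_ASSOCIATE. Naming the command, and noting that the flag is derived from NL80211_EXT_FEATURE_MFP_OPTIONAL, would keep a later reader from assuming it also covers the associate path.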
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index b67f4a7..2911187 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -5367,10 +5367,6 @@  static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
 	     nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
 		return -1;
 
-	if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_REQUIRED &&
-	    nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_REQUIRED))
-		return -1;
-
 	if (params->rrm_used) {
 		u32 drv_rrm_flags = drv->capa.rrm_flags;
 		if ((!((drv_rrm_flags &
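Review bot: the NL80211_MFP_REQUIRED block removed from nl80211_connect_common is re-added unchanged in both wpa_driver_nl80211_try_connect and wpa_driver_nl80211_associate, so the move duplicates it without changing behaviour. Only the NL80211_MFP_OPTIONAL case is connect-specific; leaving the REQUIRED put in the common function would avoid the duplication and remove the risk that a future caller of nl80211_connect_common sends a request without NL80211_ATTR_USE_MFP when MFP is required. If the move is kept, a comment at this spot saying that callers are responsible for NL80211_ATTR_USE_MFP would help.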
@@ -5441,6 +5437,15 @@  static int wpa_driver_nl80211_try_connect(
 	if (ret)
 		goto fail;
 
+	if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_REQUIRED &&
+	    nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_REQUIRED))
+		goto fail;
+
+	if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_OPTIONAL &&
+	    (drv->capa.flags & WPA_DRIVER_FLAGS_MFP_OPTIONAL) &&
+	    nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_OPTIONAL))
+		goto fail;
+
 	algs = 0;
 	if (params->auth_alg & WPA_AUTH_ALG_OPEN)
 		algs++;
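Review bot: when params->mgmt_frame_protection is MGMT_FRAME_PROTECTION_OPTIONAL and drv->capa.flags lacks WPA_DRIVER_FLAGS_MFP_OPTIONAL, the second added block is skipped silently and no NL80211_ATTR_USE_MFP attribute is sent. That is the intended fallback for older kernels, but nothing in the debug log shows which MFP mode was actually requested. A wpa_printf(MSG_DEBUG, ...) line for each case (required, optional, or optional not supported by the driver), in the same style as the other attribute messages in this file, would make a failed connection to an MFP-required AP much easier to diagnose.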
@@ -5552,6 +5557,10 @@  static int wpa_driver_nl80211_associate(
 	if (ret)
 		goto fail;
 
+	if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_REQUIRED &&
+	    nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_REQUIRED))
+		goto fail;
+
 	if (params->fils_kek) {
 		wpa_printf(MSG_DEBUG, "  * FILS KEK (len=%u)",
 			   (unsigned int) params->fils_kek_len);
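Review bot: the associate path handles only MGMT_FRAME_PROTECTION_REQUIRED, and nothing in the code says that leaving out MGMT_FRAME_PROTECTION_OPTIONAL is deliberate. The commit message explains that NL80211_MFP_OPTIONAL is not supported for NL80211_CMD_ASSOCIATE; a one-line comment above this block stating the same would stop someone from "completing" it later by copying the OPTIONAL block from wpa_driver_nl80211_try_connect.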
diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index fd8b457..e5bc769 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -407,6 +407,10 @@  static void wiphy_info_ext_feature_flags(struct wiphy_info_data *info,
 	    ext_feature_isset(ext_features, len,
 			      NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
 		capa->flags |= WPA_DRIVER_FLAGS_4WAY_HANDSHAKE;
+
+	if (ext_feature_isset(ext_features, len,
+			      NL80211_EXT_FEATURE_MFP_OPTIONAL))
+		capa->flags |= WPA_DRIVER_FLAGS_MFP_OPTIONAL;
 }
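Review bot: the added check uses NL80211_EXT_FEATURE_MFP_OPTIONAL, but the diffstat lists only driver.h, driver_nl80211.c and driver_nl80211_capa.c, so the definition has to come from an nl80211_copy.h update that is not part of this patch. The dependency is mentioned only in the follow-up comment; stating it in the commit message (or including the header sync) would prevent a build failure if the patch is applied on its own.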