Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

cfg80211: Add KEK/nonces for FILS association frames

The new nl80211 attributes can be used to provide KEK and nonces to
allow the driver to encrypt and decrypt FILS (Re)Association
Request/Response frames in station mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Jouni Malinen and committed by
Johannes Berg
348bd456 63181060

+32
+3
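--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2096,6 +2096,9 @@
 #define IEEE80211_GCMP_MIC_LEN 16
 #define IEEE80211_GCMP_PN_LEN 6
 
+#define FILS_NONCE_LEN 16
+#define FILS_MAX_KEK_LEN 64
+
 /* Public action codes */
 enum ieee80211_pub_actioncode {
 WLAN_PUB_ACTION_EXT_CHANSW_ANN = 4,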
+9
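--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -1840,6 +1840,12 @@
 * @ht_capa_mask: The bits of ht_capa which are to be used.
 * @vht_capa: VHT capability override
 * @vht_capa_mask: VHT capability mask indicating which fields to use
+* @fils_kek: FILS KEK for protecting (Re)Association Request/Response frame or
+* %NULL if FILS is not used.
+* @fils_kek_len: Length of fils_kek in octets
+* @fils_nonces: FILS nonces (part of AAD) for protecting (Re)Association
+* Request/Response frame or %NULL if FILS is not used. This field starts
+* with 16 octets of STA Nonce followed by 16 octets of AP Nonce.
 */
 struct cfg80211_assoc_request {
 struct cfg80211_bss *bss;
@@ -1851,6 +1857,9 @@
 struct ieee80211_ht_cap ht_capa;
 struct ieee80211_ht_cap ht_capa_mask;
 struct ieee80211_vht_cap vht_capa, vht_capa_mask;
+const u8 *fils_kek;
+size_t fils_kek_len;
+const u8 *fils_nonces;
 };
 
 /**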
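Review bot: The kernel-doc for `@fils_kek` and `@fils_nonces` does not say how long the pointers stay valid, and `fils_nonces` has no length field of its own. In the nl80211.c change on this page both are set from `nla_data()`, so they presumably point into the netlink message and are usable only during the assoc call; a driver that keeps the KEK would have to copy it and should clear that copy when the association ends. I would add to `@fils_kek` a line such as `The buffer is owned by the caller and only valid during the call; copy it if it is needed later.` and state on `@fils_nonces` that the buffer holds `2 * FILS_NONCE_LEN` octets. Part of the struct lies between the two hunks and is not shown.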
+8
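--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1944,6 +1944,11 @@
 * attribute.
 * @NL80211_ATTR_NAN_MATCH: used to report a match. This is a nested attribute.
 * See &enum nl80211_nan_match_attributes.
+* @NL80211_ATTR_FILS_KEK: KEK for FILS (Re)Association Request/Response frame
+* protection.
+* @NL80211_ATTR_FILS_NONCES: Nonces (part of AAD) for FILS (Re)Association
+* Request/Response frame protection. This attribute contains the 16 octet
+* STA Nonce followed by 16 octets of AP Nonce.
 *
 * @NUM_NL80211_ATTR: total number of nl80211_attrs available
 * @NL80211_ATTR_MAX: highest attribute number currently defined
@@ -2343,6 +2348,9 @@
 NL80211_ATTR_NAN_DUAL,
 NL80211_ATTR_NAN_FUNC,
 NL80211_ATTR_NAN_MATCH,
+
+NL80211_ATTR_FILS_KEK,
+NL80211_ATTR_FILS_NONCES,
 
 /* add attributes here, update the policy in nl80211.c */
 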
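Review bot: The UAPI text for `NL80211_ATTR_FILS_KEK` does not tell userspace that the attribute is rejected unless `NL80211_ATTR_FILS_NONCES` is sent with it, nor which KEK lengths are accepted. The nl80211.c change on this page returns -EINVAL when the KEK is present without the nonces and caps the KEK at `FILS_MAX_KEK_LEN`, a constant defined in include/linux/ieee80211.h rather than in a UAPI header, so the number should be spelled out here. I would extend the comment with something like `Must be accompanied by %NL80211_ATTR_FILS_NONCES; at most 64 octets.`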
+12
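--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -414,6 +414,9 @@
 [NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
 [NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 },
 [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
+[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
+.len = FILS_MAX_KEK_LEN },
+[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
 };
 
 /* policy for the key attributes */
@@ -8031,6 +8034,12 @@
 NL80211_EXT_FEATURE_RRM))
 return -EINVAL;
 req.flags |= ASSOC_REQ_USE_RRM;
+}
+
+if (info->attrs[NL80211_ATTR_FILS_KEK]) {
+req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
+req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
+if (!info->attrs[NL80211_ATTR_FILS_NONCES])
+return -EINVAL;
+req.fils_nonces =
+nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
 }
 
 err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);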
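Review bot: In the association-handler hunk, `req.fils_kek_len` is taken straight from `nla_len()`, and the policy entry for `NL80211_ATTR_FILS_KEK` is `NLA_BINARY` with only `.len = FILS_MAX_KEK_LEN`, which bounds the attribute from above, so a zero-length or very short KEK is handed to the driver. Unless a lower bound is enforced somewhere not shown here, a guard such as `if (!req.fils_kek_len) return -EINVAL;` belongs next to the nonces check, so the length is validated once in cfg80211 rather than in every driver. The nonces entry has no `.type`, and as far as I can tell its `.len` then acts as a minimum payload length rather than a maximum; a comment on the policy lines like `/* untyped: .len is the minimum length; for NLA_BINARY it is the maximum */` would keep the two from being misread. The enclosing function starts and ends outside the hunk.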