wifi: mac80211: allow key installation before association

Currently, mac80211 allows key installation only after association
completes. However, Enhanced Privacy Protection Key Exchange (EPPKE)
requires key installation before association to enable encryption and
decryption of (Re)Association Request and Response frames.

Add support to install keys prior to association when the peer is an
Enhanced Privacy Protection (EPP) peer that requires encryption and
decryption of (Re)Association Request and Response frames.

Introduce a new boolean parameter "epp_peer" in the "ieee80211_sta"
profile to indicate that the peer supports the Enhanced Privacy
Protection Key Exchange (EPPKE) protocol. For non-AP STA mode, it
is set when the authentication algorithm is WLAN_AUTH_EPPKE during
station profile initialization. For AP mode, it is set during
NL80211_CMD_NEW_STA and NL80211_CMD_ADD_LINK_STA.

When "epp_peer" parameter is set, mac80211 now accepts keys before
association and enables encryption of the (Re)Association
Request/Response frames.

Co-developed-by: Sai Pratyusha Magam <sai.magam@oss.qualcomm.com>
Signed-off-by: Sai Pratyusha Magam <sai.magam@oss.qualcomm.com>
Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260114111900.2196941-6-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 36daccef6554625c9e0aa63554183b4a96cd9d0a..36ae7fe9ddf35190921f4fee0fe3294418007a56 100644 (file)
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -2520,6 +2520,7 @@ struct ieee80211_link_sta {
  *     by the AP.
  * @valid_links: bitmap of valid links, or 0 for non-MLO
  * @spp_amsdu: indicates whether the STA uses SPP A-MSDU or not.
+ * @epp_peer: indicates that the peer is an EPP peer.
  */
 struct ieee80211_sta {
        u8 addr[ETH_ALEN] __aligned(2);
@@ -2544,6 +2545,7 @@ struct ieee80211_sta {
        struct ieee80211_txq *txq[IEEE80211_NUM_TIDS + 1];
 
        u16 valid_links;
+       bool epp_peer;
        struct ieee80211_link_sta deflink;
        struct ieee80211_link_sta __rcu *link[IEEE80211_MLD_MAX_NUM_LINKS];
 

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index fe6be11a7f440ca931b3b4aaa3ca136a08f04242..964f440e31cdb2517f3daba5f003c6115316c227 100644 (file)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -680,10 +680,18 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
                 * association has completed, this rejects that attempt
                 * so it will set the key again after association.
                 *
+                * With (re)association frame encryption enabled, cfg80211
+                * may deliver keys to mac80211 before the station has
+                * associated. In that case, accept the key if the station
+                * is an Enhanced Privacy Protection (EPP) peer.
+                * If (re)association frame encryption support is not present,
+                * cfg80211 will not allow key installation in non‑AP STA mode.
+                *
                 * TODO: accept the key if we have a station entry and
-                *       add it to the device after the station.
+                *       add it to the device after the station associates.
                 */
-               if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
+               if (!sta || (!sta->sta.epp_peer &&
+                            !test_sta_flag(sta, WLAN_STA_ASSOC))) {
                        ieee80211_key_free_unused(key);
                        return -ENOENT;
                }
@@ -2198,6 +2206,9 @@ static int sta_apply_parameters(struct ieee80211_local *local,
        mask = params->sta_flags_mask;
        set = params->sta_flags_set;
 
+       if (params->epp_peer)
+               sta->sta.epp_peer = true;
+
        if (ieee80211_vif_is_mesh(&sdata->vif)) {
                /*
                 * In mesh mode, ASSOCIATED isn't part of the nl80211

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ddff090e7dce320c885aebd034cea03cb2b55059..977303fdfd9feac18970536bcf01351a7e864686 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -8964,6 +8964,10 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
                        goto out_err;
                }
 
+               if (ifmgd->auth_data &&
+                   ifmgd->auth_data->algorithm == WLAN_AUTH_EPPKE)
+                       new_sta->sta.epp_peer = true;
+
                new_sta->sta.mlo = mlo;
        }