wifi: cfg80211: add support for IEEE 802.1X Authentication Protocol

Add an extended feature flag NL80211_EXT_FEATURE_IEEE8021X_AUTH to
allow a driver to indicate support for the IEEE 802.1X authentication
protocol in non-AP STA mode, as defined in
"IEEE P802.11bi/D4.0, 12.16.5".

In case of SME in userspace, the Authentication frame body is prepared
in userspace while the driver finalizes the Authentication frame once
it receives the required fields and elements. The driver indicates
support for IEEE 802.1X authentication using the extended feature flag
so that userspace can initiate IEEE 802.1X authentication.

When the feature flag is set, process IEEE 802.1X Authentication frames
from userspace in non-AP STA mode. If the flag is not set, reject
IEEE 802.1X Authentication frames.

Define a new authentication type NL80211_AUTHTYPE_IEEE8021X for
IEEE 802.1X authentication.

Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260226185553.1516290-4-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 0aa2fb8f88de4f55f12dc4322689f3a04b966be3..1bf806f853727434a15839f458cb950f6521c4b6 100644 (file)
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1358,6 +1358,7 @@ struct ieee80211_tdls_data {
 #define WLAN_AUTH_FILS_SK 4
 #define WLAN_AUTH_FILS_SK_PFS 5
 #define WLAN_AUTH_FILS_PK 6
+#define WLAN_AUTH_IEEE8021X 8
 #define WLAN_AUTH_EPPKE 9
 #define WLAN_AUTH_LEAP 128
 

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index fe2c8c8d6dd63c7060c2ed4fbc7773f5a8d05e20..0b7a06c2b9f78668decd322b1601cf470b88923a 100644 (file)
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -5491,6 +5491,8 @@ enum nl80211_bss_status {
  * @NL80211_AUTHTYPE_FILS_SK_PFS: Fast Initial Link Setup shared key with PFS
  * @NL80211_AUTHTYPE_FILS_PK: Fast Initial Link Setup public key
  * @NL80211_AUTHTYPE_EPPKE: Enhanced Privacy Protection Key Exchange
+ * @NL80211_AUTHTYPE_IEEE8021X: IEEE 802.1X authentication utilizing
+ *     Authentication frames
  * @__NL80211_AUTHTYPE_NUM: internal
  * @NL80211_AUTHTYPE_MAX: maximum valid auth algorithm
  * @NL80211_AUTHTYPE_AUTOMATIC: determine automatically (if necessary by
@@ -5507,6 +5509,7 @@ enum nl80211_auth_type {
        NL80211_AUTHTYPE_FILS_SK_PFS,
        NL80211_AUTHTYPE_FILS_PK,
        NL80211_AUTHTYPE_EPPKE,
+       NL80211_AUTHTYPE_IEEE8021X,
 
        /* keep last */
        __NL80211_AUTHTYPE_NUM,
@@ -6820,6 +6823,11 @@ enum nl80211_feature_flags {
  *     frames in both non‑AP STA and AP mode as specified in
  *     "IEEE P802.11bi/D3.0, 12.16.6".
  *
+ * @NL80211_EXT_FEATURE_IEEE8021X_AUTH: Driver supports IEEE 802.1X
+ *     authentication utilizing Authentication frames with user space SME
+ *     (NL80211_CMD_AUTHENTICATE) in non-AP STA mode, as specified in
+ *     "IEEE P802.11bi/D4.0, 12.16.5".
+ *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
  */
@@ -6898,6 +6906,7 @@ enum nl80211_ext_feature_index {
        NL80211_EXT_FEATURE_BEACON_RATE_EHT,
        NL80211_EXT_FEATURE_EPPKE,
        NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION,
+       NL80211_EXT_FEATURE_IEEE8021X_AUTH,
 
        /* add new features before the definition below */
        NUM_NL80211_EXT_FEATURES,

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f54b3cca69754bcfdf208e1f87794886be02275a..de7956dbe0a0089734797c3581cf5130e0a3a807 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6550,6 +6550,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
                                             NL80211_EXT_FEATURE_EPPKE) &&
                    auth_type == NL80211_AUTHTYPE_EPPKE)
                        return false;
+               if (!wiphy_ext_feature_isset(&rdev->wiphy,
+                                            NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
+                   auth_type == NL80211_AUTHTYPE_IEEE8021X)
+                       return false;
                return true;
        case NL80211_CMD_CONNECT:
                if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
@@ -6571,6 +6575,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
                                             NL80211_EXT_FEATURE_EPPKE) &&
                    auth_type == NL80211_AUTHTYPE_EPPKE)
                        return false;
+               if (!wiphy_ext_feature_isset(&rdev->wiphy,
+                                            NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
+                   auth_type == NL80211_AUTHTYPE_IEEE8021X)
+                       return false;
                return true;
        case NL80211_CMD_START_AP:
                if (!wiphy_ext_feature_isset(&rdev->wiphy,
@@ -12103,7 +12111,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
             auth_type == NL80211_AUTHTYPE_FILS_SK ||
             auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
             auth_type == NL80211_AUTHTYPE_FILS_PK ||
-            auth_type == NL80211_AUTHTYPE_EPPKE) &&
+            auth_type == NL80211_AUTHTYPE_EPPKE ||
+            auth_type == NL80211_AUTHTYPE_IEEE8021X) &&
            !info->attrs[NL80211_ATTR_AUTH_DATA])
                return -EINVAL;
 
@@ -12112,7 +12121,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
                    auth_type != NL80211_AUTHTYPE_FILS_SK &&
                    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
                    auth_type != NL80211_AUTHTYPE_FILS_PK &&
-                   auth_type != NL80211_AUTHTYPE_EPPKE)
+                   auth_type != NL80211_AUTHTYPE_EPPKE &&
+                   auth_type != NL80211_AUTHTYPE_IEEE8021X)
                        return -EINVAL;
                req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
                req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);