wifi: cfg80211: add support for EPPKE Authentication Protocol
authorAiny Kumari <ainy.kumari@oss.qualcomm.com>
Wed, 14 Jan 2026 11:18:52 +0000 (16:48 +0530)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 14 Jan 2026 13:34:15 +0000 (14:34 +0100)
Add an extended feature flag NL80211_EXT_FEATURE_EPPKE to allow a
driver to indicate support for the Enhanced Privacy Protection Key
Exchange (EPPKE) authentication protocol in non-AP STA mode, as
defined in "IEEE P802.11bi/D3.0, 12.16.9".

In case of SME in userspace, the Authentication frame body is prepared
in userspace while the driver finalizes the Authentication frame once
it receives the required fields and elements. The driver indicates
support for EPPKE using the extended feature flag so that userspace
can initiate EPPKE authentication.

When the feature flag is set, process EPPKE Authentication frames from
userspace in non-AP STA mode. If the flag is not set, reject EPPKE
Authentication frames.

Define a new authentication type NL80211_AUTHTYPE_EPPKE for EPPKE.

Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Co-developed-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260114111900.2196941-2-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
include/linux/ieee80211.h
include/uapi/linux/nl80211.h
net/wireless/nl80211.c

index 96439de55f07a64d8d1965b5b157fd031e9abbf1..fbde215c25aa79efd339aa530896a29dbb1a8ff8 100644 (file)
@@ -1351,6 +1351,7 @@ struct ieee80211_tdls_data {
 #define WLAN_AUTH_FILS_SK 4
 #define WLAN_AUTH_FILS_SK_PFS 5
 #define WLAN_AUTH_FILS_PK 6
+#define WLAN_AUTH_EPPKE 9
 #define WLAN_AUTH_LEAP 128
 
 #define WLAN_AUTH_CHALLENGE_LEN 128
index 964e1c779cdd3a5bba3c9367bc5382d47ea5f8cd..351d4d176f87d6b176ee8ad9a49c60038580ba48 100644 (file)
@@ -5429,6 +5429,7 @@ enum nl80211_bss_status {
  * @NL80211_AUTHTYPE_FILS_SK: Fast Initial Link Setup shared key
  * @NL80211_AUTHTYPE_FILS_SK_PFS: Fast Initial Link Setup shared key with PFS
  * @NL80211_AUTHTYPE_FILS_PK: Fast Initial Link Setup public key
+ * @NL80211_AUTHTYPE_EPPKE: Enhanced Privacy Protection Key Exchange
  * @__NL80211_AUTHTYPE_NUM: internal
  * @NL80211_AUTHTYPE_MAX: maximum valid auth algorithm
  * @NL80211_AUTHTYPE_AUTOMATIC: determine automatically (if necessary by
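Review bot: The kernel-doc line for `@NL80211_AUTHTYPE_EPPKE` gives only the expansion of the name, while the rest of this commit attaches two conditions to the type that a userspace author needs to know. I would extend it to something like `@NL80211_AUTHTYPE_EPPKE: Enhanced Privacy Protection Key Exchange; requires %NL80211_ATTR_AUTH_DATA and is rejected unless the driver sets %NL80211_EXT_FEATURE_EPPKE`. Both conditions are visible in the net/wireless/nl80211.c hunks of this commit. The enum's doc comment starts and ends outside this hunk.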
@@ -5444,6 +5445,7 @@ enum nl80211_auth_type {
        NL80211_AUTHTYPE_FILS_SK,
        NL80211_AUTHTYPE_FILS_SK_PFS,
        NL80211_AUTHTYPE_FILS_PK,
+       NL80211_AUTHTYPE_EPPKE,
 
        /* keep last */
        __NL80211_AUTHTYPE_NUM,
@@ -6748,6 +6750,10 @@ enum nl80211_feature_flags {
  * @NL80211_EXT_FEATURE_BEACON_RATE_EHT: Driver supports beacon rate
  *     configuration (AP/mesh) with EHT rates.
  *
+ * @NL80211_EXT_FEATURE_EPPKE: Driver supports Enhanced Privacy Protection
+ *     Key Exchange (EPPKE) with user space SME (NL80211_CMD_AUTHENTICATE)
+ *     in non-AP STA mode.
+ *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
  */
@@ -6824,6 +6830,7 @@ enum nl80211_ext_feature_index {
        NL80211_EXT_FEATURE_DFS_CONCURRENT,
        NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT,
        NL80211_EXT_FEATURE_BEACON_RATE_EHT,
+       NL80211_EXT_FEATURE_EPPKE,
 
        /* add new features before the definition below */
        NUM_NL80211_EXT_FEATURES,
index 225580507a4b9068b8bfe00544b151578bc5dc77..8f3a27b7d4fdd20e779778f3916eca8301cb9b39 100644 (file)
@@ -6473,6 +6473,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
                     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
                     auth_type == NL80211_AUTHTYPE_FILS_PK))
                        return false;
+               if (!wiphy_ext_feature_isset(&rdev->wiphy,
+                                            NL80211_EXT_FEATURE_EPPKE) &&
+                   auth_type == NL80211_AUTHTYPE_EPPKE)
+                       return false;
                return true;
        case NL80211_CMD_CONNECT:
                if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
@@ -6490,6 +6494,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
                            NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
                    auth_type == NL80211_AUTHTYPE_FILS_SK)
                        return false;
+               if (!wiphy_ext_feature_isset(&rdev->wiphy,
+                                            NL80211_EXT_FEATURE_EPPKE) &&
+                   auth_type == NL80211_AUTHTYPE_EPPKE)
+                       return false;
                return true;
        case NL80211_CMD_START_AP:
                if (!wiphy_ext_feature_isset(&rdev->wiphy,
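Review bot: The new check in the NL80211_CMD_CONNECT case accepts NL80211_AUTHTYPE_EPPKE whenever NL80211_EXT_FEATURE_EPPKE is set, but this commit documents that flag as covering user space SME via NL80211_CMD_AUTHENTICATE only. The neighbouring FILS_SK check in the same case keys on a separate offload flag (NL80211_EXT_FEATURE_FILS_SK_OFFLOAD), so a driver that advertises EPPKE for the userspace-SME path would, as written, also have the type pass validation for CONNECT. If offload is not intended yet, the CONNECT case could reject it outright with `if (auth_type == NL80211_AUTHTYPE_EPPKE) return false;`; otherwise the flag's kernel-doc should say it covers CONNECT too. The NL80211_CMD_START_AP case begins on the last context line and continues outside the hunk; since the commit scopes EPPKE to non-AP STA mode, it is worth confirming that case rejects the new type as well.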
@@ -11956,7 +11964,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
        if ((auth_type == NL80211_AUTHTYPE_SAE ||
             auth_type == NL80211_AUTHTYPE_FILS_SK ||
             auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
-            auth_type == NL80211_AUTHTYPE_FILS_PK) &&
+            auth_type == NL80211_AUTHTYPE_FILS_PK ||
+            auth_type == NL80211_AUTHTYPE_EPPKE) &&
            !info->attrs[NL80211_ATTR_AUTH_DATA])
                return -EINVAL;
 
@@ -11964,7 +11973,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
                if (auth_type != NL80211_AUTHTYPE_SAE &&
                    auth_type != NL80211_AUTHTYPE_FILS_SK &&
                    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
-                   auth_type != NL80211_AUTHTYPE_FILS_PK)
+                   auth_type != NL80211_AUTHTYPE_FILS_PK &&
+                   auth_type != NL80211_AUTHTYPE_EPPKE)
                        return -EINVAL;
                req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
                req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
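Review bot: `req.auth_data_len` is taken straight from `nla_len()` for EPPKE with no lower bound visible in this hunk, so an empty or truncated NL80211_ATTR_AUTH_DATA would be handed to the driver that, per the commit message, finalizes the Authentication frame from those bytes. Unless the attribute policy or every EPPKE-capable driver already enforces a minimum, I would add a length check here for the EPPKE case, with the bound taken from the fixed fields the cited clause requires, and a comment such as `/* EPPKE: userspace supplies the frame body, driver finalizes it */`. The same list of auth types is repeated in the previous hunk as an `==` chain, so both conditions have to be kept in step when a type is added. nl80211_authenticate starts and ends outside the hunk.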