Merge "cfg80211: Add support for FILS shared key authentication offload"

	WLAN_STATUS_REJECT_DSE_BAND = 96,

	WLAN_STATUS_DENIED_WITH_SUGGESTED_BAND_AND_CHANNEL = 99,

	WLAN_STATUS_DENIED_DUE_TO_SPECTRUM_MANAGEMENT = 103,

	/* 802.11ai */

	WLAN_STATUS_FILS_AUTHENTICATION_FAILURE = 108,

	WLAN_STATUS_UNKNOWN_AUTHENTICATION_SERVER = 109,

};

#define FILS_NONCE_LEN			16

#define FILS_MAX_KEK_LEN		64

#define FILS_ERP_MAX_USERNAME_LEN	16

#define FILS_ERP_MAX_REALM_LEN		253

#define FILS_ERP_MAX_RRK_LEN		64

#define PMK_MAX_LEN			48

/* Public action codes */

enum ieee80211_pub_actioncode {

	WLAN_PUB_ACTION_EXT_CHANSW_ANN = 4,

#define WLAN_AKM_SUITE_TDLS		SUITE(0x000FAC, 7)

#define WLAN_AKM_SUITE_SAE		SUITE(0x000FAC, 8)

#define WLAN_AKM_SUITE_FT_OVER_SAE	SUITE(0x000FAC, 9)

#define WLAN_AKM_SUITE_FILS_SHA256	SUITE(0x000FAC, 14)

#define WLAN_AKM_SUITE_FILS_SHA384	SUITE(0x000FAC, 15)

#define WLAN_AKM_SUITE_FT_FILS_SHA256	SUITE(0x000FAC, 16)

#define WLAN_AKM_SUITE_FT_FILS_SHA384	SUITE(0x000FAC, 17)

#define WLAN_MAX_KEY_LEN		32

 *	the BSSID of the current association, i.e., to the value that is

 *	included in the Current AP address field of the Reassociation Request

 *	frame.

 * @fils_erp_username: EAP re-authentication protocol (ERP) username part of the

 *	NAI or %NULL if not specified. This is used to construct FILS wrapped

 *	data IE.

 * @fils_erp_username_len: Length of @fils_erp_username in octets.

 * @fils_erp_realm: EAP re-authentication protocol (ERP) realm part of NAI or

 *	%NULL if not specified. This specifies the domain name of ER server and

 *	is used to construct FILS wrapped data IE.

 * @fils_erp_realm_len: Length of @fils_erp_realm in octets.

 * @fils_erp_next_seq_num: The next sequence number to use in the FILS ERP

 *	messages. This is also used to construct FILS wrapped data IE.

 * @fils_erp_rrk: ERP re-authentication Root Key (rRK) used to derive additional

 *	keys in FILS or %NULL if not specified.

 * @fils_erp_rrk_len: Length of @fils_erp_rrk in octets.

 */

struct cfg80211_connect_params {

	struct ieee80211_channel *channel;

	bool pbss;

	struct cfg80211_bss_selection bss_select;

	const u8 *prev_bssid;

	const u8 *fils_erp_username;

	size_t fils_erp_username_len;

	const u8 *fils_erp_realm;

	size_t fils_erp_realm_len;

	u16 fils_erp_next_seq_num;

	const u8 *fils_erp_rrk;

	size_t fils_erp_rrk_len;

};

/**

 * This structure is passed to the set/del_pmksa() method for PMKSA

 * caching.

 *

 * @bssid: The AP's BSSID.

 * @pmkid: The PMK material itself.

 * @bssid: The AP's BSSID (may be %NULL).

 * @pmkid: The identifier to refer a PMKSA.

 * @pmk: The PMK for the PMKSA identified by @pmkid. This is used for key

 *	derivation by a FILS STA. Otherwise, %NULL.

 * @pmk_len: Length of the @pmk. The length of @pmk can differ depending on

 *	the hash algorithm used to generate this.

 * @ssid: SSID to specify the ESS within which a PMKSA is valid when using FILS

 *	cache identifier (may be %NULL).

 * @ssid_len: Length of the @ssid in octets.

 * @cache_id: 2-octet cache identifier advertized by a FILS AP identifying the

 *	scope of PMKSA. This is valid only if @ssid_len is non-zero (may be

 *	%NULL).

 */

struct cfg80211_pmksa {

	const u8 *bssid;

	const u8 *pmkid;

	const u8 *pmk;

	size_t pmk_len;

	const u8 *ssid;

	size_t ssid_len;

	const u8 *cache_id;

};

/**

#define CFG80211_TESTMODE_DUMP(cmd)

#endif

/**

 * struct cfg80211_connect_resp_params - Connection response params

 * @status: Status code, %WLAN_STATUS_SUCCESS for successful connection, use

 *	%WLAN_STATUS_UNSPECIFIED_FAILURE if your device cannot give you

 *	the real status code for failures. If this call is used to report a

 *	failure due to a timeout (e.g., not receiving an Authentication frame

 *	from the AP) instead of an explicit rejection by the AP, -1 is used to

 *	indicate that this is a failure, but without a status code.

 *	@timeout_reason is used to report the reason for the timeout in that

 *	case.

 * @bssid: The BSSID of the AP (may be %NULL)

 * @bss: Entry of bss to which STA got connected to, can be obtained through

 *	cfg80211_get_bss() (may be %NULL). Only one parameter among @bssid and

 *	@bss needs to be specified.

 * @req_ie: Association request IEs (may be %NULL)

 * @req_ie_len: Association request IEs length

 * @resp_ie: Association response IEs (may be %NULL)

 * @resp_ie_len: Association response IEs length

 * @fils_kek: KEK derived from a successful FILS connection (may be %NULL)

 * @fils_kek_len: Length of @fils_kek in octets

 * @update_erp_next_seq_num: Boolean value to specify whether the value in

 *	@fils_erp_next_seq_num is valid.

 * @fils_erp_next_seq_num: The next sequence number to use in ERP message in

 *	FILS Authentication. This value should be specified irrespective of the

 *	status for a FILS connection.

 * @pmk: A new PMK if derived from a successful FILS connection (may be %NULL).

 * @pmk_len: Length of @pmk in octets

 * @pmkid: A new PMKID if derived from a successful FILS connection or the PMKID

 *	used for this FILS connection (may be %NULL).

 * @timeout_reason: Reason for connection timeout. This is used when the

 *	connection fails due to a timeout instead of an explicit rejection from

 *	the AP. %NL80211_TIMEOUT_UNSPECIFIED is used when the timeout reason is

 *	not known. This value is used only if @status < 0 to indicate that the

 *	failure is due to a timeout and not due to explicit rejection by the AP.

 *	This value is ignored in other cases (@status >= 0).

 */

struct cfg80211_connect_resp_params {

	int status;

	const u8 *bssid;

	struct cfg80211_bss *bss;

	const u8 *req_ie;

	size_t req_ie_len;

	const u8 *resp_ie;

	size_t resp_ie_len;

	const u8 *fils_kek;

	size_t fils_kek_len;

	bool update_erp_next_seq_num;

	u16 fils_erp_next_seq_num;

	const u8 *pmk;

	size_t pmk_len;

	const u8 *pmkid;

	enum nl80211_timeout_reason timeout_reason;

};

/**

 * cfg80211_connect_done - notify cfg80211 of connection result

 *

 * @dev: network device

 * @params: connection response parameters

 * @gfp: allocation flags

 *

 * It should be called by the underlying driver once execution of the connection

 * request from connect() has been completed. This is similar to

 * cfg80211_connect_bss(), but takes a structure pointer for connection response

 * parameters. Only one of the functions among cfg80211_connect_bss(),

 * cfg80211_connect_result(), cfg80211_connect_timeout(),

 * and cfg80211_connect_done() should be called.

 */

void cfg80211_connect_done(struct net_device *dev,

			   struct cfg80211_connect_resp_params *params,

			   gfp_t gfp);

/**

 * cfg80211_connect_bss - notify cfg80211 of connection result

 *

 * It should be called by the underlying driver once execution of the connection

 * request from connect() has been completed. This is similar to

 * cfg80211_connect_result(), but with the option of identifying the exact bss

 * entry for the connection. Only one of these functions should be called.

 * entry for the connection. Only one of the functions among

 * cfg80211_connect_bss(), cfg80211_connect_result(),

 * cfg80211_connect_timeout(), and cfg80211_connect_done() should be called.

 */

void cfg80211_connect_bss(struct net_device *dev, const u8 *bssid,

static inline void

cfg80211_connect_bss(struct net_device *dev, const u8 *bssid,

		     struct cfg80211_bss *bss, const u8 *req_ie,

		     size_t req_ie_len, const u8 *resp_ie,

		     size_t resp_ie_len, int status, gfp_t gfp,

			  enum nl80211_timeout_reason timeout_reason);

		     enum nl80211_timeout_reason timeout_reason)

{

	struct cfg80211_connect_resp_params params;

	memset(&params, 0, sizeof(params));

	params.status = status;

	params.bssid = bssid;

	params.bss = bss;

	params.req_ie = req_ie;

	params.req_ie_len = req_ie_len;

	params.resp_ie = resp_ie;

	params.resp_ie_len = resp_ie_len;

	params.timeout_reason = timeout_reason;

	cfg80211_connect_done(dev, &params, gfp);

}

/**

 * cfg80211_connect_result - notify cfg80211 of connection result

 * It should be called by the underlying driver once execution of the connection

 * request from connect() has been completed. This is similar to

 * cfg80211_connect_bss() which allows the exact bss entry to be specified. Only

 * one of these functions should be called.

 * one of the functions among cfg80211_connect_bss(), cfg80211_connect_result(),

 * cfg80211_connect_timeout(), and cfg80211_connect_done() should be called.

 */

static inline void

cfg80211_connect_result(struct net_device *dev, const u8 *bssid,

 * in a sequence where no explicit authentication/association rejection was

 * received from the AP. This could happen, e.g., due to not being able to send

 * out the Authentication or Association Request frame or timing out while

 * waiting for the response.

 * waiting for the response. Only one of the functions among

 * cfg80211_connect_bss(), cfg80211_connect_result(),

 * cfg80211_connect_timeout(), and cfg80211_connect_done() should be called.

 */

static inline void

cfg80211_connect_timeout(struct net_device *dev, const u8 *bssid,

 * Multiple such rules can be created.

 */

/**

 * DOC: FILS shared key authentication offload

 *

 * FILS shared key authentication offload can be advertized by drivers by

 * setting @NL80211_EXT_FEATURE_FILS_SK_OFFLOAD flag. The drivers that support

 * FILS shared key authentication offload should be able to construct the

 * authentication and association frames for FILS shared key authentication and

 * eventually do a key derivation as per IEEE 802.11ai. The below additional

 * parameters should be given to driver in %NL80211_CMD_CONNECT.

 *	%NL80211_ATTR_FILS_ERP_USERNAME - used to construct keyname_nai

 *	%NL80211_ATTR_FILS_ERP_REALM - used to construct keyname_nai

 *	%NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM - used to construct erp message

 *	%NL80211_ATTR_FILS_ERP_RRK - used to generate the rIK and rMSK

 * rIK should be used to generate an authentication tag on the ERP message and

 * rMSK should be used to derive a PMKSA.

 * rIK, rMSK should be generated and keyname_nai, sequence number should be used

 * as specified in IETF RFC 6696.

 *

 * When FILS shared key authentication is completed, driver needs to provide the

 * below additional parameters to userspace.

 *	%NL80211_ATTR_FILS_KEK - used for key renewal

 *	%NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM - used in further EAP-RP exchanges

 *	%NL80211_ATTR_PMKID - used to identify the PMKSA used/generated

 *	%Nl80211_ATTR_PMK - used to update PMKSA cache in userspace

 * The PMKSA can be maintained in userspace persistently so that it can be used

 * later after reboots or wifi turn off/on also.

 *

 * %NL80211_ATTR_FILS_CACHE_ID is the cache identifier advertized by a FILS

 * capable AP supporting PMK caching. It specifies the scope within which the

 * PMKSAs are cached in an ESS. %NL80211_CMD_SET_PMKSA and

 * %NL80211_CMD_DEL_PMKSA are enhanced to allow support for PMKSA caching based

 * on FILS cache identifier. Additionally %NL80211_ATTR_PMK is used with

 * %NL80211_SET_PMKSA to specify the PMK corresponding to a PMKSA for driver to

 * use in a FILS shared key connection with PMKSA caching.

 */

/**

 * enum nl80211_commands - supported nl80211 commands

 *

 * @NL80211_CMD_NEW_SURVEY_RESULTS: survey data notification (as a reply to

 *	NL80211_CMD_GET_SURVEY and on the "scan" multicast group)

 *

 * @NL80211_CMD_SET_PMKSA: Add a PMKSA cache entry, using %NL80211_ATTR_MAC

 *	(for the BSSID) and %NL80211_ATTR_PMKID.

 * @NL80211_CMD_SET_PMKSA: Add a PMKSA cache entry using %NL80211_ATTR_MAC

 *	(for the BSSID), %NL80211_ATTR_PMKID, and optionally %NL80211_ATTR_PMK

 *	(PMK is used for PTKSA derivation in case of FILS shared key offload) or

 *	using %NL80211_ATTR_SSID, %NL80211_ATTR_FILS_CACHE_ID,

 *	%NL80211_ATTR_PMKID, and %NL80211_ATTR_PMK in case of FILS

 *	authentication where %NL80211_ATTR_FILS_CACHE_ID is the identifier

 *	advertized by a FILS capable AP identifying the scope of PMKSA in an

 *	ESS.

 * @NL80211_CMD_DEL_PMKSA: Delete a PMKSA cache entry, using %NL80211_ATTR_MAC

 *	(for the BSSID) and %NL80211_ATTR_PMKID.

 *	(for the BSSID) and %NL80211_ATTR_PMKID or using %NL80211_ATTR_SSID,

 *	%NL80211_ATTR_FILS_CACHE_ID, and %NL80211_ATTR_PMKID in case of FILS

 *	authentication.

 * @NL80211_CMD_FLUSH_PMKSA: Flush all PMKSA cache entries.

 *

 * @NL80211_CMD_REG_CHANGE: indicates to userspace the regulatory domain

 *	u32 attribute with an &enum nl80211_timeout_reason value. This is used,

 *	e.g., with %NL80211_CMD_CONNECT event.

 *

 * @NL80211_ATTR_FILS_ERP_USERNAME: EAP Re-authentication Protocol (ERP)

 *	username part of NAI used to refer keys rRK and rIK. This is used with

 *	%NL80211_CMD_CONNECT.

 *

 * @NL80211_ATTR_FILS_ERP_REALM: EAP Re-authentication Protocol (ERP) realm part

 *	of NAI specifying the domain name of the ER server. This is used with

 *	%NL80211_CMD_CONNECT.

 *

 * @NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM: Unsigned 16-bit ERP next sequence number

 *	to use in ERP messages. This is used in generating the FILS wrapped data

 *	for FILS authentication and is used with %NL80211_CMD_CONNECT.

 *

 * @NL80211_ATTR_FILS_ERP_RRK: ERP re-authentication Root Key (rRK) for the

 *	NAI specified by %NL80211_ATTR_FILS_ERP_USERNAME and

 *	%NL80211_ATTR_FILS_ERP_REALM. This is used for generating rIK and rMSK

 *	from successful FILS authentication and is used with

 *	%NL80211_CMD_CONNECT.

 *

 * @NL80211_ATTR_FILS_CACHE_ID: A 2-octet identifier advertized by a FILS AP

 *	identifying the scope of PMKSAs. This is used with

 *	@NL80211_CMD_SET_PMKSA and @NL80211_CMD_DEL_PMKSA.

 *

 * @NL80211_ATTR_PMK: PMK for the PMKSA identified by %NL80211_ATTR_PMKID.

 *	This is used with @NL80211_CMD_SET_PMKSA.

 *

 * @NUM_NL80211_ATTR: total number of nl80211_attrs available

 * @NL80211_ATTR_MAX: highest attribute number currently defined

 * @__NL80211_ATTR_AFTER_LAST: internal use

	NL80211_ATTR_TIMEOUT_REASON,

	NL80211_ATTR_FILS_ERP_USERNAME,

	NL80211_ATTR_FILS_ERP_REALM,

	NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,

	NL80211_ATTR_FILS_ERP_RRK,

	NL80211_ATTR_FILS_CACHE_ID,

	NL80211_ATTR_PMK,

	/* add attributes here, update the policy in nl80211.c */

	__NL80211_ATTR_AFTER_LAST,

 * @NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI: The driver supports sched_scan

 *	for reporting BSSs with better RSSI than the current connected BSS

 *	(%NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI).

 * @NL80211_EXT_FEATURE_CQM_RSSI_LIST: With this driver the

 *	%NL80211_ATTR_CQM_RSSI_THOLD attribute accepts a list of zero or more

 *	RSSI threshold values to monitor rather than exactly one threshold.

 * @NL80211_EXT_FEATURE_FILS_SK_OFFLOAD: Driver SME supports FILS shared key

 *	authentication with %NL80211_CMD_CONNECT.

 *

 * @NUM_NL80211_EXT_FEATURES: number of extended features.

 * @MAX_NL80211_EXT_FEATURES: highest extended feature index.

	NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA,

	NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED,

	NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI,

	NL80211_EXT_FEATURE_CQM_RSSI_LIST,

	NL80211_EXT_FEATURE_FILS_SK_OFFLOAD,

	/* add new features before the definition below */

	NUM_NL80211_EXT_FEATURES,

	enum cfg80211_event_type type;

	union {

		struct {

			u8 bssid[ETH_ALEN];

			const u8 *req_ie;

			const u8 *resp_ie;

			size_t req_ie_len;

			size_t resp_ie_len;

			struct cfg80211_bss *bss;

			int status; /* -1 = failed; 0..65535 = status code */

			enum nl80211_timeout_reason timeout_reason;

		} cr;

		struct cfg80211_connect_resp_params cr;

		struct {

			const u8 *req_ie;

			const u8 *resp_ie;

		     struct cfg80211_connect_params *connect,

		     struct cfg80211_cached_keys *connkeys,

		     const u8 *prev_bssid);

void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,

			       const u8 *req_ie, size_t req_ie_len,

			       const u8 *resp_ie, size_t resp_ie_len,

			       int status, bool wextev,

			       struct cfg80211_bss *bss,

			       enum nl80211_timeout_reason timeout_reason);

void __cfg80211_connect_result(struct net_device *dev,

			       struct cfg80211_connect_resp_params *params,

			       bool wextev);

void __cfg80211_disconnected(struct net_device *dev, const u8 *ie,

			     size_t ie_len, u16 reason, bool from_ap);

int cfg80211_disconnect(struct cfg80211_registered_device *rdev,

	struct wiphy *wiphy = wdev->wiphy;

	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);

	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;

	u8 *ie = mgmt->u.assoc_resp.variable;

	int ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);

	u16 status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);

	struct cfg80211_connect_resp_params cr;

	memset(&cr, 0, sizeof(cr));

	cr.status = (int)le16_to_cpu(mgmt->u.assoc_resp.status_code);

	cr.bssid = mgmt->bssid;

	cr.bss = bss;

	cr.resp_ie = mgmt->u.assoc_resp.variable;

	cr.resp_ie_len =

		len - offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);

	cr.timeout_reason = NL80211_TIMEOUT_UNSPECIFIED;

	trace_cfg80211_send_rx_assoc(dev, bss);

	 * and got a reject -- we only try again with an assoc

	 * frame instead of reassoc.

	 */

	if (cfg80211_sme_rx_assoc_resp(wdev, status_code)) {

	if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) {

		cfg80211_unhold_bss(bss_from_pub(bss));

		cfg80211_put_bss(wiphy, bss);

		return;

	nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL, uapsd_queues);

	/* update current_bss etc., consumes the bss reference */

	__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,

				  status_code,

				  status_code == WLAN_STATUS_SUCCESS, bss,

				  NL80211_TIMEOUT_UNSPECIFIED);

	__cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS);

}

EXPORT_SYMBOL(cfg80211_rx_assoc_resp);