RE: [PATCH v3 2/3] cfg80211/nl80211: Optional authentication offload to userspace

2018-01-31 Thread Srinivas Dasari
On Tue, Jan 30, 2018 at 1:23 PM, Johannes Berg wrote:
> On Thu, 2018-01-25 at 17:13 +0200, Jouni Malinen wrote:
>>
>> + if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT]))
>> + connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
>
> It seems like here we should check for connection owner, no?
>
> If you say yes, I can edit that in.

I guess you are referring to the netlink socket owner.
Yes, we do agree with you, and thanks a lot for adding this check.

Regards,
Srinivas.



Re: [PATCH v3 2/3] cfg80211/nl80211: Optional authentication offload to userspace

2018-01-29 Thread Johannes Berg
On Thu, 2018-01-25 at 17:13 +0200, Jouni Malinen wrote:
> 
> + if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT]))
> + connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;

It seems like here we should check for connection owner, no?

If you say yes, I can edit that in.

> +int cfg80211_external_auth_request(struct net_device *dev,
> +struct cfg80211_external_auth_params *params,
> +gfp_t gfp)
> +{
> + struct wireless_dev *wdev = dev->ieee80211_ptr;
> + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
> + struct sk_buff *msg;
> + void *hdr;
> +
> + if (!wdev->conn_owner_nlportid)
> + return -EINVAL;

This still kinda makes sense, of course, though it should only happen
through races (connection owner goes away and we can't tear down the
connection quickly enough before this happens).

johannes


[PATCH v3 2/3] cfg80211/nl80211: Optional authentication offload to userspace

2018-01-25 Thread Jouni Malinen
From: Srinivas Dasari 

This interface allows the host driver to offload the authentication to
user space. This is exclusively defined for host drivers that do not
define separate commands for authentication and association, but rely on
userspace SME (e.g., in wpa_supplicant for the ~WPA_DRIVER_FLAGS_SME
case) for the authentication to happen. This can be used to implement
SAE without full implementation in the kernel/firmware while still being
able to use NL80211_CMD_CONNECT with driver-based BSS selection.

Host driver sends NL80211_CMD_EXTERNAL_AUTH event to start/abort
authentication to the port on which connect is triggered and status
of authentication is further indicated by user space to host
driver through the same command response interface.

User space entities advertise this capability through the
NL80211_ATTR_EXTERNAL_AUTH_SUPP flag in the NL80211_CMD_CONNECT request.
Host drivers shall look at this capability to offload the authentication.

Signed-off-by: Srinivas Dasari 
Signed-off-by: Jouni Malinen 
---
 include/net/cfg80211.h   | 54 +--
 include/uapi/linux/nl80211.h | 48 
 net/wireless/nl80211.c   | 88 
 net/wireless/rdev-ops.h  | 15 
 net/wireless/trace.h | 23 
 5 files changed, 225 insertions(+), 3 deletions(-)

v3:
- rename CONNECT_REQ_EXTERNAL_AUTH_SUPP to
  CONNECT_REQ_EXTERNAL_AUTH_SUPPORT
- rename NL80211_ATTR_EXTERNAL_AUTH_SUPP to
  NL80211_ATTR_EXTERNAL_AUTH_SUPPORT
- remove NL80211_EXT_FEATURE_EXTERNAL_AUTH
- unicast netlink events to the port used for the connect command

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index ab30a22..1aebcf1 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -1903,11 +1903,16 @@ struct cfg80211_auth_request {
  * @ASSOC_REQ_DISABLE_HT:  Disable HT (802.11n)
  * @ASSOC_REQ_DISABLE_VHT:  Disable VHT
  * @ASSOC_REQ_USE_RRM: Declare RRM capability in this association
+ * @CONNECT_REQ_EXTERNAL_AUTH_SUPPORT: User space indicates external
+ *  authentication capability. Drivers can offload authentication to
+ *  userspace if this flag is set. Only applicable for cfg80211_connect()
+ *  request (connect callback).
  */
 enum cfg80211_assoc_req_flags {
-   ASSOC_REQ_DISABLE_HT= BIT(0),
-   ASSOC_REQ_DISABLE_VHT   = BIT(1),
-   ASSOC_REQ_USE_RRM   = BIT(2),
+   ASSOC_REQ_DISABLE_HT= BIT(0),
+   ASSOC_REQ_DISABLE_VHT   = BIT(1),
+   ASSOC_REQ_USE_RRM   = BIT(2),
+   CONNECT_REQ_EXTERNAL_AUTH_SUPPORT   = BIT(3),
 };
 
 /**
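Review bot: CONNECT_REQ_EXTERNAL_AUTH_SUPPORT = BIT(3) is added to enum cfg80211_assoc_req_flags, yet its kernel-doc says it is only applicable to the cfg80211_connect() request, and nothing in the enum keeps the bit out of an association request's flags. Either state in the comment that the bit is ignored for association requests, or move connect-only flags into their own enum. The hunk also rewrites the three existing ASSOC_REQ_* lines only to realign the '=' column, which adds blame churn; if the realignment stays, mention it in the commit message.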
@@ -2599,6 +2604,33 @@ struct cfg80211_pmk_conf {
 };
 
 /**
+ * struct cfg80211_external_auth_params - Trigger External authentication.
+ *
+ * Commonly used across the external auth request and event interfaces.
+ *
+ * @action: action type / trigger for external authentication. Only significant
+ * for the authentication request event interface (driver to user space).
+ * @bssid: BSSID of the peer with which the authentication has
+ * to happen. Used by both the authentication request event and
+ * authentication response command interface.
+ * @ssid: SSID of the AP.  Used by both the authentication request event and
+ * authentication response command interface.
+ * @key_mgmt_suite: AKM suite of the respective authentication. Used by the
+ * authentication request event interface.
+ * @status: status code, %WLAN_STATUS_SUCCESS for successful authentication,
+ * use %WLAN_STATUS_UNSPECIFIED_FAILURE if user space cannot give you
+ * the real status code for failures. Used only for the authentication
+ * response command interface (user space to driver).
+ */
+struct cfg80211_external_auth_params {
+   enum nl80211_external_auth_action action;
+   u8 bssid[ETH_ALEN] __aligned(2);
+   struct cfg80211_ssid ssid;
+   unsigned int key_mgmt_suite;
+   u16 status;
+};
+
+/**
  * struct cfg80211_ops - backend description for wireless configuration
  *
  * This struct is registered by fullmac card drivers and/or wireless stacks
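Review bot: The kernel-doc for @bssid and @ssid says both are used by the response command (user space to driver), but it does not say who checks that they match the request the driver issued. Since @status supplied by user space decides whether authentication is treated as successful, document whether cfg80211 or the driver must verify that the response's BSSID and SSID match the pending external authentication request before acting on the status. Minor: key_mgmt_suite holds an AKM suite selector and would read more clearly as u32 than as unsigned int.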
@@ -2921,6 +2953,9 @@ struct cfg80211_pmk_conf {
  * (invoked with the wireless_dev mutex held)
  * @del_pmk: delete the previously configured PMK for the given authenticator.
  * (invoked with the wireless_dev mutex held)
+ *
+ * @external_auth: indicates result of offloaded authentication processing from
+ * user space
  */
 struct cfg80211_ops {
int (*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
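Review bot: The @external_auth entry does not state its calling context, while the @del_pmk entry just above it notes "(invoked with the wireless_dev mutex held)". Say whether this callback is also invoked with the wireless_dev mutex held, so driver authors know what they may touch from it. The added blank " *" line before the entry also sets it apart from the preceding entries, which are not separated that way.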
@@ -3214,6 +3249,8 @@ struct cfg80211_ops {
   const struct cfg80211_pmk_conf *conf);
int (*del_pmk)(struct wiphy *wiphy, struct net_device *dev,
   const u8 *aa);
+   int (*external_auth)(struct wiphy *wiphy, struct