On Mon, 2017-08-14 at 20:14 +0300, Kalle Valo wrote: > Emmanuel Grumbach <emmanuel.grumbach@xxxxxxxxx> writes: > > > User space can now allow the kernel to associate to an AP > > that requires MFP or that doesn't have MFP enabled in the > > same NL80211_CMD_CONNECT command. > > The driver / firmware will decide whether to use it or not. > > > > Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@xxxxxxxxx> > > [...] > > > @@ -4086,10 +4090,12 @@ enum nl80211_key_type { > > * enum nl80211_mfp - Management frame protection state > > * @NL80211_MFP_NO: Management frame protection not used > > * @NL80211_MFP_REQUIRED: Management frame protection required > > + * @NL80211_MFP_OPTIONAL: Management frame is optional > > */ > > enum nl80211_mfp { > > NL80211_MFP_NO, > > NL80211_MFP_REQUIRED, > > + NL80211_MFP_OPTIONAL, > > }; > > > > enum nl80211_wpa_versions { > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > > index 8f035d9868d1..829867132326 100644 > > --- a/net/wireless/nl80211.c > > +++ b/net/wireless/nl80211.c 
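Review bot: the kernel-doc line added for the new value, `+ * @NL80211_MFP_OPTIONAL: Management frame is optional`, drops the word "protection" and so reads as if the frame itself were optional, while the two sibling entries both say "Management frame protection ...". Suggest `* @NL80211_MFP_OPTIONAL: Management frame protection is optional` and, since the commit message says the driver/firmware decides whether to use it, stating that in the kernel-doc too, so a user-space author reading the uapi header learns the semantics without the commit log. Appending the value after NL80211_MFP_REQUIRED keeps the existing numeric values stable, which is the right choice for a uapi enum.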
> > @@ -9115,6 +9115,7 @@ static int nl80211_connect(struct sk_buff > > *skb, struct genl_info *info) > > if (info->attrs[NL80211_ATTR_USE_MFP]) { > > connect.mfp = nla_get_u32(info- > > >attrs[NL80211_ATTR_USE_MFP]); > > if (connect.mfp != NL80211_MFP_REQUIRED && > > + connect.mfp != NL80211_MFP_OPTIONAL && > > connect.mfp != NL80211_MFP_NO) > > return -EINVAL; > > } else { > > I guess I'm missing something, but how is backwards compatibility > supposed to work from user space point of view? If user space uses > NL80211_MFP_OPTIONAL with an old kernel, the kernel will reject the > command with -EINVAL and user space will try again without > NL80211_MFP_OPTIONAL? > No you are not. I simply forgot that point. I guess that this would be the behavior, yes... This is relevant for ap_scan=2 wpa_s configuration only which makes it not really common, but still, you are right. Not sure how easy it will be to write this logic in the supplicant though... Unless we add an nl80211 feature bit but I feel it'd be a bit of a waste. Jouni, what do you think? I know you haven't seen the supplicant patch yet, but here is the gist of it. I allow OPTIONAL in connect() only, and not in associate(): @@ -5790,6 +5786,14 @@ static int wpa_driver_nl80211_try_connect( if (ret) goto fail; + if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_REQUIRED && + nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_REQUIRED)) + goto fail; + + if (params->mgmt_frame_protection == MGMT_FRAME_PROTECTION_OPTIONAL && + nla_put_u32(msg, NL80211_ATTR_USE_MFP, NL80211_MFP_OPTIONAL)) + goto fail; + algs = 0; if (params->auth_alg & WPA_AUTH_ALG_OPEN) algs++;
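Review bot: the widened check in nl80211_connect() (`+ connect.mfp != NL80211_MFP_OPTIONAL &&`) makes the kernel accept the new value, but nothing in the hunk lets user space discover that acceptance in advance, so on an older kernel the same command fails with the generic -EINVAL that also covers a malformed attribute, and the caller cannot distinguish "value not supported" from "bad request"; this is the compatibility gap Kalle raises. Suggest pairing the new value with an advertised capability (the nl80211 feature bit mentioned later in the thread) that user space can test before sending NL80211_MFP_OPTIONAL, and stating in the commit message that drivers must handle the OPTIONAL value, since connect.mfp is stored straight from the attribute and, per the commit message, left to the driver/firmware to honour.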
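Review bot: in the wpa_driver_nl80211_try_connect() hunk the OPTIONAL branch puts NL80211_MFP_OPTIONAL unconditionally, so against a kernel without this enum value the connect request is rejected with -EINVAL and the hunk contains no fallback to NL80211_MFP_NO (the retry behaviour the reply above concedes still has to be written). Suggest either checking a driver/kernel capability before emitting OPTIONAL, or falling back to the pre-patch behaviour for MGMT_FRAME_PROTECTION_OPTIONAL when that capability is absent. Style point: the two back-to-back `if (params->mgmt_frame_protection == ... && nla_put_u32(msg, NL80211_ATTR_USE_MFP, ...)) goto fail;` blocks differ only in the enum pair; a single mapping from params->mgmt_frame_protection to the nl80211 value followed by one nla_put_u32 would make it obvious that the remaining case intentionally sends no attribute.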