From patchwork Sun Aug 5 18:31:22 2018
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 10556219
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Alexander Wetzel
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, Alexander Wetzel
Subject: [PATCH v5 1/3] nl80211: Add ATOMIC_KEY_REPLACE API
Date: Sun, 5 Aug 2018 20:31:22 +0200
Message-Id: <20180805183124.29921-2-alexander@wetzel-home.de>
In-Reply-To: <20180805183124.29921-1-alexander@wetzel-home.de>
References: <20180805183124.29921-1-alexander@wetzel-home.de>

Drivers able to correctly replace an in-use key should set
NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE to allow the userspace (e.g. hostapd or
wpa_supplicant) to rekey PTK keys.

The userspace must detect a PTK rekey attempt and only go ahead with the rekey
when the driver has set this flag. If the driver does not support the feature,
the userspace must either not replace the PTK key or perform a full
re-association.

Ignoring this flag and continuing to rekey the connection can still work but has
to be considered insecure and broken. It can leak cleartext packets or freeze
the connection and is only supported to allow the userspace to be updated.

Signed-off-by: Alexander Wetzel
---
 include/uapi/linux/nl80211.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h index 7acc16f34942..b41b9ade0449 100644 --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -5224,6 +5224,11 @@ enum nl80211_feature_flags { * except for supported rates from the probe request content if requested * by the %NL80211_SCAN_FLAG_MIN_PREQ_CONTENT flag. * + * @NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE: Driver/device confirm that they are + * able to rekey an in-use key correctly. Userspace must not rekey PTK keys + * if this flag is not set. Ignoring this can leak clear text packets and/or + * freeze the connection. + * * @NUM_NL80211_EXT_FEATURES: number of extended features. * @MAX_NL80211_EXT_FEATURES: highest extended feature index. */ @@ -5259,6 +5264,7 @@ enum nl80211_ext_feature_index { NL80211_EXT_FEATURE_TXQS, NL80211_EXT_FEATURE_SCAN_RANDOM_SN, NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT, + NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE, /* add new features before the definition below */ NUM_NL80211_EXT_FEATURES,
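Review bot: the new kerneldoc for @NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE (first hunk) says what userspace must not do when the flag is absent but not what it should do instead; the commit message spells that out (skip the PTK replacement or perform a full re-association), and that fallback belongs in the uapi header too, since the header is what hostapd/wpa_supplicant authors will read. Suggest extending the second sentence to something like " * if this flag is not set; it must instead skip the rekey or perform a full re-association." The opening "Driver/device confirm that they are able to rekey an in-use key correctly" also reads awkwardly; "Driver/device confirms that it can replace an in-use key (e.g. a PTK rekey) without leaking cleartext or stalling traffic" would be clearer.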
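Review bot: the placement of NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE right before the "add new features before the definition below" comment (second hunk) is correct, but nothing in this patch makes the kernel itself refuse an in-place pairwise key replacement when the driver has not advertised the flag. The commit message says this is deliberate so that existing userspace keeps working, yet the header comment does not say that the check is userspace-only and unenforced; please state that in the kerneldoc, or add a note on whether a later kernel-side rejection for drivers without the feature is planned once userspace has been updated.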