[PATCH 00/29] 11bi: Add Support for EPPKE Authentication
Sai Pratyusha Magam
smagam at qti.qualcomm.com
Thu Dec 11 05:14:14 PST 2025
Add support for the new authentication protocol Enhanced Privacy Protection
Key Exchange (EPPKE) as specified in section 12.16.9 of IEEE P802.11bi/D2.0.
Verified EPPKE Authentication for MLO as well as non-MLO cases with the
new hwsim test script test_eppke.py, and it is working fine. All 19 test cases
are passing successfully.

The new hwsim test cases cover the scenarios below:
1. Initial Connection (MLO and non-MLO with SAE and SAE-EXT-KEY AKMs)
2. Initial Connection with SAE-EXT-KEY AKM with different groups
3. PMKSA Caching Attempt (MLO and non-MLO with SAE and SAE-EXT-KEY AKMs)
Brief summary of the implementation details in AP mode:
- AP Init Sequence
  - Fetch feature support from wiphy capabilities, drv flag updates
  - User configuration options/knobs to control enablement of the feature
  - EPPKE AP Discovery: EPPKE key management suite advertisement in the RSN IE of Beacon and Probe Response frames
  - RSNXE capability bit extensions for (Re)Association Request/Response frame encryption support
- Association Handling
  - Process EPPKE Authentication frames.
  - Netlink command extensions for EPP peer indication in NL80211_CMD_NEW_STATION and NL80211_CMD_ADD_LINK_STA
  - Extensions to existing PASN APIs to accommodate EPPKE. This involves changes in PTK and MIC calculation as per 12.16.9.3.4 PTKSA derivation and MIC computation with EPPKE authentication
  - Modify PASN Authentication frame header APIs to build the EPPKE Authentication frame header if the auth algo is EPPKE
  - EPPKE support for MLO: Basic Multi-Link IE addition to EPPKE Authentication frames; provision for the PMK to be cached in the ML PMK cache.
  - Skip station object deletion after Authentication frame 3 processing
  - Bypass the vendor interface to set keys to the driver (QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT). NL80211_CMD_NEW_KEY is to be used to set pairwise keys to the driver for the EPPKE-initiated link after processing of Authentication frame 1
  - Define the new netlink attribute NL80211_ATTR_EPP_FLAGS for NL80211_CMD_SET_STATION to indicate the negotiated 11bi capabilities of an EPP AP and an EPP non-AP STA
  - (Re)Association Response frame changes
    - RSNE/Key Delivery element in the (Re)Association Response indicating group KDEs to an EPP non-AP STA (frame format as mentioned in section 9.3.3.6 Association Response frame format)
    - Protected bit in the Frame Control field of the 802.11 frame header as an indication to the driver/firmware that this frame needs to be encrypted
  - Skip 4WH, move the PTK state directly to PTKINITDONE and move the peer state to authorized.
Brief summary of the implementation details in STA mode:
- Feature Detection & Enablement
  - Fetch EPPKE and (re)association frame encryption support from wiphy capabilities.
  - Control enablement of EPPKE features (e.g., via wpa_supplicant config).
- Authentication Handling
  - Leverage PASN APIs for EPPKE authentication.
  - Add EPPKE-specific fields to PASN data structures.
  - Extend PASN APIs for EPPKE PTK derivation as per IEEE P802.11bi/D2.0 Section 12.16.9.3.4.
  - Construct EPPKE Authentication frames (M1/M3) and handle EPPKE-specific processing for M2 frames.
  - Offload MIC computation to the kernel for the M3 frame in SME-in-Userspace scenarios.
  - Multi-Link Operation (MLO) support for EPPKE Authentication.
- Key Management
  - Skip the EAPOL 4-way handshake and update wpa_state after successful Association.
  - Set the supplicant port authorized based on wpa_state.
  - Install the TK to the driver after sending Auth M3 to the AP successfully.
  - Remove temporal keys on association failures.
NOTE:
With the new patches, SHA384 and SHA512 support is implemented for SAE-EXT-KEY AKMs.
By default, crypto/sha512.c (which provides SHA384 and SHA512 support) is not compiled
into the kernel, so CONFIG_CRYPTO_SHA512=y needs to be enabled in the kernel configuration
to compile this crypto module, using the steps below for hwsim testing:
1. make ARCH=um menuconfig
   Navigate to:
   Cryptographic API ---> Hashes, digests, and MACs --->
     [ ] SHA-384 and SHA-512
     [ ] HMAC (Keyed-Hash MAC)
   Press `Y` to enable both options, then save and exit.
2. Rebuild the kernel:
   make -j32 ARCH=um
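A non-interactive alternative to the menuconfig steps above, added here as an example and not part of the patch series: it sets the two options in an existing UML .config and verifies they are built in (=y). It assumes the "HMAC (Keyed-Hash MAC)" menu entry is Kconfig symbol CONFIG_CRYPTO_HMAC, and the sample .config it creates is constructed for demonstration only.

```shell
# Added example (not from the patch series): enable the two kernel options
# non-interactively in a UML .config, then verify they are set to =y.
# Assumption: "HMAC (Keyed-Hash MAC)" in menuconfig is Kconfig symbol CONFIG_CRYPTO_HMAC.

enable_kopt() {
    # $1 = path to .config, $2 = symbol name without the CONFIG_ prefix
    cfg=$1
    sym=CONFIG_$2
    if grep -q "^$sym=" "$cfg"; then
        # present with some value (e.g. =m): force it to =y
        sed "s/^$sym=.*/$sym=y/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    elif grep -q "^# $sym is not set" "$cfg"; then
        # present as a disabled marker: replace the marker line
        sed "s/^# $sym is not set/$sym=y/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        # symbol absent from the file: append it
        printf '%s=y\n' "$sym" >> "$cfg"
    fi
}

check_kopt() {
    # succeeds only when the symbol is built in (=y), as the note above requires
    grep -q "^CONFIG_$2=y$" "$1"
}

enable_sha512_for_hwsim() {
    cfg=$1
    enable_kopt "$cfg" CRYPTO_SHA512
    enable_kopt "$cfg" CRYPTO_HMAC
    check_kopt "$cfg" CRYPTO_SHA512 && check_kopt "$cfg" CRYPTO_HMAC
}

make_sample_config() {
    # constructed sample .config covering the cases enable_kopt handles
    printf '%s\n' 'CONFIG_CRYPTO=y' \
        '# CONFIG_CRYPTO_SHA512 is not set' \
        'CONFIG_CRYPTO_HMAC=m' > "$1"
}
```

Run `enable_sha512_for_hwsim .config` in the kernel tree before `make -j32 ARCH=um`; on a real tree `make ARCH=um olddefconfig` afterwards resolves any dependent symbols the edit does not touch.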
Depends-on:
[PATCH wireless-next 00/14] wifi: cfg80211/mac80211: Add Support for EPPKE Authentication
[PATCH wireless-next] wifi: mac80211: Fix AAD/Nonce computation for management frames with MLO
Ainy Kumari (12):
PASN: Extend Secure Hash Algorithm support for SAE-EXT-KEY AKMs
tests: Add PASN hwsim test cases for SAE-EXT-KEY AKM with different groups
Sync nl80211_copy.h with wireless-next linux/nl80211.h
11bi: Rename FILS nonce element and related constants to generic 'nonce'
PASN: Extend RSNXE capability field to 32 bits
EPPKE: Add wiphy capability flag for EPPKE authentication
wpa_supplicant: Add CONFIG_ENC_ASSOC for association frame encryption support
EPPKE: Add EPPKE support to PASN PTK derivation per IEEE P802.11bi/D2.0
EPPKE: Add support for EPPKE authentication for SME-in-Userspace case
EPPKE: Pass hash algorithm to kernel via NL80211_ATTR_HASH_ALG
EPPKE: Update RSNE construction and validation per IEEE P802.11bi/D2.0
EPPKE: Skip 4-Way handshake and authorize supplicant port on association
Kavita Kavita (4):
EPPKE: Skip MIC Element inclusion in auth_data for M3 Auth frame
sme: Add support to install temporal key for EPPKE Authentication Protocol
Add support for temporal key removal on association failure
tests: Enable CONFIG_ENC_ASSOC for hwsim wpa_supplicant
Sai Pratyusha Magam (13):
11bi: Add wiphy capability flag for (Re)Association frame encryption support
11bi: Enhanced Privacy Protection (EPP) related definitions
11bi: Configuration options to control EPP feature support in AP mode
11bi: RSNE/RSNXE capability Extensions in AP mode
PASN: Modify PASN Authentication frame header APIs based on auth_algo
EPPKE: Extend existing PASN APIs for EPPKE Authentication
EPPKE: PTK/MIC Computation and key installation changes in Responder mode
EPPKE: EPP peer indication to driver
EPPKE: EPP capabilities negotiation indication
EPPKE: RSNE/Key delivery element in (Re)Association Response
EPPKE: Skip 4WH and move PTK state directly to PTKINITDONE
tests: Enable CONFIG_ENC_ASSOC for hwsim hostapd
tests: Add EPPKE authentication test cases
hostapd/Makefile | 5 +
hostapd/config_file.c | 12 +
hostapd/defconfig | 3 +
hostapd/hostapd.conf | 23 +
src/ap/ap_config.c | 5 +
src/ap/ap_config.h | 5 +
src/ap/ap_drv_ops.c | 7 +-
src/ap/ap_drv_ops.h | 2 +-
src/ap/ap_mlme.c | 6 +-
src/ap/ieee802_11.c | 173 +++++--
src/ap/ieee802_11_eht.c | 1 +
src/ap/ieee802_11_shared.c | 16 +
src/ap/sta_info.c | 8 +-
src/ap/sta_info.h | 6 +-
src/ap/wpa_auth.c | 126 ++++-
src/ap/wpa_auth.h | 18 +-
src/ap/wpa_auth_glue.c | 25 +
src/ap/wpa_auth_i.h | 3 +
src/ap/wpa_auth_ie.c | 26 +-
src/common/common_module_tests.c | 2 +-
src/common/defs.h | 11 +
src/common/ieee802_11_common.c | 10 +-
src/common/ieee802_11_common.h | 2 +-
src/common/ieee802_11_defs.h | 9 +-
src/common/wpa_common.c | 350 ++++++++++----
src/common/wpa_common.h | 23 +-
src/drivers/driver.h | 24 +
src/drivers/driver_atheros.c | 8 +-
src/drivers/driver_nl80211.c | 64 +++
src/drivers/driver_nl80211_capa.c | 9 +
src/drivers/nl80211_copy.h | 408 +++++++++++++++-
src/p2p/p2p.c | 3 +-
src/pasn/pasn_common.c | 29 +-
src/pasn/pasn_common.h | 40 +-
src/pasn/pasn_initiator.c | 251 ++++++----
src/pasn/pasn_responder.c | 143 +++++-
src/rsn_supp/wpa.c | 20 +-
src/rsn_supp/wpa_i.h | 4 +-
tests/hwsim/example-hostapd.config | 1 +
tests/hwsim/example-wpa_supplicant.config | 1 +
tests/hwsim/test_eppke.py | 556 ++++++++++++++++++++++
tests/hwsim/test_pasn.py | 22 +-
wlantest/rx_mgmt.c | 14 +-
wpa_supplicant/Makefile | 5 +
wpa_supplicant/ctrl_iface.c | 20 +-
wpa_supplicant/defconfig | 3 +
wpa_supplicant/driver_i.h | 3 +-
wpa_supplicant/events.c | 31 +-
wpa_supplicant/ibss_rsn.c | 6 +-
wpa_supplicant/mesh_mpm.c | 6 +-
wpa_supplicant/mesh_rsn.c | 7 +-
wpa_supplicant/pasn_supplicant.c | 6 +-
wpa_supplicant/sme.c | 243 +++++++++-
wpa_supplicant/wpa_supplicant.c | 30 +-
wpa_supplicant/wpa_supplicant_i.h | 2 +-
wpa_supplicant/wpas_glue.c | 9 +-
56 files changed, 2481 insertions(+), 364 deletions(-)
create mode 100644 tests/hwsim/test_eppke.py
base-commit: 3ac77c73f1a04540d7c2a4993389a9f0390921f6
--
2.34.1