[RFC] netdev: avoid PMKSA for fullmac drivers

[RFC] netdev: avoid PMKSA for fullmac drivers

[James Prestwood]

The fullmac drivers need additional support to correctly work with
PMKSA. This can be disabled via main.conf, but to avoid extra user
configuration avoid the use of PMKSA for fullmac drivers
automatically.
---
 src/netdev.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index 2a6d94fc..7af3c39a 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
 
 		l_debug("Invoking handshake_event()");
 
-		handshake_state_cache_pmksa(&nhs->super);
+		if (nhs->type != CONNECTION_TYPE_FULLMAC)
+			handshake_state_cache_pmksa(&nhs->super);
 
 		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
 			return;
@@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct netdev *netdev)
 		eapol_register(netdev->sm);
 }
 
+static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
+{
+	/*
+	 * Do not use PMKSA if this is a fullmac driver as they need additional
+	 * support (SET_PMKSA) in order to function properly. Until this support
+	 * is added fullmac drivers will not utilize PMKSA.
+	 */
+	if (nhs->type == CONNECTION_TYPE_FULLMAC)
+		return false;
+
+	return nhs->super.have_pmksa;
+}
+
 static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 						struct handshake_state *hs,
 						const uint8_t *prev_bssid)
@@ -2473,7 +2487,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	 *       0 (open) for FT Initial Mobility Domain Association over
 	 *         PMKSA caching
 	 */
-	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
+	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
+					!netdev_handshake_can_use_pmksa(nhs) ?
 					NL80211_AUTHTYPE_SAE :
 					NL80211_AUTHTYPE_OPEN_SYSTEM;
 	enum mpdu_management_subtype subtype = prev_bssid ?
@@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev *netdev,
 	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
 	 * protocol and authenticate using the cached keys.
 	 */
-	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
+	if (IE_AKM_IS_SAE(hs->akm_suite) &&
+					netdev_handshake_can_use_pmksa(nhs)) {
 		l_debug("Skipping SAE by using PMKSA cache");
 		goto build_cmd_connect;
 	}
-- 
2.34.1

Re: [RFC] netdev: avoid PMKSA for fullmac drivers

[Martin Petzold]

Dear James,

Am 28.01.25 um 19:04 schrieb James Prestwood:
> The fullmac drivers need additional support to correctly work with
> PMKSA. This can be disabled via main.conf, but to avoid extra user
> configuration avoid the use of PMKSA for fullmac drivers
> automatically.
> ---
>   src/netdev.c | 22 +++++++++++++++++++---
>   1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 2a6d94fc..7af3c39a 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
>   
>   		l_debug("Invoking handshake_event()");
>   
> -		handshake_state_cache_pmksa(&nhs->super);
> +		if (nhs->type != CONNECTION_TYPE_FULLMAC)
> +			handshake_state_cache_pmksa(&nhs->super);
>   
>   		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>   			return;
> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct netdev *netdev)
>   		eapol_register(netdev->sm);
>   }
>   
> +static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
> +{
> +	/*
> +	 * Do not use PMKSA if this is a fullmac driver as they need additional
> +	 * support (SET_PMKSA) in order to function properly. Until this support
> +	 * is added fullmac drivers will not utilize PMKSA.
> +	 */
> +	if (nhs->type == CONNECTION_TYPE_FULLMAC)
> +		return false;
> +
> +	return nhs->super.have_pmksa;
> +}
> +
>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   						struct handshake_state *hs,
>   						const uint8_t *prev_bssid)
> @@ -2473,7 +2487,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   	 *       0 (open) for FT Initial Mobility Domain Association over
>   	 *         PMKSA caching
>   	 */
> -	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
> +	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> +					!netdev_handshake_can_use_pmksa(nhs) ?
>   					NL80211_AUTHTYPE_SAE :
>   					NL80211_AUTHTYPE_OPEN_SYSTEM;
>   	enum mpdu_management_subtype subtype = prev_bssid ?
> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev *netdev,
>   	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
>   	 * protocol and authenticate using the cached keys.
>   	 */
> -	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> +	if (IE_AKM_IS_SAE(hs->akm_suite) &&
> +					netdev_handshake_can_use_pmksa(nhs)) {
>   		l_debug("Skipping SAE by using PMKSA cache");
>   		goto build_cmd_connect;
>   	}

I also still had problems with the brcmfmac driver and IWD. It was not 
finally resolved. I will try to check again with this patch.

I would really appreciate, if you could have 2-3 brcmfmac devices 
running in your testing environment.

Thanks,

Martin

Re: [RFC] netdev: avoid PMKSA for fullmac drivers

[James Prestwood]

Hi Martin,

On 1/29/25 12:54 AM, Martin Petzold wrote:
> Dear James,
>
> Am 28.01.25 um 19:04 schrieb James Prestwood:
>> The fullmac drivers need additional support to correctly work with
>> PMKSA. This can be disabled via main.conf, but to avoid extra user
>> configuration avoid the use of PMKSA for fullmac drivers
>> automatically.
>> ---
>>   src/netdev.c | 22 +++++++++++++++++++---
>>   1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/netdev.c b/src/netdev.c
>> index 2a6d94fc..7af3c39a 100644
>> --- a/src/netdev.c
>> +++ b/src/netdev.c
>> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct 
>> netdev_handshake_state *nhs)
>>             l_debug("Invoking handshake_event()");
>>   -        handshake_state_cache_pmksa(&nhs->super);
>> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
>> +            handshake_state_cache_pmksa(&nhs->super);
>>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>>               return;
>> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct 
>> netdev *netdev)
>>           eapol_register(netdev->sm);
>>   }
>>   +static bool netdev_handshake_can_use_pmksa(struct 
>> netdev_handshake_state *nhs)
>> +{
>> +    /*
>> +     * Do not use PMKSA if this is a fullmac driver as they need 
>> additional
>> +     * support (SET_PMKSA) in order to function properly. Until this 
>> support
>> +     * is added fullmac drivers will not utilize PMKSA.
>> +     */
>> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
>> +        return false;
>> +
>> +    return nhs->super.have_pmksa;
>> +}
>> +
>>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev 
>> *netdev,
>>                           struct handshake_state *hs,
>>                           const uint8_t *prev_bssid)
>> @@ -2473,7 +2487,8 @@ static struct l_genl_msg 
>> *netdev_build_cmd_connect(struct netdev *netdev,
>>        *       0 (open) for FT Initial Mobility Domain Association over
>>        *         PMKSA caching
>>        */
>> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && 
>> !hs->have_pmksa ?
>> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    !netdev_handshake_can_use_pmksa(nhs) ?
>>                       NL80211_AUTHTYPE_SAE :
>>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
>>       enum mpdu_management_subtype subtype = prev_bssid ?
>> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev 
>> *netdev,
>>        * If SAE, and we have a valid PMKSA cache we can skip the 
>> entire SAE
>>        * protocol and authenticate using the cached keys.
>>        */
>> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
>> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    netdev_handshake_can_use_pmksa(nhs)) {
>>           l_debug("Skipping SAE by using PMKSA cache");
>>           goto build_cmd_connect;
>>       }
>
> I also still had problems with the brcmfmac driver and IWD. It was not 
> finally resolved. I will try to check again with this patch.
>
> I would really appreciate, if you could have 2-3 brcmfmac devices 
> running in your testing environment.

Happy to receive any brcmfmac devices you'd like to send my way ;)

Thanks,

James


>
> Thanks,
>
> Martin
> tea

Re: [RFC] netdev: avoid PMKSA for fullmac drivers

[KeithG]

On Wed, Jan 29, 2025 at 8:17 AM James Prestwood <prestwoj@gmail.com> wrote:
>
> Hi Martin,
>
> On 1/29/25 12:54 AM, Martin Petzold wrote:
> > Dear James,
> >
> > Am 28.01.25 um 19:04 schrieb James Prestwood:
> >> The fullmac drivers need additional support to correctly work with
> >> PMKSA. This can be disabled via main.conf, but to avoid extra user
> >> configuration avoid the use of PMKSA for fullmac drivers
> >> automatically.
> >> ---
> >>   src/netdev.c | 22 +++++++++++++++++++---
> >>   1 file changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/src/netdev.c b/src/netdev.c
> >> index 2a6d94fc..7af3c39a 100644
> >> --- a/src/netdev.c
> >> +++ b/src/netdev.c
> >> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct
> >> netdev_handshake_state *nhs)
> >>             l_debug("Invoking handshake_event()");
> >>   -        handshake_state_cache_pmksa(&nhs->super);
> >> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
> >> +            handshake_state_cache_pmksa(&nhs->super);
> >>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
> >>               return;
> >> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct
> >> netdev *netdev)
> >>           eapol_register(netdev->sm);
> >>   }
> >>   +static bool netdev_handshake_can_use_pmksa(struct
> >> netdev_handshake_state *nhs)
> >> +{
> >> +    /*
> >> +     * Do not use PMKSA if this is a fullmac driver as they need
> >> additional
> >> +     * support (SET_PMKSA) in order to function properly. Until this
> >> support
> >> +     * is added fullmac drivers will not utilize PMKSA.
> >> +     */
> >> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
> >> +        return false;
> >> +
> >> +    return nhs->super.have_pmksa;
> >> +}
> >> +
> >>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
> >> *netdev,
> >>                           struct handshake_state *hs,
> >>                           const uint8_t *prev_bssid)
> >> @@ -2473,7 +2487,8 @@ static struct l_genl_msg
> >> *netdev_build_cmd_connect(struct netdev *netdev,
> >>        *       0 (open) for FT Initial Mobility Domain Association over
> >>        *         PMKSA caching
> >>        */
> >> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> !hs->have_pmksa ?
> >> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    !netdev_handshake_can_use_pmksa(nhs) ?
> >>                       NL80211_AUTHTYPE_SAE :
> >>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
> >>       enum mpdu_management_subtype subtype = prev_bssid ?
> >> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev
> >> *netdev,
> >>        * If SAE, and we have a valid PMKSA cache we can skip the
> >> entire SAE
> >>        * protocol and authenticate using the cached keys.
> >>        */
> >> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> >> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    netdev_handshake_can_use_pmksa(nhs)) {
> >>           l_debug("Skipping SAE by using PMKSA cache");
> >>           goto build_cmd_connect;
> >>       }
> >
> > I also still had problems with the brcmfmac driver and IWD. It was not
> > finally resolved. I will try to check again with this patch.
> >
> > I would really appreciate, if you could have 2-3 brcmfmac devices
> > running in your testing environment.
>
> Happy to receive any brcmfmac devices you'd like to send my way ;)
>
> Thanks,
>
> James
>
>
> >
> > Thanks,
> >
> > Martin
> > tea
>
Actually, I'd be happier to not have any brcmfmac devices but here we are.