[RFC] netdev: avoid PMKSA for fullmac drivers

public inbox for iwd@lists.linux.dev
 help / color / mirror / Atom feed

* [RFC] netdev: avoid PMKSA for fullmac drivers
@ 2025-01-28 18:04 James Prestwood
  2025-01-29  8:54 ` Martin Petzold
  0 siblings, 1 reply; 4+ messages in thread
From: James Prestwood @ 2025-01-28 18:04 UTC (permalink / raw)
  To: iwd; +Cc: James Prestwood

The fullmac drivers need additional support to correctly work with
PMKSA. This can be disabled via main.conf, but to avoid extra user
configuration avoid the use of PMKSA for fullmac drivers
automatically.
---
 src/netdev.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index 2a6d94fc..7af3c39a 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
 
 		l_debug("Invoking handshake_event()");
 
-		handshake_state_cache_pmksa(&nhs->super);
+		if (nhs->type != CONNECTION_TYPE_FULLMAC)
+			handshake_state_cache_pmksa(&nhs->super);
 
 		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
 			return;
@@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct netdev *netdev)
 		eapol_register(netdev->sm);
 }
 
+static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
+{
+	/*
+	 * Do not use PMKSA if this is a fullmac driver as they need additional
+	 * support (SET_PMKSA) in order to function properly. Until this support
+	 * is added fullmac drivers will not utilize PMKSA.
+	 */
+	if (nhs->type == CONNECTION_TYPE_FULLMAC)
+		return false;
+
+	return nhs->super.have_pmksa;
+}
+
 static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 						struct handshake_state *hs,
 						const uint8_t *prev_bssid)
@@ -2473,7 +2487,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	 *       0 (open) for FT Initial Mobility Domain Association over
 	 *         PMKSA caching
 	 */
-	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
+	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
+					!netdev_handshake_can_use_pmksa(nhs) ?
 					NL80211_AUTHTYPE_SAE :
 					NL80211_AUTHTYPE_OPEN_SYSTEM;
 	enum mpdu_management_subtype subtype = prev_bssid ?
@@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev *netdev,
 	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
 	 * protocol and authenticate using the cached keys.
 	 */
-	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
+	if (IE_AKM_IS_SAE(hs->akm_suite) &&
+					netdev_handshake_can_use_pmksa(nhs)) {
 		l_debug("Skipping SAE by using PMKSA cache");
 		goto build_cmd_connect;
 	}
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [RFC] netdev: avoid PMKSA for fullmac drivers
  2025-01-28 18:04 [RFC] netdev: avoid PMKSA for fullmac drivers James Prestwood
@ 2025-01-29  8:54 ` Martin Petzold
  2025-01-29 14:17   ` James Prestwood
  0 siblings, 1 reply; 4+ messages in thread
From: Martin Petzold @ 2025-01-29  8:54 UTC (permalink / raw)
  To: James Prestwood; +Cc: iwd

Dear James,

Am 28.01.25 um 19:04 schrieb James Prestwood:
> The fullmac drivers need additional support to correctly work with
> PMKSA. This can be disabled via main.conf, but to avoid extra user
> configuration avoid the use of PMKSA for fullmac drivers
> automatically.
> ---
>   src/netdev.c | 22 +++++++++++++++++++---
>   1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 2a6d94fc..7af3c39a 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
>   
>   		l_debug("Invoking handshake_event()");
>   
> -		handshake_state_cache_pmksa(&nhs->super);
> +		if (nhs->type != CONNECTION_TYPE_FULLMAC)
> +			handshake_state_cache_pmksa(&nhs->super);
>   
>   		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>   			return;
> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct netdev *netdev)
>   		eapol_register(netdev->sm);
>   }
>   
> +static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
> +{
> +	/*
> +	 * Do not use PMKSA if this is a fullmac driver as they need additional
> +	 * support (SET_PMKSA) in order to function properly. Until this support
> +	 * is added fullmac drivers will not utilize PMKSA.
> +	 */
> +	if (nhs->type == CONNECTION_TYPE_FULLMAC)
> +		return false;
> +
> +	return nhs->super.have_pmksa;
> +}
> +
>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   						struct handshake_state *hs,
>   						const uint8_t *prev_bssid)
> @@ -2473,7 +2487,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   	 *       0 (open) for FT Initial Mobility Domain Association over
>   	 *         PMKSA caching
>   	 */
> -	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
> +	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> +					!netdev_handshake_can_use_pmksa(nhs) ?
>   					NL80211_AUTHTYPE_SAE :
>   					NL80211_AUTHTYPE_OPEN_SYSTEM;
>   	enum mpdu_management_subtype subtype = prev_bssid ?
> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev *netdev,
>   	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
>   	 * protocol and authenticate using the cached keys.
>   	 */
> -	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> +	if (IE_AKM_IS_SAE(hs->akm_suite) &&
> +					netdev_handshake_can_use_pmksa(nhs)) {
>   		l_debug("Skipping SAE by using PMKSA cache");
>   		goto build_cmd_connect;
>   	}

I also still had problems with the brcmfmac driver and IWD. It was not 
finally resolved. I will try to check again with this patch.

I would really appreciate, if you could have 2-3 brcmfmac devices 
running in your testing environment.

Thanks,

Martin


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] netdev: avoid PMKSA for fullmac drivers
  2025-01-29  8:54 ` Martin Petzold
@ 2025-01-29 14:17   ` James Prestwood
  2025-01-29 16:17     ` KeithG
  0 siblings, 1 reply; 4+ messages in thread
From: James Prestwood @ 2025-01-29 14:17 UTC (permalink / raw)
  To: Martin Petzold; +Cc: iwd

Hi Martin,

On 1/29/25 12:54 AM, Martin Petzold wrote:
> Dear James,
>
> Am 28.01.25 um 19:04 schrieb James Prestwood:
>> The fullmac drivers need additional support to correctly work with
>> PMKSA. This can be disabled via main.conf, but to avoid extra user
>> configuration avoid the use of PMKSA for fullmac drivers
>> automatically.
>> ---
>>   src/netdev.c | 22 +++++++++++++++++++---
>>   1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/netdev.c b/src/netdev.c
>> index 2a6d94fc..7af3c39a 100644
>> --- a/src/netdev.c
>> +++ b/src/netdev.c
>> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct 
>> netdev_handshake_state *nhs)
>>             l_debug("Invoking handshake_event()");
>>   -        handshake_state_cache_pmksa(&nhs->super);
>> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
>> +            handshake_state_cache_pmksa(&nhs->super);
>>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>>               return;
>> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct 
>> netdev *netdev)
>>           eapol_register(netdev->sm);
>>   }
>>   +static bool netdev_handshake_can_use_pmksa(struct 
>> netdev_handshake_state *nhs)
>> +{
>> +    /*
>> +     * Do not use PMKSA if this is a fullmac driver as they need 
>> additional
>> +     * support (SET_PMKSA) in order to function properly. Until this 
>> support
>> +     * is added fullmac drivers will not utilize PMKSA.
>> +     */
>> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
>> +        return false;
>> +
>> +    return nhs->super.have_pmksa;
>> +}
>> +
>>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev 
>> *netdev,
>>                           struct handshake_state *hs,
>>                           const uint8_t *prev_bssid)
>> @@ -2473,7 +2487,8 @@ static struct l_genl_msg 
>> *netdev_build_cmd_connect(struct netdev *netdev,
>>        *       0 (open) for FT Initial Mobility Domain Association over
>>        *         PMKSA caching
>>        */
>> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && 
>> !hs->have_pmksa ?
>> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    !netdev_handshake_can_use_pmksa(nhs) ?
>>                       NL80211_AUTHTYPE_SAE :
>>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
>>       enum mpdu_management_subtype subtype = prev_bssid ?
>> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev 
>> *netdev,
>>        * If SAE, and we have a valid PMKSA cache we can skip the 
>> entire SAE
>>        * protocol and authenticate using the cached keys.
>>        */
>> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
>> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    netdev_handshake_can_use_pmksa(nhs)) {
>>           l_debug("Skipping SAE by using PMKSA cache");
>>           goto build_cmd_connect;
>>       }
>
> I also still had problems with the brcmfmac driver and IWD. It was not 
> finally resolved. I will try to check again with this patch.
>
> I would really appreciate, if you could have 2-3 brcmfmac devices 
> running in your testing environment.

Happy to receive any brcmfmac devices you'd like to send my way ;)

Thanks,

James


>
> Thanks,
>
> Martin
> tea

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] netdev: avoid PMKSA for fullmac drivers
  2025-01-29 14:17   ` James Prestwood
@ 2025-01-29 16:17     ` KeithG
  0 siblings, 0 replies; 4+ messages in thread
From: KeithG @ 2025-01-29 16:17 UTC (permalink / raw)
  To: James Prestwood; +Cc: Martin Petzold, iwd

On Wed, Jan 29, 2025 at 8:17 AM James Prestwood <prestwoj@gmail.com> wrote:
>
> Hi Martin,
>
> On 1/29/25 12:54 AM, Martin Petzold wrote:
> > Dear James,
> >
> > Am 28.01.25 um 19:04 schrieb James Prestwood:
> >> The fullmac drivers need additional support to correctly work with
> >> PMKSA. This can be disabled via main.conf, but to avoid extra user
> >> configuration avoid the use of PMKSA for fullmac drivers
> >> automatically.
> >> ---
> >>   src/netdev.c | 22 +++++++++++++++++++---
> >>   1 file changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/src/netdev.c b/src/netdev.c
> >> index 2a6d94fc..7af3c39a 100644
> >> --- a/src/netdev.c
> >> +++ b/src/netdev.c
> >> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct
> >> netdev_handshake_state *nhs)
> >>             l_debug("Invoking handshake_event()");
> >>   -        handshake_state_cache_pmksa(&nhs->super);
> >> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
> >> +            handshake_state_cache_pmksa(&nhs->super);
> >>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
> >>               return;
> >> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct
> >> netdev *netdev)
> >>           eapol_register(netdev->sm);
> >>   }
> >>   +static bool netdev_handshake_can_use_pmksa(struct
> >> netdev_handshake_state *nhs)
> >> +{
> >> +    /*
> >> +     * Do not use PMKSA if this is a fullmac driver as they need
> >> additional
> >> +     * support (SET_PMKSA) in order to function properly. Until this
> >> support
> >> +     * is added fullmac drivers will not utilize PMKSA.
> >> +     */
> >> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
> >> +        return false;
> >> +
> >> +    return nhs->super.have_pmksa;
> >> +}
> >> +
> >>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
> >> *netdev,
> >>                           struct handshake_state *hs,
> >>                           const uint8_t *prev_bssid)
> >> @@ -2473,7 +2487,8 @@ static struct l_genl_msg
> >> *netdev_build_cmd_connect(struct netdev *netdev,
> >>        *       0 (open) for FT Initial Mobility Domain Association over
> >>        *         PMKSA caching
> >>        */
> >> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> !hs->have_pmksa ?
> >> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    !netdev_handshake_can_use_pmksa(nhs) ?
> >>                       NL80211_AUTHTYPE_SAE :
> >>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
> >>       enum mpdu_management_subtype subtype = prev_bssid ?
> >> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev
> >> *netdev,
> >>        * If SAE, and we have a valid PMKSA cache we can skip the
> >> entire SAE
> >>        * protocol and authenticate using the cached keys.
> >>        */
> >> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> >> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    netdev_handshake_can_use_pmksa(nhs)) {
> >>           l_debug("Skipping SAE by using PMKSA cache");
> >>           goto build_cmd_connect;
> >>       }
> >
> > I also still had problems with the brcmfmac driver and IWD. It was not
> > finally resolved. I will try to check again with this patch.
> >
> > I would really appreciate, if you could have 2-3 brcmfmac devices
> > running in your testing environment.
>
> Happy to receive any brcmfmac devices you'd like to send my way ;)
>
> Thanks,
>
> James
>
>
> >
> > Thanks,
> >
> > Martin
> > tea
>
Actually, I'd be happier to not have any brcmfmac devices but here we are.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-01-29 16:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-28 18:04 [RFC] netdev: avoid PMKSA for fullmac drivers James Prestwood
2025-01-29  8:54 ` Martin Petzold
2025-01-29 14:17   ` James Prestwood
2025-01-29 16:17     ` KeithG

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox