Re: [RFC] netdev: avoid PMKSA for fullmac drivers

[James Prestwood <prestwoj@gmail.com>]

Hi Martin,

On 1/29/25 12:54 AM, Martin Petzold wrote:
> Dear James,
>
> Am 28.01.25 um 19:04 schrieb James Prestwood:
>> The fullmac drivers need additional support to correctly work with
>> PMKSA. This can be disabled via main.conf, but to avoid extra user
>> configuration avoid the use of PMKSA for fullmac drivers
>> automatically.
>> ---
>>   src/netdev.c | 22 +++++++++++++++++++---
>>   1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/netdev.c b/src/netdev.c
>> index 2a6d94fc..7af3c39a 100644
>> --- a/src/netdev.c
>> +++ b/src/netdev.c
>> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct 
>> netdev_handshake_state *nhs)
>>             l_debug("Invoking handshake_event()");
>>   -        handshake_state_cache_pmksa(&nhs->super);
>> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
>> +            handshake_state_cache_pmksa(&nhs->super);
>>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>>               return;
>> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct 
>> netdev *netdev)
>>           eapol_register(netdev->sm);
>>   }
>>   +static bool netdev_handshake_can_use_pmksa(struct 
>> netdev_handshake_state *nhs)
>> +{
>> +    /*
>> +     * Do not use PMKSA if this is a fullmac driver as they need 
>> additional
>> +     * support (SET_PMKSA) in order to function properly. Until this 
>> support
>> +     * is added fullmac drivers will not utilize PMKSA.
>> +     */
>> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
>> +        return false;
>> +
>> +    return nhs->super.have_pmksa;
>> +}
>> +
>>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev 
>> *netdev,
>>                           struct handshake_state *hs,
>>                           const uint8_t *prev_bssid)
>> @@ -2473,7 +2487,8 @@ static struct l_genl_msg 
>> *netdev_build_cmd_connect(struct netdev *netdev,
>>        *       0 (open) for FT Initial Mobility Domain Association over
>>        *         PMKSA caching
>>        */
>> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && 
>> !hs->have_pmksa ?
>> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    !netdev_handshake_can_use_pmksa(nhs) ?
>>                       NL80211_AUTHTYPE_SAE :
>>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
>>       enum mpdu_management_subtype subtype = prev_bssid ?
>> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev 
>> *netdev,
>>        * If SAE, and we have a valid PMKSA cache we can skip the 
>> entire SAE
>>        * protocol and authenticate using the cached keys.
>>        */
>> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
>> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    netdev_handshake_can_use_pmksa(nhs)) {
>>           l_debug("Skipping SAE by using PMKSA cache");
>>           goto build_cmd_connect;
>>       }
>
> I also still had problems with the brcmfmac driver and IWD. It was not 
> finally resolved. I will try to check again with this patch.
>
> I would really appreciate, if you could have 2-3 brcmfmac devices 
> running in your testing environment.

Happy to receive any brcmfmac devices you'd like to send my way ;)

Thanks,

James


>
> Thanks,
>
> Martin
> tea