From: James Prestwood <prestwoj@gmail.com>
To: Jeremy Blum <jeremy@jeremyblum.com>, iwd@lists.linux.dev
Cc: denkenz@gmail.com, marcel@holtmann.org
Subject: Re: [PATCH] netdev: use SAE PWE both for fullmac external auth
Date: Thu, 23 Apr 2026 07:22:36 -0700
Message-ID: <6aca9ccf-a21e-4f67-806c-c534068e26a6@gmail.com>
In-Reply-To: <20260403175038.4533-1-jeremy@jeremyblum.com>
Hi Jeremy,
On 4/3/26 10:50 AM, Jeremy Blum wrote:
> For fullmac external SAE, iwd currently forces Hunt-and-Peck and does
> not include NL80211_ATTR_SAE_PWE in the connect request.
>
> This prevents successful association with H2E-capable APs on at least
> some fullmac drivers, since userspace is effectively constraining SAE
> to Hunt-and-Peck while not advertising the intended SAE PWE policy to
> nl80211.
>
> For fullmac SAE connections without PMKSA reuse, request
> NL80211_SAE_PWE_BOTH and stop forcing Hunt-and-Peck on the SAE state
> machine. This keeps the fullmac external-auth path aligned with the
> actual SAE policy instead of hard-wiring HnP.
>
> Tested on a CYW43455/brcmfmac fullmac device using firmware 7.45.286,
> where this change fixes WPA3 association and traffic on H2E-capable APs.
>
> Signed-off-by: Jeremy Blum <jeremy@jeremyblum.com>
> ---
> src/netdev.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index e639a1f8..94520b5c 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -2600,6 +2600,11 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
> uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
> NL80211_AUTHTYPE_SAE :
> NL80211_AUTHTYPE_OPEN_SYSTEM;
> + uint8_t sae_pwe = nhs->type == CONNECTION_TYPE_FULLMAC &&
> + IE_AKM_IS_SAE(hs->akm_suite) &&
> + !hs->have_pmksa ?
> + NL80211_SAE_PWE_BOTH :
> + NL80211_SAE_PWE_UNSPECIFIED;
> enum mpdu_management_subtype subtype = prev_bssid ?
> MPDU_MANAGEMENT_SUBTYPE_REASSOCIATION_REQUEST :
> MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST;
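Review bot: the sae_pwe initializer repeats the `IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa` test already used for auth_type directly above it, and it relies on && binding tighter than ?: with no parentheses. Consider deriving it from the value already computed, for example `nhs->type == CONNECTION_TYPE_FULLMAC && auth_type == NL80211_AUTHTYPE_SAE`, so the two conditions cannot drift apart, and add a short comment saying why NL80211_SAE_PWE_BOTH is requested for fullmac only.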
> @@ -2618,6 +2623,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
> l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
> l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
> l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
> + if (sae_pwe != NL80211_SAE_PWE_UNSPECIFIED)
> + l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PWE, 1, &sae_pwe);
>
> switch (nhs->type) {
> case CONNECTION_TYPE_SOFTMAC:
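Review bot: NL80211_ATTR_SAE_PWE is appended ahead of the `switch (nhs->type)` and gated on a sentinel value, although it is only ever set for CONNECTION_TYPE_FULLMAC. Appending it where that switch handles the fullmac type would keep the attribute with the other type-specific ones and make the NL80211_SAE_PWE_UNSPECIFIED sentinel unnecessary. The commit message reports testing on a single brcmfmac device, so it would also help to state, in a comment or in the commit message, what is expected from fullmac drivers that do not act on this attribute.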
> @@ -4218,7 +4225,6 @@ static void netdev_connect_common(struct netdev *netdev,
> netdev_external_auth_sae_tx_associate,
> netdev);
> sae_sm_force_default_group(netdev->ap);
> - sae_sm_force_hunt_and_peck(netdev->ap);
> }
>
> if (sae_sm_is_h2e(netdev->ap)) {
>
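Review bot: with `sae_sm_force_hunt_and_peck(netdev->ap)` dropped, the `if (sae_sm_is_h2e(netdev->ap))` check just below can now take effect on the external-auth path, and the removal is not visibly tied to the `!hs->have_pmksa` condition used for sae_pwe in netdev_build_cmd_connect. Please confirm that the H2E branch is meant to run for external auth and say so in a comment next to the remaining sae_sm_force_default_group() call. The diffstat touches only src/netdev.c, so if this was the last caller of sae_sm_force_hunt_and_peck(), the helper can be removed in the same patch.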
> base-commit: d003d0e593323b3de427f01284ede81ba61e9dcc
This looks good to me, though I haven't tested it myself to confirm.
I'll wait for Denis to comment but I'd be ok merging if it solves your
problem.