* [PATCH] netdev: use SAE PWE both for fullmac external auth
@ 2026-04-03 17:50 Jeremy Blum
2026-04-23 14:22 ` James Prestwood
0 siblings, 1 reply; 2+ messages in thread
From: Jeremy Blum @ 2026-04-03 17:50 UTC (permalink / raw)
To: iwd; +Cc: denkenz, prestwoj, marcel, Jeremy Blum
For fullmac external SAE, iwd currently forces Hunt-and-Peck and does
not include NL80211_ATTR_SAE_PWE in the connect request.

This prevents successful association with H2E-capable APs on at least
some fullmac drivers, since userspace is effectively constraining SAE
to Hunt-and-Peck while not advertising the intended SAE PWE policy to
nl80211.

For fullmac SAE connections without PMKSA reuse, request
NL80211_SAE_PWE_BOTH and stop forcing Hunt-and-Peck on the SAE state
machine. This keeps the fullmac external-auth path aligned with the
actual SAE policy instead of hard-wiring HnP.

Tested on a CYW43455/brcmfmac fullmac device using firmware 7.45.286,
where this change fixes WPA3 association and traffic on H2E-capable APs.

Signed-off-by: Jeremy Blum <jeremy@jeremyblum.com>
---
src/netdev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/netdev.c b/src/netdev.c
index e639a1f8..94520b5c 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2600,6 +2600,11 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
NL80211_AUTHTYPE_SAE :
NL80211_AUTHTYPE_OPEN_SYSTEM;
+ uint8_t sae_pwe = nhs->type == CONNECTION_TYPE_FULLMAC &&
+ IE_AKM_IS_SAE(hs->akm_suite) &&
+ !hs->have_pmksa ?
+ NL80211_SAE_PWE_BOTH :
+ NL80211_SAE_PWE_UNSPECIFIED;
enum mpdu_management_subtype subtype = prev_bssid ?
MPDU_MANAGEMENT_SUBTYPE_REASSOCIATION_REQUEST :
MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST;
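Review bot: The new sae_pwe initializer hard-codes NL80211_SAE_PWE_BOTH for every fullmac SAE connect without PMKSA, so Hunt-and-Peck stays permitted even when the target AP is H2E-capable; the commit message says this aligns with "the actual SAE policy", but nothing in the visible lines derives the value from the AP's advertised capability or from any setting. Consider choosing the mechanism from the same state that sae_sm_is_h2e() reports, or add a comment stating why BOTH is the intended policy here. The condition also repeats the IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa test used for auth_type just above; reusing auth_type == NL80211_AUTHTYPE_SAE and parenthesizing the && chain ahead of the ?: would keep the two from drifting apart and make the precedence obvious.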
@@ -2618,6 +2623,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
+ if (sae_pwe != NL80211_SAE_PWE_UNSPECIFIED)
+ l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PWE, 1, &sae_pwe);
switch (nhs->type) {
case CONNECTION_TYPE_SOFTMAC:
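Review bot: The added l_genl_msg_append_attr() call for NL80211_ATTR_SAE_PWE is guarded only by the value of sae_pwe, with no check that the driver or kernel in use accepts the attribute in a connect request. The commit message reports testing on a single CYW43455/brcmfmac device, so please confirm that CMD_CONNECT still succeeds on other fullmac drivers when the attribute is present, or gate the append on a capability check and describe the failure behaviour. Minor style point: passing sizeof(sae_pwe) instead of the literal 1 keeps the length tied to the variable's type.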
@@ -4218,7 +4225,6 @@ static void netdev_connect_common(struct netdev *netdev,
netdev_external_auth_sae_tx_associate,
netdev);
sae_sm_force_default_group(netdev->ap);
- sae_sm_force_hunt_and_peck(netdev->ap);
}
if (sae_sm_is_h2e(netdev->ap)) {
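Review bot: Dropping sae_sm_force_hunt_and_peck() here means the if (sae_sm_is_h2e(netdev->ap)) branch that follows can now be reached on the fullmac external-auth path, and neither the hunk nor the commit message says whether the body of that branch has been checked for this connection type. Please confirm that it has, and that an AP without H2E still ends up on Hunt-and-Peck after this removal. A short comment explaining why sae_sm_force_default_group() is still forced while the PWE method no longer is would help future readers.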
base-commit: d003d0e593323b3de427f01284ede81ba61e9dcc
--
2.50.1 (Apple Git-155)
* Re: [PATCH] netdev: use SAE PWE both for fullmac external auth
2026-04-03 17:50 [PATCH] netdev: use SAE PWE both for fullmac external auth Jeremy Blum
@ 2026-04-23 14:22 ` James Prestwood
0 siblings, 0 replies; 2+ messages in thread
From: James Prestwood @ 2026-04-23 14:22 UTC (permalink / raw)
To: Jeremy Blum, iwd; +Cc: denkenz, marcel
Hi Jeremy,
On 4/3/26 10:50 AM, Jeremy Blum wrote:
> For fullmac external SAE, iwd currently forces Hunt-and-Peck and does
> not include NL80211_ATTR_SAE_PWE in the connect request.
>
> This prevents successful association with H2E-capable APs on at least
> some fullmac drivers, since userspace is effectively constraining SAE
> to Hunt-and-Peck while not advertising the intended SAE PWE policy to
> nl80211.
>
> For fullmac SAE connections without PMKSA reuse, request
> NL80211_SAE_PWE_BOTH and stop forcing Hunt-and-Peck on the SAE state
> machine. This keeps the fullmac external-auth path aligned with the
> actual SAE policy instead of hard-wiring HnP.
>
> Tested on a CYW43455/brcmfmac fullmac device using firmware 7.45.286,
> where this change fixes WPA3 association and traffic on H2E-capable APs.
>
> Signed-off-by: Jeremy Blum <jeremy@jeremyblum.com>
> ---
> src/netdev.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index e639a1f8..94520b5c 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -2600,6 +2600,11 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
> uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
> NL80211_AUTHTYPE_SAE :
> NL80211_AUTHTYPE_OPEN_SYSTEM;
> + uint8_t sae_pwe = nhs->type == CONNECTION_TYPE_FULLMAC &&
> + IE_AKM_IS_SAE(hs->akm_suite) &&
> + !hs->have_pmksa ?
> + NL80211_SAE_PWE_BOTH :
> + NL80211_SAE_PWE_UNSPECIFIED;
> enum mpdu_management_subtype subtype = prev_bssid ?
> MPDU_MANAGEMENT_SUBTYPE_REASSOCIATION_REQUEST :
> MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST;
> @@ -2618,6 +2623,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
> l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
> l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
> l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
> + if (sae_pwe != NL80211_SAE_PWE_UNSPECIFIED)
> + l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PWE, 1, &sae_pwe);
>
> switch (nhs->type) {
> case CONNECTION_TYPE_SOFTMAC:
> @@ -4218,7 +4225,6 @@ static void netdev_connect_common(struct netdev *netdev,
> netdev_external_auth_sae_tx_associate,
> netdev);
> sae_sm_force_default_group(netdev->ap);
> - sae_sm_force_hunt_and_peck(netdev->ap);
> }
>
> if (sae_sm_is_h2e(netdev->ap)) {
>
> base-commit: d003d0e593323b3de427f01284ede81ba61e9dcc
This looks good to me, though I haven't tested it myself to confirm.
I'll wait for Denis to comment but I'd be ok merging if it solves your
problem.