
[RFC] netdev: avoid PMKSA for fullmac drivers

Message ID 20250128180438.65113-1-prestwoj@gmail.com (mailing list archive)
State New


Commit Message

James Prestwood Jan. 28, 2025, 6:04 p.m. UTC
The fullmac drivers need additional support to work correctly with
PMKSA. PMKSA can be disabled via main.conf, but to avoid extra user
configuration, automatically avoid using PMKSA for fullmac drivers.
---
 src/netdev.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

Comments

Martin Petzold Jan. 29, 2025, 8:54 a.m. UTC | #1
Dear James,

Am 28.01.25 um 19:04 schrieb James Prestwood:
> The fullmac drivers need additional support to correctly work with
> PMKSA. This can be disabled via main.conf, but to avoid extra user
> configuration avoid the use of PMKSA for fullmac drivers
> automatically.
> ---
>   src/netdev.c | 22 +++++++++++++++++++---
>   1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 2a6d94fc..7af3c39a 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
>   
>   		l_debug("Invoking handshake_event()");
>   
> -		handshake_state_cache_pmksa(&nhs->super);
> +		if (nhs->type != CONNECTION_TYPE_FULLMAC)
> +			handshake_state_cache_pmksa(&nhs->super);
>   
>   		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>   			return;
> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct netdev *netdev)
>   		eapol_register(netdev->sm);
>   }
>   
> +static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
> +{
> +	/*
> +	 * Do not use PMKSA if this is a fullmac driver as they need additional
> +	 * support (SET_PMKSA) in order to function properly. Until this support
> +	 * is added fullmac drivers will not utilize PMKSA.
> +	 */
> +	if (nhs->type == CONNECTION_TYPE_FULLMAC)
> +		return false;
> +
> +	return nhs->super.have_pmksa;
> +}
> +
>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   						struct handshake_state *hs,
>   						const uint8_t *prev_bssid)
> @@ -2473,7 +2487,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
>   	 *       0 (open) for FT Initial Mobility Domain Association over
>   	 *         PMKSA caching
>   	 */
> -	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
> +	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> +					!netdev_handshake_can_use_pmksa(nhs) ?
>   					NL80211_AUTHTYPE_SAE :
>   					NL80211_AUTHTYPE_OPEN_SYSTEM;
>   	enum mpdu_management_subtype subtype = prev_bssid ?
> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev *netdev,
>   	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
>   	 * protocol and authenticate using the cached keys.
>   	 */
> -	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> +	if (IE_AKM_IS_SAE(hs->akm_suite) &&
> +					netdev_handshake_can_use_pmksa(nhs)) {
>   		l_debug("Skipping SAE by using PMKSA cache");
>   		goto build_cmd_connect;
>   	}

I also still had problems with the brcmfmac driver and IWD. It was not 
finally resolved. I will try to check again with this patch.

I would really appreciate, if you could have 2-3 brcmfmac devices 
running in your testing environment.

Thanks,

Martin
James Prestwood Jan. 29, 2025, 2:17 p.m. UTC | #2
Hi Martin,

On 1/29/25 12:54 AM, Martin Petzold wrote:
> Dear James,
>
> Am 28.01.25 um 19:04 schrieb James Prestwood:
>> The fullmac drivers need additional support to correctly work with
>> PMKSA. This can be disabled via main.conf, but to avoid extra user
>> configuration avoid the use of PMKSA for fullmac drivers
>> automatically.
>> ---
>>   src/netdev.c | 22 +++++++++++++++++++---
>>   1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/netdev.c b/src/netdev.c
>> index 2a6d94fc..7af3c39a 100644
>> --- a/src/netdev.c
>> +++ b/src/netdev.c
>> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct 
>> netdev_handshake_state *nhs)
>>             l_debug("Invoking handshake_event()");
>>   -        handshake_state_cache_pmksa(&nhs->super);
>> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
>> +            handshake_state_cache_pmksa(&nhs->super);
>>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
>>               return;
>> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct 
>> netdev *netdev)
>>           eapol_register(netdev->sm);
>>   }
>>   +static bool netdev_handshake_can_use_pmksa(struct 
>> netdev_handshake_state *nhs)
>> +{
>> +    /*
>> +     * Do not use PMKSA if this is a fullmac driver as they need 
>> additional
>> +     * support (SET_PMKSA) in order to function properly. Until this 
>> support
>> +     * is added fullmac drivers will not utilize PMKSA.
>> +     */
>> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
>> +        return false;
>> +
>> +    return nhs->super.have_pmksa;
>> +}
>> +
>>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev 
>> *netdev,
>>                           struct handshake_state *hs,
>>                           const uint8_t *prev_bssid)
>> @@ -2473,7 +2487,8 @@ static struct l_genl_msg 
>> *netdev_build_cmd_connect(struct netdev *netdev,
>>        *       0 (open) for FT Initial Mobility Domain Association over
>>        *         PMKSA caching
>>        */
>> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && 
>> !hs->have_pmksa ?
>> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    !netdev_handshake_can_use_pmksa(nhs) ?
>>                       NL80211_AUTHTYPE_SAE :
>>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
>>       enum mpdu_management_subtype subtype = prev_bssid ?
>> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev 
>> *netdev,
>>        * If SAE, and we have a valid PMKSA cache we can skip the 
>> entire SAE
>>        * protocol and authenticate using the cached keys.
>>        */
>> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
>> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
>> +                    netdev_handshake_can_use_pmksa(nhs)) {
>>           l_debug("Skipping SAE by using PMKSA cache");
>>           goto build_cmd_connect;
>>       }
>
> I also still had problems with the brcmfmac driver and IWD. It was not 
> finally resolved. I will try to check again with this patch.
>
> I would really appreciate, if you could have 2-3 brcmfmac devices 
> running in your testing environment.

Happy to receive any brcmfmac devices you'd like to send my way ;)

Thanks,

James


>
> Thanks,
>
> Martin
> tea
KeithG Jan. 29, 2025, 4:17 p.m. UTC | #3
On Wed, Jan 29, 2025 at 8:17 AM James Prestwood <prestwoj@gmail.com> wrote:
>
> Hi Martin,
>
> On 1/29/25 12:54 AM, Martin Petzold wrote:
> > Dear James,
> >
> > Am 28.01.25 um 19:04 schrieb James Prestwood:
> >> The fullmac drivers need additional support to correctly work with
> >> PMKSA. This can be disabled via main.conf, but to avoid extra user
> >> configuration avoid the use of PMKSA for fullmac drivers
> >> automatically.
> >> ---
> >>   src/netdev.c | 22 +++++++++++++++++++---
> >>   1 file changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/src/netdev.c b/src/netdev.c
> >> index 2a6d94fc..7af3c39a 100644
> >> --- a/src/netdev.c
> >> +++ b/src/netdev.c
> >> @@ -1518,7 +1518,8 @@ static void try_handshake_complete(struct
> >> netdev_handshake_state *nhs)
> >>             l_debug("Invoking handshake_event()");
> >>   -        handshake_state_cache_pmksa(&nhs->super);
> >> +        if (nhs->type != CONNECTION_TYPE_FULLMAC)
> >> +            handshake_state_cache_pmksa(&nhs->super);
> >>             if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
> >>               return;
> >> @@ -2455,6 +2456,19 @@ static void netdev_driver_connected(struct
> >> netdev *netdev)
> >>           eapol_register(netdev->sm);
> >>   }
> >>   +static bool netdev_handshake_can_use_pmksa(struct
> >> netdev_handshake_state *nhs)
> >> +{
> >> +    /*
> >> +     * Do not use PMKSA if this is a fullmac driver as they need
> >> additional
> >> +     * support (SET_PMKSA) in order to function properly. Until this
> >> support
> >> +     * is added fullmac drivers will not utilize PMKSA.
> >> +     */
> >> +    if (nhs->type == CONNECTION_TYPE_FULLMAC)
> >> +        return false;
> >> +
> >> +    return nhs->super.have_pmksa;
> >> +}
> >> +
> >>   static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
> >> *netdev,
> >>                           struct handshake_state *hs,
> >>                           const uint8_t *prev_bssid)
> >> @@ -2473,7 +2487,8 @@ static struct l_genl_msg
> >> *netdev_build_cmd_connect(struct netdev *netdev,
> >>        *       0 (open) for FT Initial Mobility Domain Association over
> >>        *         PMKSA caching
> >>        */
> >> -    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> !hs->have_pmksa ?
> >> +    uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    !netdev_handshake_can_use_pmksa(nhs) ?
> >>                       NL80211_AUTHTYPE_SAE :
> >>                       NL80211_AUTHTYPE_OPEN_SYSTEM;
> >>       enum mpdu_management_subtype subtype = prev_bssid ?
> >> @@ -4053,7 +4068,8 @@ static void netdev_connect_common(struct netdev
> >> *netdev,
> >>        * If SAE, and we have a valid PMKSA cache we can skip the
> >> entire SAE
> >>        * protocol and authenticate using the cached keys.
> >>        */
> >> -    if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
> >> +    if (IE_AKM_IS_SAE(hs->akm_suite) &&
> >> +                    netdev_handshake_can_use_pmksa(nhs)) {
> >>           l_debug("Skipping SAE by using PMKSA cache");
> >>           goto build_cmd_connect;
> >>       }
> >
> > I also still had problems with the brcmfmac driver and IWD. It was not
> > finally resolved. I will try to check again with this patch.
> >
> > I would really appreciate, if you could have 2-3 brcmfmac devices
> > running in your testing environment.
>
> Happy to receive any brcmfmac devices you'd like to send my way ;)
>
> Thanks,
>
> James
>
>
> >
> > Thanks,
> >
> > Martin
> > tea
>
Actually, I'd be happier to not have any brcmfmac devices but here we are.

Patch

diff --git a/src/netdev.c b/src/netdev.c
index 2a6d94fc..7af3c39a 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1518,7 +1518,8 @@  static void try_handshake_complete(struct netdev_handshake_state *nhs)
 
 		l_debug("Invoking handshake_event()");
 
-		handshake_state_cache_pmksa(&nhs->super);
+		if (nhs->type != CONNECTION_TYPE_FULLMAC)
+			handshake_state_cache_pmksa(&nhs->super);
 
 		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
 			return;
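Review bot: The fullmac test at `if (nhs->type != CONNECTION_TYPE_FULLMAC)` is open-coded here with no explanation, while the reason is given only in the comment inside netdev_handshake_can_use_pmksa() in a later hunk. A short comment above the check, such as `/* fullmac needs SET_PMKSA support before a cached PMKSA is usable, so do not cache one */`, would make it clear that this site has to change together with the helper once that support is added. try_handshake_complete() starts and ends outside the hunk.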
@@ -2455,6 +2456,19 @@  static void netdev_driver_connected(struct netdev *netdev)
 		eapol_register(netdev->sm);
 }
 
+static bool netdev_handshake_can_use_pmksa(struct netdev_handshake_state *nhs)
+{
+	/*
+	 * Do not use PMKSA if this is a fullmac driver as they need additional
+	 * support (SET_PMKSA) in order to function properly. Until this support
+	 * is added fullmac drivers will not utilize PMKSA.
+	 */
+	if (nhs->type == CONNECTION_TYPE_FULLMAC)
+		return false;
+
+	return nhs->super.have_pmksa;
+}
+
 static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 						struct handshake_state *hs,
 						const uint8_t *prev_bssid)
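Review bot: netdev_handshake_can_use_pmksa() hides a cached PMKSA only from callers that go through it, because `nhs->super.have_pmksa` itself stays set on a fullmac connection. If any code outside these hunks reads `hs->have_pmksa` directly, it would still act as though PMKSA caching were in effect while the connect path now requests full SAE, and the two could disagree about which key material is in use. It may be safer to refuse the PMKSA at the point where it is attached to the handshake for a fullmac device, or at least to state in the helper's comment that it is the only supported way to query the flag in netdev.c. The parameter is only read, so it could be `const struct netdev_handshake_state *nhs`.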
@@ -2473,7 +2487,8 @@  static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	 *       0 (open) for FT Initial Mobility Domain Association over
 	 *         PMKSA caching
 	 */
-	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
+	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) &&
+					!netdev_handshake_can_use_pmksa(nhs) ?
 					NL80211_AUTHTYPE_SAE :
 					NL80211_AUTHTYPE_OPEN_SYSTEM;
 	enum mpdu_management_subtype subtype = prev_bssid ?
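Review bot: `nhs` appears in the new initializer but is not one of the parameters shown (`netdev`, `hs`, `prev_bssid`), so it presumably comes from a local declared above the hunk, and this declaration has to stay below that one. The three-line `&& ... ? :` expression is also hard to read where the authentication type is chosen. Naming the condition first, `bool use_sae = IE_AKM_IS_SAE(hs->akm_suite) && !netdev_handshake_can_use_pmksa(nhs);`, followed by `uint32_t auth_type = use_sae ? NL80211_AUTHTYPE_SAE : NL80211_AUTHTYPE_OPEN_SYSTEM;`, makes the choice explicit. The block comment above the declaration is only partly visible, but it should mention that fullmac now always takes the SAE branch. The function body continues outside the hunk.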
@@ -4053,7 +4068,8 @@  static void netdev_connect_common(struct netdev *netdev,
 	 * If SAE, and we have a valid PMKSA cache we can skip the entire SAE
 	 * protocol and authenticate using the cached keys.
 	 */
-	if (IE_AKM_IS_SAE(hs->akm_suite) && hs->have_pmksa) {
+	if (IE_AKM_IS_SAE(hs->akm_suite) &&
+					netdev_handshake_can_use_pmksa(nhs)) {
 		l_debug("Skipping SAE by using PMKSA cache");
 		goto build_cmd_connect;
 	}