[PATCH] Avoid PMF negotiation for networks if the driver does not support PMF

Jeffery Miller jefferymiller at google.com
Thu Jun 30 21:39:56 PDT 2022


On Wed, Aug 25, 2021 at 8:49 AM Jouni Malinen <j at w1.fi> wrote:
>
> What's the use case for this change?

For my use case, setting pmf=1 globally and leaving ieee80211w unset on
the explicit network configurations does allow this code to connect to an
optional network without PMF.
I simply expected the explicit ieee80211w=1 would behave the same as the
global pmf=1 setting in my case but instead it fails "to configure
IGTK to the driver".

> I'm not completely sure about the nl80211 cases since the BIP cipher
> suite support indication might have been added later than the initial
> PMF implementation. This may have resulted in there being no strict
> rejection of BIP configuration with drivers that do not have explicit
> indication for it in the supported ciphers list.

Thank you for the insight. I had not thought of a driver supporting
PMF without indicating support for BIP.

> As such, it may be a
> bit difficult to do this type of a change in wpa_supplicant without the
> kernel interface(s) changing first to explicitly indicate whether PMF is
> supported.

This is likely out of the scope of my current needs.
Additionally, that would require adding the explicit interface to
non-nl80211 drivers as well, wouldn't it?

Thank you for clarifying the reasons behind these differences.
Jeff
