Hi Jouni,

thanks for the quick reply!

On Wed, May 13, 2020 at 11:38:17AM +0300, Jouni Malinen wrote:
> On Tue, May 12, 2020 at 10:46:12PM +0100, Daniel Golle wrote:
> > After hours of bisecting which change between hostapd_2_8 and
> > hostapd_2_9 broke SAE in mesh mode with WolfSSL we got a result:
> >
> > > commit 6c9543fcb7962e26c2a91c43089abe171d073b44
> > > Author: Jouni Malinen <jouni@xxxxxxxxxxxxxx>
> > > Date: Thu Apr 25 20:18:27 2019 +0300
> > >
> > > Share common SAE and EAP-pwd functionality: random qr/qnr creation
> > >
> > > Use a shared helper function to create random qr/qnr values.
> > >
> > > Signed-off-by: Jouni Malinen <jouni@xxxxxxxxxxxxxx>
> >
> > While when building against OpenSSL, things keep working also after
> > the above commit, when building against WolfSSL, the node hangs in
> > LISTEN state for a long time and then ends up BLOCKED.
> > I've tried with WolfSSL 3.14.4 and WolfSSL 4.3.0-stable-1 with
> > identical results.
>
> This works fine in my tests with 4.3.0. All the mac80211_hwsim test
> cases for mesh pass with the current wpa_supplicant snapshot built with
> WolfSSL 4.3.0.

Odd, but could be endian or sizeof(int) related differences.
I assume you are testing on x86_64 glibc while I'm testing this on
MIPS24kc (big endian!) with musl libc running on QCA SoCs.

>
> > Going back to commit 2b84ca4dd
> > ("Share common SAE and EAP-pwd functionality: suitable groups") makes
> > things working again also with WolfSSL.
> >
> > On first sight there seems nothing wrong with that commit to me, but
> > apparently it does break things :(
> >
> > Any ideas helping to fix this would be highly appreciated!
>
> Can you please share some more details on how you are testing this and
> ideally, debug logs from two devices for a case that fails with WolfSSL,
> but works with OpenSSL? I'd like to also get a confirmation that you are
> seeing the issue with the current snapshot of the master branch in
> hostap.git since that is the version I would be using for any debugging
> of the issue.

I've tried plain wpa_supplicant as well as with OpenWrt's patches, all
built against WolfSSL 4.3.0-stable.

using git revision 2b84ca4d :
root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
Using interface wlan1-mesh with hwaddr 64:70:02:xx:xx:xx and ssid ""
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx

using git revision 6c9543fc :
root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
Using interface wlan1-mesh with hwaddr 64:70:02:xx:xx:xx and ssid ""
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-BLOCKED addr=04:18:d6:xx:xx:xx duration=300
...(after a minute or two)

using git revision 0f58c88f :
root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
... (takes VERY long for each line)

using git revision 0f58c88f, but built against OpenSSL 1.1.1g:
root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
Mesh RSN: frame verification failed!
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx

configuration is identical for all those tests:
network={
	ssid="LiMe"
	key_mgmt=SAE
	mode=5
	fixed_freq=1
	frequency=5765
	ht40=1
	max_oper_chwidth=0
	sae_password="XXXXXXXX"
	beacon_int=100
	mcast_rate=6
}

The build environment is currently on an otherwise unused system wired
up to the two QCA devices for testing. We could arrange remote access
via SSH or you can tell me to build/test whatever you'd like me to and
I'll report back.

If you'd like to reproduce this locally or even include in your CI, I
guess that building Linux and wpa_supplicant for MIPS Malta (BE) and
running that in qemu-system-mips will show similar results as my
testing on real hardware.

Best regards

Daniel
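
Added example (not part of the original message and not hostap code): a shell helper that classifies a wpa_supplicant mesh log by the events quoted above, usable as the verdict step of a `git bisect run` wrapper. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: classify a wpa_supplicant mesh
# log so a bisect wrapper can turn it into a `git bisect run` exit status.

# Prints good (a peer link came up), bad (SAE failed or the peer was blocked
# and never connected) or skip (no verdict possible from this log).
classify_mesh_log() {
    awk '
        function addr(   i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^addr=/) return substr($i, 6)
            return ""
        }
        / MESH-PEER-CONNECTED /             { ok[$NF] = 1 }
        / MESH-SAE-AUTH-(FAILURE|BLOCKED) / { a = addr(); if (a != "") fail[a]++ }
        END {
            verdict = "skip"
            for (p in ok) verdict = "good"
            for (p in fail) if (!(p in ok)) verdict = "bad"
            print verdict
        }
    ' "$@"
}

# git bisect run: 0 = good, 1 = bad, 125 = cannot test this revision.
bisect_exit_code() {
    case "$1" in
        good) echo 0 ;;
        bad)  echo 1 ;;
        *)    echo 125 ;;
    esac
}

# Constructed samples, modelled on the event lines quoted in the mail.
sample_good() {
    cat <<'EOF'
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx
EOF
}
sample_bad() {
    cat <<'EOF'
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-BLOCKED addr=04:18:d6:xx:xx:xx duration=300
EOF
}

for s in sample_good sample_bad; do
    printf '%s: %s\n' "$s" "$("$s" | classify_mesh_log)"
done
```

A log with neither event (for example a run where the peer never appeared) yields `skip`, so an inconclusive run is not counted as a good revision.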