On June 27, 2024 3:46:35 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
+ Jouni
On 6/20/2024 8:25 PM, KeithG wrote:

1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10
1718907734.308748: wlan0: WPA: using GTK CCMP
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10
1718907734.308767: wlan0: WPA: using PTK CCMP
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0

I suspect the message above indicates the problem as there is no available key_mgmt to select so looked it up in the code and here it is:

    sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE
    if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
         !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
        wpas_is_sae_avoided(wpa_s, ssid, &ie))
        sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
                 WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R
    if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
                              WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
        sel &= ~WPA_KEY_MGMT_FT;
#endif /* CONFIG_IEEE80211R */
    wpa_dbg(wpa_s, MSG_DEBUG,
            "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
            ie.key_mgmt, ssid->key_mgmt, sel);

So 0x400 matches the expectation:

#define WPA_KEY_MGMT_SAE BIT(10)

You already confirmed that the driver reports SAE and SAE offload support. So it seems wpas_is_sae_avoided() must return true. That will check whether the AP and network profile are set up for MFP. This seems to be the fact as your hostapd.conf and wpa_supplicant.conf both have ieee80211w=2 defined. This function can only return true when it is enabled in the configuration file:

# sae_check_mfp: Require PMF support to select SAE key_mgmt
# 0 = Do not check PMF for SAE (default)
# 1 = Limit SAE when PMF is not enabled
#
# When enabled SAE will not be selected if PMF will not be used
# for the connection.
# Scenarios where this check will limit SAE:
# 1) ieee80211w=0 is set for the network
# 2) The AP does not have PMF enabled.
# 3) ieee80211w is unset, pmf=1 is enabled globally, and
#    the device does not support the BIP cipher.
# Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not support
# the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate to an AP
# that is configured with sae_requires_mfp=1 if the device does
# not support PMF due to lack of the BIP cipher.

The default is not to check it and your wpa_supplicant.conf does not specify it.

# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    ieee80211w=2
}

$ cat /etc/hostapd/hostapd.conf
# interface and driver
interface=ap0
driver=nl80211
# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g
wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

Regards,
Arend

1718907734.308779: wlan0: WPA: Failed to select authenticated key management type
1718907734.308787: wlan0: WPA: Failed to set WPA key management and encryption suites

Arend,
I find the wpa_supplicant docs really hard to understand. I have read through your response a few times and am still a bit confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?

Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.

I have tried editing my hostapd.conf and my wpa_supplicant.conf and still cannot get a connection, so I must be doing something wrong. I commented the ieee80211w line on both and it would not connect. I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and it still would not connect. What *should* the configurations be in the hostapd.conf and wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What should it be to be a wpa2/3 setup? My phone worked fine to connect with the original hostapd setup, but I have no idea what it is doing.

As I mentioned in my previous email both config files listed above look okay to me (might be wrong though). The problem seems to be with wpas_is_sae_avoided(). For it to return true the config should have:

sae_check_mfp=1

But you don't have that and default is 0 so it should check for MFP. This is where my trail ends. To learn more I would add additional debug prints. Are you comfortable rebuilding wpa_supplicant from source?

Regards,
Arend

Arend,
Thanks for the reply. I could try to rebuild wpa_supplicant from source. This is on RPi, so debian *.debs which are a pain, but I think I can do it. Do I understand correctly that 'sae_check_mfp=1' is supposed to be in the hostapd.conf and wpa_supplicant.conf? I can try that and see if anything changes.

Ok. We can try first to put following in wpa_supplicant.conf:

sae_check_mfp=0

Let me know if that makes any difference.

Why would I have to re-build wpa_supplicant?

I would provide a patch with additional debug prints so I get better understanding what is going wrong. Would be great if you can apply that and rebuild.

Regards,
Arend

Arend,
I was able to try it this afternoon. My hostapd is still:

# interface and driver
interface=ap0
driver=nl80211
# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g
wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

and I can still connect from my phone to this AP. I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf

ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    ieee80211w=2
    sae_check_mfp=1
}

and when I try to connect, I get:

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 10: unknown network field 'sae_check_mfp'.
Line 11: failed to parse network block.

Right. The setting sae_check_mfp is a global setting like update_config. So it should be moved outside the network block.

Regards,
Arend

Arend,
Thanks for the hand holding, I am out of my depth here! I tried this config and get a similar result.

ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    ieee80211w=2
}

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 3: unknown global field 'sae_check_mfp=1'.
Line 3: Invalid configuration line 'sae_check_mfp=1'.
Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all

seems it doesn't recognize this parameter.

Keith

Replying to my own post. I re-built wpa_supplicant from the current git:

# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors

It now seems to recognize the 'sae_check_mfp' parameter, but still does not connect:

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
^C
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: CTRL-EVENT-TERMINATING
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING

I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot connect with this 'current' version of wpa_supplicant.
Right. So I should have asked about the wpa_supplicant version from the start. Let me work on a patch for debugging this based on the git version (SHA1: c9db4925f).
Regards, Arend
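To make the masking steps in the key_mgmt selection quoted in this thread concrete, here is a small C model added here; it is not hostap code. wpas_is_sae_avoided() is modelled from the three sae_check_mfp scenarios in the quoted documentation, and apart from WPA_KEY_MGMT_SAE = BIT(10) all bit positions, the driver flag stand-ins, struct sta_cfg and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIT(n) (1u << (n))
/* Key-management bits. WPA_KEY_MGMT_SAE = BIT(10) is quoted in the thread; the other
 * positions follow hostap's wpa_common.h and are assumed here for illustration. */
#define KM_PSK     BIT(1)
#define KM_FT_PSK  BIT(6)
#define KM_SAE     BIT(10)
#define KM_FT_SAE  BIT(11)
#define KM_FT_ANY  (KM_FT_PSK | KM_FT_SAE)  /* simplified stand-in for WPA_KEY_MGMT_FT */
/* Assumed stand-ins for the driver capability flags named in the quoted code. */
#define DRV_SAE              BIT(0)  /* WPA_DRIVER_FLAGS_SAE */
#define DRV_SAE_OFFLOAD_STA  BIT(1)  /* WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA */
#define DRV_SME              BIT(2)  /* WPA_DRIVER_FLAGS_SME */
#define DRV_UPDATE_FT_IES    BIT(3)  /* WPA_DRIVER_FLAGS_UPDATE_FT_IES */

struct sta_cfg {
    unsigned drv_flags;    /* capabilities the driver advertises */
    bool sae_check_mfp;    /* global sae_check_mfp=1 */
    int ieee80211w;        /* network ieee80211w: -1 = unset, 0 = off, 2 = required */
    int pmf;               /* global pmf= */
    bool bip_supported;    /* device supports the BIP cipher */
};

/* Model of wpas_is_sae_avoided(): the three scenarios listed in the sae_check_mfp
 * documentation quoted in the thread. With sae_check_mfp=0 it never avoids SAE. */
static bool sae_avoided(const struct sta_cfg *c, bool ap_pmf)
{
    if (!c->sae_check_mfp)
        return false;
    if (c->ieee80211w == 0 || !ap_pmf)      /* 1) PMF off in network, 2) AP has PMF off */
        return true;
    return c->ieee80211w < 0 && c->pmf == 1 && !c->bip_supported; /* 3) no BIP cipher */
}

/* Same masking steps as the wpa_supplicant code quoted in the thread; the value
 * returned is the "available key_mgmt" printed in the debug line. */
unsigned select_key_mgmt(const struct sta_cfg *c, unsigned ap_km, unsigned profile_km,
                         bool ap_pmf)
{
    unsigned sel = ap_km & profile_km;
    if (!(c->drv_flags & (DRV_SAE | DRV_SAE_OFFLOAD_STA)) || sae_avoided(c, ap_pmf))
        sel &= ~(KM_SAE | KM_FT_SAE);
    if (!(c->drv_flags & (DRV_SME | DRV_UPDATE_FT_IES)))
        sel &= ~KM_FT_ANY;
    printf("WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x\n",
           ap_km, profile_km, sel);
    return sel;
}
```

With the configuration from the thread (sae_check_mfp unset, ieee80211w=2 on both sides, driver reporting SAE) the model yields available key_mgmt 0x400, so a logged 0x0 means one of the masking inputs differs from what the config files suggest, which is what the extra debug prints are meant to expose.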
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap