On Thu, Jun 27, 2024 at 9:46 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
>
> On June 27, 2024 3:46:35 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
>
> > On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>
> >> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> >> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>
> >>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>>
> >>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> >>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>>>
> >>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>>>>
> >>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>>>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>>>>>
> >>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>>>>>>
> >>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>>>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>>>>>>>
> >>>>>>>>> + Jouni
> >>>>>>>>>
> >>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>>>>> 0x18; available group 0x10
> >>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I suspect the message above indicates the problem as there is no
> >>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>>>>
> >>>>>>>>>     sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>>>>> #ifdef CONFIG_SAE
> >>>>>>>>>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>>>>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>>>>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>>>>                  WPA_KEY_MGMT_FT_SAE |
> >>>>>>>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>>>>> #endif /* CONFIG_SAE */
> >>>>>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>>>>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>>>>                               WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>>>>     wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>>>>             "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>>>>>>             ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>>>>
> >>>>>>>>> So 0x400 matches the expectation:
> >>>>>>>>>
> >>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>>>>
> >>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>>>>> is enabled in configuration file:
> >>>>>>>>>
> >>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>>>>> #
> >>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>>>>> # for the connection.
> >>>>>>>>> # Scenarios where this check will limit SAE:
> >>>>>>>>> # 1) ieee80211w=0 is set for the network
> >>>>>>>>> # 2) The AP does not have PMF enabled.
> >>>>>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>>>>> # the device does not support the BIP cipher.
> >>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>>>>
> >>>>>>>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>>>>>>> specify it.
> >>>>>>>>>
> >>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>>>>> update_config=1
> >>>>>>>>> network={
> >>>>>>>>>     ssid="deskSAE"
> >>>>>>>>>     sae_password="secret123"
> >>>>>>>>>     proto=RSN
> >>>>>>>>>     key_mgmt=SAE
> >>>>>>>>>     pairwise=CCMP
> >>>>>>>>>     ieee80211w=2
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>>>>> # interface and driver
> >>>>>>>>> interface=ap0
> >>>>>>>>> driver=nl80211
> >>>>>>>>>
> >>>>>>>>> # WIFI-Config
> >>>>>>>>> ssid=deskSAE
> >>>>>>>>> channel=1
> >>>>>>>>> hw_mode=g
> >>>>>>>>>
> >>>>>>>>> wpa=2
> >>>>>>>>> wpa_key_mgmt=SAE
> >>>>>>>>> wpa_pairwise=CCMP
> >>>>>>>>> sae_password=secret123
> >>>>>>>>> sae_groups=19
> >>>>>>>>> ieee80211w=2
> >>>>>>>>> sae_pwe=0
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Arend
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>>>>> management type
> >>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>>>>> encryption suites
> >>>>>>>>
> >>>>>>>> Arend,
> >>>>>>>>
> >>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>>>>> through your response a few times and am still a bit confused. Does
> >>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>>>>
> >>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>>>>
> >>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>>>>> it still would not connect.
> >>>>>>>>
> >>>>>>>> What *should* the configurations be in the hostapd.conf and
> >>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>>>>
> >>>>>>> As I mentioned in my previous email both config files listed above look
> >>>>>>> okay to me (might be wrong though). The problem seems to be with
> >>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>>>>
> >>>>>>> sae_check_mfp=1
> >>>>>>>
> >>>>>>> But you don't have that and default is 0 so it should check for MFP. This
> >>>>>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Arend
> >>>>>>
> >>>>>> Arend,
> >>>>>>
> >>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>>>>> I can do it.
> >>>>>>
> >>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>>>>> anything changes.
> >>>>>
> >>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> >>>>>
> >>>>> sae_check_mfp=0
> >>>>>
> >>>>> Let me know if that makes any difference.
> >>>>>
> >>>>>> Why would I have to re-build wpa_supplicant?
> >>>>>
> >>>>> I would provide a patch with additional debug prints so I get better
> >>>>> understanding what is going wrong. Would be great if you can apply that and
> >>>>> rebuild.
> >>>>>
> >>>>> Regards,
> >>>>> Arend
> >>>> Arend,
> >>>>
> >>>> I was able to try it this afternoon.
> >>>> My hostapd is still:
> >>>> # interface and driver
> >>>> interface=ap0
> >>>> driver=nl80211
> >>>>
> >>>> # WIFI-Config
> >>>> ssid=deskSAE
> >>>> channel=1
> >>>> hw_mode=g
> >>>>
> >>>> wpa=2
> >>>> wpa_key_mgmt=SAE
> >>>> wpa_pairwise=CCMP
> >>>> sae_password=secret123
> >>>> sae_groups=19
> >>>> ieee80211w=2
> >>>> sae_pwe=0
> >>>>
> >>>> and I can still connect from my phone to this AP.
> >>>>
> >>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>> update_config=1
> >>>> network={
> >>>>     ssid="deskSAE"
> >>>>     sae_password="secret123"
> >>>>     proto=RSN
> >>>>     key_mgmt=SAE
> >>>>     pairwise=CCMP
> >>>>     ieee80211w=2
> >>>>     sae_check_mfp=1
> >>>> }
> >>>>
> >>>> and when I try to connect, I get:
> >>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> Successfully initialized wpa_supplicant
> >>>> Line 10: unknown network field 'sae_check_mfp'.
> >>>> Line 11: failed to parse network block.
> >>>
> >>> Right. The setting sae_check_mfp is a global setting like update_config. So
> >>> it should be moved outside the network block.
> >>>
> >>> Regards,
> >>> Arend
> >> Arend,
> >>
> >> Thanks for the hand holding, I am out of my depth here!
> >>
> >> I tried this config and get a similar result.
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> sae_check_mfp=1
> >> network={
> >>     ssid="deskSAE"
> >>     sae_password="secret123"
> >>     proto=RSN
> >>     key_mgmt=SAE
> >>     pairwise=CCMP
> >>     ieee80211w=2
> >> }
> >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> Successfully initialized wpa_supplicant
> >> Line 3: unknown global field 'sae_check_mfp=1'.
> >> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> >> Failed to read or parse configuration
> >> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> >> : CTRL-EVENT-DSCP-POLICY clear_all
> >>
> >> seems it doesn't recognize this parameter.
> >>
> >> Keith
> >
> > Replying to my own post.
> > I re-built wpa_supplicant from the current git:
> > # wpa_supplicant -v
> > wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> > Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors
> >
> > It now seems to recognize the 'sae_check_mfp' parameter, but still
> > does not connect:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=1 duration=10 reason=CONN_FAILED
> > wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> > wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> > ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=2 duration=20 reason=CONN_FAILED
> > ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> > p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> > wlan0: CTRL-EVENT-TERMINATING
> >
> > I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> > connect with this 'current' version of wpa_supplicant.
>
> Right. So I should have asked about the wpa_supplicant from the start. Let
> me work on patch for debugging this based on git version (SHA1: c9db4925f).
>
> Regards,
> Arend
>
Arend,

I ran across this note today and investigated it with the wpa_supplicant
I am now using:
https://github.com/raspberrypi/linux/pull/5945

It still will not connect with this firmware
# dmesg | grep brcmfm
[ 1.995113] brcmfmac: F1 signature read @0x18000000=0x15264345
[ 2.002317] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[ 2.002497] usbcore: registered new interface driver brcmfmac
[ 2.223405] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[ 2.224010] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Aug 29 2023 01:47:08 version 7.45.265 (28bca26 CY) FWID 01-b677b91b
[ 109.454302] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save enabled
[ 109.508572] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
[ 113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52

this config:
# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    ieee80211w=2
}

# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
...
nl80211: kernel reports: Match already configured
wlan0: Authentication with d8:3a:dd:60:a3:0c timed out.
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
nl80211: send_event_marker failed: Source based routing not supported
wlan0: CTRL-EVENT-DISCONNECTED bssid=d8:3a:dd:60:a3:0c reason=3 locally_generated=1
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
wlan0: Trying to associate with SSID 'deskSAE'
...
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
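
Added example, not code from this thread or from hostap: a simplified C model of the key_mgmt masking quoted in the thread, showing which inputs turn "AP key_mgmt 0x400 network profile key_mgmt 0x400" into "available key_mgmt 0x0". The struct, the function names, the PSK bit value and the reduction of wpas_is_sae_avoided() to scenarios 1 and 2 of the quoted sae_check_mfp comment are assumptions; the FT and SAE_EXT_KEY bits are left out.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIT(x) (1U << (x))
#define KEY_MGMT_PSK BIT(1)   /* assumed value, not shown in the thread */
#define KEY_MGMT_SAE BIT(10)  /* quoted in the thread: WPA_KEY_MGMT_SAE BIT(10) */

/* Hypothetical, simplified stand-in for the supplicant state. */
struct sta_state {
    bool drv_sae;          /* driver reports WPA_DRIVER_FLAGS_SAE */
    bool drv_sae_offload;  /* driver reports WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA */
    bool sae_check_mfp;    /* global option, default 0 */
    int  ieee80211w;       /* network profile value: 0, 1 or 2 */
    bool ap_pmf;           /* AP has PMF enabled */
};

/* Model of scenarios 1 and 2 from the quoted sae_check_mfp comment. */
static bool sae_avoided(const struct sta_state *s)
{
    return s->sae_check_mfp && (s->ieee80211w == 0 || !s->ap_pmf);
}

/* Same shape as the quoted code: intersect AP and profile, then strip
 * SAE when the driver cannot do it or the PMF check rules it out. */
unsigned select_key_mgmt(unsigned ap, unsigned profile,
                         const struct sta_state *s)
{
    unsigned sel = ap & profile;

    if ((!s->drv_sae && !s->drv_sae_offload) || sae_avoided(s))
        sel &= ~KEY_MGMT_SAE;
    return sel;
}

int main(void)
{
    /* Constructed cases; the first uses the settings posted in the thread. */
    struct sta_state posted     = { true,  true,  false, 2, true };
    struct sta_state no_drv_sae = { false, false, false, 2, true };
    struct sta_state pmf_off    = { true,  true,  true,  0, true };
    unsigned mixed = KEY_MGMT_SAE | KEY_MGMT_PSK;

    printf("posted settings:        0x%x\n",
           select_key_mgmt(KEY_MGMT_SAE, KEY_MGMT_SAE, &posted));
    printf("driver without SAE:     0x%x\n",
           select_key_mgmt(KEY_MGMT_SAE, KEY_MGMT_SAE, &no_drv_sae));
    printf("check on, ieee80211w=0: 0x%x\n",
           select_key_mgmt(KEY_MGMT_SAE, KEY_MGMT_SAE, &pmf_off));
    printf("same, SAE WPA-PSK:      0x%x\n",
           select_key_mgmt(mixed, mixed, &pmf_off));
    return 0;
}
```

In this model a SAE-only profile ends up with nothing left to select once the SAE bit is stripped, while a profile that also allows WPA-PSK keeps bit 1.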