Re: AW: brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/14/2024 8:42 PM, KeithG wrote:
On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:

On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)"
<Sven.Dembianny@xxxxxxxx> wrote:

On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@xxxxxxxxx> wrote:

On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:

On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:

On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:

On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:

On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:

On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:

On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:

+ Jouni

On 6/20/2024 8:25 PM, KeithG wrote:
1718907734.308740: wlan0: WPA: AP group 0x10 network profile
group 0x18; available group 0x10
1718907734.308748: wlan0: WPA: using GTK CCMP
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
profile pairwise 0x10; available pairwise 0x10
1718907734.308767: wlan0: WPA: using PTK CCMP
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
profile key_mgmt 0x400; available key_mgmt 0x0


I suspect the message above indicates the problem as there is
no available key_mgmt to select so looked it up in the code and here it is:

sel = ie.key_mgmt & ssid->key_mgmt; #ifdef CONFIG_SAE if
((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
!(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
wpas_is_sae_avoided(wpa_s, ssid, &ie)) sel &=
~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY); #endif /*
CONFIG_SAE */ #ifdef CONFIG_IEEE80211R if (!(wpa_s->drv_flags
& (WPA_DRIVER_FLAGS_SME |
         WPA_DRIVER_FLAGS_UPDATE_FT_IES))) sel &=
~WPA_KEY_MGMT_FT; #endif /* CONFIG_IEEE80211R */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
available key_mgmt 0x%x", ie.key_mgmt, ssid->key_mgmt, sel);

So 0x400 matches the expectation:

#define WPA_KEY_MGMT_SAE BIT(10)

You already confirmed that the driver reports SAE and SAE
offload support. So it seems wpas_is_sae_avoided() must
return true. That will check whether the AP and network
profile are setup to MFP. This seems to be the fact as your
hostapd.conf and wpa_supplicant.conf both have
ieee80211w=2 defined. This function can only return true when
is enabled in configuration file:

# sae_check_mfp: Require PMF support to select SAE key_mgmt #
0 = Do not check PMF for SAE (default) # 1 = Limit SAE when
PMF is not enabled # # When enabled SAE will not be selected
if PMF will not be used # for the connection.
# Scenarios where this check will limit SAE:
#  1) ieee80211w=0 is set for the network #  2) The AP does
not have PMF enabled.
#  3) ieee80211w is unset, pmf=1 is enabled globally, and
#     the device does not support the BIP cipher.
# Consider the configuration of global parameterss
sae_check_mfp=1,
pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not
support # the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate
to an AP # that is configured with sae_requires_mfp=1 if the
device does # not support PMF due to lack of the BIP cipher.

The default is not to check it and you wpa_supplicant.conf
does not specify it.

# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
ssid="deskSAE"
sae_password="secret123"
proto=RSN
key_mgmt=SAE
pairwise=CCMP
ieee80211w=2
}

$ cat /etc/hostapd/hostapd.conf # interface and driver
interface=ap0
driver=nl80211

# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g

wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

Regards,
Arend


1718907734.308779: wlan0: WPA: Failed to select
authenticated key management type
1718907734.308787: wlan0: WPA: Failed to set WPA key
management and encryption suites

Arend,

I find the wpa_supplicant docs really hard to understand. I
have read through your response a few times and am still a bit
confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?

Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.

I have tried editing my hostapd.conf and my
wpa_supplicant.conf and still cannot get a connection, so I must be doing
something wrong.
I commented the ieee80211w line on both and it would not connect.
I tried changing the wpa_key_mgmt on both ends to be 'SAE
WPA_PSK' and it still would not connect.

What *should* the configurations be in the hostapd.conf and
wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
What should it be to be a wpa2/3 setup? My phone worked fine
to connect with the original hostapd setup, but I have no idea
what it is doing

As I mentioned in my previous email both config files listed
above look okay to me (might be wrong though). The problem
seems to be with wpas_is_sae_avoided(). For it to return true the config
should have:

sae_check_mfp=1

But you don't have that and default is 0 so it should check for
MFP. This is where my trail ends. To learn more I would add additional
debug prints.
Are you comfortable rebuilding wpa_supplicant from source?

Regards,
Arend

Arend,

Thanks for the reply. I could try to rebuild wpa_supplicant from
source. This is on RPi, so debian *.debs which are a pain, but I
think I can do it.

Do I understand correctly that 'sae_check_mfp=1' is supposed to
be in the hostapd.conf and wpa_supplicant.conf? I can try that
and see if anything changes.

Ok. We can try first to put following in wpa_supplicant.conf:

sae_check_mfp=0

Let me know if that makes any difference.

Why would I have to re-build wpa_supplicant?

I would provide a patch with additional debug prints so I get
better understanding what is going wrong. Would be great if you
can apply that and rebuild.

Regards,
Arend
Arend,

I was able to try it this afternoon.
My hostapd is still:
# interface and driver
interface=ap0
driver=nl80211

# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g

wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

and I can still connect from my phone to this AP.

I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
ssid="deskSAE"
sae_password="secret123"
proto=RSN
key_mgmt=SAE
pairwise=CCMP
ieee80211w=2
sae_check_mfp=1
}

and when I try to connect, I get:
# wpa_supplicant -i wlan0 -c
/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant Line 10: unknown network
field 'sae_check_mfp'.
Line 11: failed to parse network block.

Right. The setting sae_check_mfp is a global setting like
update_config. So it should be moved outside the network block.

Regards,
Arend
Arend,

Thanks for the hand holding, I am out of my depth here!

I tried this config and get a similar result.
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
network={
ssid="deskSAE"
sae_password="secret123"
proto=RSN
key_mgmt=SAE
pairwise=CCMP
ieee80211w=2
}
# wpa_supplicant -i wlan0 -c
/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant Line 3: unknown global field
'sae_check_mfp=1'.
Line 3: Invalid configuration line 'sae_check_mfp=1'.
Failed to read or parse configuration
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all

seems it doesn't recognize this parameter.

Keith

Replying to my own post.
I re-built wpa_supplicant from the current git:
# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors

It now seems to recognize the 'sae_check_mfp' parameter, but still does not
connect:
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
auth_failures=1 duration=10 reason=CONN_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring
for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
auth_failures=2 duration=20 reason=CONN_FAILED
^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: CTRL-EVENT-TERMINATING
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING

I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
connect with this 'current' version of
wpa_supplicant.

Keith
Hi Keith,

maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
At least in our setup it works.

I think Keith already reported success in earlier email.

@Keith: If I am mistaken let me know.

Regards,
Arend

Arend,

Yes, I figured it out. As per the link shared: I had to put the latest
firmware on and use the latest wpa_supplicant, but with these 2
changes, it did connect.

Good to know.

Regards,
Arend

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap

[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux