Re: wpa_supplicant 2.11 breaks WPA2-PSK / WPA3-SAE authentication on Linux' brcmfmac

On August 10, 2024 2:02:43 PM "Janne Grunau" <j@xxxxxxxxxx> wrote:

Hej,

On Sat, Aug 10, 2024, at 12:43, Arend Van Spriel wrote:
On August 10, 2024 11:17:56 AM "Janne Grunau" <j@xxxxxxxxxx> wrote:
On Sat, Aug 10, 2024, at 10:30, Jouni Malinen wrote:
On Sun, Aug 04, 2024 at 02:23:56PM +0200, Janne Grunau wrote:

A revert looks to me like a possible/proper fix. I can send that
later if no alternative materializes.

I'm inclined to revert this if it is indeed the case that
NL80211_CMD_PORT_AUTHORIZED is not delivered reliably by the
upstream driver and this commit was tested only with some non-
upstream versions.

I intend to extend the upstream kernel driver to post
NL80211_CMD_PORT_AUTHORIZED after successful connection with
authentication offload. I expect that the change will be accepted for
the stable kernel. Infineon/Cypress have non-upstream patches for the
brcmfmac driver which implement it already.

Do you have a reference to see what they have done?

I was misremembering their implementation. They removed
NL80211_CMD_PORT_AUTHORIZED and instead added "authorized" fields to
struct cfg80211_connect_resp_params and struct cfg80211_roam_info. Those
fields are then used to set NL80211_ATTR_PORT_AUTHORIZED. This is
annotated as reserved and as far as I can see unused in upstream Linux
and hostap. That means the patched Infineon/Cypress driver is broken as
well. Probably not relevant since they patch hostap as well.

Looking at the RTM/v6.1.19-hedorah branch of
https://github.com/Infineon/ifx-wireless-drivers (214 mostly brcmfmac
commits on top of Linux v6.1.19).
1. "nl80211: add authorized flag to CONNECT event"
  https://github.com/Infineon/ifx-wireless-drivers/commit/f7fb21f980b743e319cee406719e18ca0fd6784e
2. "brcmfmac: set authorized flag in CONNECT event for PMK caching"
  https://github.com/Infineon/ifx-wireless-drivers/commit/a665defa7e67b1d5f5735a55643014374e5f53d0

For roaming they do the same and revert the NL80211_CMD_PORT_AUTHORIZED
1. "nl80211: add authorized flag back to ROAM event"
  https://github.com/Infineon/ifx-wireless-drivers/commit/d2262fb0a08124153c9549d2cd0e6f9c04d946e9
2. "brcmfmac: set authorized flag in ROAM event for offload FT roaming"
  https://github.com/Infineon/ifx-wireless-drivers/commit/3099d355af9914753927f913b14f62318a33ab55

A revert in wpa_supplicant might be still appropriate until extended
kernel drivers are deployed. The wpa_supplicant Fedora package
carries the revert as patch:
https://src.fedoraproject.org/rpms/wpa_supplicant/c/c2eac195adadd2c48b04f8752cc46b12a351e69

Agree that revert makes most sense here. So what upstream drivers use
WPA offload. Only brcmsmac and QCA drivers?

It might be only brcmfmac, at least that's the only driver match for
NL80211_EXT_FEATURE_SAE_OFFLOAD / NL80211_EXT_FEATURE_SAE_OFFLOAD_AP

But the issue was not just with SAE, or was it? I thought I saw someone mentioning WPA2-PSK was not working with wpa_sup 2.11 and assumed for the same reason. So for the NL80211_EXT_FEATURE_4WAY_HANDSHAKE_* flavors.

Regards,
Arend


