Re: brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

[Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>]

On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:

> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> > + Jouni
> >
> > On 6/20/2024 8:25 PM, KeithG wrote:
> > > 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > > 0x18; available group 0x10
> > > 1718907734.308748: wlan0: WPA: using GTK CCMP
> > > 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > > pairwise 0x10; available pairwise 0x10
> > > 1718907734.308767: wlan0: WPA: using PTK CCMP
> > > 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > > key_mgmt 0x400; available key_mgmt 0x0
> >
> >
> > I suspect the message above indicates the problem as there is no
> > available key_mgmt to select so looked it up in the code and here it is:
> >
> > sel = ie.key_mgmt & ssid->key_mgmt;
> > #ifdef CONFIG_SAE
> > if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >          WPA_KEY_MGMT_FT_SAE |
> > WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > #endif /* CONFIG_SAE */
> > #ifdef CONFIG_IEEE80211R
> > if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > sel &= ~WPA_KEY_MGMT_FT;
> > #endif /* CONFIG_IEEE80211R */
> > wpa_dbg(wpa_s, MSG_DEBUG,
> > "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> > available key_mgmt 0x%x",
> > ie.key_mgmt, ssid->key_mgmt, sel);
> >
> > So 0x400 matches the expectation:
> >
> > #define WPA_KEY_MGMT_SAE BIT(10)
> >
> > You already confirmed that the driver reports SAE and SAE offload
> > support. So it seems wpas_is_sae_avoided() must return true. That will
> > check whether the AP and network profile are setup to MFP. This seems to
> > be the fact as your hostapd.conf and wpa_supplicant.conf both have
> > ieee80211w=2 defined. This function can only return true when
> > is enabled in configuration file:
> >
> > # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > # 0 = Do not check PMF for SAE (default)
> > # 1 = Limit SAE when PMF is not enabled
> > #
> > # When enabled SAE will not be selected if PMF will not be used
> > # for the connection.
> > # Scenarios where this check will limit SAE:
> > #  1) ieee80211w=0 is set for the network
> > #  2) The AP does not have PMF enabled.
> > #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> > #     the device does not support the BIP cipher.
> > # Consider the configuration of global parameterss sae_check_mfp=1,
> > pmf=1 and a
> > # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > # In the example WPA-PSK will be used if the device does not support
> > # the BIP cipher or the AP has PMF disabled.
> > # Limiting SAE with this check can avoid failing to associate to an AP
> > # that is configured with sae_requires_mfp=1 if the device does
> > # not support PMF due to lack of the BIP cipher.
> >
> > The default is not to check it and you wpa_supplicant.conf does not
> > specify it.
> >
> > # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > network={
> > ssid="deskSAE"
> > sae_password="secret123"
> > proto=RSN
> > key_mgmt=SAE
> > pairwise=CCMP
> > ieee80211w=2
> > }
> >
> > $ cat /etc/hostapd/hostapd.conf
> > # interface and driver
> > interface=ap0
> > driver=nl80211
> >
> > # WIFI-Config
> > ssid=deskSAE
> > channel=1
> > hw_mode=g
> >
> > wpa=2
> > wpa_key_mgmt=SAE
> > wpa_pairwise=CCMP
> > sae_password=secret123
> > sae_groups=19
> > ieee80211w=2
> > sae_pwe=0
> >
> > Regards,
> > Arend
> >
> >
> > > 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > > management type
> > > 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > > encryption suites
>
> Arend,
>
> I find the wpa_supplicant docs really hard to understand. I have read
> through your response a few times and am still a bit confused. Does
> this have to do with a pure wpa3 versus a wpa2/3 AP?

Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.

> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> still cannot get a connection, so I must be doing something wrong.
> I commented the ieee80211w line on both and it would not connect.
> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> it still would not connect.
>
> What *should* the configurations be in the hostapd.conf and
> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> should it be to be a wpa2/3 setup? My phone worked fine to connect
> with the original hostapd setup, but I have no idea what it is doing

As I mentioned in my previous email both config files listed above look 
okay to me (might be wrong though). The problem seems to be with 
wpas_is_sae_avoided(). For it to return true the config should have:

sae_check_mfp=1

But you don't have that and default is 0 so it should check for MFP. This 
is where my trail ends. To learn more I would add additional debug prints. 
Are you comfortable rebuilding wpa_supplicant from source?

Regards,
Arend

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature