wpa_supplicant 2.11 breaks WPA2-PSK / WPA3-SAE authentication on Linux' brcmfmac

Arend Van Spriel arend.vanspriel at broadcom.com
Sat Aug 10 06:13:46 PDT 2024


On August 10, 2024 2:02:43 PM "Janne Grunau" <j at jannau.net> wrote:

> Hej,
>
> On Sat, Aug 10, 2024, at 12:43, Arend Van Spriel wrote:
>> On August 10, 2024 11:17:56 AM "Janne Grunau" <j at jannau.net> wrote:
>>> On Sat, Aug 10, 2024, at 10:30, Jouni Malinen wrote:
>>>> On Sun, Aug 04, 2024 at 02:23:56PM +0200, Janne Grunau wrote:
>>>
>>>>> A revert looks to me like a possible/proper fix. I can send that
>>>>> later if no alternative materializes.
>>>>
>>>> I'm inclined to revert this if it is indeed the case that
>>>> NL80211_CMD_PORT_AUTHORIZED is not delivered reliably by the
>>>> upstream driver and this commit was tested only with some non-
>>>> upstream versions.
>>>
>>> I intend to extend the upstream kernel driver to post
>>> NL80211_CMD_PORT_AUTHORIZED after successful connection with
>>> authentication offload. I expect that the change will be accepted for
>>> the stable kernel. Infineon/Cypress have non-upstream patches for the
>>> brcmfmac driver which implement it already.
>>
>> Do you have a reference to see what they have done?
>
> I was misremembering their implementation. They removed
> NL80211_CMD_PORT_AUTHORIZED and instead added "authorized" fields to
> struct cfg80211_connect_resp_params and struct cfg80211_roam_info. Those
> fields are then used to set NL80211_ATTR_PORT_AUTHORIZED. This is
> annotated as reserved and as far as I can see unused in upstream Linux
> and hostap. That means the patched Infineon/Cypress driver is broken as
> well. Probably not relevant since they patch hostap as well.
>
> Looking at the RTM/v6.1.19-hedorah branch of
> https://github.com/Infineon/ifx-wireless-drivers (214 mostly brcmfmac
> commits on top of Linux v6.1.19).
> 1. "nl80211: add authorized flag to CONNECT event"
>   https://github.com/Infineon/ifx-wireless-drivers/commit/f7fb21f980b743e319cee406719e18ca0fd6784e
> 2. "brcmfmac: set authorized flag in CONNECT event for PMK caching"
>   https://github.com/Infineon/ifx-wireless-drivers/commit/a665defa7e67b1d5f5735a55643014374e5f53d0
>
> For roaming they do the same and revert the NL80211_CMD_PORT_AUTHORIZED
> 1. "nl80211: add authorized flag back to ROAM event"
>   https://github.com/Infineon/ifx-wireless-drivers/commit/d2262fb0a08124153c9549d2cd0e6f9c04d946e9
> 2. "brcmfmac: set authorized flag in ROAM event for offload FT roaming"
>   https://github.com/Infineon/ifx-wireless-drivers/commit/3099d355af9914753927f913b14f62318a33ab55
>
>>> A revert in wpa_supplicant might be still appropriate until extended
>>> kernel drivers are deployed. The wpa_supplicant Fedora package
>>> carries the revert as patch:
>>> https://src.fedoraproject.org/rpms/wpa_supplicant/c/c2eac195adadd2c48b04f8752cc46b12a351e69
>>
>> Agree that revert makes most sense here. So what upstream drivers use
>> WPA offload? Only brcmsmac and QCA drivers?
>
> It might be only brcmfmac, at least that's the only driver match for
> NL80211_EXT_FEATURE_SAE_OFFLOAD / NL80211_EXT_FEATURE_SAE_OFFLOAD_AP

But the issue was not just with SAE, or was it? I thought I saw someone
mentioning WPA2-PSK was not working with wpa_sup 2.11 and assumed for the
same reason. So for the NL80211_EXT_FEATURE_4WAY_HANDSHAKE_* flavors.

Regards,
Arend
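
Added example, not part of the email above or of hostap/brcmfmac code: a small parser that reports, per wiphy, which of the offload extended features named in this thread (SAE_OFFLOAD*, 4WAY_HANDSHAKE_*) appear in `iw phy` output. The sample text is constructed, and the function and variable names are this example's own.

```python
import re
import sys

# Names `iw phy` prints for the NL80211_EXT_FEATURE_* offload flags
# named in the thread (SAE_OFFLOAD*, 4WAY_HANDSHAKE_*).
OFFLOAD = {"SAE_OFFLOAD", "SAE_OFFLOAD_AP", "4WAY_HANDSHAKE_STA_PSK",
           "4WAY_HANDSHAKE_STA_1X", "4WAY_HANDSHAKE_AP_PSK"}
PHY_RE = re.compile(r"^Wiphy\s+(\S+)")
FEAT_RE = re.compile(r"^\s*\*\s*\[\s*(\w+)\s*\]")

# Constructed sample in the layout of `iw phy` output (not a real capture).
SAMPLE = """\
Wiphy phy0
\tSupported extended features:
\t\t* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
\t\t* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
\t\t* [ SAE_OFFLOAD ]: SAE offload support
Wiphy phy1
\tSupported extended features:
\t\t* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
"""

def offload_features(iw_phy_text):
    """Map each wiphy name to the sorted offload features it advertises."""
    result, current, in_ext = {}, None, False
    for line in iw_phy_text.splitlines():
        phy = PHY_RE.match(line)
        if phy:                      # a new device section starts
            current, in_ext = phy.group(1), False
            result[current] = []
        elif current is None:
            continue                 # ignore anything before the first Wiphy
        elif line.strip().startswith("Supported extended features"):
            in_ext = True
        elif in_ext:
            feat = FEAT_RE.match(line)
            if feat and feat.group(1) in OFFLOAD:
                result[current].append(feat.group(1))
            elif not feat and line.strip():
                in_ext = False       # next section of the same wiphy
    return {phy: sorted(feats) for phy, feats in result.items()}

if __name__ == "__main__":
    # Use piped `iw phy` output if present, else the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for phy, feats in offload_features(text).items():
        print(phy, "offload:", ", ".join(feats) or "none advertised")
```

A wiphy with an empty list performs the handshake in wpa_supplicant itself; one that lists offload features depends on how the driver reports completion, which is the behaviour under discussion here.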





More information about the Hostap mailing list