brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
KeithG
ys3al35l at gmail.com
Mon Jul 1 13:08:12 PDT 2024
On Thu, Jun 27, 2024 at 9:46 AM Arend Van Spriel
<arend.vanspriel at broadcom.com> wrote:
>
> On June 27, 2024 3:46:35 PM KeithG <ys3al35l at gmail.com> wrote:
>
> > On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l at gmail.com> wrote:
> >>
> >> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> >> <arend.vanspriel at broadcom.com> wrote:
> >>>
> >>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:
> >>>
> >>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> >>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>
> >>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
> >>>>>
> >>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>>
> >>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
> >>>>>>>
> >>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>>>>
> >>>>>>>>> + Jouni
> >>>>>>>>>
> >>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>>>>> 0x18; available group 0x10
> >>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I suspect the message above indicates the problem as there is no
> >>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>>>>
> >>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>>>>> #ifdef CONFIG_SAE
> >>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>>>> WPA_KEY_MGMT_FT_SAE |
> >>>>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>>>>> #endif /* CONFIG_SAE */
> >>>>>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>>>> WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>>>> sel &= ~WPA_KEY_MGMT_FT;
> >>>>>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> >>>>>>>>> available key_mgmt 0x%x",
> >>>>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>>>>
> >>>>>>>>> So 0x400 matches the expectation:
> >>>>>>>>>
> >>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>>>>
> >>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>>>>> is enabled in configuration file:
> >>>>>>>>>
> >>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>>>>> #
> >>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>>>>> # for the connection.
> >>>>>>>>> # Scenarios where this check will limit SAE:
> >>>>>>>>> # 1) ieee80211w=0 is set for the network
> >>>>>>>>> # 2) The AP does not have PMF enabled.
> >>>>>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>>>>> # the device does not support the BIP cipher.
> >>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1,
> >>>>>>>>> pmf=1 and a
> >>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>>>>
> >>>>>>>>> The default is not to check it and you wpa_supplicant.conf does not
> >>>>>>>>> specify it.
> >>>>>>>>>
> >>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>>>>> update_config=1
> >>>>>>>>> network={
> >>>>>>>>> ssid="deskSAE"
> >>>>>>>>> sae_password="secret123"
> >>>>>>>>> proto=RSN
> >>>>>>>>> key_mgmt=SAE
> >>>>>>>>> pairwise=CCMP
> >>>>>>>>> ieee80211w=2
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>>>>> # interface and driver
> >>>>>>>>> interface=ap0
> >>>>>>>>> driver=nl80211
> >>>>>>>>>
> >>>>>>>>> # WIFI-Config
> >>>>>>>>> ssid=deskSAE
> >>>>>>>>> channel=1
> >>>>>>>>> hw_mode=g
> >>>>>>>>>
> >>>>>>>>> wpa=2
> >>>>>>>>> wpa_key_mgmt=SAE
> >>>>>>>>> wpa_pairwise=CCMP
> >>>>>>>>> sae_password=secret123
> >>>>>>>>> sae_groups=19
> >>>>>>>>> ieee80211w=2
> >>>>>>>>> sae_pwe=0
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Arend
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>>>>> management type
> >>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>>>>> encryption suites
> >>>>>>>>
> >>>>>>>> Arend,
> >>>>>>>>
> >>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>>>>> through your response a few times and am still a bit confused. Does
> >>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>>>>
> >>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>>>>
> >>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>>>>> it still would not connect.
> >>>>>>>>
> >>>>>>>> What *should* the configurations be in the hostapd.conf and
> >>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>>>>
> >>>>>>> As I mentioned in my previous email both config files listed above look
> >>>>>>> okay to me (might be wrong though). The problem seems to be with
> >>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>>>>
> >>>>>>> sae_check_mfp=1
> >>>>>>>
> >>>>>>> But you don't have that and default is 0 so it should check for MFP. This
> >>>>>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Arend
> >>>>>>
> >>>>>> Arend,
> >>>>>>
> >>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>>>>> I can do it.
> >>>>>>
> >>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>>>>> anything changes.
> >>>>>
> >>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> >>>>>
> >>>>> sae_check_mfp=0
> >>>>>
> >>>>> Let me know if that makes any difference.
> >>>>>
> >>>>>> Why would I have to re-build wpa_supplicant?
> >>>>>
> >>>>> I would provide a patch with additional debug prints so I get better
> >>>>> understanding what is going wrong. Would be great if you can apply that and
> >>>>> rebuild.
> >>>>>
> >>>>> Regards,
> >>>>> Arend
> >>>> Arend,
> >>>>
> >>>> I was able to try it this afternoon.
> >>>> My hostapd is still:
> >>>> # interface and driver
> >>>> interface=ap0
> >>>> driver=nl80211
> >>>>
> >>>> # WIFI-Config
> >>>> ssid=deskSAE
> >>>> channel=1
> >>>> hw_mode=g
> >>>>
> >>>> wpa=2
> >>>> wpa_key_mgmt=SAE
> >>>> wpa_pairwise=CCMP
> >>>> sae_password=secret123
> >>>> sae_groups=19
> >>>> ieee80211w=2
> >>>> sae_pwe=0
> >>>>
> >>>> and I can still connect from my phone to this AP.
> >>>>
> >>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>> update_config=1
> >>>> network={
> >>>> ssid="deskSAE"
> >>>> sae_password="secret123"
> >>>> proto=RSN
> >>>> key_mgmt=SAE
> >>>> pairwise=CCMP
> >>>> ieee80211w=2
> >>>> sae_check_mfp=1
> >>>> }
> >>>>
> >>>> and when I try to connect, I get:
> >>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> Successfully initialized wpa_supplicant
> >>>> Line 10: unknown network field 'sae_check_mfp'.
> >>>> Line 11: failed to parse network block.
> >>>
> >>> Right. The setting sae_check_mfp is a global setting like update_config. So
> >>> it should be moved outside the network block.
> >>>
> >>> Regards,
> >>> Arend
> >> Arend,
> >>
> >> Thanks for the hand holding, I am out of my depth here!
> >>
> >> I tried this config and get a similar result.
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> sae_check_mfp=1
> >> network={
> >> ssid="deskSAE"
> >> sae_password="secret123"
> >> proto=RSN
> >> key_mgmt=SAE
> >> pairwise=CCMP
> >> ieee80211w=2
> >> }
> >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> Successfully initialized wpa_supplicant
> >> Line 3: unknown global field 'sae_check_mfp=1'.
> >> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> >> Failed to read or parse configuration
> >> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> >> : CTRL-EVENT-DSCP-POLICY clear_all
> >>
> >> seems it doesn't recognize this parameter.
> >>
> >> Keith
> >
> > Replying to my own post.
> > I re-built wpa_supplicant from the current git:
> > # wpa_supplicant -v
> > wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> > Copyright (c) 2003-2022, Jouni Malinen <j at w1.fi> and contributors
> >
> > It now seems to recognize the 'sae_check_mfp' parameter, but still
> > does not connect:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=1 duration=10 reason=CONN_FAILED
> > wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> > wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> > ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=2 duration=20 reason=CONN_FAILED
> > ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> > p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> > wlan0: CTRL-EVENT-TERMINATING
> >
> > I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> > connect with this 'current' version of wpa_supplicant.
>
> Right. So I should have asked about the wpa_supplicant from the start. Let
> me work on patch for debugging this based on git version (SHA1: c9db4925f).
>
> Regards,
> Arend
>
Arend,
I ran across this note today and investigated it with the
wpa_supplicant I am now using:
https://github.com/raspberrypi/linux/pull/5945
It still will not connect with this firmware
# dmesg | grep brcmfm
[ 1.995113] brcmfmac: F1 signature read @0x18000000=0x15264345
[ 2.002317] brcmfmac: brcmf_fw_alloc_request: using
brcm/brcmfmac43455-sdio for chip BCM4345/6
[ 2.002497] usbcore: registered new interface driver brcmfmac
[ 2.223405] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob
available (err=-2)
[ 2.224010] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6
wl0: Aug 29 2023 01:47:08 version 7.45.265 (28bca26 CY) FWID
01-b677b91b
[ 109.454302] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save enabled
[ 109.508572] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
[ 113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52
this config:
# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
ssid="deskSAE"
sae_password="secret123"
proto=RSN
key_mgmt=SAE
ieee80211w=2
}
# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j at w1.fi> and contributors
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
...
nl80211: kernel reports: Match already configured
wlan0: Authentication with d8:3a:dd:60:a3:0c timed out.
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
nl80211: send_event_marker failed: Source based routing not supported
wlan0: CTRL-EVENT-DISCONNECTED bssid=d8:3a:dd:60:a3:0c reason=3
locally_generated=1
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
wlan0: Trying to associate with SSID 'deskSAE'
...
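As an added illustration (not code from this thread or from hostap itself), the snippet below models the key_mgmt selection Arend quoted earlier and the three sae_check_mfp scenarios from the documented comment, so the "available key_mgmt 0x0" line can be reproduced on the thread's own values. The struct fields and helper names are assumptions; the driver flags are modelled as booleans and only the plain WPA_KEY_MGMT_SAE bit is masked, not the FT/EXT_KEY variants.

```c
#include <stdbool.h>
#include <stdint.h>

#define BIT(x) (1u << (x))
#define WPA_KEY_MGMT_PSK BIT(1)  /* from hostap defs.h */
#define WPA_KEY_MGMT_SAE BIT(10) /* the 0x400 in the log */

/* Inputs the quoted selection code and the sae_check_mfp documentation depend on. */
struct sae_ctx {
    bool drv_sae, drv_sae_offload; /* WPA_DRIVER_FLAGS_SAE / FLAGS2_SAE_OFFLOAD_STA */
    int sae_check_mfp, ieee80211w, pmf; /* global, network (-1 = unset), global */
    bool ap_pmf, dev_bip;          /* AP advertises MFPC; device has the BIP cipher */
};

/* The three documented scenarios in which sae_check_mfp=1 limits SAE (assumed model). */
static bool sae_avoided(const struct sae_ctx *c)
{
    if (!c->sae_check_mfp)
        return false;              /* default 0: SAE is never avoided */
    if (c->ieee80211w == 0 || !c->ap_pmf)
        return true;               /* 1) network disables PMF, 2) AP has no PMF */
    return c->ieee80211w < 0 && c->pmf == 1 && !c->dev_bip; /* 3) no BIP cipher */
}

/* sel = ie.key_mgmt & ssid->key_mgmt, then SAE is masked out when the driver
 * reports neither SAE flag or SAE is avoided (only the plain SAE bit is modelled). */
static uint32_t select_key_mgmt(uint32_t ap, uint32_t profile, const struct sae_ctx *c)
{
    uint32_t sel = ap & profile;
    if ((!c->drv_sae && !c->drv_sae_offload) || sae_avoided(c))
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;
}

/* The thread's setup: both sides key_mgmt=SAE, ieee80211w=2, sae_check_mfp unset. */
static uint32_t thread_setup(bool driver_has_sae)
{
    struct sae_ctx c = { driver_has_sae, driver_has_sae, 0, 2, 0, true, true };
    return select_key_mgmt(WPA_KEY_MGMT_SAE, WPA_KEY_MGMT_SAE, &c);
}

/* The documented example: key_mgmt=SAE WPA-PSK, ieee80211w unset, pmf=1 and
 * sae_check_mfp=1 against an AP with PMF disabled: only WPA-PSK remains. */
static uint32_t mixed_profile_ap_without_pmf(void)
{
    struct sae_ctx c = { true, true, 1, -1, 1, false, true };
    uint32_t both = WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK;
    return select_key_mgmt(both, both, &c);
}
```

With the thread's configuration and a driver that reports SAE, thread_setup(true) yields 0x400, so the logged 0x0 can only come from the driver flags or from the avoid check.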