AW: brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

KeithG ys3al35l at gmail.com
Sun Jul 14 11:42:00 PDT 2024


On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel
<arend.vanspriel at broadcom.com> wrote:
>
> On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)"
> <Sven.Dembianny at bshg.com> wrote:
>
> >> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l at gmail.com> wrote:
> >>>
> >>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> >>> <arend.vanspriel at broadcom.com> wrote:
> >>>>
> >>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:
> >>>>
> >>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> >>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>
> >>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
> >>>>>>
> >>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>>>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>>>
> >>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>>>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> + Jouni
> >>>>>>>>>>
> >>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
> >>>>>>>>>>> group 0x18; available group 0x10
> >>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
> >>>>>>>>>>> profile pairwise 0x10; available pairwise 0x10
> >>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
> >>>>>>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> I suspect the message above indicates the problem as there is
> >>>>>>>>>> no available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>>>>>
> >>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>>>>>> #ifdef CONFIG_SAE
> >>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>>>>>                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>>>>>> #endif /* CONFIG_SAE */
> >>>>>>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; "
> >>>>>>>>>>         "available key_mgmt 0x%x", ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>>>>>
> >>>>>>>>>> So 0x400 matches the expectation:
> >>>>>>>>>>
> >>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>>>>>
> >>>>>>>>>> You already confirmed that the driver reports SAE and SAE
> >>>>>>>>>> offload support. So it seems wpas_is_sae_avoided() must
> >>>>>>>>>> return true. That will check whether the AP and network
> >>>>>>>>>> profile are set up for MFP. This seems to be the case as your
> >>>>>>>>>> hostapd.conf and wpa_supplicant.conf both have
> >>>>>>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>>>>>> this is enabled in the configuration file:
> >>>>>>>>>>
> >>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>>>>>> #
> >>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>>>>>> # for the connection.
> >>>>>>>>>> # Scenarios where this check will limit SAE:
> >>>>>>>>>> #  1) ieee80211w=0 is set for the network
> >>>>>>>>>> #  2) The AP does not have PMF enabled.
> >>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>>>>>> #     the device does not support the BIP cipher.
> >>>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>>>>>
> >>>>>>>>>> The default is not to check it and your wpa_supplicant.conf
> >>>>>>>>>> does not specify it.
> >>>>>>>>>>
> >>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>>>>>> update_config=1
> >>>>>>>>>> network={
> >>>>>>>>>> ssid="deskSAE"
> >>>>>>>>>> sae_password="secret123"
> >>>>>>>>>> proto=RSN
> >>>>>>>>>> key_mgmt=SAE
> >>>>>>>>>> pairwise=CCMP
> >>>>>>>>>> ieee80211w=2
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>>>>>> # interface and driver
> >>>>>>>>>> interface=ap0
> >>>>>>>>>> driver=nl80211
> >>>>>>>>>>
> >>>>>>>>>> # WIFI-Config
> >>>>>>>>>> ssid=deskSAE
> >>>>>>>>>> channel=1
> >>>>>>>>>> hw_mode=g
> >>>>>>>>>>
> >>>>>>>>>> wpa=2
> >>>>>>>>>> wpa_key_mgmt=SAE
> >>>>>>>>>> wpa_pairwise=CCMP
> >>>>>>>>>> sae_password=secret123
> >>>>>>>>>> sae_groups=19
> >>>>>>>>>> ieee80211w=2
> >>>>>>>>>> sae_pwe=0
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Arend
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
> >>>>>>>>>>> authenticated key management type
> >>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
> >>>>>>>>>>> management and encryption suites
> >>>>>>>>>
> >>>>>>>>> Arend,
> >>>>>>>>>
> >>>>>>>>> I find the wpa_supplicant docs really hard to understand. I
> >>>>>>>>> have read through your response a few times and am still a bit
> >>>>>>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>>>>>
> >>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>>>>>
> >>>>>>>>> I have tried editing my hostapd.conf and my
> >>>>>>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing
> >>>>>>>>> something wrong.
> >>>>>>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
> >>>>>>>>> WPA_PSK' and it still would not connect.
> >>>>>>>>>
> >>>>>>>>> What *should* the configurations be in the hostapd.conf and
> >>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
> >>>>>>>>> What should it be to be a wpa2/3 setup? My phone worked fine
> >>>>>>>>> to connect with the original hostapd setup, but I have no idea
> >>>>>>>>> what it is doing
> >>>>>>>>
> >>>>>>>> As I mentioned in my previous email both config files listed
> >>>>>>>> above look okay to me (might be wrong though). The problem
> >>>>>>>> seems to be with wpas_is_sae_avoided(). For it to return true the config
> >>>>>>>> should have:
> >>>>>>>>
> >>>>>>>> sae_check_mfp=1
> >>>>>>>>
> >>>>>>>> But you don't have that and default is 0 so it should check for
> >>>>>>>> MFP. This is where my trail ends. To learn more I would add additional
> >>>>>>>> debug prints.
> >>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Arend
> >>>>>>>
> >>>>>>> Arend,
> >>>>>>>
> >>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I
> >>>>>>> think I can do it.
> >>>>>>>
> >>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
> >>>>>>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
> >>>>>>> and see if anything changes.
> >>>>>>
> >>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> >>>>>>
> >>>>>> sae_check_mfp=0
> >>>>>>
> >>>>>> Let me know if that makes any difference.
> >>>>>>
> >>>>>>> Why would I have to re-build wpa_supplicant?
> >>>>>>
> >>>>>> I would provide a patch with additional debug prints so I get
> >>>>>> better understanding what is going wrong. Would be great if you
> >>>>>> can apply that and rebuild.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Arend
> >>>>> Arend,
> >>>>>
> >>>>> I was able to try it this afternoon.
> >>>>> My hostapd is still:
> >>>>> # interface and driver
> >>>>> interface=ap0
> >>>>> driver=nl80211
> >>>>>
> >>>>> # WIFI-Config
> >>>>> ssid=deskSAE
> >>>>> channel=1
> >>>>> hw_mode=g
> >>>>>
> >>>>> wpa=2
> >>>>> wpa_key_mgmt=SAE
> >>>>> wpa_pairwise=CCMP
> >>>>> sae_password=secret123
> >>>>> sae_groups=19
> >>>>> ieee80211w=2
> >>>>> sae_pwe=0
> >>>>>
> >>>>> and I can still connect from my phone to this AP.
> >>>>>
> >>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>> update_config=1
> >>>>> network={
> >>>>> ssid="deskSAE"
> >>>>> sae_password="secret123"
> >>>>> proto=RSN
> >>>>> key_mgmt=SAE
> >>>>> pairwise=CCMP
> >>>>> ieee80211w=2
> >>>>> sae_check_mfp=1
> >>>>> }
> >>>>>
> >>>>> and when I try to connect, I get:
> >>>>> # wpa_supplicant -i wlan0 -c
> >>>>> /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>> Successfully initialized wpa_supplicant
> >>>>> Line 10: unknown network field 'sae_check_mfp'.
> >>>>> Line 11: failed to parse network block.
> >>>>
> >>>> Right. The setting sae_check_mfp is a global setting like
> >>>> update_config. So it should be moved outside the network block.
> >>>>
> >>>> Regards,
> >>>> Arend
> >>> Arend,
> >>>
> >>> Thanks for the hand holding, I am out of my depth here!
> >>>
> >>> I tried this config and get a similar result.
> >>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>> update_config=1
> >>> sae_check_mfp=1
> >>> network={
> >>> ssid="deskSAE"
> >>> sae_password="secret123"
> >>> proto=RSN
> >>> key_mgmt=SAE
> >>> pairwise=CCMP
> >>> ieee80211w=2
> >>> }
> >>> # wpa_supplicant -i wlan0 -c
> >>> /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>> Successfully initialized wpa_supplicant
> >>> Line 3: unknown global field 'sae_check_mfp=1'.
> >>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> >>> Failed to read or parse configuration
> >>> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> >>> : CTRL-EVENT-DSCP-POLICY clear_all
> >>>
> >>> seems it doesn't recognize this parameter.
> >>>
> >>> Keith
> >>
> >> Replying to my own post.
> >> I re-built wpa_supplicant from the current git:
> >> # wpa_supplicant -v
> >> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> >> Copyright (c) 2003-2022, Jouni Malinen <j at w1.fi> and contributors
> >>
> >> It now seems to recognize the 'sae_check_mfp' parameter, but still does not
> >> connect:
> >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> Successfully initialized wpa_supplicant
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> >> auth_failures=1 duration=10 reason=CONN_FAILED
> >> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> >> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring
> >> for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> >> auth_failures=2 duration=20 reason=CONN_FAILED
> >> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> >> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> >> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> >> wlan0: CTRL-EVENT-TERMINATING
> >>
> >> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> >> connect with this 'current' version of
> >> wpa_supplicant.
> >>
> >> Keith
> > Hi Keith,
> >
> > maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
> > At least in our setup it works.
>
> I think Keith already reported success in earlier email.
>
> @Keith: If I am mistaken let me know.
>
> Regards,
> Arend
>
Arend,

Yes, I figured it out. As per the link shared: I had to put the latest
firmware on and use the latest wpa_supplicant, but with these 2
changes, it did connect.
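Arend's walk-through above of how `sel` is computed, as an added example that is not part of any message in this thread nor of wpa_supplicant itself: a small C model of that selection step which also reports which input zeroed the "available key_mgmt" mask. Only WPA_KEY_MGMT_SAE = BIT(10) comes from the thread; the other bit values, the single merged driver-flag word, and the reduction of wpas_is_sae_avoided() to "sae_check_mfp=1 and PMF not in use" are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not wpa_supplicant code: models the key_mgmt selection step
 * quoted in the thread so "available key_mgmt 0x0" can be traced to the input
 * that zeroed it. Only WPA_KEY_MGMT_SAE = BIT(10) is from the thread. */
#define BIT(n)          (1u << (n))
#define KM_PSK          BIT(1)   /* placeholder value */
#define KM_SAE          BIT(10)  /* WPA_KEY_MGMT_SAE, 0x400 in Keith's log */
#define KM_SAE_EXT_KEY  BIT(11)  /* placeholder value */
#define DRV_SAE         BIT(0)   /* placeholder for WPA_DRIVER_FLAGS_SAE */
#define DRV_SAE_OFFLOAD BIT(1)   /* placeholder for ..._SAE_OFFLOAD_STA */

enum sel_reason {
    SEL_OK,           /* at least one AKM survived */
    SEL_NO_OVERLAP,   /* AP and network profile share no AKM at all */
    SEL_DRV_NO_SAE,   /* SAE dropped: driver reports neither SAE flag */
    SEL_SAE_AVOIDED   /* SAE dropped: sae_check_mfp=1 and PMF not in use */
};

/* Mirrors the quoted logic: AND the AP and profile masks, then strip the SAE
 * bits when the driver cannot do SAE or when wpas_is_sae_avoided() would be
 * true (assumed here to mean sae_check_mfp && !mfp_used). `why` may be NULL. */
static uint32_t select_key_mgmt(uint32_t ap_key_mgmt, uint32_t net_key_mgmt,
                                uint32_t drv_flags, bool sae_check_mfp,
                                bool mfp_used, enum sel_reason *why)
{
    uint32_t sel = ap_key_mgmt & net_key_mgmt;
    bool drv_no_sae = !(drv_flags & (DRV_SAE | DRV_SAE_OFFLOAD));
    bool sae_avoided = sae_check_mfp && !mfp_used;
    enum sel_reason r = sel ? SEL_OK : SEL_NO_OVERLAP;
    if (sel && (drv_no_sae || sae_avoided)) {
        sel &= ~(KM_SAE | KM_SAE_EXT_KEY);
        if (!sel) /* nothing left: the 0x0 seen in Keith's log */
            r = drv_no_sae ? SEL_DRV_NO_SAE : SEL_SAE_AVOIDED;
    }
    if (why) *why = r; /* optional out-parameter */
    return sel;
}

/* Same inputs, but answers only "why": useful when the mask alone is 0x0. */
static enum sel_reason why_key_mgmt(uint32_t ap, uint32_t net, uint32_t drv,
                                    bool sae_check_mfp, bool mfp_used)
{
    enum sel_reason why;
    select_key_mgmt(ap, net, drv, sae_check_mfp, mfp_used, &why);
    return why;
}
```

With a profile of key_mgmt=SAE WPA-PSK the model falls back to PSK when SAE is avoided, which is the behaviour the quoted sae_check_mfp comment describes; with key_mgmt=SAE alone it returns 0x0 and names the cause.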
