brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

Arend Van Spriel arend.vanspriel at broadcom.com
Wed Jun 26 05:30:26 PDT 2024 

On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:

> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> <arend.vanspriel at broadcom.com> wrote:
>>
>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
>>
>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>> <arend.vanspriel at broadcom.com> wrote:
>>>>
>>>> + Jouni
>>>>
>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>> 0x18; available group 0x10
>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>> pairwise 0x10; available pairwise 0x10
>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>
>>>>
>>>> I suspect the message above indicates the problem as there is no
>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>
>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>> #ifdef CONFIG_SAE
>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>    WPA_KEY_MGMT_FT_SAE |
>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>> #endif /* CONFIG_SAE */
>>>> #ifdef CONFIG_IEEE80211R
>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>             WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>> sel &= ~WPA_KEY_MGMT_FT;
>>>> #endif /* CONFIG_IEEE80211R */
>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>>>> available key_mgmt 0x%x",
>>>> ie.key_mgmt, ssid->key_mgmt, sel);
>>>>
>>>> So 0x400 matches the expectation:
>>>>
>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>
>>>> You already confirmed that the driver reports SAE and SAE offload
>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>> ieee80211w=2 defined. This function can only return true when
>>>> is enabled in configuration file:
>>>>
>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>> # 0 = Do not check PMF for SAE (default)
>>>> # 1 = Limit SAE when PMF is not enabled
>>>> #
>>>> # When enabled SAE will not be selected if PMF will not be used
>>>> # for the connection.
>>>> # Scenarios where this check will limit SAE:
>>>> #  1) ieee80211w=0 is set for the network
>>>> #  2) The AP does not have PMF enabled.
>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>> #     the device does not support the BIP cipher.
>>>> # Consider the configuration of global parameterss sae_check_mfp=1,
>>>> pmf=1 and a
>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>> # In the example WPA-PSK will be used if the device does not support
>>>> # the BIP cipher or the AP has PMF disabled.
>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>> # not support PMF due to lack of the BIP cipher.
>>>>
>>>> The default is not to check it and you wpa_supplicant.conf does not
>>>> specify it.
>>>>
>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>> update_config=1
>>>> network={
>>>> ssid="deskSAE"
>>>> sae_password="secret123"
>>>> proto=RSN
>>>> key_mgmt=SAE
>>>> pairwise=CCMP
>>>> ieee80211w=2
>>>> }
>>>>
>>>> $ cat /etc/hostapd/hostapd.conf
>>>> # interface and driver
>>>> interface=ap0
>>>> driver=nl80211
>>>>
>>>> # WIFI-Config
>>>> ssid=deskSAE
>>>> channel=1
>>>> hw_mode=g
>>>>
>>>> wpa=2
>>>> wpa_key_mgmt=SAE
>>>> wpa_pairwise=CCMP
>>>> sae_password=secret123
>>>> sae_groups=19
>>>> ieee80211w=2
>>>> sae_pwe=0
>>>>
>>>> Regards,
>>>> Arend
>>>>
>>>>
>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>> management type
>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>> encryption suites
>>>
>>> Arend,
>>>
>>> I find the wpa_supplicant docs really hard to understand. I have read
>>> through your response a few times and am still a bit confused. Does
>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>
>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>
>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>> still cannot get a connection, so I must be doing something wrong.
>>> I commented the ieee80211w line on both and it would not connect.
>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>> it still would not connect.
>>>
>>> What *should* the configurations be in the hostapd.conf and
>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>> with the original hostapd setup, but I have no idea what it is doing
>>
>> As I mentioned in my previous email both config files listed above look
>> okay to me (might be wrong though). The problem seems to be with
>> wpas_is_sae_avoided(). For it to return true the config should have:
>>
>> sae_check_mfp=1
>>
>> But you don't have that and default is 0 so it should check for MFP. This
>> is where my trail ends. To learn more I would add additional debug prints.
>> Are you comfortable rebuilding wpa_supplicant from source?
>>
>> Regards,
>> Arend
>
> Arend,
>
> Thanks for the reply. I could try to rebuild wpa_supplicant from
> source. This is on RPi, so debian *.debs which are a pain, but I think
> I can do it.
>
> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> anything changes.

Ok. We can try first to put following in wpa_supplicant.conf:

sae_check_mfp=0

Let me know if that makes any difference.

> Why would I have to re-build wpa_supplicant?

I would provide a patch with additional debug prints so I get better 
understanding what is going wrong. Would be great if you can apply that and 
rebuild.

Regards,
Arend


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4219 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20240626/b2e7a39c/attachment-0001.p7s>

More information about the Hostap mailing list