brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

Arend Van Spriel arend.vanspriel at broadcom.com
Wed Jun 26 22:01:46 PDT 2024 

On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:

> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> <arend.vanspriel at broadcom.com> wrote:
>>
>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
>>
>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>> <arend.vanspriel at broadcom.com> wrote:
>>>>
>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
>>>>
>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>> <arend.vanspriel at broadcom.com> wrote:
>>>>>>
>>>>>> + Jouni
>>>>>>
>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>>>> 0x18; available group 0x10
>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>>>> pairwise 0x10; available pairwise 0x10
>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>>>
>>>>>>
>>>>>> I suspect the message above indicates the problem as there is no
>>>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>>>
>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>> #ifdef CONFIG_SAE
>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>> WPA_KEY_MGMT_FT_SAE |
>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>> #endif /* CONFIG_SAE */
>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>> sel &= ~WPA_KEY_MGMT_FT;
>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>>>>>> available key_mgmt 0x%x",
>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>
>>>>>> So 0x400 matches the expectation:
>>>>>>
>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>
>>>>>> You already confirmed that the driver reports SAE and SAE offload
>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>> is enabled in configuration file:
>>>>>>
>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>> #
>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>> # for the connection.
>>>>>> # Scenarios where this check will limit SAE:
>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>> #  2) The AP does not have PMF enabled.
>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>> #     the device does not support the BIP cipher.
>>>>>> # Consider the configuration of global parameterss sae_check_mfp=1,
>>>>>> pmf=1 and a
>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>
>>>>>> The default is not to check it and you wpa_supplicant.conf does not
>>>>>> specify it.
>>>>>>
>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>> update_config=1
>>>>>> network={
>>>>>> ssid="deskSAE"
>>>>>> sae_password="secret123"
>>>>>> proto=RSN
>>>>>> key_mgmt=SAE
>>>>>> pairwise=CCMP
>>>>>> ieee80211w=2
>>>>>> }
>>>>>>
>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>> # interface and driver
>>>>>> interface=ap0
>>>>>> driver=nl80211
>>>>>>
>>>>>> # WIFI-Config
>>>>>> ssid=deskSAE
>>>>>> channel=1
>>>>>> hw_mode=g
>>>>>>
>>>>>> wpa=2
>>>>>> wpa_key_mgmt=SAE
>>>>>> wpa_pairwise=CCMP
>>>>>> sae_password=secret123
>>>>>> sae_groups=19
>>>>>> ieee80211w=2
>>>>>> sae_pwe=0
>>>>>>
>>>>>> Regards,
>>>>>> Arend
>>>>>>
>>>>>>
>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>>>> management type
>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>>>> encryption suites
>>>>>
>>>>> Arend,
>>>>>
>>>>> I find the wpa_supplicant docs really hard to understand. I have read
>>>>> through your response a few times and am still a bit confused. Does
>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>
>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>
>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>>>> still cannot get a connection, so I must be doing something wrong.
>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>>>> it still would not connect.
>>>>>
>>>>> What *should* the configurations be in the hostapd.conf and
>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>>>> with the original hostapd setup, but I have no idea what it is doing
>>>>
>>>> As I mentioned in my previous email both config files listed above look
>>>> okay to me (might be wrong though). The problem seems to be with
>>>> wpas_is_sae_avoided(). For it to return true the config should have:
>>>>
>>>> sae_check_mfp=1
>>>>
>>>> But you don't have that and default is 0 so it should check for MFP. This
>>>> is where my trail ends. To learn more I would add additional debug prints.
>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>
>>>> Regards,
>>>> Arend
>>>
>>> Arend,
>>>
>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>> source. This is on RPi, so debian *.debs which are a pain, but I think
>>> I can do it.
>>>
>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
>>> anything changes.
>>
>> Ok. We can try first to put following in wpa_supplicant.conf:
>>
>> sae_check_mfp=0
>>
>> Let me know if that makes any difference.
>>
>>> Why would I have to re-build wpa_supplicant?
>>
>> I would provide a patch with additional debug prints so I get better
>> understanding what is going wrong. Would be great if you can apply that and
>> rebuild.
>>
>> Regards,
>> Arend
> Arend,
>
> I was able to try it this afternoon.
> My hostapd is still:
> # interface and driver
> interface=ap0
> driver=nl80211
>
> # WIFI-Config
> ssid=deskSAE
> channel=1
> hw_mode=g
>
> wpa=2
> wpa_key_mgmt=SAE
> wpa_pairwise=CCMP
> sae_password=secret123
> sae_groups=19
> ieee80211w=2
> sae_pwe=0
>
> and I can still connect from my phone to this AP.
>
> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> network={
>  ssid="deskSAE"
>  sae_password="secret123"
>  proto=RSN
>  key_mgmt=SAE
>  pairwise=CCMP
>  ieee80211w=2
>  sae_check_mfp=1
> }
>
> and when I try to connect, I get:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> Line 10: unknown network field 'sae_check_mfp'.
> Line 11: failed to parse network block.

Right. The setting sae_check_mfp is a global setting like update_config. So 
it should be moved outside the network block.

Regards,
Arend


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4219 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20240627/378ac348/attachment.p7s>

More information about the Hostap mailing list