brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

Thu Jun 27 07:46:52 PDT 2024

On June 27, 2024 3:46:35 PM KeithG <ys3al35l at gmail.com> wrote:

> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l at gmail.com> wrote:
>>
>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
>> <arend.vanspriel at broadcom.com> wrote:
>>>
>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:
>>>
>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
>>>> <arend.vanspriel at broadcom.com> wrote:
>>>>>
>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
>>>>>
>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>>>>> <arend.vanspriel at broadcom.com> wrote:
>>>>>>>
>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
>>>>>>>
>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>>>>> <arend.vanspriel at broadcom.com> wrote:
>>>>>>>>>
>>>>>>>>> + Jouni
>>>>>>>>>
>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>>>>>>> 0x18; available group 0x10
>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>>>>>>> pairwise 0x10; available pairwise 0x10
>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I suspect the message above indicates the problem as there is no
>>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>>>>>>
>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>>>>> #ifdef CONFIG_SAE
>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>>>> WPA_KEY_MGMT_FT_SAE |
>>>>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>>>>> #endif /* CONFIG_SAE */
>>>>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>>>> sel &= ~WPA_KEY_MGMT_FT;
>>>>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>>>>>>>>> available key_mgmt 0x%x",
>>>>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>>>>
>>>>>>>>> So 0x400 matches the expectation:
>>>>>>>>>
>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>>>>
>>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
>>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>>>>> is enabled in configuration file:
>>>>>>>>>
>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>>>>> #
>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>>>>> # for the connection.
>>>>>>>>> # Scenarios where this check will limit SAE:
>>>>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>>>>> #  2) The AP does not have PMF enabled.
>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>>>>> #     the device does not support the BIP cipher.
>>>>>>>>> # Consider the configuration of global parameterss sae_check_mfp=1,
>>>>>>>>> pmf=1 and a
>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>>>>
>>>>>>>>> The default is not to check it and you wpa_supplicant.conf does not
>>>>>>>>> specify it.
>>>>>>>>>
>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>>>> update_config=1
>>>>>>>>> network={
>>>>>>>>> ssid="deskSAE"
>>>>>>>>> sae_password="secret123"
>>>>>>>>> proto=RSN
>>>>>>>>> key_mgmt=SAE
>>>>>>>>> pairwise=CCMP
>>>>>>>>> ieee80211w=2
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>>>>> # interface and driver
>>>>>>>>> interface=ap0
>>>>>>>>> driver=nl80211
>>>>>>>>>
>>>>>>>>> # WIFI-Config
>>>>>>>>> ssid=deskSAE
>>>>>>>>> channel=1
>>>>>>>>> hw_mode=g
>>>>>>>>>
>>>>>>>>> wpa=2
>>>>>>>>> wpa_key_mgmt=SAE
>>>>>>>>> wpa_pairwise=CCMP
>>>>>>>>> sae_password=secret123
>>>>>>>>> sae_groups=19
>>>>>>>>> ieee80211w=2
>>>>>>>>> sae_pwe=0
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Arend
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>>>>>>> management type
>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>>>>>>> encryption suites
>>>>>>>>
>>>>>>>> Arend,
>>>>>>>>
>>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
>>>>>>>> through your response a few times and am still a bit confused. Does
>>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>>>>
>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>>>>
>>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>>>>>>> still cannot get a connection, so I must be doing something wrong.
>>>>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>>>>>>> it still would not connect.
>>>>>>>>
>>>>>>>> What *should* the configurations be in the hostapd.conf and
>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>>>>>>> with the original hostapd setup, but I have no idea what it is doing
>>>>>>>
>>>>>>> As I mentioned in my previous email both config files listed above look
>>>>>>> okay to me (might be wrong though). The problem seems to be with
>>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
>>>>>>>
>>>>>>> sae_check_mfp=1
>>>>>>>
>>>>>>> But you don't have that and default is 0 so it should check for MFP. This
>>>>>>> is where my trail ends. To learn more I would add additional debug prints.
>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Arend
>>>>>>
>>>>>> Arend,
>>>>>>
>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
>>>>>> I can do it.
>>>>>>
>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
>>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
>>>>>> anything changes.
>>>>>
>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
>>>>>
>>>>> sae_check_mfp=0
>>>>>
>>>>> Let me know if that makes any difference.
>>>>>
>>>>>> Why would I have to re-build wpa_supplicant?
>>>>>
>>>>> I would provide a patch with additional debug prints so I get better
>>>>> understanding what is going wrong. Would be great if you can apply that and
>>>>> rebuild.
>>>>>
>>>>> Regards,
>>>>> Arend
>>>> Arend,
>>>>
>>>> I was able to try it this afternoon.
>>>> My hostapd is still:
>>>> # interface and driver
>>>> interface=ap0
>>>> driver=nl80211
>>>>
>>>> # WIFI-Config
>>>> ssid=deskSAE
>>>> channel=1
>>>> hw_mode=g
>>>>
>>>> wpa=2
>>>> wpa_key_mgmt=SAE
>>>> wpa_pairwise=CCMP
>>>> sae_password=secret123
>>>> sae_groups=19
>>>> ieee80211w=2
>>>> sae_pwe=0
>>>>
>>>> and I can still connect from my phone to this AP.
>>>>
>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>> update_config=1
>>>> network={
>>>> ssid="deskSAE"
>>>> sae_password="secret123"
>>>> proto=RSN
>>>> key_mgmt=SAE
>>>> pairwise=CCMP
>>>> ieee80211w=2
>>>> sae_check_mfp=1
>>>> }
>>>>
>>>> and when I try to connect, I get:
>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> Successfully initialized wpa_supplicant
>>>> Line 10: unknown network field 'sae_check_mfp'.
>>>> Line 11: failed to parse network block.
>>>
>>> Right. The setting sae_check_mfp is a global setting like update_config. So
>>> it should be moved outside the network block.
>>>
>>> Regards,
>>> Arend
>> Arend,
>>
>> Thanks for the hand holding, I am out of my depth here!
>>
>> I tried this config and get a similar result.
>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>> update_config=1
>> sae_check_mfp=1
>> network={
>> ssid="deskSAE"
>> sae_password="secret123"
>> proto=RSN
>> key_mgmt=SAE
>> pairwise=CCMP
>> ieee80211w=2
>> }
>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>> Successfully initialized wpa_supplicant
>> Line 3: unknown global field 'sae_check_mfp=1'.
>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
>> Failed to read or parse configuration
>> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
>> : CTRL-EVENT-DSCP-POLICY clear_all
>>
>> seems it doesn't recognize this parameter.
>>
>> Keith
>
> Replying to my own post.
> I re-built wpa_supplicant from the current git:
> # wpa_supplicant -v
> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> Copyright (c) 2003-2022, Jouni Malinen <j at w1.fi> and contributors
>
> It now seems to recognize the 'sae_check_mfp' parameter, but still
> does not connect:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> auth_failures=1 duration=10 reason=CONN_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> auth_failures=2 duration=20 reason=CONN_FAILED
> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> wlan0: CTRL-EVENT-TERMINATING
>
> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> connect with this 'current' version of wpa_supplicant.

Right. So I should have asked about the wpa_supplicant from the start. Let 
me work on patch for debugging this based on git version (SHA1: c9db4925f).

Regards,
Arend

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4219 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20240627/7ead8d4e/attachment-0001.p7s>