brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

KeithG ys3al35l at gmail.com
Wed Jun 26 05:04:56 PDT 2024


On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
<arend.vanspriel at broadcom.com> wrote:
>
> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
>
> > On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > <arend.vanspriel at broadcom.com> wrote:
> >>
> >> + Jouni
> >>
> >> On 6/20/2024 8:25 PM, KeithG wrote:
> >>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>> 0x18; available group 0x10
> >>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>> pairwise 0x10; available pairwise 0x10
> >>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>> key_mgmt 0x400; available key_mgmt 0x0
> >>
> >>
> >> I suspect the message above indicates the problem as there is no
> >> available key_mgmt to select so looked it up in the code and here it is:
> >>
> >>     sel = ie.key_mgmt & ssid->key_mgmt;
> >> #ifdef CONFIG_SAE
> >>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>                  WPA_KEY_MGMT_FT_SAE |
> >>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >> #endif /* CONFIG_SAE */
> >> #ifdef CONFIG_IEEE80211R
> >>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>                               WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>         sel &= ~WPA_KEY_MGMT_FT;
> >> #endif /* CONFIG_IEEE80211R */
> >>     wpa_dbg(wpa_s, MSG_DEBUG,
> >>             "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>             ie.key_mgmt, ssid->key_mgmt, sel);
> >>
> >> So 0x400 matches the expectation:
> >>
> >> #define WPA_KEY_MGMT_SAE BIT(10)
> >>
> >> You already confirmed that the driver reports SAE and SAE offload
> >> support. So it seems wpas_is_sae_avoided() must return true. That will
> >> check whether the AP and network profile are setup to MFP. This seems to
> >> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >> ieee80211w=2 defined. This function can only return true when
> >> is enabled in configuration file:
> >>
> >> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >> # 0 = Do not check PMF for SAE (default)
> >> # 1 = Limit SAE when PMF is not enabled
> >> #
> >> # When enabled SAE will not be selected if PMF will not be used
> >> # for the connection.
> >> # Scenarios where this check will limit SAE:
> >> #  1) ieee80211w=0 is set for the network
> >> #  2) The AP does not have PMF enabled.
> >> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >> #     the device does not support the BIP cipher.
> >> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >> # In the example WPA-PSK will be used if the device does not support
> >> # the BIP cipher or the AP has PMF disabled.
> >> # Limiting SAE with this check can avoid failing to associate to an AP
> >> # that is configured with sae_requires_mfp=1 if the device does
> >> # not support PMF due to lack of the BIP cipher.
> >>
> >> The default is not to check it and your wpa_supplicant.conf does not
> >> specify it.
> >>
> >> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> network={
> >> ssid="deskSAE"
> >> sae_password="secret123"
> >> proto=RSN
> >> key_mgmt=SAE
> >> pairwise=CCMP
> >> ieee80211w=2
> >> }
> >>
> >> $ cat /etc/hostapd/hostapd.conf
> >> # interface and driver
> >> interface=ap0
> >> driver=nl80211
> >>
> >> # WIFI-Config
> >> ssid=deskSAE
> >> channel=1
> >> hw_mode=g
> >>
> >> wpa=2
> >> wpa_key_mgmt=SAE
> >> wpa_pairwise=CCMP
> >> sae_password=secret123
> >> sae_groups=19
> >> ieee80211w=2
> >> sae_pwe=0
> >>
> >> Regards,
> >> Arend
> >>
> >>
> >>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>> management type
> >>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>> encryption suites
> >
> > Arend,
> >
> > I find the wpa_supplicant docs really hard to understand. I have read
> > through your response a few times and am still a bit confused. Does
> > this have to do with a pure wpa3 versus a wpa2/3 AP?
>
> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>
> > I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > still cannot get a connection, so I must be doing something wrong.
> > I commented the ieee80211w line on both and it would not connect.
> > I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > it still would not connect.
> >
> > What *should* the configurations be in the hostapd.conf and
> > wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > should it be to be a wpa2/3 setup? My phone worked fine to connect
> > with the original hostapd setup, but I have no idea what it is doing
>
> As I mentioned in my previous email both config files listed above look
> okay to me (might be wrong though). The problem seems to be with
> wpas_is_sae_avoided(). For it to return true the config should have:
>
> sae_check_mfp=1
>
> But you don't have that and default is 0 so it should check for MFP. This
> is where my trail ends. To learn more I would add additional debug prints.
> Are you comfortable rebuilding wpa_supplicant from source?
>
> Regards,
> Arend
>
>

Arend,

Thanks for the reply. I could try to rebuild wpa_supplicant from
source. This is on RPi, so debian *.debs which are a pain, but I think
I can do it.

Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
the hostapd.conf and wpa_supplicant.conf? I can try that and see if
anything changes.

Why would I have to re-build wpa_supplicant?

Keith
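Added example, not code from the thread or from wpa_supplicant: a stand-alone C model of the key_mgmt selection Arend quoted, with wpas_is_sae_avoided() reconstructed from the sae_check_mfp description. The struct fields, the ap_pmf parameter and the WPA-PSK bit value are assumptions; the model shows that Keith's posted configuration should yield "available key_mgmt 0x400", so the logged 0x0 has to come from an input the model does not see (the driver flags at runtime or the real MFP check).

```c
/* Added model of the key_mgmt selection quoted above; not wpa_supplicant code. */
#include <stdbool.h>
#include <stdio.h>

#define BIT(n)            (1U << (n))
#define WPA_KEY_MGMT_PSK  BIT(1)   /* WPA-PSK, value from wpa_supplicant defs.h */
#define WPA_KEY_MGMT_SAE  BIT(10)  /* 0x400, as quoted in the thread */

struct sta {                /* constructed stand-in for wpa_s/ssid/conf state */
    bool drv_sae;           /* driver reports WPA_DRIVER_FLAGS_SAE */
    bool drv_sae_offload;   /* driver reports WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA */
    int  sae_check_mfp;     /* global sae_check_mfp, 0 by default */
    int  pmf;               /* global pmf */
    int  ieee80211w;        /* network ieee80211w, -1 = unset */
    bool bip_supported;     /* device has a BIP cipher */
};

/* Model of wpas_is_sae_avoided() built from the sae_check_mfp comment:
 * returns true only when sae_check_mfp=1 and PMF will not be used. */
static bool sae_avoided(const struct sta *s, bool ap_pmf)
{
    if (!s->sae_check_mfp)
        return false;                           /* default: never avoid SAE */
    if (s->ieee80211w == 0 || !ap_pmf)          /* scenarios 1 and 2 */
        return true;
    return s->ieee80211w < 0 && s->pmf == 1 && !s->bip_supported; /* 3 */
}

/* "available key_mgmt" as the quoted snippet computes it (CONFIG_SAE path,
 * FT and SAE-EXT-KEY bits left out of the model). */
static unsigned select_key_mgmt(const struct sta *s, unsigned ap_key_mgmt,
                                unsigned profile_key_mgmt, bool ap_pmf)
{
    unsigned sel = ap_key_mgmt & profile_key_mgmt;

    if ((!s->drv_sae && !s->drv_sae_offload) || sae_avoided(s, ap_pmf))
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;
}

int main(void)
{
    /* Keith's setup as posted: SAE driver flags present, sae_check_mfp unset,
     * ieee80211w=2 on both ends. The model gives 0x400, not the logged 0x0. */
    struct sta keith = { true, true, 0, 0, 2, true };
    printf("available key_mgmt 0x%x\n",
           select_key_mgmt(&keith, WPA_KEY_MGMT_SAE, WPA_KEY_MGMT_SAE, true));
    return 0;
}
```

Flipping drv_sae and drv_sae_offload to false reproduces the 0x0 from the log, which is why Arend asks whether the driver flags were really reported.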
