brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
KeithG
ys3al35l at gmail.com
Thu Jun 27 06:46:22 PDT 2024
On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l at gmail.com> wrote:
>
> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> <arend.vanspriel at broadcom.com> wrote:
> >
> > On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:
> >
> > > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > > <arend.vanspriel at broadcom.com> wrote:
> > >>
> > >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
> > >>
> > >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > >>> <arend.vanspriel at broadcom.com> wrote:
> > >>>>
> > >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
> > >>>>
> > >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > >>>>> <arend.vanspriel at broadcom.com> wrote:
> > >>>>>>
> > >>>>>> + Jouni
> > >>>>>>
> > >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> > >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > >>>>>>> 0x18; available group 0x10
> > >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> > >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > >>>>>>> pairwise 0x10; available pairwise 0x10
> > >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> > >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > >>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> > >>>>>>
> > >>>>>>
> > >>>>>> I suspect the message above indicates the problem as there is no
> > >>>>>> available key_mgmt to select so looked it up in the code and here it is:
> > >>>>>>
> > >>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> > >>>>>> #ifdef CONFIG_SAE
> > >>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > >>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > >>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > >>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> > >>>>>> WPA_KEY_MGMT_FT_SAE |
> > >>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > >>>>>> #endif /* CONFIG_SAE */
> > >>>>>> #ifdef CONFIG_IEEE80211R
> > >>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> > >>>>>> WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > >>>>>> sel &= ~WPA_KEY_MGMT_FT;
> > >>>>>> #endif /* CONFIG_IEEE80211R */
> > >>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> > >>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> > >>>>>> available key_mgmt 0x%x",
> > >>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
> > >>>>>>
> > >>>>>> So 0x400 matches the expectation:
> > >>>>>>
> > >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> > >>>>>>
> > >>>>>> You already confirmed that the driver reports SAE and SAE offload
> > >>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> > >>>>>> check whether the AP and network profile are setup to MFP. This seems to
> > >>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> > >>>>>> ieee80211w=2 defined. This function can only return true when
> > >>>>>> is enabled in configuration file:
> > >>>>>>
> > >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > >>>>>> # 0 = Do not check PMF for SAE (default)
> > >>>>>> # 1 = Limit SAE when PMF is not enabled
> > >>>>>> #
> > >>>>>> # When enabled SAE will not be selected if PMF will not be used
> > >>>>>> # for the connection.
> > >>>>>> # Scenarios where this check will limit SAE:
> > >>>>>> # 1) ieee80211w=0 is set for the network
> > >>>>>> # 2) The AP does not have PMF enabled.
> > >>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> > >>>>>> # the device does not support the BIP cipher.
> > >>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> > >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > >>>>>> # In the example WPA-PSK will be used if the device does not support
> > >>>>>> # the BIP cipher or the AP has PMF disabled.
> > >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> > >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> > >>>>>> # not support PMF due to lack of the BIP cipher.
> > >>>>>>
> > >>>>>> The default is not to check it and your wpa_supplicant.conf does not
> > >>>>>> specify it.
> > >>>>>>
> > >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > >>>>>> update_config=1
> > >>>>>> network={
> > >>>>>> ssid="deskSAE"
> > >>>>>> sae_password="secret123"
> > >>>>>> proto=RSN
> > >>>>>> key_mgmt=SAE
> > >>>>>> pairwise=CCMP
> > >>>>>> ieee80211w=2
> > >>>>>> }
> > >>>>>>
> > >>>>>> $ cat /etc/hostapd/hostapd.conf
> > >>>>>> # interface and driver
> > >>>>>> interface=ap0
> > >>>>>> driver=nl80211
> > >>>>>>
> > >>>>>> # WIFI-Config
> > >>>>>> ssid=deskSAE
> > >>>>>> channel=1
> > >>>>>> hw_mode=g
> > >>>>>>
> > >>>>>> wpa=2
> > >>>>>> wpa_key_mgmt=SAE
> > >>>>>> wpa_pairwise=CCMP
> > >>>>>> sae_password=secret123
> > >>>>>> sae_groups=19
> > >>>>>> ieee80211w=2
> > >>>>>> sae_pwe=0
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> Arend
> > >>>>>>
> > >>>>>>
> > >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > >>>>>>> management type
> > >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > >>>>>>> encryption suites
> > >>>>>
> > >>>>> Arend,
> > >>>>>
> > >>>>> I find the wpa_supplicant docs really hard to understand. I have read
> > >>>>> through your response a few times and am still a bit confused. Does
> > >>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> > >>>>
> > >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> > >>>>
> > >>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > >>>>> still cannot get a connection, so I must be doing something wrong.
> > >>>>> I commented the ieee80211w line on both and it would not connect.
> > >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > >>>>> it still would not connect.
> > >>>>>
> > >>>>> What *should* the configurations be in the hostapd.conf and
> > >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > >>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> > >>>>> with the original hostapd setup, but I have no idea what it is doing
> > >>>>
> > >>>> As I mentioned in my previous email both config files listed above look
> > >>>> okay to me (might be wrong though). The problem seems to be with
> > >>>> wpas_is_sae_avoided(). For it to return true the config should have:
> > >>>>
> > >>>> sae_check_mfp=1
> > >>>>
> > >>>> But you don't have that and the default is 0 so it should check for MFP. This
> > >>>> is where my trail ends. To learn more I would add additional debug prints.
> > >>>> Are you comfortable rebuilding wpa_supplicant from source?
> > >>>>
> > >>>> Regards,
> > >>>> Arend
> > >>>
> > >>> Arend,
> > >>>
> > >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> > >>> source. This is on RPi, so debian *.debs which are a pain, but I think
> > >>> I can do it.
> > >>>
> > >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> > >>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> > >>> anything changes.
> > >>
> > >> Ok. We can try first to put following in wpa_supplicant.conf:
> > >>
> > >> sae_check_mfp=0
> > >>
> > >> Let me know if that makes any difference.
> > >>
> > >>> Why would I have to re-build wpa_supplicant?
> > >>
> > >> I would provide a patch with additional debug prints so I get better
> > >> understanding what is going wrong. Would be great if you can apply that and
> > >> rebuild.
> > >>
> > >> Regards,
> > >> Arend
> > >
> > > Arend,
> > >
> > > I was able to try it this afternoon.
> > > My hostapd is still:
> > > # interface and driver
> > > interface=ap0
> > > driver=nl80211
> > >
> > > # WIFI-Config
> > > ssid=deskSAE
> > > channel=1
> > > hw_mode=g
> > >
> > > wpa=2
> > > wpa_key_mgmt=SAE
> > > wpa_pairwise=CCMP
> > > sae_password=secret123
> > > sae_groups=19
> > > ieee80211w=2
> > > sae_pwe=0
> > >
> > > and I can still connect from my phone to this AP.
> > >
> > > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > update_config=1
> > > network={
> > > ssid="deskSAE"
> > > sae_password="secret123"
> > > proto=RSN
> > > key_mgmt=SAE
> > > pairwise=CCMP
> > > ieee80211w=2
> > > sae_check_mfp=1
> > > }
> > >
> > > and when I try to connect, I get:
> > > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > Successfully initialized wpa_supplicant
> > > Line 10: unknown network field 'sae_check_mfp'.
> > > Line 11: failed to parse network block.
> >
> > Right. The setting sae_check_mfp is a global setting like update_config. So
> > it should be moved outside the network block.
> >
> > Regards,
> > Arend
> >
> Arend,
>
> Thanks for the hand holding, I am out of my depth here!
>
> I tried this config and get a similar result.
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> sae_check_mfp=1
> network={
> ssid="deskSAE"
> sae_password="secret123"
> proto=RSN
> key_mgmt=SAE
> pairwise=CCMP
> ieee80211w=2
> }
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> Line 3: unknown global field 'sae_check_mfp=1'.
> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> Failed to read or parse configuration
> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> : CTRL-EVENT-DSCP-POLICY clear_all
>
> seems it doesn't recognize this parameter.
>
> Keith
Replying to my own post.
I re-built wpa_supplicant from the current git:
# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j at w1.fi> and contributors
It now seems to recognize the 'sae_check_mfp' parameter, but still
does not connect:
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: CTRL-EVENT-TERMINATING
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING
I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
connect with this 'current' version of wpa_supplicant.
Keith
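Added illustration (not code from wpa_supplicant or from anyone in this thread): a small C model of the key_mgmt selection Arend quoted, showing how "available key_mgmt 0x0" arises from "sel = ie.key_mgmt & ssid->key_mgmt" once SAE is masked out, and how the documented sae_check_mfp=1 fallback to WPA-PSK works. Only WPA_KEY_MGMT_SAE = BIT(10) comes from the thread; the PSK bit position, the driver flag bits and the simplified wpas_is_sae_avoided() are assumptions.

```c
/* Added example, not wpa_supplicant code: models the key_mgmt selection quoted
 * in the thread (sel = ie.key_mgmt & ssid->key_mgmt, then SAE masked out when
 * the driver lacks SAE support or wpas_is_sae_avoided() returns true). */
#include <stdbool.h>
#include <stdio.h>
#define BIT(x) (1U << (x))
#define WPA_KEY_MGMT_PSK BIT(1)   /* assumed bit position, illustrative only */
#define WPA_KEY_MGMT_SAE BIT(10)  /* 0x400, the value quoted in the thread */
#define DRV_SAE         BIT(0)    /* stands in for WPA_DRIVER_FLAGS_SAE */
#define DRV_SAE_OFFLOAD BIT(1)    /* stands in for WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA */
struct sta     { unsigned drv_flags; bool sae_check_mfp; bool has_bip; };
struct profile { unsigned key_mgmt; int ieee80211w; };   /* -1 = unset */
struct ap      { unsigned key_mgmt; bool pmf_enabled; };

/* Simplified wpas_is_sae_avoided(): only sae_check_mfp=1 can make it true, and
 * then only in the documented cases where PMF will not be used. */
static bool sae_avoided(const struct sta *s, const struct profile *p,
                        const struct ap *a)
{
    if (!s->sae_check_mfp)
        return false;
    if (p->ieee80211w == 0 || !a->pmf_enabled)
        return true;
    return p->ieee80211w < 0 && !s->has_bip;   /* unset + no BIP cipher */
}
/* "available key_mgmt" from the debug line; 0 means the error Keith saw:
 * "Failed to select authenticated key management type". */
unsigned select_key_mgmt(const struct sta *s, const struct profile *p,
                         const struct ap *a)
{
    unsigned sel = a->key_mgmt & p->key_mgmt;
    if (!(s->drv_flags & (DRV_SAE | DRV_SAE_OFFLOAD)) || sae_avoided(s, p, a))
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;
}
int main(void)
{
    struct ap ap = { WPA_KEY_MGMT_SAE, true };       /* hostapd: SAE, ieee80211w=2 */
    struct profile prof = { WPA_KEY_MGMT_SAE, 2 };   /* key_mgmt=SAE, ieee80211w=2 */
    struct sta drv_ok = { DRV_SAE, false, true }, no_sae = { 0, false, true };
    printf("0x%x\n", select_key_mgmt(&drv_ok, &prof, &ap));   /* 0x400: SAE usable */
    printf("0x%x\n", select_key_mgmt(&no_sae, &prof, &ap));   /* 0x0: nothing left */
    /* Documented fallback: sae_check_mfp=1, key_mgmt=SAE WPA-PSK, ieee80211w
     * unset, AP without PMF -> WPA-PSK is selected instead of failing. */
    struct sta chk = { DRV_SAE, true, true };
    struct profile mixed = { WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK, -1 };
    struct ap nopmf = { WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK, false };
    printf("0x%x\n", select_key_mgmt(&chk, &mixed, &nopmf));  /* 0x2: WPA-PSK */
    return 0;
}
```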