From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: KeithG <ys3al35l@gmail.com>
Cc: "Dembianny Sven (BSH GDE-EDSD5)" <Sven.Dembianny@bshg.com>,
Peter Robinson <pbrobinson@gmail.com>,
Julian Calaby <julian.calaby@gmail.com>,
Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, brcm80211@lists.linux.dev,
Jouni Malinen <j@w1.fi>,
hostap@lists.infradead.org
Subject: Re: AW: brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
Date: Sun, 14 Jul 2024 20:47:36 +0200 [thread overview]
Message-ID: <375197cd-907e-4d0a-9cae-bb76983741e1@broadcom.com> (raw)
In-Reply-To: <CAG17S_OXfEk+nxuNJ8ZYrGMAh4RxCuEGbEJ1b6dvbe7Qs+B4Pw@mail.gmail.com>
On 7/14/2024 8:42 PM, KeithG wrote:
> On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)"
>> <Sven.Dembianny@bshg.com> wrote:
>>
>>>> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
>>>>>
>>>>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>
>>>>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>
>>>>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>
>>>>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> + Jouni
>>>>>>>>>>>>
>>>>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
>>>>>>>>>>>>> group 0x18; available group 0x10
>>>>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
>>>>>>>>>>>>> profile pairwise 0x10; available pairwise 0x10
>>>>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
>>>>>>>>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I suspect the message above indicates the problem as there is
>>>>>>>>>>>> no available key_mgmt to select so looked it up in the code and here it is:
>>>>>>>>>>>>
>>>>>>>>>>>>     sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>>>>>>>> #ifdef CONFIG_SAE
>>>>>>>>>>>>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>>>>>>>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>>>>>>>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>>>>>>>              WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>>>>>>>> #endif /* CONFIG_SAE */
>>>>>>>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>>>>>>>>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>>>>>>>                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
>>>>>>>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>>>>>>>>     wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; "
>>>>>>>>>>>>         "available key_mgmt 0x%x", ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>>>>>>>
>>>>>>>>>>>> So 0x400 matches the expectation:
>>>>>>>>>>>>
>>>>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>>>>>>>
>>>>>>>>>>>> You already confirmed that the driver reports SAE and SAE
>>>>>>>>>>>> offload support. So it seems wpas_is_sae_avoided() must
>>>>>>>>>>>> return true. That will check whether the AP and network
>>>>>>>>>>>> profile are setup to MFP. This seems to be the fact as your
>>>>>>>>>>>> hostapd.conf and wpa_supplicant.conf both have
>>>>>>>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>>>>>>>> it is enabled in the configuration file:
>>>>>>>>>>>>
>>>>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>>>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>>>>>>>> #
>>>>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>>>>>>>> # for the connection.
>>>>>>>>>>>> # Scenarios where this check will limit SAE:
>>>>>>>>>>>> # 1) ieee80211w=0 is set for the network
>>>>>>>>>>>> # 2) The AP does not have PMF enabled.
>>>>>>>>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>>>>>>>> #    the device does not support the BIP cipher.
>>>>>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>>>>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>>>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>>>>>>>
>>>>>>>>>>>> The default is not to check it and your wpa_supplicant.conf
>>>>>>>>>>>> does not specify it.
>>>>>>>>>>>>
>>>>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>>>>>>> update_config=1
>>>>>>>>>>>> network={
>>>>>>>>>>>> ssid="deskSAE"
>>>>>>>>>>>> sae_password="secret123"
>>>>>>>>>>>> proto=RSN
>>>>>>>>>>>> key_mgmt=SAE
>>>>>>>>>>>> pairwise=CCMP
>>>>>>>>>>>> ieee80211w=2
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>>>>>>>> # interface and driver
>>>>>>>>>>>> interface=ap0
>>>>>>>>>>>> driver=nl80211
>>>>>>>>>>>>
>>>>>>>>>>>> # WIFI-Config
>>>>>>>>>>>> ssid=deskSAE
>>>>>>>>>>>> channel=1
>>>>>>>>>>>> hw_mode=g
>>>>>>>>>>>>
>>>>>>>>>>>> wpa=2
>>>>>>>>>>>> wpa_key_mgmt=SAE
>>>>>>>>>>>> wpa_pairwise=CCMP
>>>>>>>>>>>> sae_password=secret123
>>>>>>>>>>>> sae_groups=19
>>>>>>>>>>>> ieee80211w=2
>>>>>>>>>>>> sae_pwe=0
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Arend
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
>>>>>>>>>>>>> authenticated key management type
>>>>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
>>>>>>>>>>>>> management and encryption suites
>>>>>>>>>>>
>>>>>>>>>>> Arend,
>>>>>>>>>>>
>>>>>>>>>>> I find the wpa_supplicant docs really hard to understand. I
>>>>>>>>>>> have read through your response a few times and am still a bit
>>>>>>>>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>>>>>>>
>>>>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>>>>>>>
>>>>>>>>>>> I have tried editing my hostapd.conf and my
>>>>>>>>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing
>>>>>>>>>>> something wrong.
>>>>>>>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
>>>>>>>>>>> WPA_PSK' and it still would not connect.
>>>>>>>>>>>
>>>>>>>>>>> What *should* the configurations be in the hostapd.conf and
>>>>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
>>>>>>>>>>> What should it be to be a wpa2/3 setup? My phone worked fine
>>>>>>>>>>> to connect with the original hostapd setup, but I have no idea
>>>>>>>>>>> what it is doing
>>>>>>>>>>
>>>>>>>>>> As I mentioned in my previous email both config files listed
>>>>>>>>>> above look okay to me (might be wrong though). The problem
>>>>>>>>>> seems to be with wpas_is_sae_avoided(). For it to return true the config
>>>>>>>>>> should have:
>>>>>>>>>>
>>>>>>>>>> sae_check_mfp=1
>>>>>>>>>>
>>>>>>>>>> But you don't have that and default is 0 so it should check for
>>>>>>>>>> MFP. This is where my trail ends. To learn more I would add additional
>>>>>>>>>> debug prints.
>>>>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Arend
>>>>>>>>>
>>>>>>>>> Arend,
>>>>>>>>>
>>>>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>>>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I
>>>>>>>>> think I can do it.
>>>>>>>>>
>>>>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
>>>>>>>>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
>>>>>>>>> and see if anything changes.
>>>>>>>>
>>>>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
>>>>>>>>
>>>>>>>> sae_check_mfp=0
>>>>>>>>
>>>>>>>> Let me know if that makes any difference.
>>>>>>>>
>>>>>>>>> Why would I have to re-build wpa_supplicant?
>>>>>>>>
>>>>>>>> I would provide a patch with additional debug prints so I get
>>>>>>>> better understanding what is going wrong. Would be great if you
>>>>>>>> can apply that and rebuild.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Arend
>>>>>>> Arend,
>>>>>>>
>>>>>>> I was able to try it this afternoon.
>>>>>>> My hostapd is still:
>>>>>>> # interface and driver
>>>>>>> interface=ap0
>>>>>>> driver=nl80211
>>>>>>>
>>>>>>> # WIFI-Config
>>>>>>> ssid=deskSAE
>>>>>>> channel=1
>>>>>>> hw_mode=g
>>>>>>>
>>>>>>> wpa=2
>>>>>>> wpa_key_mgmt=SAE
>>>>>>> wpa_pairwise=CCMP
>>>>>>> sae_password=secret123
>>>>>>> sae_groups=19
>>>>>>> ieee80211w=2
>>>>>>> sae_pwe=0
>>>>>>>
>>>>>>> and I can still connect from my phone to this AP.
>>>>>>>
>>>>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>> update_config=1
>>>>>>> network={
>>>>>>> ssid="deskSAE"
>>>>>>> sae_password="secret123"
>>>>>>> proto=RSN
>>>>>>> key_mgmt=SAE
>>>>>>> pairwise=CCMP
>>>>>>> ieee80211w=2
>>>>>>> sae_check_mfp=1
>>>>>>> }
>>>>>>>
>>>>>>> and when I try to connect, I get:
>>>>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>> Successfully initialized wpa_supplicant
>>>>>>> Line 10: unknown network field 'sae_check_mfp'.
>>>>>>> Line 11: failed to parse network block.
>>>>>>
>>>>>> Right. The setting sae_check_mfp is a global setting like
>>>>>> update_config. So it should be moved outside the network block.
>>>>>>
>>>>>> Regards,
>>>>>> Arend
>>>>> Arend,
>>>>>
>>>>> Thanks for the hand holding, I am out of my depth here!
>>>>>
>>>>> I tried this config and get a similar result.
>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>> update_config=1
>>>>> sae_check_mfp=1
>>>>> network={
>>>>> ssid="deskSAE"
>>>>> sae_password="secret123"
>>>>> proto=RSN
>>>>> key_mgmt=SAE
>>>>> pairwise=CCMP
>>>>> ieee80211w=2
>>>>> }
>>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>> Successfully initialized wpa_supplicant
>>>>> Line 3: unknown global field 'sae_check_mfp=1'.
>>>>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
>>>>> Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
>>>>> : CTRL-EVENT-DSCP-POLICY clear_all
>>>>>
>>>>> seems it doesn't recognize this parameter.
>>>>>
>>>>> Keith
>>>>
>>>> Replying to my own post.
>>>> I re-built wpa_supplicant from the current git:
>>>> # wpa_supplicant -v
>>>> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
>>>> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
>>>>
>>>> It now seems to recognize the 'sae_check_mfp' parameter, but still does not
>>>> connect:
>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> Successfully initialized wpa_supplicant
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
>>>> auth_failures=1 duration=10 reason=CONN_FAILED
>>>> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
>>>> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring
>>>> for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
>>>> auth_failures=2 duration=20 reason=CONN_FAILED
>>>> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
>>>> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
>>>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
>>>> wlan0: CTRL-EVENT-TERMINATING
>>>>
>>>> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
>>>> connect with this 'current' version of
>>>> wpa_supplicant.
>>>>
>>>> Keith
>>> Hi Keith,
>>>
>>> Maybe you are missing sae_pwe=2 in your wpa_supplicant.conf.
>>> At least in our setup it works.
>>
>> I think Keith already reported success in earlier email.
>>
>> @Keith: If I am mistaken let me know.
>>
>> Regards,
>> Arend
>>
> Arend,
>
> Yes, I figured it out. As per the link shared: I had to put the latest
> firmware on and use the latest wpa_supplicant, but with these 2
> changes, it did connect.
Good to know.
Regards,
Arend
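The AKM selection logic Arend quoted above, modelled as a stand-alone C example added here (not code from wpa_supplicant or from anyone in the thread). The wpas_is_sae_avoided() stand-in implements the three scenarios listed in the sae_check_mfp comment; the driver-flag bit positions, the WPA_KEY_MGMT_PSK value and the field layout of the two structs are assumptions for illustration.

```c
/* Model of the key_mgmt selection quoted in the thread. Simplified
 * illustration, not wpa_supplicant's own code. */
#include <stdbool.h>
#include <stdint.h>

#define BIT(n) (1u << (n))
#define WPA_KEY_MGMT_SAE                  BIT(10) /* 0x400, as in the quoted define */
#define WPA_KEY_MGMT_PSK                  BIT(1)  /* assumed value for illustration */
#define WPA_DRIVER_FLAGS_SAE              BIT(0)  /* assumed bit positions */
#define WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA BIT(1)

struct net_profile {
    uint32_t key_mgmt;
    int ieee80211w;        /* -1 = unset, 0 = disabled, 1 = optional, 2 = required */
};

struct global_cfg {
    int sae_check_mfp;     /* 0 = do not check PMF for SAE (default) */
    int pmf;               /* global pmf= setting */
    bool bip_supported;    /* device supports the BIP cipher */
};

/* The three scenarios from the sae_check_mfp config comment. */
static bool sae_avoided(const struct global_cfg *g, const struct net_profile *n, bool ap_pmf)
{
    if (!g->sae_check_mfp)
        return false;          /* check disabled: SAE is never avoided here */
    if (n->ieee80211w == 0)
        return true;           /* 1) ieee80211w=0 for the network */
    if (!ap_pmf)
        return true;           /* 2) AP does not have PMF enabled */
    if (n->ieee80211w < 0 && g->pmf == 1 && !g->bip_supported)
        return true;           /* 3) unset, pmf=1 globally, no BIP cipher */
    return false;
}

/* sel = ie.key_mgmt & ssid->key_mgmt; SAE is then masked out when the driver
 * reports neither SAE nor SAE offload, or when sae_avoided() says so. */
uint32_t select_key_mgmt(uint32_t ap_key_mgmt, const struct net_profile *n,
                         uint32_t drv_flags, uint32_t drv_flags2,
                         const struct global_cfg *g, bool ap_pmf)
{
    uint32_t sel = ap_key_mgmt & n->key_mgmt;
    if ((!(drv_flags & WPA_DRIVER_FLAGS_SAE) &&
         !(drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
        sae_avoided(g, n, ap_pmf))
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;                /* 0 here yields "available key_mgmt 0x0" */
}
```

With the thread's configuration (AP and profile both key_mgmt=SAE, ieee80211w=2) the only way to end up at 0x0 in this model is the driver reporting neither SAE flag.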