
wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3

Message ID 20240617122609.349582-1-arend.vanspriel@broadcom.com (mailing list archive)
State Accepted
Commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d
Delegated to: Kalle Valo

Commit Message

Arend van Spriel June 17, 2024, 12:26 p.m. UTC
After being asked about support for WPA3 for BCM43224 chipset it
was found that all it takes is setting the MFP_CAPABLE flag and
mac80211 will take care of all that is needed [1].

[1] https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
 1 file changed, 1 insertion(+)


base-commit: a2ead3445a6317c5d2b53711cf9a98e54c395223

Comments

Peter Robinson June 20, 2024, 8:58 a.m. UTC | #1
Hi Arend,

> After being asked about support for WPA3 for BCM43224 chipset it
> was found that all it takes is setting the MFP_CAPABLE flag and
> mac80211 will take care of all that is needed [1].

Testing this on a Raspberry Pi 4 [1] against a UniFi U6Pro AP I can't
connect to my WPA3 only SSID, it works fine with the SSID that's
WPA2/WPA3 on the same AP. It doesn't connect and I get a whole lot of
the following errors while it tries:

[  155.988865] brcmfmac: brcmf_set_channel: set chanspec 0xd02e fail, reason -52
[  156.100906] brcmfmac: brcmf_set_channel: set chanspec 0xd034 fail, reason -52
[  156.108597] brcmfmac: brcmf_set_channel: set chanspec 0xd038 fail, reason -52
[  156.116317] brcmfmac: brcmf_set_channel: set chanspec 0xd03c fail, reason -52

I also have a RPi3 (BCM43430/1) and a Rock960 (BCM4356/2) with working
brcmfmac WiFi I can test if that's useful.

[1] The upstream linux-firmware FW: BCM4345/6 wl0: Apr 15 2021
03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2

> [1] https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/
>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
> index 860ef9c11c46..a5aa58047d39 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
> @@ -1090,6 +1090,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw)
>         ieee80211_hw_set(hw, AMPDU_AGGREGATION);
>         ieee80211_hw_set(hw, SIGNAL_DBM);
>         ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
> +       ieee80211_hw_set(hw, MFP_CAPABLE);
>
>         hw->extra_tx_headroom = brcms_c_get_header_len();
>         hw->queues = N_TX_QUEUES;
>
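Review bot: the added ieee80211_hw_set(hw, MFP_CAPABLE) line in ieee_hw_init() is unconditional, so every device this driver binds gets the flag, while the commit message only mentions the BCM43224. Please list in the commit message which chips were actually tested against a WPA3 network with management frame protection required, and say explicitly whether the driver relies on mac80211 for all protected-management-frame crypto, so the reasoning behind "mac80211 will take care of all that is needed" is recorded with the change and not only behind the [1] link.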
> base-commit: a2ead3445a6317c5d2b53711cf9a98e54c395223
> --
> 2.32.0
>
Julian Calaby June 20, 2024, 9:46 a.m. UTC | #2
Hi Peter,

On Thu, Jun 20, 2024 at 7:19 PM Peter Robinson <pbrobinson@gmail.com> wrote:
>
> Hi Arend,
>
> > After being asked about support for WPA3 for BCM43224 chipset it
> > was found that all it takes is setting the MFP_CAPABLE flag and
> > mac80211 will take care of all that is needed [1].
>
> Testing this on a Raspberry Pi 4 [1] against a UniFi U6Pro AP I can't
> connect to my WPA3 only SSID, it works fine with the SSID that's
> WPA2/WPA3 on the same AP. It doesn't connect and I get a whole lot of
> the following errors while it tries:
>
> [  155.988865] brcmfmac: brcmf_set_channel: set chanspec 0xd02e fail, reason -52
> [  156.100906] brcmfmac: brcmf_set_channel: set chanspec 0xd034 fail, reason -52
> [  156.108597] brcmfmac: brcmf_set_channel: set chanspec 0xd038 fail, reason -52
> [  156.116317] brcmfmac: brcmf_set_channel: set chanspec 0xd03c fail, reason -52

The Raspberry Pis' WiFi chipsets use the brcmfmac driver and this is a
patch to the brcmsmac driver. This driver is for older and simpler
WiFi chipsets than the ones on the Raspberry Pis.

Thanks,
Peter Robinson June 20, 2024, 9:53 a.m. UTC | #3
Right you are, completely missed that :)
Arend van Spriel June 20, 2024, 11:14 a.m. UTC | #4
The devil is in the details ;-) Good that you tested. Maybe we can look
into the WPA3-only problem. Are you using wpa_supplicant? Can you share
supplicant log file and kernel log with brcmfmac debug modparam set to 0x1416?

Regards,
Arend
KeithG June 20, 2024, 3:44 p.m. UTC | #5
The RPis and the brcmfmac cards.
The current RPiOS for 32 bit and 64 bit OS have firmware which loads
on the 5GHz capable Pis (3b+, 4, 5, 02W) which advertise WPA3
capability (this is a Pi5, but others are similar). This firmware is
from 2021:
# dmesg | grep brcmfmac
[    2.112735] brcmfmac: F1 signature read @0x18000000=0x15264345
[    2.114202] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[    2.117274] usbcore: registered new interface driver brcmfmac
[    2.335211] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[    2.335581] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2

# iw list
Wiphy phy0
...
    Supported extended features:
        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
        * [ DFS_OFFLOAD ]: DFS offload
        * [ SAE_OFFLOAD ]: SAE offload support
        * [ 4WAY_HANDSHAKE_AP_PSK ]: AP mode PSK offload support
        * [ SAE_OFFLOAD_AP ]: AP mode SAE authentication offload support

# uname -a
Linux pi5 6.6.31+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux

I am pretty sure I am fully up to date.

I set up hostapd running a WPA3 SAE config on my desktop with an
Intel card and can connect to it from my phone.
I cannot connect to it from the Pi5:
I tried using a config file and connecting with wpa_supplicant and it did not:
# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  pairwise=CCMP
  ieee80211w=2
}
# ifconfig wlan0 up
root@pi5(rw):~# iwlist wlan0 scan | grep deskSAE
                    ESSID:"deskSAE"
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
wlan0: WPA: Failed to select authenticated key management type
wlan0: WPA: Failed to set WPA key management and encryption suites
(never returns command prompt)

I tried using wpa_cli as well and it also fails:
<3>CTRL-EVENT-NETWORK-ADDED 1
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE  "deskS
<4>Failed to initiate sched scan
<3>CTRL-EVENT-NETWORK-NOT-FOUND
> set_network 0 ssid "deskSAE"
OK
> set_network - key_mgmt SAE
OK
> set_network 0 ieee80211w 2
OK
> set_network 0 sae_password "secret123"
OK
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<4>Failed to initiate sched scan
<3>CTRL-EVENT-NETWORK-NOT-FOUND
<3>CTRL-EVENT-SCAN-STARTED
> enable 0
OK
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<4>Failed to initiate sched scan
<3>CTRL-EVENT-NETWORK-NOT-FOUND
<4>WPA: Failed to select authenticated key management type
<4>WPA: Failed to set WPA key management and encryption suites
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<4>WPA: Failed to select authenticated key management type
<4>WPA: Failed to set WPA key management and encryption suites
<3>CTRL-EVENT-SCAN-STARTED

Would love it if there were a way to get WPA3 to work with the
brcmfmac cards on RPI.

Keith
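
Added example, not part of the thread and not code from any of the projects discussed: a small checker that reads `iw list` text and a wpa_supplicant network block and reports whether the wiphy advertises what a WPA3-only network needs (CCMP, a BIP cipher for protected management frames, and an SAE path). Both `iw` samples are constructed, the second one as a hypothetical device that lists no BIP cipher, and all function names are assumptions made for this example.

```python
import re

# IEEE 802.11 cipher suite selectors (OUI 00-0f-ac) as iw and wpa_supplicant print them.
CIPHER_NAMES = {
    "00-0f-ac:1": "WEP-40",
    "00-0f-ac:2": "TKIP",
    "00-0f-ac:4": "CCMP-128",
    "00-0f-ac:5": "WEP-104",
    "00-0f-ac:6": "BIP-CMAC-128",
}
# A WPA3-only network needs CCMP for data frames and BIP for protected
# group management frames (PMF is mandatory in WPA3).
REQUIRED_CIPHERS = ("00-0f-ac:4", "00-0f-ac:6")

SELECTOR_RE = re.compile(r"00-0f-ac:\d+")
EXT_FEATURE_RE = re.compile(r"\*\s*\[\s*([A-Z0-9_]+)\s*\]:")
SAE_AUTH_TEXT = "supports sae with authenticate command"


def parse_iw_capabilities(text):
    """Collect cipher selectors, extended features and the SAE feature line."""
    caps = {"ciphers": set(), "ext_features": set(), "sae_authenticate": False}
    for line in text.splitlines():
        lowered = line.lower()
        caps["ciphers"].update(SELECTOR_RE.findall(lowered))
        caps["ext_features"].update(EXT_FEATURE_RE.findall(line))
        if SAE_AUTH_TEXT in lowered:
            caps["sae_authenticate"] = True
    return caps


def wpa3_only_report(caps):
    """Summarise what the wiphy advertises for SAE with required PMF."""
    sae_paths = []
    if "SAE_OFFLOAD" in caps["ext_features"]:
        sae_paths.append("offload")      # firmware runs the SAE exchange
    if caps["sae_authenticate"]:
        sae_paths.append("userspace")    # wpa_supplicant runs SAE itself
    missing = [CIPHER_NAMES[s] for s in REQUIRED_CIPHERS if s not in caps["ciphers"]]
    if not sae_paths:
        missing.append("SAE")
    return {"sae_paths": sae_paths, "missing": missing, "advertised": not missing}


def parse_network_block(conf_text):
    """Return the key=value pairs of the first network={...} block."""
    block = re.search(r"network\s*=\s*\{(.*?)\}", conf_text, re.S)
    pairs = {}
    if block:
        for line in block.group(1).splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                pairs[key.strip()] = value.strip().strip('"')
    return pairs


def is_wpa3_personal_only(network):
    """wpa_supplicant.conf documents WPA3-Personal-only as ieee80211w=2 with key_mgmt=SAE."""
    return network.get("key_mgmt") == "SAE" and network.get("ieee80211w") == "2"


# Constructed sample, modelled on the `iw list` excerpt in the message above.
IW_FULLMAC = """\
Wiphy phy0
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
        * CMAC (00-0f-ac:6)
    Supported extended features:
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ SAE_OFFLOAD ]: SAE offload support
"""

# Constructed sample: a hypothetical wiphy that lists no BIP cipher.
IW_NO_BIP = """\
Wiphy phy1
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
    Device supports SAE with AUTHENTICATE command
"""

# Network block copied from the message above.
CONF = """\
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  pairwise=CCMP
  ieee80211w=2
}
"""

if __name__ == "__main__":
    print("WPA3-only block:", is_wpa3_personal_only(parse_network_block(CONF)))
    for name, text in (("phy0", IW_FULLMAC), ("phy1", IW_NO_BIP)):
        print(name, wpa3_only_report(parse_iw_capabilities(text)))
```

The report only reflects what the driver advertises: the Pi 5 in the message above lists SAE_OFFLOAD and the connection still fails.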
Arend van Spriel June 20, 2024, 5:04 p.m. UTC | #6
On June 20, 2024 5:44:30 PM KeithG <ys3al35l@gmail.com> wrote:

> The RPis and the brcmfmac cards.
> The current RPiOS for 32 bit and 64 bit OS have firmware which loads
> on the 5Ghz capable Pis (3b+, 4, 5, 02W) which advertise WPA3
> capability (this is a Pi5, but others are similar) This firmware is
> from 2021:
> # dmesg | grep brcmfmac
> [    2.112735] brcmfmac: F1 signature read @0x18000000=0x15264345
> [    2.114202] brcmfmac: brcmf_fw_alloc_request: using
> brcm/brcmfmac43455-sdio for chip BCM4345/6
> [    2.117274] usbcore: registered new interface driver brcmfmac
> [    2.335211] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob
> available (err=-2)
> [    2.335581] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6
> wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID
> 01-996384e2
>
> # iw list
> Wiphy phy0
> ...
>    Supported extended features:
>        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
>        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
>        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
>        * [ DFS_OFFLOAD ]: DFS offload
>        * [ SAE_OFFLOAD ]: SAE offload support
>        * [ 4WAY_HANDSHAKE_AP_PSK ]: AP mode PSK offload support
>        * [ SAE_OFFLOAD_AP ]: AP mode SAE authentication offload support
>
> # uname -a
> Linux pi5 6.6.31+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1
> (2024-05-29) aarch64 GNU/Linux
>
> I am pretty sure I am fully up to date.
>
> I set up hostapd running an WPA3 SAE config on my desktop with an
> intel card and can connect to it from my phone.
> I cannot connect to it from the Pi5:

So let's dive in

> I tried using a config file and connecting with wpa_supplicant and it did not:
> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> network={
>  ssid="deskSAE"
>  sae_password="secret123"
>  proto=RSN
>  key_mgmt=SAE
>  pairwise=CCMP
>  ieee80211w=2
> }

That looks sane to me.

> # ifconfig wlan0 up
> root@pi5(rw):~# iwlist wlan0 scan | grep deskSAE
>                    ESSID:"deskSAE"
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> wlan0: WPA: Failed to select authenticated key management type
> wlan0: WPA: Failed to set WPA key management and encryption suites
> (never returns command prompt)

The supplicant remains running in the foreground so that is normal. Could
you retry with -ddt on the command line? Also having brcmfmac loaded with
debug=0x1416 while testing. Finally, can you share the hostapd.conf file?

Regards,
Arend

KeithG June 20, 2024, 6:25 p.m. UTC | #7
How do I load the debug parameter?

The other stuff you asked for is here:

The hostapd on the desktop:
$ cat /etc/hostapd/hostapd.conf
# interface and driver
interface=ap0
driver=nl80211

# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g

wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

The response
# wpa_supplicant -ddt -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
1718907727.479763: wpa_supplicant v2.10
1718907727.480131: random: getrandom() support available
1718907727.480155: Successfully initialized wpa_supplicant
1718907727.480167: Initializing interface 'wlan0' conf
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf' driver 'default'
ctrl_interface 'N/A' bridge 'N/A'
1718907727.480179: Configuration file
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf' ->
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'
1718907727.480183: Reading configuration file
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'
1718907727.480213: ctrl_interface='DIR=/run/wpa_supplicant GROUP=netdev'
1718907727.480218: update_config=1
1718907727.480222: Line: 3 - start of a new network block
1718907727.480227: ssid - hexdump_ascii(len=7):
     64 65 73 6b 53 41 45                              deskSAE
1718907727.480243: sae_password - hexdump_ascii(len=9): [REMOVED]
1718907727.480246: proto: 0x2
1718907727.480249: key_mgmt: 0x400
1718907727.480260: pairwise: 0x10
1718907727.480264: ieee80211w=2 (0x2)
1718907727.480271: Priority group 0
1718907727.480273:    id=0 ssid='deskSAE'
1718907727.484146: nl80211: Using driver-based roaming
1718907727.484182: nl80211: Supported cipher 00-0f-ac:1
1718907727.484198: nl80211: Supported cipher 00-0f-ac:5
1718907727.484204: nl80211: Supported cipher 00-0f-ac:2
1718907727.484209: nl80211: Supported cipher 00-0f-ac:4
1718907727.484213: nl80211: Supported cipher 00-0f-ac:6
1718907727.484263: nl80211: Using driver-based off-channel TX
1718907727.484278: nl80211: Supported vendor command: vendor_id=0x1018 subcmd=1
1718907727.484294: nl80211: Use separate P2P group interface (driver
advertised support)
1718907727.484301: nl80211: Enable multi-channel concurrent (driver
advertised support)
1718907727.484311: nl80211: use P2P_DEVICE support
1718907727.484316: nl80211: key_mgmt=0xd0f enc=0x10f auth=0x7
flags=0x20000003804facc rrm_flags=0x0 probe_resp_offloads=0x0
max_stations=0 max_remain_on_chan=5000 max_scan_ssids=10
1718907727.484375: nl80211: interface wlan0 in phy phy0
1718907727.484867: nl80211: Set mode ifindex 3 iftype 2 (STATION)
1718907727.484919: nl80211: Subscribe to mgmt frames with non-AP
handle 0x5556614a4310
1718907727.484935: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0104 multicast=0
1718907727.484967: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=040a multicast=0
1718907727.484981: nl80211: kernel reports: Match already configured
1718907727.484993: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485005: nl80211: Register frame match - hexdump(len=2): 04 0a
1718907727.485019: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=040b multicast=0
1718907727.485053: nl80211: kernel reports: Match already configured
1718907727.485077: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485088: nl80211: Register frame match - hexdump(len=2): 04 0b
1718907727.485228: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=040c multicast=0
1718907727.485256: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=040d multicast=0
1718907727.485301: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=090a multicast=0
1718907727.485323: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=090b multicast=0
1718907727.485336: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=090c multicast=0
1718907727.485349: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=090d multicast=0
1718907727.485365: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0409506f9a09
multicast=0
1718907727.485379: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=7f506f9a09
multicast=0
1718907727.485395: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0409506f9a1a
multicast=0
1718907727.485408: nl80211: kernel reports: Match already configured
1718907727.485417: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485424: nl80211: Register frame match - hexdump(len=6): 04
09 50 6f 9a 1a
1718907727.485430: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0800 multicast=0
1718907727.485466: nl80211: kernel reports: Match already configured
1718907727.485475: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485481: nl80211: Register frame match - hexdump(len=2): 08 00
1718907727.485487: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0801 multicast=0
1718907727.485498: nl80211: kernel reports: Match already configured
1718907727.485504: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485509: nl80211: Register frame match - hexdump(len=2): 08 01
1718907727.485515: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=12 multicast=0
1718907727.485527: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=06 multicast=0
1718907727.485540: nl80211: kernel reports: Match already configured
1718907727.485547: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485552: nl80211: Register frame match - hexdump(len=1): 06
1718907727.485557: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0a07 multicast=0
1718907727.485568: nl80211: kernel reports: Match already configured
1718907727.485574: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485593: nl80211: Register frame match - hexdump(len=2): 0a 07
1718907727.485600: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0a11 multicast=0
1718907727.485614: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0a0b multicast=0
1718907727.485628: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0a1a multicast=0
1718907727.485642: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=1101 multicast=0
1718907727.485657: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=1102 multicast=0
1718907727.485672: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0505 multicast=0
1718907727.485686: nl80211: kernel reports: Match already configured
1718907727.485694: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485699: nl80211: Register frame match - hexdump(len=2): 05 05
1718907727.485705: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=0500 multicast=0
1718907727.485717: nl80211: kernel reports: Match already configured
1718907727.485724: nl80211: Register frame command failed (type=208):
ret=-114 (Operation already in progress)
1718907727.485730: nl80211: Register frame match - hexdump(len=2): 05 00
1718907727.485737: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=1301 multicast=0
1718907727.485749: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=1305 multicast=0
1718907727.485762: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x5556614a4310 match=7e506f9a1a
multicast=0
1718907727.485794: nl80211: Failed to register Action frame processing
- ignore for now
1718907727.485919: rfkill: initial event: idx=1 type=1 op=0 soft=0 hard=0
1718907727.486194: netlink: Operstate: ifindex=3 linkmode=1
(userspace-control), operstate=5 (IF_OPER_DORMANT)
1718907727.486333: Add interface wlan0 to a new radio phy0
1718907727.486491: nl80211: Regulatory information - country=US (DFS-FCC)
1718907727.486502: nl80211: 902-904 @ 2 MHz 30 mBm
1718907727.486509: nl80211: 904-920 @ 16 MHz 30 mBm
1718907727.486514: nl80211: 920-928 @ 8 MHz 30 mBm
1718907727.486519: nl80211: 2400-2472 @ 40 MHz 30 mBm
1718907727.486524: nl80211: 5150-5250 @ 80 MHz 23 mBm
1718907727.486538: nl80211: 5250-5350 @ 80 MHz 24 mBm (DFS)
1718907727.486548: nl80211: 5470-5730 @ 160 MHz 24 mBm (DFS)
1718907727.486554: nl80211: 5730-5850 @ 80 MHz 30 mBm
1718907727.486592: nl80211: 5850-5895 @ 40 MHz 27 mBm (no outdoor) (no IR)
1718907727.486599: nl80211: 5925-7125 @ 320 MHz 12 mBm (no outdoor) (no IR)
1718907727.486609: nl80211: 57240-71000 @ 2160 MHz 40 mBm
1718907727.486658: nl80211: Added 802.11b mode based on 802.11g information
1718907727.486669: nl80211: Mode IEEE 802.11g: 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467[DISABLED] 2472[DISABLED]
2484[DISABLED]
1718907727.486684: nl80211: Mode IEEE 802.11a: 5170 5180 5190 5200
5210 5220 5230 5240 5260[RADAR] 5280[RADAR] 5300[RADAR] 5320[RADAR]
5500[RADAR] 5520[RADAR] 5540[RADAR] 5560[RADAR] 5580[RADAR]
5600[RADAR] 5620[RADAR] 5640[RADAR] 5660[RADAR]
1718907727.486699: nl80211: Mode IEEE 802.11b: 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467[DISABLED] 2472[DISABLED]
2484[DISABLED]
1718907727.516742: wlan0: Own MAC address: d8:3a:dd:d2:ae:3c
1718907727.516807: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=0 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.516827: nl80211: DEL_KEY
1718907727.516865:    broadcast key
1718907727.516945: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=1 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.516957: nl80211: DEL_KEY
1718907727.516960:    broadcast key
1718907727.516974: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=2 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.516979: nl80211: DEL_KEY
1718907727.516981:    broadcast key
1718907727.516998: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=3 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.517003: nl80211: DEL_KEY
1718907727.517005:    broadcast key
1718907727.517016: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=4 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.517020: nl80211: DEL_KEY
1718907727.517024:    broadcast key
1718907727.517033: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=0
addr=(nil) key_idx=5 set_tx=0 seq_len=0 key_len=0 key_flag=0x10
1718907727.517036: nl80211: DEL_KEY
1718907727.517038:    broadcast key
1718907727.517046: wlan0: RSN: flushing PMKID list in the driver
1718907727.517049: nl80211: Flush PMKIDs
1718907727.552633: TDLS: TDLS operation not supported by driver
1718907727.552771: TDLS: Driver uses internal link setup
1718907727.552778: TDLS: Driver does not support TDLS channel switching
1718907727.555773: wlan0: WPS: UUID based on MAC address:
cc4476f0-3727-5645-ae42-9b9b5943d9ca
1718907727.560692: ENGINE: Loading builtin engines
1718907727.561972: ENGINE: Loading builtin engines
1718907727.562103: EAPOL: SUPP_PAE entering state DISCONNECTED
1718907727.562119: EAPOL: Supplicant port status: Unauthorized
1718907727.562135: nl80211: Skip set_supp_port(unauthorized) while not
associated
1718907727.562143: EAPOL: KEY_RX entering state NO_KEY_RECEIVE
1718907727.562150: EAPOL: SUPP_BE entering state INITIALIZE
1718907727.562164: EAP: EAP entering state DISABLED
1718907727.562263: Using existing control interface directory.
1718907727.563817: ctrl_interface_group=106 (from group name 'netdev')
1718907727.564153: MBO: Update non-preferred channels, non_pref_chan=N/A
1718907727.564234: wlan0: Added interface wlan0
1718907727.564251: wlan0: State: DISCONNECTED -> DISCONNECTED
1718907727.564422: nl80211: Set wlan0 operstate 0->0 (DORMANT)
1718907727.564461: netlink: Operstate: ifindex=3 linkmode=-1 (no
change), operstate=5 (IF_OPER_DORMANT)
1718907727.564669: nl80211: Create interface iftype 10 (P2P_DEVICE)
1718907727.570706: nl80211: New P2P Device interface p2p-dev-wlan0 (0x5) created
1718907727.570800: Initializing interface 'p2p-dev-wlan0' conf
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf' driver 'nl80211'
ctrl_interface 'DIR=/run/wpa_supplicant GROUP=netdev' bridge 'N/A'
1718907727.570823: Configuration file
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf' ->
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'
1718907727.570831: Reading configuration file
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'
1718907727.570915: ctrl_interface='DIR=/run/wpa_supplicant GROUP=netdev'
1718907727.570939: update_config=1
1718907727.570948: Line: 3 - start of a new network block
1718907727.570980: ssid - hexdump_ascii(len=7):
     64 65 73 6b 53 41 45                              deskSAE
1718907727.571062: sae_password - hexdump_ascii(len=9): [REMOVED]
1718907727.571085: proto: 0x2
1718907727.571102: key_mgmt: 0x400
1718907727.571155: pairwise: 0x10
1718907727.571175: ieee80211w=2 (0x2)
1718907727.571224: Priority group 0
1718907727.571237:    id=0 ssid='deskSAE'
1718907727.579439: nl80211: Using driver-based roaming
1718907727.579472: nl80211: Supported cipher 00-0f-ac:1
1718907727.579477: nl80211: Supported cipher 00-0f-ac:5
1718907727.579479: nl80211: Supported cipher 00-0f-ac:2
1718907727.579484: nl80211: Supported cipher 00-0f-ac:4
1718907727.579485: nl80211: Supported cipher 00-0f-ac:6
1718907727.579504: nl80211: Using driver-based off-channel TX
1718907727.579512: nl80211: Supported vendor command: vendor_id=0x1018 subcmd=1
1718907727.579521: nl80211: Use separate P2P group interface (driver
advertised support)
1718907727.579523: nl80211: Enable multi-channel concurrent (driver
advertised support)
1718907727.579525: nl80211: use P2P_DEVICE support
1718907727.579527: nl80211: key_mgmt=0xd0f enc=0x10f auth=0x7
flags=0x20000003804facc rrm_flags=0x0 probe_resp_offloads=0x0
max_stations=0 max_remain_on_chan=5000 max_scan_ssids=10
1718907727.579532: nl80211: interface p2p-dev-wlan0 in phy phy0
1718907727.579615: nl80211: Set mode ifindex 0 iftype 10 (P2P_DEVICE)
1718907727.579639: nl80211: Failed to set interface 0 to mode 10: -22
(Invalid argument)
1718907727.579692: nl80211: Subscribe to mgmt frames with non-AP
handle 0x555661513f30
1718907727.579704: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0104 multicast=0
1718907727.579738: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=040a multicast=0
1718907727.579747: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=040b multicast=0
1718907727.579758: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=040c multicast=0
1718907727.579772: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=040d multicast=0
1718907727.579792: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=090a multicast=0
1718907727.579805: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=090b multicast=0
1718907727.579817: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=090c multicast=0
1718907727.579828: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=090d multicast=0
1718907727.579841: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0409506f9a09
multicast=0
1718907727.579852: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=7f506f9a09
multicast=0
1718907727.579862: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0409506f9a1a
multicast=0
1718907727.579889: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0800 multicast=0
1718907727.579902: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0801 multicast=0
1718907727.579924: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=12 multicast=0
1718907727.579937: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=06 multicast=0
1718907727.579950: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0a07 multicast=0
1718907727.579962: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0a11 multicast=0
1718907727.579984: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0a0b multicast=0
1718907727.580001: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0a1a multicast=0
1718907727.580016: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=1101 multicast=0
1718907727.580032: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=1102 multicast=0
1718907727.580053: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0505 multicast=0
1718907727.580189: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=0500 multicast=0
1718907727.580201: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=1301 multicast=0
1718907727.580212: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=1305 multicast=0
1718907727.580224: nl80211: Register frame type=0xd0
(WLAN_FC_STYPE_ACTION) nl_handle=0x555661513f30 match=7e506f9a1a
multicast=0
1718907727.580343: nl80211: Use (wlan0) to initialize P2P Device rfkill
1718907727.580571: rfkill: initial event: idx=1 type=1 op=0 soft=0 hard=0
1718907727.580618: nl80211: Start P2P Device p2p-dev-wlan0 (0x5): Success
1718907727.580764: Add interface p2p-dev-wlan0 to existing radio phy0
1718907727.580914: nl80211: Regulatory information - country=US (DFS-FCC)
1718907727.580920: nl80211: 902-904 @ 2 MHz 30 mBm
1718907727.580923: nl80211: 904-920 @ 16 MHz 30 mBm
1718907727.580925: nl80211: 920-928 @ 8 MHz 30 mBm
1718907727.580927: nl80211: 2400-2472 @ 40 MHz 30 mBm
1718907727.580930: nl80211: 5150-5250 @ 80 MHz 23 mBm
1718907727.580932: nl80211: 5250-5350 @ 80 MHz 24 mBm (DFS)
1718907727.580934: nl80211: 5470-5730 @ 160 MHz 24 mBm (DFS)
1718907727.580937: nl80211: 5730-5850 @ 80 MHz 30 mBm
1718907727.580938: nl80211: 5850-5895 @ 40 MHz 27 mBm (no outdoor) (no IR)
1718907727.580941: nl80211: 5925-7125 @ 320 MHz 12 mBm (no outdoor) (no IR)
1718907727.580943: nl80211: 57240-71000 @ 2160 MHz 40 mBm
1718907727.580957: nl80211: Added 802.11b mode based on 802.11g information
1718907727.580962: nl80211: Mode IEEE 802.11g: 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467[DISABLED] 2472[DISABLED]
2484[DISABLED]
1718907727.580968: nl80211: Mode IEEE 802.11a: 5170 5180 5190 5200
5210 5220 5230 5240 5260[RADAR] 5280[RADAR] 5300[RADAR] 5320[RADAR]
5500[RADAR] 5520[RADAR] 5540[RADAR] 5560[RADAR] 5580[RADAR]
5600[RADAR] 5620[RADAR] 5640[RADAR] 5660[RADAR]
1718907727.580973: nl80211: Mode IEEE 802.11b: 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467[DISABLED] 2472[DISABLED]
2484[DISABLED]
1718907727.580984: p2p-dev-wlan0: Own MAC address: da:3a:dd:d2:ae:3c
1718907727.580990: p2p-dev-wlan0: RSN: flushing PMKID list in the driver
1718907727.580993: nl80211: Flush PMKIDs
1718907727.581013: p2p-dev-wlan0: State: DISCONNECTED -> INACTIVE
1718907727.581046: p2p-dev-wlan0: WPS: UUID from the first interface:
cc4476f0-3727-5645-ae42-9b9b5943d9ca
1718907727.581770: ENGINE: Loading builtin engines
1718907727.583289: ENGINE: Loading builtin engines
1718907727.583344: EAPOL: SUPP_PAE entering state DISCONNECTED
1718907727.583347: EAPOL: Supplicant port status: Unauthorized
1718907727.583351: nl80211: Skip set_supp_port(unauthorized) while not
associated
1718907727.583353: EAPOL: KEY_RX entering state NO_KEY_RECEIVE
1718907727.583355: EAPOL: SUPP_BE entering state INITIALIZE
1718907727.583358: EAP: EAP entering state DISABLED
1718907727.583390: Using existing control interface directory.
1718907727.583473: ctrl_interface_group=106 (from group name 'netdev')
1718907727.583558: P2P: Add operating class 81
1718907727.583562: P2P: Channels - hexdump(len=11): 01 02 03 04 05 06
07 08 09 0a 0b
1718907727.583568: P2P: Add operating class 115
1718907727.583569: P2P: Channels - hexdump(len=4): 24 28 2c 30
1718907727.583571: P2P: Add operating class 116
1718907727.583572: P2P: Channels - hexdump(len=2): 24 2c
1718907727.583574: P2P: Add operating class 117
1718907727.583575: P2P: Channels - hexdump(len=2): 28 30
1718907727.583577: P2P: Add operating class 124
1718907727.583579: P2P: Channels - hexdump(len=4): 95 99 9d a1
1718907727.583581: P2P: Add operating class 125
1718907727.583583: P2P: Channels - hexdump(len=5): 95 99 9d a1 a5
1718907727.583584: P2P: Add operating class 126
1718907727.583586: P2P: Channels - hexdump(len=2): 95 9d
1718907727.583587: P2P: Add operating class 127
1718907727.583589: P2P: Channels - hexdump(len=2): 99 a1
1718907727.583591: P2P: Add operating class 128
1718907727.583596: P2P: Channels - hexdump(len=8): 24 28 2c 30 95 99 9d a1
1718907727.583605: P2P: Add operating class 130
1718907727.583609: P2P: Channels - hexdump(len=9): 24 28 2c 30 95 99 9d a1 a5
1718907727.583677: P2P: Own listen channel: 81:6
1718907727.583706: P2P: Random operating channel: 81:1
1718907727.583761: P2P: initialized
1718907727.583785: P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11
115:36,40,44,48 116:36,44 117:40,48 124:149,153,157,161
125:149,153,157,161,165 126:149,157 127:153,161
128:36,40,44,48,149,153,157,161 130:36,40,44,48,149,153,157,161,165
1718907727.583791: P2P: cli_channels:
1718907727.583799: MBO: Update non-preferred channels, non_pref_chan=N/A
1718907727.583809: p2p-dev-wlan0: Added interface p2p-dev-wlan0
1718907727.583815: p2p-dev-wlan0: State: INACTIVE -> DISCONNECTED
1718907727.583818: nl80211: Set p2p-dev-wlan0 operstate 0->0 (DORMANT)
1718907727.583821: netlink: Operstate: ifindex=0 linkmode=-1 (no
change), operstate=5 (IF_OPER_DORMANT)
1718907727.583908: p2p-dev-wlan0: Determining shared radio frequencies
(max len 2)
1718907727.583918: p2p-dev-wlan0: Shared frequencies (len=0):
completed iteration
1718907727.583922: P2P: Add operating class 81
1718907727.583924: P2P: Channels - hexdump(len=11): 01 02 03 04 05 06
07 08 09 0a 0b
1718907727.583928: P2P: Add operating class 115
1718907727.583929: P2P: Channels - hexdump(len=4): 24 28 2c 30
1718907727.583931: P2P: Add operating class 116
1718907727.583932: P2P: Channels - hexdump(len=2): 24 2c
1718907727.583934: P2P: Add operating class 117
1718907727.583935: P2P: Channels - hexdump(len=2): 28 30
1718907727.583937: P2P: Add operating class 124
1718907727.583938: P2P: Channels - hexdump(len=4): 95 99 9d a1
1718907727.583940: P2P: Add operating class 125
1718907727.583941: P2P: Channels - hexdump(len=5): 95 99 9d a1 a5
1718907727.583948: P2P: Add operating class 126
1718907727.583950: P2P: Channels - hexdump(len=2): 95 9d
1718907727.583951: P2P: Add operating class 127
1718907727.583953: P2P: Channels - hexdump(len=2): 99 a1
1718907727.583955: P2P: Add operating class 128
1718907727.583959: P2P: Channels - hexdump(len=8): 24 28 2c 30 95 99 9d a1
1718907727.583966: P2P: Add operating class 130
1718907727.583969: P2P: Channels - hexdump(len=9): 24 28 2c 30 95 99 9d a1 a5
1718907727.583973: P2P: Update channel list
1718907727.583984: P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11
115:36,40,44,48 116:36,44 117:40,48 124:149,153,157,161
125:149,153,157,161,165 126:149,157 127:153,161
128:36,40,44,48,149,153,157,161 130:36,40,44,48,149,153,157,161,165
1718907727.583987: P2P: cli_channels:
1718907727.620719: wlan0: Starting delayed sched scan
1718907727.620761: wlan0: Use normal scan instead of sched_scan for
initial scans (normal_scans=0)
1718907727.620768: wlan0: Setting scan request: 0.000000 sec
1718907727.620782: wlan0: State: DISCONNECTED -> SCANNING
1718907727.620790: wlan0: Determining shared radio frequencies (max len 2)
1718907727.620793: wlan0: Shared frequencies (len=0): completed iteration
1718907727.620799: P2P: Add operating class 81
1718907727.620803: P2P: Channels - hexdump(len=11): 01 02 03 04 05 06
07 08 09 0a 0b
1718907727.620808: P2P: Add operating class 115
1718907727.620810: P2P: Channels - hexdump(len=4): 24 28 2c 30
1718907727.620811: P2P: Add operating class 116
1718907727.620813: P2P: Channels - hexdump(len=2): 24 2c
1718907727.620814: P2P: Add operating class 117
1718907727.620816: P2P: Channels - hexdump(len=2): 28 30
1718907727.620818: P2P: Add operating class 124
1718907727.620819: P2P: Channels - hexdump(len=4): 95 99 9d a1
1718907727.620821: P2P: Add operating class 125
1718907727.620823: P2P: Channels - hexdump(len=5): 95 99 9d a1 a5
1718907727.620825: P2P: Add operating class 126
1718907727.620827: P2P: Channels - hexdump(len=2): 95 9d
1718907727.620829: P2P: Add operating class 127
1718907727.620830: P2P: Channels - hexdump(len=2): 99 a1
1718907727.620832: P2P: Add operating class 128
1718907727.620837: P2P: Channels - hexdump(len=8): 24 28 2c 30 95 99 9d a1
1718907727.620845: P2P: Add operating class 130
1718907727.620848: P2P: Channels - hexdump(len=9): 24 28 2c 30 95 99 9d a1 a5
1718907727.620853: P2P: Update channel list
1718907727.620866: P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11
115:36,40,44,48 116:36,44 117:40,48 124:149,153,157,161
125:149,153,157,161,165 126:149,157 127:153,161
128:36,40,44,48,149,153,157,161 130:36,40,44,48,149,153,157,161,165
1718907727.620871: P2P: cli_channels:
1718907727.620876: wlan0: Starting AP scan for wildcard SSID
1718907727.620882: WPS: Building WPS IE for Probe Request
1718907727.620888: WPS:  * Version (hardcoded 0x10)
1718907727.620890: WPS:  * Request Type
1718907727.620891: WPS:  * Config Methods (3148)
1718907727.620893: WPS:  * UUID-E
1718907727.620894: WPS:  * Primary Device Type
1718907727.620896: WPS:  * RF Bands (3)
1718907727.620897: WPS:  * Association State
1718907727.620899: WPS:  * Configuration Error (0)
1718907727.620901: WPS:  * Device Password ID (0)
1718907727.620902: WPS:  * Manufacturer
1718907727.620904: WPS:  * Model Name
1718907727.620905: WPS:  * Model Number
1718907727.620907: WPS:  * Device Name
1718907727.620908: WPS:  * Version2 (0x20)
1718907727.620913: P2P: * P2P IE header
1718907727.620915: P2P: * Capability dev=25 group=00
1718907727.620917: P2P: * Listen Channel: Regulatory Class 81 Channel 6
1718907727.620925: wlan0: Add radio work 'scan'@0x5556615211f0
1718907727.620928: wlan0: First radio work item in the queue -
schedule start immediately
1718907727.620935: wlan0: Starting radio work 'scan'@0x5556615211f0
after 0.000007 second wait
1718907727.620940: wlan0: nl80211: scan request
1718907727.620965: nl80211: Scan SSID
1718907727.620969: nl80211: Scan extra IEs - hexdump(len=150): 7f 0b
00 00 0a 02 00 40 40 00 00 01 20 dd 69 00 50 f2 04 10 4a 00 01 10 10
3a 00 01 00 10 08 00 02 31 48 10 47 00 10 cc 44 76 f0 37 27 56 45 ae
42 9b 9b 59 43 d9 ca 10 54 00 08 00 00 00 00 00 00 00 00 10 3c 00 01
03 10 02 00 02 00 00 10 09 00 02 00 00 10 12 00 02 00 00 10 21 00 01
20 10 23 00 01 20 10 24 00 01 20 10 11 00 01 20 10 49 00 06 00 37 2a
00 01 20 dd 11 50 6f 9a 09 02 02 00 25 00 06 05 00 58 58 04 51 06 72
00 dd 07 50 6f 9a 16 03 01 03
1718907727.643791: Scan requested (ret=0) - scan timeout 10 seconds
1718907727.643856: nl80211: Event message available
1718907727.643874: nl80211: Ignored event 33
(NL80211_CMD_TRIGGER_SCAN) for foreign interface (ifindex 3 wdev 0x0)
1718907727.643882: nl80211: Drv Event 33 (NL80211_CMD_TRIGGER_SCAN)
received for wlan0
1718907727.643889: wlan0: nl80211: Scan trigger
1718907727.643902: wlan0: Event SCAN_STARTED (47) received
1718907727.643906: wlan0: Own scan request started a scan in 0.000070 seconds
1718907728.566827: EAPOL: disable timer tick
1718907728.583520: EAPOL: disable timer tick
1718907730.451869: RTM_NEWLINK: ifi_index=3 ifname=wlan0 wext
ifi_family=0 ifi_flags=0x1003 ([UP])
1718907730.451990: nl80211: Event message available
1718907730.452034: nl80211: Ignored event 34
(NL80211_CMD_NEW_SCAN_RESULTS) for foreign interface (ifindex 3 wdev
0x0)
1718907730.452041: nl80211: Drv Event 34
(NL80211_CMD_NEW_SCAN_RESULTS) received for wlan0
1718907730.452048: wlan0: nl80211: New scan results available
1718907730.452063: nl80211: Scan probed for SSID ''
1718907730.452071: nl80211: Scan included frequencies: 2412 2417 2422
2427 2432 2437 2442 2447 2452 2457 2462 5170 5180 5190 5200 5210 5220
5230 5240 5260 5280 5300 5320 5500 5520 5540 5560 5580 5600 5620 5640
5660 5680 5700 5720 5745 5765 5785 5805 5825
1718907730.452078: wlan0: Event SCAN_RESULTS (3) received
1718907730.452082: wlan0: Scan completed in 2.808176 seconds
1718907730.452210: nl80211: Received scan results (15 BSSes)
1718907734.305349: wlan0: BSS: Start scan result update 1
1718907734.305433: wlan0: BSS: Add new id 0 BSSID a6:2e:48:fd:9e:73
SSID 'spg5' freq 5785
1718907734.305447: wlan0: BSS: Add new id 1 BSSID ca:3a:6b:54:31:75
SSID 'DIRECT-roku-753-779A78' freq 5785
1718907734.305457: wlan0: BSS: Add new id 2 BSSID bc:2e:48:fd:9e:70
SSID 'spg5' freq 2427
1718907734.305464: wlan0: BSS: Add new id 3 BSSID 40:ed:00:ad:b9:36
SSID 'mntwins' freq 2442
1718907734.305469: wlan0: BSS: Add new id 4 BSSID 42:ed:00:ad:b9:36
SSID '' freq 2442
1718907734.305476: wlan0: BSS: Add new id 5 BSSID cc:f4:11:43:4b:0f
SSID 'CAR' freq 2462
1718907734.305483: wlan0: BSS: Add new id 6 BSSID d8:3a:dd:60:a3:cf
SSID 'deskSAE' freq 2412
1718907734.305489: wlan0: BSS: Add new id 7 BSSID b0:e4:d5:02:61:2a
SSID 'CAR' freq 2412
1718907734.305497: wlan0: BSS: Add new id 8 BSSID 88:ad:43:6b:cd:68
SSID 'Gonzalez-Rivera Family' freq 2412
1718907734.305505: wlan0: BSS: Add new id 9 BSSID b0:e4:d5:0a:1b:22
SSID 'CAR' freq 2412
1718907734.305514: wlan0: BSS: Add new id 10 BSSID 40:70:09:11:4e:60
SSID 'HOME-4E62' freq 2462
1718907734.305519: wlan0: BSS: Add new id 11 BSSID 9a:ad:43:6b:cd:70
SSID '' freq 5745
1718907734.305525: wlan0: BSS: Add new id 12 BSSID b0:e4:d5:02:61:2d
SSID 'CAR' freq 5745
1718907734.305531: wlan0: BSS: Add new id 13 BSSID a2:ad:43:6b:cd:68
SSID '' freq 2412
1718907734.305537: wlan0: BSS: Add new id 14 BSSID fa:8f:ca:63:b5:06
SSID 'Living Room TV' freq 2437
1718907734.305545: BSS: last_scan_res_used=15/32
1718907734.305560: wlan0: New scan results available (own=1 ext=0)
1718907734.305581: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305585: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305588: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305614: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305619: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305621: WPS: Unsupported attribute type 0x1058 len=24
1718907734.305627: WPS: AP a6:2e:48:fd:9e:73 type 0 added
1718907734.305635: WPS: AP ca:3a:6b:54:31:75 type 0 added
1718907734.305639: WPS: AP bc:2e:48:fd:9e:70 type 0 added
1718907734.305642: WPS: AP 40:ed:00:ad:b9:36 type 0 added
1718907734.305645: WPS: AP 88:ad:43:6b:cd:68 type 0 added
1718907734.305648: WPS: AP 40:70:09:11:4e:60 type 0 added
1718907734.305652: WPS: AP[0] a6:2e:48:fd:9e:73 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305659: WPS: AP[1] ca:3a:6b:54:31:75 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305662: WPS: AP[2] bc:2e:48:fd:9e:70 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305664: WPS: AP[3] 40:ed:00:ad:b9:36 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305668: WPS: AP[4] 88:ad:43:6b:cd:68 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305670: WPS: AP[5] 40:70:09:11:4e:60 type=0 tries=0
last_attempt=-1 sec ago bssid_ignore=0
1718907734.305680: wlan0: Radio work 'scan'@0x5556615211f0 done in
6.684742 seconds
1718907734.305691: wlan0: radio_work_free('scan'@0x5556615211f0):
num_active_works --> 0
1718907734.305701: wlan0: Selecting BSS from priority group 0
1718907734.305714: wlan0: 0: a6:2e:48:fd:9e:73 ssid='spg5'
wpa_ie_len=0 rsn_ie_len=20 caps=0x511 level=-59 freq=5785  wps
1718907734.305747: wlan0:    skip - SSID mismatch
1718907734.305761: wlan0: 1: ca:3a:6b:54:31:75
ssid='DIRECT-roku-753-779A78' wpa_ie_len=0 rsn_ie_len=20 caps=0x411
level=-42 freq=5785  wps p2p
1718907734.305769: wlan0:    skip - SSID mismatch
1718907734.305778: wlan0: 2: bc:2e:48:fd:9e:70 ssid='spg5'
wpa_ie_len=0 rsn_ie_len=20 caps=0x511 level=-43 freq=2427  wps
1718907734.305786: wlan0:    skip - SSID mismatch
1718907734.305792: wlan0: 3: 40:ed:00:ad:b9:36 ssid='mntwins'
wpa_ie_len=0 rsn_ie_len=20 caps=0x1411 level=-54 freq=2442  wps
1718907734.305798: wlan0:    skip - SSID mismatch
1718907734.305802: wlan0: 4: 42:ed:00:ad:b9:36 ssid='' wpa_ie_len=0
rsn_ie_len=20 caps=0x411 level=-54 freq=2442
1718907734.305806: wlan0:    skip - SSID not known
1718907734.305813: wlan0: 5: cc:f4:11:43:4b:0f ssid='CAR' wpa_ie_len=0
rsn_ie_len=20 caps=0x1431 level=-57 freq=2462
1718907734.305816: wlan0:    skip - SSID mismatch
1718907734.305820: wlan0: 6: d8:3a:dd:60:a3:cf ssid='deskSAE'
wpa_ie_len=0 rsn_ie_len=20 caps=0x411 level=-52 freq=2412
1718907734.305830: wlan0:    selected based on RSN IE
1718907734.305841: wlan0:    selected BSS d8:3a:dd:60:a3:cf ssid='deskSAE'
1718907734.306270: wlan0: Considering connect request: reassociate: 0
selected: d8:3a:dd:60:a3:cf  bssid: 00:00:00:00:00:00  pending:
00:00:00:00:00:00  wpa_state: SCANNING  ssid=0x5556614a4990
current_ssid=(nil)
1718907734.306294: wlan0: Request association with d8:3a:dd:60:a3:cf
1718907734.306312: TDLS: TDLS is allowed in the target BSS
1718907734.306319: TDLS: TDLS channel switch allowed in the target BSS
1718907734.306323: wlan0: No ongoing scan/p2p-scan found to abort
1718907734.306332: wlan0: Add radio work 'connect'@0x5556615211f0
1718907734.306339: wlan0: First radio work item in the queue -
schedule start immediately
1718907734.306357: p2p-dev-wlan0: Updating scan results from sibling
1718907734.307938: nl80211: Received scan results (15 BSSes)
1718907734.308261: p2p-dev-wlan0: BSS: Start scan result update 1
1718907734.308339: p2p-dev-wlan0: BSS: Add new id 0 BSSID
a6:2e:48:fd:9e:73 SSID 'spg5' freq 5785
1718907734.308359: p2p-dev-wlan0: BSS: Add new id 1 BSSID
ca:3a:6b:54:31:75 SSID 'DIRECT-roku-753-779A78' freq 5785
1718907734.308372: p2p-dev-wlan0: BSS: Add new id 2 BSSID
bc:2e:48:fd:9e:70 SSID 'spg5' freq 2427
1718907734.308380: p2p-dev-wlan0: BSS: Add new id 3 BSSID
40:ed:00:ad:b9:36 SSID 'mntwins' freq 2442
1718907734.308391: p2p-dev-wlan0: BSS: Add new id 4 BSSID
42:ed:00:ad:b9:36 SSID '' freq 2442
1718907734.308398: p2p-dev-wlan0: BSS: Add new id 5 BSSID
cc:f4:11:43:4b:0f SSID 'CAR' freq 2462
1718907734.308407: p2p-dev-wlan0: BSS: Add new id 6 BSSID
b0:e4:d5:02:61:2a SSID 'CAR' freq 2412
1718907734.308416: p2p-dev-wlan0: BSS: Add new id 7 BSSID
88:ad:43:6b:cd:68 SSID 'Gonzalez-Rivera Family' freq 2412
1718907734.308424: p2p-dev-wlan0: BSS: Add new id 8 BSSID
d8:3a:dd:60:a3:cf SSID 'deskSAE' freq 2412
1718907734.308429: p2p-dev-wlan0: BSS: Add new id 9 BSSID
9a:ad:43:6b:cd:70 SSID '' freq 5745
1718907734.308434: p2p-dev-wlan0: BSS: Add new id 10 BSSID
b0:e4:d5:0a:1b:22 SSID 'CAR' freq 2412
1718907734.308441: p2p-dev-wlan0: BSS: Add new id 11 BSSID
40:70:09:11:4e:60 SSID 'HOME-4E62' freq 2462
1718907734.308450: p2p-dev-wlan0: BSS: Add new id 12 BSSID
b0:e4:d5:02:61:2d SSID 'CAR' freq 5745
1718907734.308456: p2p-dev-wlan0: BSS: Add new id 13 BSSID
a2:ad:43:6b:cd:68 SSID '' freq 2412
1718907734.308464: p2p-dev-wlan0: BSS: Add new id 14 BSSID
fa:8f:ca:63:b5:06 SSID 'Living Room TV' freq 2437
1718907734.308473: BSS: last_scan_res_used=15/32
1718907734.308610: wlan0: Starting radio work 'connect'@0x5556615211f0
after 0.002253 second wait
1718907734.308655: wlan0: WPA: clearing own WPA/RSN IE
1718907734.308665: wlan0: RSN: clearing own RSNXE
1718907734.308680: RSN: PMKSA cache search -
network_ctx=0x5556614a4990 try_opportunistic=0 akmp=0x0
1718907734.308687: RSN: Search for BSSID d8:3a:dd:60:a3:cf
1718907734.308690: RSN: No PMKSA cache entry found
1718907734.308706: wlan0: RSN: using IEEE 802.11i/D9.0
1718907734.308712: wlan0: WPA: Selected cipher suites: group 16
pairwise 16 key_mgmt 1024 proto 2
1718907734.308716: wlan0: WPA: Selected mgmt group cipher 32
1718907734.308720: wlan0: WPA: clearing AP WPA IE
1718907734.308724: WPA: set AP RSN IE - hexdump(len=22): 30 14 01 00
00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 08 c0 00
1718907734.308735: wlan0: WPA: clearing AP RSNXE
1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
0x18; available group 0x10
1718907734.308748: wlan0: WPA: using GTK CCMP
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
pairwise 0x10; available pairwise 0x10
1718907734.308767: wlan0: WPA: using PTK CCMP
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
key_mgmt 0x400; available key_mgmt 0x0
1718907734.308779: wlan0: WPA: Failed to select authenticated key
management type
1718907734.308787: wlan0: WPA: Failed to set WPA key management and
encryption suites
1718907734.308798: wlan0: Radio work 'connect'@0x5556615211f0 done in
0.000205 seconds
1718907734.308805: wlan0: radio_work_free('connect'@0x5556615211f0):
num_active_works --> 0
1718907771.716726: nl80211: Event message available
1718907771.716807: nl80211: Ignored event 33
(NL80211_CMD_TRIGGER_SCAN) for foreign interface (ifindex 3 wdev 0x0)
1718907771.716813: nl80211: Drv Event 33 (NL80211_CMD_TRIGGER_SCAN)
received for wlan0
1718907771.716824: wlan0: nl80211: Scan trigger
1718907771.716838: wlan0: Event SCAN_STARTED (47) received
1718907771.716842: wlan0: External program started a scan
1718907774.517258: RTM_NEWLINK: ifi_index=3 ifname=wlan0 wext
ifi_family=0 ifi_flags=0x1003 ([UP])
1718907774.517518: nl80211: Event message available
1718907774.517560: nl80211: Ignored event 34
(NL80211_CMD_NEW_SCAN_RESULTS) for foreign interface (ifindex 3 wdev
0x0)
1718907774.517571: nl80211: Drv Event 34
(NL80211_CMD_NEW_SCAN_RESULTS) received for wlan0
1718907774.517583: wlan0: nl80211: New scan results available
1718907774.517596: nl80211: Scan probed for SSID ''
1718907774.517606: nl80211: Scan included frequencies: 5180 5200 5210
5220 5240 5260 5280 5300 5320 5500 5520 5540 5560 5580 5600 5620 5640
5660 5680 5700 5720 5745 5765 5785 5805 5825 2412 2417 2422 2427 2432
2437 2442 2447 2452 2457 2462
1718907774.517614: wlan0: Event SCAN_RESULTS (3) received
1718907774.517730: nl80211: Received scan results (17 BSSes)
1718907778.352778: wlan0: BSS: Start scan result update 2
1718907778.352851: wlan0: BSS: Add new id 15 BSSID ca:3a:6b:54:31:75
SSID '' freq 5785
1718907778.352871: wlan0: BSS: Add new id 16 BSSID bc:2e:48:fd:9e:73
SSID '' freq 5785
1718907778.352883: wlan0: BSS: Add new id 17 BSSID 40:ed:00:ad:b9:35
SSID 'mntwins_5G' freq 5765
1718907778.352891: wlan0: BSS: Add new id 18 BSSID 42:ed:00:dd:b9:36
SSID '' freq 5765
1718907778.352898: wlan0: BSS: Add new id 19 BSSID 88:ad:43:6b:cd:70
SSID 'Gonzalez-Rivera Family' freq 5745
1718907778.352904: wlan0: BSS: Add new id 20 BSSID cc:f4:11:43:4b:0b
SSID 'CAR' freq 5745
1718907778.352910: BSS: last_scan_res_used=17/32
1718907778.352919: wlan0: New scan results available (own=0 ext=1)
1718907778.352932: WPS: Unsupported attribute type 0x1058 len=24
1718907778.352935: WPS: Unsupported attribute type 0x1058 len=24
1718907778.352938: WPS: Unsupported attribute type 0x1058 len=24
1718907778.352954: wlan0: Do not use results from externally requested
scan operation for network selection
1718907778.352960: p2p-dev-wlan0: Updating scan results from sibling
1718907778.353089: nl80211: Received scan results (17 BSSes)
1718907778.353137: p2p-dev-wlan0: BSS: Start scan result update 2
1718907778.353157: p2p-dev-wlan0: BSS: Add new id 15 BSSID
bc:2e:48:fd:9e:73 SSID '' freq 5785
1718907778.353162: p2p-dev-wlan0: BSS: Add new id 16 BSSID
ca:3a:6b:54:31:75 SSID '' freq 5785
1718907778.353174: p2p-dev-wlan0: BSS: Add new id 17 BSSID
40:ed:00:ad:b9:35 SSID 'mntwins_5G' freq 5765
1718907778.353178: p2p-dev-wlan0: BSS: Add new id 18 BSSID
42:ed:00:dd:b9:36 SSID '' freq 5765
1718907778.353183: p2p-dev-wlan0: BSS: Add new id 19 BSSID
88:ad:43:6b:cd:70 SSID 'Gonzalez-Rivera Family' freq 5745
1718907778.353187: p2p-dev-wlan0: BSS: Add new id 20 BSSID
cc:f4:11:43:4b:0b SSID 'CAR' freq 5745
1718907778.353194: BSS: last_scan_res_used=17/32
1718907778.353203: p2p-dev-wlan0: New scan results available (own=0 ext=1)
1718907778.353206: p2p-dev-wlan0: Do not use results from externally
requested scan operation for network selection
Arend van Spriel June 21, 2024, 9:09 a.m. UTC | #8
+ Jouni

On 6/20/2024 8:25 PM, KeithG wrote:
> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> 0x18; available group 0x10
> 1718907734.308748: wlan0: WPA: using GTK CCMP
> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> pairwise 0x10; available pairwise 0x10
> 1718907734.308767: wlan0: WPA: using PTK CCMP
> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> key_mgmt 0x400; available key_mgmt 0x0


I suspect the message above indicates the problem as there is no 
available key_mgmt to select so looked it up in the code and here it is:

         sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE
         if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
              !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
             wpas_is_sae_avoided(wpa_s, ssid, &ie))
                 sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
                          WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R
         if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
                                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
                 sel &= ~WPA_KEY_MGMT_FT;
#endif /* CONFIG_IEEE80211R */
         wpa_dbg(wpa_s, MSG_DEBUG,
                 "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
                 ie.key_mgmt, ssid->key_mgmt, sel);

So 0x400 matches the expectation:

#define WPA_KEY_MGMT_SAE BIT(10)

You already confirmed that the driver reports SAE and SAE offload 
support. So it seems wpas_is_sae_avoided() must return true. That will 
check whether the AP and network profile are setup to MFP. This seems to 
be the fact as your hostapd.conf and wpa_supplicant.conf both have 
ieee80211w=2 defined. This function can only return true when 
sae_check_mfp is enabled in configuration file:

# sae_check_mfp: Require PMF support to select SAE key_mgmt
# 0 = Do not check PMF for SAE (default)
# 1 = Limit SAE when PMF is not enabled
#
# When enabled SAE will not be selected if PMF will not be used
# for the connection.
# Scenarios where this check will limit SAE:
#  1) ieee80211w=0 is set for the network
#  2) The AP does not have PMF enabled.
#  3) ieee80211w is unset, pmf=1 is enabled globally, and
#     the device does not support the BIP cipher.
# Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not support
# the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate to an AP
# that is configured with sae_requires_mfp=1 if the device does
# not support PMF due to lack of the BIP cipher.

The default is not to check it and your wpa_supplicant.conf does not 
specify it.

# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  pairwise=CCMP
  ieee80211w=2
}

$ cat /etc/hostapd/hostapd.conf
# interface and driver
interface=ap0
driver=nl80211

# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g

wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

Regards,
Arend


> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> management type
> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> encryption suites
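
The deduction in the message above, as an added example that is not part of the original thread or of wpa_supplicant: it models the SAE branch of the quoted selection code and works backwards from the logged values to the condition that cleared the SAE bit. `struct sta_caps`, the function names and the verdict enum are hypothetical; only `WPA_KEY_MGMT_SAE = BIT(10)` comes from the thread, the other bit positions are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BIT(n) (1U << (n))

/* WPA_KEY_MGMT_SAE = BIT(10) is quoted in the thread. The other bit
 * positions are assumptions for this example; check src/common/defs.h. */
#define WPA_KEY_MGMT_PSK            BIT(1)
#define WPA_KEY_MGMT_SAE            BIT(10)
#define WPA_KEY_MGMT_FT_SAE         BIT(11)
#define WPA_KEY_MGMT_SAE_EXT_KEY    BIT(26)
#define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27)

#define SAE_MASK (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY | \
                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY)

/* Hypothetical stand-in for the driver flags and wpas_is_sae_avoided(). */
struct sta_caps {
    int drv_sae;         /* WPA_DRIVER_FLAGS_SAE is set */
    int drv_sae_offload; /* WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA is set */
    int sae_avoided;     /* return value of wpas_is_sae_avoided() */
};

/* Same masking as the CONFIG_SAE branch of the quoted snippet. */
unsigned int select_key_mgmt(unsigned int ap, unsigned int profile,
                             const struct sta_caps *c)
{
    unsigned int sel = ap & profile;

    if ((!c->drv_sae && !c->drv_sae_offload) || c->sae_avoided)
        sel &= ~SAE_MASK;
    return sel;
}

struct key_mgmt_log { unsigned int ap, profile, avail; };

/* Parse a "WPA: AP key_mgmt ..." debug line; returns 0 on success.
 * Whitespace in the format also matches an e-mail line wrap. */
int parse_key_mgmt_line(const char *line, struct key_mgmt_log *out)
{
    const char *p = strstr(line, "WPA: AP key_mgmt ");

    if (!p)
        return -1;
    if (sscanf(p, "WPA: AP key_mgmt %x network profile key_mgmt %x; "
                  "available key_mgmt %x",
               &out->ap, &out->profile, &out->avail) != 3)
        return -1;
    return 0;
}

enum verdict { V_OK, V_NO_COMMON_AKM, V_DRIVER_LACKS_SAE,
               V_SAE_AVOIDED, V_OTHER };

/* Explain why AKMs offered by both AP and profile are not "available". */
enum verdict diagnose(const struct key_mgmt_log *l,
                      int drv_sae, int drv_sae_offload)
{
    unsigned int common = l->ap & l->profile;
    unsigned int dropped = common & ~l->avail;

    if (!common)
        return V_NO_COMMON_AKM;     /* AP and profile never overlapped */
    if (!dropped)
        return V_OK;                /* nothing was masked out */
    if (dropped & ~SAE_MASK)
        return V_OTHER;             /* e.g. the CONFIG_IEEE80211R branch */
    if (!drv_sae && !drv_sae_offload)
        return V_DRIVER_LACKS_SAE;  /* first half of the condition */
    return V_SAE_AVOIDED;           /* only wpas_is_sae_avoided() is left */
}

/* Log line from the thread, with the e-mail line wrap undone. */
static const char SAMPLE_LINE[] =
    "1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile "
    "key_mgmt 0x400; available key_mgmt 0x0";

int main(void)
{
    static const char *names[] = {
        "ok", "no common AKM", "driver lacks SAE",
        "wpas_is_sae_avoided() returned true", "other masking"
    };
    struct key_mgmt_log l;

    if (parse_key_mgmt_line(SAMPLE_LINE, &l) != 0)
        return 1;
    /* The thread states the driver reports SAE and SAE offload support. */
    printf("common=0x%x available=0x%x -> %s\n",
           l.ap & l.profile, l.avail, names[diagnose(&l, 1, 1)]);
    return 0;
}
```

With a mixed profile (`0x402` on both sides, under the assumed PSK bit) the same masking leaves `0x2`, so the selection falls back to WPA-PSK instead of failing.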
KeithG June 21, 2024, 12:24 p.m. UTC | #9
On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> + Jouni
>
> On 6/20/2024 8:25 PM, KeithG wrote:
> > 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > 0x18; available group 0x10
> > 1718907734.308748: wlan0: WPA: using GTK CCMP
> > 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > pairwise 0x10; available pairwise 0x10
> > 1718907734.308767: wlan0: WPA: using PTK CCMP
> > 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > key_mgmt 0x400; available key_mgmt 0x0
>
>
> I suspect the message above indicates the problem as there is no
> available key_mgmt to select so looked it up in the code and here it is:
>
>          sel = ie.key_mgmt & ssid->key_mgmt;
> #ifdef CONFIG_SAE
>          if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>               !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>              wpas_is_sae_avoided(wpa_s, ssid, &ie))
>                  sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>                           WPA_KEY_MGMT_FT_SAE |
> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> #endif /* CONFIG_SAE */
> #ifdef CONFIG_IEEE80211R
>          if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>                                    WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>                  sel &= ~WPA_KEY_MGMT_FT;
> #endif /* CONFIG_IEEE80211R */
>          wpa_dbg(wpa_s, MSG_DEBUG,
>                  "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> available key_mgmt 0x%x",
>                  ie.key_mgmt, ssid->key_mgmt, sel);
>
> So 0x400 matches the expectation:
>
> #define WPA_KEY_MGMT_SAE BIT(10)
>
> You already confirmed that the driver reports SAE and SAE offload
> support. So it seems wpas_is_sae_avoided() must return true. That will
> check whether the AP and network profile are setup to MFP. This seems to
> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> ieee80211w=2 defined. This function can only return true when
> sae_check_mfp is enabled in configuration file:
>
> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> # 0 = Do not check PMF for SAE (default)
> # 1 = Limit SAE when PMF is not enabled
> #
> # When enabled SAE will not be selected if PMF will not be used
> # for the connection.
> # Scenarios where this check will limit SAE:
> #  1) ieee80211w=0 is set for the network
> #  2) The AP does not have PMF enabled.
> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> #     the device does not support the BIP cipher.
> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> # In the example WPA-PSK will be used if the device does not support
> # the BIP cipher or the AP has PMF disabled.
> # Limiting SAE with this check can avoid failing to associate to an AP
> # that is configured with sae_requires_mfp=1 if the device does
> # not support PMF due to lack of the BIP cipher.
>
> The default is not to check it and your wpa_supplicant.conf does not
> specify it.
>
> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> network={
>   ssid="deskSAE"
>   sae_password="secret123"
>   proto=RSN
>   key_mgmt=SAE
>   pairwise=CCMP
>   ieee80211w=2
> }
>
> $ cat /etc/hostapd/hostapd.conf
> # interface and driver
> interface=ap0
> driver=nl80211
>
> # WIFI-Config
> ssid=deskSAE
> channel=1
> hw_mode=g
>
> wpa=2
> wpa_key_mgmt=SAE
> wpa_pairwise=CCMP
> sae_password=secret123
> sae_groups=19
> ieee80211w=2
> sae_pwe=0
>
> Regards,
> Arend
>
>
> > 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > management type
> > 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > encryption suites

Arend,

I find the wpa_supplicant docs really hard to understand. I have read
through your response a few times and am still a bit confused. Does
this have to do with a pure wpa3 versus a wpa2/3 AP?

I have tried editing my hostapd.conf and my wpa_supplicant.conf and
still cannot get a connection, so I must be doing something wrong.
I commented the ieee80211w line on both and it would not connect.
I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
it still would not connect.

What *should* the configurations be in the hostapd.conf and
wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
should it be to be a wpa2/3 setup? My phone worked fine to connect
with the original hostapd setup, but I have no idea what it is doing.

Regards,

Keith
Arend van Spriel June 21, 2024, 5:31 p.m. UTC | #10
On June 17, 2024 2:26:25 PM Arend van Spriel <arend.vanspriel@broadcom.com> 
wrote:

> After being asked about support for WPA3 for BCM43224 chipset it
> was found that all it takes is setting the MFP_CAPABLE flag and
> mac80211 will take care of all that is needed [1].
>
> [1] 
> https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/

Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
> 1 file changed, 1 insertion(+)
KeithG June 21, 2024, 7:43 p.m. UTC | #11
On Fri, Jun 21, 2024 at 12:32 PM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On June 17, 2024 2:26:25 PM Arend van Spriel <arend.vanspriel@broadcom.com>
> wrote:
>
> > After being asked about support for WPA3 for BCM43224 chipset it
> > was found that all it takes is setting the MFP_CAPABLE flag and
> > mac80211 will take care of all that is needed [1].
> >
> > [1]
> > https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/
>
> Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
> > Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> > ---
> > drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
> > 1 file changed, 1 insertion(+)
>
I think I get what it is supposed to do, but am unsure of how to do it.

The modules referred to in that link (b43 or ieee80211) do not appear
to be loaded:
# lsmod | grep 802
8021q                  49152  0
garp                   49152  1 8021q
nf_conntrack          180224  1 nf_nat
cfg80211             1032192  1 brcmfmac
rfkill                 49152  7 bluetooth,cfg80211

How do I set this up to work on RPiOS?

Regards,

Keith
Arend van Spriel June 22, 2024, 2:01 p.m. UTC | #12
On June 21, 2024 9:44:00 PM KeithG <ys3al35l@gmail.com> wrote:

> On Fri, Jun 21, 2024 at 12:32 PM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On June 17, 2024 2:26:25 PM Arend van Spriel <arend.vanspriel@broadcom.com>
>> wrote:
>>
>>> After being asked about support for WPA3 for BCM43224 chipset it
>>> was found that all it takes is setting the MFP_CAPABLE flag and
>>> mac80211 will take care of all that is needed [1].
>>>
>>> [1]
>>> https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/
>>
>> Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
>>> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
>>> ---
>>> drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
>>> 1 file changed, 1 insertion(+)
> I think I get what it is supposed to do, but am unsure of how to do it.

Sorry, but I think we have hijacked this thread so changing the subject.

@Kalle:
Hope you are not too confused. My comment on my own patch was about adding 
a Tested-by: tag which I forgot to include.

Regards,
Arend
Kalle Valo June 24, 2024, 11:03 a.m. UTC | #13
Arend Van Spriel <arend.vanspriel@broadcom.com> writes:

> On June 21, 2024 9:44:00 PM KeithG <ys3al35l@gmail.com> wrote:
>
>> On Fri, Jun 21, 2024 at 12:32 PM Arend Van Spriel
>> <arend.vanspriel@broadcom.com> wrote:
>>>
>>> On June 17, 2024 2:26:25 PM Arend van Spriel <arend.vanspriel@broadcom.com>
>>> wrote:
>>>
>>>> After being asked about support for WPA3 for BCM43224 chipset it
>>>> was found that all it takes is setting the MFP_CAPABLE flag and
>>>> mac80211 will take care of all that is needed [1].
>>>>
>>>> [1]
>>>> https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/
>>>
>>> Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
>>>> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
>>>> ---
>>>> drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
>>>> 1 file changed, 1 insertion(+)
>> I think I get what it is supposed to do, but am unsure of how to do it.
>
> Sorry, but I think we have hijacked this thread so changing the subject.
>
> @Kalle:
> Hope you are not too confused. My comment on my own patch was about
> adding a Tested-by: tag which I forgot to include.

I actually figured that out even on my own but thanks for clarifying :)
Arend van Spriel June 26, 2024, 5:49 a.m. UTC | #14
On June 21, 2024 9:44:00 PM KeithG <ys3al35l@gmail.com> wrote:

> On Fri, Jun 21, 2024 at 12:32 PM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On June 17, 2024 2:26:25 PM Arend van Spriel <arend.vanspriel@broadcom.com>
>> wrote:
>>
>>> After being asked about support for WPA3 for BCM43224 chipset it
>>> was found that all it takes is setting the MFP_CAPABLE flag and
>>> mac80211 will take care of all that is needed [1].
>>>
>>> [1]
>>> https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/
>>
>> Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
>>> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
>>> ---
>>> drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
>>> 1 file changed, 1 insertion(+)
> I think I get what it is supposed to do, but am unsure of how to do it.

Sorry for the confusion but the above is about brcmsmac, which is a 
different driver not supporting the wifi chips used on Raspberry Pi. Same 
for b43 so it is expected that you don't see them in your list of loaded 
modules. I will respond to the email you sent before this one.

Regards,
Arend
Arend van Spriel June 26, 2024, 7:47 a.m. UTC | #15
On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:

> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> + Jouni
>>
>> On 6/20/2024 8:25 PM, KeithG wrote:
>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>> 0x18; available group 0x10
>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>> pairwise 0x10; available pairwise 0x10
>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>> key_mgmt 0x400; available key_mgmt 0x0
>>
>>
>> I suspect the message above indicates the problem as there is no
>> available key_mgmt to select so looked it up in the code and here it is:
>>
>> sel = ie.key_mgmt & ssid->key_mgmt;
>> #ifdef CONFIG_SAE
>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>          WPA_KEY_MGMT_FT_SAE |
>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>> #endif /* CONFIG_SAE */
>> #ifdef CONFIG_IEEE80211R
>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>> sel &= ~WPA_KEY_MGMT_FT;
>> #endif /* CONFIG_IEEE80211R */
>> wpa_dbg(wpa_s, MSG_DEBUG,
>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>> available key_mgmt 0x%x",
>> ie.key_mgmt, ssid->key_mgmt, sel);
>>
>> So 0x400 matches the expectation:
>>
>> #define WPA_KEY_MGMT_SAE BIT(10)
>>
>> You already confirmed that the driver reports SAE and SAE offload
>> support. So it seems wpas_is_sae_avoided() must return true. That will
>> check whether the AP and network profile are setup to MFP. This seems to
>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>> ieee80211w=2 defined. This function can only return true when
>> is enabled in configuration file:
>>
>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>> # 0 = Do not check PMF for SAE (default)
>> # 1 = Limit SAE when PMF is not enabled
>> #
>> # When enabled SAE will not be selected if PMF will not be used
>> # for the connection.
>> # Scenarios where this check will limit SAE:
>> #  1) ieee80211w=0 is set for the network
>> #  2) The AP does not have PMF enabled.
>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>> #     the device does not support the BIP cipher.
>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>> # In the example WPA-PSK will be used if the device does not support
>> # the BIP cipher or the AP has PMF disabled.
>> # Limiting SAE with this check can avoid failing to associate to an AP
>> # that is configured with sae_requires_mfp=1 if the device does
>> # not support PMF due to lack of the BIP cipher.
>>
>> The default is not to check it and your wpa_supplicant.conf does not
>> specify it.
>>
>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>> update_config=1
>> network={
>> ssid="deskSAE"
>> sae_password="secret123"
>> proto=RSN
>> key_mgmt=SAE
>> pairwise=CCMP
>> ieee80211w=2
>> }
>>
>> $ cat /etc/hostapd/hostapd.conf
>> # interface and driver
>> interface=ap0
>> driver=nl80211
>>
>> # WIFI-Config
>> ssid=deskSAE
>> channel=1
>> hw_mode=g
>>
>> wpa=2
>> wpa_key_mgmt=SAE
>> wpa_pairwise=CCMP
>> sae_password=secret123
>> sae_groups=19
>> ieee80211w=2
>> sae_pwe=0
>>
>> Regards,
>> Arend
>>
>>
>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>> management type
>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>> encryption suites
>
> Arend,
>
> I find the wpa_supplicant docs really hard to understand. I have read
> through your response a few times and am still a bit confused. Does
> this have to do with a pure wpa3 versus a wpa2/3 AP?

Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.

> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> still cannot get a connection, so I must be doing something wrong.
> I commented the ieee80211w line on both and it would not connect.
> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> it still would not connect.
>
> What *should* the configurations be in the hostapd.conf and
> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> should it be to be a wpa2/3 setup? My phone worked fine to connect
> with the original hostapd setup, but I have no idea what it is doing

As I mentioned in my previous email both config files listed above look 
okay to me (might be wrong though). The problem seems to be with 
wpas_is_sae_avoided(). For it to return true the config should have:

sae_check_mfp=1

But you don't have that and default is 0 so it should check for MFP. This 
is where my trail ends. To learn more I would add additional debug prints. 
Are you comfortable rebuilding wpa_supplicant from source?

Regards,
Arend
KeithG June 26, 2024, 12:04 p.m. UTC | #16
On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>
> > On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > <arend.vanspriel@broadcom.com> wrote:
> >>
> >> + Jouni
> >>
> >> On 6/20/2024 8:25 PM, KeithG wrote:
> >>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>> 0x18; available group 0x10
> >>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>> pairwise 0x10; available pairwise 0x10
> >>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>> key_mgmt 0x400; available key_mgmt 0x0
> >>
> >>
> >> I suspect the message above indicates the problem as there is no
> >> available key_mgmt to select so looked it up in the code and here it is:
> >>
> >> sel = ie.key_mgmt & ssid->key_mgmt;
> >> #ifdef CONFIG_SAE
> >> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>          WPA_KEY_MGMT_FT_SAE |
> >> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >> #endif /* CONFIG_SAE */
> >> #ifdef CONFIG_IEEE80211R
> >> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >> sel &= ~WPA_KEY_MGMT_FT;
> >> #endif /* CONFIG_IEEE80211R */
> >> wpa_dbg(wpa_s, MSG_DEBUG,
> >> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> >> available key_mgmt 0x%x",
> >> ie.key_mgmt, ssid->key_mgmt, sel);
> >>
> >> So 0x400 matches the expectation:
> >>
> >> #define WPA_KEY_MGMT_SAE BIT(10)
> >>
> >> You already confirmed that the driver reports SAE and SAE offload
> >> support. So it seems wpas_is_sae_avoided() must return true. That will
> >> check whether the AP and network profile are setup to MFP. This seems to
> >> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >> ieee80211w=2 defined. This function can only return true when
> >> is enabled in configuration file:
> >>
> >> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >> # 0 = Do not check PMF for SAE (default)
> >> # 1 = Limit SAE when PMF is not enabled
> >> #
> >> # When enabled SAE will not be selected if PMF will not be used
> >> # for the connection.
> >> # Scenarios where this check will limit SAE:
> >> #  1) ieee80211w=0 is set for the network
> >> #  2) The AP does not have PMF enabled.
> >> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >> #     the device does not support the BIP cipher.
> >> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >> # In the example WPA-PSK will be used if the device does not support
> >> # the BIP cipher or the AP has PMF disabled.
> >> # Limiting SAE with this check can avoid failing to associate to an AP
> >> # that is configured with sae_requires_mfp=1 if the device does
> >> # not support PMF due to lack of the BIP cipher.
> >>
> >> The default is not to check it and your wpa_supplicant.conf does not
> >> specify it.
> >>
> >> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> network={
> >> ssid="deskSAE"
> >> sae_password="secret123"
> >> proto=RSN
> >> key_mgmt=SAE
> >> pairwise=CCMP
> >> ieee80211w=2
> >> }
> >>
> >> $ cat /etc/hostapd/hostapd.conf
> >> # interface and driver
> >> interface=ap0
> >> driver=nl80211
> >>
> >> # WIFI-Config
> >> ssid=deskSAE
> >> channel=1
> >> hw_mode=g
> >>
> >> wpa=2
> >> wpa_key_mgmt=SAE
> >> wpa_pairwise=CCMP
> >> sae_password=secret123
> >> sae_groups=19
> >> ieee80211w=2
> >> sae_pwe=0
> >>
> >> Regards,
> >> Arend
> >>
> >>
> >>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>> management type
> >>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>> encryption suites
> >
> > Arend,
> >
> > I find the wpa_supplicant docs really hard to understand. I have read
> > through your response a few times and am still a bit confused. Does
> > this have to do with a pure wpa3 versus a wpa2/3 AP?
>
> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>
> > I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > still cannot get a connection, so I must be doing something wrong.
> > I commented the ieee80211w line on both and it would not connect.
> > I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > it still would not connect.
> >
> > What *should* the configurations be in the hostapd.conf and
> > wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > should it be to be a wpa2/3 setup? My phone worked fine to connect
> > with the original hostapd setup, but I have no idea what it is doing
>
> As I mentioned in my previous email both config files listed above look
> okay to me (might be wrong though). The problem seems to be with
> wpas_is_sae_avoided(). For it to return true the config should have:
>
> sae_check_mfp=1
>
> But you don't have that and default is 0 so it should check for MFP. This
> is where my trail ends. To learn more I would add additional debug prints.
> Are you comfortable rebuilding wpa_supplicant from source?
>
> Regards,
> Arend
>
>

Arend,

Thanks for the reply. I could try to rebuild wpa_supplicant from
source. This is on RPi, so debian *.debs which are a pain, but I think
I can do it.

Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
the hostapd.conf and wpa_supplicant.conf? I can try that and see if
anything changes.

Why would I have to re-build wpa_supplicant?

Keith

Arend van Spriel June 26, 2024, 12:30 p.m. UTC | #17
On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:

> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>
>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>> <arend.vanspriel@broadcom.com> wrote:
>>>>
>>>> + Jouni
>>>>
>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>> 0x18; available group 0x10
>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>> pairwise 0x10; available pairwise 0x10
>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>
>>>>
>>>> I suspect the message above indicates the problem as there is no
>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>
>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>> #ifdef CONFIG_SAE
>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>    WPA_KEY_MGMT_FT_SAE |
>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>> #endif /* CONFIG_SAE */
>>>> #ifdef CONFIG_IEEE80211R
>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>             WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>> sel &= ~WPA_KEY_MGMT_FT;
>>>> #endif /* CONFIG_IEEE80211R */
>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>>>> available key_mgmt 0x%x",
>>>> ie.key_mgmt, ssid->key_mgmt, sel);
>>>>
>>>> So 0x400 matches the expectation:
>>>>
>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>
>>>> You already confirmed that the driver reports SAE and SAE offload
>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>> ieee80211w=2 defined. This function can only return true when
>>>> is enabled in configuration file:
>>>>
>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>> # 0 = Do not check PMF for SAE (default)
>>>> # 1 = Limit SAE when PMF is not enabled
>>>> #
>>>> # When enabled SAE will not be selected if PMF will not be used
>>>> # for the connection.
>>>> # Scenarios where this check will limit SAE:
>>>> #  1) ieee80211w=0 is set for the network
>>>> #  2) The AP does not have PMF enabled.
>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>> #     the device does not support the BIP cipher.
>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>> # In the example WPA-PSK will be used if the device does not support
>>>> # the BIP cipher or the AP has PMF disabled.
>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>> # not support PMF due to lack of the BIP cipher.
>>>>
>>>> The default is not to check it and your wpa_supplicant.conf does not
>>>> specify it.
>>>>
>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>> update_config=1
>>>> network={
>>>> ssid="deskSAE"
>>>> sae_password="secret123"
>>>> proto=RSN
>>>> key_mgmt=SAE
>>>> pairwise=CCMP
>>>> ieee80211w=2
>>>> }
>>>>
>>>> $ cat /etc/hostapd/hostapd.conf
>>>> # interface and driver
>>>> interface=ap0
>>>> driver=nl80211
>>>>
>>>> # WIFI-Config
>>>> ssid=deskSAE
>>>> channel=1
>>>> hw_mode=g
>>>>
>>>> wpa=2
>>>> wpa_key_mgmt=SAE
>>>> wpa_pairwise=CCMP
>>>> sae_password=secret123
>>>> sae_groups=19
>>>> ieee80211w=2
>>>> sae_pwe=0
>>>>
>>>> Regards,
>>>> Arend
>>>>
>>>>
>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>> management type
>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>> encryption suites
>>>
>>> Arend,
>>>
>>> I find the wpa_supplicant docs really hard to understand. I have read
>>> through your response a few times and am still a bit confused. Does
>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>
>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>
>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>> still cannot get a connection, so I must be doing something wrong.
>>> I commented the ieee80211w line on both and it would not connect.
>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>> it still would not connect.
>>>
>>> What *should* the configurations be in the hostapd.conf and
>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>> with the original hostapd setup, but I have no idea what it is doing
>>
>> As I mentioned in my previous email both config files listed above look
>> okay to me (might be wrong though). The problem seems to be with
>> wpas_is_sae_avoided(). For it to return true the config should have:
>>
>> sae_check_mfp=1
>>
>> But you don't have that and default is 0 so it should check for MFP. This
>> is where my trail ends. To learn more I would add additional debug prints.
>> Are you comfortable rebuilding wpa_supplicant from source?
>>
>> Regards,
>> Arend
>
> Arend,
>
> Thanks for the reply. I could try to rebuild wpa_supplicant from
> source. This is on RPi, so debian *.debs which are a pain, but I think
> I can do it.
>
> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> anything changes.

Ok. We can try first to put the following in wpa_supplicant.conf:

sae_check_mfp=0

Let me know if that makes any difference.

> Why would I have to re-build wpa_supplicant?

I would provide a patch with additional debug prints so I get better 
understanding what is going wrong. Would be great if you can apply that and 
rebuild.

Regards,
Arend
Kalle Valo June 26, 2024, 5:50 p.m. UTC | #18
Arend van Spriel <arend.vanspriel@broadcom.com> wrote:

> After being asked about support for WPA3 for BCM43224 chipset it
> was found that all it takes is setting the MFP_CAPABLE flag and
> mac80211 will take care of all that is needed [1].
> 
> Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1]
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>

Patch applied to wireless-next.git, thanks.

dbb5265a5d7c wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
KeithG June 26, 2024, 10:46 p.m. UTC | #19
On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>
> > On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > <arend.vanspriel@broadcom.com> wrote:
> >>
> >> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> >>
> >>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>> <arend.vanspriel@broadcom.com> wrote:
> >>>>
> >>>> + Jouni
> >>>>
> >>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>> 0x18; available group 0x10
> >>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>> pairwise 0x10; available pairwise 0x10
> >>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>
> >>>>
> >>>> I suspect the message above indicates the problem as there is no
> >>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>
> >>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>> #ifdef CONFIG_SAE
> >>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>                  WPA_KEY_MGMT_FT_SAE |
> >>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>> #endif /* CONFIG_SAE */
> >>>> #ifdef CONFIG_IEEE80211R
> >>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>> #endif /* CONFIG_IEEE80211R */
> >>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>
> >>>> So 0x400 matches the expectation:
> >>>>
> >>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>
> >>>> You already confirmed that the driver reports SAE and SAE offload
> >>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>> ieee80211w=2 defined. This function can only return true when
> >>>> is enabled in configuration file:
> >>>>
> >>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>> # 0 = Do not check PMF for SAE (default)
> >>>> # 1 = Limit SAE when PMF is not enabled
> >>>> #
> >>>> # When enabled SAE will not be selected if PMF will not be used
> >>>> # for the connection.
> >>>> # Scenarios where this check will limit SAE:
> >>>> #  1) ieee80211w=0 is set for the network
> >>>> #  2) The AP does not have PMF enabled.
> >>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>> #     the device does not support the BIP cipher.
> >>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>> # In the example WPA-PSK will be used if the device does not support
> >>>> # the BIP cipher or the AP has PMF disabled.
> >>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>> # not support PMF due to lack of the BIP cipher.
> >>>>
> >>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>> specify it.
> >>>>
> >>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>> update_config=1
> >>>> network={
> >>>> ssid="deskSAE"
> >>>> sae_password="secret123"
> >>>> proto=RSN
> >>>> key_mgmt=SAE
> >>>> pairwise=CCMP
> >>>> ieee80211w=2
> >>>> }
> >>>>
> >>>> $ cat /etc/hostapd/hostapd.conf
> >>>> # interface and driver
> >>>> interface=ap0
> >>>> driver=nl80211
> >>>>
> >>>> # WIFI-Config
> >>>> ssid=deskSAE
> >>>> channel=1
> >>>> hw_mode=g
> >>>>
> >>>> wpa=2
> >>>> wpa_key_mgmt=SAE
> >>>> wpa_pairwise=CCMP
> >>>> sae_password=secret123
> >>>> sae_groups=19
> >>>> ieee80211w=2
> >>>> sae_pwe=0
> >>>>
> >>>> Regards,
> >>>> Arend
> >>>>
> >>>>
> >>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>> management type
> >>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>> encryption suites
> >>>
> >>> Arend,
> >>>
> >>> I find the wpa_supplicant docs really hard to understand. I have read
> >>> through your response a few times and am still a bit confused. Does
> >>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>
> >> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>
> >>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>> still cannot get a connection, so I must be doing something wrong.
> >>> I commented the ieee80211w line on both and it would not connect.
> >>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>> it still would not connect.
> >>>
> >>> What *should* the configurations be in the hostapd.conf and
> >>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>> with the original hostapd setup, but I have no idea what it is doing
> >>
> >> As I mentioned in my previous email both config files listed above look
> >> okay to me (might be wrong though). The problem seems to be with
> >> wpas_is_sae_avoided(). For it to return true the config should have:
> >>
> >> sae_check_mfp=1
> >>
> >> But you don't have that and default is 0 so it should check for MFP. This
> >> is where my trail ends. To learn more I would add additional debug prints.
> >> Are you comfortable rebuilding wpa_supplicant from source?
> >>
> >> Regards,
> >> Arend
> >
> > Arend,
> >
> > Thanks for the reply. I could try to rebuild wpa_supplicant from
> > source. This is on RPi, so debian *.debs which are a pain, but I think
> > I can do it.
> >
> > Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> > the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> > anything changes.
>
> Ok. We can try first to put the following in wpa_supplicant.conf:
>
> sae_check_mfp=0
>
> Let me know if that makes any difference.
>
> > Why would I have to re-build wpa_supplicant?
>
> I would provide a patch with additional debug prints so I get a better
> understanding of what is going wrong. Would be great if you can apply that and
> rebuild.
>
> Regards,
> Arend
>
>
Arend,

I was able to try it this afternoon.
My hostapd is still:
# interface and driver
interface=ap0
driver=nl80211

# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g

wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

and I can still connect from my phone to this AP.

I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
 network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  pairwise=CCMP
  ieee80211w=2
  sae_check_mfp=1
}

and when I try to connect, I get:
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 10: unknown network field 'sae_check_mfp'.
Line 11: failed to parse network block.
Failed to read or parse configuration
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all

my version of wpa_supplicant is
# wpa_supplicant -v
wpa_supplicant v2.10
Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors

I will build the latest from git and await your patch.

Keith
Arend van Spriel June 27, 2024, 5:01 a.m. UTC | #20
On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:

> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>>
>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>> <arend.vanspriel@broadcom.com> wrote:
>>>>
>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>
>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>
>>>>>> + Jouni
>>>>>>
>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>>>> 0x18; available group 0x10
>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>>>> pairwise 0x10; available pairwise 0x10
>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>>>
>>>>>>
>>>>>> I suspect the message above indicates the problem as there is no
>>>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>>>
>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>> #ifdef CONFIG_SAE
>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>                  WPA_KEY_MGMT_FT_SAE |
>>>>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>> #endif /* CONFIG_SAE */
>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
>>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>
>>>>>> So 0x400 matches the expectation:
>>>>>>
>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>
>>>>>> You already confirmed that the driver reports SAE and SAE offload
>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>> is enabled in configuration file:
>>>>>>
>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>> #
>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>> # for the connection.
>>>>>> # Scenarios where this check will limit SAE:
>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>> #  2) The AP does not have PMF enabled.
>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>> #     the device does not support the BIP cipher.
>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>
>>>>>> The default is not to check it and your wpa_supplicant.conf does not
>>>>>> specify it.
>>>>>>
>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>> update_config=1
>>>>>> network={
>>>>>> ssid="deskSAE"
>>>>>> sae_password="secret123"
>>>>>> proto=RSN
>>>>>> key_mgmt=SAE
>>>>>> pairwise=CCMP
>>>>>> ieee80211w=2
>>>>>> }
>>>>>>
>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>> # interface and driver
>>>>>> interface=ap0
>>>>>> driver=nl80211
>>>>>>
>>>>>> # WIFI-Config
>>>>>> ssid=deskSAE
>>>>>> channel=1
>>>>>> hw_mode=g
>>>>>>
>>>>>> wpa=2
>>>>>> wpa_key_mgmt=SAE
>>>>>> wpa_pairwise=CCMP
>>>>>> sae_password=secret123
>>>>>> sae_groups=19
>>>>>> ieee80211w=2
>>>>>> sae_pwe=0
>>>>>>
>>>>>> Regards,
>>>>>> Arend
>>>>>>
>>>>>>
>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>>>> management type
>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>>>> encryption suites
>>>>>
>>>>> Arend,
>>>>>
>>>>> I find the wpa_supplicant docs really hard to understand. I have read
>>>>> through your response a few times and am still a bit confused. Does
>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>
>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>
>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>>>> still cannot get a connection, so I must be doing something wrong.
>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>>>> it still would not connect.
>>>>>
>>>>> What *should* the configurations be in the hostapd.conf and
>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>>>> with the original hostapd setup, but I have no idea what it is doing
>>>>
>>>> As I mentioned in my previous email both config files listed above look
>>>> okay to me (might be wrong though). The problem seems to be with
>>>> wpas_is_sae_avoided(). For it to return true the config should have:
>>>>
>>>> sae_check_mfp=1
>>>>
>>>> But you don't have that and default is 0 so it should check for MFP. This
>>>> is where my trail ends. To learn more I would add additional debug prints.
>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>
>>>> Regards,
>>>> Arend
>>>
>>> Arend,
>>>
>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>> source. This is on RPi, so debian *.debs which are a pain, but I think
>>> I can do it.
>>>
>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
>>> anything changes.
>>
>> Ok. We can try first to put the following in wpa_supplicant.conf:
>>
>> sae_check_mfp=0
>>
>> Let me know if that makes any difference.
>>
>>> Why would I have to re-build wpa_supplicant?
>>
>> I would provide a patch with additional debug prints so I get a better
>> understanding of what is going wrong. Would be great if you can apply that and
>> rebuild.
>>
>> Regards,
>> Arend
> Arend,
>
> I was able to try it this afternoon.
> My hostapd is still:
> # interface and driver
> interface=ap0
> driver=nl80211
>
> # WIFI-Config
> ssid=deskSAE
> channel=1
> hw_mode=g
>
> wpa=2
> wpa_key_mgmt=SAE
> wpa_pairwise=CCMP
> sae_password=secret123
> sae_groups=19
> ieee80211w=2
> sae_pwe=0
>
> and I can still connect from my phone to this AP.
>
> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> network={
>  ssid="deskSAE"
>  sae_password="secret123"
>  proto=RSN
>  key_mgmt=SAE
>  pairwise=CCMP
>  ieee80211w=2
>  sae_check_mfp=1
> }
>
> and when I try to connect, I get:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> Line 10: unknown network field 'sae_check_mfp'.
> Line 11: failed to parse network block.

Right. The setting sae_check_mfp is a global setting like update_config. So 
it should be moved outside the network block.

Regards,
Arend
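The key_mgmt selection discussed in this thread, as an added example that is not part of any message here and is not wpa_supplicant source: a simplified C model of which inputs leave "available key_mgmt" at 0x0. Only WPA_KEY_MGMT_SAE = BIT(10) comes from the thread; the other bit values, `struct sta_state` and all function names are hypothetical, and the `sae_check_mfp` rule models only scenarios 1 and 2 of the option text quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(n) (1U << (n))

#define KM_PSK            BIT(1)   /* placeholder value for this example */
#define KM_SAE            BIT(10)  /* WPA_KEY_MGMT_SAE, as quoted in the thread */
#define KM_FT_SAE         BIT(11)  /* placeholder value */
#define KM_SAE_EXT_KEY    BIT(26)  /* placeholder value */
#define KM_FT_SAE_EXT_KEY BIT(27)  /* placeholder value */
#define KM_SAE_ANY (KM_SAE | KM_SAE_EXT_KEY | KM_FT_SAE | KM_FT_SAE_EXT_KEY)

/* Hypothetical summary of the state the quoted code consults. */
struct sta_state {
    bool drv_sae;          /* driver reports SAE support */
    bool drv_sae_offload;  /* driver reports SAE offload (STA) support */
    int  sae_check_mfp;    /* global option, default 0 */
    int  ieee80211w;       /* network profile PMF setting: 0, 1 or 2 */
    bool ap_pmf;           /* AP advertises PMF */
};

enum sae_result {
    SAE_KEPT,              /* SAE stays selectable */
    SAE_NOT_COMMON,        /* AP and profile share no SAE AKM */
    SAE_DROPPED_DRIVER,    /* neither driver flag is set */
    SAE_DROPPED_MFP_CHECK  /* sae_check_mfp=1 and PMF will not be used */
};

/* Model of the sae_check_mfp rule: with the default 0, PMF is never checked. */
static bool sae_avoided(const struct sta_state *s)
{
    if (!s->sae_check_mfp)
        return false;
    return !s->ap_pmf || s->ieee80211w == 0;
}

/* Returns the "available key_mgmt" mask and records why SAE was or was not kept. */
static uint32_t select_key_mgmt(uint32_t ap, uint32_t profile,
                                const struct sta_state *s, enum sae_result *why)
{
    uint32_t sel = ap & profile;

    if (!(sel & KM_SAE_ANY)) {
        *why = SAE_NOT_COMMON;
        return sel;
    }
    if (!s->drv_sae && !s->drv_sae_offload) {
        *why = SAE_DROPPED_DRIVER;
        return sel & ~KM_SAE_ANY;
    }
    if (sae_avoided(s)) {
        *why = SAE_DROPPED_MFP_CHECK;
        return sel & ~KM_SAE_ANY;
    }
    *why = SAE_KEPT;
    return sel;
}

int main(void)
{
    static const char *names[] = {
        "SAE kept", "no common SAE AKM", "dropped: driver flags",
        "dropped: sae_check_mfp"
    };
    /* Constructed scenarios; the first three use the 0x400/0x400 masks from the log. */
    struct { const char *label; uint32_t ap, prof; struct sta_state s; } t[] = {
        { "driver SAE, check off",   KM_SAE, KM_SAE, { true,  false, 0, 2, true  } },
        { "no driver SAE flags",     KM_SAE, KM_SAE, { false, false, 0, 2, true  } },
        { "check on, AP without PMF", KM_SAE, KM_SAE, { true,  false, 1, 2, false } },
        { "check on, ieee80211w=0, PSK fallback",
          KM_SAE | KM_PSK, KM_SAE | KM_PSK,          { true,  false, 1, 0, true  } },
    };

    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++) {
        enum sae_result why;
        uint32_t sel = select_key_mgmt(t[i].ap, t[i].prof, &t[i].s, &why);

        printf("%-38s AP 0x%x profile 0x%x available 0x%x (%s)\n",
               t[i].label, (unsigned)t[i].ap, (unsigned)t[i].prof,
               (unsigned)sel, names[why]);
    }
    return 0;
}
```
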
KeithG June 27, 2024, 11:34 a.m. UTC | #21
On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
>
> > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > <arend.vanspriel@broadcom.com> wrote:
> >>
> >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> >>
> >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>> <arend.vanspriel@broadcom.com> wrote:
> >>>>
> >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> >>>>
> >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>
> >>>>>> + Jouni
> >>>>>>
> >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>> 0x18; available group 0x10
> >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>
> >>>>>>
> >>>>>> I suspect the message above indicates the problem as there is no
> >>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>
> >>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>> #ifdef CONFIG_SAE
> >>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>                  WPA_KEY_MGMT_FT_SAE |
> >>>>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>> #endif /* CONFIG_SAE */
> >>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>
> >>>>>> So 0x400 matches the expectation:
> >>>>>>
> >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>
> >>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>> is enabled in configuration file:
> >>>>>>
> >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>> #
> >>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>> # for the connection.
> >>>>>> # Scenarios where this check will limit SAE:
> >>>>>> #  1) ieee80211w=0 is set for the network
> >>>>>> #  2) The AP does not have PMF enabled.
> >>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>> #     the device does not support the BIP cipher.
> >>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>
> >>>>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>>>> specify it.
> >>>>>>
> >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>> update_config=1
> >>>>>> network={
> >>>>>> ssid="deskSAE"
> >>>>>> sae_password="secret123"
> >>>>>> proto=RSN
> >>>>>> key_mgmt=SAE
> >>>>>> pairwise=CCMP
> >>>>>> ieee80211w=2
> >>>>>> }
> >>>>>>
> >>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>> # interface and driver
> >>>>>> interface=ap0
> >>>>>> driver=nl80211
> >>>>>>
> >>>>>> # WIFI-Config
> >>>>>> ssid=deskSAE
> >>>>>> channel=1
> >>>>>> hw_mode=g
> >>>>>>
> >>>>>> wpa=2
> >>>>>> wpa_key_mgmt=SAE
> >>>>>> wpa_pairwise=CCMP
> >>>>>> sae_password=secret123
> >>>>>> sae_groups=19
> >>>>>> ieee80211w=2
> >>>>>> sae_pwe=0
> >>>>>>
> >>>>>> Regards,
> >>>>>> Arend
> >>>>>>
> >>>>>>
> >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>> management type
> >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>> encryption suites
> >>>>>
> >>>>> Arend,
> >>>>>
> >>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>> through your response a few times and am still a bit confused. Does
> >>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>
> >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>
> >>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>> it still would not connect.
> >>>>>
> >>>>> What *should* the configurations be in the hostapd.conf and
> >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>
> >>>> As I mentioned in my previous email both config files listed above look
> >>>> okay to me (might be wrong though). The problem seems to be with
> >>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>
> >>>> sae_check_mfp=1
> >>>>
> >>>> But you don't have that and default is 0 so it should check for MFP. This
> >>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>
> >>>> Regards,
> >>>> Arend
> >>>
> >>> Arend,
> >>>
> >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>> I can do it.
> >>>
> >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>> anything changes.
> >>
> >> Ok. We can try first to put the following in wpa_supplicant.conf:
> >>
> >> sae_check_mfp=0
> >>
> >> Let me know if that makes any difference.
> >>
> >>> Why would I have to re-build wpa_supplicant?
> >>
> >> I would provide a patch with additional debug prints so I get a better
> >> understanding of what is going wrong. Would be great if you can apply that and
> >> rebuild.
> >>
> >> Regards,
> >> Arend
> > Arend,
> >
> > I was able to try it this afternoon.
> > My hostapd is still:
> > # interface and driver
> > interface=ap0
> > driver=nl80211
> >
> > # WIFI-Config
> > ssid=deskSAE
> > channel=1
> > hw_mode=g
> >
> > wpa=2
> > wpa_key_mgmt=SAE
> > wpa_pairwise=CCMP
> > sae_password=secret123
> > sae_groups=19
> > ieee80211w=2
> > sae_pwe=0
> >
> > and I can still connect from my phone to this AP.
> >
> > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > network={
> >  ssid="deskSAE"
> >  sae_password="secret123"
> >  proto=RSN
> >  key_mgmt=SAE
> >  pairwise=CCMP
> >  ieee80211w=2
> >  sae_check_mfp=1
> > }
> >
> > and when I try to connect, I get:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > Line 10: unknown network field 'sae_check_mfp'.
> > Line 11: failed to parse network block.
>
> Right. The setting sae_check_mfp is a global setting like update_config. So
> it should be moved outside the network block.
>
> Regards,
> Arend
>
Arend,

Thanks for the hand holding, I am out of my depth here!

I tried this config and get a similar result.
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
 network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  pairwise=CCMP
  ieee80211w=2
}
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 3: unknown global field 'sae_check_mfp=1'.
Line 3: Invalid configuration line 'sae_check_mfp=1'.
Failed to read or parse configuration
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all

seems it doesn't recognize this parameter.

Keith
KeithG June 27, 2024, 1:46 p.m. UTC | #22
On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
>
> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
> >
> > On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
> >
> > > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > > <arend.vanspriel@broadcom.com> wrote:
> > >>
> > >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> > >>
> > >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > >>> <arend.vanspriel@broadcom.com> wrote:
> > >>>>
> > >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> > >>>>
> > >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > >>>>> <arend.vanspriel@broadcom.com> wrote:
> > >>>>>>
> > >>>>>> + Jouni
> > >>>>>>
> > >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> > >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > >>>>>>> 0x18; available group 0x10
> > >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> > >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > >>>>>>> pairwise 0x10; available pairwise 0x10
> > >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> > >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > >>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> > >>>>>>
> > >>>>>>
> > >>>>>> I suspect the message above indicates the problem as there is no
> > >>>>>> available key_mgmt to select so looked it up in the code and here it is:
> > >>>>>>
> > >>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> > >>>>>> #ifdef CONFIG_SAE
> > >>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > >>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > >>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > >>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> > >>>>>>                  WPA_KEY_MGMT_FT_SAE |
> > >>>>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > >>>>>> #endif /* CONFIG_SAE */
> > >>>>>> #ifdef CONFIG_IEEE80211R
> > >>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> > >>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > >>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> > >>>>>> #endif /* CONFIG_IEEE80211R */
> > >>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> > >>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> > >>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> > >>>>>>
> > >>>>>> So 0x400 matches the expectation:
> > >>>>>>
> > >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> > >>>>>>
> > >>>>>> You already confirmed that the driver reports SAE and SAE offload
> > >>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> > >>>>>> check whether the AP and network profile are setup to MFP. This seems to
> > >>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> > >>>>>> ieee80211w=2 defined. This function can only return true when
> > >>>>>> is enabled in configuration file:
> > >>>>>>
> > >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > >>>>>> # 0 = Do not check PMF for SAE (default)
> > >>>>>> # 1 = Limit SAE when PMF is not enabled
> > >>>>>> #
> > >>>>>> # When enabled SAE will not be selected if PMF will not be used
> > >>>>>> # for the connection.
> > >>>>>> # Scenarios where this check will limit SAE:
> > >>>>>> #  1) ieee80211w=0 is set for the network
> > >>>>>> #  2) The AP does not have PMF enabled.
> > >>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> > >>>>>> #     the device does not support the BIP cipher.
> > >>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> > >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > >>>>>> # In the example WPA-PSK will be used if the device does not support
> > >>>>>> # the BIP cipher or the AP has PMF disabled.
> > >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> > >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> > >>>>>> # not support PMF due to lack of the BIP cipher.
> > >>>>>>
> > >>>>>> The default is not to check it and your wpa_supplicant.conf does not
> > >>>>>> specify it.
> > >>>>>>
> > >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > >>>>>> update_config=1
> > >>>>>> network={
> > >>>>>> ssid="deskSAE"
> > >>>>>> sae_password="secret123"
> > >>>>>> proto=RSN
> > >>>>>> key_mgmt=SAE
> > >>>>>> pairwise=CCMP
> > >>>>>> ieee80211w=2
> > >>>>>> }
> > >>>>>>
> > >>>>>> $ cat /etc/hostapd/hostapd.conf
> > >>>>>> # interface and driver
> > >>>>>> interface=ap0
> > >>>>>> driver=nl80211
> > >>>>>>
> > >>>>>> # WIFI-Config
> > >>>>>> ssid=deskSAE
> > >>>>>> channel=1
> > >>>>>> hw_mode=g
> > >>>>>>
> > >>>>>> wpa=2
> > >>>>>> wpa_key_mgmt=SAE
> > >>>>>> wpa_pairwise=CCMP
> > >>>>>> sae_password=secret123
> > >>>>>> sae_groups=19
> > >>>>>> ieee80211w=2
> > >>>>>> sae_pwe=0
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> Arend
> > >>>>>>
> > >>>>>>
> > >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > >>>>>>> management type
> > >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > >>>>>>> encryption suites
> > >>>>>
> > >>>>> Arend,
> > >>>>>
> > >>>>> I find the wpa_supplicant docs really hard to understand. I have read
> > >>>>> through your response a few times and am still a bit confused. Does
> > >>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> > >>>>
> > >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> > >>>>
> > >>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > >>>>> still cannot get a connection, so I must be doing something wrong.
> > >>>>> I commented the ieee80211w line on both and it would not connect.
> > >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > >>>>> it still would not connect.
> > >>>>>
> > >>>>> What *should* the configurations be in the hostapd.conf and
> > >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > >>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> > >>>>> with the original hostapd setup, but I have no idea what it is doing
> > >>>>
> > >>>> As I mentioned in my previous email both config files listed above look
> > >>>> okay to me (might be wrong though). The problem seems to be with
> > >>>> wpas_is_sae_avoided(). For it to return true the config should have:
> > >>>>
> > >>>> sae_check_mfp=1
> > >>>>
> > >>>> But you don't have that and default is 0 so it should check for MFP. This
> > >>>> is where my trail ends. To learn more I would add additional debug prints.
> > >>>> Are you comfortable rebuilding wpa_supplicant from source?
> > >>>>
> > >>>> Regards,
> > >>>> Arend
> > >>>
> > >>> Arend,
> > >>>
> > >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> > >>> source. This is on RPi, so debian *.debs which are a pain, but I think
> > >>> I can do it.
> > >>>
> > >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> > >>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> > >>> anything changes.
> > >>
> > >> Ok. We can try first to put following in wpa_supplicant.conf:
> > >>
> > >> sae_check_mfp=0
> > >>
> > >> Let me know if that makes any difference.
> > >>
> > >>> Why would I have to re-build wpa_supplicant?
> > >>
> > >> I would provide a patch with additional debug prints so I get better
> > >> understanding what is going wrong. Would be great if you can apply that and
> > >> rebuild.
> > >>
> > >> Regards,
> > >> Arend
> > > Arend,
> > >
> > > I was able to try it this afternoon.
> > > My hostapd is still:
> > > # interface and driver
> > > interface=ap0
> > > driver=nl80211
> > >
> > > # WIFI-Config
> > > ssid=deskSAE
> > > channel=1
> > > hw_mode=g
> > >
> > > wpa=2
> > > wpa_key_mgmt=SAE
> > > wpa_pairwise=CCMP
> > > sae_password=secret123
> > > sae_groups=19
> > > ieee80211w=2
> > > sae_pwe=0
> > >
> > > and I can still connect from my phone to this AP.
> > >
> > > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > update_config=1
> > > network={
> > >  ssid="deskSAE"
> > >  sae_password="secret123"
> > >  proto=RSN
> > >  key_mgmt=SAE
> > >  pairwise=CCMP
> > >  ieee80211w=2
> > >  sae_check_mfp=1
> > > }
> > >
> > > and when I try to connect, I get:
> > > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > Successfully initialized wpa_supplicant
> > > Line 10: unknown network field 'sae_check_mfp'.
> > > Line 11: failed to parse network block.
> >
> > Right. The setting sae_check_mfp is a global setting like update_config. So
> > it should be moved outside the network block.
> >
> > Regards,
> > Arend
> >
> Arend,
>
> Thanks for the hand holding, I am out of my depth here!
>
> I tried this config and get a similar result.
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> sae_check_mfp=1
>  network={
>   ssid="deskSAE"
>   sae_password="secret123"
>   proto=RSN
>   key_mgmt=SAE
>   pairwise=CCMP
>   ieee80211w=2
> }
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> Line 3: unknown global field 'sae_check_mfp=1'.
> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> Failed to read or parse configuration
> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> : CTRL-EVENT-DSCP-POLICY clear_all
>
> seems it doesn't recognize this parameter.
>
> Keith

Replying to my own post.
I re-built wpa_supplicant from the current git:
# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors

It now seems to recognize the 'sae_check_mfp' parameter, but still
does not connect:
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
auth_failures=1 duration=10 reason=CONN_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
ignoring for 10 seconds
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
auth_failures=2 duration=20 reason=CONN_FAILED
^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: CTRL-EVENT-TERMINATING
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING

I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
connect with this 'current' version of wpa_supplicant.

Keith
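
The first parse error quoted above ("Line 10: unknown network field 'sae_check_mfp'") is a placement problem: the option is global, not per network. As an added example (not code from this thread or from the wpa_supplicant project), a small linter for that placement and for SAE profiles that leave PMF off; the `GLOBAL_ONLY` set, the function names and the sample configs are constructed for illustration.

```python
"""Lint a wpa_supplicant.conf for two SAE/PMF pitfalls discussed in this thread."""

# Fields the thread and its quoted documentation treat as global
# (not valid inside network={...}). Illustrative subset, not a full list.
GLOBAL_ONLY = {"ctrl_interface", "update_config", "sae_check_mfp", "pmf"}

# Constructed from the first attempt quoted in the thread.
FIRST_ATTEMPT = """\
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
 ssid="deskSAE"
 sae_password="secret123"
 proto=RSN
 key_mgmt=SAE
 pairwise=CCMP
 ieee80211w=2
 sae_check_mfp=1
}
"""

# Same profile with the option moved to the global section.
SECOND_ATTEMPT = """\
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
network={
 ssid="deskSAE"
 sae_password="secret123"
 proto=RSN
 key_mgmt=SAE
 pairwise=CCMP
 ieee80211w=2
}
"""


def parse_conf(text):
    """Split a config into global fields and network blocks.

    Values are stored as (value, line_number) so a finding can point at the
    same line number wpa_supplicant prints in its parse errors.
    """
    global_fields, networks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
            networks.append(current)
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            target = global_fields if current is None else current
            target[key.strip()] = (value.strip().strip('"'), lineno)
    return global_fields, networks


def lint(text):
    """Return a sorted list of (line_number, message) findings."""
    global_fields, networks = parse_conf(text)
    global_pmf = global_fields.get("pmf", ("0", 0))[0]
    findings = []
    for net in networks:
        ssid = net.get("ssid", ("<unset>", 0))[0]
        # Pitfall 1: a global field placed inside the network block.
        for key in sorted(GLOBAL_ONLY & net.keys()):
            findings.append(
                (net[key][1], f"{key} is a global field; move it above network={{ (ssid {ssid})"))
        # Pitfall 2: SAE requested while PMF is off for this profile.
        key_mgmt, km_line = net.get("key_mgmt", ("", 0))
        if "SAE" not in key_mgmt.split():
            continue
        if "ieee80211w" in net:
            value, line = net["ieee80211w"]
            if value == "0":
                findings.append(
                    (line, f"key_mgmt includes SAE but ieee80211w=0 disables PMF (ssid {ssid})"))
        elif global_pmf == "0":
            findings.append(
                (km_line, f"key_mgmt includes SAE but neither ieee80211w nor global pmf enables PMF (ssid {ssid})"))
    return sorted(findings)


if __name__ == "__main__":
    for name, conf in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        print(name, lint(conf) or "no findings")
```

A clean result only says the file is laid out correctly; whether the installed wpa_supplicant build knows `sae_check_mfp` at all is a separate question, as the second parse error in the thread shows.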

Arend van Spriel June 27, 2024, 2:46 p.m. UTC | #23
On June 27, 2024 3:46:35 PM KeithG <ys3al35l@gmail.com> wrote:

> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
>>
>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
>> <arend.vanspriel@broadcom.com> wrote:
>>>
>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
>>>
>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>
>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>
>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>
>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>
>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>
>>>>>>>>> + Jouni
>>>>>>>>>
>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
>>>>>>>>>> 0x18; available group 0x10
>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
>>>>>>>>>> pairwise 0x10; available pairwise 0x10
>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
>>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I suspect the message above indicates the problem as there is no
>>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
>>>>>>>>>
>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>>>>> #ifdef CONFIG_SAE
>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>>>> WPA_KEY_MGMT_FT_SAE |
>>>>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>>>>> #endif /* CONFIG_SAE */
>>>>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>>>> sel &= ~WPA_KEY_MGMT_FT;
>>>>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
>>>>>>>>> available key_mgmt 0x%x",
>>>>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>>>>
>>>>>>>>> So 0x400 matches the expectation:
>>>>>>>>>
>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>>>>
>>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
>>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
>>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
>>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
>>>>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>>>>> is enabled in configuration file:
>>>>>>>>>
>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>>>>> #
>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>>>>> # for the connection.
>>>>>>>>> # Scenarios where this check will limit SAE:
>>>>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>>>>> #  2) The AP does not have PMF enabled.
>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>>>>> #     the device does not support the BIP cipher.
>>>>>>>>> # Consider the configuration of global parameterss sae_check_mfp=1,
>>>>>>>>> pmf=1 and a
>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>>>>
>>>>>>>>> The default is not to check it and your wpa_supplicant.conf does not
>>>>>>>>> specify it.
>>>>>>>>>
>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>>>> update_config=1
>>>>>>>>> network={
>>>>>>>>> ssid="deskSAE"
>>>>>>>>> sae_password="secret123"
>>>>>>>>> proto=RSN
>>>>>>>>> key_mgmt=SAE
>>>>>>>>> pairwise=CCMP
>>>>>>>>> ieee80211w=2
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>>>>> # interface and driver
>>>>>>>>> interface=ap0
>>>>>>>>> driver=nl80211
>>>>>>>>>
>>>>>>>>> # WIFI-Config
>>>>>>>>> ssid=deskSAE
>>>>>>>>> channel=1
>>>>>>>>> hw_mode=g
>>>>>>>>>
>>>>>>>>> wpa=2
>>>>>>>>> wpa_key_mgmt=SAE
>>>>>>>>> wpa_pairwise=CCMP
>>>>>>>>> sae_password=secret123
>>>>>>>>> sae_groups=19
>>>>>>>>> ieee80211w=2
>>>>>>>>> sae_pwe=0
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Arend
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
>>>>>>>>>> management type
>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
>>>>>>>>>> encryption suites
>>>>>>>>
>>>>>>>> Arend,
>>>>>>>>
>>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
>>>>>>>> through your response a few times and am still a bit confused. Does
>>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>>>>
>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>>>>
>>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
>>>>>>>> still cannot get a connection, so I must be doing something wrong.
>>>>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
>>>>>>>> it still would not connect.
>>>>>>>>
>>>>>>>> What *should* the configurations be in the hostapd.conf and
>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
>>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
>>>>>>>> with the original hostapd setup, but I have no idea what it is doing
>>>>>>>
>>>>>>> As I mentioned in my previous email both config files listed above look
>>>>>>> okay to me (might be wrong though). The problem seems to be with
>>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
>>>>>>>
>>>>>>> sae_check_mfp=1
>>>>>>>
>>>>>>> But you don't have that and default is 0 so it should check for MFP. This
>>>>>>> is where my trail ends. To learn more I would add additional debug prints.
>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Arend
>>>>>>
>>>>>> Arend,
>>>>>>
>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
>>>>>> I can do it.
>>>>>>
>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
>>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
>>>>>> anything changes.
>>>>>
>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
>>>>>
>>>>> sae_check_mfp=0
>>>>>
>>>>> Let me know if that makes any difference.
>>>>>
>>>>>> Why would I have to re-build wpa_supplicant?
>>>>>
>>>>> I would provide a patch with additional debug prints so I get better
>>>>> understanding what is going wrong. Would be great if you can apply that and
>>>>> rebuild.
>>>>>
>>>>> Regards,
>>>>> Arend
>>>> Arend,
>>>>
>>>> I was able to try it this afternoon.
>>>> My hostapd is still:
>>>> # interface and driver
>>>> interface=ap0
>>>> driver=nl80211
>>>>
>>>> # WIFI-Config
>>>> ssid=deskSAE
>>>> channel=1
>>>> hw_mode=g
>>>>
>>>> wpa=2
>>>> wpa_key_mgmt=SAE
>>>> wpa_pairwise=CCMP
>>>> sae_password=secret123
>>>> sae_groups=19
>>>> ieee80211w=2
>>>> sae_pwe=0
>>>>
>>>> and I can still connect from my phone to this AP.
>>>>
>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>> update_config=1
>>>> network={
>>>> ssid="deskSAE"
>>>> sae_password="secret123"
>>>> proto=RSN
>>>> key_mgmt=SAE
>>>> pairwise=CCMP
>>>> ieee80211w=2
>>>> sae_check_mfp=1
>>>> }
>>>>
>>>> and when I try to connect, I get:
>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> Successfully initialized wpa_supplicant
>>>> Line 10: unknown network field 'sae_check_mfp'.
>>>> Line 11: failed to parse network block.
>>>
>>> Right. The setting sae_check_mfp is a global setting like update_config. So
>>> it should be moved outside the network block.
>>>
>>> Regards,
>>> Arend
>> Arend,
>>
>> Thanks for the hand holding, I am out of my depth here!
>>
>> I tried this config and get a similar result.
>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>> update_config=1
>> sae_check_mfp=1
>> network={
>> ssid="deskSAE"
>> sae_password="secret123"
>> proto=RSN
>> key_mgmt=SAE
>> pairwise=CCMP
>> ieee80211w=2
>> }
>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>> Successfully initialized wpa_supplicant
>> Line 3: unknown global field 'sae_check_mfp=1'.
>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
>> Failed to read or parse configuration
>> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
>> : CTRL-EVENT-DSCP-POLICY clear_all
>>
>> seems it doesn't recognize this parameter.
>>
>> Keith
>
> Replying to my own post.
> I re-built wpa_supplicant from the current git:
> # wpa_supplicant -v
> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
>
> It now seems to recognize the 'sae_check_mfp' parameter, but still
> does not connect:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> auth_failures=1 duration=10 reason=CONN_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> auth_failures=2 duration=20 reason=CONN_FAILED
> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> wlan0: CTRL-EVENT-TERMINATING
>
> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> connect with this 'current' version of wpa_supplicant.

Right. So I should have asked about the wpa_supplicant from the start. Let
me work on a patch for debugging this based on git version (SHA1: c9db4925f).

Regards,
Arend

KeithG July 1, 2024, 8:08 p.m. UTC | #24
On Thu, Jun 27, 2024 at 9:46 AM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On June 27, 2024 3:46:35 PM KeithG <ys3al35l@gmail.com> wrote:
>
> > On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
> >>
> >> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> >> <arend.vanspriel@broadcom.com> wrote:
> >>>
> >>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
> >>>
> >>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> >>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>
> >>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> >>>>>
> >>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>>
> >>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>>>>
> >>>>>>>>> + Jouni
> >>>>>>>>>
> >>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>>>>> 0x18; available group 0x10
> >>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I suspect the message above indicates the problem as there is no
> >>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>>>>
> >>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>>>>> #ifdef CONFIG_SAE
> >>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>>>> WPA_KEY_MGMT_FT_SAE |
> >>>>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>>>>> #endif /* CONFIG_SAE */
> >>>>>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>>>> sel &= ~WPA_KEY_MGMT_FT;
> >>>>>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;
> >>>>>>>>> available key_mgmt 0x%x",
> >>>>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>>>>
> >>>>>>>>> So 0x400 matches the expectation:
> >>>>>>>>>
> >>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>>>>
> >>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>>>>> is enabled in configuration file:
> >>>>>>>>>
> >>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>>>>> #
> >>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>>>>> # for the connection.
> >>>>>>>>> # Scenarios where this check will limit SAE:
> >>>>>>>>> #  1) ieee80211w=0 is set for the network
> >>>>>>>>> #  2) The AP does not have PMF enabled.
> >>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>>>>> #     the device does not support the BIP cipher.
> >>>>>>>>> # Consider the configuration of global parameterss sae_check_mfp=1,
> >>>>>>>>> pmf=1 and a
> >>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>>>>
> >>>>>>>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>>>>>>> specify it.
> >>>>>>>>>
> >>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>>>>> update_config=1
> >>>>>>>>> network={
> >>>>>>>>> ssid="deskSAE"
> >>>>>>>>> sae_password="secret123"
> >>>>>>>>> proto=RSN
> >>>>>>>>> key_mgmt=SAE
> >>>>>>>>> pairwise=CCMP
> >>>>>>>>> ieee80211w=2
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>>>>> # interface and driver
> >>>>>>>>> interface=ap0
> >>>>>>>>> driver=nl80211
> >>>>>>>>>
> >>>>>>>>> # WIFI-Config
> >>>>>>>>> ssid=deskSAE
> >>>>>>>>> channel=1
> >>>>>>>>> hw_mode=g
> >>>>>>>>>
> >>>>>>>>> wpa=2
> >>>>>>>>> wpa_key_mgmt=SAE
> >>>>>>>>> wpa_pairwise=CCMP
> >>>>>>>>> sae_password=secret123
> >>>>>>>>> sae_groups=19
> >>>>>>>>> ieee80211w=2
> >>>>>>>>> sae_pwe=0
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Arend
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>>>>> management type
> >>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>>>>> encryption suites
> >>>>>>>>
> >>>>>>>> Arend,
> >>>>>>>>
> >>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>>>>> through your response a few times and am still a bit confused. Does
> >>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>>>>
> >>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>>>>
> >>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>>>>> it still would not connect.
> >>>>>>>>
> >>>>>>>> What *should* the configurations be in the hostapd.conf and
> >>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>>>>
> >>>>>>> As I mentioned in my previous email both config files listed above look
> >>>>>>> okay to me (might be wrong though). The problem seems to be with
> >>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>>>>
> >>>>>>> sae_check_mfp=1
> >>>>>>>
> >>>>>>> But you don't have that and default is 0 so it should check for MFP. This
> >>>>>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Arend
> >>>>>>
> >>>>>> Arend,
> >>>>>>
> >>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>>>>> I can do it.
> >>>>>>
> >>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>>>>> anything changes.
> >>>>>
> >>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> >>>>>
> >>>>> sae_check_mfp=0
> >>>>>
> >>>>> Let me know if that makes any difference.
> >>>>>
> >>>>>> Why would I have to re-build wpa_supplicant?
> >>>>>
> >>>>> I would provide a patch with additional debug prints so I get better
> >>>>> understanding what is going wrong. Would be great if you can apply that and
> >>>>> rebuild.
> >>>>>
> >>>>> Regards,
> >>>>> Arend
> >>>> Arend,
> >>>>
> >>>> I was able to try it this afternoon.
> >>>> My hostapd is still:
> >>>> # interface and driver
> >>>> interface=ap0
> >>>> driver=nl80211
> >>>>
> >>>> # WIFI-Config
> >>>> ssid=deskSAE
> >>>> channel=1
> >>>> hw_mode=g
> >>>>
> >>>> wpa=2
> >>>> wpa_key_mgmt=SAE
> >>>> wpa_pairwise=CCMP
> >>>> sae_password=secret123
> >>>> sae_groups=19
> >>>> ieee80211w=2
> >>>> sae_pwe=0
> >>>>
> >>>> and I can still connect from my phone to this AP.
> >>>>
> >>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>> update_config=1
> >>>> network={
> >>>> ssid="deskSAE"
> >>>> sae_password="secret123"
> >>>> proto=RSN
> >>>> key_mgmt=SAE
> >>>> pairwise=CCMP
> >>>> ieee80211w=2
> >>>> sae_check_mfp=1
> >>>> }
> >>>>
> >>>> and when I try to connect, I get:
> >>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>> Successfully initialized wpa_supplicant
> >>>> Line 10: unknown network field 'sae_check_mfp'.
> >>>> Line 11: failed to parse network block.
> >>>
> >>> Right. The setting sae_check_mfp is a global setting like update_config. So
> >>> it should be moved outside the network block.
> >>>
> >>> Regards,
> >>> Arend
> >> Arend,
> >>
> >> Thanks for the hand holding, I am out of my depth here!
> >>
> >> I tried this config and get a similar result.
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> sae_check_mfp=1
> >> network={
> >> ssid="deskSAE"
> >> sae_password="secret123"
> >> proto=RSN
> >> key_mgmt=SAE
> >> pairwise=CCMP
> >> ieee80211w=2
> >> }
> >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> Successfully initialized wpa_supplicant
> >> Line 3: unknown global field 'sae_check_mfp=1'.
> >> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> >> Failed to read or parse configuration
> >> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> >> : CTRL-EVENT-DSCP-POLICY clear_all
> >>
> >> seems it doesn't recognize this parameter.
> >>
> >> Keith
> >
> > Replying to my own post.
> > I re-built wpa_supplicant from the current git:
> > # wpa_supplicant -v
> > wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> > Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
> >
> > It now seems to recognize the 'sae_check_mfp' parameter, but still
> > does not connect:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=1 duration=10 reason=CONN_FAILED
> > wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> > wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> > ignoring for 10 seconds
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: Trying to associate with SSID 'deskSAE'
> > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > auth_failures=2 duration=20 reason=CONN_FAILED
> > ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> > p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> > wlan0: CTRL-EVENT-TERMINATING
> >
> > I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> > connect with this 'current' version of wpa_supplicant.
>
> Right. So I should have asked about the wpa_supplicant from the start. Let
> me work on a patch for debugging this based on git version (SHA1: c9db4925f).
>
> Regards,
> Arend
>
Arend,

I ran across this note today and investigated it with the
wpa_supplicant I am now using:
https://github.com/raspberrypi/linux/pull/5945

It still will not connect with this firmware
# dmesg | grep brcmfm
[    1.995113] brcmfmac: F1 signature read @0x18000000=0x15264345
[    2.002317] brcmfmac: brcmf_fw_alloc_request: using
brcm/brcmfmac43455-sdio for chip BCM4345/6
[    2.002497] usbcore: registered new interface driver brcmfmac
[    2.223405] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob
available (err=-2)
[    2.224010] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6
wl0: Aug 29 2023 01:47:08 version 7.45.265 (28bca26 CY) FWID
01-b677b91b
[  109.454302] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save enabled
[  109.508572] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
[  113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52

this config:
# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
 network={
  ssid="deskSAE"
  sae_password="secret123"
  proto=RSN
  key_mgmt=SAE
  ieee80211w=2
}

# wpa_supplicant -v
wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
...
nl80211: kernel reports: Match already configured
wlan0: Authentication with d8:3a:dd:60:a3:0c timed out.
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
nl80211: send_event_marker failed: Source based routing not supported
wlan0: CTRL-EVENT-DISCONNECTED bssid=d8:3a:dd:60:a3:0c reason=3
locally_generated=1
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
wlan0: Trying to associate with SSID 'deskSAE'
...
KeithG July 1, 2024, 8:54 p.m. UTC | #25
On Mon, Jul 1, 2024 at 3:08 PM KeithG <ys3al35l@gmail.com> wrote:
>
> On Thu, Jun 27, 2024 at 9:46 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
> >
> > On June 27, 2024 3:46:35 PM KeithG <ys3al35l@gmail.com> wrote:
> >
> > > On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
> > >>
> > >> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> > >> <arend.vanspriel@broadcom.com> wrote:
> > >>>
> > >>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
> > >>>
> > >>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > >>>> <arend.vanspriel@broadcom.com> wrote:
> > >>>>>
> > >>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> > >>>>>
> > >>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > >>>>>> <arend.vanspriel@broadcom.com> wrote:
> > >>>>>>>
> > >>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> > >>>>>>>
> > >>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > >>>>>>>> <arend.vanspriel@broadcom.com> wrote:
> > >>>>>>>>>
> > >>>>>>>>> + Jouni
> > >>>>>>>>>
> > >>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> > >>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > >>>>>>>>>> 0x18; available group 0x10
> > >>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> > >>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > >>>>>>>>>> pairwise 0x10; available pairwise 0x10
> > >>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> > >>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > >>>>>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> I suspect the message above indicates the problem as there is no
> > >>>>>>>>> available key_mgmt to select so looked it up in the code and here it is:
> > >>>>>>>>>
> > >>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> > >>>>>>>>> #ifdef CONFIG_SAE
> > >>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > >>>>>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > >>>>>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > >>>>>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> > >>>>>>>>> WPA_KEY_MGMT_FT_SAE |
> > >>>>>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > >>>>>>>>> #endif /* CONFIG_SAE */
> > >>>>>>>>> #ifdef CONFIG_IEEE80211R
> > >>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> > >>>>>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > >>>>>>>>> sel &= ~WPA_KEY_MGMT_FT;
> > >>>>>>>>> #endif /* CONFIG_IEEE80211R */
> > >>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> > >>>>>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> > >>>>>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
> > >>>>>>>>>
> > >>>>>>>>> So 0x400 matches the expectation:
> > >>>>>>>>>
> > >>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> > >>>>>>>>>
> > >>>>>>>>> You already confirmed that the driver reports SAE and SAE offload
> > >>>>>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> > >>>>>>>>> check whether the AP and network profile are setup to MFP. This seems to
> > >>>>>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> > >>>>>>>>> ieee80211w=2 defined. This function can only return true when
> > >>>>>>>>> is enabled in configuration file:
> > >>>>>>>>>
> > >>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > >>>>>>>>> # 0 = Do not check PMF for SAE (default)
> > >>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> > >>>>>>>>> #
> > >>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> > >>>>>>>>> # for the connection.
> > >>>>>>>>> # Scenarios where this check will limit SAE:
> > >>>>>>>>> #  1) ieee80211w=0 is set for the network
> > >>>>>>>>> #  2) The AP does not have PMF enabled.
> > >>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> > >>>>>>>>> #     the device does not support the BIP cipher.
> > >>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1,
> > >>>>>>>>> # pmf=1 and a
> > >>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > >>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> > >>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> > >>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> > >>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> > >>>>>>>>> # not support PMF due to lack of the BIP cipher.
> > >>>>>>>>>
> > >>>>>>>>> The default is not to check it and your wpa_supplicant.conf does not
> > >>>>>>>>> specify it.
> > >>>>>>>>>
> > >>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > >>>>>>>>> update_config=1
> > >>>>>>>>> network={
> > >>>>>>>>> ssid="deskSAE"
> > >>>>>>>>> sae_password="secret123"
> > >>>>>>>>> proto=RSN
> > >>>>>>>>> key_mgmt=SAE
> > >>>>>>>>> pairwise=CCMP
> > >>>>>>>>> ieee80211w=2
> > >>>>>>>>> }
> > >>>>>>>>>
> > >>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> > >>>>>>>>> # interface and driver
> > >>>>>>>>> interface=ap0
> > >>>>>>>>> driver=nl80211
> > >>>>>>>>>
> > >>>>>>>>> # WIFI-Config
> > >>>>>>>>> ssid=deskSAE
> > >>>>>>>>> channel=1
> > >>>>>>>>> hw_mode=g
> > >>>>>>>>>
> > >>>>>>>>> wpa=2
> > >>>>>>>>> wpa_key_mgmt=SAE
> > >>>>>>>>> wpa_pairwise=CCMP
> > >>>>>>>>> sae_password=secret123
> > >>>>>>>>> sae_groups=19
> > >>>>>>>>> ieee80211w=2
> > >>>>>>>>> sae_pwe=0
> > >>>>>>>>>
> > >>>>>>>>> Regards,
> > >>>>>>>>> Arend
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > >>>>>>>>>> management type
> > >>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > >>>>>>>>>> encryption suites
> > >>>>>>>>
> > >>>>>>>> Arend,
> > >>>>>>>>
> > >>>>>>>> I find the wpa_supplicant docs really hard to understand. I have read
> > >>>>>>>> through your response a few times and am still a bit confused. Does
> > >>>>>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> > >>>>>>>
> > >>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> > >>>>>>>
> > >>>>>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > >>>>>>>> still cannot get a connection, so I must be doing something wrong.
> > >>>>>>>> I commented the ieee80211w line on both and it would not connect.
> > >>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > >>>>>>>> it still would not connect.
> > >>>>>>>>
> > >>>>>>>> What *should* the configurations be in the hostapd.conf and
> > >>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > >>>>>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> > >>>>>>>> with the original hostapd setup, but I have no idea what it is doing
> > >>>>>>>
> > >>>>>>> As I mentioned in my previous email both config files listed above look
> > >>>>>>> okay to me (might be wrong though). The problem seems to be with
> > >>>>>>> wpas_is_sae_avoided(). For it to return true the config should have:
> > >>>>>>>
> > >>>>>>> sae_check_mfp=1
> > >>>>>>>
> > >>>>>>> But you don't have that and default is 0 so it should check for MFP. This
> > >>>>>>> is where my trail ends. To learn more I would add additional debug prints.
> > >>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> > >>>>>>>
> > >>>>>>> Regards,
> > >>>>>>> Arend
> > >>>>>>
> > >>>>>> Arend,
> > >>>>>>
> > >>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> > >>>>>> source. This is on RPi, so debian *.debs which are a pain, but I think
> > >>>>>> I can do it.
> > >>>>>>
> > >>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> > >>>>>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> > >>>>>> anything changes.
> > >>>>>
> > >>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> > >>>>>
> > >>>>> sae_check_mfp=0
> > >>>>>
> > >>>>> Let me know if that makes any difference.
> > >>>>>
> > >>>>>> Why would I have to re-build wpa_supplicant?
> > >>>>>
> > >>>>> I would provide a patch with additional debug prints so I get better
> > >>>>> understanding what is going wrong. Would be great if you can apply that and
> > >>>>> rebuild.
> > >>>>>
> > >>>>> Regards,
> > >>>>> Arend
> > >>>> Arend,
> > >>>>
> > >>>> I was able to try it this afternoon.
> > >>>> My hostapd is still:
> > >>>> # interface and driver
> > >>>> interface=ap0
> > >>>> driver=nl80211
> > >>>>
> > >>>> # WIFI-Config
> > >>>> ssid=deskSAE
> > >>>> channel=1
> > >>>> hw_mode=g
> > >>>>
> > >>>> wpa=2
> > >>>> wpa_key_mgmt=SAE
> > >>>> wpa_pairwise=CCMP
> > >>>> sae_password=secret123
> > >>>> sae_groups=19
> > >>>> ieee80211w=2
> > >>>> sae_pwe=0
> > >>>>
> > >>>> and I can still connect from my phone to this AP.
> > >>>>
> > >>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > >>>> update_config=1
> > >>>> network={
> > >>>> ssid="deskSAE"
> > >>>> sae_password="secret123"
> > >>>> proto=RSN
> > >>>> key_mgmt=SAE
> > >>>> pairwise=CCMP
> > >>>> ieee80211w=2
> > >>>> sae_check_mfp=1
> > >>>> }
> > >>>>
> > >>>> and when I try to connect, I get:
> > >>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >>>> Successfully initialized wpa_supplicant
> > >>>> Line 10: unknown network field 'sae_check_mfp'.
> > >>>> Line 11: failed to parse network block.
> > >>>
> > >>> Right. The setting sae_check_mfp is a global setting like update_config. So
> > >>> it should be moved outside the network block.
> > >>>
> > >>> Regards,
> > >>> Arend
> > >> Arend,
> > >>
> > >> Thanks for the hand holding, I am out of my depth here!
> > >>
> > >> I tried this config and get a similar result.
> > >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > >> update_config=1
> > >> sae_check_mfp=1
> > >> network={
> > >> ssid="deskSAE"
> > >> sae_password="secret123"
> > >> proto=RSN
> > >> key_mgmt=SAE
> > >> pairwise=CCMP
> > >> ieee80211w=2
> > >> }
> > >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > >> Successfully initialized wpa_supplicant
> > >> Line 3: unknown global field 'sae_check_mfp=1'.
> > >> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> > >> Failed to read or parse configuration
> > >> '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> > >> : CTRL-EVENT-DSCP-POLICY clear_all
> > >>
> > >> seems it doesn't recognize this parameter.
> > >>
> > >> Keith
> > >
> > > Replying to my own post.
> > > I re-built wpa_supplicant from the current git:
> > > # wpa_supplicant -v
> > > wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> > > Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
> > >
> > > It now seems to recognize the 'sae_check_mfp' parameter, but still
> > > does not connect:
> > > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > Successfully initialized wpa_supplicant
> > > wlan0: Trying to associate with SSID 'deskSAE'
> > > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > > wlan0: Trying to associate with SSID 'deskSAE'
> > > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > > wlan0: Trying to associate with SSID 'deskSAE'
> > > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > > wlan0: Trying to associate with SSID 'deskSAE'
> > > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > > auth_failures=1 duration=10 reason=CONN_FAILED
> > > wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> > > wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> > > ignoring for 10 seconds
> > > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > > wlan0: Trying to associate with SSID 'deskSAE'
> > > wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> > > wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> > > wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> > > auth_failures=2 duration=20 reason=CONN_FAILED
> > > ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > > p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > > nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> > > p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> > > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > > wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> > > wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> > > nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> > > wlan0: CTRL-EVENT-TERMINATING
> > >
> > > I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> > > connect with this 'current' version of wpa_supplicant.
> >
> > Right. So I should have asked about the wpa_supplicant from the start. Let
> > me work on patch for debugging this based on git version (SHA1: c9db4925f).
> >
> > Regards,
> > Arend
> >
> Arend,
>
> I ran across this note today and investigated it with the
> wpa_supplicant I am now using:
> https://github.com/raspberrypi/linux/pull/5945
>
> It still will not connect with this firmware
> # dmesg | grep brcmfm
> [    1.995113] brcmfmac: F1 signature read @0x18000000=0x15264345
> [    2.002317] brcmfmac: brcmf_fw_alloc_request: using
> brcm/brcmfmac43455-sdio for chip BCM4345/6
> [    2.002497] usbcore: registered new interface driver brcmfmac
> [    2.223405] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob
> available (err=-2)
> [    2.224010] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6
> wl0: Aug 29 2023 01:47:08 version 7.45.265 (28bca26 CY) FWID
> 01-b677b91b
> [  109.454302] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save enabled
> [  109.508572] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
> [  113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52
>
> this config:
> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
>  network={
>   ssid="deskSAE"
>   sae_password="secret123"
>   proto=RSN
>   key_mgmt=SAE
>   ieee80211w=2
> }
>
> # wpa_supplicant -v
> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
>
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ...
> nl80211: kernel reports: Match already configured
> wlan0: Authentication with d8:3a:dd:60:a3:0c timed out.
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> nl80211: send_event_marker failed: Source based routing not supported
> wlan0: CTRL-EVENT-DISCONNECTED bssid=d8:3a:dd:60:a3:0c reason=3
> locally_generated=1
> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
> ignoring for 10 seconds
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
> wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
> wlan0: Trying to associate with SSID 'deskSAE'
> ...
Take that and reverse it...
I was having a conflict and figured out that:
wpa_supplicant.service was running and failed to connect as it did not
have the proper config for the SSID in question.

Once I stopped the service and tried to connect via cli, I was able to
get it to do so and was able to verify the connection worked:

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
nl80211: kernel reports: Registration to specific type not supported
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: PMKSA-CACHE-ADDED d8:3a:dd:60:a3:0c 0
wlan0: Authentication with d8:3a:dd:60:a3:0c timed out.
wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
nl80211: send_event_marker failed: Source based routing not supported
wlan0: CTRL-EVENT-DISCONNECTED bssid=d8:3a:dd:60:a3:0c reason=3
locally_generated=1
wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2,
ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
wlan0: Trying to associate with SSID 'deskSAE'
wlan0: Associated with d8:3a:dd:60:a3:0c
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: WPA: Key negotiation completed with d8:3a:dd:60:a3:0c [PTK=CCMP GTK=CCMP]
wlan0: CTRL-EVENT-CONNECTED - Connection to d8:3a:dd:60:a3:0c
completed [id=0 id_str=]
ctrl c to break and restart
# wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
nl80211: kernel reports: Registration to specific type not supported
# dhclient wlan0
# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.177  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6 fe80::da3a:ddff:fed2:ae3c  prefixlen 64  scopeid 0x20<link>
        ether d8:3a:dd:d2:ae:3c  txqueuelen 1000  (Ethernet)
        RX packets 46  bytes 8973 (8.7 KiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 107  bytes 20686 (20.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

so, it appears that SAE does work, but you need to have a newer
cyfmac.bin file than what is shipped on the RPis.
This is what is reported, currently:
# dmesg | grep brcmfm
[    1.995113] brcmfmac: F1 signature read @0x18000000=0x15264345
[    2.002317] brcmfmac: brcmf_fw_alloc_request: using
brcm/brcmfmac43455-sdio for chip BCM4345/6
[    2.002497] usbcore: registered new interface driver brcmfmac
[    2.223405] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob
available (err=-2)
[    2.224010] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6
wl0: Aug 29 2023 01:47:08 version 7.45.265 (28bca26 CY) FWID
01-b677b91b
[  109.454302] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save enabled
[  109.508572] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled

I do get a ton of this in the log, though:
[  113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52
...
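The key_mgmt selection that Arend quotes in this thread, as a stand-alone C model (an added example, not wpa_supplicant's code and not part of any message here): it shows which inputs can turn "AP key_mgmt 0x400 network profile key_mgmt 0x400" into "available key_mgmt 0x0". The struct fields, helper names and the PMF_UNSET value are assumptions made for the model; the sae_check_mfp rule follows the three scenarios in the quoted configuration comment.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIT(n) (1U << (n))
#define KEY_MGMT_PSK BIT(1)   /* WPA-PSK, as in wpa_supplicant's defs.h */
#define KEY_MGMT_SAE BIT(10)  /* quoted in the thread: 0x400 */

/* ieee80211w / pmf values as used in the configs in the thread. PMF_UNSET is
 * a model value meaning "ieee80211w not given in the network block". */
enum { PMF_OFF = 0, PMF_OPTIONAL = 1, PMF_REQUIRED = 2, PMF_UNSET = 3 };

struct sta {                 /* hypothetical station-side model */
	bool drv_sae;            /* driver reports SAE support */
	bool drv_sae_offload;    /* driver reports SAE offload support */
	bool drv_bip;            /* driver supports a BIP cipher */
	int sae_check_mfp;       /* global setting, 0 by default */
	int pmf;                 /* global pmf= setting */
	int ieee80211w;          /* per-network setting or PMF_UNSET */
	unsigned key_mgmt;       /* network profile key_mgmt mask */
};

struct ap {                  /* hypothetical view of the AP's RSN element */
	unsigned key_mgmt;       /* key_mgmt suites the AP advertises */
	bool pmf_enabled;        /* AP advertises PMF as capable or required */
};

/* PMF level the station would use for this network (scenario 3 of the comment). */
static int effective_pmf(const struct sta *s)
{
	if (s->ieee80211w != PMF_UNSET)
		return s->ieee80211w;
	if (s->pmf == PMF_OPTIONAL && !s->drv_bip)
		return PMF_OFF;
	return s->pmf;
}

/* Model of the sae_check_mfp rule: only active when the global option is set. */
static bool sae_avoided(const struct sta *s, const struct ap *a)
{
	if (!s->sae_check_mfp)
		return false;
	return !a->pmf_enabled || effective_pmf(s) == PMF_OFF;
}

/* Same shape as the quoted snippet: intersect, then strip SAE if unusable. */
unsigned select_key_mgmt(const struct sta *s, const struct ap *a)
{
	unsigned sel = a->key_mgmt & s->key_mgmt;

	if ((!s->drv_sae && !s->drv_sae_offload) || sae_avoided(s, a))
		sel &= ~KEY_MGMT_SAE;
	return sel;
}

/* Station and AP as configured in the thread: key_mgmt=SAE, ieee80211w=2. */
static struct sta thread_sta(void)
{
	struct sta s = { true, true, true, 0, PMF_OFF, PMF_REQUIRED, KEY_MGMT_SAE };
	return s;
}

static struct ap thread_ap(void)
{
	struct ap a = { KEY_MGMT_SAE, true };
	return a;
}

/* Thread configuration with sae_check_mfp set to 0 or 1. */
unsigned case_thread_config(int sae_check_mfp)
{
	struct sta s = thread_sta();
	struct ap a = thread_ap();

	s.sae_check_mfp = sae_check_mfp;
	return select_key_mgmt(&s, &a);
}

/* Same configuration, but the driver reports neither SAE flag. */
unsigned case_driver_without_sae(void)
{
	struct sta s = thread_sta();
	struct ap a = thread_ap();

	s.drv_sae = false;
	s.drv_sae_offload = false;
	return select_key_mgmt(&s, &a);
}

/* The comment's own example: sae_check_mfp=1, pmf=1, ieee80211w unset,
 * key_mgmt=SAE WPA-PSK, against an AP offering both suites. */
unsigned case_doc_example(bool drv_bip, bool ap_pmf)
{
	struct sta s = { true, false, drv_bip, 1, PMF_OPTIONAL, PMF_UNSET,
			 KEY_MGMT_SAE | KEY_MGMT_PSK };
	struct ap a = { KEY_MGMT_SAE | KEY_MGMT_PSK, ap_pmf };

	return select_key_mgmt(&s, &a);
}

int main(void)
{
	printf("thread config, sae_check_mfp=0: 0x%x\n", case_thread_config(0));
	printf("thread config, sae_check_mfp=1: 0x%x\n", case_thread_config(1));
	printf("driver without SAE flags:       0x%x\n", case_driver_without_sae());
	printf("doc example, no BIP:            0x%x\n", case_doc_example(false, true));
	return 0;
}
```

In this model the configuration from the thread keeps 0x400 for either value of sae_check_mfp, and the mask only drops to 0x0 when neither SAE driver flag is seen.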
Dembianny Sven (BSH GDE-EDSD5) July 8, 2024, 11:33 a.m. UTC | #26
> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
> >
> > On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> > <arend.vanspriel@broadcom.com> wrote:
> > >
> > > On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
> > >
> > > > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > > > <arend.vanspriel@broadcom.com> wrote:
> > > >>
> > > >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> > > >>
> > > >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > > >>> <arend.vanspriel@broadcom.com> wrote:
> > > >>>>
> > > >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> > > >>>>
> > > >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > > >>>>> <arend.vanspriel@broadcom.com> wrote:
> > > >>>>>>
> > > >>>>>> + Jouni
> > > >>>>>>
> > > >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> > > >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
> > > >>>>>>> group 0x18; available group 0x10
> > > >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> > > >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
> > > >>>>>>> profile pairwise 0x10; available pairwise 0x10
> > > >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> > > >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
> > > >>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> I suspect the message above indicates the problem as there is
> > > >>>>>> no available key_mgmt to select so looked it up in the code and here it is:
> > > >>>>>>
> > > >>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> > > >>>>>> #ifdef CONFIG_SAE
> > > >>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > > >>>>>> !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > > >>>>>> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > > >>>>>> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> > > >>>>>> WPA_KEY_MGMT_FT_SAE |
> > > >>>>>> WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > > >>>>>> #endif /* CONFIG_SAE */
> > > >>>>>> #ifdef CONFIG_IEEE80211R
> > > >>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> > > >>>>>>         WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > > >>>>>> sel &= ~WPA_KEY_MGMT_FT;
> > > >>>>>> #endif /* CONFIG_IEEE80211R */
> > > >>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> > > >>>>>> "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> > > >>>>>> ie.key_mgmt, ssid->key_mgmt, sel);
> > > >>>>>>
> > > >>>>>> So 0x400 matches the expectation:
> > > >>>>>>
> > > >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> > > >>>>>>
> > > >>>>>> You already confirmed that the driver reports SAE and SAE
> > > >>>>>> offload support. So it seems wpas_is_sae_avoided() must
> > > >>>>>> return true. That will check whether the AP and network
> > > >>>>>> profile are setup to MFP. This seems to be the fact as your
> > > >>>>>> hostapd.conf and wpa_supplicant.conf both have
> > > >>>>>> ieee80211w=2 defined. This function can only return true when
> > > >>>>>> is enabled in configuration file:
> > > >>>>>>
> > > >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > > >>>>>> # 0 = Do not check PMF for SAE (default)
> > > >>>>>> # 1 = Limit SAE when PMF is not enabled
> > > >>>>>> #
> > > >>>>>> # When enabled SAE will not be selected if PMF will not be used
> > > >>>>>> # for the connection.
> > > >>>>>> # Scenarios where this check will limit SAE:
> > > >>>>>> #  1) ieee80211w=0 is set for the network
> > > >>>>>> #  2) The AP does not have PMF enabled.
> > > >>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> > > >>>>>> #     the device does not support the BIP cipher.
> > > >>>>>> # Consider the configuration of global parameters sae_check_mfp=1,
> > > >>>>>> # pmf=1 and a
> > > >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > > >>>>>> # In the example WPA-PSK will be used if the device does not support
> > > >>>>>> # the BIP cipher or the AP has PMF disabled.
> > > >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> > > >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> > > >>>>>> # not support PMF due to lack of the BIP cipher.
> > > >>>>>>
> > > >>>>>> The default is not to check it and your wpa_supplicant.conf
> > > >>>>>> does not specify it.
> > > >>>>>>
> > > >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > >>>>>> update_config=1
> > > >>>>>> network={
> > > >>>>>> ssid="deskSAE"
> > > >>>>>> sae_password="secret123"
> > > >>>>>> proto=RSN
> > > >>>>>> key_mgmt=SAE
> > > >>>>>> pairwise=CCMP
> > > >>>>>> ieee80211w=2
> > > >>>>>> }
> > > >>>>>>
> > > >>>>>> $ cat /etc/hostapd/hostapd.conf
> > > >>>>>> # interface and driver
> > > >>>>>> interface=ap0
> > > >>>>>> driver=nl80211
> > > >>>>>>
> > > >>>>>> # WIFI-Config
> > > >>>>>> ssid=deskSAE
> > > >>>>>> channel=1
> > > >>>>>> hw_mode=g
> > > >>>>>>
> > > >>>>>> wpa=2
> > > >>>>>> wpa_key_mgmt=SAE
> > > >>>>>> wpa_pairwise=CCMP
> > > >>>>>> sae_password=secret123
> > > >>>>>> sae_groups=19
> > > >>>>>> ieee80211w=2
> > > >>>>>> sae_pwe=0
> > > >>>>>>
> > > >>>>>> Regards,
> > > >>>>>> Arend
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
> > > >>>>>>> authenticated key management type
> > > >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
> > > >>>>>>> management and encryption suites
> > > >>>>>
> > > >>>>> Arend,
> > > >>>>>
> > > >>>>> I find the wpa_supplicant docs really hard to understand. I
> > > >>>>> have read through your response a few times and am still a bit
> > > >>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
> > > >>>>
> > > >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> > > >>>>
> > > >>>>> I have tried editing my hostapd.conf and my
> > > >>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing something wrong.
> > > >>>>> I commented the ieee80211w line on both and it would not connect.
> > > >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
> > > >>>>> WPA_PSK' and it still would not connect.
> > > >>>>>
> > > >>>>> What *should* the configurations be in the hostapd.conf and
> > > >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
> > > >>>>> What should it be to be a wpa2/3 setup? My phone worked fine
> > > >>>>> to connect with the original hostapd setup, but I have no idea
> > > >>>>> what it is doing
> > > >>>>
> > > >>>> As I mentioned in my previous email both config files listed
> > > >>>> above look okay to me (might be wrong though). The problem
> > > >>>> seems to be with wpas_is_sae_avoided(). For it to return true the config should have:
> > > >>>>
> > > >>>> sae_check_mfp=1
> > > >>>>
> > > >>>> But you don't have that and default is 0 so it should check for
> > > >>>> MFP. This is where my trail ends. To learn more I would add additional debug prints.
> > > >>>> Are you comfortable rebuilding wpa_supplicant from source?
> > > >>>>
> > > >>>> Regards,
> > > >>>> Arend
> > > >>>
> > > >>> Arend,
> > > >>>
> > > >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> > > >>> source. This is on RPi, so debian *.debs which are a pain, but I
> > > >>> think I can do it.
> > > >>>
> > > >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
> > > >>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
> > > >>> and see if anything changes.
> > > >>
> > > >> Ok. We can try first to put following in wpa_supplicant.conf:
> > > >>
> > > >> sae_check_mfp=0
> > > >>
> > > >> Let me know if that makes any difference.
> > > >>
> > > >>> Why would I have to re-build wpa_supplicant?
> > > >>
> > > >> I would provide a patch with additional debug prints so I get
> > > >> better understanding what is going wrong. Would be great if you
> > > >> can apply that and rebuild.
> > > >>
> > > >> Regards,
> > > >> Arend
> > > > Arend,
> > > >
> > > > I was able to try it this afternoon.
> > > > My hostapd is still:
> > > > # interface and driver
> > > > interface=ap0
> > > > driver=nl80211
> > > >
> > > > # WIFI-Config
> > > > ssid=deskSAE
> > > > channel=1
> > > > hw_mode=g
> > > >
> > > > wpa=2
> > > > wpa_key_mgmt=SAE
> > > > wpa_pairwise=CCMP
> > > > sae_password=secret123
> > > > sae_groups=19
> > > > ieee80211w=2
> > > > sae_pwe=0
> > > >
> > > > and I can still connect from my phone to this AP.
> > > >
> > > > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > > update_config=1
> > > > network={
> > > >  ssid="deskSAE"
> > > >  sae_password="secret123"
> > > >  proto=RSN
> > > >  key_mgmt=SAE
> > > >  pairwise=CCMP
> > > >  ieee80211w=2
> > > >  sae_check_mfp=1
> > > > }
> > > >
> > > > and when I try to connect, I get:
> > > > > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > > > Successfully initialized wpa_supplicant
> > > > > Line 10: unknown network field 'sae_check_mfp'.
> > > > > Line 11: failed to parse network block.
> > >
> > > Right. The setting sae_check_mfp is a global setting like
> > > update_config. So it should be moved outside the network block.
> > >
> > > Regards,
> > > Arend
> > >
> > Arend,
> >
> > Thanks for the hand holding, I am out of my depth here!
> >
> > I tried this config and get a similar result.
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > sae_check_mfp=1
> >  network={
> >   ssid="deskSAE"
> >   sae_password="secret123"
> >   proto=RSN
> >   key_mgmt=SAE
> >   pairwise=CCMP
> >   ieee80211w=2
> > }
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > Line 3: unknown global field 'sae_check_mfp=1'.
> > Line 3: Invalid configuration line 'sae_check_mfp=1'.
> > Failed to read or parse configuration
> > '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> > : CTRL-EVENT-DSCP-POLICY clear_all
> >
> > seems it doesn't recognize this parameter.
> >
> > Keith
> 
> Replying to my own post.
> I re-built wpa_supplicant from the current git:
> # wpa_supplicant -v
> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
> 
> It now seems to recognize the 'sae_check_mfp' parameter, but still does not connect:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE"
> auth_failures=1 duration=10 reason=CONN_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> wlan0: CTRL-EVENT-TERMINATING
> 
> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot connect with this 'current' version of
> wpa_supplicant.
> 
> Keith
> 
Hi Keith,

maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
At least in our setup it works.

Regards, Sven
Arend van Spriel July 13, 2024, 12:13 p.m. UTC | #27
On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)" 
<Sven.Dembianny@bshg.com> wrote:

>> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
>>>
>>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
>>> <arend.vanspriel@broadcom.com> wrote:
>>>>
>>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
>>>>
>>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>
>>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>
>>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>
>>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>>
>>>>>>>>>> + Jouni
>>>>>>>>>>
>>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
>>>>>>>>>>> group 0x18; available group 0x10
>>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
>>>>>>>>>>> profile pairwise 0x10; available pairwise 0x10
>>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
>>>>>>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I suspect the message above indicates the problem as there is
>>>>>>>>>> no available key_mgmt to select so looked it up in the code and here it is:
>>>>>>>>>>
>>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>>>>>> #ifdef CONFIG_SAE
>>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>>>>>                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>>>>>> #endif /* CONFIG_SAE */
>>>>>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
>>>>>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
>>>>>>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>>>>>
>>>>>>>>>> So 0x400 matches the expectation:
>>>>>>>>>>
>>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>>>>>
>>>>>>>>>> You already confirmed that the driver reports SAE and SAE
>>>>>>>>>> offload support. So it seems wpas_is_sae_avoided() must
>>>>>>>>>> return true. That will check whether the AP and network
>>>>>>>>>> profile are setup to MFP. This seems to be the fact as your
>>>>>>>>>> hostapd.conf and wpa_supplicant.conf both have
>>>>>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>>>>>> is enabled in configuration file:
>>>>>>>>>>
>>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>>>>>> #
>>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>>>>>> # for the connection.
>>>>>>>>>> # Scenarios where this check will limit SAE:
>>>>>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>>>>>> #  2) The AP does not have PMF enabled.
>>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>>>>>> #     the device does not support the BIP cipher.
>>>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>>>>>
>>>>>>>>>> The default is not to check it and your wpa_supplicant.conf
>>>>>>>>>> does not specify it.
>>>>>>>>>>
>>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>>>>> update_config=1
>>>>>>>>>> network={
>>>>>>>>>> ssid="deskSAE"
>>>>>>>>>> sae_password="secret123"
>>>>>>>>>> proto=RSN
>>>>>>>>>> key_mgmt=SAE
>>>>>>>>>> pairwise=CCMP
>>>>>>>>>> ieee80211w=2
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>>>>>> # interface and driver
>>>>>>>>>> interface=ap0
>>>>>>>>>> driver=nl80211
>>>>>>>>>>
>>>>>>>>>> # WIFI-Config
>>>>>>>>>> ssid=deskSAE
>>>>>>>>>> channel=1
>>>>>>>>>> hw_mode=g
>>>>>>>>>>
>>>>>>>>>> wpa=2
>>>>>>>>>> wpa_key_mgmt=SAE
>>>>>>>>>> wpa_pairwise=CCMP
>>>>>>>>>> sae_password=secret123
>>>>>>>>>> sae_groups=19
>>>>>>>>>> ieee80211w=2
>>>>>>>>>> sae_pwe=0
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Arend
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
>>>>>>>>>>> authenticated key management type
>>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
>>>>>>>>>>> management and encryption suites
>>>>>>>>>
>>>>>>>>> Arend,
>>>>>>>>>
>>>>>>>>> I find the wpa_supplicant docs really hard to understand. I
>>>>>>>>> have read through your response a few times and am still a bit
>>>>>>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>>>>>
>>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>>>>>
>>>>>>>>> I have tried editing my hostapd.conf and my
>>>>>>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing 
>>>>>>>>> something wrong.
>>>>>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
>>>>>>>>> WPA_PSK' and it still would not connect.
>>>>>>>>>
>>>>>>>>> What *should* the configurations be in the hostapd.conf and
>>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
>>>>>>>>> What should it be to be a wpa2/3 setup? My phone worked fine
>>>>>>>>> to connect with the original hostapd setup, but I have no idea
>>>>>>>>> what it is doing
>>>>>>>>
>>>>>>>> As I mentioned in my previous email both config files listed
>>>>>>>> above look okay to me (might be wrong though). The problem
>>>>>>>> seems to be with wpas_is_sae_avoided(). For it to return true the config 
>>>>>>>> should have:
>>>>>>>>
>>>>>>>> sae_check_mfp=1
>>>>>>>>
>>>>>>>> But you don't have that and default is 0 so it should check for
>>>>>>>> MFP. This is where my trail ends. To learn more I would add additional 
>>>>>>>> debug prints.
>>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Arend
>>>>>>>
>>>>>>> Arend,
>>>>>>>
>>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I
>>>>>>> think I can do it.
>>>>>>>
>>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
>>>>>>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
>>>>>>> and see if anything changes.
>>>>>>
>>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
>>>>>>
>>>>>> sae_check_mfp=0
>>>>>>
>>>>>> Let me know if that makes any difference.
>>>>>>
>>>>>>> Why would I have to re-build wpa_supplicant?
>>>>>>
>>>>>> I would provide a patch with additional debug prints so I get
>>>>>> better understanding what is going wrong. Would be great if you
>>>>>> can apply that and rebuild.
>>>>>>
>>>>>> Regards,
>>>>>> Arend
>>>>> Arend,
>>>>>
>>>>> I was able to try it this afternoon.
>>>>> My hostapd is still:
>>>>> # interface and driver
>>>>> interface=ap0
>>>>> driver=nl80211
>>>>>
>>>>> # WIFI-Config
>>>>> ssid=deskSAE
>>>>> channel=1
>>>>> hw_mode=g
>>>>>
>>>>> wpa=2
>>>>> wpa_key_mgmt=SAE
>>>>> wpa_pairwise=CCMP
>>>>> sae_password=secret123
>>>>> sae_groups=19
>>>>> ieee80211w=2
>>>>> sae_pwe=0
>>>>>
>>>>> and I can still connect from my phone to this AP.
>>>>>
>>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>> update_config=1
>>>>> network={
>>>>> ssid="deskSAE"
>>>>> sae_password="secret123"
>>>>> proto=RSN
>>>>> key_mgmt=SAE
>>>>> pairwise=CCMP
>>>>> ieee80211w=2
>>>>> sae_check_mfp=1
>>>>> }
>>>>>
>>>>> and when I try to connect, I get:
>>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>> Successfully initialized wpa_supplicant
>>>>> Line 10: unknown network field 'sae_check_mfp'.
>>>>> Line 11: failed to parse network block.
>>>>
>>>> Right. The setting sae_check_mfp is a global setting like
>>>> update_config. So it should be moved outside the network block.
>>>>
>>>> Regards,
>>>> Arend
>>> Arend,
>>>
>>> Thanks for the hand holding, I am out of my depth here!
>>>
>>> I tried this config and get a similar result.
>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>> update_config=1
>>> sae_check_mfp=1
>>> network={
>>> ssid="deskSAE"
>>> sae_password="secret123"
>>> proto=RSN
>>> key_mgmt=SAE
>>> pairwise=CCMP
>>> ieee80211w=2
>>> }
>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>> Successfully initialized wpa_supplicant
>>> Line 3: unknown global field 'sae_check_mfp=1'.
>>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
>>> Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
>>> : CTRL-EVENT-DSCP-POLICY clear_all
>>>
>>> seems it doesn't recognize this parameter.
>>>
>>> Keith
>>
>> Replying to my own post.
>> I re-built wpa_supplicant from the current git:
>> # wpa_supplicant -v
>> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
>> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
>>
>> It now seems to recognize the 'sae_check_mfp' parameter, but still does not 
>> connect:
>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>> Successfully initialized wpa_supplicant
>> wlan0: Trying to associate with SSID 'deskSAE'
>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>> wlan0: Trying to associate with SSID 'deskSAE'
>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>> wlan0: Trying to associate with SSID 'deskSAE'
>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>> wlan0: Trying to associate with SSID 'deskSAE'
>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
>> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
>> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>> wlan0: Trying to associate with SSID 'deskSAE'
>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
>> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
>> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
>> wlan0: CTRL-EVENT-TERMINATING
>>
>> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot 
>> connect with this 'current' version of
>> wpa_supplicant.
>>
>> Keith
> Hi Keith,
>
> maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
> At least in our setup it works.

I think Keith already reported success in earlier email.

@Keith: If I am mistaken let me know.

Regards,
Arend
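
The key_mgmt selection quoted in the message above, as a stand-alone model (an added example, not wpa_supplicant source and not code posted by anyone in this thread). Only WPA_KEY_MGMT_SAE = BIT(10) comes from the thread; the other bit positions, the `scenario` struct and the rule in `sae_avoided()`, which follows the three scenarios listed in the sae_check_mfp comment, are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(n) (1u << (n))

/* Only SAE = BIT(10) is quoted in the thread; the PSK and FT-SAE positions
 * are illustrative values chosen for this example. */
#define KM_PSK     BIT(1)
#define KM_SAE     BIT(10)
#define KM_FT_SAE  BIT(11)
#define KM_SAE_ALL (KM_SAE | KM_FT_SAE)

/* ieee80211w / pmf values: 0 = disabled, 1 = optional, 2 = required. */
enum pmf_mode { PMF_UNSET = -1, PMF_DISABLED = 0, PMF_OPTIONAL = 1, PMF_REQUIRED = 2 };

/* Hypothetical inputs standing in for the driver flags, the global config,
 * the network block and the AP's advertised RSN settings. */
struct scenario {
	const char *name;
	uint32_t ap_key_mgmt;      /* what the AP advertises */
	bool ap_mfp;               /* AP advertises PMF capability */
	uint32_t profile_key_mgmt; /* key_mgmt= in the network block */
	enum pmf_mode ieee80211w;  /* per-network setting, may be unset */
	bool drv_sae;              /* driver supports SAE in the supplicant */
	bool drv_sae_offload;      /* firmware handles SAE (offload) */
	bool drv_bip;              /* BIP cipher available for PMF */
	bool sae_check_mfp;        /* global option, default 0 */
	enum pmf_mode global_pmf;  /* global pmf= value */
};

/* PMF mode the station would use: an explicit ieee80211w wins; otherwise
 * the global pmf value applies, and optional PMF drops to disabled when
 * the device has no BIP cipher (scenario 3 in the quoted comment). */
static enum pmf_mode effective_pmf(const struct scenario *s)
{
	if (s->ieee80211w != PMF_UNSET)
		return s->ieee80211w;
	if (s->global_pmf == PMF_OPTIONAL && !s->drv_bip)
		return PMF_DISABLED;
	return s->global_pmf;
}

/* Assumed rule: with sae_check_mfp=1, SAE is skipped when PMF will not be
 * used, because the AP lacks it or the station has it off. */
static bool sae_avoided(const struct scenario *s)
{
	if (!s->sae_check_mfp)
		return false;
	return !s->ap_mfp || effective_pmf(s) == PMF_DISABLED;
}

/* Same shape as the quoted snippet: intersect AP and profile, then strip
 * the SAE bits if the driver cannot do SAE or SAE is being avoided. */
static uint32_t select_key_mgmt(const struct scenario *s)
{
	uint32_t sel = s->ap_key_mgmt & s->profile_key_mgmt;

	if ((!s->drv_sae && !s->drv_sae_offload) || sae_avoided(s))
		sel &= ~KM_SAE_ALL;
	return sel;
}

/* Constructed scenarios; none is a capture from the thread. */
static const struct scenario scenarios[] = {
	{ "driver reports no SAE support", KM_SAE, true, KM_SAE, PMF_REQUIRED,
	  false, false, true, false, PMF_DISABLED },
	{ "SAE offload, check off", KM_SAE, true, KM_SAE, PMF_REQUIRED,
	  false, true, true, false, PMF_DISABLED },
	{ "check on, PMF required", KM_SAE, true, KM_SAE, PMF_REQUIRED,
	  true, false, true, true, PMF_DISABLED },
	{ "check on, no BIP, SAE+PSK profile", KM_SAE | KM_PSK, true,
	  KM_SAE | KM_PSK, PMF_UNSET, true, false, false, true, PMF_OPTIONAL },
	{ "check on, AP without PMF", KM_SAE | KM_PSK, false,
	  KM_SAE | KM_PSK, PMF_OPTIONAL, true, false, true, true, PMF_DISABLED },
};
#define N_SCENARIOS (sizeof(scenarios) / sizeof(scenarios[0]))

/* Selected key_mgmt mask for scenario i, or UINT32_MAX if i is out of range. */
uint32_t scenario_result(size_t i)
{
	return i < N_SCENARIOS ? select_key_mgmt(&scenarios[i]) : UINT32_MAX;
}

int main(void)
{
	for (size_t i = 0; i < N_SCENARIOS; i++) {
		const struct scenario *s = &scenarios[i];

		/* Mirrors the debug line format quoted in the thread. */
		printf("%-34s AP key_mgmt 0x%x network profile key_mgmt 0x%x; "
		       "available key_mgmt 0x%x\n", s->name,
		       (unsigned)s->ap_key_mgmt, (unsigned)s->profile_key_mgmt,
		       (unsigned)scenario_result(i));
	}
	return 0;
}
```

An `available key_mgmt 0x0` result with matching AP and profile masks means one of the two strip conditions fired; the fourth scenario is the PSK fallback that the sae_check_mfp comment describes.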
KeithG July 14, 2024, 6:42 p.m. UTC | #28
On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel
<arend.vanspriel@broadcom.com> wrote:
>
> On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)"
> <Sven.Dembianny@bshg.com> wrote:
>
> >> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
> >>>
> >>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> >>> <arend.vanspriel@broadcom.com> wrote:
> >>>>
> >>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
> >>>>
> >>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> >>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>
> >>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
> >>>>>>
> >>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>>>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>>>
> >>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> + Jouni
> >>>>>>>>>>
> >>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
> >>>>>>>>>>> group 0x18; available group 0x10
> >>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
> >>>>>>>>>>> profile pairwise 0x10; available pairwise 0x10
> >>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
> >>>>>>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> I suspect the message above indicates the problem as there is
> >>>>>>>>>> no available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>>>>>
> >>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>>>>>> #ifdef CONFIG_SAE
> >>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>>>>>                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>>>>>> #endif /* CONFIG_SAE */
> >>>>>>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>>>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>>>>>
> >>>>>>>>>> So 0x400 matches the expectation:
> >>>>>>>>>>
> >>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>>>>>
> >>>>>>>>>> You already confirmed that the driver reports SAE and SAE
> >>>>>>>>>> offload support. So it seems wpas_is_sae_avoided() must
> >>>>>>>>>> return true. That will check whether the AP and network
> >>>>>>>>>> profile are setup to MFP. This seems to be the fact as your
> >>>>>>>>>> hostapd.conf and wpa_supplicant.conf both have
> >>>>>>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>>>>>> is enabled in configuration file:
> >>>>>>>>>>
> >>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>>>>>> #
> >>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>>>>>> # for the connection.
> >>>>>>>>>> # Scenarios where this check will limit SAE:
> >>>>>>>>>> #  1) ieee80211w=0 is set for the network
> >>>>>>>>>> #  2) The AP does not have PMF enabled.
> >>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>>>>>> #     the device does not support the BIP cipher.
> >>>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>>>>>
> >>>>>>>>>> The default is not to check it and your wpa_supplicant.conf
> >>>>>>>>>> does not specify it.
> >>>>>>>>>>
> >>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>>>>>> update_config=1
> >>>>>>>>>> network={
> >>>>>>>>>> ssid="deskSAE"
> >>>>>>>>>> sae_password="secret123"
> >>>>>>>>>> proto=RSN
> >>>>>>>>>> key_mgmt=SAE
> >>>>>>>>>> pairwise=CCMP
> >>>>>>>>>> ieee80211w=2
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>>>>>> # interface and driver
> >>>>>>>>>> interface=ap0
> >>>>>>>>>> driver=nl80211
> >>>>>>>>>>
> >>>>>>>>>> # WIFI-Config
> >>>>>>>>>> ssid=deskSAE
> >>>>>>>>>> channel=1
> >>>>>>>>>> hw_mode=g
> >>>>>>>>>>
> >>>>>>>>>> wpa=2
> >>>>>>>>>> wpa_key_mgmt=SAE
> >>>>>>>>>> wpa_pairwise=CCMP
> >>>>>>>>>> sae_password=secret123
> >>>>>>>>>> sae_groups=19
> >>>>>>>>>> ieee80211w=2
> >>>>>>>>>> sae_pwe=0
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Arend
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
> >>>>>>>>>>> authenticated key management type
> >>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
> >>>>>>>>>>> management and encryption suites
> >>>>>>>>>
> >>>>>>>>> Arend,
> >>>>>>>>>
> >>>>>>>>> I find the wpa_supplicant docs really hard to understand. I
> >>>>>>>>> have read through your response a few times and am still a bit
> >>>>>>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>>>>>
> >>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>>>>>
> >>>>>>>>> I have tried editing my hostapd.conf and my
> >>>>>>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing
> >>>>>>>>> something wrong.
> >>>>>>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
> >>>>>>>>> WPA_PSK' and it still would not connect.
> >>>>>>>>>
> >>>>>>>>> What *should* the configurations be in the hostapd.conf and
> >>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
> >>>>>>>>> What should it be to be a wpa2/3 setup? My phone worked fine
> >>>>>>>>> to connect with the original hostapd setup, but I have no idea
> >>>>>>>>> what it is doing
> >>>>>>>>
> >>>>>>>> As I mentioned in my previous email both config files listed
> >>>>>>>> above look okay to me (might be wrong though). The problem
> >>>>>>>> seems to be with wpas_is_sae_avoided(). For it to return true the config
> >>>>>>>> should have:
> >>>>>>>>
> >>>>>>>> sae_check_mfp=1
> >>>>>>>>
> >>>>>>>> But you don't have that and default is 0 so it should check for
> >>>>>>>> MFP. This is where my trail ends. To learn more I would add additional
> >>>>>>>> debug prints.
> >>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Arend
> >>>>>>>
> >>>>>>> Arend,
> >>>>>>>
> >>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I
> >>>>>>> think I can do it.
> >>>>>>>
> >>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
> >>>>>>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
> >>>>>>> and see if anything changes.
> >>>>>>
> >>>>>> Ok. We can try first to put following in wpa_supplicant.conf:
> >>>>>>
> >>>>>> sae_check_mfp=0
> >>>>>>
> >>>>>> Let me know if that makes any difference.
> >>>>>>
> >>>>>>> Why would I have to re-build wpa_supplicant?
> >>>>>>
> >>>>>> I would provide a patch with additional debug prints so I get
> >>>>>> better understanding what is going wrong. Would be great if you
> >>>>>> can apply that and rebuild.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Arend
> >>>>> Arend,
> >>>>>
> >>>>> I was able to try it this afternoon.
> >>>>> My hostapd is still:
> >>>>> # interface and driver
> >>>>> interface=ap0
> >>>>> driver=nl80211
> >>>>>
> >>>>> # WIFI-Config
> >>>>> ssid=deskSAE
> >>>>> channel=1
> >>>>> hw_mode=g
> >>>>>
> >>>>> wpa=2
> >>>>> wpa_key_mgmt=SAE
> >>>>> wpa_pairwise=CCMP
> >>>>> sae_password=secret123
> >>>>> sae_groups=19
> >>>>> ieee80211w=2
> >>>>> sae_pwe=0
> >>>>>
> >>>>> and I can still connect from my phone to this AP.
> >>>>>
> >>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>> update_config=1
> >>>>> network={
> >>>>> ssid="deskSAE"
> >>>>> sae_password="secret123"
> >>>>> proto=RSN
> >>>>> key_mgmt=SAE
> >>>>> pairwise=CCMP
> >>>>> ieee80211w=2
> >>>>> sae_check_mfp=1
> >>>>> }
> >>>>>
> >>>>> and when I try to connect, I get:
> >>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>> Successfully initialized wpa_supplicant
> >>>>> Line 10: unknown network field 'sae_check_mfp'.
> >>>>> Line 11: failed to parse network block.
> >>>>
> >>>> Right. The setting sae_check_mfp is a global setting like
> >>>> update_config. So it should be moved outside the network block.
> >>>>
> >>>> Regards,
> >>>> Arend
> >>> Arend,
> >>>
> >>> Thanks for the hand holding, I am out of my depth here!
> >>>
> >>> I tried this config and get a similar result.
> >>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>> update_config=1
> >>> sae_check_mfp=1
> >>> network={
> >>> ssid="deskSAE"
> >>> sae_password="secret123"
> >>> proto=RSN
> >>> key_mgmt=SAE
> >>> pairwise=CCMP
> >>> ieee80211w=2
> >>> }
> >>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>> Successfully initialized wpa_supplicant
> >>> Line 3: unknown global field 'sae_check_mfp=1'.
> >>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
> >>> Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> >>> : CTRL-EVENT-DSCP-POLICY clear_all
> >>>
> >>> seems it doesn't recognize this parameter.
> >>>
> >>> Keith
> >>
> >> Replying to my own post.
> >> I re-built wpa_supplicant from the current git:
> >> # wpa_supplicant -v
> >> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> >> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
> >>
> >> It now seems to recognize the 'sae_check_mfp' parameter, but still does not
> >> connect:
> >> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> Successfully initialized wpa_supplicant
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
> >> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> >> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: Trying to associate with SSID 'deskSAE'
> >> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> >> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> >> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
> >> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> >> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> >> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> >> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> >> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> >> wlan0: CTRL-EVENT-TERMINATING
> >>
> >> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
> >> connect with this 'current' version of
> >> wpa_supplicant.
> >>
> >> Keith
> > Hi Keith,
> >
> > maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
> > At least in our setup it works.
>
> I think Keith already reported success in earlier email.
>
> @Keith: If I am mistaken let me know.
>
> Regards,
> Arend
>
Arend,

Yes, I figured it out. As per the link shared: I had to put the latest
firmware on and use the latest wpa_supplicant, but with these 2
changes, it did connect.
Arend van Spriel July 14, 2024, 6:47 p.m. UTC | #29
On 7/14/2024 8:42 PM, KeithG wrote:
> On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>>
>> On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)"
>> <Sven.Dembianny@bshg.com> wrote:
>>
>>>> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@gmail.com> wrote:
>>>>>
>>>>> On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>
>>>>>> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>
>>>>>>> On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>
>>>>>>>> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
>>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
>>>>>>>>>>> <arend.vanspriel@broadcom.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> + Jouni
>>>>>>>>>>>>
>>>>>>>>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
>>>>>>>>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile
>>>>>>>>>>>>> group 0x18; available group 0x10
>>>>>>>>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
>>>>>>>>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network
>>>>>>>>>>>>> profile pairwise 0x10; available pairwise 0x10
>>>>>>>>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
>>>>>>>>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network
>>>>>>>>>>>>> profile key_mgmt 0x400; available key_mgmt 0x0
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I suspect the message above indicates the problem as there is
>>>>>>>>>>>> no available key_mgmt to select so looked it up in the code and here it is:
>>>>>>>>>>>>
>>>>>>>>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
>>>>>>>>>>>> #ifdef CONFIG_SAE
>>>>>>>>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>>>>>>>>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>>>>>>>>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
>>>>>>>>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>>>>>>>>>>>>                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
>>>>>>>>>>>> #endif /* CONFIG_SAE */
>>>>>>>>>>>> #ifdef CONFIG_IEEE80211R
>>>>>>>>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>>>>>>>>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>>>>>>>>>>>>         sel &= ~WPA_KEY_MGMT_FT;
>>>>>>>>>>>> #endif /* CONFIG_IEEE80211R */
>>>>>>>>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
>>>>>>>>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
>>>>>>>>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
>>>>>>>>>>>>
>>>>>>>>>>>> So 0x400 matches the expectation:
>>>>>>>>>>>>
>>>>>>>>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
>>>>>>>>>>>>
>>>>>>>>>>>> You already confirmed that the driver reports SAE and SAE
>>>>>>>>>>>> offload support. So it seems wpas_is_sae_avoided() must
>>>>>>>>>>>> return true. That will check whether the AP and network
>>>>>>>>>>>> profile are setup to MFP. This seems to be the fact as your
>>>>>>>>>>>> hostapd.conf and wpa_supplicant.conf both have
>>>>>>>>>>>> ieee80211w=2 defined. This function can only return true when
>>>>>>>>>>>> is enabled in configuration file:
>>>>>>>>>>>>
>>>>>>>>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
>>>>>>>>>>>> # 0 = Do not check PMF for SAE (default)
>>>>>>>>>>>> # 1 = Limit SAE when PMF is not enabled
>>>>>>>>>>>> #
>>>>>>>>>>>> # When enabled SAE will not be selected if PMF will not be used
>>>>>>>>>>>> # for the connection.
>>>>>>>>>>>> # Scenarios where this check will limit SAE:
>>>>>>>>>>>> #  1) ieee80211w=0 is set for the network
>>>>>>>>>>>> #  2) The AP does not have PMF enabled.
>>>>>>>>>>>> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
>>>>>>>>>>>> #     the device does not support the BIP cipher.
>>>>>>>>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
>>>>>>>>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
>>>>>>>>>>>> # In the example WPA-PSK will be used if the device does not support
>>>>>>>>>>>> # the BIP cipher or the AP has PMF disabled.
>>>>>>>>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
>>>>>>>>>>>> # that is configured with sae_requires_mfp=1 if the device does
>>>>>>>>>>>> # not support PMF due to lack of the BIP cipher.
>>>>>>>>>>>>
>>>>>>>>>>>> The default is not to check it and your wpa_supplicant.conf
>>>>>>>>>>>> does not specify it.
>>>>>>>>>>>>
>>>>>>>>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>>>>>>> update_config=1
>>>>>>>>>>>> network={
>>>>>>>>>>>> ssid="deskSAE"
>>>>>>>>>>>> sae_password="secret123"
>>>>>>>>>>>> proto=RSN
>>>>>>>>>>>> key_mgmt=SAE
>>>>>>>>>>>> pairwise=CCMP
>>>>>>>>>>>> ieee80211w=2
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> $ cat /etc/hostapd/hostapd.conf
>>>>>>>>>>>> # interface and driver
>>>>>>>>>>>> interface=ap0
>>>>>>>>>>>> driver=nl80211
>>>>>>>>>>>>
>>>>>>>>>>>> # WIFI-Config
>>>>>>>>>>>> ssid=deskSAE
>>>>>>>>>>>> channel=1
>>>>>>>>>>>> hw_mode=g
>>>>>>>>>>>>
>>>>>>>>>>>> wpa=2
>>>>>>>>>>>> wpa_key_mgmt=SAE
>>>>>>>>>>>> wpa_pairwise=CCMP
>>>>>>>>>>>> sae_password=secret123
>>>>>>>>>>>> sae_groups=19
>>>>>>>>>>>> ieee80211w=2
>>>>>>>>>>>> sae_pwe=0
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Arend
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> 1718907734.308779: wlan0: WPA: Failed to select
>>>>>>>>>>>>> authenticated key management type
>>>>>>>>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key
>>>>>>>>>>>>> management and encryption suites
>>>>>>>>>>>
>>>>>>>>>>> Arend,
>>>>>>>>>>>
>>>>>>>>>>> I find the wpa_supplicant docs really hard to understand. I
>>>>>>>>>>> have read through your response a few times and am still a bit
>>>>>>>>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
>>>>>>>>>>
>>>>>>>>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>>>>>>>>>>
>>>>>>>>>>> I have tried editing my hostapd.conf and my
>>>>>>>>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing
>>>>>>>>>>> something wrong.
>>>>>>>>>>> I commented the ieee80211w line on both and it would not connect.
>>>>>>>>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
>>>>>>>>>>> WPA_PSK' and it still would not connect.
>>>>>>>>>>>
>>>>>>>>>>> What *should* the configurations be in the hostapd.conf and
>>>>>>>>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
>>>>>>>>>>> What should it be to be a wpa2/3 setup? My phone worked fine
>>>>>>>>>>> to connect with the original hostapd setup, but I have no idea
>>>>>>>>>>> what it is doing
>>>>>>>>>>
>>>>>>>>>> As I mentioned in my previous email both config files listed
>>>>>>>>>> above look okay to me (might be wrong though). The problem
>>>>>>>>>> seems to be with wpas_is_sae_avoided(). For it to return true the config
>>>>>>>>>> should have:
>>>>>>>>>>
>>>>>>>>>> sae_check_mfp=1
>>>>>>>>>>
>>>>>>>>>> But you don't have that and default is 0 so it should check for
>>>>>>>>>> MFP. This is where my trail ends. To learn more I would add additional
>>>>>>>>>> debug prints.
>>>>>>>>>> Are you comfortable rebuilding wpa_supplicant from source?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Arend
>>>>>>>>>
>>>>>>>>> Arend,
>>>>>>>>>
>>>>>>>>> Thanks for the reply. I could try to rebuild wpa_supplicant from
>>>>>>>>> source. This is on RPi, so debian *.debs which are a pain, but I
>>>>>>>>> think I can do it.
>>>>>>>>>
>>>>>>>>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
>>>>>>>>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
>>>>>>>>> and see if anything changes.
>>>>>>>>
>>>>>>>> Ok. We can try first to put the following in wpa_supplicant.conf:
>>>>>>>>
>>>>>>>> sae_check_mfp=0
>>>>>>>>
>>>>>>>> Let me know if that makes any difference.
>>>>>>>>
>>>>>>>>> Why would I have to re-build wpa_supplicant?
>>>>>>>>
>>>>>>>> I would provide a patch with additional debug prints so I get
>>>>>>>> better understanding what is going wrong. Would be great if you
>>>>>>>> can apply that and rebuild.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Arend
>>>>>>> Arend,
>>>>>>>
>>>>>>> I was able to try it this afternoon.
>>>>>>> My hostapd is still:
>>>>>>> # interface and driver
>>>>>>> interface=ap0
>>>>>>> driver=nl80211
>>>>>>>
>>>>>>> # WIFI-Config
>>>>>>> ssid=deskSAE
>>>>>>> channel=1
>>>>>>> hw_mode=g
>>>>>>>
>>>>>>> wpa=2
>>>>>>> wpa_key_mgmt=SAE
>>>>>>> wpa_pairwise=CCMP
>>>>>>> sae_password=secret123
>>>>>>> sae_groups=19
>>>>>>> ieee80211w=2
>>>>>>> sae_pwe=0
>>>>>>>
>>>>>>> and I can still connect from my phone to this AP.
>>>>>>>
>>>>>>> I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>>>> update_config=1
>>>>>>> network={
>>>>>>> ssid="deskSAE"
>>>>>>> sae_password="secret123"
>>>>>>> proto=RSN
>>>>>>> key_mgmt=SAE
>>>>>>> pairwise=CCMP
>>>>>>> ieee80211w=2
>>>>>>> sae_check_mfp=1
>>>>>>> }
>>>>>>>
>>>>>>> and when I try to connect, I get:
>>>>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>>>> Successfully initialized wpa_supplicant
>>>>>>> Line 10: unknown network field 'sae_check_mfp'.
>>>>>>> Line 11: failed to parse network block.
>>>>>>
>>>>>> Right. The setting sae_check_mfp is a global setting like
>>>>>> update_config. So it should be moved outside the network block.
>>>>>>
>>>>>> Regards,
>>>>>> Arend
>>>>> Arend,
>>>>>
>>>>> Thanks for the hand holding, I am out of my depth here!
>>>>>
>>>>> I tried this config and get a similar result.
>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>>>>> update_config=1
>>>>> sae_check_mfp=1
>>>>> network={
>>>>> ssid="deskSAE"
>>>>> sae_password="secret123"
>>>>> proto=RSN
>>>>> key_mgmt=SAE
>>>>> pairwise=CCMP
>>>>> ieee80211w=2
>>>>> }
>>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>>> Successfully initialized wpa_supplicant
>>>>> Line 3: unknown global field 'sae_check_mfp=1'.
>>>>> Line 3: Invalid configuration line 'sae_check_mfp=1'.
>>>>> Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
>>>>> : CTRL-EVENT-DSCP-POLICY clear_all
>>>>>
>>>>> seems it doesn't recognize this parameter.
>>>>>
>>>>> Keith
>>>>
>>>> Replying to my own post.
>>>> I re-built wpa_supplicant from the current git:
>>>> # wpa_supplicant -v
>>>> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
>>>> Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
>>>>
>>>> It now seems to recognize the 'sae_check_mfp' parameter, but still does not
>>>> connect:
>>>> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
>>>> Successfully initialized wpa_supplicant
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
>>>> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
>>>> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: Trying to associate with SSID 'deskSAE'
>>>> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
>>>> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
>>>> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
>>>> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
>>>> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
>>>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
>>>> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>>>> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
>>>> wlan0: CTRL-EVENT-TERMINATING
>>>>
>>>> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot
>>>> connect with this 'current' version of
>>>> wpa_supplicant.
>>>>
>>>> Keith
>>> Hi Keith,
>>>
>>> Maybe you are missing sae_pwe=2 in your wpa_supplicant.conf.
>>> At least in our setup it works.
>>
>> I think Keith already reported success in earlier email.
>>
>> @Keith: If I am mistaken let me know.
>>
>> Regards,
>> Arend
>>
> Arend,
> 
> Yes, I figured it out. As per the link shared: I had to put the latest
> firmware on and use the latest wpa_supplicant, but with these 2
> changes, it did connect.

Good to know.

Regards,
Arend
Arend van Spriel July 15, 2024, 7:43 a.m. UTC | #30
On 7/1/2024 10:54 PM, KeithG wrote:
> I do get a ton of this in the log, though:
> [  113.543122] brcmfmac: brcmf_set_channel: set chanspec 0xd022 fail, reason -52
> ...

I suspect this is the same issue that Stefan Wahren reported a while 
ago. That thread dried up which is probably my bad. That chanspec 0xd022 
is encoded channel info translating to "band=5G bw=20MHz channel=34". As 
far as I know channel 34 is an old Japan channel. Not sure if it is 
valid today. So we can remove them probably. However, these messages are 
also reported on some channels that are valid in certain regions. Need 
to discuss with Johannes what the best option is. Will revive the 
original email thread [1].

Regards,
Arend

[1] 
https://lore.kernel.org/all/d9c9336a-6314-4de9-aead-8b865bb30f05@gmx.net/
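
The chanspec decoding described in the comment above, as an added example that is not part of the thread or of the brcmfmac sources. It assumes the D11AC chanspec bit layout (channel in bits 0-7, sideband in bits 8-10, bandwidth code in bits 11-13, band code in bits 14-15); the macro, struct and function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed D11AC chanspec layout; these names are illustrative only. */
#define CS_CH_MASK  0x00ffu /* bits 0-7: channel number */
#define CS_SB_MASK  0x0700u /* bits 8-10: sideband index */
#define CS_BW_MASK  0x3800u /* bits 11-13: bandwidth code */
#define CS_BND_MASK 0xc000u /* bits 14-15: band code */

struct chanspec_info {
	unsigned int channel, sideband;
	int band_ghz;   /* 2, 3, 4 or 5 */
	int bw_mhz;     /* -1: 80+80 or reserved code */
	int center_mhz; /* 0 when the band has no mapping here */
};

static struct chanspec_info chanspec_decode(uint16_t cs)
{
	static const int bw_tbl[8] = { 5, 10, 20, 40, 80, 160, -1, -1 };
	struct chanspec_info ci;

	ci.channel = cs & CS_CH_MASK;
	ci.sideband = (cs & CS_SB_MASK) >> 8;
	ci.bw_mhz = bw_tbl[(cs & CS_BW_MASK) >> 11];
	ci.band_ghz = 2 + (int)((cs & CS_BND_MASK) >> 14);
	/* Standard 802.11 channel-to-frequency mapping. */
	if (ci.band_ghz == 5)
		ci.center_mhz = 5000 + 5 * (int)ci.channel;
	else if (ci.band_ghz == 2)
		ci.center_mhz = ci.channel == 14 ? 2484 : 2407 + 5 * (int)ci.channel;
	else
		ci.center_mhz = 0;
	return ci;
}

int main(void)
{
	/* Values copied from the brcmf_set_channel log lines in this thread. */
	static const uint16_t seen[] = { 0xd022, 0xd02e, 0xd034, 0xd038, 0xd03c };
	size_t i;

	for (i = 0; i < sizeof(seen) / sizeof(seen[0]); i++) {
		struct chanspec_info ci = chanspec_decode(seen[i]);

		printf("0x%04x: band=%dG bw=%dMHz channel=%u (%d MHz) sb=%u\n",
		       (unsigned int)seen[i], ci.band_ghz, ci.bw_mhz,
		       ci.channel, ci.center_mhz, ci.sideband);
	}
	return 0;
}
```

Every value logged in the thread decodes to a 20 MHz channel in the 5 GHz band, so the failures are per-channel rather than tied to one bandwidth or sideband setting.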

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
index 860ef9c11c46..a5aa58047d39 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
@@ -1090,6 +1090,7 @@  static int ieee_hw_init(struct ieee80211_hw *hw)
 	ieee80211_hw_set(hw, AMPDU_AGGREGATION);
 	ieee80211_hw_set(hw, SIGNAL_DBM);
 	ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
+	ieee80211_hw_set(hw, MFP_CAPABLE);
 
 	hw->extra_tx_headroom = brcms_c_get_header_len();
 	hw->queues = N_TX_QUEUES;
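
Review bot: The added ieee80211_hw_set(hw, MFP_CAPABLE) call in ieee_hw_init() is unconditional, so every device this driver binds will advertise management frame protection, while the commit message names only BCM43224 and does not say what was tested. Please state in the commit message which chips were verified against an AP that requires MFP, and that the driver leaves protection of management frames entirely to mac80211, so the reader can tell why no per-chip gating is needed. The test reports in the replies show brcmfmac log lines, which come from a different driver than the one this hunk touches, so they do not cover this change.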