Message ID | 20250512085223.411606-1-michael@amarulasolutions.com |
---|---|
State | New |
Hi Michael, On 5/12/25 3:52 AM, Michael Trimarchi wrote: > From: "Dembianny, Sven (GDE-EDSD5)" <sven.dembianny@bshg.com> > > Previous MFP support was restricted to WPA3, however it is also possible > to set MFP to mandatory on APs with WPA2. Yes, assuming your device supports it. But I'm not quite sure how this description corresponds to the actual patch? It looks like the intent is to always set ieee80211w=1 (MFP Capable set, MFP Required not set) which enables the use of MFP by wpa_supplicant even on WPA2 networks. > > wpa_supplicant config: > > * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1 > > It is important that the default value of MFPC bit is 1 on the final-commercial > version of the device. It is a mandatory WFA requirement. Which 'device'? I think you may be referring to something specific to your use case here. > --- > gsupplicant/supplicant.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c > index f3be9e7b..2ebfa2c6 100644 > --- a/gsupplicant/supplicant.c > +++ b/gsupplicant/supplicant.c > @@ -4955,6 +4955,7 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid) > add_network_security_ciphers(dict, ssid); > break; > case G_SUPPLICANT_SECURITY_PSK: > + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; > if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_SAE) { doc/coding-style.txt item M1 > if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK) { > /* 
> @@ -4962,15 +4963,16 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid) > * WPA2-Personal (PSK) and WPA3-Personal (SAE) > */ > key_mgmt = "SAE WPA-PSK"; > - ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; > } else { > key_mgmt = "SAE"; > ieee80211w = G_SUPPLICANT_MFP_REQUIRED; > } > - add_network_ieee80211w(dict, ssid, ieee80211w); > + } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) { > + key_mgmt = "WPA-PSK-SHA256"; This part seems to be unrelated to the commit description and has nothing to do with MFP? Also, you might also want to enable SHA256 in WPA3 Transition mode? > } else { > key_mgmt = "WPA-PSK"; > } > + add_network_ieee80211w(dict, ssid, ieee80211w); Ditto item M1. > add_network_security_psk(dict, ssid); > add_network_security_ciphers(dict, ssid); > add_network_security_proto(dict, ssid); Regards, -Denis To unsubscribe from this group and stop receiving emails from it, send an email to linux-amarula+unsubscribe@amarulasolutions.com.
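The MFPC/MFPR semantics discussed in this message, as an added example (not part of the patch, ConnMan or wpa_supplicant): how a station's `ieee80211w` value and an AP's RSN Capabilities bits combine under the IEEE 802.11 rules. The function and enum names are hypothetical and the AP profiles in `main` are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RSN Capabilities field bits (IEEE 802.11 RSN element) */
#define RSN_CAP_MFPR (1u << 6)	/* Management Frame Protection Required */
#define RSN_CAP_MFPC (1u << 7)	/* Management Frame Protection Capable */

enum pmf_result { PMF_OFF, PMF_ON, PMF_REJECT };

/* wpa_supplicant ieee80211w setting -> bits the station advertises */
static uint16_t sta_rsn_caps(int ieee80211w)
{
	switch (ieee80211w) {
	case 1: return RSN_CAP_MFPC;			/* optional */
	case 2: return RSN_CAP_MFPC | RSN_CAP_MFPR;	/* required */
	default: return 0;				/* disabled */
	}
}

/* Outcome of an association attempt given both sides' capability bits */
static enum pmf_result pmf_negotiate(uint16_t sta, uint16_t ap)
{
	bool sta_c = sta & RSN_CAP_MFPC, sta_r = sta & RSN_CAP_MFPR;
	bool ap_c = ap & RSN_CAP_MFPC, ap_r = ap & RSN_CAP_MFPR;

	/* MFPR without MFPC is an invalid combination on either side */
	if ((sta_r && !sta_c) || (ap_r && !ap_c))
		return PMF_REJECT;
	/* One side requires protection the other cannot provide */
	if ((ap_r && !sta_c) || (sta_r && !ap_c))
		return PMF_REJECT;
	/* Management frames are protected only when both sides are capable */
	return (sta_c && ap_c) ? PMF_ON : PMF_OFF;
}

int main(void)
{
	static const char *name[] = { "no PMF", "PMF in use", "no association" };
	/* Constructed AP profiles: legacy, MFPC only, MFPC + MFPR */
	const uint16_t ap[] = { 0, RSN_CAP_MFPC, RSN_CAP_MFPC | RSN_CAP_MFPR };

	for (int w = 0; w <= 2; w++)
		for (int a = 0; a < 3; a++)
			printf("ieee80211w=%d ap_caps=0x%02x -> %s\n", w, (unsigned)ap[a],
			       name[pmf_negotiate(sta_rsn_caps(w), ap[a])]);
	return 0;
}
```

With `ieee80211w=1` the station still associates with an AP that advertises no MFP bits, and it is the only setting of the three that never ends in "no association" against a valid AP profile.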
Hi Denis, > -----Original Message----- > From: Denis Kenzior <denkenz@gmail.com> > Sent: Monday, 12 May 2025 21:22 > To: Michael Trimarchi <michael@amarulasolutions.com>; connman@lists.linux.dev > Cc: linux-amarula@amarulasolutions.com; Dembianny Sven (BSH GDE-EDSD7) > <sven.dembianny@bshg.com> > Subject: Re: [PATCH] gsupplicant: MFP optional for WPA2-Personal > > Hi Michael, > > On 5/12/25 3:52 AM, Michael Trimarchi wrote: > > From: "Dembianny, Sven (GDE-EDSD5)" <sven.dembianny@bshg.com> > > > > Previous MFP support was restricted to WPA3, however it is also > > possible to set MFP to mandatory on APs with WPA2. > > Yes, assuming your device supports it. But I'm not quite sure how this description corresponds to the > actual patch? It looks like the intent is to always set ieee80211w=1 (MFP Capable set, MFP Required > not set) which enables the use of MFP by wpa_supplicant even on WPA2 networks. > Yes, MFPC has to be set always also on WPA2 networks in terms of security requirements by WFA, independent from AP configuration. See "Wi-Fi CERTIFIED Protected Management Frames Test Plan v1.9.pdf", 3.3.2 "STAUT requirements". > > > > wpa_supplicant config: > > > > * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1 > > > > It is important that the default value of MFPC bit is 1 on the final-commercial > > version of the device. It is a mandatory WFA requirement. > > Which 'device'? I think you may be referring to something specific to your use > case here. > See above statement, "device" was referring to any device under test for current WFA certification. > > --- > > gsupplicant/supplicant.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c > > index f3be9e7b..2ebfa2c6 100644 > > --- a/gsupplicant/supplicant.c > > +++ b/gsupplicant/supplicant.c
> > @@ -4955,6 +4955,7 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID > *ssid) > > add_network_security_ciphers(dict, ssid); > > break; > > case G_SUPPLICANT_SECURITY_PSK: > > + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; > > if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_SAE) { > > doc/coding-style.txt item M1 > > > if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK) { > > /* > > @@ -4962,15 +4963,16 @@ static void add_network_security(DBusMessageIter *dict, > GSupplicantSSID *ssid) > > * WPA2-Personal (PSK) and WPA3-Personal (SAE) > > */ > > key_mgmt = "SAE WPA-PSK"; > > - ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; > > } else { > > key_mgmt = "SAE"; > > ieee80211w = G_SUPPLICANT_MFP_REQUIRED; > > } > > - add_network_ieee80211w(dict, ssid, ieee80211w); > > + } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) { > > + key_mgmt = "WPA-PSK-SHA256"; > > This part seems to be unrelated to the commit description and has nothing to do > with MFP? Also, you might also want to enable SHA256 in WPA3 Transition mode? > You are right, my AP changed PSK to PSK-SHA256 when setting MFPC, so this change was needed to be able to connect. I will provide an update and add PSK-SHA256 also in WPA3 Transition mode. > > } else { > > key_mgmt = "WPA-PSK"; > > } > > + add_network_ieee80211w(dict, ssid, ieee80211w); > > Ditto item M1. > > > add_network_security_psk(dict, ssid); > > add_network_security_ciphers(dict, ssid); > > add_network_security_proto(dict, ssid); > > Regards, > -Denis Best regards, Sven
Hi Sven, On 5/13/25 6:42 AM, Dembianny Sven (BSH GDE-EDSD7) wrote: > Hi Denis, > >> -----Original Message----- >> From: Denis Kenzior <denkenz@gmail.com> >> Sent: Monday, 12 May 2025 21:22 >> To: Michael Trimarchi <michael@amarulasolutions.com>; connman@lists.linux.dev >> Cc: linux-amarula@amarulasolutions.com; Dembianny Sven (BSH GDE-EDSD7) >> <sven.dembianny@bshg.com> >> Subject: Re: [PATCH] gsupplicant: MFP optional for WPA2-Personal >> >> Hi Michael, >> >> On 5/12/25 3:52 AM, Michael Trimarchi wrote: >>> From: "Dembianny, Sven (GDE-EDSD5)" <sven.dembianny@bshg.com> >>> >>> Previous MFP support was restricted to WPA3, however it is also >>> possible to set MFP to mandatory on APs with WPA2. >> >> Yes, assuming your device supports it. But I'm not quite sure how this description corresponds to the >> actual patch? It looks like the intent is to always set ieee80211w=1 (MFP Capable set, MFP Required >> not set) which enables the use of MFP by wpa_supplicant even on WPA2 networks. >> > Yes, MFPC has to be set always also on WPA2 networks in terms of security requirements by WFA, independent from AP configuration. > See "Wi-Fi CERTIFIED Protected Management Frames Test Plan v1.9.pdf", 3.3.2 "STAUT requirements". Okay, thanks for confirming that this is indeed about setting MFPC. When I read the original, the verbiage '... set MFP to mandatory ...' made me think that MFPR was somehow involved. Let's make this clearer in the commit description for v2. >>> >>> wpa_supplicant config: >>> >>> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1 >>> >>> It is important that the default value of MFPC bit is 1 on the final-commercial >>> version of the device. It is a mandatory WFA requirement. >> >> Which 'device'? I think you may be referring to something specific to your use >> case here. >> > See above statement, "device" was referring to any device under test for current WFA certification. Okay, thanks for that explanation. Makes sense now.
For the next version's commit description, could you make it clearer that you're quoting an external document? Also, have you checked that wpa_supplicant will accept 'ieee80211w=1' for legacy devices that do not support MFP at all? Regards, -Denis
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c index f3be9e7b..2ebfa2c6 100644 --- a/gsupplicant/supplicant.c +++ b/gsupplicant/supplicant.c @@ -4955,6 +4955,7 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid) add_network_security_ciphers(dict, ssid); break; case G_SUPPLICANT_SECURITY_PSK: + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_SAE) { if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK) { /* @@ -4962,15 +4963,16 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid) * WPA2-Personal (PSK) and WPA3-Personal (SAE) */ key_mgmt = "SAE WPA-PSK"; - ieee80211w = G_SUPPLICANT_MFP_OPTIONAL; } else { key_mgmt = "SAE"; ieee80211w = G_SUPPLICANT_MFP_REQUIRED; } - add_network_ieee80211w(dict, ssid, ieee80211w); + } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) { + key_mgmt = "WPA-PSK-SHA256"; } else { key_mgmt = "WPA-PSK"; } + add_network_ieee80211w(dict, ssid, ieee80211w); add_network_security_psk(dict, ssid); add_network_security_ciphers(dict, ssid); add_network_security_proto(dict, ssid);
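Review bot: in the first hunk (@@ -4955,6 +4955,7), `ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;` becomes the default for every `G_SUPPLICANT_SECURITY_PSK` network with no comment saying why, and the commit message speaks of setting MFP "to mandatory" while the value assigned here is the optional one. Add a short comment at the assignment stating that MFPC is advertised by default and that only the SAE-only branch raises it to `G_SUPPLICANT_MFP_REQUIRED`, and reword the commit message to say MFPC rather than mandatory.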
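Review bot: in the second hunk (@@ -4962,15 +4963,16), the new `else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256)` branch is reached only when the SAE bit is clear, and it sets `key_mgmt` to "WPA-PSK-SHA256" alone even when `G_SUPPLICANT_KEYMGMT_WPA_PSK` is also set in `ssid->keymgmt`. Decide whether a network offering both AKMs should get both names in `key_mgmt`, and whether the two SAE branches ("SAE WPA-PSK" and "SAE") need the SHA256 AKM as well. Since this is a key-management change rather than an MFP one, it should be described in the commit message or moved to its own patch.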
From: "Dembianny, Sven (GDE-EDSD5)" <sven.dembianny@bshg.com> Previous MFP support was restricted to WPA3, however it is also possible to set MFP to mandatory on APs with WPA2. wpa_supplicant config: * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1 It is important that the default value of MFPC bit is 1 on the final-commercial version of the device. It is a mandatory WFA requirement. --- gsupplicant/supplicant.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)