* [PATCH 0/1] Add WPA2-MFP Support
@ 2022-04-25 15:08 Dembianny, Sven (GDE-EDSO)
2022-04-25 15:08 ` [PATCH 1/1] gsupplicant: Add MFP support for WPA2 Dembianny, Sven (GDE-EDSO)
0 siblings, 1 reply; 8+ messages in thread
From: Dembianny, Sven (GDE-EDSO) @ 2022-04-25 15:08 UTC
To: connman; +Cc: ariel.dalessandro, Dembianny, Sven (GDE-EDSO)
Hi,
this expands MFP handling added by Ariel to support WPA2 & MFP required. It
was tested on a Linksys WRT1200AC with OpenWrt 21.02.2.
Best regards, Sven
Sven Dembianny (1):
gsupplicant: Add MFP support for WPA2
gsupplicant/supplicant.c | 4 ++++
1 file changed, 4 insertions(+)
--
2.25.1
* [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-25 15:08 [PATCH 0/1] Add WPA2-MFP Support Dembianny, Sven (GDE-EDSO)
@ 2022-04-25 15:08 ` Dembianny, Sven (GDE-EDSO)
2022-04-26 14:19 ` Ariel D'Alessandro
0 siblings, 1 reply; 8+ messages in thread
From: Dembianny, Sven (GDE-EDSO) @ 2022-04-25 15:08 UTC
To: connman; +Cc: ariel.dalessandro, Dembianny, Sven (GDE-EDSO)
Previous MFP support was restricted to WPA3, however it is also possible
to set MFP to mandatory on APs with WPA2.
wpa_supplicant config:
* WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
---
gsupplicant/supplicant.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 1b92ec44..e9152632 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -4969,6 +4969,10 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
}
add_network_ieee80211w(dict, ssid, ieee80211w);
+ } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
+ key_mgmt = "WPA-PSK-SHA256";
+ ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
+ add_network_ieee80211w(dict, ssid, ieee80211w);
} else {
key_mgmt = "WPA-PSK";
}
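Review bot: The new `else if` branch assigns `ieee80211w = G_SUPPLICANT_MFP_OPTIONAL`, but the commit message describes the goal as handling APs where MFP is set to mandatory, so the description and the code disagree about what the client enforces. With optional, the client can join an AP that requires MFP but does not itself insist on protection; if enforcement is intended, follow the branch above that assigns `G_SUPPLICANT_MFP_REQUIRED`, otherwise reword the commit message to say MFP is offered as optional for WPA-PSK-SHA256. The config line in the commit message also spells the option `iee80211w`; the wpa_supplicant network option is `ieee80211w`, where 1 means optional and 2 means required. A one-line comment in the branch stating why optional was chosen would help whoever touches this selection chain next.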
--
2.25.1
* Re: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-25 15:08 ` [PATCH 1/1] gsupplicant: Add MFP support for WPA2 Dembianny, Sven (GDE-EDSO)
@ 2022-04-26 14:19 ` Ariel D'Alessandro
2022-04-26 14:46 ` Marcel Holtmann
0 siblings, 1 reply; 8+ messages in thread
From: Ariel D'Alessandro @ 2022-04-26 14:19 UTC
To: Dembianny, Sven (GDE-EDSO), connman
Hi Sven,
On 4/25/22 12:08, Dembianny, Sven (GDE-EDSO) wrote:
> Previous MFP support was restricted to WPA3, however it is also possible
> to set MFP to mandatory on APs with WPA2.
>
> wpa_supplicant config:
>
> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
>
> Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
> ---
> gsupplicant/supplicant.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
> index 1b92ec44..e9152632 100644
> --- a/gsupplicant/supplicant.c
> +++ b/gsupplicant/supplicant.c
> @@ -4969,6 +4969,10 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
> ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
> }
> add_network_ieee80211w(dict, ssid, ieee80211w);
> + } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
> + key_mgmt = "WPA-PSK-SHA256";
> + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
> + add_network_ieee80211w(dict, ssid, ieee80211w);
> } else {
> key_mgmt = "WPA-PSK";
Shall we also consider the "WPA-PSK" case in the same way?
> }
Thanks,
Ariel
* Re: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-26 14:19 ` Ariel D'Alessandro
@ 2022-04-26 14:46 ` Marcel Holtmann
2022-04-27 7:20 ` Dembianny, Sven (GDE-EDSO)
0 siblings, 1 reply; 8+ messages in thread
From: Marcel Holtmann @ 2022-04-26 14:46 UTC
To: Ariel D'Alessandro; +Cc: Dembianny, Sven (GDE-EDSO), connman
Hi Ariel,
>> Previous MFP support was restricted to WPA3, however it is also possible
>> to set MFP to mandatory on APs with WPA2.
>>
>> wpa_supplicant config:
>>
>> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
>>
>> Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
>> ---
>> gsupplicant/supplicant.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
>> index 1b92ec44..e9152632 100644
>> --- a/gsupplicant/supplicant.c
>> +++ b/gsupplicant/supplicant.c
>> @@ -4969,6 +4969,10 @@ static void add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
>> ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
>> }
>> add_network_ieee80211w(dict, ssid, ieee80211w);
>> + } else if (ssid->keymgmt & G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
>> + key_mgmt = "WPA-PSK-SHA256";
>> + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
>> + add_network_ieee80211w(dict, ssid, ieee80211w);
>> } else {
>> key_mgmt = "WPA-PSK";
>
> Shall we also consider the "WPA-PSK" case in the same way?
I prefer we remove wpa_supplicant support from ConnMan and you start using iwd ;)
And I am only half joking since this part of wpa_supplicant is such a mess. Whatever key management they introduce next will turn into your next problem and compatibility issues. I am running independent SSIDs in my home network to deal with end consumer devices since they use a wpa_supplicant and management software that is too dumb.
With iwd the WiFi protocol is in one daemon and not split between two daemons.
Regards
Marcel
* RE: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-26 14:46 ` Marcel Holtmann
@ 2022-04-27 7:20 ` Dembianny, Sven (GDE-EDSO)
2022-04-27 12:45 ` Marcel Holtmann
0 siblings, 1 reply; 8+ messages in thread
From: Dembianny, Sven (GDE-EDSO) @ 2022-04-27 7:20 UTC
To: Marcel Holtmann, Ariel D'Alessandro; +Cc: connman
Hi Ariel,
hi Marcel,
> Hi Ariel,
>
> >> Previous MFP support was restricted to WPA3, however it is also
> >> possible to set MFP to mandatory on APs with WPA2.
> >>
> >> wpa_supplicant config:
> >>
> >> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
> >>
> >> Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
> >> ---
> >> gsupplicant/supplicant.c | 4 ++++
> >> 1 file changed, 4 insertions(+)
> >>
> >> diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
> >> index 1b92ec44..e9152632 100644
> >> --- a/gsupplicant/supplicant.c
> >> +++ b/gsupplicant/supplicant.c
> >> @@ -4969,6 +4969,10 @@ static void
> add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
> >> ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
> >> }
> >> add_network_ieee80211w(dict, ssid, ieee80211w);
> >> + } else if (ssid->keymgmt &
> G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
> >> + key_mgmt = "WPA-PSK-SHA256";
> >> + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
> >> + add_network_ieee80211w(dict, ssid, ieee80211w);
> >> } else {
> >> key_mgmt = "WPA-PSK";
> >
> > Shall we also consider the "WPA-PSK" case in the same way?
As to my understanding, MFP requires SHA256.
>
> I prefer we remove wpa_supplicant support from ConnMan and you start using
> iwd ;)
>
> And I am only half joking since this part of wpa_supplicant is such a mess.
> Whatever key management they introduce next will turn into your next
> problem and compatibility issues. I am running independent SSIDs in my home
> network to deal with end consumer device since they use a wpa_supplicant and
> management software that is too dumb.
>
> With iwd the WiFi protocol is in one daemon and not split between two
> daemons.
Unfortunately in our case we are tied to wpa_supplicant because of chip vendor specifications.
Best regards, Sven
>
> Regards
>
> Marcel
* Re: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-27 7:20 ` Dembianny, Sven (GDE-EDSO)
@ 2022-04-27 12:45 ` Marcel Holtmann
2022-05-09 7:46 ` Dembianny, Sven (GDE-EDSO)
0 siblings, 1 reply; 8+ messages in thread
From: Marcel Holtmann @ 2022-04-27 12:45 UTC
To: Dembianny, Sven (GDE-EDSO); +Cc: Ariel D'Alessandro, connman
Hi Sven,
>>>> Previous MFP support was restricted to WPA3, however it is also
>>>> possible to set MFP to mandatory on APs with WPA2.
>>>>
>>>> wpa_supplicant config:
>>>>
>>>> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
>>>>
>>>> Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
>>>> ---
>>>> gsupplicant/supplicant.c | 4 ++++
>>>> 1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
>>>> index 1b92ec44..e9152632 100644
>>>> --- a/gsupplicant/supplicant.c
>>>> +++ b/gsupplicant/supplicant.c
>>>> @@ -4969,6 +4969,10 @@ static void
>> add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
>>>> ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
>>>> }
>>>> add_network_ieee80211w(dict, ssid, ieee80211w);
>>>> + } else if (ssid->keymgmt &
>> G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
>>>> + key_mgmt = "WPA-PSK-SHA256";
>>>> + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
>>>> + add_network_ieee80211w(dict, ssid, ieee80211w);
>>>> } else {
>>>> key_mgmt = "WPA-PSK";
>>>
>>> Shall we also consider the "WPA-PSK" case in the same way?
>
> As to my understanding, MFP requires SHA256.
>
>>
>> I prefer we remove wpa_supplicant support from ConnMan and you start using
>> iwd ;)
>>
>> And I am only half joking since this part of wpa_supplicant is such a mess.
>> Whatever key management they introduce next will turn into your next
>> problem and compatibility issues. I am running independent SSIDs in my home
>> network to deal with end consumer device since they use a wpa_supplicant and
>> management software that is too dumb.
>>
>> With iwd the WiFi protocol is in one daemon and not split between two
>> daemons.
>
> Unfortunately in our case we are tied to wpa_supplicant because of chip vendor specifications.
that is horrible. What is missing in nl80211 that you need wpa_supplicant? I am really curious about that.
Regards
Marcel
* RE: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-04-27 12:45 ` Marcel Holtmann
@ 2022-05-09 7:46 ` Dembianny, Sven (GDE-EDSO)
2023-05-16 10:40 ` Dembianny, Sven (GDE-EDSO)
0 siblings, 1 reply; 8+ messages in thread
From: Dembianny, Sven (GDE-EDSO) @ 2022-05-09 7:46 UTC
To: Marcel Holtmann; +Cc: Ariel D'Alessandro, connman
Hi Marcel,
sorry for the late reply.
> -----Original Message-----
> From: Marcel Holtmann <marcel@holtmann.org>
> Sent: Wednesday, April 27, 2022 2:46 PM
> To: Dembianny, Sven (GDE-EDSO) <Sven.Dembianny@bshg.com>
> Cc: Ariel D'Alessandro <ariel.dalessandro@collabora.com>;
> connman@lists.linux.dev
> Subject: Re: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
>
> Hi Sven,
>
> >>>> Previous MFP support was restricted to WPA3, however it is also
> >>>> possible to set MFP to mandatory on APs with WPA2.
> >>>>
> >>>> wpa_supplicant config:
> >>>>
> >>>> * WPA2-Personal: key_mgmt="WPA-PSK-SHA256" ; iee80211w=1
> >>>>
> >>>> Signed-off-by: Sven Dembianny <sven.dembianny@bshg.com>
> >>>> ---
> >>>> gsupplicant/supplicant.c | 4 ++++
> >>>> 1 file changed, 4 insertions(+)
> >>>>
> >>>> diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
> >>>> index 1b92ec44..e9152632 100644
> >>>> --- a/gsupplicant/supplicant.c
> >>>> +++ b/gsupplicant/supplicant.c
> >>>> @@ -4969,6 +4969,10 @@ static void
> >> add_network_security(DBusMessageIter *dict, GSupplicantSSID *ssid)
> >>>> ieee80211w = G_SUPPLICANT_MFP_REQUIRED;
> >>>> }
> >>>> add_network_ieee80211w(dict, ssid, ieee80211w);
> >>>> + } else if (ssid->keymgmt &
> >> G_SUPPLICANT_KEYMGMT_WPA_PSK_256) {
> >>>> + key_mgmt = "WPA-PSK-SHA256";
> >>>> + ieee80211w = G_SUPPLICANT_MFP_OPTIONAL;
> >>>> + add_network_ieee80211w(dict, ssid, ieee80211w);
> >>>> } else {
> >>>> key_mgmt = "WPA-PSK";
> >>>
> >>> Shall we also consider the "WPA-PSK" case in the same way?
> >
> > As to my understanding, MFP requires SHA256.
> >
> >>
> >> I prefer we remove wpa_supplicant support from ConnMan and you start
> >> using iwd ;)
> >>
> >> And I am only half joking since this part of wpa_supplicant is such a mess.
> >> Whatever key management they introduce next will turn into your next
> >> problem and compatibility issues. I am running independent SSIDs in
> >> my home network to deal with end consumer device since they use a
> >> wpa_supplicant and management software that is too dumb.
> >>
> >> With iwd the WiFi protocol is in one daemon and not split between two
> >> daemons.
> >
> > Unfortunately in our case we are tied to wpa_supplicant because of chip
> vendor specifications.
>
> that is horrible. What is missing in nl80211 that you need wpa_supplicant? I am
> really curious about that.
You can find the patches on wpa_supplicant from the chip vendor in cypress-hostap_2_9-1-2022_0321.tar.gz, included in the driver package:
https://community.infineon.com/gfawx74859/attachments/gfawx74859/WiFiBluetoothLinux/2314/4/cypress-fmac-v5.10.9-2022_0331.zip
No idea if the Wi-Fi chip will also work with iwd without adaptations.
Best regards, Sven
* Re: [PATCH 1/1] gsupplicant: Add MFP support for WPA2
2022-05-09 7:46 ` Dembianny, Sven (GDE-EDSO)
@ 2023-05-16 10:40 ` Dembianny, Sven (GDE-EDSO)
0 siblings, 0 replies; 8+ messages in thread
From: Dembianny, Sven (GDE-EDSO) @ 2023-05-16 10:40 UTC
To: Marcel Holtmann; +Cc: Ariel D'Alessandro, connman
> > >>>
> > >>> Shall we also consider the "WPA-PSK" case in the same way?
> > >
> > > As to my understanding, MFP requires SHA256.
> > >
> > >>
> > >> I prefer we remove wpa_supplicant support from ConnMan and you start
> > >> using iwd ;)
> > >>
> > >> And I am only half joking since this part of wpa_supplicant is such a mess.
> > >> Whatever key management they introduce next will turn into your next
> > >> problem and compatibility issues. I am running independent SSIDs in
> > >> my home network to deal with end consumer device since they use a
> > >> wpa_supplicant and management software that is too dumb.
> > >>
> > >> With iwd the WiFi protocol is in one daemon and not split between two
> > >> daemons.
> > >
> > > Unfortunately in our case we are tied to wpa_supplicant because of chip
> > vendor specifications.
> >
> > that is horrible. What is missing in nl80211 that you need wpa_supplicant? I am
> > really curious about that.
>
> You can find the patches on wpa_supplicant from chip vendor in cypress-hostap_2_9-1-2022_0321.tar.gz, included in driver package:
>
> https://community.infineon.com/gfawx74859/attachments/gfawx74859/WiFiBluetoothLinux/2314/4/cypress-fmac-v5.10.9-2022_0331.zip
>
> No idea, if Wi-Fi chip will also work with iwd without adaptions.
>
> Best regards, Sven
Hi Marcel,
sorry, there was connman@lists.linux.dev missing in the first mail.
Any update here?
Unfortunately we can't solve the vendor dependencies, but I want to get rid of
manual updates of the patch for every connman release.
Asking the chip vendor for iwd support is all I could do at the moment. We
are planning to switch to iwd, but this needs alignment with the supplier.
Best regards, Sven