[OpenWrt-Devel] hostap commit 6c9543fcb breaks MESH-SAE with wolfssl

Daniel Golle daniel at makrotopia.org
Wed May 13 06:46:03 EDT 2020


Hi Jouni,

thanks for the quick reply!

On Wed, May 13, 2020 at 11:38:17AM +0300, Jouni Malinen wrote:
> On Tue, May 12, 2020 at 10:46:12PM +0100, Daniel Golle wrote:
> > After hours of bisecting which change between hostapd_2_8 and
> > hostapd_2_9 broke SAE in mesh mode with WolfSSL we got a result:
> > 
> > > commit 6c9543fcb7962e26c2a91c43089abe171d073b44
> > > Author: Jouni Malinen <jouni at codeaurora.org>
> > > Date:   Thu Apr 25 20:18:27 2019 +0300
> > > 
> > > Share common SAE and EAP-pwd functionality: random qr/qnr creation
> > > 
> > > Use a shared helper function to create random qr/qnr values.
> > > 
> > > Signed-off-by: Jouni Malinen <jouni at codeaurora.org>
> > 
> > While when building against OpenSSL, things keep working also after
> > the above commit, when building against WolfSSL, the node hangs in
> > LISTEN state for a long time and then ends up BLOCKED.
> > I've tried with WolfSSL 3.14.4 and WolfSSL 4.3.0-stable-1 with
> > identical results.
> 
> This works fine in my tests with 4.3.0. All the mac80211_hwsim test
> cases for mesh pass with the current wpa_supplicant snapshot built with
> WolfSSL 4.3.0.

Odd, but could be endian or sizeof(int) related differences. I assume
you are testing on x86_64 glibc while I'm testing this on MIPS24kc
(big endian!) with musl libc running on QCA SoCs.

> 
> > Going back to commit 2b84ca4dd
> > ("Share common SAE and EAP-pwd functionality: suitable groups") makes
> > things working again also with WolfSSL.
> > 
> > On first sight there seems nothing wrong with that commit to me, but
> > apparently it does break things :(
> > 
> > Any ideas helping to fix this would be highly appreciated!
> 
> Can you please share some more details on how you are testing this and
> ideally, debug logs from two devices for a case that fails with WolfSSL,
> but works with OpenSSL? I'd like to also get a confirmation that you are
> seeing the issue with the current snapshot of the master branch in
> hostap.git since that is the version I would be using for any debugging
> of the issue.

I've tried plain wpa_supplicant as well as with OpenWrt's patches, all
built against WolfSSL 4.3.0-stable.


using git revision 2b84ca4d :

root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
Using interface wlan1-mesh with hwaddr 64:70:02:xx:xx:xx and ssid ""
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED 
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx


using git revision 6c9543fc :

root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
Using interface wlan1-mesh with hwaddr 64:70:02:xx:xx:xx and ssid ""
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED 
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-BLOCKED addr=04:18:d6:xx:xx:xx duration=300
...(after a minute or two)


using git revision 0f58c88f :

root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED 
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
... (takes VERY long for each line)


using git revision 0f58c88f, but built against OpenSSL 1.1.1g:

root@OpenWrt:~# wpa_supplicant -ddd -P /var/run/wpa_supplicant-wlan1-mesh.pid -D nl80211 -i wlan1-mesh -c /var/run/wpa_supplicant-wlan1-mesh.conf
Successfully initialized wpa_supplicant
wlan1-mesh: interface state UNINITIALIZED->ENABLED
wlan1-mesh: AP-ENABLED 
wlan1-mesh: joining mesh LiMe
wlan1-mesh: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
wlan1-mesh: MESH-GROUP-STARTED ssid="LiMe" id=0
wlan1-mesh: new peer notification for 04:18:d6:xx:xx:xx
Mesh RSN: frame verification failed!
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx


configuration is identical for all those tests:

network={
        ssid="LiMe"
        key_mgmt=SAE
        mode=5
        fixed_freq=1
        frequency=5765
        ht40=1
        max_oper_chwidth=0
        sae_password="XXXXXXXX"
        beacon_int=100
        mcast_rate=6
}


The build environment is currently on an otherwise unused system wired
up to the two QCA devices for testing. We could arrange remote access
via SSH or you can tell me to build/test whatever you'd like me to and
I'll report back.
If you'd like to reproduce this locally or even include in your CI,
I guess that building Linux and wpa_supplicant for MIPS Malta (BE) and
running that in qemu-system-mips will show similar results as my
testing on real hardware.


Best regards


Daniel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
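
Added example, not part of the original message or of hostap: a small classifier for the wpa_supplicant mesh events shown in the logs above, returning an exit code in the convention `git bisect run` uses (0 good, 1 bad, 125 skip). The function names and the good/bad policy are assumptions of this example; the sample lines are excerpts copied from the logs in the message.

```python
import re
from collections import defaultdict

# Event names exactly as they appear in the wpa_supplicant output quoted above.
EVENT_RE = re.compile(
    r"^[\w-]+: (?P<event>MESH-SAE-AUTH-FAILURE|MESH-SAE-AUTH-BLOCKED|"
    r"MESH-PEER-CONNECTED) (?:addr=)?(?P<peer>[0-9A-Fa-fx:]{17})"
    r"(?: duration=(?P<duration>\d+))?")
# Excerpts copied from the logs in the message (MAC already masked there).
LOG_2B84CA4D = """\
wlan1-mesh: mesh plink with 04:18:d6:xx:xx:xx established
wlan1-mesh: MESH-PEER-CONNECTED 04:18:d6:xx:xx:xx
"""
LOG_6C9543FC = """\
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-FAILURE addr=04:18:d6:xx:xx:xx
wlan1-mesh: MESH-SAE-AUTH-BLOCKED addr=04:18:d6:xx:xx:xx duration=300
"""

def summarize(log_text):
    """Return {peer: {"failures": n, "blocked_for": seconds, "connected": bool}}."""
    peers = defaultdict(lambda: {"failures": 0, "blocked_for": 0, "connected": False})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # debug chatter and unrelated events
        entry = peers[m["peer"].lower()]
        if m["event"] == "MESH-SAE-AUTH-FAILURE":
            entry["failures"] += 1
        elif m["event"] == "MESH-SAE-AUTH-BLOCKED":
            entry["blocked_for"] = int(m["duration"] or 0)
        else:
            entry["connected"] = True
    return dict(peers)

def bisect_exit_code(log_text):
    """0 = good, 1 = bad, 125 = skip (the exit codes `git bisect run` expects)."""
    peers = summarize(log_text).values()
    if any(p["connected"] for p in peers):
        return 0
    if any(p["failures"] or p["blocked_for"] for p in peers):
        return 1
    return 125  # no peer event seen: inconclusive, do not blame this revision

if __name__ == "__main__":
    for name, log in (("2b84ca4d", LOG_2B84CA4D), ("6c9543fc", LOG_6C9543FC)):
        print(name, bisect_exit_code(log), summarize(log))
```
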


