On 21/03/2022 09:38, Andrej Shadura wrote:
Hi,

On Sun, 20 Mar 2022, at 00:23, Masashi Honma wrote:
In my opinion, this issue could be closed.

These are the reasons.
1) It is not a wpa_supplicant issue but an AP issue.
2) Users affected by this issue have some workarounds.

It’s true, but I’m not quite happy about not being able to fix this.

Ľubomír (cc'ed), how did you deal with this issue in Fedora? I assume you must 
also have received reports from Fritzbox users.

Details of the 1)
The investigation has revealed that the AP is in violation of "2.3
WPA3-Personal transition mode" of the "WPA3 Specification v3.0", which
is causing the issue. Specifically, the target AP is setting MFPR to 1
even though it implicitly requires IEEE 802.11w. By "implicitly" we
mean that the Association Request fails with WLAN_STATUS_INVALID_IE
when using a Wi-Fi NIC with IEEE 802.11w disabled.

(I assume Masashi meant "the target AP is setting MFPC to 0").

Details of the 2)
We know that users who meet the following conditions are affected by this issue.
- Using FRITZ!Box 7580/7590 with WPA2+WPA3 mode
- Using wpa_supplicant with wpa_key_mgmt=SAE WPA-PSK
- Local Wi-Fi NIC does not support IEEE802.11w

Users affected by this issue can work around the issue in one of the
following ways.
- Use wpa_supplicant with WPA2 only mode (specify wpa_key_mgmt=WPA-PSK)
- Use FRITZ!Box 7580/7590 with WPA2 only mode
- Use IEEE 802.11w supporting Wi-Fi NIC

The WPA3 spec also indicates that when a non-AP STA uses WPA3,
it must use 802.11w. A strict interpretation of this spec would indicate that SAE should not be used by hardware without 802.11w support.

Complying with this spec could be a workaround: "if WPA-PSK and SAE are advertised, MFPR is not set and local hardware does not support MFP, do not use SAE".

This could however degrade security for APs that comply with the 802.11 specifications without complying with Wi-Fi specifications (i.e. which do not advertise themselves as "Wi-Fi").
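
The selection rule quoted in the last message, sketched in C as an added example; it is not wpa_supplicant code and not part of the original thread. The names `choose_akm`, `akm_choice` and `sample_rsne` are hypothetical, the sample RSNE is constructed, and the handling of cases outside the quoted rule (refusing when MFPR is set without local MFP, otherwise preferring SAE) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum akm_choice { AKM_NONE = 0, AKM_PSK, AKM_SAE };
#define RSN_CAP_MFPR 0x0040 /* RSN Capabilities bit 6: MFP required */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk an RSNE (element ID 48) and apply the rule proposed in the thread.
 * Returns AKM_NONE on a malformed element or when no usable AKM remains. */
enum akm_choice choose_akm(const uint8_t *ie, size_t len, int local_mfp)
{
    static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
    int psk = 0, sae = 0;
    size_t pos, n, i;
    uint16_t caps = 0;

    if (len < 2 || ie[0] != 48 || (size_t)ie[1] + 2 > len) return AKM_NONE;
    len = (size_t)ie[1] + 2;               /* ignore bytes past the element */
    pos = 2 + 2 + 4;                       /* header, version, group cipher */
    if (pos + 2 > len) return AKM_NONE;
    n = le16(ie + pos); pos += 2;          /* pairwise cipher suite count */
    if (n > (len - pos) / 4) return AKM_NONE;
    pos += 4 * n;
    if (pos + 2 > len) return AKM_NONE;
    n = le16(ie + pos); pos += 2;          /* AKM suite count */
    if (n > (len - pos) / 4) return AKM_NONE;
    for (i = 0; i < n; i++, pos += 4) {
        if (memcmp(ie + pos, oui, 3) != 0) continue;
        if (ie[pos + 3] == 2) psk = 1;     /* 00-0F-AC:2 PSK */
        if (ie[pos + 3] == 8) sae = 1;     /* 00-0F-AC:8 SAE */
    }
    if (pos + 2 <= len) caps = le16(ie + pos); /* optional RSN Capabilities */

    if ((caps & RSN_CAP_MFPR) && !local_mfp) return AKM_NONE; /* assumption */
    if (sae && psk && !local_mfp) return AKM_PSK; /* rule from the thread */
    if (sae) return AKM_SAE;                      /* assumption: prefer SAE */
    return psk ? AKM_PSK : AKM_NONE;
}

/* Constructed sample: WPA2+WPA3 transition-mode RSNE with MFPC=0, MFPR=0. */
const uint8_t sample_rsne[] = {
    48, 24, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,   /* version 1, group CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,           /* 1 pairwise suite: CCMP */
    0x02, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x0f, 0xac, 0x08, /* PSK, SAE */
    0x00, 0x00                                    /* RSN Capabilities */
};
```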
