WICED Studio Wi-Fi Combo

Contributor

We have a device based on a CYW43907 with a firmware acting as a WiFi client using WICED SDK 6.4.0.

We see that joining to some Access Points just fails. After investigating this issue we found that the APs in question have Fast Roaming enabled. Due to this the auth_type of the AP has the following flags set:

WPA2_SECURITY

TKIP_ENABLED

AES_ENABLED

FBT_ENABLED

Unfortunately the Cypress SDK has several code places where the auth_type of the AP gets compared against pre-defined values of the enum wiced_security_t. In this enum there is no combination of these 4 flags. Thus some code places (like for example wwd_wifi_prepare_join() in wwd_wifi.c) fail because they get a combination of flags not being supported by wiced_security_t and therefore treat the auth_type as WPA_AUTH_DISABLED. So a join is not possible.

The problem is that this issue occurs with for example all TP-Link Deco APs which are quite popular on consumer level.

Our interim fix is to add the following value to the enum wiced_security_t:

    WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED )

and treat this value the same way as WICED_SECURITY_WPA2_MIXED_PSK.

This indeed fixes the issue but we are not sure if this is the right approach and if this might cause side-effects on other code places. We added WICED_SECURITY_WPA2_MIXED_FBT_PSK wherever WICED_SECURITY_WPA2_MIXED_PSK was present as well.

Any thoughts on this?

Stefan

14 Replies
Moderator

Hello:

We have a default setting which indicates FBT_ENABLED can be set with the security together:

WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

and AES, TKIP can be set together also, so I think the solution is ok.

Honored Contributor

Do you think enterprise security needs a similar fix as well for the FBT_ENABLED case?

0 Likes
Reply
Contributor

Well, yes, Enterprise has the same issue: there is no AES/TKIP/FBT combination for it.

So one should add the following to wiced_security_t:

    WICED_SECURITY_WPA2_MIXED_FBT_ENT = ( ENTERPRISE_ENABLED | WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ), /**< WPA2 Enterprise Security with AES & TKIP & FBT              */

and of course add WICED_SECURITY_WPA2_MIXED_FBT_ENT at the correct places in the various code files.

0 Likes
Reply
Contributor

But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

Just adding a new entry to wiced_security_t is not enough.

It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

0 Likes
Reply
Honored Contributor

StBa_721356 wrote:

But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

Just adding a new entry to wiced_security_t is not enough.

It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

ZhengbaoZ_96

Can you post a patch for the complete fix of the issue?

0 Likes
Reply
Moderator

Thanks, I will have a detailed look at the wiced_security_t usage.

0 Likes
Reply
Contributor

IMHO it is not a good idea to check for specific combinations of the flags in wiced_security_t because one can easily miss a combination and then have a case where the auth_type is invalid. This is already the case for several combinations like FBT+TKIP without AES and such. So it would be better to check against individual flags instead.

0 Likes
Reply
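The failure described in the opening post and the flag-based alternative suggested in the post above, as an added example that is not part of the thread or of the SDK. Flag and result names are taken from the thread; all numeric values, `AUTH_UNSUPPORTED` and both function names are assumptions made for this sketch, which covers WPA2 Personal only and assumes an `auth_type` of 0 means an open network.

```c
#include <stdint.h>

/* Flag and result names come from the thread; every numeric value here is a
 * constructed placeholder, not the SDK's definition. */
#define TKIP_ENABLED       (1u << 0)
#define AES_ENABLED        (1u << 1)
#define WPA2_SECURITY      (1u << 2)
#define ENTERPRISE_ENABLED (1u << 3)
#define FBT_ENABLED        (1u << 4)
#define WPA_AUTH_DISABLED  0x00u
#define WPA2_AUTH_PSK      0x01u
#define WPA2_AUTH_FT       0x02u
#define AUTH_UNSUPPORTED   0xFFu /* hypothetical: explicit rejection */

/* Exact-match style described in the thread: a combination that is not
 * listed silently ends up as "disabled". */
uint32_t wpa_auth_exact_match(uint32_t auth_type)
{
    switch (auth_type) {
    case WPA2_SECURITY | AES_ENABLED:
    case WPA2_SECURITY | TKIP_ENABLED:
    case WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED:
        return WPA2_AUTH_PSK;
    case WPA2_SECURITY | AES_ENABLED | FBT_ENABLED:
        return WPA2_AUTH_PSK | WPA2_AUTH_FT;
    default:
        return WPA_AUTH_DISABLED;
    }
}

/* Flag-based style (hypothetical helper): decide from individual bits and
 * reject anything not handled instead of treating it as open. */
uint32_t wpa_auth_from_flags(uint32_t auth_type)
{
    const uint32_t known = TKIP_ENABLED | AES_ENABLED | WPA2_SECURITY |
                           ENTERPRISE_ENABLED | FBT_ENABLED;
    if (auth_type == 0)
        return WPA_AUTH_DISABLED;        /* assumed: 0 is an open network */
    if ((auth_type & ~known) || !(auth_type & WPA2_SECURITY) ||
        !(auth_type & (AES_ENABLED | TKIP_ENABLED)) ||
        (auth_type & ENTERPRISE_ENABLED))
        return AUTH_UNSUPPORTED;         /* fail closed, never "disabled" */
    return WPA2_AUTH_PSK | ((auth_type & FBT_ENABLED) ? WPA2_AUTH_FT : 0u);
}
```
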
Honored Contributor

The comment of WICED_SECURITY_WPA2_FBT_PSK says /**< WPA2 FBT PSK Security with AES & TKIP */,

however according to the code it actually is for WPA2 FBT PSK Security with AES only.

So not sure which part is correct.

0 Likes
Reply
Contributor

Here is our patch:

Date: Thu, 7 Nov 2019 11:35:53 +0100

Subject: [PATCH] add support for Fast Roaming in WPA2 Personal

---

WICED/WWD/include/wwd_constants.h          |  5 +++++

WICED/WWD/internal/wwd_wifi.c              | 11 ++++++++++-

WICED/internal/wifi.c                      |  3 +++

WICED/security/BESL/host/WICED/wiced_wps.c |  3 +++

include/wiced_defaults.h                   |  4 ++++

5 files changed, 25 insertions(+), 1 deletion(-)

diff --git WICED/WWD/include/wwd_constants.h WICED/WWD/include/wwd_constants.h

index a147288bd..9ef9a3a9c 100644

--- WICED/WWD/include/wwd_constants.h

+++ WICED/WWD/include/wwd_constants.h

@@ -45,6 +45,8 @@

#include <string.h>

#endif

+#include "wiced_defaults.h"

+

#ifdef __cplusplus

extern "C"

{
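
Review bot: the added #include "wiced_defaults.h" at the top of WICED/WWD/include/wwd_constants.h makes the WWD driver header depend on the top-level include/wiced_defaults.h only so that the #ifdef inside wiced_security_t can see WICED_ALLOW_FBT_ON_WPA2_PERSONAL. Consider defining the enumerator unconditionally and guarding only the places that use it, so the set of wiced_security_t values does not vary with configuration and this include is not needed.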

@@ -492,6 +494,9 @@ typedef enum

     WICED_SECURITY_WPA2_AES_PSK   = ( WPA2_SECURITY | AES_ENABLED ),                                     /**< WPA2 PSK Security with AES                            */

     WICED_SECURITY_WPA2_TKIP_PSK  = ( WPA2_SECURITY | TKIP_ENABLED ),                                    /**< WPA2 PSK Security with TKIP                           */

     WICED_SECURITY_WPA2_MIXED_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED ),                      /**< WPA2 PSK Security with AES & TKIP                     */

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+    WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ),    /**< WPA2 PSK Security with AES & TKIP & FBT                     */

+#endif

     WICED_SECURITY_WPA2_FBT_PSK   = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED),                        /**< WPA2 FBT PSK Security with AES & TKIP */

     WICED_SECURITY_WPA3_SAE       = ( WPA3_SECURITY | AES_ENABLED ),                                     /**< WPA3 Security with AES */

     WICED_SECURITY_WPA3_WPA2_PSK  = ( WPA3_SECURITY | WPA2_SECURITY | AES_ENABLED ),                     /**< WPA3 WPA2 PSK Security with AES */
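
Review bot: on the unchanged line directly below the new enumerator, WICED_SECURITY_WPA2_FBT_PSK is defined as ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED ) but its comment reads "with AES & TKIP". With the new AES & TKIP & FBT value sitting next to it the two are easy to confuse, so the comment should be corrected to AES only in this same change. The patch also adds exactly one combination; it adds no value for TKIP with FBT but without AES or for Enterprise with FBT, which is worth stating in the commit message.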

diff --git WICED/WWD/internal/wwd_wifi.c WICED/WWD/internal/wwd_wifi.c

index 43423f18e..8a7e088f1 100644

--- WICED/WWD/internal/wwd_wifi.c

+++ WICED/WWD/internal/wwd_wifi.c

@@ -1213,7 +1213,10 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

              ( auth_type == WICED_SECURITY_WPA_AES_PSK ) ||

              ( auth_type == WICED_SECURITY_WPA2_AES_PSK ) ||

              ( auth_type == WICED_SECURITY_WPA2_TKIP_PSK ) ||

-             ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+             ( auth_type == WICED_SECURITY_WPA2_MIXED_FBT_PSK ) ||

+#endif

+     ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

            ( (key_length > (uint8_t) WSEC_MAX_SAE_PASSWORD_LEN) &&

              ( ( auth_type == WICED_SECURITY_WPA3_SAE) ||

                ( auth_type == WICED_SECURITY_WPA3_WPA2_PSK ) ) ) )
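
Review bot: the WICED_SECURITY_WPA2_MIXED_PSK comparison is removed and re-added with different leading whitespace (the - line and the last + line differ only in indentation), which is where the single deletion in the diffstat comes from. Insert the three new lines above the existing comparison and leave that line untouched, so the hunk is purely additive and the indentation stays consistent with the lines around it.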

@@ -1271,6 +1274,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

         case WICED_SECURITY_WPA2_AES_PSK:

         case WICED_SECURITY_WPA2_TKIP_PSK:

         case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

         case WICED_SECURITY_WPA2_FBT_PSK:

             /* Set the EAPOL key packet timeout value, otherwise unsuccessful supplicant events aren't reported. If the IOVAR is unsupported then continue. */

             CHECK_RETURN_UNSUPPORTED_CONTINUE( wwd_wifi_set_supplicant_eapol_key_timeout( interface, DEFAULT_EAPOL_KEY_PACKET_TIMEOUT ) );

@@ -1407,6 +1413,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

         case WICED_SECURITY_WPA2_MIXED_PSK:

             *wpa_auth = (uint32_t) WPA2_AUTH_PSK;

             break;

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

         case WICED_SECURITY_WPA2_FBT_PSK:

             *wpa_auth = (uint32_t) (WPA2_AUTH_PSK | WPA2_AUTH_FT);

             break;
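
Review bot: the new case label is placed on the WICED_SECURITY_WPA2_FBT_PSK arm, so the new value yields WPA2_AUTH_PSK | WPA2_AUTH_FT, while in the wifi.c and wiced_wps.c hunks it is grouped with WICED_SECURITY_WPA2_MIXED_PSK. If requesting FT here is intentional, add a short comment saying that the FBT bit decides this arm and the cipher bits decide the others; otherwise the differing grouping reads like an oversight.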

diff --git WICED/internal/wifi.c WICED/internal/wifi.c

index 3342c1484..745359dd1 100644

--- WICED/internal/wifi.c

+++ WICED/internal/wifi.c

@@ -1254,6 +1254,9 @@ static void* wiced_link_events_handler( const wwd_event_header_t* event_header,

                     case WICED_SECURITY_WPA2_AES_PSK:

                     case WICED_SECURITY_WPA2_TKIP_PSK:

                     case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+                    case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

                     case WICED_SECURITY_WPA_TKIP_ENT:

                     case WICED_SECURITY_WPA_AES_ENT:

                     case WICED_SECURITY_WPA_MIXED_ENT:
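
Review bot: in this case list the visible context has no WICED_SECURITY_WPA2_FBT_PSK label between WICED_SECURITY_WPA2_MIXED_PSK and the ENT entries, yet the new FBT value is added here. Please confirm that the existing AES-only FBT value is handled elsewhere in wiced_link_events_handler(); if it is not, it needs the same label at this spot.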

diff --git WICED/security/BESL/host/WICED/wiced_wps.c WICED/security/BESL/host/WICED/wiced_wps.c

index ecf2c5ccf..0e5b67ca1 100644

--- WICED/security/BESL/host/WICED/wiced_wps.c

+++ WICED/security/BESL/host/WICED/wiced_wps.c

@@ -1119,6 +1119,9 @@ void wps_host_retrieve_credential( void* workspace, wps_credential_t* credential

             credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

             break;

         case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

             credential->encryption_type     = WPS_MIXED_ENCRYPTION;

             credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

             break;

diff --git include/wiced_defaults.h include/wiced_defaults.h

index 62c28c902..b9a1e44cf 100644

--- include/wiced_defaults.h

+++ include/wiced_defaults.h

@@ -44,6 +44,10 @@ extern "C"

  *  a lot of memory (including dynamic memory)

  */

+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

+#define WICED_ALLOW_FBT_ON_WPA2_PERSONAL /* allow FBT within WPA2 Personal */

+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

+

/* Select which group of functions are allowed to print */

/* WPRINT_ENABLE_<MODULE>_ERROR - Enable print messages in the respective <MODULE> that are present

  * as WPRINT_<MODULE>_ERROR.
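
Review bot: WICED_ALLOW_FBT_ON_WPA2_PERSONAL is defined unconditionally in include/wiced_defaults.h, so switching it off for testing means editing the header. Either document that next to the define or move the choice to a build-time setting, and extend the one-line comment to say that the macro adds a wiced_security_t value and changes the join path in four files.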

--

2.21.0 (Apple Git-122.2)

We use a new #define WICED_ALLOW_FBT_ON_WPA2_PERSONAL to be able to turn this off for testing purposes.

0 Likes
Reply
Moderator

Hello:

We have an internal ticket which is for the review of your patch. Once finished, I will have a test and post it here, thanks.

0 Likes
Reply
Honored Contributor

ZhengbaoZ_96 wrote:

Hello:

We have an internal ticket which is for the review of your patch. Once finished, I will have a test and post it here, thanks.

Hi ZhengbaoZ_96

It's difficult to understand the status of this issue since you don't update it.

StBa_721356's patch is not included in wiced-6.6.0.

Is there something wrong in StBa_721356's patch or is it fixed in a different way? Confused.

0 Likes
Reply
Moderator

Hello:

I checked the internal review comments, the patch is ok.

0 Likes
Reply
Honored Contributor

ZhengbaoZ_96 wrote:

Hello:

I checked the internal review comments, the patch is ok.

Since this patch is not applied to sdk-6.6, the users will still hit the same problem in the latest sdk.

So why not apply the patch, since the patch is reviewed and considered ok?

0 Likes
Reply
Honored Contributor

ZhengbaoZ_96 wrote:

Hello:

We have a default setting which indicates FBT_ENABLED can be set with the security together:

WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

and AES, TKIP can be set together also, so I think the solution is ok.

Can you explain why I don't find WICED_SECURITY_WPA2_MIXED_FBT_PSK in wiced-6.6.0?

0 Likes
Reply