14 Replies Latest reply on Oct 18, 2020 7:19 PM by AxLi_1746341

    Joining fails to some APs which have Fast Roaming enabled

    StBa_721356

      We have a device based on a CYW43907 with a firmware acting as a WiFi client using WICED SDK 6.4.0.

       

      We see that joining to some Access Points just fails. After investigating this issue we found that the APs in question have Fast Roaming enabled. Due to this the auth_type of the AP has the following flags set:

      WPA2_SECURITY

      TKIP_ENABLED

      AES_ENABLED

      FBT_ENABLED

       

      Unfortunately the Cypress SDK has several code places where the auth_type of the AP gets compared against pre-defined values of the enum wiced_security_t. In this enum there is no combination of these 4 flags. Thus some code places (like for example wwd_wifi_prepare_join() in wwd_wifi.c) fail because they get a combination of flags not being supported by wiced_security_t and therefore treat the auth_type as WPA_AUTH_DISABLED. So a join is not possible.

       

      The problem is that this issue occurs with, for example, all TP-Link Deco APs, which are quite popular at the consumer level.

       

      Our interim fix is to add the following value to the enum wiced_security_t:

       

          WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED )

       

      and treat this value the same way as WICED_SECURITY_WPA2_MIXED_PSK.

       

      This indeed fixes the issue but we are not sure if this is the right approach and if this might cause side-effects on other code places. We added WICED_SECURITY_WPA2_MIXED_FBT_PSK wherever WICED_SECURITY_WPA2_MIXED_PSK was present as well.

       

      Any thoughts on this?

       

      Stefan

        • 1. Re: Joining fails to some APs which have Fast Roaming enabled
          ZhengbaoZ_96

          Hello:

           

          We have a default setting which indicates FBT_ENABLED can be set with the security together:

           

          WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

           

          and AES, TKIP can be set together also, so I think the solution is ok.

          • 2. Re: Joining fails to some APs which have Fast Roaming enabled
            AxLi_1746341

            Do you think enterprise security needs a similar fix as well for the FBT_ENABLED case?

            • 3. Re: Joining fails to some APs which have Fast Roaming enabled
              StBa_721356

              Well, yes, Enterprise has the same issue: there is no AES/TKIP/FBT combination for it.

               

              So one should add the following to wiced_security_t:

               

                  WICED_SECURITY_WPA2_MIXED_FBT_ENT = ( ENTERPRISE_ENABLED | WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ), /**< WPA2 Enterprise Security with AES & TKIP & FBT              */

               

              and of course add WICED_SECURITY_WPA2_MIXED_FBT_ENT at the correct places in the various code files.

              • 4. Re: Joining fails to some APs which have Fast Roaming enabled
                StBa_721356

                But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

                Just adding a new entry to wiced_security_t is not enough.

                 

                It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

                • 5. Re: Joining fails to some APs which have Fast Roaming enabled
                  AxLi_1746341

                  StBa_721356 wrote:

                   

                  But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

                  Just adding a new entry to wiced_security_t is not enough.

                   

                  It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

                  ZhengbaoZ_96

                  Can you post a patch for the complete fix of the issue?

                  • 6. Re: Joining fails to some APs which have Fast Roaming enabled
                    ZhengbaoZ_96

                    Thanks, I will have a detailed look at the wiced_security_t usage.

                    • 7. Re: Joining fails to some APs which have Fast Roaming enabled
                      StBa_721356

                      Here is our patch:

                       

                       

                      Date: Thu, 7 Nov 2019 11:35:53 +0100

                      Subject: [PATCH] add support for Fast Roaming in WPA2 Personal

                       

                       

                      ---

                      WICED/WWD/include/wwd_constants.h          |  5 +++++

                      WICED/WWD/internal/wwd_wifi.c              | 11 ++++++++++-

                      WICED/internal/wifi.c                      |  3 +++

                      WICED/security/BESL/host/WICED/wiced_wps.c |  3 +++

                      include/wiced_defaults.h                   |  4 ++++

                      5 files changed, 25 insertions(+), 1 deletion(-)

                       

                       

                      diff --git WICED/WWD/include/wwd_constants.h WICED/WWD/include/wwd_constants.h

                      index a147288bd..9ef9a3a9c 100644

                      --- WICED/WWD/include/wwd_constants.h

                      +++ WICED/WWD/include/wwd_constants.h

                      @@ -45,6 +45,8 @@

                      #include <string.h>

                      #endif

                       

                      +#include "wiced_defaults.h"

                      +

                      #ifdef __cplusplus

                      extern "C"

                      {
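
                      Review bot: The new #include "wiced_defaults.h" at the top of wwd_constants.h makes the WWD-level constants header depend on a header from the top-level include/ directory, only to pick up one feature macro. Consider passing WICED_ALLOW_FBT_ON_WPA2_PERSONAL as a build define, or placing it in a WWD-level configuration header, so that wwd_constants.h does not need the application include path to compile.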

                      @@ -492,6 +494,9 @@ typedef enum

                           WICED_SECURITY_WPA2_AES_PSK   = ( WPA2_SECURITY | AES_ENABLED ),                                     /**< WPA2 PSK Security with AES                            */

                           WICED_SECURITY_WPA2_TKIP_PSK  = ( WPA2_SECURITY | TKIP_ENABLED ),                                    /**< WPA2 PSK Security with TKIP                           */

                           WICED_SECURITY_WPA2_MIXED_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED ),                      /**< WPA2 PSK Security with AES & TKIP                     */

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +    WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ),    /**< WPA2 PSK Security with AES & TKIP & FBT                     */

                      +#endif

                           WICED_SECURITY_WPA2_FBT_PSK   = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED),                        /**< WPA2 FBT PSK Security with AES & TKIP */

                           WICED_SECURITY_WPA3_SAE       = ( WPA3_SECURITY | AES_ENABLED ),                                     /**< WPA3 Security with AES */

                           WICED_SECURITY_WPA3_WPA2_PSK  = ( WPA3_SECURITY | WPA2_SECURITY | AES_ENABLED ),                     /**< WPA3 WPA2 PSK Security with AES */
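
                      Review bot: The comment on the context line for WICED_SECURITY_WPA2_FBT_PSK says "AES & TKIP" while its value is ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED), and with the new MIXED_FBT enumerator directly above it the two now read as if they described the same mode. Correct that comment to AES only in this patch, and align the closing of the new enumerator's comment with the neighbouring lines. Because the enumerator exists only under the #ifdef, every switch that names it needs the same guard, so a missed guard elsewhere becomes a build error only when the macro is turned off.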

                      diff --git WICED/WWD/internal/wwd_wifi.c WICED/WWD/internal/wwd_wifi.c

                      index 43423f18e..8a7e088f1 100644

                      --- WICED/WWD/internal/wwd_wifi.c

                      +++ WICED/WWD/internal/wwd_wifi.c

                      @@ -1213,7 +1213,10 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

                                    ( auth_type == WICED_SECURITY_WPA_AES_PSK ) ||

                                    ( auth_type == WICED_SECURITY_WPA2_AES_PSK ) ||

                                    ( auth_type == WICED_SECURITY_WPA2_TKIP_PSK ) ||

                      -             ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +             ( auth_type == WICED_SECURITY_WPA2_MIXED_FBT_PSK ) ||

                      +#endif

                      +     ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

                                  ( (key_length > (uint8_t) WSEC_MAX_SAE_PASSWORD_LEN) &&

                                    ( ( auth_type == WICED_SECURITY_WPA3_SAE) ||

                                      ( auth_type == WICED_SECURITY_WPA3_WPA2_PSK ) ) ) )
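
                      Review bot: In the key-length condition the line "( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||" is removed and re-added with different leading whitespace, which turns a pure insertion into a -/+ pair and suggests a tab slipped in. Leave the original line untouched and insert the guarded WICED_SECURITY_WPA2_MIXED_FBT_PSK comparison above it, so the hunk shows only the three added lines.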

                      @@ -1271,6 +1274,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

                               case WICED_SECURITY_WPA2_AES_PSK:

                               case WICED_SECURITY_WPA2_TKIP_PSK:

                               case WICED_SECURITY_WPA2_MIXED_PSK:

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

                      +#endif

                               case WICED_SECURITY_WPA2_FBT_PSK:

                                   /* Set the EAPOL key packet timeout value, otherwise unsuccessful supplicant events aren't reported. If the IOVAR is unsupported then continue. */

                                   CHECK_RETURN_UNSUPPORTED_CONTINUE( wwd_wifi_set_supplicant_eapol_key_timeout( interface, DEFAULT_EAPOL_KEY_PACKET_TIMEOUT ) );
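
                      Review bot: The guarded case label added here is the first of four identical three-line #ifdef blocks placed inside switch statements by this patch (one more in this file, one in wifi.c, one in wiced_wps.c), and nothing ties them together. A single helper defined next to the enumerator, for example a macro that expands to the case label or to nothing, would keep the guards from drifting apart when the next flag combination is added.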

                      @@ -1407,6 +1413,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

                               case WICED_SECURITY_WPA2_MIXED_PSK:

                                   *wpa_auth = (uint32_t) WPA2_AUTH_PSK;

                                   break;

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

                      +#endif

                               case WICED_SECURITY_WPA2_FBT_PSK:

                                   *wpa_auth = (uint32_t) (WPA2_AUTH_PSK | WPA2_AUTH_FT);

                                   break;
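
                      Review bot: In the wpa_auth switch the new label falls through to the WICED_SECURITY_WPA2_FBT_PSK branch, so the join requests WPA2_AUTH_PSK | WPA2_AUTH_FT, whereas the WPS hunk groups the same value with WICED_SECURITY_WPA2_MIXED_PSK. If that asymmetry is intended, say so in a comment at the case label and in the commit message, which currently does not describe where the new value follows the FBT path and where it follows the mixed PSK path.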

                      diff --git WICED/internal/wifi.c WICED/internal/wifi.c

                      index 3342c1484..745359dd1 100644

                      --- WICED/internal/wifi.c

                      +++ WICED/internal/wifi.c

                      @@ -1254,6 +1254,9 @@ static void* wiced_link_events_handler( const wwd_event_header_t* event_header,

                                           case WICED_SECURITY_WPA2_AES_PSK:

                                           case WICED_SECURITY_WPA2_TKIP_PSK:

                                           case WICED_SECURITY_WPA2_MIXED_PSK:

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +                    case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

                      +#endif

                                           case WICED_SECURITY_WPA_TKIP_ENT:

                                           case WICED_SECURITY_WPA_AES_ENT:

                                           case WICED_SECURITY_WPA_MIXED_ENT:
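
                      Review bot: The visible case list in wiced_link_events_handler() gains WICED_SECURITY_WPA2_MIXED_FBT_PSK but shows no WICED_SECURITY_WPA2_FBT_PSK label next to it, unlike both switch hunks in wwd_wifi.c. Please check whether the existing FBT value is handled elsewhere in this switch; if it is not, the two FBT values are treated differently on link events, and that deserves either a fix or a comment.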

                      diff --git WICED/security/BESL/host/WICED/wiced_wps.c WICED/security/BESL/host/WICED/wiced_wps.c

                      index ecf2c5ccf..0e5b67ca1 100644

                      --- WICED/security/BESL/host/WICED/wiced_wps.c

                      +++ WICED/security/BESL/host/WICED/wiced_wps.c

                      @@ -1119,6 +1119,9 @@ void wps_host_retrieve_credential( void* workspace, wps_credential_t* credential

                                   credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

                                   break;

                               case WICED_SECURITY_WPA2_MIXED_PSK:

                      +#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

                      +        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

                      +#endif

                                   credential->encryption_type     = WPS_MIXED_ENCRYPTION;

                                   credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

                                   break;
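
                      Review bot: Grouping the new label with WICED_SECURITY_WPA2_MIXED_PSK in wps_host_retrieve_credential() stores the credential as WPS_MIXED_ENCRYPTION with WPS_WPA2_PSK_AUTHENTICATION, so the FBT flag is not represented in the credential. A one-line comment at the label stating that dropping FBT here is intentional would keep the next reader from assuming it was overlooked.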

                      diff --git include/wiced_defaults.h include/wiced_defaults.h

                      index 62c28c902..b9a1e44cf 100644

                      --- include/wiced_defaults.h

                      +++ include/wiced_defaults.h

                      @@ -44,6 +44,10 @@ extern "C"

                        *  a lot of memory (including dynamic memory)

                        */

                       

                      +/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

                      +#define WICED_ALLOW_FBT_ON_WPA2_PERSONAL /* allow FBT within WPA2 Personal */

                      +/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

                      +

                      /* Select which group of functions are allowed to print */

                      /* WPRINT_ENABLE_<MODULE>_ERROR - Enable print messages in the respective <MODULE> that are present

                        * as WPRINT_<MODULE>_ERROR.
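
                      Review bot: WICED_ALLOW_FBT_ON_WPA2_PERSONAL is defined unconditionally in wiced_defaults.h, so turning it off means editing the SDK header rather than changing a build setting. Make the definition overridable from the project build, and extend the comment to say what the switch changes (the extra wiced_security_t value and its handling in join, link events and WPS), since "allow FBT within WPA2 Personal" does not tell the reader that WICED_SECURITY_WPA2_FBT_PSK stays handled either way.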

                      --

                      2.21.0 (Apple Git-122.2)

                       

                      We use a new #define WICED_ALLOW_FBT_ON_WPA2_PERSONAL to be able to turn this off for testing purposes.

                      • 8. Re: Joining fails to some APs which have Fast Roaming enabled
                        StBa_721356

                        IMHO it is not a good idea to check for specific combinations of the flags in wiced_security_t because one can easily miss a combination and then have a case where the auth_type is invalid. This is already the case for several combinations like FBT+TKIP without AES and such. So it would be better to check against individual flags instead.
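
The flag-based check suggested in reply 8, next to the exact-match style that rejects the four-flag combination from the first post. This is an added example, not part of the thread or of the WICED SDK; all `EX_`/`ex_` names and bit values are placeholders assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Placeholder bit values for illustration; not copied from wwd_constants.h. */
#define EX_TKIP_ENABLED       0x0002u
#define EX_AES_ENABLED        0x0004u
#define EX_WPA2_SECURITY      0x0100u
#define EX_ENTERPRISE_ENABLED 0x0200u
#define EX_FBT_ENABLED        0x0400u
#define EX_KNOWN_FLAGS (EX_TKIP_ENABLED | EX_AES_ENABLED | EX_WPA2_SECURITY | \
                        EX_ENTERPRISE_ENABLED | EX_FBT_ENABLED)
/* Placeholder wpa_auth bits standing in for WPA2_AUTH_PSK / WPA2_AUTH_FT. */
#define EX_AUTH_PSK 0x01u
#define EX_AUTH_FT  0x02u

/* Exact-match style: only the listed combinations are accepted. */
int ex_auth_by_exact_match(uint32_t sec, uint32_t *wpa_auth)
{
    switch (sec) {
    case EX_WPA2_SECURITY | EX_AES_ENABLED:
    case EX_WPA2_SECURITY | EX_TKIP_ENABLED:
    case EX_WPA2_SECURITY | EX_AES_ENABLED | EX_TKIP_ENABLED:
        *wpa_auth = EX_AUTH_PSK;
        return 0;
    case EX_WPA2_SECURITY | EX_AES_ENABLED | EX_FBT_ENABLED:
        *wpa_auth = EX_AUTH_PSK | EX_AUTH_FT;
        return 0;
    default:
        return -1; /* unlisted combination: join is refused */
    }
}

/* Flag-based style: decide from individual bits, reject what is not understood. */
int ex_auth_by_flags(uint32_t sec, uint32_t *wpa_auth)
{
    if (sec & ~EX_KNOWN_FLAGS)       return -1; /* unknown bit set */
    if (!(sec & EX_WPA2_SECURITY))   return -1; /* this sketch covers WPA2 only */
    if (sec & EX_ENTERPRISE_ENABLED) return -1; /* PSK path only */
    if (!(sec & (EX_AES_ENABLED | EX_TKIP_ENABLED))) return -1; /* no cipher */
    *wpa_auth = EX_AUTH_PSK | ((sec & EX_FBT_ENABLED) ? EX_AUTH_FT : 0u);
    return 0;
}

int main(void)
{
    /* The combination reported in the thread: WPA2 + TKIP + AES + FBT. */
    uint32_t reported = EX_WPA2_SECURITY | EX_TKIP_ENABLED | EX_AES_ENABLED | EX_FBT_ENABLED;
    uint32_t a = 0, b = 0;
    int r1 = ex_auth_by_exact_match(reported, &a);
    int r2 = ex_auth_by_flags(reported, &b);
    printf("exact=%d flags=%d auth=0x%x\n", r1, r2, (unsigned)b);
    return 0;
}
```

The flag-based version also accepts FBT with TKIP and no AES, the other gap mentioned in reply 8, while still refusing a value with no cipher or with a bit it does not know.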

                        • 9. Re: Joining fails to some APs which have Fast Roaming enabled
                          AxLi_1746341

                          The comment of WICED_SECURITY_WPA2_FBT_PSK says /**< WPA2 FBT PSK Security with AES & TKIP */,

                          however according to the code it actually is for WPA2 FBT PSK Security with AES only.

                          So not sure which part is correct.

                          • 10. Re: Joining fails to some APs which have Fast Roaming enabled
                            ZhengbaoZ_96

                            Hello:

                             

                              We have an internal ticket which is for the review of your patch, once finished, I will have a test and post it here, thanks.

                            • 11. Re: Joining fails to some APs which have Fast Roaming enabled
                              AxLi_1746341

                              ZhengbaoZ_96 wrote:

                               

                              Hello:

                               

                              We have a default setting which indicates FBT_ENABLED can be set with the security together:

                               

                              WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

                               

                              and AES, TKIP can be set together also, so I think the solution is ok.

                              Can you explain why I don't find WICED_SECURITY_WPA2_MIXED_FBT_PSK in wiced-6.6.0?

                              • 12. Re: Joining fails to some APs which have Fast Roaming enabled
                                AxLi_1746341

                                ZhengbaoZ_96 wrote:

                                 

                                Hello:

                                 

                                  We have an internal ticket which is for the review of your patch, once finished, I will have a test and post it here, thanks.

                                Hi ZhengbaoZ_96

                                 

                                It's difficult to understand the status of this issue since you don't update it.

                                StBa_721356's patch is not included in wiced-6.6.0.

                                Is there something wrong in StBa_721356's patch or is it fixed in a different way? Confused.

                                • 13. Re: Joining fails to some APs which have Fast Roaming enabled
                                  ZhengbaoZ_96

                                  Hello:

                                     I checked the internal review comments, the patch is ok.

                                  • 14. Re: Joining fails to some APs which have Fast Roaming enabled
                                    AxLi_1746341

                                    ZhengbaoZ_96 wrote:

                                     

                                    Hello:

                                       I checked the internal review comments, the patch is ok.

                                    Since this patch is not applied to sdk-6.6, the users will still hit the same problem in latest sdk.

                                    So why not apply the patch, since the patch is reviewed and considered ok?