Joining fails to some APs which have Fast Roaming enabled

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
StBa_721356
Level 5
Level 5
50 likes received 25 likes received 10 likes received

We have a device based on a CYW43907 with a firmware acting as a WiFi client using WICED SDK 6.4.0.

We see that joining to some Access Points just fails. After investigating this issue we found that the APs in question have Fast Roaming enabled. Due to this the auth_type of the AP has the following flags set:

WPA2_SECURITY

TKIP_ENABLED

AES_ENABLED

FBT_ENABLED

Unfortunately the Cypress SDK has several code places where the auth_type of the AP gets compared against pre-defined values of the enum wiced_security_t. In this enum there is no combination of these 4 flags. Thus some code places (like for example wwd_wifi_prepare_join() in wwd_wifi.c) fail because they get a combination of flags not being supported by wiced_security_t and therefore treat the auth_type as WPA_AUTH_DISABLED. So a join is not possible.

The problem is that this issue occurs with for example all TP-Link Deco APs which are quite popular on consumer level.

Our interim fix is to add the following value to the enum wiced_security_t:

    WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED )

and treat this value the same way as WICED_SECURITY_WPA2_MIXED_PSK.

This indeed fixes the issue but we are not sure if this is the right approach and if this might cause side-effects on other code places. We added WICED_SECURITY_WPA2_MIXED_FBT_PSK whereever WICED_SECURITY_WPA2_MIXED_PSK was present as well.

Any thoughts on this?

Stefan

15 Replies
Zhengbao_Zhang
Moderator
Moderator
Moderator
250 sign-ins First comment on KBA 10 questions asked

Hello:

We have a default setting which indicates FBT_ENABLED can be set with the security together:

WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

and AES, TKIP can be set together also , so I think the solution is ok .

Do you think if enterprise security needs similar fix as well for FBT_ENABLED case?

0 Likes

Well, yes, Enterprise has the same issue: there is no AES/TKIP/FBT combination for it.

So one should add the following to wiced_security_t:

    WICED_SECURITY_WPA2_MIXED_FBT_ENT = ( ENTERPRISE_ENABLED | WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ), /**< WPA2 Enterprise Security with AES & TKIP & FBT              */

and of course add WICED_SECURITY_WPA2_MIXED_FBT_ENT at the correct places in the various code files.

0 Likes

But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

Just adding a new entry to wiced_security_t is not enough.

It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

0 Likes

StBa_721356 wrote:

But one question remains: where should the new value of wiced_security_t be used? There are quite some code places which deal with auth_type and if you forget to add it to a relevant place then it might not work correctly.

Just adding a new entry to wiced_security_t is not enough.

It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.

ZhengbaoZ_96

Can you post a patch for the complete fix of the issue?

0 Likes

thanks, I will have a detailed look about the wiced_security_t  usage .

0 Likes

IMHO it is not a good idea to check for specific combinations of the flags in wiced_security_t because one can easily miss a combination and then have a case where the auth_type is invalid. This is already the case for several combinations like FBT+TKIP without AES and such. So it would be better to check against individual flags instead.

0 Likes

The comment of WICED_SECURITY_WPA2_FBT_PSK says /**< WPA2 FBT PSK Security with AES & TKIP */,

however according to the code it actually is for WPA2 FBT PSK Security with AES only.

So not sure which part is correct.

0 Likes

Here is our patch:

Date: Thu, 7 Nov 2019 11:35:53 +0100

Subject: [PATCH] add support for Fast Roaming in WPA2 Personal

---

WICED/WWD/include/wwd_constants.h          |  5 +++++

WICED/WWD/internal/wwd_wifi.c              | 11 ++++++++++-

WICED/internal/wifi.c                      |  3 +++

WICED/security/BESL/host/WICED/wiced_wps.c |  3 +++

include/wiced_defaults.h                   |  4 ++++

5 files changed, 25 insertions(+), 1 deletion(-)

diff --git WICED/WWD/include/wwd_constants.h WICED/WWD/include/wwd_constants.h

index a147288bd..9ef9a3a9c 100644

--- WICED/WWD/include/wwd_constants.h

+++ WICED/WWD/include/wwd_constants.h

@@ -45,6 +45,8 @@

#include <string.h>

#endif

+#include "wiced_defaults.h"

+

#ifdef __cplusplus

extern "C"

{

@@ -492,6 +494,9 @@ typedef enum

     WICED_SECURITY_WPA2_AES_PSK   = ( WPA2_SECURITY | AES_ENABLED ),                                     /**< WPA2 PSK Security with AES                            */

     WICED_SECURITY_WPA2_TKIP_PSK  = ( WPA2_SECURITY | TKIP_ENABLED ),                                    /**< WPA2 PSK Security with TKIP                           */

     WICED_SECURITY_WPA2_MIXED_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED ),                      /**< WPA2 PSK Security with AES & TKIP                     */

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+    WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ),    /**< WPA2 PSK Security with AES & TKIP & FBT                     */

+#endif

     WICED_SECURITY_WPA2_FBT_PSK   = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED),                        /**< WPA2 FBT PSK Security with AES & TKIP */

     WICED_SECURITY_WPA3_SAE       = ( WPA3_SECURITY | AES_ENABLED ),                                     /**< WPA3 Security with AES */

     WICED_SECURITY_WPA3_WPA2_PSK  = ( WPA3_SECURITY | WPA2_SECURITY | AES_ENABLED ),                     /**< WPA3 WPA2 PSK Security with AES */

diff --git WICED/WWD/internal/wwd_wifi.c WICED/WWD/internal/wwd_wifi.c

index 43423f18e..8a7e088f1 100644

--- WICED/WWD/internal/wwd_wifi.c

+++ WICED/WWD/internal/wwd_wifi.c

@@ -1213,7 +1213,10 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

              ( auth_type == WICED_SECURITY_WPA_AES_PSK ) ||

              ( auth_type == WICED_SECURITY_WPA2_AES_PSK ) ||

              ( auth_type == WICED_SECURITY_WPA2_TKIP_PSK ) ||

-             ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+             ( auth_type == WICED_SECURITY_WPA2_MIXED_FBT_PSK ) ||

+#endif

+     ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||

            ( (key_length > (uint8_t) WSEC_MAX_SAE_PASSWORD_LEN) &&

              ( ( auth_type == WICED_SECURITY_WPA3_SAE) ||

                ( auth_type == WICED_SECURITY_WPA3_WPA2_PSK ) ) ) )

@@ -1271,6 +1274,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

         case WICED_SECURITY_WPA2_AES_PSK:

         case WICED_SECURITY_WPA2_TKIP_PSK:

         case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

         case WICED_SECURITY_WPA2_FBT_PSK:

             /* Set the EAPOL key packet timeout value, otherwise unsuccessful supplicant events aren't reported. If the IOVAR is unsupported then continue. */

             CHECK_RETURN_UNSUPPORTED_CONTINUE( wwd_wifi_set_supplicant_eapol_key_timeout( interface, DEFAULT_EAPOL_KEY_PACKET_TIMEOUT ) );

@@ -1407,6 +1413,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu

         case WICED_SECURITY_WPA2_MIXED_PSK:

             *wpa_auth = (uint32_t) WPA2_AUTH_PSK;

             break;

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

         case WICED_SECURITY_WPA2_FBT_PSK:

             *wpa_auth = (uint32_t) (WPA2_AUTH_PSK | WPA2_AUTH_FT);

             break;

diff --git WICED/internal/wifi.c WICED/internal/wifi.c

index 3342c1484..745359dd1 100644

--- WICED/internal/wifi.c

+++ WICED/internal/wifi.c

@@ -1254,6 +1254,9 @@ static void* wiced_link_events_handler( const wwd_event_header_t* event_header,

                     case WICED_SECURITY_WPA2_AES_PSK:

                     case WICED_SECURITY_WPA2_TKIP_PSK:

                     case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+                    case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

                     case WICED_SECURITY_WPA_TKIP_ENT:

                     case WICED_SECURITY_WPA_AES_ENT:

                     case WICED_SECURITY_WPA_MIXED_ENT:

diff --git WICED/security/BESL/host/WICED/wiced_wps.c WICED/security/BESL/host/WICED/wiced_wps.c

index ecf2c5ccf..0e5b67ca1 100644

--- WICED/security/BESL/host/WICED/wiced_wps.c

+++ WICED/security/BESL/host/WICED/wiced_wps.c

@@ -1119,6 +1119,9 @@ void wps_host_retrieve_credential( void* workspace, wps_credential_t* credential

             credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

             break;

         case WICED_SECURITY_WPA2_MIXED_PSK:

+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL

+        case WICED_SECURITY_WPA2_MIXED_FBT_PSK:

+#endif

             credential->encryption_type     = WPS_MIXED_ENCRYPTION;

             credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;

             break;

diff --git include/wiced_defaults.h include/wiced_defaults.h

index 62c28c902..b9a1e44cf 100644

--- include/wiced_defaults.h

+++ include/wiced_defaults.h

@@ -44,6 +44,10 @@ extern "C"

  *  a lot of memory (including dynamic memory)

  */

+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

+#define WICED_ALLOW_FBT_ON_WPA2_PERSONAL /* allow FBT within WPA2 Personal */

+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */

+

/* Select which group of functions are allowed to print */

/* WPRINT_ENABLE_<MODULE>_ERROR - Enable print messages in the respective <MODULE> that are present

  * as WPRINT_<MODULE>_ERROR.

--

2.21.0 (Apple Git-122.2)

We use a new #define WICED_ALLOW_FBT_ON_WPA2_PERSONAL to be able to turn this off for testing purpose.

0 Likes

Hello:

  We have an internal ticket which is for the review of your patch,  once finished , I will have a test and post it here, thanks.

0 Likes

ZhengbaoZ_96 wrote:

Hello:

  We have an internal ticket which is for the review of your patch,  once finished , I will have a test and post it here, thanks.

Hi ZhengbaoZ_96

It's difficult to understand the status of this issue since you don't update it.

StBa_721356​'s patch is not included in wiced-6.6.0.

Is there something wrong in StBa_721356​'s patch or is it fixed it in different way? confused.

0 Likes

Hello:

   I checked the internal review comments, the patch is ok.

0 Likes

ZhengbaoZ_96 wrote:

Hello:

   I checked the internal review comments, the patch is ok.

Since this patch is not applied to sdk-6.6, the users will still hit the same problem in latest sdk.

So why not apply the patch since the patch is reviewed and consider it is ok.

0 Likes

ZhengbaoZ_96 wrote:

Hello:

We have a default setting which indicates FBT_ENABLED can be set with the security together:

WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )

and AES, TKIP can be set together also , so I think the solution is ok .

Can you explain why I don't find WICED_SECURITY_WPA2_MIXED_FBT_PSK in wiced-6.6.0?

0 Likes
AxLi_1746341
Level 7
Level 7
10 comments on KBA 5 comments on KBA First comment on KBA

This is not fixed in 6.6.1. Why?

0 Likes