We have a device based on a CYW43907 with a firmware acting as a WiFi client using WICED SDK 6.4.0.
We see that joining some Access Points just fails. After investigating this issue, we found that the APs in question have Fast Roaming enabled. Due to this, the auth_type of the AP has the following flags set:
WPA2_SECURITY
TKIP_ENABLED
AES_ENABLED
FBT_ENABLED
Unfortunately, the Cypress SDK has several code places where the auth_type of the AP gets compared against pre-defined values of the enum wiced_security_t. In this enum there is no combination of these 4 flags. Thus some code places (for example wwd_wifi_prepare_join() in wwd_wifi.c) fail because they get a combination of flags not supported by wiced_security_t and therefore treat the auth_type as WPA_AUTH_DISABLED. So a join is not possible.
The problem is that this issue occurs with, for example, all TP-Link Deco APs, which are quite popular at the consumer level.
Our interim fix is to add the following value to the enum wiced_security_t:
WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED )
and treat this value the same way as WICED_SECURITY_WPA2_MIXED_PSK.
This indeed fixes the issue, but we are not sure if this is the right approach and if this might cause side-effects in other code places. We added WICED_SECURITY_WPA2_MIXED_FBT_PSK wherever WICED_SECURITY_WPA2_MIXED_PSK was present as well.
Any thoughts on this?
Stefan
Hello:
We have a default setting which indicates FBT_ENABLED can be set with the security together:
WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )
and AES and TKIP can be set together also, so I think the solution is ok.
Do you think enterprise security needs a similar fix as well for the FBT_ENABLED case?
Well, yes, Enterprise has the same issue: there is no AES/TKIP/FBT combination for it.
So one should add the following to wiced_security_t:
WICED_SECURITY_WPA2_MIXED_FBT_ENT = ( ENTERPRISE_ENABLED | WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ), /**< WPA2 Enterprise Security with AES & TKIP & FBT */
and of course add WICED_SECURITY_WPA2_MIXED_FBT_ENT at the correct places in the various code files.
But one question remains: where should the new value of wiced_security_t be used? There are quite a few code places which deal with auth_type, and if you forget to add it to a relevant place then it might not work correctly.
Just adding a new entry to wiced_security_t is not enough.
It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.
StBa_721356 wrote:
But one question remains: where should the new value of wiced_security_t be used? There are quite a few code places which deal with auth_type, and if you forget to add it to a relevant place then it might not work correctly.
Just adding a new entry to wiced_security_t is not enough.
It would be good if someone at Cypress would do an 'official' fix for the FBT issue so that the SDK works correctly without hand-made modifications by users of it.
Can you post a patch for the complete fix of the issue?
Thanks, I will have a detailed look at the wiced_security_t usage.
IMHO it is not a good idea to check for specific combinations of the flags in wiced_security_t because one can easily miss a combination and then have a case where the auth_type is invalid. This is already the case for several combinations like FBT+TKIP without AES and such. So it would be better to check against individual flags instead.
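The two styles discussed in this thread, the opening post's comparison of auth_type against whole wiced_security_t enumerators and the flag-by-flag check proposed just above, side by side in an added C example. This is not code from the WICED SDK or from any poster: only the names are taken from the thread, and every numeric value (the flag bits and the wpa_auth values) is an assumption chosen for illustration.

```c
/* Added example: exact-match vs flag-based interpretation of an AP's auth_type.
 * Not WICED SDK code. Names follow the thread; all numeric values are assumed. */
#include <stdint.h>
#include <stdio.h>

/* Bits that make up a wiced_security_t value (values assumed). */
#define WPA2_SECURITY       0x00400000u
#define ENTERPRISE_ENABLED  0x02000000u
#define FBT_ENABLED         0x08000000u
#define TKIP_ENABLED        0x00000002u
#define AES_ENABLED         0x00000004u

/* Values programmed into the firmware's wpa_auth setting (values assumed). */
#define WPA_AUTH_DISABLED       0x0000u
#define WPA2_AUTH_UNSPECIFIED   0x0040u   /* 802.1X (enterprise) */
#define WPA2_AUTH_PSK           0x0080u
#define WPA2_AUTH_FT            0x4000u   /* fast BSS transition */

/* The subset of wiced_security_t enumerators this example needs. */
typedef enum {
    WICED_SECURITY_WPA2_AES_PSK   = WPA2_SECURITY | AES_ENABLED,
    WICED_SECURITY_WPA2_TKIP_PSK  = WPA2_SECURITY | TKIP_ENABLED,
    WICED_SECURITY_WPA2_MIXED_PSK = WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED,
    WICED_SECURITY_WPA2_FBT_PSK   = WPA2_SECURITY | AES_ENABLED | FBT_ENABLED
} wiced_security_t;

/* Style 1: compare the scanned auth_type against whole enumerators.
 * A flag set the enum does not spell out, such as WPA2|AES|TKIP|FBT from a
 * fast-roaming AP, lands in default and is reported as WPA_AUTH_DISABLED:
 * the join is refused even though every individual flag is understood. */
uint32_t exact_match_wpa_auth(uint32_t auth_type)
{
    switch (auth_type) {
        case WICED_SECURITY_WPA2_AES_PSK:
        case WICED_SECURITY_WPA2_TKIP_PSK:
        case WICED_SECURITY_WPA2_MIXED_PSK:
            return WPA2_AUTH_PSK;
        case WICED_SECURITY_WPA2_FBT_PSK:
            return WPA2_AUTH_PSK | WPA2_AUTH_FT;
        default:
            return WPA_AUTH_DISABLED;
    }
}

/* Style 2: derive each firmware setting from the individual bits. */

/* Pairwise cipher bits (wsec) are simply the cipher flags present. */
uint32_t flag_based_wsec(uint32_t auth_type)
{
    return auth_type & (TKIP_ENABLED | AES_ENABLED);
}

/* Key management (wpa_auth) from the WPA2 / enterprise / FBT bits.
 * Returns WPA_AUTH_DISABLED when the combination cannot be handled. */
uint32_t flag_based_wpa_auth(uint32_t auth_type)
{
    const uint32_t known = WPA2_SECURITY | ENTERPRISE_ENABLED | FBT_ENABLED
                         | TKIP_ENABLED | AES_ENABLED;
    uint32_t wpa_auth;

    /* A bit this code has no rule for is rejected, never silently ignored. */
    if (auth_type & ~known)
        return WPA_AUTH_DISABLED;
    /* WPA2 must be present together with at least one pairwise cipher. */
    if (!(auth_type & WPA2_SECURITY) || flag_based_wsec(auth_type) == 0)
        return WPA_AUTH_DISABLED;

    wpa_auth = (auth_type & ENTERPRISE_ENABLED) ? WPA2_AUTH_UNSPECIFIED
                                                : WPA2_AUTH_PSK;
    if (auth_type & FBT_ENABLED)
        wpa_auth |= WPA2_AUTH_FT;
    return wpa_auth;
}

int main(void)
{
    /* Constructed auth_type matching the flags the opening post lists for a
     * fast-roaming AP: WPA2_SECURITY, TKIP_ENABLED, AES_ENABLED, FBT_ENABLED. */
    const uint32_t ap = WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED;

    printf("exact match: wpa_auth=0x%04x (0 means join refused)\n",
           (unsigned) exact_match_wpa_auth(ap));
    printf("flag based : wpa_auth=0x%04x wsec=0x%04x\n",
           (unsigned) flag_based_wpa_auth(ap), (unsigned) flag_based_wsec(ap));
    return 0;
}
```

The flag-based version handles the AES+TKIP+FBT personal case, the enterprise variant asked about later in the thread, and the FBT+TKIP-without-AES combination mentioned above without any new enumerator; the explicit "unknown bit" check is what keeps it from being more permissive than the exact-match code, since a flag nobody has written a rule for is still refused.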
The comment of WICED_SECURITY_WPA2_FBT_PSK says /**< WPA2 FBT PSK Security with AES & TKIP */,
however according to the code it actually is for WPA2 FBT PSK Security with AES only.
So not sure which part is correct.
Here is our patch:
Date: Thu, 7 Nov 2019 11:35:53 +0100
Subject: [PATCH] add support for Fast Roaming in WPA2 Personal
---
WICED/WWD/include/wwd_constants.h | 5 +++++
WICED/WWD/internal/wwd_wifi.c | 11 ++++++++++-
WICED/internal/wifi.c | 3 +++
WICED/security/BESL/host/WICED/wiced_wps.c | 3 +++
include/wiced_defaults.h | 4 ++++
5 files changed, 25 insertions(+), 1 deletion(-)
diff --git WICED/WWD/include/wwd_constants.h WICED/WWD/include/wwd_constants.h
index a147288bd..9ef9a3a9c 100644
--- WICED/WWD/include/wwd_constants.h
+++ WICED/WWD/include/wwd_constants.h
@@ -45,6 +45,8 @@
#include <string.h>
#endif
+#include "wiced_defaults.h"
+
#ifdef __cplusplus
extern "C"
{
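Review bot: the `+#include "wiced_defaults.h"` added to wwd_constants.h makes the lowest WWD header depend on the application-level include/wiced_defaults.h and its include path, so every consumer of wwd_constants.h now pulls in the defaults header. Supplying WICED_ALLOW_FBT_ON_WPA2_PERSONAL from the build system (a compiler define) instead would give the same on/off control without the new header dependency.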
@@ -492,6 +494,9 @@ typedef enum
WICED_SECURITY_WPA2_AES_PSK = ( WPA2_SECURITY | AES_ENABLED ), /**< WPA2 PSK Security with AES */
WICED_SECURITY_WPA2_TKIP_PSK = ( WPA2_SECURITY | TKIP_ENABLED ), /**< WPA2 PSK Security with TKIP */
WICED_SECURITY_WPA2_MIXED_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED ), /**< WPA2 PSK Security with AES & TKIP */
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | TKIP_ENABLED | FBT_ENABLED ), /**< WPA2 PSK Security with AES & TKIP & FBT */
+#endif
WICED_SECURITY_WPA2_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED), /**< WPA2 FBT PSK Security with AES & TKIP */
WICED_SECURITY_WPA3_SAE = ( WPA3_SECURITY | AES_ENABLED ), /**< WPA3 Security with AES */
WICED_SECURITY_WPA3_WPA2_PSK = ( WPA3_SECURITY | WPA2_SECURITY | AES_ENABLED ), /**< WPA3 WPA2 PSK Security with AES */
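Review bot: wrapping the new enumerator in `#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL` makes the member set of wiced_security_t depend on a configuration macro; an enumerator costs nothing, so define `WICED_SECURITY_WPA2_MIXED_FBT_PSK` unconditionally and gate only the switch cases if the feature must remain switchable. Also, the unchanged context line `WICED_SECURITY_WPA2_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED), /**< WPA2 FBT PSK Security with AES & TKIP */` still carries a comment that mentions TKIP while the value has no TKIP_ENABLED, the mismatch raised earlier in this thread; the same patch is the natural place to correct it.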
diff --git WICED/WWD/internal/wwd_wifi.c WICED/WWD/internal/wwd_wifi.c
index 43423f18e..8a7e088f1 100644
--- WICED/WWD/internal/wwd_wifi.c
+++ WICED/WWD/internal/wwd_wifi.c
@@ -1213,7 +1213,10 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu
( auth_type == WICED_SECURITY_WPA_AES_PSK ) ||
( auth_type == WICED_SECURITY_WPA2_AES_PSK ) ||
( auth_type == WICED_SECURITY_WPA2_TKIP_PSK ) ||
- ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ ( auth_type == WICED_SECURITY_WPA2_MIXED_FBT_PSK ) ||
+#endif
+ ( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||
( (key_length > (uint8_t) WSEC_MAX_SAE_PASSWORD_LEN) &&
( ( auth_type == WICED_SECURITY_WPA3_SAE) ||
( auth_type == WICED_SECURITY_WPA3_WPA2_PSK ) ) ) )
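Review bot: the `-`/`+` pair on `( auth_type == WICED_SECURITY_WPA2_MIXED_PSK ) ) ) ||` removes and re-adds an identical line, which is churn that makes the hunk harder to review; inserting the `#ifdef` block before the unchanged line yields the same expression with a purely additive hunk. The placement itself is right: the new value joins the other WPA2 PSK variants under the same key-length condition.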
@@ -1271,6 +1274,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu
case WICED_SECURITY_WPA2_AES_PSK:
case WICED_SECURITY_WPA2_TKIP_PSK:
case WICED_SECURITY_WPA2_MIXED_PSK:
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ case WICED_SECURITY_WPA2_MIXED_FBT_PSK:
+#endif
case WICED_SECURITY_WPA2_FBT_PSK:
/* Set the EAPOL key packet timeout value, otherwise unsuccessful supplicant events aren't reported. If the IOVAR is unsupported then continue. */
CHECK_RETURN_UNSUPPORTED_CONTINUE( wwd_wifi_set_supplicant_eapol_key_timeout( interface, DEFAULT_EAPOL_KEY_PACKET_TIMEOUT ) );
@@ -1407,6 +1413,9 @@ static wwd_result_t wwd_wifi_prepare_join( wwd_interface_t interface, wiced_secu
case WICED_SECURITY_WPA2_MIXED_PSK:
*wpa_auth = (uint32_t) WPA2_AUTH_PSK;
break;
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ case WICED_SECURITY_WPA2_MIXED_FBT_PSK:
+#endif
case WICED_SECURITY_WPA2_FBT_PSK:
*wpa_auth = (uint32_t) (WPA2_AUTH_PSK | WPA2_AUTH_FT);
break;
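Review bot: this hunk maps the new value to `WPA2_AUTH_PSK | WPA2_AUTH_FT`, the same key management the existing `WICED_SECURITY_WPA2_FBT_PSK` case uses, which is correct. The patch does not touch the remaining auth_type-dependent paths in wwd_wifi_prepare_join (cipher/wsec selection in particular), so confirm that each of them also accepts `WICED_SECURITY_WPA2_MIXED_FBT_PSK`; a path left on exact enumerator comparison would still fall into its default case, which is exactly the gap the thread warns about.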
diff --git WICED/internal/wifi.c WICED/internal/wifi.c
index 3342c1484..745359dd1 100644
--- WICED/internal/wifi.c
+++ WICED/internal/wifi.c
@@ -1254,6 +1254,9 @@ static void* wiced_link_events_handler( const wwd_event_header_t* event_header,
case WICED_SECURITY_WPA2_AES_PSK:
case WICED_SECURITY_WPA2_TKIP_PSK:
case WICED_SECURITY_WPA2_MIXED_PSK:
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ case WICED_SECURITY_WPA2_MIXED_FBT_PSK:
+#endif
case WICED_SECURITY_WPA_TKIP_ENT:
case WICED_SECURITY_WPA_AES_ENT:
case WICED_SECURITY_WPA_MIXED_ENT:
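Review bot: the case list in wiced_link_events_handler as shown goes from `case WICED_SECURITY_WPA2_MIXED_PSK:` straight to the enterprise values, and `WICED_SECURITY_WPA2_FBT_PSK` is not visible in the context; if it is really absent from this list, the existing non-mixed FBT value has the same handler gap the new case is being added to close, so check that both FBT values are listed here.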
diff --git WICED/security/BESL/host/WICED/wiced_wps.c WICED/security/BESL/host/WICED/wiced_wps.c
index ecf2c5ccf..0e5b67ca1 100644
--- WICED/security/BESL/host/WICED/wiced_wps.c
+++ WICED/security/BESL/host/WICED/wiced_wps.c
@@ -1119,6 +1119,9 @@ void wps_host_retrieve_credential( void* workspace, wps_credential_t* credential
credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;
break;
case WICED_SECURITY_WPA2_MIXED_PSK:
+#ifdef WICED_ALLOW_FBT_ON_WPA2_PERSONAL
+ case WICED_SECURITY_WPA2_MIXED_FBT_PSK:
+#endif
credential->encryption_type = WPS_MIXED_ENCRYPTION;
credential->authentication_type = WPS_WPA2_PSK_AUTHENTICATION;
break;
diff --git include/wiced_defaults.h include/wiced_defaults.h
index 62c28c902..b9a1e44cf 100644
--- include/wiced_defaults.h
+++ include/wiced_defaults.h
@@ -44,6 +44,10 @@ extern "C"
* a lot of memory (including dynamic memory)
*/
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
+#define WICED_ALLOW_FBT_ON_WPA2_PERSONAL /* allow FBT within WPA2 Personal */
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
+
/* Select which group of functions are allowed to print */
/* WPRINT_ENABLE_<MODULE>_ERROR - Enable print messages in the respective <MODULE> that are present
* as WPRINT_<MODULE>_ERROR.
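Review bot: `#define WICED_ALLOW_FBT_ON_WPA2_PERSONAL` is defined unconditionally, so turning the feature off, which the accompanying text says is the purpose of the macro, requires editing the header. Guarding the definition with `#ifndef` so a build-system define can override it, or moving the decision to the makefile entirely, would make the switch usable without local edits.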
--
2.21.0 (Apple Git-122.2)
We use a new #define WICED_ALLOW_FBT_ON_WPA2_PERSONAL to be able to turn this off for testing purposes.
Hello:
We have an internal ticket for the review of your patch; once finished, I will do a test and post it here, thanks.
ZhengbaoZ_96 wrote:
Hello:
We have an internal ticket for the review of your patch; once finished, I will do a test and post it here, thanks.
Hi ZhengbaoZ_96
It's difficult to understand the status of this issue since you don't update it.
StBa_721356's patch is not included in wiced-6.6.0.
Is there something wrong with StBa_721356's patch, or is it fixed in a different way? Confused.
Hello:
I checked the internal review comments, the patch is ok.
ZhengbaoZ_96 wrote:
Hello:
I checked the internal review comments, the patch is ok.
Since this patch is not applied to sdk-6.6, users will still hit the same problem in the latest sdk.
So why not apply the patch, since it is reviewed and considered ok?
ZhengbaoZ_96 wrote:
Hello:
We have a default setting which indicates FBT_ENABLED can be set with the security together:
WICED_SECURITY_WPA2_MIXED_FBT_PSK = ( WPA2_SECURITY | AES_ENABLED | FBT_ENABLED )
and AES and TKIP can be set together also, so I think the solution is ok.
Can you explain why I don't find WICED_SECURITY_WPA2_MIXED_FBT_PSK in wiced-6.6.0?
This is not fixed in 6.6.1. Why?