Bug 1595319

Summary: wpa_supplicant throws "Failed to configure IGTK" error
Product: [Fedora] Fedora Reporter: Tom Brikowski <brikowi>
Component: wpa_supplicantAssignee: Davide Caratti <dcaratti>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 27CC: bgalvani, blueowl, brikowi, dcaratti, dcbw, izzy, john.j5live, juhani.jaakola, lkundrak, rbu
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-04 07:31:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output from command 'journalctl --since=today | egrep "NetworkManager|IGTK|WPA|kernel|wpa" '
none
wpa_supplicant packets, failed connection, captured by WireShark
none
Output of iw while wireless connection failing
none
iw phy0 info none

Description Tom Brikowski 2018-06-26 15:31:30 UTC 
Created attachment 1454696 [details]
output from command 'journalctl --since=today | egrep "NetworkManager|IGTK|WPA|kernel|wpa" '

Description of problem:

After NetworkManager upgrade to deal with DHCP vulnerability (see https://fedoramagazine.org/protect-fedora-system-dhcp-flaw/) NetworkManager fails to connect to some wireless routers, ultimately triggering wpa_supplicant "Failed to configure IGTK" messages.


Version-Release number of selected component (if applicable):
NetworkManager 1.10.10-1
wpa_supplicant 2.6-15


How reproducible:  Always on particular routers.  Same computer connects fine to those routers when booted to Win10, and to workplace routers (i.e. software error, unrelated to computer hardware).


Steps to Reproduce:
1. enable wifi connection to offending routers (e.g. technicolor-tc8717t)
2.
3.

Actual results:
Brief connection to router, no internet access, then fail

Expected results:
Full connection


Additional info:
See attached logs.  Appears related to bug 1586211 (https://bugzilla.redhat.com/show_bug.cgi?id=1586211), diagnosis greatly aided by IGTK discussion at https://kwagjj.wordpress.com/2017/08/08/failed-to-configure-igtk-error-fixes-in-aosp/.  As in that case, wpa_supplicant appears to be unable to handle RSN capability signal.  So far I've been unable to disable RSN/PMF in FC27 or 28.  That is probably the easiest potential solution to this problem though.

Attachments: 
1. output from command 'journalctl --since=today | egrep "NetworkManager|IGTK|WPA|kernel|wpa" ' (the offending router is SpectrumRouta*, successful router is Comet
2. WireShark capture of failed wpa_supplicant connect (to Technicolor router)
3. WireShark capture of successful wpa_supplicant connect (to router not broadcasting RSN capability)
Comment 1 Tom Brikowski 2018-06-26 15:33:14 UTC 
Created attachment 1454700 [details]
wpa_supplicant packets, failed connection, captured by WireShark
Comment 2 Davide Caratti 2018-06-26 15:53:14 UTC 
(In reply to Tom Brikowski from comment #0)
> Created attachment 1454696 [details]
> output from command 'journalctl --since=today | egrep
> "NetworkManager|IGTK|WPA|kernel|wpa" '
> 
> Description of problem:
> 
> After NetworkManager upgrade to deal with DHCP vulnerability (see
> https://fedoramagazine.org/protect-fedora-system-dhcp-flaw/) NetworkManager
> fails to connect to some wireless routers, ultimately triggering
> wpa_supplicant "Failed to configure IGTK" messages.
>
please provide the output of

# iw phy0 info 

?



BTW, it's possible to disable PMF with nmcli. For details, see bz1582407 (this bugzilla looks like a duplicate of bz1582407, but I would like to understand, like Beniamino, if you have swcrypto turned on on your card).

thank you in advance!
--
davide
Comment 3 Tom Brikowski 2018-06-27 01:50:31 UTC 
Created attachment 1454884 [details]
Output of iw while wireless connection failing

Disable PMF using nmcli worked fine (after rather long delay).  The offending router is standard issue for VOIP from Time-Warner (now Specturm), so there may be many others with similar problem.  Maybe raise awareness in the documentation of nmcli solution ?
Comment 4 Robert Buchholz 2018-06-29 15:30:31 UTC 
Seeing the same issue with an AVM FritzBox router and Centrino Advanced-N 6205 WiFi. The workaround of disabling PMF on the connection helps,
Comment 5 Davide Caratti 2018-06-29 15:41:09 UTC 
(In reply to Robert Buchholz from comment #4)
> Seeing the same issue with an AVM FritzBox router and Centrino Advanced-N
> 6205 WiFi. The workaround of disabling PMF on the connection helps,

can you please provide the output of 
# iw phy0 info? 

thanks!
--
davide
Comment 6 Juhani Jaakola 2018-07-03 19:12:01 UTC 
Created attachment 1456320 [details]
iw phy0 info
Comment 7 Juhani Jaakola 2018-07-03 19:13:30 UTC 
I share my mobile connection via a Fedora 28 box. I can connect to that wi-fi with several other devices, but not any more with my Samsung RV720, which has BCM4313 network card. Even that machine could connect with the Fedora 28 LXDE Live CD, but after I installed it to hard disk and updated it, it can't connect any more. wpa_supplicant gives errors:

WPA: Failed to configure IGTK to the driver
RSN: Failed to configure IGTK

But when I disable PMF the connection works!

My versions:
kernel-4.17.3-200.fc28.x86_64
wpa_supplicant-2.6-16.fc28.x86_64

# lspci -vnn -d 14e4:
02:00.0 Network controller [0280]: Broadcom Limited BCM4313 802.11bgn Wireless Network Adapter [14e4:4727] (rev 01)
	Subsystem: Wistron NeWeb Corp. Device [185f:051a]
	Flags: bus master, fast devsel, latency 0, IRQ 16
	Memory at f3200000 (64-bit, non-prefetchable) [size=16K]
	Capabilities: [40] Power Management version 3
	Capabilities: [58] Vendor Specific Information: Len=78 <?>
	Capabilities: [48] MSI: Enable- Count=1/1 Maskable- 64bit+
	Capabilities: [d0] Express Endpoint, MSI 00
	Capabilities: [100] Advanced Error Reporting
	Capabilities: [13c] Virtual Channel
	Capabilities: [160] Device Serial Number 00-00-de-ff-ff-77-90-a4
	Capabilities: [16c] Power Budgeting <?>
	Kernel driver in use: bcma-pci-bridge
	Kernel modules: bcma
Comment 8 Davide Caratti 2018-07-04 07:31:15 UTC 
(In reply to Juhani Jaakola from comment #7)
> I share my mobile connection via a Fedora 28 box. I can connect to that
> wi-fi with several other devices, but not any more with my Samsung RV720,
> which has BCM4313 network card. Even that machine could connect with the
> Fedora 28 LXDE Live CD, but after I installed it to hard disk and updated
> it, it can't connect any more. wpa_supplicant gives errors:
> 
> WPA: Failed to configure IGTK to the driver
> RSN: Failed to configure IGTK
> 
> But when I disable PMF the connection works!
> 
> My versions:
> kernel-4.17.3-200.fc28.x86_64
> wpa_supplicant-2.6-16.fc28.x86_64
> 
> # lspci -vnn -d 14e4:
> 02:00.0 Network controller [0280]: Broadcom Limited BCM4313 802.11bgn
> Wireless Network Adapter [14e4:4727] (rev 01)
> 	Subsystem: Wistron NeWeb Corp. Device [185f:051a]
> 	Flags: bus master, fast devsel, latency 0, IRQ 16
> 	Memory at f3200000 (64-bit, non-prefetchable) [size=16K]
> 	Capabilities: [40] Power Management version 3
> 	Capabilities: [58] Vendor Specific Information: Len=78 <?>
> 	Capabilities: [48] MSI: Enable- Count=1/1 Maskable- 64bit+
> 	Capabilities: [d0] Express Endpoint, MSI 00
> 	Capabilities: [100] Advanced Error Reporting
> 	Capabilities: [13c] Virtual Channel
> 	Capabilities: [160] Device Serial Number 00-00-de-ff-ff-77-90-a4
> 	Capabilities: [16c] Power Budgeting <?>
> 	Kernel driver in use: bcma-pci-bridge
> 	Kernel modules: bcma

hi Juhani,

thanks for following up!

According to the output of 'iw phy0 info' on your laptop, your wireless NIC does not seem to support PMF:

Supported Ciphers:
		* WEP40 (00-0f-ac:1)
		* WEP104 (00-0f-ac:5)
		* TKIP (00-0f-ac:2)
		* CCMP-128 (00-0f-ac:4)
		* CCMP-256 (00-0f-ac:10)
		* GCMP-128 (00-0f-ac:8)
		* GCMP-256 (00-0f-ac:9)


as 'AES_CMAC' and 'BIP_GMAC' suites are missing: so, disabling PMF here is the correct thing to do. I know (from bz1582407) that NetworkManager is going to introduce a check on the suppported ciphers before enabling PMF.

-- 
davide

*** This bug has been marked as a duplicate of bug 1582407 ***
Comment 9 Davide Caratti 2018-07-04 07:43:04 UTC 
yet this does not explain the attachment in comment #3, where at least AES_CMAC is supported and the still the driver refuses to install the key:

nl80211: set_key failed; err=-22 Invalid argument

Unfortunately, -EINVAL should be disambiguated in cfg80211 to understand where it fails. I will try to do a test kernel for that.
Comment 10 Davide Caratti 2018-08-28 13:13:14 UTC 
*** Bug 1586211 has been marked as a duplicate of this bug. ***