Bug 2032539

Summary: [NMCI] wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and simwifi_ap_in_bridge_wpa_psk_method_manual
Product: Red Hat Enterprise Linux 9 Reporter: David Jaša <djasa>
Component: wpa_supplicantAssignee: Davide Caratti <dcaratti>
Status: CLOSED ERRATA QA Contact: Ken Benoit <kbenoit>
Severity: low Docs Contact:
Priority: unspecified    
Version: 9.0CC: kbenoit, sukulkar, vbenes
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: wpa_supplicant-2.10-2.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2062785 (view as bug list) Environment:
Last Closed: 2022-05-17 15:59:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2062785    

Description David Jaša 2021-12-14 16:53:43 UTC 
Description of problem:
wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and simwifi_ap_in_bridge_wpa_psk_method_manual

Version-Release number of selected component (if applicable):
wpa_supplicant-2.9-17.20211112.gitc8b94bc7b347.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. run wifi_hwsim feature of NMCI on RHEL 9.0 or said tests directly
2.
3.

Actual results:
FAIL_report_NetworkManager-ci_Test0038_simwifi_ap_wpa_psk_method_shared.html
FAIL_report_NetworkManager-ci_Test0039_simwifi_ap_in_bridge_wpa_psk_method_manual.html

Expected results:
all tests pass

Additional info:
Previous version of wpa_supplicant runs just fine (wpa_supplicant-2.9-17.el9.x86_64.rpm).
Comment 1 David Jaša 2021-12-14 16:58:20 UTC 
Addendum: both scenarios fail with ‘Secrets were required, but not provided’ error:

Then Bring " up " connection " wifi-client " (3.276s)              features/steps/connection.py:61
Error Message

Assertion Failed: Got an Error while uping connection wifi-client
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=36e4ac0b-a072-468e-8199-e66404700f83 + NM_DEVICE=wlan0' to get more details.


Commands

--------------------------------------------------
'pexpect:</usr/bin/nmcli connection up id wifi-client>' returned 1024
STDOUT:
Passwords or encryption keys are required to access the wireless network 'AP_test'.
Warning: password for '802-11-wireless-security.psk' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=36e4ac0b-a072-468e-8199-e66404700f83 + NM_DEVICE=wlan0' to get more details.
Comment 2 David Jaša 2021-12-15 10:20:12 UTC 
As per yesterday conversation with Davide Caratti, the likely cause is that wpa_supplicant when connecting to WPA network that supports both TKIP (WEP) and CCMP (AES) chooses TKIP even though it's built without WEP support. If it is indeed this case, then the fix would be that CCMP-only supplicant chooses CCMP and only errors out when connecting to TKIP-only AP.
Comment 3 Davide Caratti 2022-01-31 08:26:30 UTC 
(In reply to David Jaša from comment #2)
> As per yesterday conversation with Davide Caratti, the likely cause is that
> wpa_supplicant when connecting to WPA network that supports both TKIP (WEP)
> and CCMP (AES) chooses TKIP even though it's built without WEP support. If
> it is indeed this case, then the fix would be that CCMP-only supplicant
> chooses CCMP and only errors out when connecting to TKIP-only AP.

hi, is this problem still present with version 2.10 ?
Comment 4 Vladimir Benes 2022-01-31 15:08:30 UTC 
(In reply to Davide Caratti from comment #3)
> (In reply to David Jaša from comment #2)
> > As per yesterday conversation with Davide Caratti, the likely cause is that
> > wpa_supplicant when connecting to WPA network that supports both TKIP (WEP)
> > and CCMP (AES) chooses TKIP even though it's built without WEP support. If
> > it is indeed this case, then the fix would be that CCMP-only supplicant
> > chooses CCMP and only errors out when connecting to TKIP-only AP.
> 
> hi, is this problem still present with version 2.10 ?

yes, it is.
Comment 5 Davide Caratti 2022-02-02 17:13:44 UTC 
the problem is caused by the implicit enablement of BSS Fast-Transition (IEEE802.11r), that happened with the update to version 2.10.

Looking at the logs, we observed that the AP and STA PMK match; however, the derived PTK (and the KCK, obtained from the PTK with a truncation) don't match. As a consequence, the AP detects a wrong MIC in EAPOL 2/4 and then refuses to proceed to the 4-way handshake. It seems that the supplicant tries to connect using FT-PSK-SHA256, while the AP assumes that key management is WPA-PSK-SHA256.

Rebuilding wpa_supplicant with CONFIG_IEEE80211R=y commented in wpa_supplicant/defconfig proved to fix the reported issue.
Comment 6 Davide Caratti 2022-02-04 13:46:43 UTC 
marking as 'Regression' as per comment #0. CONFIG_IEEE80211R got implicitly enabled with the snapshot build and the subsequent update to 2.10.
Comment 7 Ken Benoit 2022-02-09 15:40:10 UTC 
My wireless regression testing against wpa_supplicant-2.10-2.el9 passed without issue. David, can you rerun the NMCI testing against the updated wpa_supplicant to make sure it fixes the issue? Thanks.
Comment 8 Vladimir Benes 2022-02-10 08:28:40 UTC 
(In reply to Ken Benoit from comment #7)
> My wireless regression testing against wpa_supplicant-2.10-2.el9 passed
> without issue. David, can you rerun the NMCI testing against the updated
> wpa_supplicant to make sure it fixes the issue? Thanks.

with updated packages tests are running happily again!
+ logger -t ./test_run.sh 'Test simwifi_ap_wpa_psk_method_shared finished with result PASS: 0'
+ logger -t ./test_run.sh 'Test simwifi_ap_in_bridge_wpa_psk_method_manual finished with result PASS: 0'
Comment 9 Ken Benoit 2022-02-10 11:43:29 UTC 
Given the testing from comment 8 and my regression testing, marking this as Verified:Tested.
Comment 12 Ken Benoit 2022-02-17 15:53:33 UTC 
Ran wireless regression testing against RHEL-9.0.0-20220216.0 (wpa_supplicant-2.10-2.el9) against recent wireless cards (AX201, AX211, QCA6390). Testing passed without issue. Vladimir, have you had successful testing against RHEL-9.0.0-20220216.0 or later? If so, I'll get this marked as verified.
Comment 13 Vladimir Benes 2022-02-22 07:51:58 UTC 
(In reply to Ken Benoit from comment #12)
> Ran wireless regression testing against RHEL-9.0.0-20220216.0
> (wpa_supplicant-2.10-2.el9) against recent wireless cards (AX201, AX211,
> QCA6390). Testing passed without issue. Vladimir, have you had successful
> testing against RHEL-9.0.0-20220216.0 or later? If so, I'll get this marked
> as verified.

We are all good now! Feel free to move to verified! Thank you.
Comment 14 Ken Benoit 2022-02-22 11:45:36 UTC 
Given the results from comment 12 and comment 13, moving this to verified.
Comment 16 errata-xmlrpc 2022-05-17 15:59:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: wpa_supplicant), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3991