2032539 – [NMCI] wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and simwifi_ap_in_bridge_wpa_psk_method_manual

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2032539 - [NMCI] wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and simwifi_ap_in_bridge_wpa_psk_method_manual

Summary: [NMCI] wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	wpa_supplicant
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Davide Caratti
QA Contact:	Ken Benoit
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2062785
TreeView+	depends on / blocked

Reported:	2021-12-14 16:53 UTC by David Jaša
Modified:	2022-05-17 16:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:	wpa_supplicant-2.10-2.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2062785 (view as bug list)
Environment:
Last Closed:	2022-05-17 15:59:05 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-105791	0	None	None	None	2021-12-14 17:03:43 UTC
Red Hat Product Errata	RHBA-2022:3991	0	None	None	None	2022-05-17 15:59:16 UTC

Description David Jaša 2021-12-14 16:53:43 UTC

Description of problem:
wpa_supplicant breaks nmci tests simwifi_ap_wpa_psk_method_shared and simwifi_ap_in_bridge_wpa_psk_method_manual

Version-Release number of selected component (if applicable):
wpa_supplicant-2.9-17.20211112.gitc8b94bc7b347.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. run wifi_hwsim feature of NMCI on RHEL 9.0 or said tests directly
2.
3.

Actual results:
FAIL_report_NetworkManager-ci_Test0038_simwifi_ap_wpa_psk_method_shared.html
FAIL_report_NetworkManager-ci_Test0039_simwifi_ap_in_bridge_wpa_psk_method_manual.html

Expected results:
all tests pass

Additional info:
Previous version of wpa_supplicant runs just fine (wpa_supplicant-2.9-17.el9.x86_64.rpm).

Comment 1 David Jaša 2021-12-14 16:58:20 UTC

Addendum: both scenarios fail with ‘Secrets were required, but not provided’ error:

Then Bring " up " connection " wifi-client " (3.276s)              features/steps/connection.py:61
Error Message

Assertion Failed: Got an Error while uping connection wifi-client
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=36e4ac0b-a072-468e-8199-e66404700f83 + NM_DEVICE=wlan0' to get more details.


Commands

--------------------------------------------------
'pexpect:</usr/bin/nmcli connection up id wifi-client>' returned 1024
STDOUT:
Passwords or encryption keys are required to access the wireless network 'AP_test'.
Warning: password for '802-11-wireless-security.psk' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=36e4ac0b-a072-468e-8199-e66404700f83 + NM_DEVICE=wlan0' to get more details.

Comment 2 David Jaša 2021-12-15 10:20:12 UTC

As per yesterday conversation with Davide Caratti, the likely cause is that wpa_supplicant when connecting to WPA network that supports both TKIP (WEP) and CCMP (AES) chooses TKIP even though it's built without WEP support. If it is indeed this case, then the fix would be that CCMP-only supplicant chooses CCMP and only errors out when connecting to TKIP-only AP.

Comment 3 Davide Caratti 2022-01-31 08:26:30 UTC

(In reply to David Jaša from comment #2)
> As per yesterday conversation with Davide Caratti, the likely cause is that
> wpa_supplicant when connecting to WPA network that supports both TKIP (WEP)
> and CCMP (AES) chooses TKIP even though it's built without WEP support. If
> it is indeed this case, then the fix would be that CCMP-only supplicant
> chooses CCMP and only errors out when connecting to TKIP-only AP.

hi, is this problem still present with version 2.10 ?

Comment 4 Vladimir Benes 2022-01-31 15:08:30 UTC

(In reply to Davide Caratti from comment #3)
> (In reply to David Jaša from comment #2)
> > As per yesterday conversation with Davide Caratti, the likely cause is that
> > wpa_supplicant when connecting to WPA network that supports both TKIP (WEP)
> > and CCMP (AES) chooses TKIP even though it's built without WEP support. If
> > it is indeed this case, then the fix would be that CCMP-only supplicant
> > chooses CCMP and only errors out when connecting to TKIP-only AP.
> 
> hi, is this problem still present with version 2.10 ?

yes, it is.

Comment 5 Davide Caratti 2022-02-02 17:13:44 UTC

the problem is caused by the implicit enablement of BSS Fast-Transition (IEEE802.11r), that happened with the update to version 2.10.

Looking at the logs, we observed that the AP and STA PMK match; however, the derived PTK (and the KCK, obtained from the PTK with a truncation) don't match. As a consequence, the AP detects a wrong MIC in EAPOL 2/4 and then refuses to proceed to the 4-way handshake. It seems that the supplicant tries to connect using FT-PSK-SHA256, while the AP assumes that key management is WPA-PSK-SHA256.

Rebuilding wpa_supplicant with CONFIG_IEEE80211R=y commented in wpa_supplicant/defconfig proved to fix the reported issue.

Comment 6 Davide Caratti 2022-02-04 13:46:43 UTC

marking as 'Regression' as per comment #0. CONFIG_IEEE80211R got implicitly enabled with the snapshot build and the subsequent update to 2.10.

Comment 7 Ken Benoit 2022-02-09 15:40:10 UTC

My wireless regression testing against wpa_supplicant-2.10-2.el9 passed without issue. David, can you rerun the NMCI testing against the updated wpa_supplicant to make sure it fixes the issue? Thanks.

Comment 8 Vladimir Benes 2022-02-10 08:28:40 UTC

(In reply to Ken Benoit from comment #7)
> My wireless regression testing against wpa_supplicant-2.10-2.el9 passed
> without issue. David, can you rerun the NMCI testing against the updated
> wpa_supplicant to make sure it fixes the issue? Thanks.

with updated packages tests are running happily again!
+ logger -t ./test_run.sh 'Test simwifi_ap_wpa_psk_method_shared finished with result PASS: 0'
+ logger -t ./test_run.sh 'Test simwifi_ap_in_bridge_wpa_psk_method_manual finished with result PASS: 0'

Comment 9 Ken Benoit 2022-02-10 11:43:29 UTC

Given the testing from comment 8 and my regression testing, marking this as Verified:Tested.

Comment 12 Ken Benoit 2022-02-17 15:53:33 UTC

Ran wireless regression testing against RHEL-9.0.0-20220216.0 (wpa_supplicant-2.10-2.el9) against recent wireless cards (AX201, AX211, QCA6390). Testing passed without issue. Vladimir, have you had successful testing against RHEL-9.0.0-20220216.0 or later? If so, I'll get this marked as verified.

Comment 13 Vladimir Benes 2022-02-22 07:51:58 UTC

(In reply to Ken Benoit from comment #12)
> Ran wireless regression testing against RHEL-9.0.0-20220216.0
> (wpa_supplicant-2.10-2.el9) against recent wireless cards (AX201, AX211,
> QCA6390). Testing passed without issue. Vladimir, have you had successful
> testing against RHEL-9.0.0-20220216.0 or later? If so, I'll get this marked
> as verified.

We are all good now! Feel free to move to verified! Thank you.

Comment 14 Ken Benoit 2022-02-22 11:45:36 UTC

Given the results from comment 12 and comment 13, moving this to verified.

Comment 16 errata-xmlrpc 2022-05-17 15:59:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: wpa_supplicant), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3991

Note You need to log in before you can comment on or make changes to this bug.