Bug#1057494: marked as done (wpasupplicant: AP doesn't show that it's MFP-capable for WPA2+WPA3 mixed security setup by NM)

[Debian Bug Tracking System]

Your message dated Sun, 10 Dec 2023 16:14:31 +0000
with message-id <e1rcmrr-00ahee...@fasolo.debian.org>
and subject line Bug#1057494: fixed in wpa 2:2.10-20
has caused the Debian Bug report #1057494,
regarding wpasupplicant: AP doesn't show that it's MFP-capable for WPA2+WPA3 
mixed security setup by NM
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057494
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: wpasupplicant
Version: 2:2.10-15
Severity: normal
Tags: patch upstream

Dear Maintainer,

I'm using Freedombox as main router and wireless access point.
Freedombox uses NetworkManager to setup wireless AP. NetworkManager
sets mixed-security WPA2+WPA3 SAE.

```
WLAN.nmconnection

...
[wifi-security]
key-mgmt=wpa-psk
pairwise=ccmp
group=ccmp
wps-method=1
pmf=2
proto=rsn
...

```


In this case MFP (management frame protection) is optional and NetworkManager 
sets it by default
using pmf in wpa_supplicant, but it doesn't set ieee80211w to the
corresponding value for particular network and default value is set.

As a result AP is up, but it doesn't broadcast that MFP is supported
(MFP-capable in capabilities field). Some wireless clients (probably Broadcom 
based) don't report
such network in scan results at all in this case, probably considering this 
network as broken (WPA3
SAE reported, but AP isn't MFP-capable).

This problem is fixed upstream already by commit "Override ieee80211w
from pmf for AP mode in wpa_supplicant" 
(5f3cdc06489ff1ec16d75c3ff41f5ac7c2f62c7c) [1]

I've built Debian package with that patch and it solves the problem.


1. 
https://www.w1.fi/cgit/hostap/commit/?id=5f3cdc06489ff1ec16d75c3ff41f5ac7c2f62c7c


*** End of the template - remove these template lines ***


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wpasupplicant depends on:
ii  adduser            3.137
ii  libc6              2.37-12
ii  libdbus-1-3        1.14.10-3
ii  libnl-3-200        3.7.0-0.2+b1
ii  libnl-genl-3-200   3.7.0-0.2+b1
ii  libnl-route-3-200  3.7.0-0.2+b1
ii  libpcsclite1       2.0.0-1
ii  libreadline8       8.2-3
ii  libssl3            3.0.11-1

wpasupplicant recommends no packages.

Versions of packages wpasupplicant suggests:
pn  libengine-pkcs11-openssl  <none>
ii  wpagui                    2:2.10-15

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: wpa
Source-Version: 2:2.10-20
Done: Andrej Shadura <andre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 10 Dec 2023 17:03:00 +0100
Source: wpa
Architecture: source
Version: 2:2.10-20
Distribution: unstable
Urgency: medium
Maintainer: Debian wpasupplicant Maintainers <w...@packages.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 1057494
Changes:
 wpa (2:2.10-20) unstable; urgency=medium
 .
   * Add a trailing newline to the patch series file.
 .
 wpa (2:2.10-19) unstable; urgency=medium
 .
   [ Andrey Skvortsov ]
   * Override ieee80211w from pmf for AP mode in wpa_supplicant
     (Closes: #1057494)
Checksums-Sha1:
 a0f971264607e46bfa5f52f565539b66febb90f7 2184 wpa_2.10-20.dsc
 ca2cd4f9a0e7ebeac419dd3763c185967b923e9b 90252 wpa_2.10-20.debian.tar.xz
Checksums-Sha256:
 743227f90cf7cc2e8c0b92f43074cddff169047f1f719e3660333ec9970db2cf 2184 
wpa_2.10-20.dsc
 d98057c00bd94d7fe129d70a00ec7f4c1edf20801774642dda398f6abd789034 90252 
wpa_2.10-20.debian.tar.xz
Files:
 377af959450a8e32973ebd1ff0a6a4d3 2184 net optional wpa_2.10-20.dsc
 4f8e81c8f6c7885cb104df3c1864138b 90252 net optional wpa_2.10-20.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZXXhUAAKCRDoRGtKyMdy
YfGBAP9uA6vzAiS4Y9HT664aJjpX1EJQqP5455qaYZRtV4KXSgEAsR714HH9awmA
AhXWcIfZgNXts1iOCzAqruJ9U2YQpwo=
=Iept
-----END PGP SIGNATURE-----

--- End Message ---