LibreELEC / LibreELEC.tv

Just enough OS for KODI
http://libreelec.tv
2.31k stars 1.13k forks source link

Raspberry Pi's Incapable of WPA3 Attempt to Connect Via WPA3 and Fail if Network in Mixed Mode. #7353

Closed Steve-Cooley closed 1 year ago

Steve-Cooley commented 1 year ago

Describe the bug

Here are some links that are related:

https://github.com/raspberrypi/linux/issues/3619 https://forums.raspberrypi.com/viewtopic.php?t=318958

And a link to an issue that sounds similar, but I think is unrelated: https://github.com/LibreELEC/LibreELEC.tv/issues/7166

Raspberry Pi 3 (and possibly other RPIs) attempt to use WPA3, even though WPA3 is not supported by these devices (I'm not sure if this lack of support is due to hardware or software). This can be mitigated by either disabling PFM(MFP?) in the AP, or by completely disabling WPA3 (which also disables PFM). The problems with this mitigation are:

  1. If PFM is disabled, but WPA3 is enabled, then this allows the raspberry pi running Libreelec to connect, however some other WPA3 capable devices will not be able to connect to the network. (I think that technically WPA3 requires PFM, even though some routers allow PFM to be disabled while using WPA3)
  2. If WPA3 is completely disabled, then everything works, but WPA2 is insecure and the network is vulnerable to attack.

I've read elsewhere that there are significant changes to the network stack in Libreelec 11, so this might not affect that version. I have not tried Libreelec 11.

I had hoped that this bug would have been fixed in LE10.0.3, but it apparently has not, which is why I'm speaking up now.

To Reproduce

Steps to reproduce the behavior (in 10.0.2 and 10.0.3)

  1. Run a wireless network in mixed WPA2/WPA3 mode with Management Frame Protection enabled.
  2. Attempt to connect to network with correct credentials
  3. Connection attempt fails with "Invalid Key". (This is where the error occurs)
  4. Disable WPA3 and Management Frame Protection completely in network
  5. Attempt to connect to network with correct credentials
  6. Connection completes successfully (This is how home network admin can "fix" the problem by compromising the security of their network)

Information

I've used the search feature here on GH, on DDG, and Google, but haven't seen a bug report that I believe is specific to this problem in this project. I could have gotten this wrong though, as I'm new to bug reporting.

HiassofT commented 1 year ago

Yes, this is well known - not much we can do about that, it needs to be fixed by RPi folks (wifi firmware and probably kernel changes)

Steve-Cooley commented 1 year ago

Is there a possible software fix that will prevent attempts at WPA3 connections on these devices? I don't think this was an issue in versions of LE prior to 10. I think that version 9 was simply incapable of WPA3, which is a big win for home WiFi users.

HiassofT commented 1 year ago

sorry, no idea. Please post your question on the RPi and LE forums

Steve-Cooley commented 1 year ago

I don't mean to pester you. :)

...But I think there's a way that LE devs could fix this, and not have to wait for changes from upstream. That's what I meant by "software fix". Some simple logic like this:

If raspberry pi:
  Disable WPA3

Done.

This would allow the device to join a network that has WPA3/2 mixed mode. I could be wrong about this, but I think this would work. I don't know where this logic would need to be run or anything, if it would be trivial, or a major pain. Maybe if a dev doesn't want to do it, but doesn't mind pointing me in the right direction... I can take a whack at it. No promises though, as I've never collaborated on any project. (I do have some coding and admin skills though)

If you just happen to know that everything I'm saying is wrong... please let me know that too, so I can just drop the issue.

Thanks.

HiassofT commented 1 year ago

PRs with solutions are always welcome, then we can have a look if the solution is feasible to be included in LE.

BTW: I'm not running WPA3 here so I can't help with development