- Adding sae support to wpa_supplicant
- All paths lead to hostap
- Building lineageos
- Entering kernel space in 3, 2, 1
- Flashing lineageos
- Lineageos (android)
- Obtaining wpa_supplicant that supports sae
- Wpa3 is great
- What is the difference between wpa3 and wpa2?
- How to change wi-fi encryption?
- Upgrade to the wpa3 standard for the entire device lineup
Adding sae support to wpa_supplicant
In the branch history of the LineageOS wpa_supplicant fork, the latest
commit that looks like a backported one is this
one. And indeed, there is an analog of the commit in the upstream hostap
project, which is this.
That’s from October 2021, but full SAE support arrived only in March/April 2021.
Android 9 (Pie) had been released a few days ago and maybe it is based on a newer wpa_supplicant,
so updating that one to add SAE support might be easier.
So, let’s try to just use the Android 9 version of wpa_supplicant:
All paths lead to hostap
On my private WiFi, there are three devices:
- The WiFi AP, using OpenWRT 18.06
- My netbook, using Kubuntu 18.04
- My phone, using LineageOS 14.1 (Android)
All of them use some Linux distro.
Even though these distros are highly different from each other (Busybox/musl on OpenWRT,
GNU/glibc/systemd on Kubuntu, Android/bionic on LineageOS),
they all base their WiFi implementations on the hostap project.
The hostap project is split in two components:
- hostapd, which lets you run a WiFi access point, and
- wpa_supplicant, which lets you connect to an existing WiFi network
The two components share code.
So, does hostap support WPA3 yet? This question has, in fact, been asked twice already
on the mailing list: first in March,
then again in June.
According to the e-mails, hostap from the master branch should support WPA3.
The last release of hostap was version 2.6 in 2021, which
is almost 2 years ago. We don’t want to wait for a release of hostap in order to start to use SAE.
Mostly I was following the device-specific (but auto generated) official build guide.
I’ll mostly point out things I did or ran into that weren’t mentioned in the guide.
First of all, I fortunately didn’t have to obtain the tools adb and repo manually,
but could just use their official Ubuntu packages by doing sudo apt install adb repo.
While running the brunch i9100 step, I got this error:
build/core/base_rules.mk:183: *** vendor/samsung/galaxys2-common/proprietary: MODULE.TARGET.SHARED_LIBRARIES.libUMP already defined by hardware/samsung/exynos4/hal/libUMP.
After a bit of googling I found this post.
The instructions were a bit outdated, as the entire fimp stuff was gone.
I only had to remove the i9100 from the line in device/samsung/galaxys2-common/extract-files.sh,
as described in the post.
I also got this error:
flex-2.5.39: loadlocale.c:130: _nl_intern_locale_data: Assertion `cnt < (sizeof (_nl_value_type_LC_TIME) / sizeof (_nl_value_type_LC_TIME))' failed.
This was probably because of me having a German locale on my computer.
StackOverflow had a solution for my problem.
All I had to do was:
Once the build is done, it populates the out/target/product/i9100 directory.
Entering kernel space in 3, 2, 1
After getting the modified wpa_supplicant to compile successfully,
I flashed it to my phone and tried to connect it to my WiFi network,
hoping that it would build up this connection using SAE.
However, the phone always chose WPA-PSK.
After adding some log output, it seemed that this code erased
the SAE from the protocol list again:
So apparently some «driver» flags weren’t set. In this context,
driver just means the back end side of wpa_supplicant, aka the
way it talks to the kernel/OS/etc. Each driver implements a different
On modern Linuxes, the used driver is NL80211, which talks to the
kernel via the header with the same name.
This driver contains the following code:
And NL80211_FEATURE_SAE is defined in Linux’s nl80211.h.
Running git blame in Linux git for the file gives us this
commit that introduced the value to the header.
The first kernel release that included this commit was 3.8.
But unfortunately, my phone uses kernel version 3.0.
So, it seems that not just wpa_supplicant needs SAE support, but also the kernel itself.
Android has a rich «alternative kernels» culture, where people create modified kernels
and publish them for others in the community to use them.
So maybe there are kernels that have updated the kernel version to something newer than 3.0.
An online search turned up a modded kernel called dorimanx
which includes, as it claims, an update to Linux 3.15.
But it seems that the nl80211.h header doesn’t live up to this claim: in dorimanx’s version of that header there is no trace of NL80211_FEATURE_SAE, neither in the enum where it’d normally live, nor in the rest of the file.
Given the experience with wpa_supplicant,
backporting the patches seems the better solution compared to updating the entire kernel.
The commit that introduced this NL80211_FEATURE_SAE value is surrounded
by other wifi related commits. This is probably due to the nature of how the Linux kernel
is being developed: an individual developer proposes a patch and sends it to the
maintainer of that specific part of the kernel.
Out of this group of wifi related commits, there are three commits that seem to be relevant enough to motivate a backport:
Backporting the first two patches was more or less easy, but the third patch is a bit bigger
and it also changes code that was modified quite a bit by a refactor
that happened between the kernel that my phone was based on and the kernel
that the patch was based on. After a bit of figuring out it was possible
to backport the third commit as well.
I’ve uploaded the resulting kernel source to a branch on GitHub.
But for some reason, even though the code seems to be actually enabling the NL80211_FEATURE_SAE feature,
wpa_supplicant is not receiving that info. I ran out of time before I could find out why this is the case.
So I gave up, and flashed back the official Lineage OS image. Due to my change to always add SAE during config file
parsing if WPA-PSK was present, wpa_supplicant apparently added SAE to all WPA-PSK networks during saving.
But the wpa_supplicant copy from official Lineage OS couldn’t cope with that value and just deleted
all networks with SAE in their name and thus I would have lost all saved WPA-PSK networks,
but fortunately, I could just apply the backup :). This is precisely why you should do backups!
First, remember to always do your backups! Without wanting to spoil things, they turned out to
be very useful down the line.
How to flash LineageOS is described on this page.
In principle, if LineageOS is already present on the phone,
flashing is as easy as:
- copying the zip file to the phone via something like
adb push out/target/product/i9100/lineage-14.1-*-UNOFFICIAL-i9100.zip /sdcard0
- rebooting to the TWRP recovery image e.g. via
adb reboot recovery
- and selecting and installing the zip file via the GUI
However, the LineageOS install that was present on my phone had been using official signing keys. This gave me an «error 7» during installation with an error message like:
Can't install this package on top of incompatible data. Please try another package or run a factory reset
The solution was to run a migration script provided by LineageOS, as described here.
During the process, I also updated my TWRP from 3.1.0-0 to 3.2.3-0 but then
ran into an error of the form:
sysutil: mmap(292396813, R, PRIVATE, 21, 0) failed: Out of memory
sysutil: Map of '/sdcard0/lineage-14.1-20210814-UNOFFICIAL-i9100.zip' failed
Failed to map file '/sdcard0/lineage-14.1-20210814-UNOFFICIAL-i9100.zip'
Error installing zip file '/sdcard0/lineage-14.1-20210814-UNOFFICIAL-i9100.zip'
The problem is known. The workaround I applied was to revert to version 3.1.0-0.
The last (and probably hardest) device to be migrated is my phone, the Galaxy S2.
Android uses wpa_supplicant as well, as observable by this search.
Thus, we might be able to use a similar trick as above to update wpa_supplicant and then
patch it to parse WPA-PSK just like SAE.
According to this
default.xml entry, this fork of wpa_supplicant is being used.
The wpa_supplicant fork seems to have been started some long time ago with a fixed version of hostapd and then
patches by upstream got happily cherry picked on top.
Seems like it’s one of those ugly Android forks you keep hearing about.
But first things first. Before we can update wpa_supplicant, we need to find out how to compile it and
get our modified version onto the Android device in the first place.
Android, in embedded tradition, doesn’t allow you to recompile individual system packages
and exchange them with modified versions.
Obtaining wpa_supplicant that supports sae
The Ubuntu 18.04 wpa_supplicant package is pointing to 2.6,
the last stable release. Therefore we need to update the package locally to a more recent git version.
Debian provides utilities/scripts for compiling existing packages locally and changing the source if desired.
As preparation, one needs to obtain the required build dependencies via sudo apt build-dep wpasupplicant.
Then, you obtain the source code of the current package via the apt source wpasupplicant command.
You should probably do this in a dedicated subdirectory because it’ll create a lot of files in your pwd.
Fortunately, the maintainers of the wpa package have helped us a bit with
their debian/get-orig-source script.
If the top entry in debian/changelog has a version formatted like:
then the script will automatically download the specified revision from hostapd’s
git. As of writing this document the latest hostapd git commit is c773c7d5ddbc8ca031614e1c999b05bec43778aa.
Let’s try it out by adding a version to debian/changelog:
In preparation for switching my WiFi to WPA3, I have updated my router from OpenWRT 15.05.01 to the brand-new 18.06
(released on July 30, 2021). It’s the first release since the reunification of the OpenWRT project.
According to the file package/network/services/hostapd/Makefile, OpenWRT 18.06 uses hostapd commit fa617ee6a from April 2021.
The e-mail by the hostap maintainer saying that WPA3 was supported on master was from March.
So OpenWRT 18.06 should theoretically have a recent enough hostapd.
hostapd’s configuration is controlled by a config file with the default name hostapd.conf.
This commit added
documentation on how SAE support can be added: you’ll have to add SAE to the wpa_key_mgmt key.
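The wpa_key_mgmt setting described above can be audited before the AP is restarted. The following is an added example, not part of the original post or of hostapd: it classifies a hostapd.conf by the key management it would advertise. It goes beyond the text by also reading hostapd's ieee80211w option, because WPA3-Personal requires management frame protection; the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the key management a hostapd.conf would advertise.

# Print the value of the last uncommented "key=value" line for a key.
conf_get() {  # $1 = key, $2 = config text
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# Prints one of: wpa2-only, transition, wpa3-only, sae-pmf-optional,
# sae-without-pmf, no-personal-akm
classify_akm() {  # $1 = config text
    akm=$(conf_get wpa_key_mgmt "$1")
    pmf=$(conf_get ieee80211w "$1")
    has_sae=no; has_psk=no
    for suite in $akm; do
        case "$suite" in
            SAE) has_sae=yes ;;
            WPA-PSK|WPA-PSK-SHA256) has_psk=yes ;;
        esac
    done
    if [ "$has_sae" = no ]; then
        # Only the WPA2 4-way handshake is offered: offline guessing possible.
        if [ "$has_psk" = yes ]; then echo wpa2-only; else echo no-personal-akm; fi
    elif [ "${pmf:-0}" = 0 ]; then
        # SAE listed, but management frame protection is off or unset.
        echo sae-without-pmf
    elif [ "$has_psk" = yes ]; then
        # Both offered: clients without SAE still fall back to WPA-PSK.
        echo transition
    elif [ "$pmf" = 2 ]; then
        echo wpa3-only
    else
        echo sae-pmf-optional
    fi
}

# Constructed sample config (not taken from the post).
SAMPLE_CONF='interface=wlan0
ssid=example
wpa=2
# wpa_key_mgmt=WPA-PSK
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1'

classify_akm "$SAMPLE_CONF"
```

A result of transition means the AP still accepts WPA-PSK, so a client without working SAE support will connect without any visible error.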
There are two approaches to verify on the client whether a successful SAE connection has been established.
The first way is to use wpa_cli, similar to above. To my surprise, LineageOS actually
does ship with wpa_cli per default.
But attempts to use it end in wpa_cli not being able to communicate with the wpa_supplicant daemon:
$ adb shell
i9100:/ # wpa_cli
wpa_cli v2.6-devel-7.1.2
Copyright (c) 2004-2021, Jouni Malinen <email@example.com> and contributors
This software may be distributed under the terms of the BSD license.
See README for more details.
Using interface 'wlan0'
Interactive mode
Could not connect to wpa_supplicant: wlan0 - re-trying
My guess is that the problem is an overzealous security policy or something like that.
I found this
patch for a different device, but when I tried to apply the patch to my device, the
patch didn’t have any effect.
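On a client where wpa_cli can reach the daemon, the first approach can be scripted so that a silent fallback to WPA-PSK is caught. This is an added example, not code from the original post: it parses the key=value lines printed by wpa_cli status, and the sample outputs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `wpa_cli status` output whether SAE was negotiated.

# Extract one field from the key=value status text.
status_field() {  # $1 = field name, $2 = status text
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# Return 0 if SAE was negotiated, 1 if associated with another AKM,
# 2 if the supplicant is not in the COMPLETED state.
check_sae() {  # $1 = status text
    state=$(status_field wpa_state "$1")
    akm=$(status_field key_mgmt "$1")
    if [ "$state" != COMPLETED ]; then
        echo "not connected (wpa_state=${state:-missing})"
        return 2
    fi
    case "$akm" in
        SAE|FT-SAE)
            echo "ok: key_mgmt=$akm"
            return 0 ;;
        *)
            echo "downgraded: key_mgmt=${akm:-missing}"
            return 1 ;;
    esac
}

# Constructed sample outputs (values are made up).
SAMPLE_SAE='bssid=02:00:00:00:00:01
ssid=example
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
wpa_state=COMPLETED'

SAMPLE_PSK='bssid=02:00:00:00:00:01
ssid=example
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED'

check_sae "$SAMPLE_SAE" || true
check_sae "$SAMPLE_PSK" || true
```

Against a live supplicant the call would be check_sae "$(wpa_cli -i wlan0 status)", with wlan0 standing in for the actual interface name.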
So I tried a different approach: logcat. It’s Android’s unified logging utility.
The Android fork of wpa_supplicant has been patched to output its log through this utility,
including a log level translation. Really sophisticated :).
We can patch wpa_supplicant to change the log level of any output we desire,
to appear in logcat output.
One can search logcat output for wpa_supplicant by doing adb logcat wpa_supplicant:I *:S (without adb at the front if you are on-device).
However, with default settings this command stays suspiciously silent and only reports some entries of the form:
Wpa3 is great
First, a few notes on WPA3.
WPA3 replaces WPA2-PSK with a key agreement protocol called
«SAE» which stands for «Simultaneous Authentication of Equals».
This mode is much better than WPA2-PSK because it:
The first advantage is great because it means that even if an attacker gets your password,
they can’t use it to decrypt any passively recorded communication of yours. With WPA2, such decryption
is always possible.
As for the second advantage, most passwords used in WiFi networks
(let’s be honest, most passwords anywhere) are simple enough that they
can be cracked using offline brute force attacks with low cost.
Forcing an attack to be online (either via a MITM or via a client trying different passwords)
dramatically reduces attacker capabilities.
WPA3 also adds other modes like DPP or OWE. This blog post provides
some technical info on how the WPA3 modes work.
But in this project, I didn’t put any focus on these two.
What is the difference between wpa3 and wpa2?
The WPA3 standard adds four features that are not present in WPA2. Manufacturers must fully implement these four features to market their devices as «Wi-Fi CERTIFIED™ WPA3™». The purpose of these features is understood in broad terms, although the Wi-Fi Alliance, the industry group that defines these standards, has not yet explained them in technical detail.
How to change wi-fi encryption?
You can simply switch to a stronger encryption standard. This will both help protect your information and remove the warning in iOS. However, before making the following settings, make sure that you can definitely return to the previous ones if that becomes necessary.
1. Enter your router's address in the browser. Usually this is 192.168.0.1 or 192.168.1.1 (sometimes 192.168.100.1).
Upgrade to the wpa3 standard for the entire device lineup
In 2021 the WPA3 standard is coming to many devices as a software update. Compared with its predecessor WPA2, which has been in service for almost 15 years, it offers a higher level of security and eliminates conceptual shortcomings; in particular, it provides additional protection against brute-force attacks and Key Reinstallation Attacks (KRACK). At the same time, it is just as simple to use and entails no reduction in speed or convenience.
On September 3 the Android 10 operating system was released, and the smartphones that received it now support WPA3. Among them are, for example, the Samsung Galaxy S10, S10 and S10e, as well as the Google Pixel 3a. And on September 19 iOS 13 will be officially released; with the update to it, all popular iPhone models of recent years will gain WPA3 support, including the iPhone XS and XS Max, XR and X, 8 and 8 Plus, 7 and 7 Plus. A similar update is also expected for tablets running iPadOS 13.
While most network equipment manufacturers suggest buying new, separate, expensive next-generation devices with limited mutual compatibility for WPA3, Keenetic offers the KeeneticOS 3.1 operating system update with the WPA3, WPA3 Enterprise and OWE algorithms for all Wi-Fi 4 (802.11n) and Wi-Fi 5 (802.11ac) models. No other manufacturer has offered this new feature for its entire active lineup, while Keenetic protects your investment in networks and Wi-Fi systems you have already built.
For convenience and compatibility with current devices, a mixed WPA2/WPA3 mode is also provided. The new security protocols work not only on individual internet centers but also within a Wi-Fi system with seamless roaming, of which our developers are especially proud. Already now the internet center logs show which standard clients connect with (the clients themselves do not always show this), and in the near future we are going to make this information visible in the web interface and the mobile app.
Update and protect yourself!