From: Kirill A. Korinsky Subject: Re: Make ifconfig scan display wpa3 To: Kevin Lo Cc: tech@openbsd.org Date: Fri, 21 Mar 2025 23:35:43 +0100 On Fri, 21 Mar 2025 02:39:50 +0100, Kevin Lo wrote: > > Hi, > > The diff below makes ifconfig scan display wpa3. If WPA3 APs support > WPA3-Personal only mode, 'ifconfig scan' will mistakenly show all those as > wpa2 ones. Diff also adds SAE AKMP to define support for SAE. > If the suite type is set to 8, it indicates the use of SAE. > Tested against WPA2, WPA2/WPA3 and WPA3 network based on unifi solution, and WPA2/WPA3 network from FRITZ!Box. Works well.
> Index: sbin/ifconfig/ifconfig.c
> ===================================================================
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
> diff -u -p -u -p -r1.475 ifconfig.c
> --- sbin/ifconfig/ifconfig.c 6 Jan 2025 17:49:29 -0000 1.475
> +++ sbin/ifconfig/ifconfig.c 20 Mar 2025 09:01:27 -0000
> @@ -727,6 +727,7 @@ void ieee80211_listnodes(void);
> void ieee80211_printnode(struct ieee80211_nodereq *);
> u_int getwpacipher(const char *);
> void print_cipherset(u_int32_t);
> +void print_rsnprotocol(u_int, u_int);
>
> void spppauthinfo(struct sauthreq *, int);
> void spppdnsinfo(struct sdnsreq *);
> @@ -2398,6 +2399,22 @@ print_cipherset(u_int32_t cipherset)
> }
> }
>
> +void
> +print_rsnprotocol(u_int proto, u_int akm)
> +{
> + if (proto & IEEE80211_WPA_PROTO_WPA2) {
> + if (akm & IEEE80211_WPA_AKM_SAE) {
> + if (akm == IEEE80211_WPA_AKM_SAE)
> + fputs(",wpa3", stdout);
> + else
> + fputs(",wpa3,wpa2", stdout);
> + } else
> + fputs(",wpa2", stdout);
> + }
> + if (proto & IEEE80211_WPA_PROTO_WPA1)
> + fputs(",wpa1", stdout);
> +}
> +
> static void
> print_assoc_failures(uint32_t assoc_fail)
> {
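Review bot: In `print_rsnprotocol`, the mixed-mode branch prints `,wpa3,wpa2` whenever SAE is advertised together with any other AKM bit, and nothing in the hunk looks at the AP's management-frame-protection setting, so the label reflects advertised AKMs only and not a verified WPA3 configuration. A short comment above the function would keep readers of scan output from over-trusting it, e.g. `/* Label is derived from advertised AKMs only: "wpa3" = SAE-only, "wpa3,wpa2" = SAE plus another AKM (transition mode, weaker AKM still accepted). */`. It may also be worth stating in the manual page that the label does not imply the local stack can authenticate with SAE; whether it can is not visible in this diff.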
> @@ -2803,12 +2820,10 @@ ieee80211_printnode(struct ieee80211_nod
> if (nr->nr_capinfo) {
> printb_status(nr->nr_capinfo, IEEE80211_CAPINFO_BITS);
> if (nr->nr_capinfo & IEEE80211_CAPINFO_PRIVACY) {
> - if (nr->nr_rsnprotos) {
> - if (nr->nr_rsnprotos & IEEE80211_WPA_PROTO_WPA2)
> - fputs(",wpa2", stdout);
> - if (nr->nr_rsnprotos & IEEE80211_WPA_PROTO_WPA1)
> - fputs(",wpa1", stdout);
> - } else
> + if (nr->nr_rsnprotos)
> + print_rsnprotocol(nr->nr_rsnprotos,
> + nr->nr_rsnakms);
> + else
> fputs(",wep", stdout);
>
> if (nr->nr_rsnakms & IEEE80211_WPA_AKM_8021X ||
> Index: sys/net80211/ieee80211_crypto.h
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_crypto.h,v
> diff -u -p -u -p -r1.27 ieee80211_crypto.h
> --- sys/net80211/ieee80211_crypto.h 15 May 2020 14:21:09 -0000 1.27
> +++ sys/net80211/ieee80211_crypto.h 20 Mar 2025 09:01:34 -0000
> @@ -44,7 +44,8 @@ enum ieee80211_akm {
> IEEE80211_AKM_8021X = 0x00000001,
> IEEE80211_AKM_PSK = 0x00000002,
> IEEE80211_AKM_SHA256_8021X = 0x00000004, /* 11w */
> - IEEE80211_AKM_SHA256_PSK = 0x00000008 /* 11w */
> + IEEE80211_AKM_SHA256_PSK = 0x00000008, /* 11w */
> + IEEE80211_AKM_SAE = 0x00000010
> };
>
> #define IEEE80211_TKIP_HDRLEN 8
> Index: sys/net80211/ieee80211_input.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v
> diff -u -p -u -p -r1.254 ieee80211_input.c
> --- sys/net80211/ieee80211_input.c 23 May 2024 11:19:13 -0000 1.254
> +++ sys/net80211/ieee80211_input.c 20 Mar 2025 09:01:34 -0000
> @@ -1429,6 +1429,8 @@ ieee80211_parse_rsn_akm(const u_int8_t s
> return IEEE80211_AKM_SHA256_8021X;
> case 6: /* PSK with SHA256 KDF */
> return IEEE80211_AKM_SHA256_PSK;
> + case 8: /* SAE */
> + return IEEE80211_AKM_SAE;
> }
> }
> return IEEE80211_AKM_NONE; /* ignore unknown AKMs */
> Index: sys/net80211/ieee80211_ioctl.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.c,v
> diff -u -p -u -p -r1.81 ieee80211_ioctl.c
> --- sys/net80211/ieee80211_ioctl.c 7 Mar 2022 08:13:13 -0000 1.81
> +++ sys/net80211/ieee80211_ioctl.c 20 Mar 2025 09:01:34 -0000
> @@ -126,6 +126,8 @@ ieee80211_node2req(struct ieee80211com *
> nr->nr_rsnakms |= IEEE80211_WPA_AKM_SHA256_8021X;
> if (ni->ni_supported_rsnakms & IEEE80211_AKM_SHA256_PSK)
> nr->nr_rsnakms |= IEEE80211_WPA_AKM_SHA256_PSK;
> + if (ni->ni_supported_rsnakms & IEEE80211_AKM_SAE)
> + nr->nr_rsnakms |= IEEE80211_WPA_AKM_SAE;
>
> /* Node flags */
> nr->nr_flags = 0;
> Index: sys/net80211/ieee80211_ioctl.h
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v
> diff -u -p -u -p -r1.43 ieee80211_ioctl.h
> --- sys/net80211/ieee80211_ioctl.h 14 Mar 2022 15:07:24 -0000 1.43
> +++ sys/net80211/ieee80211_ioctl.h 20 Mar 2025 09:01:34 -0000
> @@ -237,6 +237,7 @@ struct ieee80211_wpapsk {
> #define IEEE80211_WPA_AKM_8021X 0x02
> #define IEEE80211_WPA_AKM_SHA256_PSK 0x04
> #define IEEE80211_WPA_AKM_SHA256_8021X 0x08
> +#define IEEE80211_WPA_AKM_SAE 0x10
>
> struct ieee80211_wpaparams {
> char i_name[IFNAMSIZ]; /* if_name, e.g. "wi0" */
> Index: sys/net80211/ieee80211_node.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
> diff -u -p -u -p -r1.199 ieee80211_node.c
> --- sys/net80211/ieee80211_node.c 4 Sep 2024 07:54:52 -0000 1.199
> +++ sys/net80211/ieee80211_node.c 20 Mar 2025 09:01:34 -0000
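Review bot: The new `case 8` in `ieee80211_parse_rsn_akm` makes SAE a recognised AKM for every consumer of the parsed RSN element, not only for the scan listing. The ioctl.c hunk reads the bit back from `ni->ni_supported_rsnakms`; if that field also feeds AP selection or the AKM chosen at association (not visible here, the function starts outside the hunk), an SAE-only AP would change from "no known AKM" to a candidate the stack may be unable to authenticate to. I would confirm that the negotiation path masks `IEEE80211_AKM_SAE` out until SAE is implemented, and say so in the comment, e.g. `case 8: /* SAE; reported to userland only, no handshake support */`. Other SAE-based suite types, such as FT over SAE, still fall through to `IEEE80211_AKM_NONE`, so an AP advertising only those will not be labelled wpa3.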
> @@ -295,6 +295,8 @@ ieee80211_ess_setwpaparms(struct ieee802
> ess->rsnakms |= IEEE80211_AKM_8021X;
> if (wpa->i_akms & IEEE80211_WPA_AKM_SHA256_8021X)
> ess->rsnakms |= IEEE80211_AKM_SHA256_8021X;
> + if (wpa->i_akms & IEEE80211_WPA_AKM_SAE)
> + ess->rsnakms |= IEEE80211_AKM_SAE;
> if (ess->rsnakms == 0) /* set to default (PSK) */
> ess->rsnakms = IEEE80211_AKM_PSK;
> -- wbr, Kirill
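Review bot: The two added lines in `ieee80211_ess_setwpaparms` let a userland request put `IEEE80211_AKM_SAE` into `ess->rsnakms`, which goes beyond the scan-display change the description announces. With SAE as the only requested AKM, `ess->rsnakms` is no longer 0, so the default-to-PSK assignment below is skipped and the join configuration carries an AKM whose handshake is not added anywhere in this diff. Unless SAE authentication exists elsewhere in the tree, I would drop these two lines or reject the bit explicitly, so that a WPA3 request fails visibly rather than producing an ESS entry that cannot associate. The function starts and ends outside the hunk.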