From: Peter Hessler
Subject: Re: wifi protected management frame (PMF) support
To: tech@openbsd.org, stsp@openbsd.org
Date: Wed, 3 Dec 2025 19:52:15 +0100

On 2025 Dec 02 (Tue) at 14:30:53 +0100 (+0100), Stefan Sperling wrote:
:On Fri, Nov 28, 2025 at 10:41:16AM +0100, Stefan Sperling wrote:
:> On Fri, Nov 28, 2025 at 09:29:06AM +0100, Remi Locherer wrote:
:> > Yes it connects when I disable PMF for the SSID.
:> > --> openbsd-arista_pmf-disabled_r-optional.pcap
:>
:> Thanks, that is good to know. Nothing seems wrong in this case.
:>
:> > > Are there any obvious AP settings for enabling the AKM "PSK"?
:> > > Could you try disabling fast-transition roaming (11k / 11r) in AP settings?
:> > > Perhaps this will switch "FT using PSK" to regular "PSK"?
:> >
:> > No success when I disable 11r but keep 11w required. Also not with the
:> > patch below applied on top of the PMF patches.
:> > --> openbsd-arista_pmf-required_r-disabled.pcap
:>
:> Now this AP is only advertising PSK 256, no PSK anymore.
:
:Turns out I also have an AP which switches to only PSK SHA256 once
:PMF is set to "required". The two patches below make it work.
:
:The first patch is for /usr/src/sbin/ifconfig. You can apply this and
:rebuild just ifconfig to enable use of sha256-psk, even on an unpatched
:kernel:
:
: cd /usr/src/sbin/ifconfig; make obj; make; make install
:
: ifconfig iwx0 nwid A-LAB-PSK wpaakms "psk,sha256-psk" wpakey ...
:
:This should give you a working connection.
:
:
:The second patch enables SHA256-PSK by default in the kernel if the driver
:supports PMF. With this, the extra ifconfig wpaakms parameter is not needed
:and the interface should be able to connect to your AP setup out of the box.
:
:Ok for both diffs?
:

Belatedly tested on iwx0 AX211, OK. However, there is a buglet when using it with join.
: : :enable 802.11 AKM SHA256-PSK by default if the driver supports PMF : :M sys/net80211/ieee80211_crypto.c | 2+ 0- :M sys/net80211/ieee80211_ioctl.c | 4+ 1- :M sys/net80211/ieee80211_node.c | 11+ 3- : :3 files changed, 17 insertions(+), 4 deletions(-) : :blob - dec464f269c66186021c6de4e15cc13d2b71ef2d :blob + dbf6d091fe9455b189852082b3e848750bc7bfd3 :--- sys/net80211/ieee80211_node.c :+++ sys/net80211/ieee80211_node.c :@@ -264,7 +269,7 @@ ieee80211_ess_setnwkeys(struct ieee80211_ess *ess, : : /* Keep in sync with ieee80211_ioctl.c:ieee80211_ioctl_setwpaparms() */ : static int :-ieee80211_ess_setwpaparms(struct ieee80211_ess *ess, :+ieee80211_ess_setwpaparms(struct ieee80211com *ic, struct ieee80211_ess *ess, : const struct ieee80211_wpaparams *wpa) : { : if (!wpa->i_enabled) { :@@ -297,8 +302,11 @@ ieee80211_ess_setwpaparms(struct ieee80211_ess *ess, : ess->rsnakms |= IEEE80211_AKM_SHA256_8021X; : if (wpa->i_akms & IEEE80211_WPA_AKM_SAE) : ess->rsnakms |= IEEE80211_AKM_SAE; :- if (ess->rsnakms == 0) /* set to default (PSK) */ :+ if (ess->rsnakms == 0) { /* set to default (PSK) */ : ess->rsnakms = IEEE80211_AKM_PSK; :+ if (ic->ic_caps & IEEE80211_C_MFP) :+ ess->rsnakms = IEEE80211_AKM_SHA256_PSK; ^^^^ We need to fold in IEEE80211_AKM_SHA256_PSK rather than overwriting the value. This buglet prevents me from connecting to my TP-Link wifi router at home while using join. However, I could connect when using nwid. :+ } : : if (wpa->i_groupcipher == IEEE80211_WPA_CIPHER_WEP40) : ess->rsngroupcipher = IEEE80211_CIPHER_WEP40; While there, I strictly didn't need to change the default IEEE80211_AKM_PSK line, but now it matches how we always fold it in from above. OK for the below patch? 
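Review bot: In the second hunk of the quoted ieee80211_node.c diff, `ess->rsnakms = IEEE80211_AKM_SHA256_PSK;` replaces the `IEEE80211_AKM_PSK` value assigned on the line just above it, so on an MFP-capable driver the default AKM set holds only SHA256-PSK and an AP that advertises plain PSK no longer matches; `ess->rsnakms |= IEEE80211_AKM_SHA256_PSK;` keeps both. The function comment says to keep this code in sync with ieee80211_ioctl.c:ieee80211_ioctl_setwpaparms(), and the diffstat shows that file was changed as well, so the same assignment-versus-fold-in should be checked there. The `/* set to default (PSK) */` comment is also worth updating, since the default may now include SHA256-PSK.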
Index: sys/net80211/ieee80211_node.c =================================================================== RCS file: /cvs/openbsd/src/sys/net80211/ieee80211_node.c,v diff -u -p -u -p -r1.206 ieee80211_node.c --- sys/net80211/ieee80211_node.c 3 Dec 2025 10:21:12 -0000 1.206 +++ sys/net80211/ieee80211_node.c 3 Dec 2025 18:32:11 -0000 @@ -303,9 +303,9 @@ ieee80211_ess_setwpaparms(struct ieee802 if (wpa->i_akms & IEEE80211_WPA_AKM_SAE) ess->rsnakms |= IEEE80211_AKM_SAE; if (ess->rsnakms == 0) { /* set to default (PSK) */ - ess->rsnakms = IEEE80211_AKM_PSK; + ess->rsnakms |= IEEE80211_AKM_PSK; if (ic->ic_caps & IEEE80211_C_MFP) - ess->rsnakms = IEEE80211_AKM_SHA256_PSK; + ess->rsnakms |= IEEE80211_AKM_SHA256_PSK; } if (wpa->i_groupcipher == IEEE80211_WPA_CIPHER_WEP40) -- Utility is when you have one telephone, luxury is when you have two, opulence is when you have three -- and paradise is when you have none. -- Doug Larson
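Review bot: The `|=` on both lines fixes the overwrite, and since `ess->rsnakms == 0` was just checked, changing the first `=` to `|=` is behaviour-neutral and only makes the block consistent with the fold-in style above. Two follow-ups for the same hunk: the `/* set to default (PSK) */` comment is now stale on MFP-capable drivers, where the default is PSK plus SHA256-PSK, and ieee80211_ioctl.c:ieee80211_ioctl_setwpaparms(), which the function comment in the quoted diff says must stay in sync, should be checked for the same overwrite and given the same `|=` if present.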
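As an added example (not code from this thread or from net80211), the defaulting logic of the quoted patch beside the corrected fold-in, followed by a simplified match step that shows why the overwrite blocks an AP advertising only PSK while the fold-in joins both AP types. The flag values, CAP_MFP and can_join() are constructed stand-ins for the kernel's IEEE80211_AKM_* / IEEE80211_C_MFP definitions and its real BSS selection, which are not on this page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-in values; the kernel's own enum values may differ. */
#define AKM_PSK         0x02u
#define AKM_SHA256_PSK  0x08u
#define CAP_MFP         0x01u  /* driver supports Protected Management Frames */

/* Defaulting as in the quoted patch: the second assignment replaces the
 * PSK default on MFP-capable drivers instead of adding to it. */
unsigned int default_akms_overwrite(unsigned int requested, unsigned int caps)
{
    unsigned int akms = requested;
    if (akms == 0) {
        akms = AKM_PSK;
        if (caps & CAP_MFP)
            akms = AKM_SHA256_PSK;   /* PSK bit is lost here */
    }
    return akms;
}

/* Defaulting as in the follow-up patch: both AKMs are folded in with |=. */
unsigned int default_akms_fold(unsigned int requested, unsigned int caps)
{
    unsigned int akms = requested;
    if (akms == 0) {
        akms |= AKM_PSK;
        if (caps & CAP_MFP)
            akms |= AKM_SHA256_PSK;
    }
    return akms;
}

/* Simplified model (assumption): a join is possible only if the AP
 * advertises at least one AKM from the station's configured set. */
bool can_join(unsigned int sta_akms, unsigned int ap_akms)
{
    return (sta_akms & ap_akms) != 0;
}

int main(void)
{
    unsigned int ap_psk_only = AKM_PSK;            /* e.g. a home router */
    unsigned int ap_sha256_only = AKM_SHA256_PSK;  /* AP with PMF "required" */
    unsigned int o = default_akms_overwrite(0, CAP_MFP);
    unsigned int f = default_akms_fold(0, CAP_MFP);
    printf("overwrite: psk-only=%d sha256-only=%d\n",
        can_join(o, ap_psk_only), can_join(o, ap_sha256_only));
    printf("fold:      psk-only=%d sha256-only=%d\n",
        can_join(f, ap_psk_only), can_join(f, ap_sha256_only));
    return 0;
}
```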