WPA3 Implementation for OpenBSD

brynet1 pts0 comments

'add WPA3 support' - MARC

[prev in list] [next in list] [prev in thread] [next in thread]

List: openbsd-tech<br>Subject: add WPA3 support<br>From: Stefan Sperling<br>Date: 2026-07-18 11:40:08<br>Message-ID: altmGGN9mVtJ1Eqd () yumyan ! stsp ! name<br>[Download RAW message or body]

The patch below adds support for WPA3 to the net80211 subsystem.

This effort is supported by the NLnet Foundation's NGI0 Commons Fund.<br>Without such support, I would not have been able to invest the time<br>required to work on this. I am very grateful to be given this opportunity.

More review will be needed to ensure that this implementation of WPA3<br>is free of bugs. Please keep this in mind while running this patch.<br>NLnet will arrange an independent security audit once we consider our<br>part of this work complete.

All drivers which support PMF can use WPA3, which are: iwm, iwx, and qwx<br>So far, I have tested this patch on iwx AX200 only. I will roll out<br>this patch to more of my devices now. Help with testing is welcome.

There are both userland and kernel changes involved.

First, rebuild ifconfig:

cd /usr/src/<br>make obj<br>doas make includes<br>cd sbin/ifconfig<br>make<br>doas make install

Now rebuild the kernel and install it as usual, and reboot.

Configuring WPA3 network with ifconfig works just like WPA2 does.<br>The SAE handshake is suitable for password authentication only.<br>"WPA3 Enterprise" setups are out of scope.

Snapshot test builds on all supported platforms would be welcome.<br>This patch adds WPA3 support to all net80211-enabled kernels, so they<br>will all grow a bit. I don't expect huge growth since the code is kept<br>as small as possible. It's a cost we will have to carry unless we want<br>this to be under infdef SMALL. But I would prefer to be always present.

However, the patch only adds WPA3 support to ifconfig in an installed<br>system. The ramdisk/bsd.rd version of ifconfig will not support WPA3 yet.<br>The ifconfig binary grows a lot (ifconfig now links to libcrypto) and could<br>cause trouble for building snapshots. I am postponing this part for now,<br>and would prefer to work this problem out in-tree.

WPA3 has a complicated history. There are two versions of WPA3.<br>The initially standardized version suffered from side-channel leaks<br>found by Mathy Vanhoef and dubbed "Dragonblood". For details, see<br>https://wpa3.mathyvanhoef.com/ A revised and fixed version has been<br>standardized and is mandatory in the 6 GHz band as of Wifi 6e (11ax) and<br>mandatory on all bands as of Wifi 7 (11be).

The password-derivation strategy used in the initial version of WPA3 is<br>known as "hunting-and-pecking". The revised version uses a "hash to element"<br>strategy instead. For details about the differences, see:<br>https://wizardfi.com/security/2024/03/29/hash-to-curve.html

I am only adding support for the revised version. Access points which<br>use the initial version of WPA3 will remain incompatible with OpenBSD.

Apart from being side-channel-free, the revised version has the advantage<br>that some computations required for the SAE handshake can be done ahead<br>of time, provided the network name and password are known. Which is the<br>case in our version of ifconfig, just like it was with WPA2.

The initial WPA3 version required knowledge of the peer's MAC address before<br>anything could be computed. This pushes all the work to the point in time<br>when a connection attempt is made. For us, this is inside the kernel.

Since we handle the WPA handshake in the kernel, being able to pre-compute<br>values in ifconfig is a huge simplification for us. It avoids adding a lot<br>more crypto code to the kernel, and keeps the kernel code's complexity low.

The kernel-side crypto used in this implementation is based on stripped<br>down code lifted from BearSSL. Several alternatives were evaluated with<br>help from Theo Buehler (tb@) and we ended up settling on this approach.

ifconfig uses code that calls into libcrypto, and most of this was modeled<br>on code found in the well-known w1.fi hostapd/wpa_supplicant implementation.

I don't expect that requiring "hash-to-element" will be a huge problem<br>because we are now late enough in the history of WPA3. Supporting the<br>initial version would have downsides for us. The "hunting-and-pecking"<br>approach is known to be vulnerable. The workarounds for this problem are<br>costly and we would have to carry these workarounds in the kernel as an<br>entirely separate implementation of the SAE handshake. Adding such<br>complexity only to support known-broken devices is not worth it to me.<br>Broken access points should either be patched (reasaonable vendors should<br>be providing software upgrades) or be run in WPA3/WPA2 mixed mode, such<br>that we can connect with WPA2.

Diff follows:

M sbin/ifconfig/Makefile | 3+ 3-<br>A sbin/ifconfig/const_time.h | 113+ 0-<br>M sbin/ifconfig/ifconfig.8 | 30+ 10-<br>M sbin/ifconfig/ifconfig.c | 59+ 9-<br>M sbin/ifconfig/ifconfig.h | 3+ 0-<br>A sbin/ifconfig/sae.c | 727+ 0-<br>M sys/conf/files | 3+ 0-<br>A sys/crypto/ec_p256_m31.c | 1541+ 0-<br>A sys/crypto/ec_p256_m31.h | 301+ 0-<br>A...

wpa3 ifconfig version support kernel sbin

Related Articles