wpa_supplicant: enable WPA3 (SAE), PMF, and OWE #17786

Open: sindhu-karri wants to merge 1 commit into 3.0-dev from sindhu/wpa-supplicant-sae
@sindhu-karri sindhu-karri commented Jun 23, 2026

Summary

Enables WPA3-Personal (SAE), Protected Management Frames (PMF / IEEE 802.11w), and Opportunistic Wireless Encryption (OWE) in the wpa_supplicant build config. Removes the obsolete CONFIG_PEERKEY symbol (removed from upstream in 2.10).

Motivation

  • ADO #62728349 — netplan generates Wi-Fi configurations with key-mgmt=sae per the modern WPA3 standard, but the current Azure Linux wpa_supplicant package rejects them because SAE is not compiled in. Users have to hand-edit generated configs to downgrade to WPA2.
  • Aligns Azure Linux with Fedora, Debian, and Ubuntu defaults (all enable SAE/PMF/OWE since ~2018–2019).

Changes

  • CONFIG_SAE=y — WPA3-Personal (SAE / Dragonfly handshake).
  • CONFIG_IEEE80211W=y — Protected Management Frames (prerequisite for WPA3; also independently mitigates deauth/disassoc spoofing on WPA2).
  • CONFIG_OWE=y — Opportunistic Wireless Encryption for open networks (RFC 8110).
  • Remove CONFIG_PEERKEY=y — symbol no longer exists in upstream wpa_supplicant 2.10.
  • Release: 3 -> 4, changelog entry.

Compatibility / Safety

  • Strictly additive for existing WPA2/EAP/802.1X configs — new code paths only activate when the AP advertises WPA3/PMF/OWE.
  • No new BuildRequires / Requires — all new features use the already-linked OpenSSL + libnl3.
  • Source0 and signatures.json unchanged.
  • Existing CVE patches (CVE-2023-52160, CVE-2025-24912) untouched.
  • CONFIG_PEERKEY removal is a no-op (upstream already deleted the symbol).
  • Dragonblood-class SAE CVEs (CVE-2019-9494/95/96, CVE-2019-13377) were fixed in wpa_supplicant 2.9; we ship 2.10.

Validation

  • Buddy build 1144931 (amd64 + arm64, both check stages enabled) — ✅ succeeded.

Linked issue

ADO #62728349

Enable CONFIG_SAE, CONFIG_IEEE80211W, and CONFIG_OWE so that wpa_supplicant can negotiate WPA3-Personal, Protected Management Frames, and Opportunistic Wireless Encryption. This unblocks netplan-generated configurations that specify key-mgmt=sae and aligns Azure Linux with Fedora/Debian/Ubuntu defaults.

Remove the obsolete CONFIG_PEERKEY symbol, which was removed from upstream wpa_supplicant in 2.10.

No new BuildRequires or Requires; all new features use the already-linked OpenSSL. Source0 unchanged, signatures.json untouched.

ADO #62728349

@sindhu-karri sindhu-karri requested a review from a team as a code owner June 23, 2026 08:03
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 23, 2026
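
An added example, not code from this pull request or from the Azure Linux project: a small audit that reports which `network={}` blocks in a wpa_supplicant runtime config need a build symbol that is not compiled in (the rejection described under Motivation), and which SAE-only blocks do not require PMF. The token-to-symbol mapping, the build-config strings and the network names are constructed for illustration.

```python
import re

# Assumed mapping from key_mgmt tokens to the build symbols this PR enables.
KEY_MGMT_NEEDS = {"SAE": "CONFIG_SAE", "OWE": "CONFIG_OWE"}

# Constructed build configs (before/after the PR) and a constructed runtime config.
OLD_BUILD = "CONFIG_DRIVER_NL80211=y\nCONFIG_PEERKEY=y\n"
NEW_BUILD = "CONFIG_DRIVER_NL80211=y\nCONFIG_SAE=y\nCONFIG_IEEE80211W=y\nCONFIG_OWE=y\n"
SAMPLE_CONF = """\
network={
    ssid="corp-wpa3"
    key_mgmt=SAE
    ieee80211w=2
}
network={
    ssid="guest-owe"
    key_mgmt=OWE
}
network={
    ssid="home"
    key_mgmt=SAE
}
"""

def enabled_symbols(build_config):
    """Return the CONFIG_* symbols set to 'y'; commented-out lines do not match."""
    return set(re.findall(r"^\s*(CONFIG_\w+)\s*=\s*y\s*$", build_config, re.M))

def network_blocks(conf):
    """Yield each network={...} block as a dict of option -> raw value."""
    for body in re.findall(r"^\s*network\s*=\s*\{(.*?)^\s*\}", conf, re.S | re.M):
        pairs = (line.split("=", 1) for line in body.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
        yield {k.strip(): v.strip() for k, v in pairs}

def audit(build_config, conf):
    """Return (ssid, problem) pairs for blocks the build rejects or leaves without PMF."""
    syms = enabled_symbols(build_config)
    glob = re.search(r"^\s*pmf\s*=\s*(\d)", conf, re.M)  # global PMF default, if set
    findings = []
    for block in network_blocks(conf):
        ssid = block.get("ssid", "<unnamed>").strip('"')
        tokens = block.get("key_mgmt", "").split()
        findings += [(ssid, f"key_mgmt={t} requires {KEY_MGMT_NEEDS[t]}=y") for t in tokens
                     if t in KEY_MGMT_NEEDS and KEY_MGMT_NEEDS[t] not in syms]
        if tokens == ["SAE"] and block.get("ieee80211w", glob.group(1) if glob else "0") != "2":
            findings.append((ssid, "SAE-only block without ieee80211w=2"))
    return findings
```

Running `audit(OLD_BUILD, SAMPLE_CONF)` reports every SAE and OWE block as unsupported, while `audit(NEW_BUILD, SAMPLE_CONF)` leaves only the PMF finding for the block that omits `ieee80211w=2`.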