I think the way it used to work is that the full variant baked in the required SSL functions, and therefore had no external library required, but had the biggest size.
Looking now, it looks as though FULL is the parent variant, and then you select either OPENSSL or WOLFSSL as the child variants. Either of those will enable things like SAE and OWE (many reports of better success on openssl rather than wolfssl).
This is just my guess based on the makefile, which is a little hard to read given how many variants there are.
Earlier it was a dependency hell and plain wpad could require either openssl, mdedtls or wolfssl, depending on the compile time options used. That was clarified by declaring the SSL dependency already in the package name. Thus there is now wpad-openssl etc.
Functional wise it is also wpad, wpad-basic (without eap/radius), wpad-mini (without 80211r and w, thus no wpa3, without eap radius).
I suppose i misspoke, and should have said "crypto" rather than "ssl".
From hostap git:
* This file defines the cryptographic functions that need to be implemented
* for wpa_supplicant and hostapd. When TLS is not used, internal
* implementation of MD5, SHA1, and AES is used and no external libraries are
* required. When TLS is enabled (e.g., by enabling EAP-TLS or EAP-PEAP), the
* crypto library used by the TLS implementation is expected to be used for
* non-TLS needs, too, in order to save space by not implementing these
* functions twice.
Which is what i was referring to before. So if you don't include an SSL library, it reverts back to its own internal crypto functions (e.g. for hashing) and these all get linked in and make the resulting binary bigger. If you select an SSL library, these libraries provide the necessary crypto functions, and you get a smaller binary.
Looping back to the original question, as suggested, you need an SSL library to get WPA3 functionality. Additionally, the above explanation is why the binary is bigger when no SSL library is included (which may seem counter intuitive at first).
I have reported the WPA3 bug in iOS and iPadOS to Apple, and I think it would be a good idea if other people who have experienced the bug would report it as well. You can report iPhone bugs here, and iPad bugs here.
WPA3 in iOS is working for me on 2.4ghz if I manually add the network and choose WPA3, with no need for auth_cache. I can’t get it working on 5ghz, with or without manually adding the network or changing auth_cache. This is on an Archer C7v2
Got mixed results here using Fritzbox 4040 (ath10k) and wpad-openssl on both stable and snapshot. macOS doesn't want to connect in wpa3 or wpa2/wpa3 mode it says password wrong or some vague message about not being able to connect. Manually adding a connection shows it only seems to support wpa3 enterprise (see image). On iOS/iPadOS connections went ok in mixed mode but I think they fell back on wpa2.
Don't really know where to check in iOS or OpenWrt what the active encryption is. In wpa3 only mode iOS said the password was wrong. Windows10 also said the password was wrong in wpa3 only mode and in mixed mode it said it couldn't connect.
Same results on both 2.4 and 5ghz bands.
Not sure if trying wpad-wolfssl will yield any different results but I can try if anyone here thinks its useful. Any logs or info I can share or other things to test or try are welcomed. I'll also report this to Apple if this is due to them. Running iOS/iPadOS 13.3.1 and Catalina 10.15.3.
Some news here. With the release of iOS 13.4.1 and macOS 10.15.4 I decided to give WPA3 another go. Only my iPad can connect, which is kind of odd because iOS and iPadOS are pretty much the same. My MacBook was also unable to connect. Just like last time only the iPad can connect to it (running WPA3 mode only).
I also wanted to add that after removing wpad and installing wpad-OpenSSL and setting up a mixed and/or wpa3 only network on 19.07.2, my iPhone SE (iOS 13.3.1) would not connect, the error was “wrong password” too.
*I also found it strange that when trying to manually add a wireless network on the iPhone that wpa3 personal was not an option, only “enterprise” was listed. Apple’s claims of supporting wpa3 only seem to be for enterprise use for now ..
Apple seems to have made a partially wrong claim when they are talking about WPA3 compatibility. From my experience, WPA3 personal works from the iPhone 7 onwards, while the 6s does not connect.
On the MacBook side of things, a MacBook Pro from early 2016 was also not able to connect when 802.11w (required per spec) was enabled. This is kind of interesting, as for WiFi certification 802.11w is mandatory.
Is there a list somewhere of what devices should be able to support WPA3? Or could such a category be added on the wiki?
I have ea6350 but I'm experiencing unstability and inability of some devices to connect, this may be related to vlans (I'm still checking that) but knowing whether the device should be able to handle it would be cool.
I have a Surface device with one of those terrible Marvell AVASTAR radios, and it absolutely refuses to connect to an AP operating in WPA2-PSK/WPA3-SAE mixed mode. Even a random Realtek USB card had no issues connecting to the exact same AP (obviously it's WPA2 but at least it works). iOS 13.5 seems to work just fine with WPA2/WPA3 mixed mode though, which is good news at least. Older (802.11n) Intel cards didn't have any issues connecting to the same AP with WPA2 either.