authorStijn Tintel <stijn@linux-ipv6.be>2017-10-17 16:35:03 +0300
committerStijn Tintel <stijn@linux-ipv6.be>2017-10-17 17:59:45 +0300
commitd501786ff25684208d22b7c93ce60c194327c771 (patch)
treea4ff57c3886279693d22393486e5eacd06ca31f6
parentb6c3931ad6554357a108127797c8d7097a93f18f (diff)
hostapd: add wpa_disable_eapol_key_retries option
Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side workaround for key reinstallation attacks. This option can be used to mitigate KRACK on the station side, in case those stations cannot be updated. Since many devices out there will not receive an update anytime soon (if at all), it makes sense to include this workaround. Unfortunately this can cause interoperability issues and reduced robustness of key negotiation, so disable the workaround by default, and add an option to allow the user to enable it if deemed necessary. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)
-rw-r--r--package/network/services/hostapd/Makefile2
-rw-r--r--package/network/services/hostapd/files/hostapd.sh5
2 files changed, 6 insertions, 1 deletions
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index 0e729a83e8..3337f46208 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -7,7 +7,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
-PKG_RELEASE:=5
+PKG_RELEASE:=6
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 5340b568e0..68f84c5e8b 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -139,6 +139,7 @@ hostapd_common_add_bss_config() {
config_add_int \
wep_rekey eap_reauth_period \
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
+ config_add_boolean wpa_disable_eapol_key_retries
config_add_boolean rsn_preauth auth_cache
config_add_int ieee80211w
@@ -203,6 +204,7 @@ hostapd_set_bss_options() {
json_get_vars \
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
+ wpa_disable_eapol_key_retries \
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
@@ -218,6 +220,7 @@ hostapd_set_bss_options() {
set_default hidden 0
set_default wmm 1
set_default uapsd 1
+ set_default wpa_disable_eapol_key_retries 0
set_default eapol_version 0
set_default acct_port 1813
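Review bot: The new `set_default wpa_disable_eapol_key_retries 0` line has no comment, so someone reading hostapd.sh cannot tell that 0 leaves the AP-side KRACK workaround switched off, or why. The trade-off is explained only in the commit message. I would add a comment above the line, for example `# AP-side KRACK workaround for stations that cannot be patched; off by default because it can reduce handshake robustness and interoperability`. The body of hostapd_set_bss_options starts and ends outside this hunk.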
@@ -399,6 +402,8 @@ hostapd_set_bss_options() {
done
fi
+ append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
hostapd_append_wpa_key_mgmt
[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
fi
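Review bot: The added `append bss_conf "wpa_disable_eapol_key_retries=..."` line is written for every BSS that reaches this branch, even when the value is the default 0, and it copies the variable's text into the generated config as-is. A hostapd binary that does not know the option would presumably reject the whole config file, and the value is only as well-formed as whatever json_get_vars returned. Emitting the line only when the option is enabled, with a fixed value, avoids both: `[ "$wpa_disable_eapol_key_retries" -gt 0 ] && append bss_conf "wpa_disable_eapol_key_retries=1" "$N"`. The enclosing `if` and the function itself begin outside the hunk, so the exact condition guarding this line is not visible here.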