hostapd: add wpa_disable_eapol_key_retries option
Commit 2127425434
introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
parent
2127425434
commit
c5f97c9372
1 changed files with 5 additions and 0 deletions
|
@ -149,6 +149,7 @@ hostapd_common_add_bss_config() {
|
||||||
config_add_int \
|
config_add_int \
|
||||||
wep_rekey eap_reauth_period \
|
wep_rekey eap_reauth_period \
|
||||||
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
|
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
|
||||||
|
config_add_boolean wpa_disable_eapol_key_retries
|
||||||
|
|
||||||
config_add_boolean rsn_preauth auth_cache
|
config_add_boolean rsn_preauth auth_cache
|
||||||
config_add_int ieee80211w
|
config_add_int ieee80211w
|
||||||
|
@ -214,6 +215,7 @@ hostapd_set_bss_options() {
|
||||||
|
|
||||||
json_get_vars \
|
json_get_vars \
|
||||||
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
|
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
|
||||||
|
wpa_disable_eapol_key_retries \
|
||||||
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
|
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
|
||||||
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
|
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
|
||||||
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
|
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
|
||||||
|
@ -229,6 +231,7 @@ hostapd_set_bss_options() {
|
||||||
set_default hidden 0
|
set_default hidden 0
|
||||||
set_default wmm 1
|
set_default wmm 1
|
||||||
set_default uapsd 1
|
set_default uapsd 1
|
||||||
|
set_default wpa_disable_eapol_key_retries 0
|
||||||
set_default eapol_version 0
|
set_default eapol_version 0
|
||||||
set_default acct_port 1813
|
set_default acct_port 1813
|
||||||
|
|
||||||
|
@ -416,6 +419,8 @@ hostapd_set_bss_options() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
|
||||||
|
|
||||||
hostapd_append_wpa_key_mgmt
|
hostapd_append_wpa_key_mgmt
|
||||||
[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
|
[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
|
||||||
fi
|
fi
|
||||||
|
|
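Review bot: The `append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"` line in the last hunk is emitted unconditionally within its enclosing block, so it is written even for the default 0. If the installed hostapd lacks the patch from 2127425434, it would presumably reject the generated file for an unknown option and the AP would fail to start. Emitting the line only when the workaround is enabled leaves the default configuration unchanged: `[ "$wpa_disable_eapol_key_retries" -gt 0 ] && append bss_conf "wpa_disable_eapol_key_retries=1" "$N"`. A one-line comment beside `set_default wpa_disable_eapol_key_retries 0` should also record why it defaults to off: the workaround protects unpatched stations against KRACK at the cost of key-negotiation robustness and interoperability. The body of hostapd_set_bss_options extends beyond the hunks shown.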