author: Jouni Malinen <j@w1.fi> 2017-10-16 15:37:43 (GMT)
committer: Jouni Malinen <j@w1.fi> 2017-10-16 21:06:26 (GMT)
commit: 6f234c1e2ee1ede29f2412b7012b3345ed8e52d3 (patch)
tree: 2563bc2cba9c5c2a951705697f38c29ba2dcd141 /hostapd/config_file.c
parent: 3bcc52473328c88677b7c07e0bdd8e685c262c12 (diff)
Optional AP side workaround for key reinstallation attacks
This adds a new hostapd configuration parameter wpa_disable_eapol_key_retries=1 that can be used to disable retransmission of EAPOL-Key frames that are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This is similar to setting wpa_group_update_count=1 and wpa_pairwise_update_count=1, but with no impact on message 1/4 retries and with an extended timeout for messages 4/4 and group message 2/2 to avoid causing issues with stations that may use aggressive power saving and take a very long time to reply to the EAPOL-Key messages.

This option can be used to work around key reinstallation attacks on the station (supplicant) side in cases where those station devices cannot be updated for some reason. By removing the retransmissions, the attacker cannot cause key reinstallation with a delayed frame transmission. This is related to the station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081.

This workaround might cause interoperability issues and reduced robustness of key negotiation, especially in environments with heavy traffic load, because the number of attempts to perform the key exchange is reduced significantly. As such, this workaround is disabled by default (unless overridden in the build configuration). To enable this, set the parameter to 1. It is also possible to enable this in the build by default by adding the following to the build configuration:

CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1

Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd/config_file.c')
1 files changed, 2 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index d6b1a65..e2a470c 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2570,6 +2570,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1;
bss->wpa_pairwise_update_count = (u32) val;
+ } else if (os_strcmp(buf, "wpa_disable_eapol_key_retries") == 0) {
+ bss->wpa_disable_eapol_key_retries = atoi(pos);
} else if (os_strcmp(buf, "wpa_passphrase") == 0) {
int len = os_strlen(pos);
if (len < 8 || len > 63) {
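Review bot: the new branch assigns `atoi(pos)` straight into `bss->wpa_disable_eapol_key_retries` with no range check, whereas the preceding parameter in the visible context (`wpa_pairwise_update_count`) is validated before the `bss->wpa_pairwise_update_count = (u32) val;` store and rejects bad input with `return 1;`. As written, a typo such as `wpa_disable_eapol_key_retries=yes` silently parses to 0 (workaround stays off, which is the opposite of the operator's intent), and values like 2 or -1 are accepted without comment even though the commit message documents only 0 and 1. Suggest parsing into `val`, rejecting anything other than 0 or 1 with the same `return 1;` pattern, or at minimum logging a warning on an out-of-range value so a misconfiguration is visible in the hostapd log. Also note that the `wpa_disable_eapol_key_retries` field of `struct hostapd_bss_config` and the `DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES` build default referenced in the message are not part of this file's diff (the diffstat is limited to hostapd/config_file.c), so reviewers should confirm those changes land in the same commit.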