aboutsummaryrefslogtreecommitdiffstats
path: root/hostapd
diff options
context:
space:
mode:
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/defconfig4
-rw-r--r--hostapd/hostapd.conf24
3 files changed, 30 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index d6b1a65..e2a470c 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2570,6 +2570,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1;
}
bss->wpa_pairwise_update_count = (u32) val;
+ } else if (os_strcmp(buf, "wpa_disable_eapol_key_retries") == 0) {
+ bss->wpa_disable_eapol_key_retries = atoi(pos);
} else if (os_strcmp(buf, "wpa_passphrase") == 0) {
int len = os_strlen(pos);
if (len < 8 || len > 63) {
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 9e7c480..c67c662 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -369,3 +369,7 @@ CONFIG_IPV6=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
+
+# Override default value for the wpa_disable_eapol_key_retries configuration
+# parameter. See that parameter in hostapd.conf for more details.
+#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index c664df6..f558855 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1315,6 +1315,30 @@ own_ip_addr=127.0.0.1
# Range 1..4294967295; default: 4
#wpa_pairwise_update_count=4
+# Workaround for key reinstallation attacks
+#
+# This parameter can be used to disable retransmission of EAPOL-Key frames that
+# are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
+# is similar to setting wpa_group_update_count=1 and
+# wpa_pairwise_update_count=1, but with no impact to message 1/4 and with
+# extended timeout on the response to avoid causing issues with stations that
+# may use aggressive power saving have very long time in replying to the
+# EAPOL-Key messages.
+#
+# This option can be used to work around key reinstallation attacks on the
+# station (supplicant) side in cases those station devices cannot be updated
+# for some reason. By removing the retransmissions the attacker cannot cause
+# key reinstallation with a delayed frame transmission. This is related to the
+# station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
+# CVE-2017-13080, and CVE-2017-13081.
+#
+# This workaround might cause interoperability issues and reduced robustness of
+# key negotiation especially in environments with heavy traffic load due to the
+# number of attempts to perform the key exchange is reduced significantly. As
+# such, this workaround is disabled by default (unless overridden in build
+# configuration). To enable this, set the parameter to 1.
+#wpa_disable_eapol_key_retries=1
+
# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.