[openwrt/openwrt] hostapd: SAE - Enable hunting-and-pecking and H2E

LEDE Commits lede-commits at lists.infradead.org
Thu Feb 24 09:04:10 PST 2022 

aparcar pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/e8d048c5e0ad0807a0362fe31c68c8f5eb228bff

commit e8d048c5e0ad0807a0362fe31c68c8f5eb228bff
Author: Nick Lowe <nick.lowe at gmail.com>
AuthorDate: Mon Feb 21 17:51:48 2022 +0000

    hostapd: SAE - Enable hunting-and-pecking and H2E
    
    Enable both the hunting-and-pecking loop and hash-to-element mechanisms
    by default in OpenWRT with SAE.
    
    Commercial Wi-Fi solutions increasingly frequently now ship with both
    hunting-and-pecking and hash-to-element (H2E) enabled by default as this
    is more secure and more performant than offering hunting-and-pecking
    alone for H2E capable clients.
    
    The hunting and pecking loop mechanism is inherently fragile and prone to
    timing-based side channels in its design and is more computationally
    intensive to perform. Hash-to-element (H2E) is its long-term
    replacement to address these concerns.
    
    For clients that only support the hunting-and-pecking loop mechanism,
    this is still available to use by default.
    
    For clients that in addition support, or were to require, the
    hash-to-element (H2E) mechanism, this is then available for use.
    
    Signed-off-by: Nick Lowe <nick.lowe at gmail.com>
---
 package/network/services/hostapd/files/hostapd.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 157a7ad3e0..f7c21a1513 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -620,10 +620,12 @@ hostapd_set_bss_options() {
 		sae|owe|eap192|eap-eap192)
 			set_default ieee80211w 2
 			set_default sae_require_mfp 1
+			set_default sae_pwe 2
 		;;
 		psk-sae)
 			set_default ieee80211w 1
 			set_default sae_require_mfp 1
+			set_default sae_pwe 2
 		;;
 	esac
 	[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"

More information about the lede-commits mailing list