[LEDE-DEV] [PATCH 0/3] hostapd: Address some limitations of wpa_disable_eapol_key_retries

Timo Sigurdsson public_timo.s at silentcreek.de
Tue Oct 24 15:58:13 PDT 2017


in a discussion on the hostap mailing list about the limitations of the
new hostapd parameter wpa_disable_eapol_key_retries as an AP side
workaround for the Key Reinstallation Attacks (KRACK), two corner cases
were mentioned along with suggestions how to address them [1][2].

The changes are fairly simple and may help users to further narrow the
attack surface from the AP side (in case there are clients that are
still vulnerable).

The first allows to prohibit the use of TDLS on the network via an
already existing hostapd parameter that just needs to be made
configurable via UCI.

The second is an upstream patch to ensure WNM Sleep Mode requests are
ignored unless WNM Sleep Mode is enabled (which it isn't by default).

I'm planning to post patches backporting these changes to the v17.01
branch as well.



[1] http://lists.infradead.org/pipermail/hostap/2017-October/038005.html
[2] http://lists.infradead.org/pipermail/hostap/2017-October/038007.html

Timo Sigurdsson (3):
  hostapd: Expose the tdls_prohibit option to UCI
  hostapd: Backport Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0
  hostapd: bump PKG_RELEASE

 package/network/services/hostapd/Makefile          |  2 +-
 package/network/services/hostapd/files/hostapd.sh  |  7 ++++-
 ...WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch | 35 ++++++++++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 package/network/services/hostapd/patches/013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch


More information about the Lede-dev mailing list