[LEDE-DEV] [PATCH 3/3] hostapd/wpa_supplicant: require SHA256-based algorithms for ieee80211w=2

Stijn Tintel stijn at linux-ipv6.be
Tue Dec 27 03:57:27 PST 2016


While the standard does not require SHA256-based algorithms when PMF is
mandatory, there's not much of a point in keeping the old algorithms
enabled.

See http://lists.shmoo.com/pipermail/hostap/2014-November/031283.html

Signed-off-by: Stijn Tintel <stijn at linux-ipv6.be>
---
 package/network/services/hostapd/files/netifd.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/hostapd/files/netifd.sh b/package/network/services/hostapd/files/netifd.sh
index a6049fd..359a264 100644
--- a/package/network/services/hostapd/files/netifd.sh
+++ b/package/network/services/hostapd/files/netifd.sh
@@ -257,7 +257,7 @@ hostapd_set_bss_options() {
 
 			wps_possible=1
 			[ "$ieee80211w" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
-			append wpa_key_mgmt "WPA-PSK"
+			[ "$ieee80211w" -lt 2 ] && append wpa_key_mgmt "WPA-PSK"
 		;;
 		eap)
 			json_get_vars \
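Review bot: The new guard `[ "$ieee80211w" -lt 2 ]` evaluates as false (with a shell error) when `ieee80211w` is empty or non-numeric, so the legacy AKM that was previously appended unconditionally is now silently skipped. Because the `-gt 0` test on the line above fails the same way, `wpa_key_mgmt` can end up empty, and what hostapd then uses depends on code outside this hunk. Whether the variable is defaulted earlier in `hostapd_set_bss_options` is not visible here; if it is not, a defaulted expansion keeps the old behaviour for unset values: `[ "${ieee80211w:-0}" -lt 2 ] && append wpa_key_mgmt "WPA-PSK"`. The same applies to the added lines in the `eap` branch and in both `wpa_supplicant_add_network` hunks.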
@@ -293,7 +293,7 @@ hostapd_set_bss_options() {
 			append bss_conf "eapol_key_index_workaround=1" "$N"
 			append bss_conf "ieee8021x=1" "$N"
 			[ "$ieee80211w" -gt 1 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
-			append wpa_key_mgmt "WPA-EAP"
+			[ "$ieee80211w" -lt 2 ] && append wpa_key_mgmt "WPA-EAP"
 
 			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
 		;;
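Review bot: The SHA256 test directly above the changed line is `-gt 1`, while the PSK branch of the same function uses `-gt 0`, so after this change an EAP BSS with ieee80211w=1 advertises only WPA-EAP whereas a PSK BSS advertises both AKMs. If optional-PMF EAP networks are meant to offer the SHA256 AKM too, that line would read `[ "$ieee80211w" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256"`. If the difference is intentional, a one-line comment stating the reason would stop the two branches from being "fixed" into agreement later. The `eap)` branch begins outside this hunk.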
@@ -617,7 +617,7 @@ wpa_supplicant_add_network() {
 			local passphrase
 
 			[ "$ieee80211w" -gt 1 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
-			append wpa_key_mgmt "WPA-PSK"
+			[ "$ieee80211w" -lt 2 ] && append wpa_key_mgmt "WPA-PSK"
 			[ "$ieee80211r" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
 			key_mgmt="$wpa_key_mgmt"
 
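Review bot: On the station side this turns ieee80211w=2 into "SHA256 AKM only", which is stricter than the standard the commit message cites. A client configured this way would presumably no longer match an AP that requires PMF but advertises only plain WPA-PSK (or WPA-EAP in the next hunk). That is a reasonable hardening choice, but it is a behaviour change for existing client configurations and is not documented next to the code. Consider a comment above the added line such as `# ieee80211w=2: offer only SHA256-based AKMs; APs advertising only WPA-PSK will not be joined`, and a matching note wherever the option is documented. `wpa_supplicant_add_network` starts and continues outside this hunk.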
@@ -630,7 +630,7 @@ wpa_supplicant_add_network() {
 		;;
 		eap)
 			[ "$ieee80211w" -gt 1 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
-			append wpa_key_mgmt "WPA-EAP"
+			[ "$ieee80211w" -lt 2 ] && append wpa_key_mgmt "WPA-EAP"
 		        [ "$ieee80211r" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
 			key_mgmt="$wpa_key_mgmt"
 
-- 
2.10.2



