AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround

Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new hostapd configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with disconnection. This requires the station to reassociate to get connected again and as such, can result in connectivity issues as well.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
parent 35da7c20ac
commit 1a7963e36f
8 changed files with 83 additions and 2 deletions
@ -445,4 +445,10 @@ enum key_flag {
KEY_FLAG_MODIFY,
};
enum ptk0_rekey_handling {
PTK0_REKEY_ALLOW_ALWAYS,
PTK0_REKEY_ALLOW_LOCAL_OK,
PTK0_REKEY_ALLOW_NEVER
};
#endif /* DEFS_H */
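Review bot: The three enumerators of ptk0_rekey_handling are added without any comment, and PTK0_REKEY_ALLOW_LOCAL_OK in particular does not say what "local OK" is judged against. Please add a short comment per value stating when a PTK0 rekey is permitted and when it is replaced by a disconnection, since the commit message only describes the deny case. If the "wpa_deny_ptk0_rekey" option is stored as a number that maps onto this enum, also give the values explicit assignments (for example PTK0_REKEY_ALLOW_ALWAYS = 0) so that a later reordering cannot silently change what an existing configuration means. As written, the first enumerator is PTK0_REKEY_ALLOW_ALWAYS, so a zero-initialized configuration keeps PTK0 rekeying enabled; a comment confirming that this default is intended would help anyone auditing the workaround.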