hostapd: SAE - Enable hunting-and-pecking and H2E

Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 157a7ad3e0b860cf6381346d95974addd3c84b74..f7c21a151339b0cac781b7988ff736d503e83b0b 100644 (file)
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -620,10 +620,12 @@ hostapd_set_bss_options() {
                sae|owe|eap192|eap-eap192)
                        set_default ieee80211w 2
                        set_default sae_require_mfp 1
+                       set_default sae_pwe 2
                ;;
                psk-sae)
                        set_default ieee80211w 1
                        set_default sae_require_mfp 1
+                       set_default sae_pwe 2
                ;;
        esac
        [ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"