authorMathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>2018-08-06 19:46:25 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-16 18:31:21 (GMT)
commit9c55fdb02397ff03797067314a2fb8814ac36fa7 (patch)
tree1b9c88853d911950ec27de67c020a8a4ee466781
parent138205d6007b8b55b12bf96e8793ebd4c25462db (diff)
OCV: Add hostapd config parameter
Add hostapd.conf parameter ocv to disable or enable Operating Channel Verification (OCV) support. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-rw-r--r--hostapd/config_file.c6
-rw-r--r--hostapd/hostapd.conf7
-rw-r--r--src/ap/ap_config.c9
-rw-r--r--src/ap/ap_config.h3
4 files changed, 25 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index fd2f4e9..5b577fe 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3316,6 +3316,12 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1;
}
#endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+ } else if (os_strcmp(buf, "ocv") == 0) {
+ bss->ocv = atoi(pos);
+ if (bss->ocv && !bss->ieee80211w)
+ bss->ieee80211w = 1;
+#endif /* CONFIG_OCV */
#ifdef CONFIG_IEEE80211N
} else if (os_strcmp(buf, "ieee80211n") == 0) {
conf->ieee80211n = atoi(pos);
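Review bot: `bss->ocv = atoi(pos);` accepts any text, so a mistyped non-numeric value parses as 0 and leaves this countermeasure off with no diagnostic, while any other non-zero number, including a negative one, turns it on. Because the option exists to harden the AP, the branch should accept only 0 and 1 and fail the parse the way the `return 1;` just above the hunk does. The sketch below assumes the function's `line` argument is in scope for the error message, which the hunk does not show. hostapd_config_fill starts and ends outside the hunk.

```c
	} else if (os_strcmp(buf, "ocv") == 0) {
		char *end;
		long val = strtol(pos, &end, 10);

		/* Reject empty, non-numeric and out-of-range values instead of
		 * silently treating them as "disabled". */
		if (end == pos || *end != '\0' || (val != 0 && val != 1)) {
			wpa_printf(MSG_ERROR, "Line %d: invalid ocv value '%s'",
				   line, pos);
			return 1;
		}
		bss->ocv = val;
		/* … unchanged: enable ieee80211w when ocv is set and PMF is off … */
```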
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index a005217..80da18c 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1418,6 +1418,13 @@ own_ip_addr=127.0.0.1
# dot11AssociationSAQueryRetryTimeout, 1...4294967295
#assoc_sa_query_retry_timeout=201
+# ocv: Operating Channel Validation
+# This is a countermeasure against multi-channel man-in-the-middle attacks.
+# Enabling this automatically also enables ieee80211w, if not yet enabled.
+# 0 = disabled (default)
+# 1 = enabled
+#ocv=1
+
# disable_pmksa_caching: Disable PMKSA caching
# This parameter can be used to disable caching of PMKSA created through EAP
# authentication. RSN preauthentication may still end up using PMKSA caching if
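Review bot: The added comment says enabling ocv "also enables ieee80211w" but not at which level. The parser change in hostapd/config_file.c sets `ieee80211w = 1`, which as far as I know is the optional PMF level, so stations that do not negotiate PMF would presumably still associate without OCV protection. I would state that here, e.g. `# If ieee80211w is unset, ocv=1 sets it to 1 (optional); use ieee80211w=2 to require PMF from all stations.` The commit message also says "Verification" where this text and the struct comment say "Validation"; one name should be used throughout.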
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index d2482c8..5635a52 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -1009,6 +1009,15 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
}
#endif /* CONFIG_MBO */
+#ifdef CONFIG_OCV
+ if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
+ bss->ocv) {
+ wpa_printf(MSG_ERROR,
+ "OCV: PMF needs to be enabled whenever using OCV");
+ return -1;
+ }
+#endif /* CONFIG_OCV */
+
return 0;
}
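Review bot: Nothing explains why this check is needed when the parser in hostapd/config_file.c already turns PMF on for `ocv=1`. A short comment above the `if` would help, e.g. `/* ocv=1 enables PMF at parse time, but a later ieee80211w=0 line can clear it again; reject that here */`. The error text could also name the settings an operator has to change, such as `"OCV: ocv=1 requires ieee80211w=1 or 2"`. The check is skipped when `full_config` is false, which I assume matches the neighbouring checks in this function. hostapd_config_check_bss begins outside the hunk.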
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 555c371..c8280c1 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -335,6 +335,9 @@ struct hostapd_bss_config {
/* dot11AssociationSAQueryRetryTimeout (in TUs) */
int assoc_sa_query_retry_timeout;
#endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+ int ocv; /* Operating Channel Validation */
+#endif /* CONFIG_OCV */
enum {
PSK_RADIUS_IGNORED = 0,
PSK_RADIUS_ACCEPTED = 1,