hostapd: Expose the tdls_prohibit option to UCI
authorTimo Sigurdsson <public_timo.s@silentcreek.de>
Tue, 14 Nov 2017 20:41:29 +0000 (21:41 +0100)
committerStijn Tintel <stijn@linux-ipv6.be>
Thu, 7 Dec 2017 18:42:30 +0000 (19:42 +0100)
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.

Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.

Make this option configurable via UCI, but disabled by default.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 6515887ed9b3f312635409702113dca7c14043e5)

package/network/services/hostapd/files/hostapd.sh

index 68f84c5..e3fc036 100644 (file)
@@ -141,6 +141,8 @@ hostapd_common_add_bss_config() {
                wpa_group_rekey wpa_pair_rekey wpa_master_rekey
        config_add_boolean wpa_disable_eapol_key_retries
 
+       config_add_boolean tdls_prohibit
+
        config_add_boolean rsn_preauth auth_cache
        config_add_int ieee80211w
        config_add_int eapol_version
@@ -204,7 +206,7 @@ hostapd_set_bss_options() {
 
        json_get_vars \
                wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
-               wpa_disable_eapol_key_retries \
+               wpa_disable_eapol_key_retries tdls_prohibit \
                maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
                wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
                wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
@@ -221,6 +223,7 @@ hostapd_set_bss_options() {
        set_default wmm 1
        set_default uapsd 1
        set_default wpa_disable_eapol_key_retries 0
+       set_default tdls_prohibit 0
        set_default eapol_version 0
        set_default acct_port 1813
 
@@ -241,6 +244,8 @@ hostapd_set_bss_options() {
        append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
        append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
 
+       [ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
+
        [ "$wpa" -gt 0 ] && {
                [ -n "$wpa_group_rekey"  ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
                [ -n "$wpa_pair_rekey"   ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"