hostapd: enable compilation of OCV and add build feature discovery
authorMichael Yartys <michael.yartys@protonmail.com>
Sun, 13 Feb 2022 14:09:56 +0000 (15:09 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 3 Jul 2022 18:25:38 +0000 (20:25 +0200)
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
    connect even if the STA doesn't send OCI or negotiate PMF.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
package/network/services/hostapd/files/hostapd-basic.config
package/network/services/hostapd/files/hostapd-full.config
package/network/services/hostapd/files/hostapd.sh
package/network/services/hostapd/src/src/utils/build_features.h

index 1f52546d5779089b024d4b60df422986be1dcb19..3d19d8f902f08afc4de6a7d3e8d4708c5d092283 100644 (file)
@@ -54,7 +54,7 @@ CONFIG_RSN_PREAUTH=y
 #CONFIG_IEEE80211W=y
 
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 
 # Integrated EAP server
 #CONFIG_EAP=y
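Review bot: `CONFIG_OCV=y` is switched on directly below a still-commented `#CONFIG_IEEE80211W=y`, and the commit message ties OCV to the STA negotiating PMF, so the config should say how PMF support gets into this build. If the bundled hostapd compiles PMF unconditionally, a one-line comment such as `# PMF (802.11w) is always built in; CONFIG_IEEE80211W is no longer needed` would remove the doubt. If it does not, OCV would be compiled in without the feature it relies on. The same applies to the identical hunk for the -full config.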
index 4e942a60b2b9a957f9532427c64bbf59f74c4f51..b92f9a25b865f09547984d26d8b4a4b2a59a9ae1 100644 (file)
@@ -54,7 +54,7 @@ CONFIG_RSN_PREAUTH=y
 #CONFIG_IEEE80211W=y
 
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 
 # Integrated EAP server
 CONFIG_EAP=y
index 760b3ff7921e4c6f297928811bd392aa15300826..831c562b4708a699408d0da69a35f735c1673fa4 100644 (file)
@@ -372,6 +372,8 @@ hostapd_common_add_bss_config() {
 
        config_add_boolean fils
        config_add_string fils_dhcp
+
+       config_add_int ocv
 }
 
 hostapd_set_vlan_file() {
@@ -544,7 +546,7 @@ hostapd_set_bss_options() {
                airtime_bss_weight airtime_bss_limit airtime_sta_weight \
                multicast_to_unicast proxy_arp per_sta_vif \
                eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
-               vendor_elements fils
+               vendor_elements fils ocv
 
        set_default fils 0
        set_default isolate 0
@@ -617,6 +619,8 @@ hostapd_set_bss_options() {
                json_for_each_item append_radius_acct_req_attr radius_acct_req_attr
        }
 
+       [ -n "$ocv" ] && append bss_conf "ocv=$ocv" "$N"
+
        case "$auth_type" in
                sae|owe|eap192|eap-eap192)
                        set_default ieee80211w 2
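Review bot: The added `[ -n "$ocv" ] && append bss_conf "ocv=$ocv" "$N"` passes any integer through to hostapd and ignores the PMF setting, although the commit message documents only 0, 1 and 2 and describes OCV as relying on PMF negotiation. In the visible `case "$auth_type"` block `ieee80211w` gets a default only for sae|owe|eap192|eap-eap192, so on other auth types `ocv=1` may land in a BSS config with PMF off unless code outside the hunk handles it. I would restrict the value, e.g. `case "$ocv" in 0|1|2) append bss_conf "ocv=$ocv" "$N";; esac`, and either default `ieee80211w` to at least 1 when `ocv` is non-zero or log a warning. hostapd_set_bss_options starts and ends outside this hunk, so the later ieee80211w handling is not visible here.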
index cb7cb7273168d8124cfbf164beb84c704b32634a..642a35836e4e547b6b8b1b9e943d69832a63aa12 100644 (file)
@@ -54,6 +54,10 @@ static inline int has_feature(const char *feat)
 #ifdef CONFIG_FILS
        if (!strcmp(feat, "fils"))
                return 1;
+#endif
+#ifdef CONFIG_OCV
+       if (!strcmp(feat, "ocv"))
+               return 1;
 #endif
        return 0;
 }
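Review bot: The new `ocv` branch in `has_feature` reports only that CONFIG_OCV was compiled in, and nothing in the function documents that limit. A front end that shows an OCV option based on this result could offer it on hardware whose driver cannot perform the validation; that presumes driver support matters for OCV, which is not visible here. A short comment next to the new branch, such as `/* build-time capability only; does not imply driver support */`, would make the scope explicit. The body of has_feature begins outside the hunk.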