[source] hostapd: Expose the tdls_prohibit option to UCI

LEDE Commits lede-commits at lists.infradead.org
Wed Dec 6 16:32:00 PST 2017


stintel pushed a commit to source.git, branch master:
https://git.lede-project.org/6515887ed9b3f312635409702113dca7c14043e5

commit 6515887ed9b3f312635409702113dca7c14043e5
Author: Timo Sigurdsson <public_timo.s at silentcreek.de>
AuthorDate: Tue Nov 14 21:41:29 2017 +0100

    hostapd: Expose the tdls_prohibit option to UCI
    
    wpa_disable_eapol_key_retries can't prevent attacks against the
    Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
    that the existing hostapd option tdls_prohibit can be used to further
    complicate this possibility at the AP side. tdls_prohibit=1 makes
    hostapd advertise that use of TDLS is not allowed in the BSS.
    
    Note: If an attacker manages to lure both TDLS peers into a fake
    AP, hiding the tdls_prohibit advertisement from them, it might be
    possible to bypass this protection.
    
    Make this option configurable via UCI, but disabled by default.
    
    Signed-off-by: Timo Sigurdsson <public_timo.s at silentcreek.de>
---
 package/network/services/hostapd/files/hostapd.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index d3a8ad1..4970874 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -151,6 +151,8 @@ hostapd_common_add_bss_config() {
 		wpa_group_rekey wpa_pair_rekey wpa_master_rekey
 	config_add_boolean wpa_disable_eapol_key_retries
 
+	config_add_boolean tdls_prohibit
+
 	config_add_boolean rsn_preauth auth_cache
 	config_add_int ieee80211w
 	config_add_int eapol_version
@@ -215,7 +217,7 @@ hostapd_set_bss_options() {
 
 	json_get_vars \
 		wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
-		wpa_disable_eapol_key_retries \
+		wpa_disable_eapol_key_retries tdls_prohibit \
 		maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
 		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
 		wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
@@ -232,6 +234,7 @@ hostapd_set_bss_options() {
 	set_default wmm 1
 	set_default uapsd 1
 	set_default wpa_disable_eapol_key_retries 0
+	set_default tdls_prohibit 0
 	set_default eapol_version 0
 	set_default acct_port 1813
 
@@ -252,6 +255,8 @@ hostapd_set_bss_options() {
 	append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
 	append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
 
+	[ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
+
 	[ "$wpa" -gt 0 ] && {
 		[ -n "$wpa_group_rekey"  ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
 		[ -n "$wpa_pair_rekey"   ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"



More information about the lede-commits mailing list