diff options
| author | Timo Sigurdsson <public_timo.s@silentcreek.de> | 2017-11-14 21:41:29 +0100 |
|---|---|---|
| committer | Stijn Tintel <stijn@linux-ipv6.be> | 2017-12-07 19:42:30 +0100 |
| commit | 19ebc19f545c7f96bcf5a6437b405cb849be453c (patch) | |
| tree | cbea225bb937e54e44df48e616aa84cdd9ed0973 | |
| parent | 3590316121ac48b16e6a61d2022fd2a90d20ed57 (diff) | |
| download | mtk-20170518-19ebc19f545c7f96bcf5a6437b405cb849be453c.zip mtk-20170518-19ebc19f545c7f96bcf5a6437b405cb849be453c.tar.gz mtk-20170518-19ebc19f545c7f96bcf5a6437b405cb849be453c.tar.bz2 | |
hostapd: Expose the tdls_prohibit option to UCI
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 6515887ed9b3f312635409702113dca7c14043e5)
| -rw-r--r-- | package/network/services/hostapd/files/hostapd.sh | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index 68f84c5..e3fc036 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -141,6 +141,8 @@ hostapd_common_add_bss_config() { wpa_group_rekey wpa_pair_rekey wpa_master_rekey config_add_boolean wpa_disable_eapol_key_retries + config_add_boolean tdls_prohibit + config_add_boolean rsn_preauth auth_cache config_add_int ieee80211w config_add_int eapol_version @@ -204,7 +206,7 @@ hostapd_set_bss_options() { json_get_vars \ wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \ - wpa_disable_eapol_key_retries \ + wpa_disable_eapol_key_retries tdls_prohibit \ maxassoc max_inactivity disassoc_low_ack isolate auth_cache \ wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \ wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \ @@ -221,6 +223,7 @@ hostapd_set_bss_options() { set_default wmm 1 set_default uapsd 1 set_default wpa_disable_eapol_key_retries 0 + set_default tdls_prohibit 0 set_default eapol_version 0 set_default acct_port 1813 @@ -241,6 +244,8 @@ hostapd_set_bss_options() { append bss_conf "ignore_broadcast_ssid=$hidden" "$N" append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N" + [ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N" + [ "$wpa" -gt 0 ] && { [ -n "$wpa_group_rekey" ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N" [ -n "$wpa_pair_rekey" ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey" "$N" |