hostapd: Expose the tdls_prohibit option to UCI
wpa_disable_eapol_key_retries can't prevent attacks against the Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested that the existing hostapd option tdls_prohibit can be used to further complicate this possibility at the AP side. tdls_prohibit=1 makes hostapd advertise that use of TDLS is not allowed in the BSS. Note: If an attacker manages to lure both TDLS peers into a fake AP, hiding the tdls_prohibit advertisement from them, it might be possible to bypass this protection. Make this option configurable via UCI, but disabled by default. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
This commit is contained in:
parent
f997478655
commit
6515887ed9
@ -151,6 +151,8 @@ hostapd_common_add_bss_config() {
|
|||||||
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
|
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
|
||||||
config_add_boolean wpa_disable_eapol_key_retries
|
config_add_boolean wpa_disable_eapol_key_retries
|
||||||
|
|
||||||
|
config_add_boolean tdls_prohibit
|
||||||
|
|
||||||
config_add_boolean rsn_preauth auth_cache
|
config_add_boolean rsn_preauth auth_cache
|
||||||
config_add_int ieee80211w
|
config_add_int ieee80211w
|
||||||
config_add_int eapol_version
|
config_add_int eapol_version
|
||||||
@ -215,7 +217,7 @@ hostapd_set_bss_options() {
|
|||||||
|
|
||||||
json_get_vars \
|
json_get_vars \
|
||||||
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
|
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
|
||||||
wpa_disable_eapol_key_retries \
|
wpa_disable_eapol_key_retries tdls_prohibit \
|
||||||
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
|
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
|
||||||
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
|
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
|
||||||
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
|
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
|
||||||
@ -232,6 +234,7 @@ hostapd_set_bss_options() {
|
|||||||
set_default wmm 1
|
set_default wmm 1
|
||||||
set_default uapsd 1
|
set_default uapsd 1
|
||||||
set_default wpa_disable_eapol_key_retries 0
|
set_default wpa_disable_eapol_key_retries 0
|
||||||
|
set_default tdls_prohibit 0
|
||||||
set_default eapol_version 0
|
set_default eapol_version 0
|
||||||
set_default acct_port 1813
|
set_default acct_port 1813
|
||||||
|
|
||||||
@ -252,6 +255,8 @@ hostapd_set_bss_options() {
|
|||||||
append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
|
append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
|
||||||
append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
|
append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
|
||||||
|
|
||||||
|
[ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
|
||||||
|
|
||||||
[ "$wpa" -gt 0 ] && {
|
[ "$wpa" -gt 0 ] && {
|
||||||
[ -n "$wpa_group_rekey" ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
|
[ -n "$wpa_group_rekey" ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
|
||||||
[ -n "$wpa_pair_rekey" ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey" "$N"
|
[ -n "$wpa_pair_rekey" ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey" "$N"
|
||||||
|
Loading…
Reference in New Issue
Block a user