OCV: Add wpa_supplicant config parameter

Add wpa_supplicant network profile parameter ocv to disable or enable
Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Mathy Vanhoef 2018-08-06 15:46:25 -04:00 committed by Jouni Malinen
parent 9c55fdb023
commit ce6829c284
4 changed files with 67 additions and 0 deletions


@ -2059,6 +2059,43 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
#endif /* CONFIG_MACSEC */ #endif /* CONFIG_MACSEC */
#ifdef CONFIG_OCV
static int wpa_config_parse_ocv(const struct parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
{
char *end;
ssid->ocv = strtol(value, &end, 0);
if (*end || ssid->ocv < 0 || ssid->ocv > 1) {
wpa_printf(MSG_ERROR, "Line %d: Invalid ocv value '%s'.",
line, value);
return -1;
}
if (ssid->ocv && ssid->ieee80211w == NO_MGMT_FRAME_PROTECTION)
ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL;
return 0;
}
#ifndef NO_CONFIG_WRITE
static char * wpa_config_write_ocv(const struct parse_data *data,
struct wpa_ssid *ssid)
{
char *value = os_malloc(20);
if (!value)
return NULL;
os_snprintf(value, 20, "%d", ssid->ocv);
value[20 - 1] = '\0';
return value;
}
#endif /* NO_CONFIG_WRITE */
#endif /* CONFIG_OCV */
static int wpa_config_parse_peerkey(const struct parse_data *data, static int wpa_config_parse_peerkey(const struct parse_data *data,
struct wpa_ssid *ssid, int line, struct wpa_ssid *ssid, int line,
const char *value) const char *value)
@ -2262,6 +2299,9 @@ static const struct parse_data ssid_fields[] = {
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
{ INT_RANGE(ieee80211w, 0, 2) }, { INT_RANGE(ieee80211w, 0, 2) },
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_OCV
{ FUNC(ocv) },
#endif /* CONFIG_OCV */
{ FUNC(peerkey) /* obsolete - removed */ }, { FUNC(peerkey) /* obsolete - removed */ },
{ INT_RANGE(mixed_cell, 0, 1) }, { INT_RANGE(mixed_cell, 0, 1) },
{ INT_RANGE(frequency, 0, 65000) }, { INT_RANGE(frequency, 0, 65000) },
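Review bot: In wpa_config_parse_ocv the strtol() result is stored straight into the int field ssid->ocv before the range check, so the check sees the narrowed value: where long is wider than int, an out-of-range number can narrow to 0 or 1 and be accepted, and an empty value also passes because *end is already NUL. Parse into a local and assign only after validation, e.g. `long v = strtol(value, &end, 0);`, `if (end == value || *end || v < 0 || v > 1) {` and `ssid->ocv = v;` after the check, which also keeps a rejected line from leaving a modified ocv in the profile. Separately, this function and the new check in wpa_config_validate_network read ssid->ieee80211w under CONFIG_OCV alone, while the struct hunk shows that field declared inside CONFIG_IEEE80211W. Unless the build system ties the two options together (not visible on this page), a guard such as `#if defined(CONFIG_OCV) && !defined(CONFIG_IEEE80211W)` followed by `#error` would make the dependency explicit.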


@ -160,6 +160,15 @@ static int wpa_config_validate_network(struct wpa_ssid *ssid, int line)
errors++; errors++;
} }
#ifdef CONFIG_OCV
if (ssid->ocv && ssid->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
wpa_printf(MSG_ERROR,
"Line %d: PMF needs to be enabled whenever using OCV",
line);
errors++;
}
#endif /* CONFIG_OCV */
return errors; return errors;
} }
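Review bot: This check makes the result depend on the order of lines in the network block. The parser hunk upgrades ieee80211w to optional only if it is still NO_MGMT_FRAME_PROTECTION at the moment ocv is parsed, so an explicit PMF-disabled setting written before `ocv=1` is silently overridden, while the same setting written after it is rejected here. Disabling PMF is a security-relevant choice, so rejecting both orders would be more predictable than rewriting one of them. If the current behaviour is intended, a comment above the check should say so, for example `/* Only reached when PMF is disabled after ocv=1; the ocv parser upgrades an earlier setting */`. The function starts outside this hunk, so any earlier handling of ieee80211w is not visible.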


@ -457,6 +457,17 @@ struct wpa_ssid {
enum mfp_options ieee80211w; enum mfp_options ieee80211w;
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_OCV
/**
* ocv - Enable/disable operating channel validation
*
* If this parameter is set to 1, stations will exchange OCI element
* to cryptographically verify the operating channel. Setting this
* parameter to 0 disables this option. Default value: 0.
*/
int ocv;
#endif /* CONFIG_OCV */
/** /**
* frequency - Channel frequency in megahertz (MHz) for IBSS * frequency - Channel frequency in megahertz (MHz) for IBSS
* *
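Review bot: The new field comment for ocv does not mention the PMF dependency that the parser and validator hunks enforce, and it says "operating channel validation" where the commit title says "Operating Channel Verification". A reader of the struct alone would not learn that setting ocv to 1 changes or constrains ieee80211w. Suggest using one term throughout and adding a sentence such as `* Requires management frame protection; ieee80211w must not be disabled when ocv is 1.` The struct definition begins and ends outside the hunk.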


@ -907,6 +907,13 @@ fast_reauth=1
# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
# #
# ocv: whether operating channel validation is enabled
# This is a countermeasure against multi-channel man-in-the-middle attacks.
# Enabling this automatically also enables ieee80211w, if not yet enabled.
# 0 = disabled (default)
# 1 = enabled
#ocv=1
#
# auth_alg: list of allowed IEEE 802.11 authentication algorithms # auth_alg: list of allowed IEEE 802.11 authentication algorithms
# OPEN = Open System authentication (required for WPA/WPA2) # OPEN = Open System authentication (required for WPA/WPA2)
# SHARED = Shared Key authentication (requires static WEP keys) # SHARED = Shared Key authentication (requires static WEP keys)