OCV: Add wpa_supplicant config parameter

author Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)

committer Jouni Malinen <j@w1.fi>

Sun, 16 Dec 2018 18:31:21 +0000 (20:31 +0200)
author Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)
committer Jouni Malinen <j@w1.fi>
Sun, 16 Dec 2018 18:31:21 +0000 (20:31 +0200)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c

index 90eef9cf1fcc95c2691d2f1be41970d1b7925bc5..78da98de342f1aef1f2fb5135a5e9eca0405ea9f 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2059,6 +2059,43 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
  #endif /* CONFIG_MACSEC */
  
  
+#ifdef CONFIG_OCV
+
+static int wpa_config_parse_ocv(const struct parse_data *data,
+                               struct wpa_ssid *ssid, int line,
+                               const char *value)
+{
+       char *end;
+
+       ssid->ocv = strtol(value, &end, 0);
+       if (*end || ssid->ocv < 0 || ssid->ocv > 1) {
+               wpa_printf(MSG_ERROR, "Line %d: Invalid ocv value '%s'.",
+                          line, value);
+               return -1;
+       }
+       if (ssid->ocv && ssid->ieee80211w == NO_MGMT_FRAME_PROTECTION)
+               ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL;
+       return 0;
+}
+
+
+#ifndef NO_CONFIG_WRITE
+static char * wpa_config_write_ocv(const struct parse_data *data,
+                                  struct wpa_ssid *ssid)
+{
+       char *value = os_malloc(20);
+
+       if (!value)
+               return NULL;
+       os_snprintf(value, 20, "%d", ssid->ocv);
+       value[20 - 1] = '\0';
+       return value;
+}
+#endif /* NO_CONFIG_WRITE */
+
+#endif /* CONFIG_OCV */
+
+
  static int wpa_config_parse_peerkey(const struct parse_data *data,
                                     struct wpa_ssid *ssid, int line,
                                     const char *value)
@@ -2262,6 +2299,9 @@ static const struct parse_data ssid_fields[] = {
  #ifdef CONFIG_IEEE80211W
         { INT_RANGE(ieee80211w, 0, 2) },
  #endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+       { FUNC(ocv) },
+#endif /* CONFIG_OCV */
         { FUNC(peerkey) /* obsolete - removed */ },
         { INT_RANGE(mixed_cell, 0, 1) },
         { INT_RANGE(frequency, 0, 65000) },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c

index 09115e19dc2d405b752708e4ca65aaa085129622..8bc7a35fdbbce194f8557bfc33b8734441190294 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -160,6 +160,15 @@ static int wpa_config_validate_network(struct wpa_ssid *ssid, int line)
                 errors++;
         }
  
+#ifdef CONFIG_OCV
+       if (ssid->ocv && ssid->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
+               wpa_printf(MSG_ERROR,
+                          "Line %d: PMF needs to be enabled whenever using OCV",
+                          line);
+               errors++;
+       }
+#endif /* CONFIG_OCV */
+
         return errors;
  }
  
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h

index d2a52d760089efa09cf0234405c40cb4d471df7f..6427fbb01055a7a7ce6ce71781d0369e226af9b4 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -457,6 +457,17 @@ struct wpa_ssid {
         enum mfp_options ieee80211w;
  #endif /* CONFIG_IEEE80211W */
  
+#ifdef CONFIG_OCV
+       /**
+        * ocv - Enable/disable operating channel validation
+        *
+        * If this parameter is set to 1, stations will exchange OCI element
+        * to cryptographically verify the operating channel. Setting this
+        * parameter to 0 disables this option. Default value: 0.
+        */
+       int ocv;
+#endif /* CONFIG_OCV */
+
         /**
          * frequency - Channel frequency in megahertz (MHz) for IBSS
          *
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf

index 4f5916025aab3210318ba2f235defe08d8fc7d8a..b93990004ef837fbab039f172f978c157829b7d1 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -907,6 +907,13 @@ fast_reauth=1
  # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
  #
+# ocv: whether operating channel validation is enabled
+# This is a countermeasure against multi-channel man-in-the-middle attacks.
+# Enabling this automatically also enables ieee80211w, if not yet enabled.
+# 0 = disabled (default)
+# 1 = enabled
+#ocv=1
+#
  # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  # OPEN = Open System authentication (required for WPA/WPA2)
  # SHARED = Shared Key authentication (requires static WEP keys)
author	Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
	Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)
committer	Jouni Malinen <j@w1.fi>
	Sun, 16 Dec 2018 18:31:21 +0000 (20:31 +0200)
wpa_supplicant/config.c		patch \| blob \| blame \| history
wpa_supplicant/config_file.c		patch \| blob \| blame \| history
wpa_supplicant/config_ssid.h		patch \| blob \| blame \| history
wpa_supplicant/wpa_supplicant.conf		patch \| blob \| blame \| history