hostapd: Expose the tdls_prohibit option to UCI
author Timo Sigurdsson <public_timo.s@silentcreek.de>
Tue, 14 Nov 2017 20:41:29 +0000 (21:41 +0100)
committer RISCi_ATOM <bob@bobcall.me>
Mon, 11 Dec 2017 18:23:49 +0000 (13:23 -0500)
commit a2c34fc57599fece97f034e37fca4d73248c265f
tree f5a902aebbc22746e921b68ec2d788f3c3cf1ef5
parent 026f2935075760dbc46bae2ccf4baa682777499b

wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.

Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.

Make this option configurable via UCI, but disabled by default.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 6515887ed9b3f312635409702113dca7c14043e5)
package/network/services/hostapd/files/hostapd.sh
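The commit above maps a UCI option onto the hostapd.conf key tdls_prohibit, disabled unless the operator sets it. The following shell snippet is an added example, not OpenWrt's hostapd.sh and not code from the commit: it mirrors that mapping (empty or unset becomes 0, only 0 and 1 are accepted) and adds the check a practitioner would run against a generated hostapd config to confirm the BSS really advertises that TDLS is not allowed. The UCI option name and the hostapd key are taken from the commit message; the config file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: UCI -> hostapd.conf mapping for tdls_prohibit, plus a
# verification check. Not OpenWrt's own hostapd.sh.
#
# Corresponding UCI fragment (wifi-iface section, option name from the commit):
#   config wifi-iface 'default_radio0'
#       option mode 'ap'
#       option tdls_prohibit '1'

# render_tdls_prohibit <uci_value>
# Emit the hostapd BSS config line. Unset or empty -> 0, i.e. TDLS stays
# allowed by default, as the commit states. Anything other than 0 or 1 is
# rejected rather than passed through to hostapd.
render_tdls_prohibit() {
    val="${1:-0}"
    case "$val" in
        0|1) printf 'tdls_prohibit=%s\n' "$val" ;;
        *)
            echo "render_tdls_prohibit: invalid value '$val' (expected 0 or 1)" >&2
            return 1
            ;;
    esac
}

# check_tdls_prohibit <hostapd.conf>
# Return 0 only if the generated config advertises that TDLS is not allowed
# in the BSS (tdls_prohibit=1). A missing key and tdls_prohibit=0 both mean
# TDLS is allowed, so both return 1.
check_tdls_prohibit() {
    grep -q '^tdls_prohibit=1$' "$1"
}

# Usage on the AP (path is an assumption; use the config hostapd was started with):
#   if check_tdls_prohibit /var/run/hostapd-phy0.conf; then
#       echo "TDLS prohibited in BSS"
#   else
#       echo "TDLS allowed in BSS"
#   fi
```

The check only tells you what the AP advertises. As the commit notes, a rogue AP that hides the advertisement from both TDLS peers can still sidestep it, so this is a hardening knob on the AP side, not a replacement for fixed client supplicants.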