From 442708dfe2f599796b87eb113b03ab6cc42e0292 Mon Sep 17 00:00:00 2001
From: Michael Yartys
Date: Sun, 13 Feb 2022 15:17:54 +0100
Subject: wpa_supplicant: compile with OCV support
Operating Channel Validation (OCV) is a security feature designed to prevent person-in-the-middle multi-channel attacks. Compile -basic and -full variants with support for OCV. This feature can be configured in the wireless config by setting ocv equal to one of the following values: 0 = disabled (hostapd/wpa_supplicant default) 1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the driver indicates support for operating channel validation.
Signed-off-by: Michael Yartys
---
 package/network/services/hostapd/files/hostapd.sh | 4 +++-
 package/network/services/hostapd/files/wpa_supplicant-basic.config | 2 +-
 package/network/services/hostapd/files/wpa_supplicant-full.config | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'package')
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 831c562b47..f11b40702c 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -1272,7 +1272,7 @@ wpa_supplicant_add_network() {
 json_get_vars \
 ssid bssid key \
 basic_rate mcast_rate \
- ieee80211w ieee80211r fils \
+ ieee80211w ieee80211r fils ocv \
 multi_ap \
 default_disabled
@@ -1324,6 +1324,8 @@ wpa_supplicant_add_network() {
 [ "$default_disabled" = 1 ] && append network_data "disabled=1" "$N$T"
 }
+ [ -n "$ocv" ] && append network_data "ocv=$ocv" "$N$T"
+
 case "$auth_type" in
 none) ;;
 owe)
diff --git a/package/network/services/hostapd/files/wpa_supplicant-basic.config b/package/network/services/hostapd/files/wpa_supplicant-basic.config
index c550b37b21..6abd8e2331 100644
--- a/package/network/services/hostapd/files/wpa_supplicant-basic.config
+++ b/package/network/services/hostapd/files/wpa_supplicant-basic.config
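Review bot: In the second hostapd.sh hunk, `[ -n "$ocv" ] && append network_data "ocv=$ocv" "$N$T"` copies whatever the wireless config holds into the network block, while the commit message documents only 0 and 1. Restricting the option to those values keeps a typo or stray text from reaching the generated wpa_supplicant configuration: `case "$ocv" in 0|1) append network_data "ocv=$ocv" "$N$T" ;; esac`. The body of wpa_supplicant_add_network starts and ends outside the hunk, so how ieee80211w is emitted for the same network is not visible here. As far as I know, OCV is only negotiated together with management frame protection, and that pairing deserves a one-line comment above the new line.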
@@ -315,7 +315,7 @@ CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
diff --git a/package/network/services/hostapd/files/wpa_supplicant-full.config b/package/network/services/hostapd/files/wpa_supplicant-full.config
index de3302c875..d24fbbb01f 100644
--- a/package/network/services/hostapd/files/wpa_supplicant-full.config
+++ b/package/network/services/hostapd/files/wpa_supplicant-full.config
@@ -315,7 +315,7 @@ CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
--
cgit v1.2.3
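Review bot: The context line directly above the change, `#CONFIG_IEEE80211W=y`, stays commented out in wpa_supplicant-basic.config while `CONFIG_OCV=y` is switched on, and the wpa_supplicant-full.config hunk has the same pairing. OCV presumably relies on management frame protection being available, so it should be confirmed that PMF is compiled into both variants by another path; nothing in this diff shows it. If that holds, a comment such as `# OCV depends on management frame protection (PMF)` above `CONFIG_OCV=y` would record the dependency for whoever next edits these files.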