From 9c55fdb02397ff03797067314a2fb8814ac36fa7 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Mon, 6 Aug 2018 15:46:25 -0400
Subject: [PATCH] OCV: Add hostapd config parameter

Add hostapd.conf parameter ocv to disable or enable Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef
---
 hostapd/config_file.c | 6 ++++++
 hostapd/hostapd.conf | 7 +++++++
 src/ap/ap_config.c | 9 +++++++++
 src/ap/ap_config.h | 3 +++
 4 files changed, 25 insertions(+)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index fd2f4e9dd..5b577fefb 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3316,6 +3316,12 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 return 1;
 }
 #endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+ } else if (os_strcmp(buf, "ocv") == 0) {
+ bss->ocv = atoi(pos);
+ if (bss->ocv && !bss->ieee80211w)
+ bss->ieee80211w = 1;
+#endif /* CONFIG_OCV */
 #ifdef CONFIG_IEEE80211N
 } else if (os_strcmp(buf, "ieee80211n") == 0) {
 conf->ieee80211n = atoi(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index a00521711..80da18cb3 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1418,6 +1418,13 @@ own_ip_addr=127.0.0.1
 # dot11AssociationSAQueryRetryTimeout, 1...4294967295
 #assoc_sa_query_retry_timeout=201
+# ocv: Operating Channel Validation
+# This is a countermeasure against multi-channel man-in-the-middle attacks.
+# Enabling this automatically also enables ieee80211w, if not yet enabled.
+# 0 = disabled (default)
+# 1 = enabled
+#ocv=1
+
 # disable_pmksa_caching: Disable PMKSA caching
 # This parameter can be used to disable caching of PMKSA created through EAP
 # authentication. RSN preauthentication may still end up using PMKSA caching if
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index d2482c8b6..5635a522b 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
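Review bot: `bss->ocv = atoi(pos);` in the config_file.c hunk stores whatever atoi() returns, so a mistyped value such as `ocv=on` parses as 0 and leaves the countermeasure off without any message, and values other than 0 or 1 are kept as-is. Rejecting anything outside 0..1 with an error would make a misconfigured security option visible at load time; the `return 1;` in the context above looks like this function's error path. The fallback `bss->ieee80211w = 1;` would read more clearly as `bss->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL;`, matching the `NO_MGMT_FRAME_PROTECTION` comparison in the ap_config.c hunk. It also deserves a comment such as `/* OCV depends on PMF; this only makes PMF optional, not required */`. hostapd_config_fill begins and ends outside the hunk.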
@@ -1009,6 +1009,15 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
 }
 #endif /* CONFIG_MBO */
+#ifdef CONFIG_OCV
+ if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
+ bss->ocv) {
+ wpa_printf(MSG_ERROR,
+ "OCV: PMF needs to be enabled whenever using OCV");
+ return -1;
+ }
+#endif /* CONFIG_OCV */
+
 return 0;
 }
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 555c3719c..c8280c106 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -335,6 +335,9 @@ struct hostapd_bss_config {
 /* dot11AssociationSAQueryRetryTimeout (in TUs) */
 int assoc_sa_query_retry_timeout;
 #endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+ int ocv; /* Operating Channel Validation */
+#endif /* CONFIG_OCV */
 enum {
 PSK_RADIUS_IGNORED = 0,
 PSK_RADIUS_ACCEPTED = 1,
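Review bot: The new OCV check in hostapd_config_check_bss is reached only in an order-dependent way that neither the code nor the hostapd.conf text explains. The config_file.c hunk raises `ieee80211w` to 1 only when the `ocv` line is read, so `ieee80211w=0` followed by `ocv=1` quietly turns PMF on. The reverse order presumably ends here with an error, since the ieee80211w parser is not visible in this patch. A comment above the check would help, for example `/* Reached when ieee80211w=0 follows ocv=1; the parser only raises ieee80211w while reading the ocv line */`. The block also reads `bss->ieee80211w` under `CONFIG_OCV` alone, so if that field is declared only under `CONFIG_IEEE80211W` (the ap_config.h context suggests such a block), a build with OCV but without 802.11w would not compile. The function starts outside the hunk.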