set ieee80211w to optional in hostapd config

set ieee80211w=1 config item in the hostapd config file.
This is to enable IEEE 802.11 management frame protection
feature optional on SoftAp interface. This is mainly to
prevent denial of service when an attacker sends deauthentication
frames to the clients connected to the SoftAp.

Bug: 197874458
Test: Connected STAs to Pixel SofAp and confirmed from the
sniffer logs that PMF capabilities are exchanged and the required
management frames are protected.

Change-Id: Ia773b79a65771a7b53c561ed2601f02aee82f0ea

2 files changed, 7 insertions, 0 deletions

diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 8449d161..54548aa0 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -42,6 +42,10 @@ ifeq ($(BOARD_HOSTAPD_PRIVATE_LIB),)
 L_CFLAGS += -DANDROID_LIB_STUB
 endif
 
+ifeq ($(BOARD_HOSTAPD_CONFIG_80211W_MFP_OPTIONAL),true)
+L_CFLAGS += -DENABLE_HOSTAPD_CONFIG_80211W_MFP_OPTIONAL
+endif
+
 # Use Android specific directory for control interface sockets
 L_CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_DIR=\"/data/vendor/wifi/hostapd/sockets\"
 L_CFLAGS += -DCONFIG_CTRL_IFACE_DIR=\"/data/vendor/wifi/hostapd/ctrl\"
diff --git a/hostapd/aidl/hostapd.cpp b/hostapd/aidl/hostapd.cpp
index 78747852..9e23247b 100644
--- a/hostapd/aidl/hostapd.cpp
+++ b/hostapd/aidl/hostapd.cpp
@@ -355,6 +355,9 @@ std::string CreateHostapdConfig(
 		encryption_config_as_string = StringPrintf(
 			"wpa=2\n"
 			"rsn_pairwise=%s\n"
+#ifdef ENABLE_HOSTAPD_CONFIG_80211W_MFP_OPTIONAL
+			"ieee80211w=1\n"
+#endif
 			"wpa_passphrase=%s",
 			is_60Ghz_band_only ? "GCMP" : "CCMP",
 			nw_params.passphrase.c_str());