PASN: Introduce configuration option to allow/deny PASN-UNAUTH

Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and
Processing), responder should REFUSE PASN authentication frame 1 with
Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That
configuration was not previously available and hostapd was hardcoded
with dot11NoAuthPASNActivated being true.

Allow this to be configured and reject PASN authentication frame 1 from
initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN.
The default value for pasn_noauth is 1 to maintain previous
functionality even though the dot11NoAuthPASNActivated is defined to
have default value of false.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 8e179d1519d4a8890cc2500216c29de3d7db6962..2c29971b32b43be6b95ca28f268486875ae20b97 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4734,6 +4734,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                }
        } else if (os_strcmp(buf, "pasn_comeback_after") == 0) {
                bss->pasn_comeback_after = atoi(pos);
+       } else if (os_strcmp(buf, "pasn_noauth") == 0) {
+               bss->pasn_noauth = atoi(pos);
 #endif /* CONFIG_PASN */
        } else if (os_strcmp(buf, "ext_capa_mask") == 0) {
                if (get_hex_config(bss->ext_capa_mask, EXT_CAPA_MAX_LEN,

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index bc4a0f6ef7a59f1ea5e61b0cbbccd2a93f68957a..5868bfde44de6bb84812a5638da2353268e0d9ae 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -2170,6 +2170,11 @@ own_ip_addr=127.0.0.1
 # (default: 10 TUs)
 #pasn_comeback_after=10
 
+# Unauthenticated PASN activated (dot11NoAuthPASNActivated)
+# This indicates whether PASN without mutual authentication is allowed.
+# (default: 1 = activated)
+#pasn_noauth=1
+
 ##### IEEE 802.11r configuration ##############################################
 
 # Mobility Domain identifier (dot11FTMobilityDomainID, MDID)

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 2b1041de806324bf9c1077287a66390b4d38323f..298216a4746d85fe35f10b40cd6c79a98c57c17d 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -169,6 +169,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef CONFIG_PASN
        /* comeback after 10 TUs */
        bss->pasn_comeback_after = 10;
+       bss->pasn_noauth = 1;
 #endif /* CONFIG_PASN */
 }
 

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8598602b164a6304eee39c3e3ae6f386eabb9a8a..63b9ef701a1fce8f8ca131c12162c6389b2f9be0 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -906,6 +906,9 @@ struct hostapd_bss_config {
 #endif /* CONFIG_MACSEC */
 
 #ifdef CONFIG_PASN
+       /* Whether to allow PASN-UNAUTH */
+       int pasn_noauth;
+
 #ifdef CONFIG_TESTING_OPTIONS
        /*
         * Normally, KDK should be derived if and only if both sides support

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 48b0219f3d6236febd9c26ccbbaafc5fd1a4b023..93a6b4f56d10dc6536eae07fcc88588b04c525a2 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2527,6 +2527,7 @@ static void hapd_initialize_pasn(struct hostapd_data *hapd,
        pasn->cb_ctx = hapd;
        pasn->send_mgmt = hapd_pasn_send_mlme;
        pasn->pasn_groups = hapd->conf->pasn_groups;
+       pasn->noauth = hapd->conf->pasn_noauth;
        pasn->wpa_key_mgmt = hapd->conf->wpa_key_mgmt;
        pasn->rsn_pairwise = hapd->conf->rsn_pairwise;
        pasn->derive_kdk = hapd->iface->drv_flags2 &

diff --git a/src/pasn/pasn_common.h b/src/pasn/pasn_common.h
index 9c2f397e72306e889c42ad395fdb58325147353e..a4850a284ddc322aed0c021ae98d8b8531cdb419 100644 (file)
--- a/src/pasn/pasn_common.h
+++ b/src/pasn/pasn_common.h
@@ -95,7 +95,8 @@ struct pasn_data {
        u8 wrapped_data_format;
        struct wpabuf *secret;
 
-       /* Reponder */
+       /* Responder */
+       bool noauth; /* Whether PASN without mutual authentication is enabled */
        int wpa_key_mgmt;
        int rsn_pairwise;
        bool derive_kdk;

diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index 3b1912df3e38d3e1af5941e5dfc2ff29e5539dbf..78a9dd7da8a9c389340fec8919d320bf224b7fa7 100644 (file)
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -743,6 +743,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
                goto send_resp;
        }
 
+       if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
+               wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
+               status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+               goto send_resp;
+       }
+
        derive_keys = true;
        if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
                wrapped_data = ieee802_11_defrag(&elems,