AP: Add support for configuring PASN
authorIlan Peer <ilan.peer@intel.com>
Wed, 16 Dec 2020 11:00:30 +0000 (13:00 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 25 Jan 2021 17:15:47 +0000 (19:15 +0200)
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
hostapd/Android.mk
hostapd/Makefile
hostapd/config_file.c
hostapd/defconfig
hostapd/hostapd.conf
src/ap/ap_config.c
src/ap/ap_config.h
src/ap/wpa_auth_ie.c

index 6c9561778d6d2b2b4fdc82ddfac19fb6f084fe05..54fafe1803b9a39f5fe659da8f8eb7e3953fbcb2 100644 (file)
@@ -565,6 +565,14 @@ L_CFLAGS += -DCONFIG_DPP2
 endif
 endif
 
+ifdef CONFIG_PASN
+L_CFLAGS += -DCONFIG_PASN
+NEED_HMAC_SHA256_KDF=y
+NEED_HMAC_SHA384_KDF=y
+NEED_SHA256=y
+NEED_SHA384=y
+endif
+
 ifdef CONFIG_EAP_IKEV2
 L_CFLAGS += -DEAP_SERVER_IKEV2
 OBJS += src/eap_server/eap_server_ikev2.c src/eap_server/ikev2.c
index 456fb184f6420f7e3622d3878595d8e4acdc4480..cfd6495c488a6a792eaf2d21b2cad8e50534ba13 100644 (file)
@@ -595,6 +595,14 @@ CFLAGS += -DCONFIG_DPP2
 endif
 endif
 
+ifdef CONFIG_PASN
+CFLAGS += -DCONFIG_PASN
+NEED_HMAC_SHA256_KDF=y
+NEED_HMAC_SHA384_KDF=y
+NEED_SHA256=y
+NEED_SHA384=y
+endif
+
 ifdef CONFIG_EAP_IKEV2
 CFLAGS += -DEAP_SERVER_IKEV2
 OBJS += ../src/eap_server/eap_server_ikev2.o ../src/eap_server/ikev2.o
index 05dc96736e1f553aa8a07ddb29d005cb2e68e5f1..cf0853bfdcc7fb75c6cb7673957318f825f0a6d6 100644 (file)
@@ -754,6 +754,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
                else if (os_strcmp(start, "OSEN") == 0)
                        val |= WPA_KEY_MGMT_OSEN;
 #endif /* CONFIG_HS20 */
+#ifdef CONFIG_PASN
+               else if (os_strcmp(start, "PASN") == 0)
+                       val |= WPA_KEY_MGMT_PASN;
+#endif /* CONFIG_PASN */
                else {
                        wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
                                   line, start);
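Review bot: The new `PASN` keyword in hostapd_config_parse_key_mgmt has no matching documentation in this commit, because the hostapd.conf hunk describes only `pasn_groups`. An operator therefore has no in-tree description of what `wpa_key_mgmt=PASN` turns on, or whether it is meant to be combined with another AKM. I would add an entry where hostapd.conf describes the other key_mgmt values, for example `# PASN = Pre-Association Security Negotiation (experimental; needs CONFIG_PASN)`. Nothing visible here rejects a BSS that lists PASN as its only AKM, so the entry should say whether that is intended. The function body starts and ends outside the hunk.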
@@ -4582,6 +4586,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "force_kdk_derivation") == 0) {
                bss->force_kdk_derivation = atoi(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
+       } else if (os_strcmp(buf, "pasn_groups") == 0) {
+               if (hostapd_parse_intlist(&bss->pasn_groups, pos)) {
+                       wpa_printf(MSG_ERROR,
+                                  "Line %d: Invalid pasn_groups value '%s'",
+                                  line, pos);
+                       return 1;
+               }
 #endif /* CONFIG_PASN */
        } else {
                wpa_printf(MSG_ERROR,
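Review bot: The `pasn_groups` branch stores whatever hostapd_parse_intlist() returns without looking at the individual values. A typo, a non-numeric token or a group number the build cannot use would be accepted when the configuration is loaded. hostapd.conf presents this option as the way to restrict the allowed ECDH groups, so a bad entry should fail at load time rather than during a later exchange. I would check each parsed entry immediately after the call, reject non-positive values and groups the crypto backend does not support, and return 1 with the existing `Invalid pasn_groups value` message. Whether a later layer already filters the list is not visible in this hunk, and hostapd_config_fill starts and ends outside it.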
index e9f5de77541068204bffd741c08183ec35dab07e..cbdd2a55cde399fafa48a472e0cc13ac0ba7bd42 100644 (file)
@@ -395,3 +395,10 @@ CONFIG_IPV6=y
 # build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but
 # that functionality is subject to be removed in the future.
 #CONFIG_NO_TKIP=y
+
+# Pre-Association Security Negotiation (PASN)
+# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol
+# design is still subject to change. As such, this should not yet be enabled in
+# production use.
+# This requires CONFIG_IEEE80211W=y to be enabled, too.
+#CONFIG_PASN=y
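Review bot: The comment `This requires CONFIG_IEEE80211W=y to be enabled, too.` states a build prerequisite that neither the Android.mk nor the Makefile `ifdef CONFIG_PASN` block in this commit checks. If that switch still exists in this tree, the build fragments should fail loudly when CONFIG_PASN is set without it; if PMF is always compiled in, the sentence should be dropped so it does not mislead. The draft reference `IEEE P802.11z/D2.6` also looks like a typo for P802.11az, which is where PASN is specified, and is worth confirming.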
index 3ac64a75e96333e166ecde5066a9cfafce846fda..666c4e133625a19eb35bafc1c0e31dbfc2e49ad6 100644 (file)
@@ -1947,6 +1947,14 @@ own_ip_addr=127.0.0.1
 # (default: 0 = do not include Transition Disable KDE)
 #transition_disable=0x01
 
+# PASN ECDH groups
+# PASN implementations are required to support group 19 (NIST P-256). If this
+# parameter is not set, only group 19 is supported by default. This
+# configuration parameter can be used to specify a limited set of allowed
+# groups. The group values are listed in the IANA registry:
+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
+#pasn_groups=19 20 21
+
 ##### IEEE 802.11r configuration ##############################################
 
 # Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
index f82468ac802c1ce9e2a84e0669bb77cc16d727bb..84d13512bd7c786fa3846b8e4194cb19e54b495c 100644 (file)
@@ -955,6 +955,10 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
        }
 #endif /* CONFIG_AIRTIME_POLICY */
 
+#ifdef CONFIG_PASN
+       os_free(conf->pasn_groups);
+#endif /* CONFIG_PASN */
+
        os_free(conf);
 }
 
index 4eb4ee2729d64730fac3c88b338c5c720c7b02a2..e6913258459553afac28ac22f878f18145e4d033 100644 (file)
@@ -871,6 +871,8 @@ struct hostapd_bss_config {
         */
        int force_kdk_derivation;
 #endif /* CONFIG_TESTING_OPTIONS */
+
+       int *pasn_groups;
 #endif /* CONFIG_PASN */
 };
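Review bot: The new `int *pasn_groups;` member has no comment, while the preceding `force_kdk_derivation` member carries a doc block. A heap-allocated int list needs its contract written down: what the entries are (IANA group identifiers, per hostapd.conf), how the list is terminated, that NULL means the default of group 19 only, and that hostapd_config_free_bss() owns and frees it. I would add a short `/** pasn_groups - ... */` block in the style of the neighbouring members. The struct definition starts outside the hunk.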
 
index 3704fc05eb72858d12f2b54833f694826fbe8ae2..972ca84b6e1b1a224c559691b81d3d81ca9cc09c 100644 (file)
@@ -260,6 +260,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
                num_suites++;
        }
 #endif /* CONFIG_HS20 */
+#ifdef CONFIG_PASN
+       if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) {
+               RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN);
+               pos += RSN_SELECTOR_LEN;
+               num_suites++;
+       }
+#endif /* CONFIG_PASN */
 
 #ifdef CONFIG_RSN_TESTING
        if (rsn_testing) {
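Review bot: No remaining-space check against `len` is visible before the added `RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN)`; it writes RSN_SELECTOR_LEN bytes at `pos` and advances the pointer. This matches the neighbouring AKM blocks, so it may be covered by a guarantee elsewhere in wpa_write_rsn_ie, whose body starts and ends outside the hunk. Each new AKM still adds to the worst-case element size, so it is worth confirming that the caller's buffer accounts for one more selector. A one-line comment stating the size assumption at the top of the suite list would also help.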