From: Sai Pratyusha Magam Date: Wed, 17 May 2023 04:50:38 +0000 (+0530) Subject: PASN: Introduce configuration option to allow/deny PASN-UNAUTH X-Git-Tag: hostap_2_11~1164 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4120f9d7ab12660364ca4c9dd6e6e4cb66f5342a;p=thirdparty%2Fhostap.git PASN: Introduce configuration option to allow/deny PASN-UNAUTH Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and Processing), responder should REFUSE PASN authentication frame 1 with Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That configuration was not previously available and hostapd was hardcoded with dot11NoAuthPASNActivated being true. Allow this to be configured and reject PASN authentication frame 1 from initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN. The default value for pasn_noauth is 1 to maintain previous functionality even though the dot11NoAuthPASNActivated is defined to have default value of false. Signed-off-by: Sai Pratyusha Magam
---
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 8e179d151..2c29971b3 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4734,6 +4734,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 }
 } else if (os_strcmp(buf, "pasn_comeback_after") == 0) {
 bss->pasn_comeback_after = atoi(pos);
+ } else if (os_strcmp(buf, "pasn_noauth") == 0) {
+ bss->pasn_noauth = atoi(pos);
 #endif /* CONFIG_PASN */
 } else if (os_strcmp(buf, "ext_capa_mask") == 0) {
 if (get_hex_config(bss->ext_capa_mask, EXT_CAPA_MAX_LEN,
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index bc4a0f6ef..5868bfde4 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
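Review bot: `bss->pasn_noauth = atoi(pos);` stores whatever integer atoi() yields, so a mistyped setting such as `pasn_noauth=yes` or `pasn_noauth=2` is accepted without any report. A non-numeric value becomes 0 and therefore fails closed (PASN-UNAUTH is refused), which is the safe direction, but the operator is never told the line was wrong. This mirrors the neighbouring `pasn_comeback_after` handling, so it follows the file's existing style; if the option is meant to be strict, `int val = atoi(pos); if (val != 0 && val != 1) { wpa_printf(MSG_ERROR, "Line %d: invalid pasn_noauth value", line); return 1; } bss->pasn_noauth = val;` follows the pattern the range-checked options in hostapd_config_fill use. hostapd_config_fill begins and ends outside this hunk.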
@@ -2170,6 +2170,11 @@ own_ip_addr=127.0.0.1
 # (default: 10 TUs)
 #pasn_comeback_after=10
 
+# Unauthenticated PASN activated (dot11NoAuthPASNActivated)
+# This indicates whether PASN without mutual authentication is allowed.
+# (default: 1 = activated)
+#pasn_noauth=1
+
 ##### IEEE 802.11r configuration ##############################################
 
 # Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 2b1041de8..298216a47 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -169,6 +169,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef CONFIG_PASN
 /* comeback after 10 TUs */
 bss->pasn_comeback_after = 10;
+ bss->pasn_noauth = 1;
 #endif /* CONFIG_PASN */
 }
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8598602b1..63b9ef701 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -906,6 +906,9 @@ struct hostapd_bss_config {
 #endif /* CONFIG_MACSEC */
 
 #ifdef CONFIG_PASN
+ /* Whether to allow PASN-UNAUTH */
+ int pasn_noauth;
+
 #ifdef CONFIG_TESTING_OPTIONS
 /*
 * Normally, KDK should be derived if and only if both sides support
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 48b0219f3..93a6b4f56 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2527,6 +2527,7 @@ static void hapd_initialize_pasn(struct hostapd_data *hapd,
 pasn->cb_ctx = hapd;
 pasn->send_mgmt = hapd_pasn_send_mlme;
 pasn->pasn_groups = hapd->conf->pasn_groups;
+ pasn->noauth = hapd->conf->pasn_noauth;
 pasn->wpa_key_mgmt = hapd->conf->wpa_key_mgmt;
 pasn->rsn_pairwise = hapd->conf->rsn_pairwise;
 pasn->derive_kdk = hapd->iface->drv_flags2 &
diff --git a/src/pasn/pasn_common.h b/src/pasn/pasn_common.h
index 9c2f397e7..a4850a284 100644
--- a/src/pasn/pasn_common.h
+++ b/src/pasn/pasn_common.h
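Review bot: `bss->pasn_noauth = 1;` in the ap_config.c hunk sets a default that is the opposite of the standard's (the commit message says dot11NoAuthPASNActivated defaults to false), but nothing in the code records why, so a later reader who matches the MIB name from hostapd.conf will read this as a bug. A comment in the style of the neighbouring `/* comeback after 10 TUs */`, such as `/* dot11NoAuthPASNActivated; the standard default is false, 1 preserves the behavior from before this option existed */`, keeps the rationale next to the value. The same applies to the field comment `/* Whether to allow PASN-UNAUTH */` in the ap_config.h hunk, which could name dot11NoAuthPASNActivated so the config option, the MIB variable and the struct field can be connected without the commit message.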
@@ -95,7 +95,8 @@ struct pasn_data {
 u8 wrapped_data_format;
 struct wpabuf *secret;
 
- /* Reponder */
+ /* Responder */
+ bool noauth; /* Whether PASN without mutual authentication is enabled */
 int wpa_key_mgmt;
 int rsn_pairwise;
 bool derive_kdk;
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index 3b1912df3..78a9dd7da 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -743,6 +743,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 goto send_resp;
 }
 
+ if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
+ wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto send_resp;
+ }
+
 derive_keys = true;
 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
 wrapped_data = ieee802_11_defrag(&elems,
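Review bot: The refusal in the pasn_responder.c hunk reports `WLAN_STATUS_UNSPECIFIED_FAILURE`, so an initiator that offered the PASN AKM cannot tell a policy refusal from an internal error; since the rejection is about the selected AKM, `status = WLAN_STATUS_INVALID_AKMP;` looks like the more informative code, assuming the draft text quoted in the commit message does not mandate a specific one (it is not visible here). The debug line also carries no peer identity; if `peer_addr` is in scope (handle_auth_pasn_1's parameter list is cut by the hunk header), `wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH from " MACSTR, MAC2STR(peer_addr));` would let an operator who disabled PASN-UNAUTH see which stations keep attempting it. The check relies on `pasn->akmp` having been set from the RSNE earlier in the function, which is outside the hunk, and it runs only after the PASN Parameters element has already been parsed, so placing it directly after the AKM selection would refuse earlier and skip that work. Separately, as far as this diff shows nothing rejects a configuration with pasn_noauth=0 while wpa_key_mgmt still advertises the PASN AKM, so the BSS may advertise an AKM it always refuses; a warning for that combination in the configuration validation would avoid a confusing deployment.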