PASN: Introduce configuration option to allow/deny PASN-UNAUTH

Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and Processing), responder should REFUSE PASN authentication frame 1 with Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That configuration was not previously available and hostapd was hardcoded with dot11NoAuthPASNActivated being true. Allow this to be configured and reject PASN authentication frame 1 from initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN. The default value for pasn_noauth is 1 to maintain previous functionality even though the dot11NoAuthPASNActivated is defined to have default value of false. Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2023-05-17 10:20:38 +05:30 · 2023-05-17 10:20:38 +05:30 · 4120f9d7ab
commit 4120f9d7ab
parent fc681995cf
7 changed files with 20 additions and 1 deletions
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@ -4734,6 +4734,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 		}
 	} else if (os_strcmp(buf, "pasn_comeback_after") == 0) {
 		bss->pasn_comeback_after = atoi(pos);
+	} else if (os_strcmp(buf, "pasn_noauth") == 0) {
+		bss->pasn_noauth = atoi(pos);
 #endif /* CONFIG_PASN */
 	} else if (os_strcmp(buf, "ext_capa_mask") == 0) {
 		if (get_hex_config(bss->ext_capa_mask, EXT_CAPA_MAX_LEN,
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@ -2170,6 +2170,11 @@ own_ip_addr=127.0.0.1
 # (default: 10 TUs)
 #pasn_comeback_after=10

+# Unauthenticated PASN activated (dot11NoAuthPASNActivated)
+# This indicates whether PASN without mutual authentication is allowed.
+# (default: 1 = activated)
+#pasn_noauth=1
+
 ##### IEEE 802.11r configuration ##############################################

 # Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -169,6 +169,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef CONFIG_PASN
 	/* comeback after 10 TUs */
 	bss->pasn_comeback_after = 10;
+	bss->pasn_noauth = 1;
 #endif /* CONFIG_PASN */
 }

--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@ -906,6 +906,9 @@ struct hostapd_bss_config {
 #endif /* CONFIG_MACSEC */

 #ifdef CONFIG_PASN
+	/* Whether to allow PASN-UNAUTH */
+	int pasn_noauth;
+
 #ifdef CONFIG_TESTING_OPTIONS
 	/*
 	 * Normally, KDK should be derived if and only if both sides support
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@ -2527,6 +2527,7 @@ static void hapd_initialize_pasn(struct hostapd_data *hapd,
 	pasn->cb_ctx = hapd;
 	pasn->send_mgmt = hapd_pasn_send_mlme;
 	pasn->pasn_groups = hapd->conf->pasn_groups;
+	pasn->noauth = hapd->conf->pasn_noauth;
 	pasn->wpa_key_mgmt = hapd->conf->wpa_key_mgmt;
 	pasn->rsn_pairwise = hapd->conf->rsn_pairwise;
 	pasn->derive_kdk = hapd->iface->drv_flags2 &
--- a/src/pasn/pasn_common.h
+++ b/src/pasn/pasn_common.h
@ -95,7 +95,8 @@ struct pasn_data {
 	u8 wrapped_data_format;
 	struct wpabuf *secret;

-	/* Reponder */
+	/* Responder */
+	bool noauth; /* Whether PASN without mutual authentication is enabled */
 	int wpa_key_mgmt;
 	int rsn_pairwise;
 	bool derive_kdk;
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@ -743,6 +743,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 		goto send_resp;
 	}

+	if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
+		wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
+		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+		goto send_resp;
+	}
+
 	derive_keys = true;
 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
 		wrapped_data = ieee802_11_defrag(&elems,