[PATCH v2 00/20] Support base Pre association Security Negotiation (PASN)
Ilan Peer
ilan.peer at intel.com
Wed Dec 16 06:00:13 EST 2020
The following series of patches adds support for the basic
Pre Association Security Negotiation (PASN) as defined in Draft
802.11az_D2.6. In short, PASN is a mechanism to establish a
security association and allow Management Frame Protection (MFP)
prior to association.
The first patches in the set include needed changes to nl80211
and some WPA components. The following patches introduce building
block functions to compute the keys etc. and build/validate the
PASN authentication frames.
Since PASN is intended to be used to establish a PTKSA between a non-AP
station and an AP in an infrastructure network, that can
later be used for secure LTF measurement exchange, an implementation
of a PTKSA is added to both wpa_supplicant and hostapd.
Once all the prerequisites are in place, the patch set adds support for
PASN to the wpa_supplicant and hostapd, based on either the existence
of a PMKSA for a base AKM (SAE or FILS), or key establishment using
PASN authentication.
Ilan Peer (20):
nl80211: Allow off-channel of authentication frames in send_mlme()
nl80211: Always register for Rx authentication frames with PASN
common: Allow WPA_CIPHER_GTK_NOT_USED as a valid group management cipher
WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
FT: Extend the wpa_pmk_r1_to_ptk() function to also derive KDK
WPA: Extend the fils_pmk_to_ptk() function to also derive KDK
PASN: Add some specification definitions
PASN: Add functions to compute PTK, MIC and hash
PASN: Add common authentication frame build/validation functions
tests: Add module tests for PASN PTK derivation
common: Add PASN parsing to ieee802_11_parse_extension()
WPA: Add a function to get PMKSA cache entry
WPA: Add PTKSA cache implementation
WPA: Add PTKSA cache to wpa_supplicant for PASN
PASN: Add support for PASN processing to the wpa_supplicant
ctrl_iface: Add support for PASN authentication
AP: Add support for configuring PASN
WPA_AUTH: Add PTKSA cache to hostapd
AP: Add support for PASN processing to the SME
tests: Add PASN test coverage
hostapd/Makefile | 10 +
hostapd/config_file.c | 17 +
hostapd/ctrl_iface.c | 4 +
hostapd/defconfig | 4 +
hostapd/hostapd.conf | 8 +
src/ap/ap_config.c | 4 +
src/ap/ap_config.h | 12 +
src/ap/hostapd.h | 3 +
src/ap/ieee802_11.c | 517 ++++++++++++-
src/ap/sta_info.c | 20 +
src/ap/sta_info.h | 20 +
src/ap/wpa_auth.c | 41 +-
src/ap/wpa_auth.h | 9 +
src/ap/wpa_auth_ft.c | 7 +-
src/ap/wpa_auth_glue.c | 39 +
src/ap/wpa_auth_ie.c | 7 +
src/common/Makefile | 4 +-
src/common/common_module_tests.c | 171 ++++-
src/common/defs.h | 2 +
src/common/ieee802_11_common.c | 4 +
src/common/ieee802_11_common.h | 2 +
src/common/ieee802_11_defs.h | 3 +
src/common/ptksa_cache.c | 321 ++++++++
src/common/ptksa_cache.h | 84 ++
src/common/wpa_common.c | 748 +++++++++++++++++-
src/common/wpa_common.h | 79 +-
src/common/wpa_ctrl.h | 3 +
src/drivers/driver_nl80211.c | 35 +-
src/rsn_supp/wpa.c | 28 +-
src/rsn_supp/wpa.h | 17 +
src/rsn_supp/wpa_ft.c | 8 +-
src/rsn_supp/wpa_i.h | 14 +
tests/hwsim/example-hostapd.config | 2 +
tests/hwsim/example-wpa_supplicant.config | 1 +
tests/hwsim/hostapd.py | 17 +
tests/hwsim/test_pasn.py | 344 +++++++++
tests/hwsim/wpasupplicant.py | 20 +
wlantest/Makefile | 1 +
wlantest/rx_eapol.c | 4 +-
wlantest/rx_mgmt.c | 7 +-
wpa_supplicant/Makefile | 11 +
wpa_supplicant/config.c | 5 +
wpa_supplicant/config.h | 10 +
wpa_supplicant/ctrl_iface.c | 95 +++
wpa_supplicant/defconfig | 3 +
wpa_supplicant/events.c | 19 +
wpa_supplicant/pasn_supplicant.c | 893 ++++++++++++++++++++++
wpa_supplicant/wpa_cli.c | 36 +
wpa_supplicant/wpa_supplicant.c | 11 +
wpa_supplicant/wpa_supplicant_i.h | 43 ++
wpa_supplicant/wpas_glue.c | 34 +-
51 files changed, 3759 insertions(+), 42 deletions(-)
create mode 100644 src/common/ptksa_cache.c
create mode 100644 src/common/ptksa_cache.h
create mode 100644 tests/hwsim/test_pasn.py
create mode 100644 wpa_supplicant/pasn_supplicant.c
--
2.17.1