The following series of patches is an implementation of the Pre Association Security Negotiation (PASN) as defined in Draft 802.11az_D1.5.

In short, PASN is a mechanism to establish a security association and allow Management Frame Protection (MFP) prior to association.

To support the PASN authentication flows while associated, the 3-way authentication handshake is performed from the wpa_supplicant, without the low level kernel driver being aware of the authentication exchange, using the send_mlme() API, which was extended to also allow support for a wait option. In addition, some changes are introduced in the nl80211 driver to allow sending/receiving authentication frames.

To support processing of authentication frames in user space, the following change in mac80211 is also required:

- https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/backport-iwlwifi.git/commit/?id=2020ea4a16e35b28d50a77d883e2396995583f81

Since the PASN authentication relies on support for wrapped data and element fragmentation/defragmentation, the patch set includes changes that introduce support for the missing parts.

As one of the primary goals of PASN is to establish a PTKSA between a non-AP station and an AP in an infrastructure network, that can later be used for secure LTF measurement exchange, an implementation of a PTKSA is added to both wpa_supplicant and hostapd.

Finally, note that since the specification definitions are incomplete, e.g., information element IDs etc. are missing, the implementation uses internally set values that should be updated once the specification is complete.

Andrei Otcheretianski (1):
  driver_nl80211: Register for SAE AUTH frames more strictly

Ilan Peer (39):
  driver: Extend send_mlme() with wait option
  nl80211: Allow off-channel in send_mlme()
  nl80211: Allow Tx status for authentication frames
  nl80211: Always register for Rx authentication frames with PASN
  WPA: Extend the wpa_pmk_to_ptk() function to also derive HLTK
  FT: Extend the wpa_pmk_r1_to_ptk() function to also derive HLTK
  WPA: Extend the fils_pmk_to_ptk() function to also derive HLTK
  PASN: Add functions to compute PTK, MIC and hash
  crypto: Add a function to get the ECDH prime len
  WPA: Rename FILS wrapped data
  common: Add support for element defragmentation
  PASN: Add some specification definitions
  PASN: Add common authentication frame build/validation functions
  common: Add PASN parsing to ieee802_11_parse_extension()
  common: Allow WPA_CIPHER_GTK_NOT_USED in RSNE parsing
  WPA: Add a function to get PMKSA cache entry
  WPA: Add PTKSA cache implementation
  WPA: Add PTKSA cache to wpa_supplicant for PASN
  PASN: Add support for PASN processing to the wpa_supplicant
  ctrl_iface: Add support for PASN authentication
  AP: Add support for configuring PASN
  WPA_AUTH: Add PTKSA cache to hostapd
  AP: Add support for PASN processing to the SME
  tests: Add PASN test coverage
  PASN: Support PASN with SAE key derivation
  AP: Support PASN with SAE key derivation
  tests: Add PASN tests with SAE
  PASN: Support PASN with FILS key derivation
  AP: Support PASN with FILS key derivation
  tests: Add PASN with FILS tests
  AP: Rename SAE anti clogging variables and functions
  AP: Move anti clogging handling code
  AP: Add support for PASN comeback flow
  PASN: Add support for comeback flow to the wpa_supplicant
  tests: Add PASN test with comeback flow
  PASN: Support PASN with FT key derivation
  AP: Support PASN with FT key derivation
  tests: Add PASN tests with FT key derivation
  tests: Add module tests for PASN PTK derivation

 hostapd/Makefile                          |   10 +
 hostapd/config_file.c                     |   21 +-
 hostapd/ctrl_iface.c                      |    4 +
 hostapd/defconfig                         |    5 +
 hostapd/hostapd.conf                      |    8 +
 src/ap/ap_config.c                        |    6 +-
 src/ap/ap_config.h                        |   14 +-
 src/ap/ap_drv_ops.c                       |    4 +-
 src/ap/hostapd.h                          |   11 +-
 src/ap/ieee802_11.c                       | 1544 +++++++++++++++++---
 src/ap/ieee802_1x.c                       |    3 +-
 src/ap/sta_info.c                         |   34 +
 src/ap/sta_info.h                         |   46 +
 src/ap/wpa_auth.c                         |   40 +-
 src/ap/wpa_auth.h                         |   17 +
 src/ap/wpa_auth_ft.c                      |   21 +-
 src/ap/wpa_auth_glue.c                    |   39 +
 src/ap/wpa_auth_ie.c                      |    7 +
 src/common/Makefile                       |    4 +-
 src/common/common_module_tests.c          |  171 ++-
 src/common/defs.h                         |    3 +
 src/common/ieee802_11_common.c            |  124 +-
 src/common/ieee802_11_common.h            |   30 +-
 src/common/ieee802_11_defs.h              |    8 +-
 src/common/ptksa_cache.c                  |  321 +++++
 src/common/ptksa_cache.h                  |   84 ++
 src/common/wpa_common.c                   |  748 +++++++++-
 src/common/wpa_common.h                   |   80 +-
 src/common/wpa_ctrl.h                     |    3 +
 src/crypto/crypto.h                       |    1 +
 src/crypto/crypto_openssl.c               |    4 +
 src/crypto/crypto_wolfssl.c               |    4 +
 src/drivers/driver.h                      |    4 +-
 src/drivers/driver_hostap.c               |   11 +-
 src/drivers/driver_nl80211.c              |   42 +-
 src/drivers/driver_nl80211_event.c        |   39 +-
 src/rsn_supp/wpa.c                        |   52 +-
 src/rsn_supp/wpa.h                        |   36 +
 src/rsn_supp/wpa_ft.c                     |  105 +-
 src/rsn_supp/wpa_i.h                      |   30 +
 tests/hwsim/example-hostapd.config        |    2 +
 tests/hwsim/example-wpa_supplicant.config |    2 +
 tests/hwsim/hostapd.py                    |   17 +
 tests/hwsim/test_pasn.py                  |  624 +++++++++
 tests/hwsim/test_sae.py                   |    8 +-
 tests/hwsim/wpasupplicant.py              |   20 +
 wlantest/rx_eapol.c                       |    4 +-
 wlantest/rx_mgmt.c                        |    6 +-
 wpa_supplicant/Makefile                   |   11 +
 wpa_supplicant/config.c                   |    5 +
 wpa_supplicant/config.h                   |   10 +
 wpa_supplicant/ctrl_iface.c               |  109 ++
 wpa_supplicant/defconfig                  |    3 +
 wpa_supplicant/driver_i.h                 |    4 +-
 wpa_supplicant/events.c                   |   19 +
 wpa_supplicant/p2p_supplicant.c           |    2 +-
 wpa_supplicant/pasn_supplicant.c          | 1555 +++++++++++++++++++++
 wpa_supplicant/sme.c                      |    4 +-
 wpa_supplicant/wpa_cli.c                  |   36 +
 wpa_supplicant/wpa_supplicant.c           |   11 +
 wpa_supplicant/wpa_supplicant_i.h         |   78 ++
 wpa_supplicant/wpas_glue.c                |   34 +-
 62 files changed, 6025 insertions(+), 277 deletions(-)
 create mode 100644 src/common/ptksa_cache.c
 create mode 100644 src/common/ptksa_cache.h
 create mode 100644 tests/hwsim/test_pasn.py
 create mode 100644 wpa_supplicant/pasn_supplicant.c

--
2.17.1
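
The cover letter above says PASN depends on element fragmentation/defragmentation. As an added illustration (not code from this patch series or from hostap), the sketch below reassembles an IEEE 802.11 element followed by Fragment elements (ID 242) from an untrusted frame, with the bounds checks such a parser needs. The names defrag_element() and demo() are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_FRAGMENT 242 /* Fragment element ID (IEEE 802.11) */

/* Reassemble the element at ies[0] plus any Fragment elements after it.
 * Returns the reassembled length, or -1 if the untrusted input is truncated
 * or does not fit in out[]. *used receives the number of octets consumed. */
long defrag_element(const uint8_t *ies, size_t ies_len, uint8_t *out,
                    size_t out_cap, size_t *used)
{
    size_t pos = 0, total = 0;
    uint8_t len = 0;

    /* A Fragment element only counts directly after a full 255-octet part. */
    while (pos == 0 || (len == 255 && ies_len - pos >= 2 &&
                        ies[pos] == EID_FRAGMENT)) {
        if (ies_len - pos < 2) return -1;       /* no room for ID + length */
        len = ies[pos + 1];
        if (len > ies_len - pos - 2) return -1; /* length runs past frame */
        if (len > out_cap - total) return -1;   /* reassembly buffer full */
        memcpy(out + total, ies + pos + 2, len);
        total += len;
        pos += 2 + (size_t)len;
    }
    *used = pos;
    return (long)total;
}

/* Constructed sample: split n octets (octet i has value i & 0xff) the way a
 * sender would, cut the frame to `keep` octets, then parse it. Returns the
 * parser's result, or -2 if the reassembled octets differ from the input. */
long demo(size_t n, size_t keep)
{
    static uint8_t frame[1024], out[600];
    size_t i, off = 0, pos = 0, used;

    if (n > 1000) return -3;                    /* sample frame is 1024 octets */
    do {
        size_t part = n - off > 255 ? 255 : n - off;
        frame[pos++] = off ? EID_FRAGMENT : 255; /* lead: Extension element */
        frame[pos++] = (uint8_t)part;
        for (i = 0; i < part; i++, off++)
            frame[pos++] = (uint8_t)off;
    } while (off < n);
    if (keep < pos) pos = keep;                 /* simulate a truncated frame */
    long r = defrag_element(frame, pos, out, sizeof(out), &used);
    for (i = 0; r > 0 && i < (size_t)r; i++)
        if (out[i] != (uint8_t)i) return -2;
    return r;
}
```

Calling demo(300, 300) cuts the frame inside the second part, so the parser rejects it instead of reading past the end of the buffer.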