Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
hostapd/Makefile | 8 ++++++++
hostapd/config_file.c | 11 +++++++++++
hostapd/defconfig | 5 +++++
hostapd/hostapd.conf | 8 ++++++++
src/ap/ap_config.c | 4 ++++
src/ap/ap_config.h | 2 ++
src/ap/wpa_auth_ie.c | 7 +++++++
7 files changed, 45 insertions(+)
diff --git a/hostapd/Makefile b/hostapd/Makefile
index dbe0403a1b..b194624d9b 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -585,6 +585,14 @@ CFLAGS += -DCONFIG_DPP2
endif
endif
+ifdef CONFIG_PASN
+CFLAGS += -DCONFIG_PASN
+NEED_HMAC_SHA256_KDF=y
+NEED_HMAC_SHA384_KDF=y
+NEED_SHA256=y
+NEED_SHA384=y
+endif
+
ifdef CONFIG_EAP_IKEV2
CFLAGS += -DEAP_SERVER_IKEV2
OBJS += ../src/eap_server/eap_server_ikev2.o ../src/eap_server/ikev2.o
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 83fdacf42b..66d40b669d 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -753,6 +753,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
else if (os_strcmp(start, "OSEN") == 0)
val |= WPA_KEY_MGMT_OSEN;
#endif /* CONFIG_HS20 */
+#ifdef CONFIG_PASN
+ else if (os_strcmp(start, "PASN") == 0)
+ val |= WPA_KEY_MGMT_PASN;
+#endif /* CONFIG_PASN */
else {
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
line, start);
@@ -4555,6 +4559,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
} else if (os_strcmp(buf, "force_hltk_derivation") == 0) {
bss->force_hltk_derivation = atoi(pos);
#endif /* CONFIG_TESTING_OPTIONS */
+ } else if (os_strcmp(buf, "pasn_groups") == 0) {
+ if (hostapd_parse_intlist(&bss->pasn_groups, pos)) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid psan_groups value '%s'",
+ line, pos);
+ return 1;
+ }
#endif /* CONFIG_PASN */
} else {
wpa_printf(MSG_ERROR,
diff --git a/hostapd/defconfig b/hostapd/defconfig
index e12260f4a9..4156fee094 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -380,3 +380,8 @@ CONFIG_IPV6=y
# Override default value for the wpa_disable_eapol_key_retries configuration
# parameter. See that parameter in hostapd.conf for more details.
#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+
+# Pre Association Security Negotiation (PASN)
+# This requires CONFIG_IEEE80211W=y to be enabled, too.
+#CONFIG_PASN=y
+
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index bc5d1a7f69..0e6cbdc614 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1894,6 +1894,14 @@ own_ip_addr=127.0.0.1
# default: 30 TUs (= 30.72 milliseconds)
#fils_hlp_wait_time=30
+# PASN ECDH groups
+# PASN implementations are required to support group 19 (NIST P-256). If not
+# defined, only group 19 is supported by default. This configuration parameter
+# can be used to specify a limited set of allowed groups. The group values are
+# listed in the IANA registry:
+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
+#pasn_groups=19 20 21
+
##### IEEE 802.11r configuration ##############################################
# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index fddc8ca446..b1bbd0bc62 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -931,6 +931,10 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
}
#endif /* CONFIG_AIRTIME_POLICY */
+#ifdef CONFIG_PASN
+ os_free(conf->pasn_groups);
+#endif /* CONFIG_PASN */
+
os_free(conf);
}
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 5a60785c20..0ceccccdc6 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -849,6 +849,8 @@ struct hostapd_bss_config {
*/
int force_hltk_derivation;
#endif /* CONFIG_TESTING_OPTIONS */
+
+ int *pasn_groups;
#endif /* CONFIG_PASN */
};
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 2e6d059104..d84f349971 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -260,6 +260,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
num_suites++;
}
#endif /* CONFIG_HS20 */
+#ifdef CONFIG_PASN
+ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) {
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN);
+ pos += RSN_SELECTOR_LEN;
+ num_suites++;
+ }
+#endif /* CONFIG_PASN */
#ifdef CONFIG_RSN_TESTING
if (rsn_testing) {
--
2.17.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
