[PATCH] wpa_supplicant: Do not associate on 6GHz with invalid AP
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Thu Mar 3 14:53:39 PST 2022
From: Ilan Peer <ilan.peer at intel.com>
On the 6GHz band the following is not allowed, so do not
allow association with an AP that advertises support for
these:
- Pairwise or group ciphers that include WEP/TKIP
- Support for WPA PSK AKMs
- Support for SAE AKM without H2E
In addition do not allow association if the AP does not
advertise a matching RSN IE or does not declare that
it is MFP capable.
Change-Id: I9e12bc329c665571af4b6ce0a8442e83fee26ea4
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
wpa_supplicant/events.c | 43 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 603ac33d1b..a8e1f35403 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -566,6 +566,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_WEP
int wep_ok;
#endif /* CONFIG_WEP */
+ u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
if (ret >= 0)
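Review bot: `is_6ghz_bss` is declared as `u8` although it only holds the result of the `is_6ghz_freq()` predicate and is only tested for truth in the later hunks. The file already uses `bool` (see the `static bool wpa_scan_res_ok` signature in the last hunk), so `bool is_6ghz_bss = is_6ghz_freq(bss->freq);` would state the intent more directly. The rest of the function's declarations are outside this hunk.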
@@ -580,6 +581,11 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_WEP */
rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+ if (is_6ghz_bss && !rsn_ie) {
+ wpa_dbg(wpa_s, MSG_DEBUG, " skip - 6GHz BSS RSN IE");
+ return 0;
+ }
+
while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
proto_match++;
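Review bot: The debug text `" skip - 6GHz BSS RSN IE"` drops the word that carries the meaning; it should read something like `" skip - 6GHz BSS without RSN IE"`, otherwise a log reader cannot tell why the BSS was rejected. The call is also not wrapped in `if (debug_print)`, unlike the MFPC message this patch adds further down. The same holds for the legacy-cipher message and the final "without matching RSN IE" message in the later hunks, so these three presumably log even when the caller asked for no debug output. Suggest putting `if (debug_print)` in front of all three.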
@@ -595,6 +601,18 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
#ifdef CONFIG_WEP
+ if (is_6ghz_bss &&
+ ((ie.pairwise_cipher & (WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP)) ||
+ (ie.group_cipher & (WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP)))) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - legacy cipher not allowed on 6GHz");
+ return 0;
+ }
+
if (wep_ok &&
(ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
{
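Review bot: As placed in this hunk, the new legacy-cipher check sits after `#ifdef CONFIG_WEP`, so a build without CONFIG_WEP compiles it out and a 6GHz AP advertising TKIP (or WEP) as pairwise or group cipher is no longer rejected here. The 6GHz restriction does not depend on local WEP support, so the block should move above the `#ifdef CONFIG_WEP` line, directly after the default-cipher assignment. A one-line comment such as `/* WEP and TKIP are not allowed on the 6 GHz band */` would also help. The matching `#endif` is outside the hunk, so the nesting should be confirmed against the full function.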
@@ -635,6 +653,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
break;
}
+ if (is_6ghz_bss) {
+ /* MFPC must be supported on 6GHz */
+ if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip RSN IE - 6GHz without MFPC");
+ break;
+ }
+
+ /* WPA PSK is not allowed on the 6GHz band */
+ ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+ WPA_KEY_MGMT_FT_PSK |
+ WPA_KEY_MGMT_PSK_SHA256);
+ }
+
if (!(ie.key_mgmt & ssid->key_mgmt)) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
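Review bot: The PSK handling only clears the PSK bits from the parsed `ie.key_mgmt`, so an AP that advertises PSK next to SAE is still accepted when the profile allows SAE, while the commit description says association with an AP that advertises PSK AKMs is not allowed. If the description is the intent, test the bits and `break` the way the MFPC check above does; if masking is intended, the comment should say that mixed PSK/SAE APs are deliberately accepted. With the masking form, the following `!(ie.key_mgmt & ssid->key_mgmt)` branch also gives no hint that PSK was dropped because of the band. The loop this sits in starts and ends outside the hunk.

```c
	if (is_6ghz_bss) {
		/* … unchanged: MFPC check … */

		/* PSK AKMs must not be advertised on the 6GHz band */
		if (ie.key_mgmt & (WPA_KEY_MGMT_PSK |
				   WPA_KEY_MGMT_FT_PSK |
				   WPA_KEY_MGMT_PSK_SHA256)) {
			if (debug_print)
				wpa_dbg(wpa_s, MSG_DEBUG,
					"   skip RSN IE - PSK AKM advertised on 6GHz");
			break;
		}
	}
```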
@@ -665,6 +698,12 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
return 1;
}
+ if (is_6ghz_bss) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - 6GHz BSS without matching RSN IE");
+ return 0;
+ }
+
if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
(!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
if (debug_print)
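Review bot: This unconditional `return 0` for 6GHz has no comment, yet it makes every check after it, starting with the PMF test on the next lines, unreachable for a 6GHz BSS. A short comment would mark that as intentional, e.g. `/* 6 GHz requires an acceptable RSNE; do not fall through to the checks below */`. What those later checks cover is outside the hunk, so the wording should be confirmed against the full function.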
@@ -1316,7 +1355,9 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
}
#ifdef CONFIG_SAE
- if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+ /* On 6GHz band, only H2E is allowed */
+ if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+ ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
if (debug_print)
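Review bot: The new `is_6ghz_freq(bss->freq)` term is OR-ed into the first group, but the whole test is still AND-ed with `wpa_s->conf->sae_pwe != 3`, so with that setting a 6GHz AP that lacks the H2E bit in its RSNXE is not skipped. If the 6GHz rule should hold regardless of `sae_pwe`, the first part could read `(is_6ghz_freq(bss->freq) || ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && wpa_s->conf->sae_pwe != 3))`; if value 3 is meant to override it, the new comment should say so. This hunk only filters scan results; whether the station itself then uses H2E on 6GHz when `sae_pwe` is 0 is decided elsewhere and is not visible here. The `if` body continues past the hunk.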
--
2.25.1