[PATCH v2] wpa_supplicant: Do not associate on 6GHz with forbidden configurations
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Sun Mar 6 07:49:34 PST 2022
From: Ilan Peer <ilan.peer at intel.com>
On the 6GHz band the following is not allowed, so do not
allow association with an AP using these configurations:
- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E
In addition do not allow association if the AP does not
advertise a matching RSN IE or does not declare that
it is MFP capable.
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
wpa_supplicant/events.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 603ac33d1b..0b54f7e8b5 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -566,6 +566,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_WEP
int wep_ok;
#endif /* CONFIG_WEP */
+ u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
if (ret >= 0)
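Review bot: `is_6ghz_bss` is used purely as a truth value, so `u8` is a misleading type for it. `bool is_6ghz_bss = is_6ghz_freq(bss->freq);` states the intent and matches the `bool` return type that `wpa_scan_res_ok()` already uses in this file. The declaration block it sits in starts above the hunk.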
@@ -580,6 +581,11 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_WEP */
rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+ if (is_6ghz_bss && !rsn_ie) {
+ wpa_dbg(wpa_s, MSG_DEBUG, " skip - 6GHz BSS RSN IE");
+ return 0;
+ }
+
while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
proto_match++;
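Review bot: The debug text in the added `if (is_6ghz_bss && !rsn_ie)` branch reads `skip - 6GHz BSS RSN IE`, which drops the word that carries the meaning; `skip - 6GHz BSS without RSN IE` says why the BSS was rejected. The `wpa_dbg()` call is also unconditional, while the MFPC message added later in this patch is wrapped in `if (debug_print)`. The same applies to the `skip - 6GHz BSS without matching RSN IE` message added after the RSN loop. If `debug_print` is meant to suppress per-BSS output in this function, both calls should sit under `if (debug_print)`. The function body continues outside the hunk.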
@@ -594,6 +600,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
if (!ie.has_group)
ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
+ if (is_6ghz_bss) {
+ /* WEP and TKIP are not allowed on 6GHZ */
+ ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP);
+ ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP);
+ }
+
#ifdef CONFIG_WEP
if (wep_ok &&
(ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
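Review bot: The WEP/TKIP bits are cleared only in the local parsed copy `ie`, so the restriction holds for this match decision but not for any later code that parses the BSS's RSN IE again; the same is true of the PSK AKM mask added further down. If cipher and AKM selection at association time (not visible in this patch) works from the advertised IE, a profile that also permits TKIP or WPA-PSK might still negotiate it with a 6 GHz BSS that advertises both, so it is worth confirming that path applies the same filter. The comment could also say what the masking achieves, e.g. `/* WEP and TKIP are not allowed on 6 GHz; drop them from the parsed copy so only the remaining ciphers can match below */`.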
@@ -635,6 +651,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
break;
}
+ if (is_6ghz_bss) {
+ /* MFPC must be supported on 6GHz */
+ if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip RSN IE - 6GHz without MFPC");
+ break;
+ }
+
+ /* WPA PSK is not allowed on the 6GHz band */
+ ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+ WPA_KEY_MGMT_FT_PSK |
+ WPA_KEY_MGMT_PSK_SHA256);
+ }
+
if (!(ie.key_mgmt & ssid->key_mgmt)) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
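Review bot: The added MFPC test only checks what the AP advertises. Nothing in the visible hunks rejects a 6 GHz BSS when the local profile has PMF disabled, so an association without management frame protection may still be possible. If that case is already handled where `wpas_get_ssid_pmf()` is evaluated earlier in the loop (outside this hunk), a comment saying so would help. Otherwise a test such as `if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION)` with its own skip message belongs next to the MFPC check.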
@@ -665,6 +696,12 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
return 1;
}
+ if (is_6ghz_bss) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - 6GHz BSS without matching RSN IE");
+ return 0;
+ }
+
if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
(!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
if (debug_print)
@@ -1316,7 +1353,9 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
}
#ifdef CONFIG_SAE
- if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+ /* On 6GHz band, only H2E is allowed */
+ if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+ ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
if (debug_print)
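Review bot: The new `is_6ghz_freq(bss->freq)` term only filters out APs that do not advertise H2E in RSNXE; it does not by itself make the station use H2E on 6 GHz when `sae_pwe` is 0, and `sae_pwe != 3` still bypasses the check entirely. Whether the SAE authentication path (not part of this patch) forces H2E for 6 GHz BSSs should be confirmed, otherwise hunting-and-pecking could still be used with an H2E-capable 6 GHz AP. The comment would be clearer as `/* On the 6 GHz band only H2E is allowed, so require the AP to advertise it unless sae_pwe is 3 */`. The enclosing `if` continues past the end of the hunk.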
--
2.25.1