Re: [PATCH v2] wpa_supplicant: Do not associate on 6GHz with forbidden configurations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm not sure I agree with the execution here. In particular, I don't
think we should be modifying the IEs of the AP to prevent association.
Rather, there are places (e.g. wpa_supplicant_set_suites) where we
determine the correct suite based on the network configuration and the
AP IEs, and it makes more sense to do the 6ghz check there. In the
case of the WEP check, that can be easily accomplished by checking for
6ghz when we define wep_ok, with the additional benefit of not
exposing more WEP specific things outside of CONFIG_WEP.

On Sun, Mar 6, 2022 at 7:50 AM Andrei Otcheretianski
<andrei.otcheretianski@xxxxxxxxx> wrote:
>
> From: Ilan Peer <ilan.peer@xxxxxxxxx>
>
> On the 6GHz band the following is not allowed, so do not
> allow association with an AP using these configurations:
>
> - WEP/TKIP pairwise or group ciphers
> - WPA PSK AKMs
> - SAE AKM without H2E
>
> In addition do not allow association if the AP does not
> advertise a matching RSN IE or does not declare that
> it is MFP capable.
>
> Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@xxxxxxxxx>
> ---
>  wpa_supplicant/events.c | 41 ++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 40 insertions(+), 1 deletion(-)
>
> diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
> index 603ac33d1b..0b54f7e8b5 100644
> --- a/wpa_supplicant/events.c
> +++ b/wpa_supplicant/events.c
> @@ -566,6 +566,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>  #ifdef CONFIG_WEP
>         int wep_ok;
>  #endif /* CONFIG_WEP */
> +       u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
>
>         ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
>         if (ret >= 0)
> @@ -580,6 +581,11 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>  #endif /* CONFIG_WEP */
>
>         rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
> +       if (is_6ghz_bss && !rsn_ie) {
> +               wpa_dbg(wpa_s, MSG_DEBUG, "   skip - 6GHz BSS RSN IE");
> +               return 0;
> +       }
> +
>         while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
>                 proto_match++;
>
> @@ -594,6 +600,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                 if (!ie.has_group)
>                         ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
>
> +               if (is_6ghz_bss) {
> +                       /* WEP and TKIP are not allowed on 6GHZ */
> +                       ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
> +                                               WPA_CIPHER_WEP104 |
> +                                               WPA_CIPHER_TKIP);
> +                       ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
> +                                            WPA_CIPHER_WEP104 |
> +                                            WPA_CIPHER_TKIP);
> +               }
> +
>  #ifdef CONFIG_WEP
>                 if (wep_ok &&
>                     (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
> @@ -635,6 +651,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                         break;
>                 }
>
> +               if (is_6ghz_bss) {
> +                       /* MFPC must be supported on 6GHz */
> +                       if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
> +                               if (debug_print)
> +                                       wpa_dbg(wpa_s, MSG_DEBUG,
> +                                               "   skip RSN IE - 6GHz without MFPC");
> +                               break;
> +                       }
> +
> +                       /* WPA PSK is not allowed on the 6GHz band */
> +                       ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
> +                                        WPA_KEY_MGMT_FT_PSK |
> +                                        WPA_KEY_MGMT_PSK_SHA256);
> +               }
> +
>                 if (!(ie.key_mgmt & ssid->key_mgmt)) {
>                         if (debug_print)
>                                 wpa_dbg(wpa_s, MSG_DEBUG,
> @@ -665,6 +696,12 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                 return 1;
>         }
>
> +       if (is_6ghz_bss) {
> +               wpa_dbg(wpa_s, MSG_DEBUG,
> +                       "   skip - 6GHz BSS without matching RSN IE");
> +               return 0;
> +       }
> +
>         if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
>             (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
>                 if (debug_print)
> @@ -1316,7 +1353,9 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
>         }
>
>  #ifdef CONFIG_SAE
> -       if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
> +       /* On 6GHz band, only H2E is allowed */
> +       if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
> +            ssid->sae_password_id) &&
>             wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
>             !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
>                 if (debug_print)
> --
> 2.25.1
>
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux