wpa_supplicant: Do not associate on 6 GHz with forbidden configurations
authorIlan Peer <ilan.peer@intel.com>
Sun, 6 Mar 2022 15:49:34 +0000 (17:49 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 6 Apr 2022 21:47:31 +0000 (00:47 +0300)
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:

- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E

In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
wpa_supplicant/events.c

index 8cf8aa51bc3bfd5dee1d3d7d9ed8069cdebd11ab..a977bca76a1db9db2a80506daf7a7c473a3feae0 100644 (file)
@@ -569,6 +569,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_WEP
        int wep_ok;
 #endif /* CONFIG_WEP */
+       bool is_6ghz_bss = is_6ghz_freq(bss->freq);
 
        ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
        if (ret >= 0)
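Review bot: Every 6 GHz check this commit adds to `wpa_supplicant_ssid_bss_match()` sits after the `wpas_wps_ssid_bss_match()` call, so if the `if (ret >= 0)` branch returns (its body is outside this hunk), a BSS matched through the WPS path never reaches them. If that is intended, a comment next to the new declaration would make it explicit, e.g. `/* 6 GHz restrictions below are not applied to WPS matches */`. Otherwise the RSNE and MFPC checks need to run before the WPS result is returned. The function continues outside the hunk.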
@@ -583,6 +584,13 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_WEP */
 
        rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+       if (is_6ghz_bss && !rsn_ie) {
+               if (debug_print)
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "   skip - 6 GHz BSS without RSNE");
+               return 0;
+       }
+
        while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
                proto_match++;
 
@@ -597,6 +605,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                if (!ie.has_group)
                        ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
 
+               if (is_6ghz_bss) {
+                       /* WEP and TKIP are not allowed on 6 GHz */
+                       ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
+                                               WPA_CIPHER_WEP104 |
+                                               WPA_CIPHER_TKIP);
+                       ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
+                                            WPA_CIPHER_WEP104 |
+                                            WPA_CIPHER_TKIP);
+               }
+
 #ifdef CONFIG_WEP
                if (wep_ok &&
                    (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
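Review bot: The WEP/TKIP mask is applied to `ie`, which appears to be the parsed copy used only for this match decision, so a 6 GHz BSS advertising CCMP together with TKIP as pairwise ciphers still matches. Nothing in this diff shows the later suite selection excluding the forbidden cipher. The same holds for the `ie.key_mgmt` PSK mask in the `@@ -638` hunk, where an AP advertising both SAE and PSK still matches a profile that allows both. The comment should state that dependency, e.g. `/* Match only; suite selection for the association must also exclude WEP/TKIP on 6 GHz */`, and the selection path should be confirmed to enforce it. The enclosing loop starts and ends outside the hunk.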
@@ -638,6 +656,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                        break;
                }
 
+               if (is_6ghz_bss) {
+                       /* MFPC must be supported on 6 GHz */
+                       if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+                               if (debug_print)
+                                       wpa_dbg(wpa_s, MSG_DEBUG,
+                                               "   skip RSNE - 6 GHz without MFPC");
+                               break;
+                       }
+
+                       /* WPA PSK is not allowed on the 6 GHz band */
+                       ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+                                        WPA_KEY_MGMT_FT_PSK |
+                                        WPA_KEY_MGMT_PSK_SHA256);
+               }
+
                if (!(ie.key_mgmt & ssid->key_mgmt)) {
                        if (debug_print)
                                wpa_dbg(wpa_s, MSG_DEBUG,
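Review bot: The MFPC check looks only at the AP's RSN capabilities and does not consult the local PMF setting, so a profile with management frame protection disabled would still match a 6 GHz BSS unless that is rejected elsewhere. `wpas_get_ssid_pmf()` is already used further down in this function, so a guard such as `if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) break;`, with its own debug line, would keep the 6 GHz decision in one place. The loop body continues outside the hunk.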
@@ -668,6 +701,13 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                return 1;
        }
 
+       if (is_6ghz_bss) {
+               if (debug_print)
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "   skip - 6 GHz BSS without matching RSNE");
+               return 0;
+       }
+
        if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
            (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
                if (debug_print)
@@ -1319,7 +1359,10 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
        }
 
 #ifdef CONFIG_SAE
-       if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+       /* When using SAE Password Identifier and when operationg on the 6 GHz
+        * band, only H2E is allowed. */
+       if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+            ssid->sae_password_id) &&
            wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
            !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
                if (debug_print)
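Review bot: The `wpa_s->conf->sae_pwe != 3` term still gates the whole condition, so with that setting a 6 GHz BSS that does not advertise H2E in its RSNXE is not skipped, which contradicts the new comment's statement that only H2E is allowed. If value 3 is meant as a test-only override, the comment should say so; otherwise the 6 GHz case should be checked outside that exemption. The comment also has a typo: `operationg` should be `operating`. The body of the `if` is outside the hunk.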