Disable HE capabilities when using unacceptable security config

Add HE configuration check similar to HT/VHT.

Signed-off-by: Shay Bar <shay.bar@celeno.com>

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 767321a7b012d3ee8a8f5123a71120b78a31014c..35c0fe577f6727bcd9a7fa927e038f9de53fa84d 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -1323,6 +1323,27 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
        }
 #endif /* CONFIG_IEEE80211AC */
 
+#ifdef CONFIG_IEEE80211AX
+#ifdef CONFIG_WEP
+       if (full_config && conf->ieee80211ax &&
+           bss->ssid.security_policy == SECURITY_STATIC_WEP) {
+               bss->disable_11ax = true;
+               wpa_printf(MSG_ERROR,
+                          "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities");
+       }
+#endif /* CONFIG_WEP */
+
+       if (full_config && conf->ieee80211ax && bss->wpa &&
+           !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
+           !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
+                                  WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
+       {
+               bss->disable_11ax = true;
+               wpa_printf(MSG_ERROR,
+                          "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities");
+       }
+#endif /* CONFIG_IEEE80211AX */
+
 #ifdef CONFIG_WPS
        if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
                wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "