wpa_supplicant: Do not associate on 6GHz with invalid AP

Message ID 20220303225339.2759127-1-andrei.otcheretianski@intel.com
State Changes Requested

Commit Message

Andrei Otcheretianski March 3, 2022, 10:53 p.m. UTC
From: Ilan Peer <ilan.peer@intel.com>

On the 6GHz band the following is not allowed, so do not
allow association with an AP that advertises support for
these:

- Pairwise or group cipher that include WEP/TKIP
- Support for WPA PSK AKMs
- Support for SAE AKM without H2E

In addition do not allow association if the AP does not
advertise a matching RSN IE or does not declare that
it is MFP capable.

Change-Id: I9e12bc329c665571af4b6ce0a8442e83fee26ea4
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
---
 wpa_supplicant/events.c | 43 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

Comments

Jouni Malinen March 3, 2022, 11 p.m. UTC | #1
On Fri, Mar 04, 2022 at 12:53:39AM +0200, Andrei Otcheretianski wrote:
> On the 6GHz band the following is not allowed, so do not
> allow association with an AP that advertises support for
> these:
> 
> - Pairwise or group cipher that include WEP/TKIP
> - Support for WPA PSK AKMs
> - Support for SAE AKM without H2E
> 
> In addition do not allow association if the AP does not
> advertise a matching RSN IE or does not declare that
> it is MFP capable.

I can understand the part about rejecting an AP if a mandatory security
option is not available (RSN, SAE without H2E, or WEP/TKIP as the group
cipher), but why would the station need to enforce protocol compliance
for the AP for things like PSK AKMs or pairwise cipher suites that are
enabled on top of the required features? That sounds more like protocol
testing for AP than normal station functionality.

Andrei Otcheretianski March 3, 2022, 11:53 p.m. UTC | #2
> I can understand the part about rejecting an AP if a mandatory security
> option is not available (RSN, SAE without H2E, or WEP/TKIP as the group
> cipher), but why would the station need to enforce protocol compliance for
> the AP for things like PSK AKMs or pairwise cipher suites that are enabled on
> top of the required features? That sounds more like protocol testing for AP
> than normal station functionality.

I tend to agree. This part can be removed, I'll send a fixed version.

Thanks,
Andrei

> 
> --
> Jouni Malinen                                            PGP id EFC895FA

Patch

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 603ac33d1b..a8e1f35403 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -566,6 +566,7 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_WEP
 	int wep_ok;
 #endif /* CONFIG_WEP */
+	u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
 
 	ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
 	if (ret >= 0)
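Review bot: `is_6ghz_bss` is declared as `u8` but the later hunks only ever test it as a truth value (`if (is_6ghz_bss && ...)`), so `bool` would state the intent better. The last hunk of this patch calls is_6ghz_freq(bss->freq) inline in wpa_scan_res_ok() instead of caching it; using one style in both functions would keep them consistent.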
@@ -580,6 +581,11 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_WEP */
 
 	rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+	if (is_6ghz_bss && !rsn_ie) {
+		wpa_dbg(wpa_s, MSG_DEBUG, "   skip - 6GHz BSS RSN IE");
+		return 0;
+	}
+
 	while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
 		proto_match++;
 
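Review bot: the debug string "skip - 6GHz BSS RSN IE" in the added `!rsn_ie` branch is missing a word and reads as if the RSN IE itself were the problem; "skip - 6GHz BSS without RSN IE" would match the condition. This wpa_dbg() is also not guarded by debug_print, unlike the MFPC message added further down in the same function, so it is logged regardless of that flag.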
@@ -595,6 +601,18 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 			ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
 
 #ifdef CONFIG_WEP
+		if (is_6ghz_bss &&
+		    ((ie.pairwise_cipher & (WPA_CIPHER_WEP40 |
+					    WPA_CIPHER_WEP104 |
+					    WPA_CIPHER_TKIP)) ||
+		     (ie.group_cipher & (WPA_CIPHER_WEP40 |
+					 WPA_CIPHER_WEP104 |
+					 WPA_CIPHER_TKIP)))) {
+			wpa_dbg(wpa_s, MSG_DEBUG,
+				"   skip - legacy cipher not allowed on 6GHz");
+			return 0;
+		}
+
 		if (wep_ok &&
 		    (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
 		{
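Review bot: the 6GHz WEP/TKIP rejection is inserted directly after the `#ifdef CONFIG_WEP` line, so in a build without CONFIG_WEP the whole check is compiled out, including the TKIP part, which does not depend on WEP support. Move the block above the `#ifdef` so TKIP is rejected on 6GHz in every build. Separately, the test on ie.pairwise_cipher skips an AP that merely lists TKIP next to an allowed pairwise cipher, which is the kind of AP compliance enforcement questioned in comment #1; restricting the check to ie.group_cipher would address that.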
@@ -635,6 +653,21 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 			break;
 		}
 
+		if (is_6ghz_bss) {
+			/* MFPC must be supported on 6GHz */
+			if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+				if (debug_print)
+					wpa_dbg(wpa_s, MSG_DEBUG,
+						"   skip RSN IE - 6GHz without MFPC");
+				break;
+			}
+
+			/* WPA PSK is not allowed on the 6GHz band */
+			ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+					 WPA_KEY_MGMT_FT_PSK |
+					 WPA_KEY_MGMT_PSK_SHA256);
+		}
+
 		if (!(ie.key_mgmt & ssid->key_mgmt)) {
 			if (debug_print)
 				wpa_dbg(wpa_s, MSG_DEBUG,
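Review bot: clearing the PSK bits from ie.key_mgmt inside the `is_6ghz_bss` block happens silently, so a 6GHz AP that advertises only PSK AKMs falls into the generic `!(ie.key_mgmt & ssid->key_mgmt)` branch below and the debug output gives no hint that the AKM was dropped because of the band. If the mask stays, log when bits are removed; note that comments #1 and #2 in this thread concluded that this part can be removed. The MFPC check above it is guarded by debug_print and exits with `break`, which is consistent with the surrounding loop.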
@@ -665,6 +698,12 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 		return 1;
 	}
 
+	if (is_6ghz_bss) {
+		wpa_dbg(wpa_s, MSG_DEBUG,
+			"   skip - 6GHz BSS without matching RSN IE");
+		return 0;
+	}
+
 	if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
 	    (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
 		if (debug_print)
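Review bot: the wpa_dbg() in the new `if (is_6ghz_bss)` block is unconditional, while the PMF check immediately below it and the MFPC message added earlier in this patch print only under `if (debug_print)`; wrap this message the same way. Because the block returns 0 for every 6GHz BSS that reaches it, everything below this point in the function no longer runs for 6GHz, and a one-line comment saying so would help the next reader.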
@@ -1316,7 +1355,9 @@  static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
 	}
 
 #ifdef CONFIG_SAE
-	if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+	/* On 6GHz band, only H2E is allowed */
+	if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+	     ssid->sae_password_id) &&
 	    wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
 	    !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
 		if (debug_print)
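Review bot: the new comment says only H2E is allowed on 6GHz, but the unchanged `wpa_s->conf->sae_pwe != 3` term still gates the whole condition, so with sae_pwe set to 3 a 6GHz BSS without the H2E bit in the RSNXE is not skipped by this check. Either exclude the 6GHz case from that exception or state in the comment that sae_pwe == 3 intentionally overrides the 6GHz rule.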