
[v2] wpa_supplicant: Do not associate on 6GHz with forbidden configurations

Message ID 20220306154934.6726-1-andrei.otcheretianski@intel.com
State Accepted

Commit Message

Andrei Otcheretianski March 6, 2022, 3:49 p.m. UTC
From: Ilan Peer <ilan.peer@intel.com>

On the 6GHz band the following is not allowed, so do not
allow association with an AP using these configurations:

- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E

In addition do not allow association if the AP does not
advertise a matching RSN IE or does not declare that
it is MFP capable.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
---
 wpa_supplicant/events.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

Comments

Matthew Wang March 13, 2022, 4:43 a.m. UTC | #1
I'm not sure I agree with the execution here. In particular, I don't
think we should be modifying the IEs of the AP to prevent association.
Rather, there are places (e.g. wpa_supplicant_set_suites) where we
determine the correct suite based on the network configuration and the
AP IEs, and it makes more sense to do the 6ghz check there. In the
case of the WEP check, that can be easily accomplished by checking for
6ghz when we define wep_ok, with the additional benefit of not
exposing more WEP specific things outside of CONFIG_WEP.

On Sun, Mar 6, 2022 at 7:50 AM Andrei Otcheretianski
<andrei.otcheretianski@intel.com> wrote:
>
> From: Ilan Peer <ilan.peer@intel.com>
>
> On the 6GHz band the following is not allowed, so do not
> allow association with an AP using these configurations:
>
> - WEP/TKIP pairwise or group ciphers
> - WPA PSK AKMs
> - SAE AKM without H2E
>
> In addition do not allow association if the AP does not
> advertise a matching RSN IE or does not declare that
> it is MFP capable.
>
> Signed-off-by: Ilan Peer <ilan.peer@intel.com>
> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
> ---
>  wpa_supplicant/events.c | 41 ++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 40 insertions(+), 1 deletion(-)
>
> diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
> index 603ac33d1b..0b54f7e8b5 100644
> --- a/wpa_supplicant/events.c
> +++ b/wpa_supplicant/events.c
> @@ -566,6 +566,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>  #ifdef CONFIG_WEP
>         int wep_ok;
>  #endif /* CONFIG_WEP */
> +       u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
>
>         ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
>         if (ret >= 0)
> @@ -580,6 +581,11 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>  #endif /* CONFIG_WEP */
>
>         rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
> +       if (is_6ghz_bss && !rsn_ie) {
> +               wpa_dbg(wpa_s, MSG_DEBUG, "   skip - 6GHz BSS RSN IE");
> +               return 0;
> +       }
> +
>         while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
>                 proto_match++;
>
> @@ -594,6 +600,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                 if (!ie.has_group)
>                         ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
>
> +               if (is_6ghz_bss) {
> +                       /* WEP and TKIP are not allowed on 6GHZ */
> +                       ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
> +                                               WPA_CIPHER_WEP104 |
> +                                               WPA_CIPHER_TKIP);
> +                       ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
> +                                            WPA_CIPHER_WEP104 |
> +                                            WPA_CIPHER_TKIP);
> +               }
> +
>  #ifdef CONFIG_WEP
>                 if (wep_ok &&
>                     (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
> @@ -635,6 +651,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                         break;
>                 }
>
> +               if (is_6ghz_bss) {
> +                       /* MFPC must be supported on 6GHz */
> +                       if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
> +                               if (debug_print)
> +                                       wpa_dbg(wpa_s, MSG_DEBUG,
> +                                               "   skip RSN IE - 6GHz without MFPC");
> +                               break;
> +                       }
> +
> +                       /* WPA PSK is not allowed on the 6GHz band */
> +                       ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
> +                                        WPA_KEY_MGMT_FT_PSK |
> +                                        WPA_KEY_MGMT_PSK_SHA256);
> +               }
> +
>                 if (!(ie.key_mgmt & ssid->key_mgmt)) {
>                         if (debug_print)
>                                 wpa_dbg(wpa_s, MSG_DEBUG,
> @@ -665,6 +696,12 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
>                 return 1;
>         }
>
> +       if (is_6ghz_bss) {
> +               wpa_dbg(wpa_s, MSG_DEBUG,
> +                       "   skip - 6GHz BSS without matching RSN IE");
> +               return 0;
> +       }
> +
>         if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
>             (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
>                 if (debug_print)
> @@ -1316,7 +1353,9 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
>         }
>
>  #ifdef CONFIG_SAE
> -       if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
> +       /* On 6GHz band, only H2E is allowed */
> +       if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
> +            ssid->sae_password_id) &&
>             wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
>             !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
>                 if (debug_print)
> --
> 2.25.1
>
>
> _______________________________________________
> Hostap mailing list
> Hostap@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap
Ilan Peer March 15, 2022, 3:52 p.m. UTC | #2
Hi,

> -----Original Message-----
> From: Matthew Wang <matthewmwang@chromium.org>
> Sent: Sunday, March 13, 2022 06:43
> To: Otcheretianski, Andrei <andrei.otcheretianski@intel.com>
> Cc: hostap@lists.infradead.org; Peer, Ilan <ilan.peer@intel.com>
> Subject: Re: [PATCH v2] wpa_supplicant: Do not associate on 6GHz with
> forbidden configurations
> 
> I'm not sure I agree with the execution here. In particular, I don't think we
> should be modifying the IEs of the AP to prevent association.
> Rather, there are places (e.g. wpa_supplicant_set_suites) where we
> determine the correct suite based on the network configuration and the AP
> IEs, and it makes more sense to do the 6ghz check there. In the case of the
> WEP check, that can be easily accomplished by checking for 6ghz when we
> define wep_ok, with the additional benefit of not exposing more WEP
> specific things outside of CONFIG_WEP.
> 

This change does not really modify the AP elements. Instead, it removes configurations that are not allowed on 6GHz to prevent starting a connection flow with invalid AKMs/ciphers/configuration. I think that it is preferable to do this early during the candidate selection for association.

Regards,

Ilan.
Matthew Wang March 16, 2022, 3:57 p.m. UTC | #3
Ah, you're right, I slightly misinterpreted, thanks!

On Tue, Mar 15, 2022 at 9:53 AM Peer, Ilan <ilan.peer@intel.com> wrote:
>
> Hi,
>
> > -----Original Message-----
> > From: Matthew Wang <matthewmwang@chromium.org>
> > Sent: Sunday, March 13, 2022 06:43
> > To: Otcheretianski, Andrei <andrei.otcheretianski@intel.com>
> > Cc: hostap@lists.infradead.org; Peer, Ilan <ilan.peer@intel.com>
> > Subject: Re: [PATCH v2] wpa_supplicant: Do not associate on 6GHz with
> > forbidden configurations
> >
> > I'm not sure I agree with the execution here. In particular, I don't think we
> > should be modifying the IEs of the AP to prevent association.
> > Rather, there are places (e.g. wpa_supplicant_set_suites) where we
> > determine the correct suite based on the network configuration and the AP
> > IEs, and it makes more sense to do the 6ghz check there. In the case of the
> > WEP check, that can be easily accomplished by checking for 6ghz when we
> > define wep_ok, with the additional benefit of not exposing more WEP
> > specific things outside of CONFIG_WEP.
> >
>
> This change does not really modify the AP elements. Instead, it removes configurations that are no allowed on 6GHz to prevent starting a connection flow with invalid AKMs/ciphers/configuration. I think that it is preferrable to do this early during the candidate selection for association.
>
> Regards,
>
> Ilan.
Jouni Malinen April 6, 2022, 10:15 p.m. UTC | #4
On Sun, Mar 06, 2022 at 05:49:34PM +0200, Andrei Otcheretianski wrote:
> On the 6GHz band the following is not allowed, so do not
> allow association with an AP using these configurations:
> 
> - WEP/TKIP pairwise or group ciphers
> - WPA PSK AKMs
> - SAE AKM without H2E
> 
> In addition do not allow association if the AP does not
> advertise a matching RSN IE or does not declare that
> it is MFP capable.

Thanks, applied.

Patch

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 603ac33d1b..0b54f7e8b5 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -566,6 +566,7 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_WEP
 	int wep_ok;
 #endif /* CONFIG_WEP */
+	u8 is_6ghz_bss = is_6ghz_freq(bss->freq);
 
 	ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
 	if (ret >= 0)
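Review bot: `is_6ghz_bss` holds a truth value but is declared `u8`; the file already uses `bool` (see the `static bool wpa_scan_res_ok` signature in the last hunk header), so `bool is_6ghz_bss = is_6ghz_freq(bss->freq);` would state the intent directly. The body of wpa_supplicant_ssid_bss_match() starts and ends outside this hunk.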
@@ -580,6 +581,11 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_WEP */
 
 	rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+	if (is_6ghz_bss && !rsn_ie) {
+		wpa_dbg(wpa_s, MSG_DEBUG, "   skip - 6GHz BSS RSN IE");
+		return 0;
+	}
+
 	while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
 		proto_match++;
 
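Review bot: The debug string in the added early return, `"   skip - 6GHz BSS RSN IE"`, has lost a word and reads as if the RSN IE were the reason for the skip rather than its absence; `"   skip - 6GHz BSS without RSN IE"` says what happened. This `wpa_dbg()` call, and the one in the later hunk that returns 0 after the loop, are also not wrapped in `if (debug_print)`, unlike the MFPC message added by the same patch, so they are presumably emitted even on calls that asked for no debug output. Prefixing both with `if (debug_print)` keeps the function consistent. The function continues outside the hunk.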
@@ -594,6 +600,16 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 		if (!ie.has_group)
 			ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
 
+		if (is_6ghz_bss) {
+			/* WEP and TKIP are not allowed on 6GHZ */
+			ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
+						WPA_CIPHER_WEP104 |
+						WPA_CIPHER_TKIP);
+			ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
+					     WPA_CIPHER_WEP104 |
+					     WPA_CIPHER_TKIP);
+		}
+
 #ifdef CONFIG_WEP
 		if (wep_ok &&
 		    (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
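Review bot: The masking in the added `if (is_6ghz_bss)` block filters the weak ciphers out of the match instead of rejecting the BSS, which is narrower than the commit message's "do not allow association with an AP using these configurations": a 6 GHz BSS that lists TKIP next to CCMP in its pairwise set still passes on CCMP. If that is the intent, the comment should say so, e.g. `/* WEP and TKIP are not allowed on 6 GHz; ignore them so that only the remaining ciphers can match */`. When the mask leaves nothing, the skip is presumably reported by the generic cipher-mismatch messages further down (outside this hunk), so the debug log will not name the 6 GHz rule as the cause.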
@@ -635,6 +651,21 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 			break;
 		}
 
+		if (is_6ghz_bss) {
+			/* MFPC must be supported on 6GHz */
+			if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+				if (debug_print)
+					wpa_dbg(wpa_s, MSG_DEBUG,
+						"   skip RSN IE - 6GHz without MFPC");
+				break;
+			}
+
+			/* WPA PSK is not allowed on the 6GHz band */
+			ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+					 WPA_KEY_MGMT_FT_PSK |
+					 WPA_KEY_MGMT_PSK_SHA256);
+		}
+
 		if (!(ie.key_mgmt & ssid->key_mgmt)) {
 			if (debug_print)
 				wpa_dbg(wpa_s, MSG_DEBUG,
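Review bot: The MFPC test in the added block looks only at the AP's RSN capabilities; nothing in this hunk rejects the candidate when PMF is disabled in the local network profile. `wpas_get_ssid_pmf()` is already used just below the loop, so the same block could skip the RSN IE when it returns `NO_MGMT_FRAME_PROTECTION`, as sketched below. Whether a later stage of association forces PMF on 6 GHz is not visible here, so this may already be covered; if it is, a comment pointing there would help. The enclosing loop starts and ends outside the hunk.

```c
		if (is_6ghz_bss) {
			/* ... unchanged: AP-side MFPC check ... */

			/* PMF must not be disabled locally on 6 GHz */
			if (wpas_get_ssid_pmf(wpa_s, ssid) ==
			    NO_MGMT_FRAME_PROTECTION) {
				if (debug_print)
					wpa_dbg(wpa_s, MSG_DEBUG,
						"   skip RSN IE - 6GHz with PMF disabled in network profile");
				break;
			}

			/* ... unchanged: PSK AKM masking ... */
		}
```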
@@ -665,6 +696,12 @@  static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
 		return 1;
 	}
 
+	if (is_6ghz_bss) {
+		wpa_dbg(wpa_s, MSG_DEBUG,
+			"   skip - 6GHz BSS without matching RSN IE");
+		return 0;
+	}
+
 	if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
 	    (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
 		if (debug_print)
@@ -1316,7 +1353,9 @@  static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
 	}
 
 #ifdef CONFIG_SAE
-	if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+	/* On 6GHz band, only H2E is allowed */
+	if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+	     ssid->sae_password_id) &&
 	    wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
 	    !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
 		if (debug_print)
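Review bot: The added comment says only H2E is allowed on 6 GHz, but the `wpa_s->conf->sae_pwe != 3` term still applies to the new `is_6ghz_freq()` case, so with that setting a 6 GHz BSS that does not advertise H2E in RSNXE is not skipped. If the exemption is deliberate (it looks like a testing override), the comment should say so, e.g. `/* On the 6 GHz band only H2E is allowed (sae_pwe=3 still bypasses this check) */`. The check also covers only what the AP advertises; whether the local SAE code then uses H2E when `sae_pwe` is 0 is decided outside this hunk. The function continues past the hunk.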