From patchwork Sun Mar 6 15:49:34 2022
From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Cc: Ilan Peer, Andrei Otcheretianski
Subject: [PATCH v2] wpa_supplicant: Do not associate on 6GHz with forbidden configurations
Date: Sun, 6 Mar 2022 17:49:34 +0200
Message-Id: <20220306154934.6726-1-andrei.otcheretianski@intel.com>

From: Ilan Peer

On the 6GHz band the following is not allowed, so do not allow
association with an AP using these configurations:

- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E

In addition do not allow association if the AP does not advertise a
matching RSN IE or does not declare that it is MFP capable.

Signed-off-by: Ilan Peer
Signed-off-by: Andrei Otcheretianski
---
 wpa_supplicant/events.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 603ac33d1b..0b54f7e8b5 100644
--- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -566,6 +566,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, #ifdef CONFIG_WEP int wep_ok; #endif /* CONFIG_WEP */ + u8 is_6ghz_bss = is_6ghz_freq(bss->freq); ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss); if (ret >= 0) @@ -580,6 +581,11 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, #endif /* CONFIG_WEP */ rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN); + if (is_6ghz_bss && !rsn_ie) { + wpa_dbg(wpa_s, MSG_DEBUG, " skip - 6GHz BSS RSN IE"); + return 0; + } + while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) { proto_match++; @@ -594,6 +600,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, if (!ie.has_group) ie.group_cipher = wpa_default_rsn_cipher(bss->freq); + if (is_6ghz_bss) { + /* WEP and TKIP are not allowed on 6GHZ */ + ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 | + WPA_CIPHER_WEP104 | + WPA_CIPHER_TKIP); + ie.group_cipher &= ~(WPA_CIPHER_WEP40 | + WPA_CIPHER_WEP104 | + WPA_CIPHER_TKIP); + } + #ifdef CONFIG_WEP if (wep_ok && (ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104))) @@ -635,6 +651,21 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, break; } + if (is_6ghz_bss) { + /* MFPC must be supported on 6GHz */ + if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) { + if (debug_print) + wpa_dbg(wpa_s, MSG_DEBUG, + " skip RSN IE - 6GHz without MFPC"); + break; + } + + /* WPA PSK is not allowed on the 6GHz band */ + ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK | + WPA_KEY_MGMT_FT_PSK | + WPA_KEY_MGMT_PSK_SHA256); + } + if (!(ie.key_mgmt & ssid->key_mgmt)) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, 
@@ -665,6 +696,12 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, return 1; } + if (is_6ghz_bss) { + wpa_dbg(wpa_s, MSG_DEBUG, + " skip - 6GHz BSS without matching RSN IE"); + return 0; + } + if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED && (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) { if (debug_print) @@ -1316,7 +1353,9 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, } #ifdef CONFIG_SAE - if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && + /* On 6GHz band, only H2E is allowed */ + if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) || + ssid->sae_password_id) && wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) && !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) { if (debug_print)
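Review bot: in the hunk at @@ -580,6 +581,11 @@ the debug message " skip - 6GHz BSS RSN IE" does not say what is wrong, and the wpa_dbg call is not gated by `debug_print` the way the other skip messages in wpa_supplicant_ssid_bss_match are (the MFPC message added later in this patch uses `if (debug_print)`). Suggest " skip - 6GHz BSS without RSN IE" and wrapping the call in `if (debug_print)`, since this function runs for every scan result against every configured network and the unconditional message will repeat on each scan. The same applies to the unconditional wpa_dbg in the hunk at @@ -665,6 +696,12 @@.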
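Review bot: the comment in the hunk at @@ -594,6 +600,16 @@ spells the band "6GHZ" while the rest of the patch writes "6GHz"; please make it consistent. Also, clearing WEP/TKIP from ie.pairwise_cipher and ie.group_cipher is silent: an AP that advertises only those ciphers is then rejected by the existing cipher-mismatch path further down with a generic message, so a short debug line here when the mask empties either set would make the 6 GHz rule visible in logs.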
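Review bot: the MFPC check in the hunk at @@ -635,6 +651,21 @@ only inspects the AP's RSN capabilities (`ie.capabilities & WPA_CAPABILITY_MFPC`) and not the local PMF setting, so a network profile with PMF disabled can still match a 6 GHz BSS and associate without management frame protection; the existing wpas_get_ssid_pmf() check below only rejects when the profile says MGMT_FRAME_PROTECTION_REQUIRED. Consider also refusing the match when wpas_get_ssid_pmf() returns NO_MGMT_FRAME_PROTECTION for a 6 GHz BSS, or stating in the commit message where PMF is forced on for 6 GHz.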
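Review bot: in the hunk at @@ -1316,7 +1353,9 @@ the `wpa_s->conf->sae_pwe != 3` term still exempts that configuration from the new 6 GHz condition, so with sae_pwe=3 a 6 GHz BSS without the WLAN_RSNX_CAPAB_SAE_H2E capability is still accepted; if H2E is mandatory on 6 GHz regardless of local configuration, the is_6ghz_freq(bss->freq) test should be evaluated independently of the sae_pwe checks. This change also only makes the AP's H2E support a precondition for the match; it is worth confirming that the SAE commit construction selects H2E for a 6 GHz BSS when sae_pwe is 0, otherwise the local side can still pick hunting-and-pecking against an AP that passed this filter.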