network: add 6GHz restrictions to network_can_connect_bss

The 802.11ax standards adds some restrictions for the 6GHz band. In short stations must use SAE, OWE, or 8021x on this band and frame protection is required.
2022-02-25 17:06:39 -08:00 · 2022-02-25 17:06:39 -08:00 · d38b7f2406
parent 1024384ffd
commit d38b7f2406
1 changed files with 46 additions and 14 deletions
--- a/src/network.c
+++ b/src/network.c
@ -55,6 +55,7 @@
 #include "src/util.h"
 #include "src/erp.h"
 #include "src/handshake.h"
+#include "src/band.h"

 #define SAE_PT_SETTING "SAE-PT-Group%u"

@ -774,6 +775,7 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 	struct network_config *config = info ? &info->config : NULL;
 	bool can_transition_disable = wiphy_can_transition_disable(wiphy);
 	struct ie_rsn_info rsn;
+	enum band_freq band;
 	int ret;

 	switch (security) {
@ -785,6 +787,9 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return -ENOSYS;
 	}

+	if (!band_freq_to_channel(bss->frequency, &band))
+		return -ENOTSUP;
+
 	memset(&rsn, 0, sizeof(rsn));
 	ret = scan_bss_get_rsn_info(bss, &rsn);
 	if (ret < 0) {
@ -797,6 +802,13 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		 * We assume the spec means us to check bit 3 here
 		 */
 		if (ret == -ENOENT && security == SECURITY_NONE) {
+			/*
+			 * 802.11ax 12.12.2 - STA shall not use Open System
+			 * authentication without encryption
+			 */
+			if (band == BAND_FREQ_6_GHZ)
+				return -EPERM;
+
 			if (!config)
 				return 0;

@ -814,25 +826,20 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return ret;
 	}

-	if (!config || !config->have_transition_disable)
-		goto no_transition_disable;
+	if (!config || !config->have_transition_disable) {
+		if (band == BAND_FREQ_6_GHZ)
+			goto mfp_no_tkip;

-	if (!can_transition_disable) {
-		l_debug("HW not capable of Transition Disable, skip");
 		goto no_transition_disable;
 	}

-	/*
-	 * WPA3 Specification, v3, Section 8:
-	 * - Disable use of WEP and TKIP
-	 * - Disallow association without negotiation of PMF
-	 */
-	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
+	if (!can_transition_disable) {
+		if (band == BAND_FREQ_6_GHZ)
+			return -EPERM;

-	if (!rsn.group_management_cipher)
-		return -EPERM;
-
-	rsn.mfpr = true;
+		l_debug("HW not capable of Transition Disable, skip");
+		goto no_transition_disable;
+	}

 	/* WPA3-Personal */
 	if (test_bit(&config->transition_disable, 0)) {
@ -851,6 +858,31 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 			return -EPERM;
 	}

+mfp_no_tkip:
+	/*
+	 * WPA3 Specification, v3, Section 8:
+	 * - Disable use of WEP and TKIP
+	 * - Disallow association without negotiation of PMF
+	 */
+	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
+
+	if (!rsn.group_management_cipher)
+		return -EPERM;
+
+	rsn.mfpr = true;
+
+	/* 802.11ax Section 12.12.2 */
+	if (band == BAND_FREQ_6_GHZ) {
+		/* STA shall not use the following cipher suite selectors */
+		rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER;
+
+		/* Basically the STA must use OWE, SAE, or 8021x */
+		if (!IE_AKM_IS_SAE(rsn.akm_suites) &&
+				!IE_AKM_IS_8021X(rsn.akm_suites) &&
+				(!(rsn.akm_suites & IE_RSN_AKM_SUITE_OWE)))
+			return -EPERM;
+	}
+
 no_transition_disable:
 	if (!wiphy_select_cipher(wiphy, rsn.pairwise_ciphers))
 		return -ENOTSUP;