network: add 6GHz restrictions to network_can_connect_bss

The 802.11ax standards adds some restrictions for the 6GHz band. In short stations must use SAE, OWE, or 8021x on this band and frame protection is required.
2025-01-03 10:32:33 +01:00 · 2022-02-25 17:06:39 -08:00 · 2022-02-25 17:06:39 -08:00 · d38b7f2406
commit d38b7f2406
parent 1024384ffd
1 changed files with 46 additions and 14 deletions
--- a/src/network.c
+++ b/src/network.c
@ -55,6 +55,7 @@
 #include "src/util.h"
 #include "src/erp.h"
 #include "src/handshake.h"
 #include "src/band.h"
 #define SAE_PT_SETTING "SAE-PT-Group%u"
@ -774,6 +775,7 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 	struct network_config *config = info ? &info->config : NULL;
 	bool can_transition_disable = wiphy_can_transition_disable(wiphy);
 	struct ie_rsn_info rsn;
 	enum band_freq band;
 	int ret;
 	switch (security) {
@ -785,6 +787,9 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return -ENOSYS;
 	}
 	if (!band_freq_to_channel(bss->frequency, &band))
 		return -ENOTSUP;
 	memset(&rsn, 0, sizeof(rsn));
 	ret = scan_bss_get_rsn_info(bss, &rsn);
 	if (ret < 0) {
@ -797,6 +802,13 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		 * We assume the spec means us to check bit 3 here
 		 */
 		if (ret == -ENOENT && security == SECURITY_NONE) {
 			/*
 			 * 802.11ax 12.12.2 - STA shall not use Open System
 			 * authentication without encryption
 			 */
 			if (band == BAND_FREQ_6_GHZ)
 				return -EPERM;
 			if (!config)
 				return 0;
@ -814,25 +826,20 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return ret;
 	}
-	if (!config || !config->have_transition_disable)
+	if (!config || !config->have_transition_disable) {
-		goto no_transition_disable;
+		if (band == BAND_FREQ_6_GHZ)
 			goto mfp_no_tkip;
 	if (!can_transition_disable) {
 		l_debug("HW not capable of Transition Disable, skip");
 		goto no_transition_disable;
 	}
-	/*
+	if (!can_transition_disable) {
-	 * WPA3 Specification, v3, Section 8:
+		if (band == BAND_FREQ_6_GHZ)
-	 * - Disable use of WEP and TKIP
+			return -EPERM;
 	 * - Disallow association without negotiation of PMF
 	 */
 	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
-	if (!rsn.group_management_cipher)
+		l_debug("HW not capable of Transition Disable, skip");
-		return -EPERM;
+		goto no_transition_disable;
-
+	}
 	rsn.mfpr = true;
 	/* WPA3-Personal */
 	if (test_bit(&config->transition_disable, 0)) {
@ -851,6 +858,31 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 			return -EPERM;
 	}
 mfp_no_tkip:
 	/*
 	 * WPA3 Specification, v3, Section 8:
 	 * - Disable use of WEP and TKIP
 	 * - Disallow association without negotiation of PMF
 	 */
 	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
 	if (!rsn.group_management_cipher)
 		return -EPERM;
 	rsn.mfpr = true;
 	/* 802.11ax Section 12.12.2 */
 	if (band == BAND_FREQ_6_GHZ) {
 		/* STA shall not use the following cipher suite selectors */
 		rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER;
 		/* Basically the STA must use OWE, SAE, or 8021x */
 		if (!IE_AKM_IS_SAE(rsn.akm_suites) &&
 				!IE_AKM_IS_8021X(rsn.akm_suites) &&
 				(!(rsn.akm_suites & IE_RSN_AKM_SUITE_OWE)))
 			return -EPERM;
 	}
 no_transition_disable:
 	if (!wiphy_select_cipher(wiphy, rsn.pairwise_ciphers))
 		return -ENOTSUP;