qcacld-3.0: Add logic to ignore 6Ghz AP if security is not valid

Add logic to
- Check if connect req freq is 6Ghz and security
  is not allowed for 6Ghz, reject connect.
- Ignore 6Ghz APs if connect req security is invalid
  for 6Ghz

Also added user config key_mgmt_mask_6ghz mask
to allow specific AKMs, by default all are allowed.

Add added user config check_6Ghz_security to enable
security checks as per spec.

Change-Id: Iada7bb685b272e26cff7e89cf64d181ed6eb48a4
CRs-Fixed: 2820358

components/mlme/core/src/wlan_mlme_main.c

@@ -1180,8 +1180,6 @@ static void mlme_init_he_cap_in_cfg(struct wlan_objmgr_psoc *psoc,
 		QDF_GET_BITS(mcs_12_13,
 			     HE_MCS12_13_5G_INDEX * HE_MCS12_13_BITS,
 			     HE_MCS12_13_BITS);
-
-	mlme_cfg->he_caps.enable_6g_sec_check = false;
 }
 #else
 static void mlme_init_he_cap_in_cfg(struct wlan_objmgr_psoc *psoc,

components/mlme/dispatcher/inc/wlan_mlme_public_struct.h

@@ -1024,7 +1024,6 @@ struct wlan_mlme_he_caps {
 	uint32_t he_sta_obsspd;
 	uint16_t he_mcs_12_13_supp_2g;
 	uint16_t he_mcs_12_13_supp_5g;
-	bool enable_6g_sec_check;
 };
 #endif
 

core/mac/src/pe/lim/lim_process_sme_req_messages.c

@@ -477,86 +477,11 @@ void lim_strip_he_ies_from_add_ies(struct mac_context *mac_ctx,
 	if (status != QDF_STATUS_SUCCESS)
 		pe_debug("Failed to strip HE op IE status: %d", status);
 }
-
-static bool lim_is_6g_allowed_sec(struct mac_context *mac,
-				  struct pe_session *session)
-{
-	struct wlan_objmgr_vdev *vdev;
-	uint32_t keymgmt;
-	uint16_t ie_len;
-	bool status = false;
-
-	if (!mac->mlme_cfg->he_caps.enable_6g_sec_check)
-		return true;
-
-	vdev = wlan_objmgr_get_vdev_by_id_from_psoc(mac->psoc,
-						    session->vdev_id,
-						    WLAN_LEGACY_SME_ID);
-	if (!vdev) {
-		pe_err("Invalid vdev");
-		return false;
-	}
-	if (wlan_crypto_check_open_none(mac->psoc, session->vdev_id)) {
-		pe_err("open mode sec not allowed for 6G conn");
-		return false;
-	}
-
-	if (!session->limRmfEnabled) {
-		pe_err("rmf enabled is false");
-		return false;
-	}
-
-	keymgmt = wlan_crypto_get_param(vdev, WLAN_CRYPTO_PARAM_KEY_MGMT);
-	if (!keymgmt ||
-	    (keymgmt & (1 << WLAN_CRYPTO_KEY_MGMT_NONE |
-			1 << WLAN_CRYPTO_KEY_MGMT_SAE |
-			1 << WLAN_CRYPTO_KEY_MGMT_FT_SAE |
-			1 << WLAN_CRYPTO_KEY_MGMT_FILS_SHA256 |
-			1 << WLAN_CRYPTO_KEY_MGMT_FILS_SHA384 |
-			1 << WLAN_CRYPTO_KEY_MGMT_FT_FILS_SHA256 |
-			1 << WLAN_CRYPTO_KEY_MGMT_FT_FILS_SHA384 |
-			1 << WLAN_CRYPTO_KEY_MGMT_IEEE8021X_SUITE_B |
-			1 << WLAN_CRYPTO_KEY_MGMT_IEEE8021X_SUITE_B_192 |
-			1 << WLAN_CRYPTO_KEY_MGMT_OWE)))
-		status = true;
-	else
-		pe_err("Invalid key_mgmt %0X for 6G connection, vdev %d",
-		       keymgmt, session->vdev_id);
-
-	if (!(keymgmt & (1 << WLAN_CRYPTO_KEY_MGMT_SAE |
-			 1 << WLAN_CRYPTO_KEY_MGMT_FT_SAE)))
-		return status;
-
-	ie_len = lim_get_ielen_from_bss_description(
-			&session->lim_join_req->bssDescription);
-	if (!wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE,
-		(uint8_t *)session->lim_join_req->bssDescription.ieFields,
-		ie_len)) {
-		pe_err("RSNXE IE not present in beacon for 6G conn");
-		return false;
-	}
-
-	if (!wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE,
-				session->lim_join_req->addIEAssoc.addIEdata,
-				session->lim_join_req->addIEAssoc.length)) {
-		pe_err("RSNXE IE not present in assoc add IE data for 6G conn");
-		return false;
-	}
-
-	return status;
-}
-
 #else
 void lim_strip_he_ies_from_add_ies(struct mac_context *mac_ctx,
 				   struct pe_session *session)
 {
 }
-
-static inline bool lim_is_6g_allowed_sec(struct mac_context *mac,
-					 struct pe_session *session)
-{
-	return false;
-}
 #endif
 
 /**
@@ -1872,8 +1797,7 @@ __lim_process_sme_join_req(struct mac_context *mac_ctx, void *msg_buf)
 
 		session->encryptType = sme_join_req->UCEncryptionType;
 		if (wlan_reg_is_6ghz_chan_freq(session->curr_op_freq)) {
-			if (!lim_is_session_he_capable(session) ||
+			if (!lim_is_session_he_capable(session)) {
-			    !lim_is_6g_allowed_sec(mac_ctx, session)) {
 				pe_err("JOIN_REQ with invalid 6G security");
 				ret_code = eSIR_SME_INVALID_PARAMETERS;
 				goto end;

core/sme/src/common/sme_api.c

@@ -15252,7 +15252,7 @@ void sme_set_he_testbed_def(mac_handle_t mac_handle, uint8_t vdev_id)
 	mac_ctx->mlme_cfg->he_caps.dot11_he_cap.dl_mu_mimo_part_bw = 0;
 	csr_update_session_he_cap(mac_ctx, session);
 
-	mac_ctx->mlme_cfg->he_caps.enable_6g_sec_check = true;
+	wlan_cm_set_check_6ghz_security(mac_ctx->psoc, true);
 	status = ucfg_mlme_set_enable_bcast_probe_rsp(mac_ctx->psoc, false);
 	if (QDF_IS_STATUS_ERROR(status))
 		sme_err("Failed not set enable bcast probe resp info, %d",
@@ -15285,7 +15285,7 @@ void sme_reset_he_caps(mac_handle_t mac_handle, uint8_t vdev_id)
 		mac_ctx->mlme_cfg->he_caps.he_cap_orig;
 	csr_update_session_he_cap(mac_ctx, session);
 
-	mac_ctx->mlme_cfg->he_caps.enable_6g_sec_check = true;
+	wlan_cm_reset_check_6ghz_security(mac_ctx->psoc);
 	status = ucfg_mlme_set_enable_bcast_probe_rsp(mac_ctx->psoc, true);
 	if (QDF_IS_STATUS_ERROR(status))
 		sme_err("Failed not set enable bcast probe resp info, %d",

core/sme/src/csr/csr_api_roam.c

@@ -8281,6 +8281,36 @@ void csr_set_open_mode_in_scan_filter(struct scan_filter *filter)
 	QDF_SET_PARAM(filter->authmodeset, WLAN_CRYPTO_AUTH_OPEN);
 }
 
+#ifdef CONFIG_BAND_6GHZ
+bool csr_connect_security_valid_for_6ghz(struct wlan_objmgr_psoc *psoc,
+					 uint8_t vdev_id,
+					 struct csr_roam_profile *profile)
+{
+	const uint8_t *rsnxe;
+	uint16_t rsn_caps;
+	uint32_t key_mgmt;
+	struct wlan_objmgr_vdev *vdev;
+
+	vdev = wlan_objmgr_get_vdev_by_id_from_psoc(psoc, vdev_id,
+						    WLAN_LEGACY_SME_ID);
+	if (!vdev) {
+		sme_err("vdev not found for id %d", vdev_id);
+		return false;
+	}
+	key_mgmt = wlan_crypto_get_param(vdev, WLAN_CRYPTO_PARAM_KEY_MGMT);
+	rsn_caps = wlan_crypto_get_param(vdev, WLAN_CRYPTO_PARAM_RSN_CAP);
+
+	wlan_objmgr_vdev_release_ref(vdev, WLAN_LEGACY_SME_ID);
+
+	rsnxe = wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE,
+					 profile->pAddIEAssoc,
+					 profile->nAddIEAssocLength);
+
+	return wlan_cm_6ghz_allowed_for_akm(psoc, key_mgmt, rsn_caps,
+					    rsnxe, 0);
+}
+#endif
+
 QDF_STATUS csr_roam_connect(struct mac_context *mac, uint32_t sessionId,
 		struct csr_roam_profile *pProfile,
 		uint32_t *pRoamId)
@@ -8377,6 +8407,12 @@ QDF_STATUS csr_roam_connect(struct mac_context *mac, uint32_t sessionId,
 		qdf_mem_free(filter);
 		goto error;
 	}
+
+	if (opmode == QDF_STA_MODE || opmode == QDF_P2P_CLIENT_MODE)
+		if (!csr_connect_security_valid_for_6ghz(mac->psoc, sessionId,
+							 pProfile))
+			filter->ignore_6ghz_channel = true;
+
 	status = csr_scan_get_result(mac, filter, &hBSSList,
 				     opmode == QDF_STA_MODE ? true : false);
 	qdf_mem_free(filter);
@@ -11109,7 +11145,6 @@ csr_roam_get_scan_filter_from_profile(struct mac_context *mac_ctx,
 	if (QDF_IS_STATUS_ERROR(status))
 		return status;
 
-
 	if (profile->bWPSAssociation || profile->bOSENAssociation)
 		filter->ignore_auth_enc_type = true;
 

core/sme/src/csr/csr_api_scan.c

@@ -165,6 +165,9 @@ QDF_STATUS csr_scan_handle_search_for_ssid(struct mac_context *mac_ctx,
 			qdf_mem_free(filter);
 			break;
 		}
+		if (!csr_connect_security_valid_for_6ghz(mac_ctx->psoc,
+							 session_id, profile))
+			filter->ignore_6ghz_channel = true;
 		status = csr_scan_get_result(mac_ctx, filter, &hBSSList, true);
 		qdf_mem_free(filter);
 		if (!QDF_IS_STATUS_SUCCESS(status))

core/sme/src/csr/csr_inside_api.h

@@ -671,6 +671,28 @@ QDF_STATUS csr_scan_result_purge(struct mac_context *mac,
 
 /* /////////////////////////////////////////Common Scan ends */
 
+/*
+ * csr_connect_security_valid_for_6ghz() - check if profile is vlid fro 6Ghz
+ * @psoc: psoc pointer
+ * @vdev_id: vdev id
+ * @profile: connect profile
+ *
+ * Return bool
+ */
+#ifdef CONFIG_BAND_6GHZ
+bool csr_connect_security_valid_for_6ghz(struct wlan_objmgr_psoc *psoc,
+					 uint8_t vdev_id,
+					 struct csr_roam_profile *profile);
+#else
+static inline bool
+csr_connect_security_valid_for_6ghz(struct wlan_objmgr_psoc *psoc,
+				    uint8_t vdev_id,
+				    struct csr_roam_profile *profile)
+{
+	return true;
+}
+#endif
+
 /*
  * csr_roam_connect() -
  * To inititiate an association