
qcacmn: Modify the checks to validate security for 11be connection

Currently, if the AP advertises multiple AKMs (WPA2 PSK + WPA3),
the security validation checks the WPA2 AKMs before the WPA3 AKM,
and the driver downgrades the connection to 11AX even
though the selected AKM is WPA3.
This happens because the negotiated security info in the scan entry
is updated with the intersected value only after peer create, so
before peer create this variable may contain multiple AKMs.

Modify the checks to validate security for 11be connection.

Change-Id: If0c7886062fcf0c483145641e9c3cbf972f1ef13
CRs-Fixed: 3599053
Aravind Kishore Sukla 1 jaar geleden
bovenliggende
commit
8cd8d47be1

+ 11 - 5
umac/cmn_services/crypto/inc/wlan_crypto_global_def.h

@@ -681,11 +681,17 @@ struct wlan_lmac_if_crypto_rx_ops {
 	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_SAE_EXT_KEY) || \
 	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_SAE_EXT_KEY))
 
-#define WLAN_CRYPTO_IS_AKM_WPA2_PSK(akm) \
-	(QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK) || \
-	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK_SHA256) || \
-	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_PSK) || \
-	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384))
+#define WLAN_CRYPTO_IS_AKM_ENTERPRISE(akm) \
+	(QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_IEEE8021X) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_IEEE8021X_SHA256) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_IEEE8021X_SUITE_B) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_IEEE8021X_SUITE_B_192) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FILS_SHA256) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FILS_SHA384) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_FILS_SHA256) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_FILS_SHA384))
 
 #define WLAN_CRYPTO_IS_AKM_SAE(akm) \
 	(QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_SAE) || \
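Review bot: WLAN_CRYPTO_IS_AKM_ENTERPRISE has no comment stating that it is an any-of test: it is true as soon as one 802.1X or FILS bit is set in `akm`, even when PSK or other bits are set alongside it. The commit description says the negotiated key_mgmt value can hold several AKMs before peer create, so this property matters to any caller that uses the result as a security gate. I would add above the macro `/* True if at least one 802.1X/FILS AKM bit is set in @akm; other bits are ignored */`. The hunk also deletes WLAN_CRYPTO_IS_AKM_WPA2_PSK, so any remaining user outside the two files in this commit would stop compiling; that cannot be checked from here.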

+ 14 - 4
umac/mlme/connection_mgr/core/src/wlan_cm_bss_scoring.c

@@ -1450,11 +1450,21 @@ bool wlan_cm_is_eht_allowed_for_current_security(
 		return false;
 	}
 
-	/* check AKM chosen for connection is PSK */
-	if (WLAN_CRYPTO_IS_AKM_WPA2_PSK(scan_entry->neg_sec_info.key_mgmt)) {
+	if (!(scan_entry->neg_sec_info.rsn_caps &
+	      WLAN_CRYPTO_RSN_CAP_MFP_ENABLED)) {
+		mlme_debug(QDF_MAC_ADDR_FMT " MFPC bit of RSN IE not present",
+			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes));
+		return false;
+	}
+
+	if (WLAN_CRYPTO_IS_AKM_ENTERPRISE(scan_entry->neg_sec_info.key_mgmt))
+		return true;
+
+	/* Return from here if atleast one AKM in list is not WPA3 AKM */
+	if (!WLAN_CRYPTO_IS_WPA3(scan_entry->neg_sec_info.key_mgmt)) {
 		mlme_debug(QDF_MAC_ADDR_FMT ": AKM 0x%x not valid",
 			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes),
-					    scan_entry->neg_sec_info.key_mgmt);
+			   scan_entry->neg_sec_info.key_mgmt);
 		return false;
 	}
 
@@ -1467,7 +1477,7 @@ bool wlan_cm_is_eht_allowed_for_current_security(
 
 	rsnxe = util_scan_entry_rsnxe(scan_entry);
 	if (!rsnxe) {
-		mlme_debug(QDF_MAC_ADDR_FMT ": AKM 0x%x not valid",
+		mlme_debug(QDF_MAC_ADDR_FMT ":RSNXE not present, AKM 0x%x",
 			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes),
 					    scan_entry->neg_sec_info.key_mgmt);
 		return false;
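Review bot: The comment added before the `!WLAN_CRYPTO_IS_WPA3(...)` test says the function returns if at least one AKM in the list is not WPA3, but the code appears to do the opposite. The AKM macros visible in this commit are ORs of QDF_HAS_PARAM terms, and if WLAN_CRYPTO_IS_WPA3 is built the same way (its definition is not in the hunk), the branch is taken only when no AKM in the list is WPA3. With a mixed WPA2-PSK + WPA3 bitmap, which the description says is possible before peer create, EHT is then allowed because a WPA3 AKM is advertised, not because it was the one selected. The same holds for the new `WLAN_CRYPTO_IS_AKM_ENTERPRISE` early `return true`, which also skips the RSNXE check further down. If that is the intent, the comment should say so, e.g. `/* Reject only when none of the AKMs in the list is a WPA3 AKM */`; otherwise the check needs the AKM actually chosen for the connection. The function starts and ends outside the hunks shown.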