
qcacmn: Update the security check mask for 6GHz AP

Update the security check mask value for 6GHz AP.

Change-Id: I8d9637a95c6191124372a7bdba119837e6553ed4
CRs-Fixed: 2930941
Kiran Kumar Lokere 4 yıl önce
ebeveyn
işleme
eb4b6bf958

+ 4 - 2
umac/cmn_services/crypto/inc/wlan_crypto_global_def.h

@@ -220,6 +220,8 @@ typedef enum wlan_crypto_key_mgmt {
 	WLAN_CRYPTO_KEY_MGMT_OWE                   = 22,
 	WLAN_CRYPTO_KEY_MGMT_DPP                   = 23,
 	WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384   = 24,
+	WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384         = 25,
+	WLAN_CRYPTO_KEY_MGMT_PSK_SHA384            = 26,
 	/** Keep WLAN_CRYPTO_KEY_MGMT_MAX at the end. */
 	WLAN_CRYPTO_KEY_MGMT_MAX   = WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384,
 } wlan_crypto_key_mgmt;
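Review bot: `WLAN_CRYPTO_KEY_MGMT_MAX` is still defined as `WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384` (24), so the two enumerators added above it, 25 and 26, now lie beyond the enum's declared maximum. Any bounds check or loop elsewhere that relies on the MAX value (none is visible here) would treat the new AKMs as out of range or skip them. That includes the values returned by the new cases in `wlan_crypto_rsn_suite_to_keymgmt`. The last enumerator should follow the additions: `WLAN_CRYPTO_KEY_MGMT_MAX = WLAN_CRYPTO_KEY_MGMT_PSK_SHA384,`. The enum starts outside the hunk.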
@@ -235,8 +237,8 @@ enum wlan_crypto_key_type {
 
 #define DEFAULT_KEYMGMT_6G_MASK 0xFFFFFFFF
 
-/* AKM wlan_crypto_key_mgmt 0-8, 12-15 and 24 are not allowed. */
-#define ALLOWED_KEYMGMT_6G_MASK 0xFEFF0E00
+/* AKM wlan_crypto_key_mgmt 1, 6, 8, 25 and 26 are not allowed. */
+#define ALLOWED_KEYMGMT_6G_MASK 0x01FFFEBD
 
 /*
  * enum fils_erp_cryptosuite: this enum defines the cryptosuites used
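Review bot: The new `ALLOWED_KEYMGMT_6G_MASK` admits far more than the old one, and neither the comment nor the commit message says why. `0x01FFFEBD` clears only bits 1, 6, 8 and 25–31, so AKM values 0, 2–5, 7, 12–15 and 24, all rejected by `0xFEFF0E00`, are now accepted for 6 GHz. Their names are outside the hunk, so which suites this lets through should be confirmed against the enum. Because this mask gates which APs pass the 6 GHz security check, I would build it from the named `WLAN_CRYPTO_KEY_MGMT_*` enumerators rather than a hex literal. The comment should name the rejected suites, so that the value and the comment cannot drift apart.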

+ 3 - 1
umac/cmn_services/crypto/src/wlan_crypto_def_i.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -266,6 +266,8 @@ static inline void wlan_crypto_put_be64(u8 *a, u64 val)
 #define RSN_AUTH_KEY_MGMT_FT_FILS_SHA384\
 					WLAN_RSN_SEL(17)
 #define RSN_AUTH_KEY_MGMT_OWE           WLAN_RSN_SEL(18)
+#define RSN_AUTH_KEY_MGMT_FT_PSK_SHA384 WLAN_RSN_SEL(19)
+#define RSN_AUTH_KEY_MGMT_PSK_SHA384    WLAN_RSN_SEL(20)
 
 #define RSN_AUTH_KEY_MGMT_CCKM          (WLAN_RSN_CCKM_AKM)
 #define RSN_AUTH_KEY_MGMT_OSEN          (0x019a6f50)

+ 4 - 0
umac/cmn_services/crypto/src/wlan_crypto_global_api.c

@@ -2647,6 +2647,10 @@ static int32_t wlan_crypto_rsn_suite_to_keymgmt(const uint8_t *sel)
 		return WLAN_CRYPTO_KEY_MGMT_DPP;
 	case RSN_AUTH_KEY_MGMT_FT_802_1X_SUITE_B_384:
 		return WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384;
+	case RSN_AUTH_KEY_MGMT_FT_PSK_SHA384:
+		return WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384;
+	case RSN_AUTH_KEY_MGMT_PSK_SHA384:
+		return WLAN_CRYPTO_KEY_MGMT_PSK_SHA384;
 	}
 
 	return status;

+ 3 - 1
umac/mlme/connection_mgr/core/src/wlan_cm_bss_scoring.c

@@ -1859,8 +1859,10 @@ bool wlan_cm_6ghz_allowed_for_akm(struct wlan_objmgr_psoc *psoc,
 		return false;
 
 	/* if check_6ghz_security is set validate all checks for 6Ghz */
-	if (!(rsn_caps & WLAN_CRYPTO_RSN_CAP_MFP_ENABLED))
+	if (!(rsn_caps & WLAN_CRYPTO_RSN_CAP_MFP_ENABLED)) {
+		mlme_debug("PMF not enabled for 6GHz AP");
 		return false;
+	}
 
 	/* for SAE we need to check H2E support */
 	if (!(QDF_HAS_PARAM(key_mgmt, WLAN_CRYPTO_KEY_MGMT_SAE) ||

+ 18 - 2
umac/scan/core/src/wlan_scan_cache_db.c

@@ -1045,15 +1045,31 @@ QDF_STATUS __scm_handle_bcn_probe(struct scan_bcn_probe_event *bcn)
 				qdf_mem_free(scan_node);
 				continue;
 			}
+			if ((QDF_HAS_PARAM(sec_params.ucastcipherset,
+					   WLAN_CRYPTO_CIPHER_NONE)) ||
+			    (QDF_HAS_PARAM(sec_params.ucastcipherset,
+					   WLAN_CRYPTO_CIPHER_TKIP)) ||
+			    (QDF_HAS_PARAM(sec_params.ucastcipherset,
+					   WLAN_CRYPTO_CIPHER_WEP_40)) ||
+			    (QDF_HAS_PARAM(sec_params.ucastcipherset,
+					   WLAN_CRYPTO_CIPHER_WEP_104))) {
+				scm_info("Drop frame from "QDF_MAC_ADDR_FMT
+					 ": Invalid sec type %0X for 6GHz AP",
+					 QDF_MAC_ADDR_REF(
+						 scan_entry->bssid.bytes),
+					 sec_params.ucastcipherset);
+				continue;
+			}
 			if (!wlan_cm_6ghz_allowed_for_akm(psoc,
 					sec_params.key_mgmt,
 					sec_params.rsn_caps,
 					util_scan_entry_rsnxe(scan_entry),
 					0, false)) {
 				scm_info("Drop frame from "QDF_MAC_ADDR_FMT
-					 ": Security check failed for 6GHz AP",
+					 ": Invalid AKM suite %0X for 6GHz AP",
 					 QDF_MAC_ADDR_REF(
-						scan_entry->bssid.bytes));
+						scan_entry->bssid.bytes),
+					 sec_params.key_mgmt);
 				util_scan_free_cache_entry(scan_entry);
 				qdf_mem_free(scan_node);
 				continue;
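Review bot: The new cipher-suite branch reaches `continue` without releasing `scan_entry` and `scan_node`, which the AKM branch directly below frees with `util_scan_free_cache_entry(scan_entry);` and `qdf_mem_free(scan_node);`. Unless both are released somewhere outside the hunk, every beacon or probe response on this 6 GHz path that advertises NONE, TKIP or WEP leaks an entry. Those frames can come from any transmitter in range, so the same two calls belong before this `continue`. Separately, the reworded message `Invalid AKM suite %0X` is printed for every false return of `wlan_cm_6ghz_allowed_for_akm`, including the PMF check in wlan_cm_bss_scoring.c, so it can name the wrong cause; `": Security check failed for 6GHz AP, key_mgmt %0X"` would stay accurate. `__scm_handle_bcn_probe` starts and ends outside the hunk.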