qcacmn: Update the security check mask for 6GHz AP (2cfc1dab) · Commits · e / devices / android_kernel_fairphone_FP5

umac/cmn_services/crypto/inc/wlan_crypto_global_def.h

+4 −2

Original line number	Diff line number	Diff line
		@@ -220,6 +220,8 @@ typedef enum wlan_crypto_key_mgmt {
		WLAN_CRYPTO_KEY_MGMT_OWE = 22,
		WLAN_CRYPTO_KEY_MGMT_DPP = 23,
		WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384 = 24,
		WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384 = 25,
		WLAN_CRYPTO_KEY_MGMT_PSK_SHA384 = 26,
		/** Keep WLAN_CRYPTO_KEY_MGMT_MAX at the end. */
		WLAN_CRYPTO_KEY_MGMT_MAX = WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384,
		} wlan_crypto_key_mgmt;
		@@ -235,8 +237,8 @@ enum wlan_crypto_key_type {

		#define DEFAULT_KEYMGMT_6G_MASK 0xFFFFFFFF

		/* AKM wlan_crypto_key_mgmt 0-8, 12-15 and 24 are not allowed. */
		#define ALLOWED_KEYMGMT_6G_MASK 0xFEFF0E00
		/* AKM wlan_crypto_key_mgmt 1, 6, 8, 25 and 26 are not allowed. */
		#define ALLOWED_KEYMGMT_6G_MASK 0x01FFFEBD

		/*
		* enum fils_erp_cryptosuite: this enum defines the cryptosuites used

+3 −1

Original line number	Diff line number	Diff line
		/*
		* Copyright (c) 2017-2020 The Linux Foundation. All rights reserved.
		* Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
		*
		* Permission to use, copy, modify, and/or distribute this software for
		* any purpose with or without fee is hereby granted, provided that the
		@@ -266,6 +266,8 @@ static inline void wlan_crypto_put_be64(u8 *a, u64 val)
		#define RSN_AUTH_KEY_MGMT_FT_FILS_SHA384\
		WLAN_RSN_SEL(17)
		#define RSN_AUTH_KEY_MGMT_OWE WLAN_RSN_SEL(18)
		#define RSN_AUTH_KEY_MGMT_FT_PSK_SHA384 WLAN_RSN_SEL(19)
		#define RSN_AUTH_KEY_MGMT_PSK_SHA384 WLAN_RSN_SEL(20)

		#define RSN_AUTH_KEY_MGMT_CCKM (WLAN_RSN_CCKM_AKM)
		#define RSN_AUTH_KEY_MGMT_OSEN (0x019a6f50)

+4 −0

Original line number	Diff line number	Diff line
		@@ -2627,6 +2627,10 @@ static int32_t wlan_crypto_rsn_suite_to_keymgmt(const uint8_t *sel)
		return WLAN_CRYPTO_KEY_MGMT_DPP;
		case RSN_AUTH_KEY_MGMT_FT_802_1X_SUITE_B_384:
		return WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384;
		case RSN_AUTH_KEY_MGMT_FT_PSK_SHA384:
		return WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384;
		case RSN_AUTH_KEY_MGMT_PSK_SHA384:
		return WLAN_CRYPTO_KEY_MGMT_PSK_SHA384;
		}

		return status;

+3 −1

Original line number	Diff line number	Diff line
		@@ -1848,8 +1848,10 @@ bool wlan_cm_6ghz_allowed_for_akm(struct wlan_objmgr_psoc *psoc,
		return false;

		/* if check_6ghz_security is set validate all checks for 6Ghz */
		if (!(rsn_caps & WLAN_CRYPTO_RSN_CAP_MFP_ENABLED))
		if (!(rsn_caps & WLAN_CRYPTO_RSN_CAP_MFP_ENABLED)) {
		mlme_debug("PMF not enabled for 6GHz AP");
		return false;
		}

		/* for SAE we need to check H2E support */
		if (!(QDF_HAS_PARAM(key_mgmt, WLAN_CRYPTO_KEY_MGMT_SAE) \|\|

+18 −2

Original line number	Diff line number	Diff line
		@@ -1038,15 +1038,31 @@ QDF_STATUS __scm_handle_bcn_probe(struct scan_bcn_probe_event *bcn)
		qdf_mem_free(scan_node);
		continue;
		}
		if ((QDF_HAS_PARAM(sec_params.ucastcipherset,
		WLAN_CRYPTO_CIPHER_NONE)) \|\|
		(QDF_HAS_PARAM(sec_params.ucastcipherset,
		WLAN_CRYPTO_CIPHER_TKIP)) \|\|
		(QDF_HAS_PARAM(sec_params.ucastcipherset,
		WLAN_CRYPTO_CIPHER_WEP_40)) \|\|
		(QDF_HAS_PARAM(sec_params.ucastcipherset,
		WLAN_CRYPTO_CIPHER_WEP_104))) {
		scm_info("Drop frame from "QDF_MAC_ADDR_FMT
		": Invalid sec type %0X for 6GHz AP",
		QDF_MAC_ADDR_REF(
		scan_entry->bssid.bytes),
		sec_params.ucastcipherset);
		continue;
		}
		if (!wlan_cm_6ghz_allowed_for_akm(psoc,
		sec_params.key_mgmt,
		sec_params.rsn_caps,
		util_scan_entry_rsnxe(scan_entry),
		0, false)) {
		scm_info("Drop frame from "QDF_MAC_ADDR_FMT
		": Security check failed for 6GHz AP",
		": Invalid AKM suite %0X for 6GHz AP",
		QDF_MAC_ADDR_REF(
		scan_entry->bssid.bytes));
		scan_entry->bssid.bytes),
		sec_params.key_mgmt);
		util_scan_free_cache_entry(scan_entry);
		qdf_mem_free(scan_node);
		continue;