rpms / wpa_supplicant

Clone
Source Code
GIT

Blame SOURCES/macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   41389ac197f405de674bd7794fb1309f9de10e2f
  2.   SOURCES
  3.   macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
Blob History Raw
41389a 
From a25e4efc9e428d968e83398bd8c9c94698ba5851 Mon Sep 17 00:00:00 2001
41389a 
Message-Id: <a25e4efc9e428d968e83398bd8c9c94698ba5851.1488376601.git.dcaratti@redhat.com>
41389a 
From: Sabrina Dubroca <sd@queasysnail.net>
41389a 
Date: Fri, 7 Oct 2016 12:08:12 +0200
41389a 
Subject: [PATCH] mka: Add driver op to get macsec capabilities
41389a
41389a 
This also implements the macsec_get_capability for the macsec_qca
41389a 
driver to maintain the existing behavior.
41389a
41389a 
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
41389a 
---
41389a 
 src/drivers/driver.h            |  8 ++++++++
41389a 
 src/drivers/driver_macsec_qca.c | 11 +++++++++++
41389a 
 src/pae/ieee802_1x_kay.c        | 18 ++++++++++++++++--
41389a 
 src/pae/ieee802_1x_kay.h        |  1 +
41389a 
 src/pae/ieee802_1x_secy_ops.c   | 20 ++++++++++++++++++++
41389a 
 src/pae/ieee802_1x_secy_ops.h   |  1 +
41389a 
 wpa_supplicant/driver_i.h       |  8 ++++++++
41389a 
 wpa_supplicant/wpas_kay.c       |  7 +++++++
41389a 
 8 files changed, 72 insertions(+), 2 deletions(-)
41389a
41389a 
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
41389a 
index a57aa53..ea4a41f 100644
41389a 
--- a/src/drivers/driver.h
41389a 
+++ b/src/drivers/driver.h
41389a 
@@ -3298,6 +3298,14 @@ struct wpa_driver_ops {
41389a 
 	int (*macsec_deinit)(void *priv);
41389a
41389a 
 	/**
41389a 
+	 * macsec_get_capability - Inform MKA of this driver's capability
41389a 
+	 * @priv: Private driver interface data
41389a 
+	 * @cap: Driver's capability
41389a 
+	 * Returns: 0 on success, -1 on failure
41389a 
+	 */
41389a 
+	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
41389a 
+
41389a 
+	/**
41389a 
 	 * enable_protect_frames - Set protect frames status
41389a 
 	 * @priv: Private driver interface data
41389a 
 	 * @enabled: TRUE = protect frames enabled
41389a 
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
41389a 
index 385f7c5..041bcf5 100644
41389a 
--- a/src/drivers/driver_macsec_qca.c
41389a 
+++ b/src/drivers/driver_macsec_qca.c
41389a 
@@ -458,6 +458,16 @@ static int macsec_qca_macsec_deinit(void *priv)
41389a 
 }
41389a
41389a
41389a 
+static int macsec_qca_get_capability(void *priv, enum macsec_cap *cap)
41389a 
+{
41389a 
+	wpa_printf(MSG_DEBUG, "%s", __func__);
41389a 
+
41389a 
+	*cap = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
41389a 
+
41389a 
+	return 0;
41389a 
+}
41389a 
+
41389a 
+
41389a 
 static int macsec_qca_enable_protect_frames(void *priv, Boolean enabled)
41389a 
 {
41389a 
 	struct macsec_qca_data *drv = priv;
41389a 
@@ -889,6 +899,7 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
41389a
41389a 
 	.macsec_init = macsec_qca_macsec_init,
41389a 
 	.macsec_deinit = macsec_qca_macsec_deinit,
41389a 
+	.macsec_get_capability = macsec_qca_get_capability,
41389a 
 	.enable_protect_frames = macsec_qca_enable_protect_frames,
41389a 
 	.set_replay_protect = macsec_qca_set_replay_protect,
41389a 
 	.set_current_cipher_suite = macsec_qca_set_current_cipher_suite,
41389a 
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
41389a 
index a8e7efc..52eeeff 100644
41389a 
--- a/src/pae/ieee802_1x_kay.c
41389a 
+++ b/src/pae/ieee802_1x_kay.c
41389a 
@@ -3069,13 +3069,20 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
41389a 
 		kay->macsec_replay_window = 0;
41389a 
 		kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
41389a 
 	} else {
41389a 
-		kay->macsec_capable = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
41389a 
+		if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
41389a 
+			os_free(kay);
41389a 
+			return NULL;
41389a 
+		}
41389a 
+
41389a 
 		kay->macsec_desired = TRUE;
41389a 
 		kay->macsec_protect = TRUE;
41389a 
 		kay->macsec_validate = Strict;
41389a 
 		kay->macsec_replay_protect = FALSE;
41389a 
 		kay->macsec_replay_window = 0;
41389a 
-		kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
41389a 
+		if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
41389a 
+			kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
41389a 
+		else
41389a 
+			kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
41389a 
 	}
41389a
41389a 
 	wpa_printf(MSG_DEBUG, "KaY: state machine created");
41389a 
@@ -3409,6 +3416,7 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
41389a 
 				   unsigned int cs_index)
41389a 
 {
41389a 
 	struct ieee802_1x_mka_participant *participant;
41389a 
+	enum macsec_cap secy_cap;
41389a
41389a 
 	if (!kay)
41389a 
 		return -1;
41389a 
@@ -3427,6 +3435,12 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
41389a 
 	kay->macsec_csindex = cs_index;
41389a 
 	kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
41389a
41389a 
+	if (secy_get_capability(kay, &secy_cap) < 0)
41389a 
+		return -3;
41389a 
+
41389a 
+	if (kay->macsec_capable > secy_cap)
41389a 
+		kay->macsec_capable = secy_cap;
41389a 
+
41389a 
 	participant = ieee802_1x_kay_get_principal_participant(kay);
41389a 
 	if (participant) {
41389a 
 		wpa_printf(MSG_INFO, "KaY: Cipher Suite changed");
41389a 
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
41389a 
index 144ee90..bf6fbe5 100644
41389a 
--- a/src/pae/ieee802_1x_kay.h
41389a 
+++ b/src/pae/ieee802_1x_kay.h
41389a 
@@ -138,6 +138,7 @@ struct ieee802_1x_kay_ctx {
41389a 
 	/* abstract wpa driver interface */
41389a 
 	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
41389a 
 	int (*macsec_deinit)(void *ctx);
41389a 
+	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
41389a 
 	int (*enable_protect_frames)(void *ctx, Boolean enabled);
41389a 
 	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
41389a 
 	int (*set_current_cipher_suite)(void *ctx, u64 cs);
41389a 
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
41389a 
index b8fcf05..32ee816 100644
41389a 
--- a/src/pae/ieee802_1x_secy_ops.c
41389a 
+++ b/src/pae/ieee802_1x_secy_ops.c
41389a 
@@ -113,6 +113,26 @@ int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean enabled)
41389a 
 }
41389a
41389a
41389a 
+int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap)
41389a 
+{
41389a 
+	struct ieee802_1x_kay_ctx *ops;
41389a 
+
41389a 
+	if (!kay) {
41389a 
+		wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
41389a 
+		return -1;
41389a 
+	}
41389a 
+
41389a 
+	ops = kay->ctx;
41389a 
+	if (!ops || !ops->macsec_get_capability) {
41389a 
+		wpa_printf(MSG_ERROR,
41389a 
+			   "KaY: secy macsec_get_capability operation not supported");
41389a 
+		return -1;
41389a 
+	}
41389a 
+
41389a 
+	return ops->macsec_get_capability(ops->ctx, cap);
41389a 
+}
41389a 
+
41389a 
+
41389a 
 int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
41389a 
 			       struct receive_sa *rxsa)
41389a 
 {
41389a 
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
41389a 
index 120ca3c..bfd5737 100644
41389a 
--- a/src/pae/ieee802_1x_secy_ops.h
41389a 
+++ b/src/pae/ieee802_1x_secy_ops.h
41389a 
@@ -28,6 +28,7 @@ int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
41389a 
 int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
41389a
41389a 
 /****** KaY -> SecY *******/
41389a 
+int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap);
41389a 
 int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
41389a 
 			       struct receive_sa *rxsa);
41389a 
 int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
41389a 
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
41389a 
index d47395c..5d5dcf0 100644
41389a 
--- a/wpa_supplicant/driver_i.h
41389a 
+++ b/wpa_supplicant/driver_i.h
41389a 
@@ -715,6 +715,14 @@ static inline int wpa_drv_macsec_deinit(struct wpa_supplicant *wpa_s)
41389a 
 	return wpa_s->driver->macsec_deinit(wpa_s->drv_priv);
41389a 
 }
41389a
41389a 
+static inline int wpa_drv_macsec_get_capability(struct wpa_supplicant *wpa_s,
41389a 
+						enum macsec_cap *cap)
41389a 
+{
41389a 
+	if (!wpa_s->driver->macsec_get_capability)
41389a 
+		return -1;
41389a 
+	return wpa_s->driver->macsec_get_capability(wpa_s->drv_priv, cap);
41389a 
+}
41389a 
+
41389a 
 static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
41389a 
 						Boolean enabled)
41389a 
 {
41389a 
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
41389a 
index 4163b61..29b7b56 100644
41389a 
--- a/wpa_supplicant/wpas_kay.c
41389a 
+++ b/wpa_supplicant/wpas_kay.c
41389a 
@@ -38,6 +38,12 @@ static int wpas_macsec_deinit(void *priv)
41389a 
 }
41389a
41389a
41389a 
+static int wpas_macsec_get_capability(void *priv, enum macsec_cap *cap)
41389a 
+{
41389a 
+	return wpa_drv_macsec_get_capability(priv, cap);
41389a 
+}
41389a 
+
41389a 
+
41389a 
 static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
41389a 
 {
41389a 
 	return wpa_drv_enable_protect_frames(wpa_s, enabled);
41389a 
@@ -191,6 +197,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
41389a
41389a 
 	kay_ctx->macsec_init = wpas_macsec_init;
41389a 
 	kay_ctx->macsec_deinit = wpas_macsec_deinit;
41389a 
+	kay_ctx->macsec_get_capability = wpas_macsec_get_capability;
41389a 
 	kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
41389a 
 	kay_ctx->set_replay_protect = wpas_set_replay_protect;
41389a 
 	kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
41389a 
--
41389a 
2.7.4
41389a

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation