|
 |
6c9f0c |
From 7b4d546e3dae57a39e50a91e47b8fcf3447b4978 Mon Sep 17 00:00:00 2001
|
|
|
6c9f0c |
Message-Id: <7b4d546e3dae57a39e50a91e47b8fcf3447b4978.1488376601.git.dcaratti@redhat.com>
|
|
|
6c9f0c |
From: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
Date: Wed, 2 Nov 2016 16:38:37 +0100
|
|
|
6c9f0c |
Subject: [PATCH] wpa_supplicant: Add macsec_integ_only setting for MKA
|
|
|
6c9f0c |
|
|
|
6c9f0c |
So that the user can turn encryption on (MACsec provides
|
|
|
6c9f0c |
confidentiality+integrity) or off (MACsec provides integrity only). This
|
|
|
6c9f0c |
commit adds the configuration parameter while the actual behavior change
|
|
|
6c9f0c |
to disable encryption in the driver is handled in the following commit.
|
|
|
6c9f0c |
|
|
|
6c9f0c |
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
---
|
|
|
6c9f0c |
src/common/ieee802_1x_defs.h | 6 ++++++
|
|
|
6c9f0c |
src/pae/ieee802_1x_kay.c | 1 +
|
|
|
6c9f0c |
src/pae/ieee802_1x_kay.h | 1 +
|
|
|
6c9f0c |
wpa_supplicant/config.c | 1 +
|
|
|
6c9f0c |
wpa_supplicant/config_file.c | 1 +
|
|
|
6c9f0c |
wpa_supplicant/config_ssid.h | 12 ++++++++++++
|
|
|
6c9f0c |
wpa_supplicant/wpa_cli.c | 1 +
|
|
|
6c9f0c |
wpa_supplicant/wpa_supplicant.conf | 7 +++++++
|
|
|
6c9f0c |
wpa_supplicant/wpas_kay.c | 9 ++++++++-
|
|
|
6c9f0c |
9 files changed, 38 insertions(+), 1 deletion(-)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h
|
|
|
6c9f0c |
index a0c1d1b..280c439 100644
|
|
|
6c9f0c |
--- a/src/common/ieee802_1x_defs.h
|
|
|
6c9f0c |
+++ b/src/common/ieee802_1x_defs.h
|
|
|
6c9f0c |
@@ -25,6 +25,12 @@ enum macsec_policy {
|
|
|
6c9f0c |
* Disabled MACsec - do not secure sessions.
|
|
|
6c9f0c |
*/
|
|
|
6c9f0c |
DO_NOT_SECURE,
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ /**
|
|
|
6c9f0c |
+ * Should secure sessions, and try to use encryption.
|
|
|
6c9f0c |
+ * Like @SHOULD_SECURE, this follows the key server's decision.
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
+ SHOULD_ENCRYPT,
|
|
|
6c9f0c |
};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
|
|
|
6c9f0c |
index 19b2c2f..7664e2d 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_kay.c
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_kay.c
|
|
|
6c9f0c |
@@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
|
|
6c9f0c |
} else {
|
|
|
6c9f0c |
kay->macsec_desired = TRUE;
|
|
|
6c9f0c |
kay->macsec_protect = TRUE;
|
|
|
6c9f0c |
+ kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
|
|
|
6c9f0c |
kay->macsec_validate = Strict;
|
|
|
6c9f0c |
kay->macsec_replay_protect = FALSE;
|
|
|
6c9f0c |
kay->macsec_replay_window = 0;
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
index 576a8a0..618e45b 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
@@ -181,6 +181,7 @@ struct ieee802_1x_kay {
|
|
|
6c9f0c |
enum macsec_cap macsec_capable;
|
|
|
6c9f0c |
Boolean macsec_desired;
|
|
|
6c9f0c |
Boolean macsec_protect;
|
|
|
6c9f0c |
+ Boolean macsec_encrypt;
|
|
|
6c9f0c |
Boolean macsec_replay_protect;
|
|
|
6c9f0c |
u32 macsec_replay_window;
|
|
|
6c9f0c |
enum validate_frames macsec_validate;
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
|
|
|
6c9f0c |
index 9011389..afb631e 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/config.c
|
|
|
6c9f0c |
+++ b/wpa_supplicant/config.c
|
|
|
6c9f0c |
@@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {
|
|
|
6c9f0c |
{ INT(beacon_int) },
|
|
|
6c9f0c |
#ifdef CONFIG_MACSEC
|
|
|
6c9f0c |
{ INT_RANGE(macsec_policy, 0, 1) },
|
|
|
6c9f0c |
+ { INT_RANGE(macsec_integ_only, 0, 1) },
|
|
|
6c9f0c |
{ FUNC_KEY(mka_cak) },
|
|
|
6c9f0c |
{ FUNC_KEY(mka_ckn) },
|
|
|
6c9f0c |
#endif /* CONFIG_MACSEC */
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
|
|
|
6c9f0c |
index 172508e..f605fa9 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/config_file.c
|
|
|
6c9f0c |
+++ b/wpa_supplicant/config_file.c
|
|
|
6c9f0c |
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
|
|
6c9f0c |
INT(macsec_policy);
|
|
|
6c9f0c |
write_mka_cak(f, ssid);
|
|
|
6c9f0c |
write_mka_ckn(f, ssid);
|
|
|
6c9f0c |
+ INT(macsec_integ_only);
|
|
|
6c9f0c |
#endif /* CONFIG_MACSEC */
|
|
|
6c9f0c |
#ifdef CONFIG_HS20
|
|
|
6c9f0c |
INT(update_identifier);
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
|
|
|
6c9f0c |
index a530cda..b8c3192 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/config_ssid.h
|
|
|
6c9f0c |
+++ b/wpa_supplicant/config_ssid.h
|
|
|
6c9f0c |
@@ -730,6 +730,18 @@ struct wpa_ssid {
|
|
|
6c9f0c |
int macsec_policy;
|
|
|
6c9f0c |
|
|
|
6c9f0c |
/**
|
|
|
6c9f0c |
+ * macsec_integ_only - Determines how MACsec are transmitted
|
|
|
6c9f0c |
+ *
|
|
|
6c9f0c |
+ * This setting applies only when MACsec is in use, i.e.,
|
|
|
6c9f0c |
+ * - macsec_policy is enabled
|
|
|
6c9f0c |
+ * - the key server has decided to enable MACsec
|
|
|
6c9f0c |
+ *
|
|
|
6c9f0c |
+ * 0: Encrypt traffic (default)
|
|
|
6c9f0c |
+ * 1: Integrity only
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
+ int macsec_integ_only;
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ /**
|
|
|
6c9f0c |
* mka_ckn - MKA pre-shared CKN
|
|
|
6c9f0c |
*/
|
|
|
6c9f0c |
#define MACSEC_CKN_LEN 32
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
|
|
|
6c9f0c |
index 4877989..aed95e6 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/wpa_cli.c
|
|
|
6c9f0c |
+++ b/wpa_supplicant/wpa_cli.c
|
|
|
6c9f0c |
@@ -1390,6 +1390,7 @@ static const char *network_fields[] = {
|
|
|
6c9f0c |
"ap_max_inactivity", "dtim_period", "beacon_int",
|
|
|
6c9f0c |
#ifdef CONFIG_MACSEC
|
|
|
6c9f0c |
"macsec_policy",
|
|
|
6c9f0c |
+ "macsec_integ_only",
|
|
|
6c9f0c |
#endif /* CONFIG_MACSEC */
|
|
|
6c9f0c |
#ifdef CONFIG_HS20
|
|
|
6c9f0c |
"update_identifier",
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
|
|
|
6c9f0c |
index 8fa740b..b23c5e6 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/wpa_supplicant.conf
|
|
|
6c9f0c |
+++ b/wpa_supplicant/wpa_supplicant.conf
|
|
|
6c9f0c |
@@ -892,6 +892,13 @@ fast_reauth=1
|
|
|
6c9f0c |
# 1: MACsec enabled - Should secure, accept key server's advice to
|
|
|
6c9f0c |
# determine whether to use a secure session or not.
|
|
|
6c9f0c |
#
|
|
|
6c9f0c |
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
|
|
|
6c9f0c |
+# This setting applies only when MACsec is in use, i.e.,
|
|
|
6c9f0c |
+# - macsec_policy is enabled
|
|
|
6c9f0c |
+# - the key server has decided to enable MACsec
|
|
|
6c9f0c |
+# 0: Encrypt traffic (default)
|
|
|
6c9f0c |
+# 1: Integrity only
|
|
|
6c9f0c |
+#
|
|
|
6c9f0c |
# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
|
|
|
6c9f0c |
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
|
|
|
6c9f0c |
# In this mode, instances of wpa_supplicant can act as peers, one of
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
index 80b98d9..6343154 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
+++ b/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
@@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
|
|
6c9f0c |
if (!ssid || ssid->macsec_policy == 0)
|
|
|
6c9f0c |
return 0;
|
|
|
6c9f0c |
|
|
|
6c9f0c |
- policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
|
|
|
6c9f0c |
+ if (ssid->macsec_policy == 1) {
|
|
|
6c9f0c |
+ if (ssid->macsec_integ_only == 1)
|
|
|
6c9f0c |
+ policy = SHOULD_SECURE;
|
|
|
6c9f0c |
+ else
|
|
|
6c9f0c |
+ policy = SHOULD_ENCRYPT;
|
|
|
6c9f0c |
+ } else {
|
|
|
6c9f0c |
+ policy = DO_NOT_SECURE;
|
|
|
6c9f0c |
+ }
|
|
|
6c9f0c |
|
|
|
6c9f0c |
kay_ctx = os_zalloc(sizeof(*kay_ctx));
|
|
|
6c9f0c |
if (!kay_ctx)
|
|
|
6c9f0c |
--
|
|
|
6c9f0c |
2.7.4
|
|
|
6c9f0c |
|