|
 |
6c9f0c |
From 1d3d0666a6ed345da39886426c4416a4debfd094 Mon Sep 17 00:00:00 2001
|
|
|
6c9f0c |
Message-Id: <1d3d0666a6ed345da39886426c4416a4debfd094.1488376602.git.dcaratti@redhat.com>
|
|
|
6c9f0c |
From: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
Date: Wed, 2 Nov 2016 16:38:38 +0100
|
|
|
6c9f0c |
Subject: [PATCH] mka: Add enable_encrypt op and call it from CP state machine
|
|
|
6c9f0c |
|
|
|
6c9f0c |
This allows MKA to turn encryption on/off down to the driver.
|
|
|
6c9f0c |
|
|
|
6c9f0c |
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
---
|
|
|
6c9f0c |
src/drivers/driver.h | 9 +++++++++
|
|
|
6c9f0c |
src/pae/ieee802_1x_cp.c | 4 ++++
|
|
|
6c9f0c |
src/pae/ieee802_1x_kay.h | 1 +
|
|
|
6c9f0c |
src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
|
|
|
6c9f0c |
src/pae/ieee802_1x_secy_ops.h | 1 +
|
|
|
6c9f0c |
wpa_supplicant/driver_i.h | 8 ++++++++
|
|
|
6c9f0c |
wpa_supplicant/wpas_kay.c | 7 +++++++
|
|
|
6c9f0c |
7 files changed, 50 insertions(+)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
|
|
|
6c9f0c |
index 9a6db90..0cb68ba 100644
|
|
|
6c9f0c |
--- a/src/drivers/driver.h
|
|
|
6c9f0c |
+++ b/src/drivers/driver.h
|
|
|
6c9f0c |
@@ -3339,6 +3339,15 @@ struct wpa_driver_ops {
|
|
|
6c9f0c |
int (*enable_protect_frames)(void *priv, Boolean enabled);
|
|
|
6c9f0c |
|
|
|
6c9f0c |
/**
|
|
|
6c9f0c |
+ * enable_encrypt - Set encryption status
|
|
|
6c9f0c |
+ * @priv: Private driver interface data
|
|
|
6c9f0c |
+ * @enabled: TRUE = encrypt outgoing traffic
|
|
|
6c9f0c |
+ * FALSE = integrity-only protection on outgoing traffic
|
|
|
6c9f0c |
+ * Returns: 0 on success, -1 on failure (or if not supported)
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
+ int (*enable_encrypt)(void *priv, Boolean enabled);
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ /**
|
|
|
6c9f0c |
* set_replay_protect - Set replay protect status and window size
|
|
|
6c9f0c |
* @priv: Private driver interface data
|
|
|
6c9f0c |
* @enabled: TRUE = replay protect enabled
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c
|
|
|
6c9f0c |
index e294e64..360fcd3 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_cp.c
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_cp.c
|
|
|
6c9f0c |
@@ -159,6 +159,7 @@ SM_STATE(CP, ALLOWED)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
|
|
|
6c9f0c |
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
|
|
|
6c9f0c |
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
|
|
6c9f0c |
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
|
|
6c9f0c |
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
@@ -177,6 +178,7 @@ SM_STATE(CP, AUTHENTICATED)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
|
|
|
6c9f0c |
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
|
|
|
6c9f0c |
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
|
|
6c9f0c |
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
|
|
6c9f0c |
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
@@ -203,6 +205,7 @@ SM_STATE(CP, SECURED)
|
|
|
6c9f0c |
secy_cp_control_confidentiality_offset(sm->kay,
|
|
|
6c9f0c |
sm->confidentiality_offset);
|
|
|
6c9f0c |
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
|
|
|
6c9f0c |
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
|
|
6c9f0c |
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
|
|
6c9f0c |
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
@@ -466,6 +469,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay)
|
|
|
6c9f0c |
wpa_printf(MSG_DEBUG, "CP: state machine created");
|
|
|
6c9f0c |
|
|
|
6c9f0c |
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
|
|
|
6c9f0c |
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
|
|
6c9f0c |
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
|
|
6c9f0c |
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
|
|
6c9f0c |
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
index 618e45b..fb49f62 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
@@ -142,6 +142,7 @@ struct ieee802_1x_kay_ctx {
|
|
|
6c9f0c |
int (*macsec_deinit)(void *ctx);
|
|
|
6c9f0c |
int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
|
|
|
6c9f0c |
int (*enable_protect_frames)(void *ctx, Boolean enabled);
|
|
|
6c9f0c |
+ int (*enable_encrypt)(void *ctx, Boolean enabled);
|
|
|
6c9f0c |
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
|
|
|
6c9f0c |
int (*set_current_cipher_suite)(void *ctx, u64 cs);
|
|
|
6c9f0c |
int (*enable_controlled_port)(void *ctx, Boolean enabled);
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
|
|
|
6c9f0c |
index b1a9d22..ab5339b 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_secy_ops.c
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_secy_ops.c
|
|
|
6c9f0c |
@@ -45,6 +45,26 @@ int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean enabled)
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, Boolean enabled)
|
|
|
6c9f0c |
+{
|
|
|
6c9f0c |
+ struct ieee802_1x_kay_ctx *ops;
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ if (!kay) {
|
|
|
6c9f0c |
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
|
|
|
6c9f0c |
+ return -1;
|
|
|
6c9f0c |
+ }
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ ops = kay->ctx;
|
|
|
6c9f0c |
+ if (!ops || !ops->enable_encrypt) {
|
|
|
6c9f0c |
+ wpa_printf(MSG_ERROR,
|
|
|
6c9f0c |
+ "KaY: secy enable_encrypt operation not supported");
|
|
|
6c9f0c |
+ return -1;
|
|
|
6c9f0c |
+ }
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ return ops->enable_encrypt(ops->ctx, enabled);
|
|
|
6c9f0c |
+}
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
|
|
|
6c9f0c |
{
|
|
|
6c9f0c |
struct ieee802_1x_kay_ctx *ops;
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
|
|
|
6c9f0c |
index 477120b..9fb29c3 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_secy_ops.h
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_secy_ops.h
|
|
|
6c9f0c |
@@ -21,6 +21,7 @@ int secy_deinit_macsec(struct ieee802_1x_kay *kay);
|
|
|
6c9f0c |
int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
|
|
|
6c9f0c |
enum validate_frames vf);
|
|
|
6c9f0c |
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
|
|
|
6c9f0c |
+int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, Boolean enabled);
|
|
|
6c9f0c |
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
|
|
|
6c9f0c |
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
|
|
|
6c9f0c |
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
|
|
|
6c9f0c |
index c9bb20d..cf08556 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/driver_i.h
|
|
|
6c9f0c |
+++ b/wpa_supplicant/driver_i.h
|
|
|
6c9f0c |
@@ -731,6 +731,14 @@ static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
|
|
|
6c9f0c |
return wpa_s->driver->enable_protect_frames(wpa_s->drv_priv, enabled);
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+static inline int wpa_drv_enable_encrypt(struct wpa_supplicant *wpa_s,
|
|
|
6c9f0c |
+ Boolean enabled)
|
|
|
6c9f0c |
+{
|
|
|
6c9f0c |
+ if (!wpa_s->driver->enable_encrypt)
|
|
|
6c9f0c |
+ return -1;
|
|
|
6c9f0c |
+ return wpa_s->driver->enable_encrypt(wpa_s->drv_priv, enabled);
|
|
|
6c9f0c |
+}
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
|
|
|
6c9f0c |
Boolean enabled, u32 window)
|
|
|
6c9f0c |
{
|
|
|
6c9f0c |
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
index 6343154..2ff4895 100644
|
|
|
6c9f0c |
--- a/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
+++ b/wpa_supplicant/wpas_kay.c
|
|
|
6c9f0c |
@@ -50,6 +50,12 @@ static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
|
|
|
6c9f0c |
}
|
|
|
6c9f0c |
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+static int wpas_enable_encrypt(void *wpa_s, Boolean enabled)
|
|
|
6c9f0c |
+{
|
|
|
6c9f0c |
+ return wpa_drv_enable_encrypt(wpa_s, enabled);
|
|
|
6c9f0c |
+}
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
|
|
|
6c9f0c |
{
|
|
|
6c9f0c |
return wpa_drv_set_replay_protect(wpa_s, enabled, window);
|
|
|
6c9f0c |
@@ -206,6 +212,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
|
|
6c9f0c |
kay_ctx->macsec_deinit = wpas_macsec_deinit;
|
|
|
6c9f0c |
kay_ctx->macsec_get_capability = wpas_macsec_get_capability;
|
|
|
6c9f0c |
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
|
|
|
6c9f0c |
+ kay_ctx->enable_encrypt = wpas_enable_encrypt;
|
|
|
6c9f0c |
kay_ctx->set_replay_protect = wpas_set_replay_protect;
|
|
|
6c9f0c |
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
|
|
|
6c9f0c |
kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
|
|
|
6c9f0c |
--
|
|
|
6c9f0c |
2.7.4
|
|
|
6c9f0c |
|