mka: Fix conf_offset value in MKPDU when in policy mode SHOULD_SECURE
Commit 7b4d546e
("wpa_supplicant: Add macsec_integ_only setting for MKA") introduced policy setting SHOULD_ENCRYPT (MACsec provides integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides integrity only). In both cases the KaY is populating the "Confidentiality Offset" parameter within the "Distributed SAK parameter set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the parameter should be populated with CONFIDENTIALITY_NONE=0. IEEE Std 802.1X-2010, Table 11-6 and Figure 11-11 define how the two Confidentiality Offset bits in the "Distributed SAK parameter set" must be set: "0 if confidentiality not used" and "1 if confidentiality with no offset". When policy is SHOULD_SECURE KaY should send the former, and when policy is SHOULD_ENCRYPT KaY should send the latter. Fixes: 7b4d546e3d
("wpa_supplicant: Add macsec_integ_only setting for MKA") Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
parent
b678ed1efc
commit
5864545492
1 changed files with 9 additions and 5 deletions
|
@ -3188,6 +3188,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
|||
kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
|
||||
kay->macsec_desired = FALSE;
|
||||
kay->macsec_protect = FALSE;
|
||||
kay->macsec_encrypt = FALSE;
|
||||
kay->macsec_validate = Disabled;
|
||||
kay->macsec_replay_protect = FALSE;
|
||||
kay->macsec_replay_window = 0;
|
||||
|
@ -3195,14 +3196,17 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
|||
} else {
|
||||
kay->macsec_desired = TRUE;
|
||||
kay->macsec_protect = TRUE;
|
||||
kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
|
||||
if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF &&
|
||||
policy == SHOULD_ENCRYPT) {
|
||||
kay->macsec_encrypt = TRUE;
|
||||
kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
|
||||
} else { /* SHOULD_SECURE */
|
||||
kay->macsec_encrypt = FALSE;
|
||||
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
||||
}
|
||||
kay->macsec_validate = Strict;
|
||||
kay->macsec_replay_protect = FALSE;
|
||||
kay->macsec_replay_window = 0;
|
||||
if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
|
||||
kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
|
||||
else
|
||||
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
||||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG, "KaY: state machine created");
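Review bot: The branch commented `/* SHOULD_SECURE */` in the second hunk is also taken when `policy == SHOULD_ENCRYPT` but `kay->macsec_capable` is below `MACSEC_CAP_INTEG_AND_CONF`, so a request for confidentiality falls back to integrity-only without any trace in the log. Where `macsec_capable` is assigned is outside the hunk, so whether that combination can occur in practice should be confirmed. If the fallback is intended, the comment should say so, e.g. `} else { /* SHOULD_SECURE, or SHOULD_ENCRYPT without confidentiality capability */`. An operator auditing link protection would also want a log line inside that branch, such as `if (policy == SHOULD_ENCRYPT) wpa_printf(MSG_INFO, "KaY: encryption requested but not supported - using integrity only");`. The body of ieee802_1x_kay_init starts and ends outside the hunk.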
|
||||
|
|