wpa_supplicant: Add macsec_integ_only setting for MKA
This lets the user turn encryption on (MACsec provides confidentiality+integrity) or off (MACsec provides integrity only). This commit adds the configuration parameter; the actual behavior change that disables encryption in the driver is handled in the following commit. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
							parent
							
								
									008e224dbb
								
							
						
					
					
						commit
						7b4d546e3d
					
				
					 9 changed files with 38 additions and 1 deletions
				
			
		|  | @ -25,6 +25,12 @@ enum macsec_policy { | |||
| 	 * Disabled MACsec - do not secure sessions. | ||||
| 	 */ | ||||
| 	DO_NOT_SECURE, | ||||
| 
 | ||||
| 	/**
 | ||||
| 	 * Should secure sessions, and try to use encryption. | ||||
| 	 * Like @SHOULD_SECURE, this follows the key server's decision. | ||||
| 	 */ | ||||
| 	SHOULD_ENCRYPT, | ||||
| }; | ||||
| 
 | ||||
| 
 | ||||
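Review bot: The new comment on SHOULD_ENCRYPT only says "try to use encryption", which does not let a reader tell it apart from SHOULD_SECURE now that wpas_kay.c maps macsec_integ_only=1 to SHOULD_SECURE and macsec_integ_only=0 to SHOULD_ENCRYPT. The existing SHOULD_SECURE comment sits above this hunk and is not visible here, but it should now state that it means integrity protection without encryption. I would make the contrast explicit in the new entry: `* Should secure sessions, and try to use encryption (confidentiality+integrity); SHOULD_SECURE is integrity-only.` The enum is declared outside the hunk.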
|  |  | |||
|  | @ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, | |||
| 	} else { | ||||
| 		kay->macsec_desired = TRUE; | ||||
| 		kay->macsec_protect = TRUE; | ||||
| 		kay->macsec_encrypt = policy == SHOULD_ENCRYPT; | ||||
| 		kay->macsec_validate = Strict; | ||||
| 		kay->macsec_replay_protect = FALSE; | ||||
| 		kay->macsec_replay_window = 0; | ||||
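Review bot: `kay->macsec_encrypt` is derived here purely from the local policy, while the new enum comment says SHOULD_ENCRYPT follows the key server's decision; nothing in this hunk reconciles the two, and the description defers the driver-side use to the next commit. A comment on the assignment would help the next reader, e.g. `/* Local preference only; what the key server distributes with the SAK decides the cipher actually used */` — assuming that is the intended design, which cannot be confirmed from this hunk. The branch handling the other policy is above the hunk; if kay is not zero-allocated, macsec_encrypt should be set to FALSE there as well. Writing the assignment as `kay->macsec_encrypt = (policy == SHOULD_ENCRYPT);` reads more clearly than the bare comparison.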
|  |  | |||
|  | @ -181,6 +181,7 @@ struct ieee802_1x_kay { | |||
| 	enum macsec_cap macsec_capable; | ||||
| 	Boolean macsec_desired; | ||||
| 	Boolean macsec_protect; | ||||
| 	Boolean macsec_encrypt; | ||||
| 	Boolean macsec_replay_protect; | ||||
| 	u32 macsec_replay_window; | ||||
| 	enum validate_frames macsec_validate; | ||||
|  |  | |||
|  | @ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = { | |||
| 	{ INT(beacon_int) }, | ||||
| #ifdef CONFIG_MACSEC | ||||
| 	{ INT_RANGE(macsec_policy, 0, 1) }, | ||||
| 	{ INT_RANGE(macsec_integ_only, 0, 1) }, | ||||
| 	{ FUNC_KEY(mka_cak) }, | ||||
| 	{ FUNC_KEY(mka_ckn) }, | ||||
| #endif /* CONFIG_MACSEC */ | ||||
|  |  | |||
|  | @ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) | |||
| 	INT(macsec_policy); | ||||
| 	write_mka_cak(f, ssid); | ||||
| 	write_mka_ckn(f, ssid); | ||||
| 	INT(macsec_integ_only); | ||||
| #endif /* CONFIG_MACSEC */ | ||||
| #ifdef CONFIG_HS20 | ||||
| 	INT(update_identifier); | ||||
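Review bot: `INT(macsec_integ_only);` is written after the mka_cak/mka_ckn lines, whereas the parse table in config.c lists it immediately after macsec_policy; keeping the write order aligned with the parse order makes the two tables easier to compare when MACsec fields are added. I would move it up so the pair reads `INT(macsec_policy);` followed by `INT(macsec_integ_only);`. Whether INT() skips zero-valued fields is not visible here; if it does, the default of 0 is simply not written, which is consistent with 0 being the documented default.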
|  |  | |||
|  | @ -729,6 +729,18 @@ struct wpa_ssid { | |||
| 	 */ | ||||
| 	int macsec_policy; | ||||
| 
 | ||||
| 	/**
 | ||||
| 	 * macsec_integ_only - Determines how MACsec are transmitted | ||||
| 	 * | ||||
| 	 * This setting applies only when MACsec is in use, i.e., | ||||
| 	 *  - macsec_policy is enabled | ||||
| 	 *  - the key server has decided to enable MACsec | ||||
| 	 * | ||||
| 	 * 0: Encrypt traffic (default) | ||||
| 	 * 1: Integrity only | ||||
| 	 */ | ||||
| 	int macsec_integ_only; | ||||
| 
 | ||||
| 	/**
 | ||||
| 	 * mka_ckn - MKA pre-shared CKN | ||||
| 	 */ | ||||
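Review bot: The description line `macsec_integ_only - Determines how MACsec are transmitted` is missing a noun; `macsec_integ_only - Determines how MACsec frames are transmitted` reads correctly. The comment should also spell out the security consequence of value 1, since the name alone does not: `1: Integrity only (frames are authenticated, but the payload is sent in cleartext)`. It would also be worth noting that, per the commit description, the driver-side switch that actually disables encryption arrives in a follow-up commit, so on this commit alone the value is stored but has no effect on the wire.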
|  |  | |||
|  | @ -1390,6 +1390,7 @@ static const char *network_fields[] = { | |||
| 	"ap_max_inactivity", "dtim_period", "beacon_int", | ||||
| #ifdef CONFIG_MACSEC | ||||
| 	"macsec_policy", | ||||
| 	"macsec_integ_only", | ||||
| #endif /* CONFIG_MACSEC */ | ||||
| #ifdef CONFIG_HS20 | ||||
| 	"update_identifier", | ||||
|  |  | |||
|  | @ -892,6 +892,13 @@ fast_reauth=1 | |||
| # 1: MACsec enabled - Should secure, accept key server's advice to | ||||
| #    determine whether to use a secure session or not. | ||||
| # | ||||
| # macsec_integ_only: IEEE 802.1X/MACsec transmit mode | ||||
| # This setting applies only when MACsec is in use, i.e., | ||||
| #  - macsec_policy is enabled | ||||
| #  - the key server has decided to enable MACsec | ||||
| # 0: Encrypt traffic (default) | ||||
| # 1: Integrity only | ||||
| # | ||||
| # mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode | ||||
| # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. | ||||
| # In this mode, instances of wpa_supplicant can act as peers, one of | ||||
|  |  | |||
|  | @ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) | |||
| 	if (!ssid || ssid->macsec_policy == 0) | ||||
| 		return 0; | ||||
| 
 | ||||
| 	policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE; | ||||
| 	if (ssid->macsec_policy == 1) { | ||||
| 		if (ssid->macsec_integ_only == 1) | ||||
| 			policy = SHOULD_SECURE; | ||||
| 		else | ||||
| 			policy = SHOULD_ENCRYPT; | ||||
| 	} else { | ||||
| 		policy = DO_NOT_SECURE; | ||||
| 	} | ||||
| 
 | ||||
| 	kay_ctx = os_zalloc(sizeof(*kay_ctx)); | ||||
| 	if (!kay_ctx) | ||||
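Review bot: The `else { policy = DO_NOT_SECURE; }` arm is unreachable as far as this hunk shows: macsec_policy == 0 already returned at the top of the function, and the parser bounds the field to 0..1 via INT_RANGE in config.c, so only the value 1 reaches this point. The block can collapse to a single line keyed on the new field, `policy = ssid->macsec_integ_only ? SHOULD_SECURE : SHOULD_ENCRYPT;`, which also drops the `== 1` test on what is documented as a 0/1 flag. If the defensive arm is kept on purpose (for example for values set outside the parser), a one-line comment saying so would stop the next reader from removing it. The rest of ieee802_1x_alloc_kay_sm continues below the hunk.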
|  |  | |||
	 Sabrina Dubroca
						Sabrina Dubroca