wpa_supplicant: Add macsec_integ_only setting for MKA

So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This commit is contained in:
Sabrina Dubroca 2016-11-02 16:38:37 +01:00 committed by Jouni Malinen
parent 008e224dbb
commit 7b4d546e3d
9 changed files with 38 additions and 1 deletions

View file

@ -25,6 +25,12 @@ enum macsec_policy {
* Disabled MACsec - do not secure sessions. * Disabled MACsec - do not secure sessions.
*/ */
DO_NOT_SECURE, DO_NOT_SECURE,
/**
* Should secure sessions, and try to use encryption.
* Like @SHOULD_SECURE, this follows the key server's decision.
*/
SHOULD_ENCRYPT,
}; };

View file

@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
} else { } else {
kay->macsec_desired = TRUE; kay->macsec_desired = TRUE;
kay->macsec_protect = TRUE; kay->macsec_protect = TRUE;
kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
kay->macsec_validate = Strict; kay->macsec_validate = Strict;
kay->macsec_replay_protect = FALSE; kay->macsec_replay_protect = FALSE;
kay->macsec_replay_window = 0; kay->macsec_replay_window = 0;

View file

@ -181,6 +181,7 @@ struct ieee802_1x_kay {
enum macsec_cap macsec_capable; enum macsec_cap macsec_capable;
Boolean macsec_desired; Boolean macsec_desired;
Boolean macsec_protect; Boolean macsec_protect;
Boolean macsec_encrypt;
Boolean macsec_replay_protect; Boolean macsec_replay_protect;
u32 macsec_replay_window; u32 macsec_replay_window;
enum validate_frames macsec_validate; enum validate_frames macsec_validate;

View file

@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {
{ INT(beacon_int) }, { INT(beacon_int) },
#ifdef CONFIG_MACSEC #ifdef CONFIG_MACSEC
{ INT_RANGE(macsec_policy, 0, 1) }, { INT_RANGE(macsec_policy, 0, 1) },
{ INT_RANGE(macsec_integ_only, 0, 1) },
{ FUNC_KEY(mka_cak) }, { FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) }, { FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */ #endif /* CONFIG_MACSEC */

View file

@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(macsec_policy); INT(macsec_policy);
write_mka_cak(f, ssid); write_mka_cak(f, ssid);
write_mka_ckn(f, ssid); write_mka_ckn(f, ssid);
INT(macsec_integ_only);
#endif /* CONFIG_MACSEC */ #endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20 #ifdef CONFIG_HS20
INT(update_identifier); INT(update_identifier);

View file

@ -729,6 +729,18 @@ struct wpa_ssid {
*/ */
int macsec_policy; int macsec_policy;
/**
* macsec_integ_only - Determines how MACsec are transmitted
*
* This setting applies only when MACsec is in use, i.e.,
* - macsec_policy is enabled
* - the key server has decided to enable MACsec
*
* 0: Encrypt traffic (default)
* 1: Integrity only
*/
int macsec_integ_only;
/** /**
* mka_ckn - MKA pre-shared CKN * mka_ckn - MKA pre-shared CKN
*/ */

View file

@ -1390,6 +1390,7 @@ static const char *network_fields[] = {
"ap_max_inactivity", "dtim_period", "beacon_int", "ap_max_inactivity", "dtim_period", "beacon_int",
#ifdef CONFIG_MACSEC #ifdef CONFIG_MACSEC
"macsec_policy", "macsec_policy",
"macsec_integ_only",
#endif /* CONFIG_MACSEC */ #endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20 #ifdef CONFIG_HS20
"update_identifier", "update_identifier",

View file

@ -892,6 +892,13 @@ fast_reauth=1
# 1: MACsec enabled - Should secure, accept key server's advice to # 1: MACsec enabled - Should secure, accept key server's advice to
# determine whether to use a secure session or not. # determine whether to use a secure session or not.
# #
# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
# This setting applies only when MACsec is in use, i.e.,
# - macsec_policy is enabled
# - the key server has decided to enable MACsec
# 0: Encrypt traffic (default)
# 1: Integrity only
#
# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode # mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as peers, one of # In this mode, instances of wpa_supplicant can act as peers, one of

View file

@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
if (!ssid || ssid->macsec_policy == 0) if (!ssid || ssid->macsec_policy == 0)
return 0; return 0;
policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE; if (ssid->macsec_policy == 1) {
if (ssid->macsec_integ_only == 1)
policy = SHOULD_SECURE;
else
policy = SHOULD_ENCRYPT;
} else {
policy = DO_NOT_SECURE;
}
kay_ctx = os_zalloc(sizeof(*kay_ctx)); kay_ctx = os_zalloc(sizeof(*kay_ctx));
if (!kay_ctx) if (!kay_ctx)