base/SOURCES/macsec-0015-wpa_supplicant-...

From 7b4d546e3dae57a39e50a91e47b8fcf3447b4978 Mon Sep 17 00:00:00 2001
Message-Id: <7b4d546e3dae57a39e50a91e47b8fcf3447b4978.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:37 +0100
Subject: [PATCH] wpa_supplicant: Add macsec_integ_only setting for MKA

So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 src/common/ieee802_1x_defs.h       |  6 ++++++
 src/pae/ieee802_1x_kay.c           |  1 +
 src/pae/ieee802_1x_kay.h           |  1 +
 wpa_supplicant/config.c            |  1 +
 wpa_supplicant/config_file.c       |  1 +
 wpa_supplicant/config_ssid.h       | 12 ++++++++++++
 wpa_supplicant/wpa_cli.c           |  1 +
 wpa_supplicant/wpa_supplicant.conf |  7 +++++++
 wpa_supplicant/wpas_kay.c          |  9 ++++++++-
 9 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h
index a0c1d1b..280c439 100644
--- a/src/common/ieee802_1x_defs.h
+++ b/src/common/ieee802_1x_defs.h
@@ -25,6 +25,12 @@ enum macsec_policy {
 	 * Disabled MACsec - do not secure sessions.
 	 */
 	DO_NOT_SECURE,
+
+	/**
+	 * Should secure sessions, and try to use encryption.
+	 * Like @SHOULD_SECURE, this follows the key server's decision.
+	 */
+	SHOULD_ENCRYPT,
 };
 
 
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 19b2c2f..7664e2d 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 	} else {
 		kay->macsec_desired = TRUE;
 		kay->macsec_protect = TRUE;
+		kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
 		kay->macsec_validate = Strict;
 		kay->macsec_replay_protect = FALSE;
 		kay->macsec_replay_window = 0;
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 576a8a0..618e45b 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -181,6 +181,7 @@ struct ieee802_1x_kay {
 	enum macsec_cap macsec_capable;
 	Boolean macsec_desired;
 	Boolean macsec_protect;
+	Boolean macsec_encrypt;
 	Boolean macsec_replay_protect;
 	u32 macsec_replay_window;
 	enum validate_frames macsec_validate;
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 9011389..afb631e 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {
 	{ INT(beacon_int) },
 #ifdef CONFIG_MACSEC
 	{ INT_RANGE(macsec_policy, 0, 1) },
+	{ INT_RANGE(macsec_integ_only, 0, 1) },
 	{ FUNC_KEY(mka_cak) },
 	{ FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 172508e..f605fa9 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	INT(macsec_policy);
 	write_mka_cak(f, ssid);
 	write_mka_ckn(f, ssid);
+	INT(macsec_integ_only);
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
 	INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index a530cda..b8c3192 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -730,6 +730,18 @@ struct wpa_ssid {
 	int macsec_policy;
 
 	/**
+	 * macsec_integ_only - Determines how MACsec are transmitted
+	 *
+	 * This setting applies only when MACsec is in use, i.e.,
+	 *  - macsec_policy is enabled
+	 *  - the key server has decided to enable MACsec
+	 *
+	 * 0: Encrypt traffic (default)
+	 * 1: Integrity only
+	 */
+	int macsec_integ_only;
+
+	/**
 	 * mka_ckn - MKA pre-shared CKN
 	 */
 #define MACSEC_CKN_LEN 32
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 4877989..aed95e6 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1390,6 +1390,7 @@ static const char *network_fields[] = {
 	"ap_max_inactivity", "dtim_period", "beacon_int",
 #ifdef CONFIG_MACSEC
 	"macsec_policy",
+	"macsec_integ_only",
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
 	"update_identifier",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 8fa740b..b23c5e6 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -892,6 +892,13 @@ fast_reauth=1
 # 1: MACsec enabled - Should secure, accept key server's advice to
 #    determine whether to use a secure session or not.
 #
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+# This setting applies only when MACsec is in use, i.e.,
+#  - macsec_policy is enabled
+#  - the key server has decided to enable MACsec
+# 0: Encrypt traffic (default)
+# 1: Integrity only
+#
 # mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
 # In this mode, instances of wpa_supplicant can act as peers, one of
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 80b98d9..6343154 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
 	if (!ssid || ssid->macsec_policy == 0)
 		return 0;
 
-	policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
+	if (ssid->macsec_policy == 1) {
+		if (ssid->macsec_integ_only == 1)
+			policy = SHOULD_SECURE;
+		else
+			policy = SHOULD_ENCRYPT;
+	} else {
+		policy = DO_NOT_SECURE;
+	}
 
 	kay_ctx = os_zalloc(sizeof(*kay_ctx));
 	if (!kay_ctx)
-- 
2.7.4
wpa_supplicant package update Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org> 7 years ago			`From 7b4d546e3dae57a39e50a91e47b8fcf3447b4978 Mon Sep 17 00:00:00 2001`
			`Message-Id: <7b4d546e3dae57a39e50a91e47b8fcf3447b4978.1488376601.git.dcaratti@redhat.com>`
			`From: Sabrina Dubroca <sd@queasysnail.net>`
			`Date: Wed, 2 Nov 2016 16:38:37 +0100`
			`Subject: [PATCH] wpa_supplicant: Add macsec_integ_only setting for MKA`

			`So that the user can turn encryption on (MACsec provides`
			`confidentiality+integrity) or off (MACsec provides integrity only). This`
			`commit adds the configuration parameter while the actual behavior change`
			`to disable encryption in the driver is handled in the following commit.`

			`Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>`
			`---`
			`src/common/ieee802_1x_defs.h \| 6 ++++++`
			`src/pae/ieee802_1x_kay.c \| 1 +`
			`src/pae/ieee802_1x_kay.h \| 1 +`
			`wpa_supplicant/config.c \| 1 +`
			`wpa_supplicant/config_file.c \| 1 +`
			`wpa_supplicant/config_ssid.h \| 12 ++++++++++++`
			`wpa_supplicant/wpa_cli.c \| 1 +`
			`wpa_supplicant/wpa_supplicant.conf \| 7 +++++++`
			`wpa_supplicant/wpas_kay.c \| 9 ++++++++-`
			`9 files changed, 38 insertions(+), 1 deletion(-)`

			`diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h`
			`index a0c1d1b..280c439 100644`
			`--- a/src/common/ieee802_1x_defs.h`
			`+++ b/src/common/ieee802_1x_defs.h`
			`@@ -25,6 +25,12 @@ enum macsec_policy {`
			`* Disabled MACsec - do not secure sessions.`
			`*/`
			`DO_NOT_SECURE,`
			`+`
			`+ /**`
			`+ * Should secure sessions, and try to use encryption.`
			`+ * Like @SHOULD_SECURE, this follows the key server's decision.`
			`+ */`
			`+ SHOULD_ENCRYPT,`
			`};`


			`diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c`
			`index 19b2c2f..7664e2d 100644`
			`--- a/src/pae/ieee802_1x_kay.c`
			`+++ b/src/pae/ieee802_1x_kay.c`
			`@@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,`
			`} else {`
			`kay->macsec_desired = TRUE;`
			`kay->macsec_protect = TRUE;`
			`+ kay->macsec_encrypt = policy == SHOULD_ENCRYPT;`
			`kay->macsec_validate = Strict;`
			`kay->macsec_replay_protect = FALSE;`
			`kay->macsec_replay_window = 0;`
			`diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h`
			`index 576a8a0..618e45b 100644`
			`--- a/src/pae/ieee802_1x_kay.h`
			`+++ b/src/pae/ieee802_1x_kay.h`
			`@@ -181,6 +181,7 @@ struct ieee802_1x_kay {`
			`enum macsec_cap macsec_capable;`
			`Boolean macsec_desired;`
			`Boolean macsec_protect;`
			`+ Boolean macsec_encrypt;`
			`Boolean macsec_replay_protect;`
			`u32 macsec_replay_window;`
			`enum validate_frames macsec_validate;`
			`diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c`
			`index 9011389..afb631e 100644`
			`--- a/wpa_supplicant/config.c`
			`+++ b/wpa_supplicant/config.c`
			`@@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {`
			`{ INT(beacon_int) },`
			`#ifdef CONFIG_MACSEC`
			`{ INT_RANGE(macsec_policy, 0, 1) },`
			`+ { INT_RANGE(macsec_integ_only, 0, 1) },`
			`{ FUNC_KEY(mka_cak) },`
			`{ FUNC_KEY(mka_ckn) },`
			`#endif /* CONFIG_MACSEC */`
			`diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c`
			`index 172508e..f605fa9 100644`
			`--- a/wpa_supplicant/config_file.c`
			`+++ b/wpa_supplicant/config_file.c`
			`@@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE f, struct wpa_ssid ssid)`
			`INT(macsec_policy);`
			`write_mka_cak(f, ssid);`
			`write_mka_ckn(f, ssid);`
			`+ INT(macsec_integ_only);`
			`#endif /* CONFIG_MACSEC */`
			`#ifdef CONFIG_HS20`
			`INT(update_identifier);`
			`diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h`
			`index a530cda..b8c3192 100644`
			`--- a/wpa_supplicant/config_ssid.h`
			`+++ b/wpa_supplicant/config_ssid.h`
			`@@ -730,6 +730,18 @@ struct wpa_ssid {`
			`int macsec_policy;`

			`/**`
			`+ * macsec_integ_only - Determines how MACsec are transmitted`
			`+ *`
			`+ * This setting applies only when MACsec is in use, i.e.,`
			`+ * - macsec_policy is enabled`
			`+ * - the key server has decided to enable MACsec`
			`+ *`
			`+ * 0: Encrypt traffic (default)`
			`+ * 1: Integrity only`
			`+ */`
			`+ int macsec_integ_only;`
			`+`
			`+ /**`
			`* mka_ckn - MKA pre-shared CKN`
			`*/`
			`#define MACSEC_CKN_LEN 32`
			`diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c`
			`index 4877989..aed95e6 100644`
			`--- a/wpa_supplicant/wpa_cli.c`
			`+++ b/wpa_supplicant/wpa_cli.c`
			`@@ -1390,6 +1390,7 @@ static const char *network_fields[] = {`
			`"ap_max_inactivity", "dtim_period", "beacon_int",`
			`#ifdef CONFIG_MACSEC`
			`"macsec_policy",`
			`+ "macsec_integ_only",`
			`#endif /* CONFIG_MACSEC */`
			`#ifdef CONFIG_HS20`
			`"update_identifier",`
			`diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf`
			`index 8fa740b..b23c5e6 100644`
			`--- a/wpa_supplicant/wpa_supplicant.conf`
			`+++ b/wpa_supplicant/wpa_supplicant.conf`
			`@@ -892,6 +892,13 @@ fast_reauth=1`
			`# 1: MACsec enabled - Should secure, accept key server's advice to`
			`# determine whether to use a secure session or not.`
			`#`
			`+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode`
			`+# This setting applies only when MACsec is in use, i.e.,`
			`+# - macsec_policy is enabled`
			`+# - the key server has decided to enable MACsec`
			`+# 0: Encrypt traffic (default)`
			`+# 1: Integrity only`
			`+#`
			`# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode`
			`# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.`
			`# In this mode, instances of wpa_supplicant can act as peers, one of`
			`diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c`
			`index 80b98d9..6343154 100644`
			`--- a/wpa_supplicant/wpas_kay.c`
			`+++ b/wpa_supplicant/wpas_kay.c`
			`@@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant wpa_s, struct wpa_ssid ssid)`
			`if (!ssid \|\| ssid->macsec_policy == 0)`
			`return 0;`

			`- policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;`
			`+ if (ssid->macsec_policy == 1) {`
			`+ if (ssid->macsec_integ_only == 1)`
			`+ policy = SHOULD_SECURE;`
			`+ else`
			`+ policy = SHOULD_ENCRYPT;`
			`+ } else {`
			`+ policy = DO_NOT_SECURE;`
			`+ }`

			`kay_ctx = os_zalloc(sizeof(*kay_ctx));`
			`if (!kay_ctx)`
			`--`
			`2.7.4`