mka: Fix conf_offset value in MKPDU when in policy mode SHOULD_SECURE
authorMike Siedzik <msiedzik@extremenetworks.com>
Fri, 2 Mar 2018 20:10:51 +0000 (15:10 -0500)
committerJouni Malinen <j@w1.fi>
Wed, 26 Dec 2018 14:42:25 +0000 (16:42 +0200)
Commit 7b4d546e ("wpa_supplicant: Add macsec_integ_only setting for
MKA") introduced policy setting SHOULD_ENCRYPT (MACsec provides
integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides
integrity only). In both cases the KaY is populating the
"Confidentiality Offset" parameter within the "Distributed SAK parameter
set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the
parameter should be populated with CONFIDENTIALITY_NONE=0.

IEEE Std 802.1X-2010, Table 11-6 and Figure 11-11 define how the two
Confidentiality Offset bits in the "Distributed SAK parameter set" must
be set: "0 if confidentiality not used" and "1 if confidentiality with
no offset". When policy is SHOULD_SECURE KaY should send the former,
and when policy is SHOULD_ENCRYPT KaY should send the latter.

Fixes: 7b4d546e3dae ("wpa_supplicant: Add macsec_integ_only setting for MKA")
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
src/pae/ieee802_1x_kay.c

index b3357c26be01643b5c1bfe1962d902725d707264..d756b75cb8aebae2ad7cc510d570ebf46b5d5af3 100644 (file)
@@ -3188,6 +3188,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
                kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
                kay->macsec_desired = FALSE;
                kay->macsec_protect = FALSE;
+               kay->macsec_encrypt = FALSE;
                kay->macsec_validate = Disabled;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
@@ -3195,14 +3196,17 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
        } else {
                kay->macsec_desired = TRUE;
                kay->macsec_protect = TRUE;
-               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
+               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF &&
+                   policy == SHOULD_ENCRYPT) {
+                       kay->macsec_encrypt = TRUE;
+                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+               } else { /* SHOULD_SECURE */
+                       kay->macsec_encrypt = FALSE;
+                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+               }
                kay->macsec_validate = Strict;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
-               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
-                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
-               else
-                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
        }
 
        wpa_printf(MSG_DEBUG, "KaY: state machine created");
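Review bot: The `else` branch at `} else { /* SHOULD_SECURE */` is mislabelled, because with the new combined condition it is also reached when policy is SHOULD_ENCRYPT but `kay->macsec_capable` is below MACSEC_CAP_INTEG_AND_CONF, and in that case the requested confidentiality is silently downgraded to integrity-only with no trace in the log. A reader of a capture or debug log would have no way to tell that the operator asked for encryption and did not get it. I would correct the comment and log the downgrade, e.g. `} else { /* SHOULD_SECURE, or SHOULD_ENCRYPT without confidentiality support */` followed by `if (policy == SHOULD_ENCRYPT)` and `wpa_printf(MSG_WARNING, "KaY: SHOULD_ENCRYPT requested but MACsec confidentiality not supported; using integrity only");` before the two existing assignments. The enclosing function ieee802_1x_kay_init begins before this hunk and continues after it, and the first hunk's branch sets only `macsec_encrypt`; whether `macsec_confidentiality` is already CONFIDENTIALITY_NONE there depends on how `kay` is allocated, which is outside the diff.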