wpa_supplicant: Add macsec_integ_only setting for MKA

So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h
index a0c1d1bfafc4c684fa05b8a54407915efbb3fb6f..280c439a0c390adafae88bb95e4d0f19e3a1ec99 100644 (file)
--- a/src/common/ieee802_1x_defs.h
+++ b/src/common/ieee802_1x_defs.h
@@ -25,6 +25,12 @@ enum macsec_policy {
         * Disabled MACsec - do not secure sessions.
         */
        DO_NOT_SECURE,
+
+       /**
+        * Should secure sessions, and try to use encryption.
+        * Like @SHOULD_SECURE, this follows the key server's decision.
+        */
+       SHOULD_ENCRYPT,
 };
 
 

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 19b2c2f5b10c8114c606c2ca1ac8378c71667025..7664e2d5a7e52e21b683c1526c2cce3e73e6ba4d 100644 (file)
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
        } else {
                kay->macsec_desired = TRUE;
                kay->macsec_protect = TRUE;
+               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
                kay->macsec_validate = Strict;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;

diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 576a8a0857092a9c1122e583df8cd31127f49c48..618e45b81957476c25da51019920fbb8000bd29a 100644 (file)
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -181,6 +181,7 @@ struct ieee802_1x_kay {
        enum macsec_cap macsec_capable;
        Boolean macsec_desired;
        Boolean macsec_protect;
+       Boolean macsec_encrypt;
        Boolean macsec_replay_protect;
        u32 macsec_replay_window;
        enum validate_frames macsec_validate;

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 9011389ead2850d62fbaabe47dfa76d53e56c056..afb631ec5758196f6416d0fa7db53f2826a10df2 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {
        { INT(beacon_int) },
 #ifdef CONFIG_MACSEC
        { INT_RANGE(macsec_policy, 0, 1) },
+       { INT_RANGE(macsec_integ_only, 0, 1) },
        { FUNC_KEY(mka_cak) },
        { FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */

diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 172508e855169b6a0aa5a10d13de33dc7347e569..f605fa9a66ca3616e763bcfaf797d0036b88ad1a 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
        INT(macsec_policy);
        write_mka_cak(f, ssid);
        write_mka_ckn(f, ssid);
+       INT(macsec_integ_only);
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
        INT(update_identifier);

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index a530cda6a7bbd369bf0787f725307023461e466b..b8c3192c52e1f3158e16c0f9cb16cf4abe3be68d 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -729,6 +729,18 @@ struct wpa_ssid {
         */
        int macsec_policy;
 
+       /**
+        * macsec_integ_only - Determines how MACsec are transmitted
+        *
+        * This setting applies only when MACsec is in use, i.e.,
+        *  - macsec_policy is enabled
+        *  - the key server has decided to enable MACsec
+        *
+        * 0: Encrypt traffic (default)
+        * 1: Integrity only
+        */
+       int macsec_integ_only;
+
        /**
         * mka_ckn - MKA pre-shared CKN
         */

diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 487798918a4f65aaed9a2bb0fc0789893f3ce73d..aed95e66a7d46659da9c9244315a6f2d59a9bb53 100644 (file)
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1390,6 +1390,7 @@ static const char *network_fields[] = {
        "ap_max_inactivity", "dtim_period", "beacon_int",
 #ifdef CONFIG_MACSEC
        "macsec_policy",
+       "macsec_integ_only",
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
        "update_identifier",

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 8fa740b19de6a5adfca0dfec3e13a32d4730055d..b23c5e6de8c14fb9df21ea1dd410a07481145814 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -892,6 +892,13 @@ fast_reauth=1
 # 1: MACsec enabled - Should secure, accept key server's advice to
 #    determine whether to use a secure session or not.
 #
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+# This setting applies only when MACsec is in use, i.e.,
+#  - macsec_policy is enabled
+#  - the key server has decided to enable MACsec
+# 0: Encrypt traffic (default)
+# 1: Integrity only
+#
 # mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
 # In this mode, instances of wpa_supplicant can act as peers, one of

diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 80b98d995070188a14a0056360e347ed275e56b6..6343154dd168dc808d06b8b7ca2561479930e900 100644 (file)
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
        if (!ssid || ssid->macsec_policy == 0)
                return 0;
 
-       policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
+       if (ssid->macsec_policy == 1) {
+               if (ssid->macsec_integ_only == 1)
+                       policy = SHOULD_SECURE;
+               else
+                       policy = SHOULD_ENCRYPT;
+       } else {
+               policy = DO_NOT_SECURE;
+       }
 
        kay_ctx = os_zalloc(sizeof(*kay_ctx));
        if (!kay_ctx)