backport support for macsec HW offload
Related: RHEL-22440 Signed-off-by: Davide Caratti <dcaratti@redhat.com>
This commit is contained in:
parent
62ab4bd374
commit
b501d6acc1
192
wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
Normal file
192
wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
Normal file
@ -0,0 +1,192 @@
|
||||
From 46c635910a724ed14ee9ace549fed9790ed5980b Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <46c635910a724ed14ee9ace549fed9790ed5980b.1706279119.git.davide.caratti@gmail.com>
|
||||
From: leiwei <quic_leiwei@quicinc.com>
|
||||
Date: Mon, 15 Nov 2021 18:22:19 +0800
|
||||
Subject: [PATCH] MACsec: Support GCM-AES-256 cipher suite
|
||||
|
||||
Allow macsec_csindex to be configured and select the cipher suite when
|
||||
the participant acts as a key server.
|
||||
|
||||
Signed-off-by: leiwei <quic_leiwei@quicinc.com>
|
||||
---
|
||||
hostapd/config_file.c | 10 ++++++++++
|
||||
hostapd/hostapd.conf | 4 ++++
|
||||
src/ap/ap_config.h | 7 +++++++
|
||||
src/ap/wpa_auth_kay.c | 4 +++-
|
||||
src/pae/ieee802_1x_cp.c | 8 ++++----
|
||||
src/pae/ieee802_1x_kay.c | 17 +++++++++++++----
|
||||
src/pae/ieee802_1x_kay.h | 3 ++-
|
||||
wpa_supplicant/config.c | 1 +
|
||||
wpa_supplicant/config_file.c | 1 +
|
||||
wpa_supplicant/config_ssid.h | 7 +++++++
|
||||
wpa_supplicant/wpas_kay.c | 4 ++--
|
||||
11 files changed, 54 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/src/ap/ap_config.h
|
||||
+++ b/src/ap/ap_config.h
|
||||
@@ -849,6 +849,13 @@ struct hostapd_bss_config {
|
||||
int mka_priority;
|
||||
|
||||
/**
|
||||
+ * macsec_csindex - Cipher suite index for MACsec
|
||||
+ *
|
||||
+ * Range: 0-1 (default: 0)
|
||||
+ */
|
||||
+ int macsec_csindex;
|
||||
+
|
||||
+ /**
|
||||
* mka_ckn - MKA pre-shared CKN
|
||||
*/
|
||||
#define MACSEC_CKN_MAX_LEN 32
|
||||
--- a/src/ap/wpa_auth_kay.c
|
||||
+++ b/src/ap/wpa_auth_kay.c
|
||||
@@ -329,7 +329,9 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
|
||||
hapd->conf->macsec_replay_protect,
|
||||
hapd->conf->macsec_replay_window,
|
||||
hapd->conf->macsec_port,
|
||||
- hapd->conf->mka_priority, hapd->conf->iface,
|
||||
+ hapd->conf->mka_priority,
|
||||
+ hapd->conf->macsec_csindex,
|
||||
+ hapd->conf->iface,
|
||||
hapd->own_addr);
|
||||
/* ieee802_1x_kay_init() frees kay_ctx on failure */
|
||||
if (!res)
|
||||
--- a/src/pae/ieee802_1x_cp.c
|
||||
+++ b/src/pae/ieee802_1x_cp.c
|
||||
@@ -20,7 +20,7 @@
|
||||
#define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
|
||||
#define STATE_MACHINE_DEBUG_PREFIX "CP"
|
||||
|
||||
-static u64 default_cs_id = CS_ID_GCM_AES_128;
|
||||
+static u64 cs_id[] = { CS_ID_GCM_AES_128, CS_ID_GCM_AES_256 };
|
||||
|
||||
/* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
|
||||
enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
|
||||
@@ -210,7 +210,6 @@ SM_STATE(CP, SECURED)
|
||||
sm->replay_protect = sm->kay->macsec_replay_protect;
|
||||
sm->validate_frames = sm->kay->macsec_validate;
|
||||
|
||||
- /* NOTE: now no other than default cipher suite (AES-GCM-128) */
|
||||
sm->current_cipher_suite = sm->cipher_suite;
|
||||
secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
|
||||
|
||||
@@ -473,8 +472,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
|
||||
sm->orx = false;
|
||||
sm->otx = false;
|
||||
|
||||
- sm->current_cipher_suite = default_cs_id;
|
||||
- sm->cipher_suite = default_cs_id;
|
||||
+ sm->current_cipher_suite = cs_id[kay->macsec_csindex];
|
||||
+ sm->cipher_suite = cs_id[kay->macsec_csindex];
|
||||
sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
|
||||
sm->confidentiality_offset = sm->cipher_offset;
|
||||
sm->transmit_delay = MKA_LIFE_TIME;
|
||||
@@ -491,6 +490,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
|
||||
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
|
||||
secy_cp_control_confidentiality_offset(sm->kay,
|
||||
sm->confidentiality_offset);
|
||||
+ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
|
||||
|
||||
SM_STEP_RUN(CP);
|
||||
|
||||
--- a/src/pae/ieee802_1x_kay.c
|
||||
+++ b/src/pae/ieee802_1x_kay.c
|
||||
@@ -221,8 +221,16 @@ ieee802_1x_mka_dump_dist_sak_body(struct
|
||||
|
||||
wpa_printf(MSG_DEBUG, "\tKey Number............: %d",
|
||||
be_to_host32(body->kn));
|
||||
- /* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */
|
||||
- wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24);
|
||||
+ if (body_len == 28) {
|
||||
+ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
|
||||
+ body->sak, 24);
|
||||
+ } else if (body_len > CS_ID_LEN - sizeof(body->kn)) {
|
||||
+ wpa_hexdump(MSG_DEBUG, "\tMACsec Cipher Suite...:",
|
||||
+ body->sak, CS_ID_LEN);
|
||||
+ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
|
||||
+ body->sak + CS_ID_LEN,
|
||||
+ body_len - CS_ID_LEN - sizeof(body->kn));
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -3456,7 +3464,8 @@ static void kay_l2_receive(void *ctx, co
|
||||
struct ieee802_1x_kay *
|
||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||
bool macsec_replay_protect, u32 macsec_replay_window,
|
||||
- u16 port, u8 priority, const char *ifname, const u8 *addr)
|
||||
+ u16 port, u8 priority, u32 macsec_csindex,
|
||||
+ const char *ifname, const u8 *addr)
|
||||
{
|
||||
struct ieee802_1x_kay *kay;
|
||||
|
||||
@@ -3493,7 +3502,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
|
||||
kay->dist_time = 0;
|
||||
|
||||
kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
|
||||
- kay->macsec_csindex = DEFAULT_CS_INDEX;
|
||||
+ kay->macsec_csindex = macsec_csindex;
|
||||
kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
|
||||
kay->mka_version = MKA_VERSION_ID;
|
||||
|
||||
--- a/src/pae/ieee802_1x_kay.h
|
||||
+++ b/src/pae/ieee802_1x_kay.h
|
||||
@@ -240,7 +240,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
|
||||
struct ieee802_1x_kay *
|
||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||
bool macsec_replay_protect, u32 macsec_replay_window,
|
||||
- u16 port, u8 priority, const char *ifname, const u8 *addr);
|
||||
+ u16 port, u8 priority, u32 macsec_csindex,
|
||||
+ const char *ifname, const u8 *addr);
|
||||
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
|
||||
|
||||
struct ieee802_1x_mka_participant *
|
||||
--- a/wpa_supplicant/config.c
|
||||
+++ b/wpa_supplicant/config.c
|
||||
@@ -2612,6 +2612,7 @@ static const struct parse_data ssid_fiel
|
||||
{ INT(macsec_replay_window) },
|
||||
{ INT_RANGE(macsec_port, 1, 65534) },
|
||||
{ INT_RANGE(mka_priority, 0, 255) },
|
||||
+ { INT_RANGE(macsec_csindex, 0, 1) },
|
||||
{ FUNC_KEY(mka_cak) },
|
||||
{ FUNC_KEY(mka_ckn) },
|
||||
#endif /* CONFIG_MACSEC */
|
||||
--- a/wpa_supplicant/config_file.c
|
||||
+++ b/wpa_supplicant/config_file.c
|
||||
@@ -810,6 +810,7 @@ static void wpa_config_write_network(FIL
|
||||
INT(macsec_replay_window);
|
||||
INT(macsec_port);
|
||||
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
|
||||
+ INT(macsec_csindex);
|
||||
#endif /* CONFIG_MACSEC */
|
||||
#ifdef CONFIG_HS20
|
||||
INT(update_identifier);
|
||||
--- a/wpa_supplicant/config_ssid.h
|
||||
+++ b/wpa_supplicant/config_ssid.h
|
||||
@@ -912,6 +912,13 @@ struct wpa_ssid {
|
||||
int mka_priority;
|
||||
|
||||
/**
|
||||
+ * macsec_csindex - Cipher suite index for MACsec
|
||||
+ *
|
||||
+ * Range: 0-1 (default: 0)
|
||||
+ */
|
||||
+ int macsec_csindex;
|
||||
+
|
||||
+ /**
|
||||
* mka_ckn - MKA pre-shared CKN
|
||||
*/
|
||||
#define MACSEC_CKN_MAX_LEN 32
|
||||
--- a/wpa_supplicant/wpas_kay.c
|
||||
+++ b/wpa_supplicant/wpas_kay.c
|
||||
@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
|
||||
|
||||
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
|
||||
ssid->macsec_replay_window, ssid->macsec_port,
|
||||
- ssid->mka_priority, wpa_s->ifname,
|
||||
- wpa_s->own_addr);
|
||||
+ ssid->mka_priority, ssid->macsec_csindex,
|
||||
+ wpa_s->ifname, wpa_s->own_addr);
|
||||
/* ieee802_1x_kay_init() frees kay_ctx on failure */
|
||||
if (res == NULL)
|
||||
return -1;
|
@ -0,0 +1,106 @@
|
||||
From 40c139664439b2576e1506fbca14a7b79425a9dd Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <40c139664439b2576e1506fbca14a7b79425a9dd.1706279171.git.davide.caratti@gmail.com>
|
||||
From: Emeel Hakim <ehakim@nvidia.com>
|
||||
Date: Tue, 14 Feb 2023 10:26:57 +0200
|
||||
Subject: [PATCH] macsec_linux: Add support for MACsec hardware offload
|
||||
|
||||
This uses libnl3 to communicate with the macsec module available on
|
||||
Linux. A recent enough version of libnl is needed for the hardware
|
||||
offload support.
|
||||
|
||||
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
|
||||
---
|
||||
src/drivers/driver_macsec_linux.c | 49 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 49 insertions(+)
|
||||
|
||||
diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
|
||||
index b609bbf38..c79e8733a 100644
|
||||
--- a/src/drivers/driver_macsec_linux.c
|
||||
+++ b/src/drivers/driver_macsec_linux.c
|
||||
@@ -32,6 +32,10 @@
|
||||
|
||||
#define UNUSED_SCI 0xffffffffffffffff
|
||||
|
||||
+#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
|
||||
+#define LIBNL_HAS_OFFLOAD
|
||||
+#endif
|
||||
+
|
||||
struct cb_arg {
|
||||
struct macsec_drv_data *drv;
|
||||
u32 *pn;
|
||||
@@ -73,6 +77,11 @@ struct macsec_drv_data {
|
||||
bool replay_protect;
|
||||
bool replay_protect_set;
|
||||
|
||||
+#ifdef LIBNL_HAS_OFFLOAD
|
||||
+ enum macsec_offload offload;
|
||||
+ bool offload_set;
|
||||
+#endif /* LIBNL_HAS_OFFLOAD */
|
||||
+
|
||||
u32 replay_window;
|
||||
|
||||
u8 encoding_sa;
|
||||
@@ -228,6 +237,15 @@ static int try_commit(struct macsec_drv_data *drv)
|
||||
drv->replay_window);
|
||||
}
|
||||
|
||||
+#ifdef LIBNL_HAS_OFFLOAD
|
||||
+ if (drv->offload_set) {
|
||||
+ wpa_printf(MSG_DEBUG, DRV_PREFIX
|
||||
+ "%s: try_commit offload=%d",
|
||||
+ drv->ifname, drv->offload);
|
||||
+ rtnl_link_macsec_set_offload(drv->link, drv->offload);
|
||||
+ }
|
||||
+#endif /* LIBNL_HAS_OFFLOAD */
|
||||
+
|
||||
if (drv->encoding_sa_set) {
|
||||
wpa_printf(MSG_DEBUG, DRV_PREFIX
|
||||
"%s: try_commit encoding_sa=%d",
|
||||
@@ -455,6 +473,36 @@ static int macsec_drv_set_replay_protect(void *priv, bool enabled,
|
||||
}
|
||||
|
||||
|
||||
+/**
|
||||
+ * macsec_drv_set_offload - Set offload status
|
||||
+ * @priv: Private driver interface data
|
||||
+ * @offload: 0 = MACSEC_OFFLOAD_OFF
|
||||
+ * 1 = MACSEC_OFFLOAD_PHY
|
||||
+ * 2 = MACSEC_OFFLOAD_MAC
|
||||
+ * Returns: 0 on success, -1 on failure (or if not supported)
|
||||
+ */
|
||||
+static int macsec_drv_set_offload(void *priv, u8 offload)
|
||||
+{
|
||||
+#ifdef LIBNL_HAS_OFFLOAD
|
||||
+ struct macsec_drv_data *drv = priv;
|
||||
+
|
||||
+ wpa_printf(MSG_DEBUG, "%s -> %02" PRIx8, __func__, offload);
|
||||
+
|
||||
+ drv->offload_set = true;
|
||||
+ drv->offload = offload;
|
||||
+
|
||||
+ return try_commit(drv);
|
||||
+#else /* LIBNL_HAS_OFFLOAD */
|
||||
+ if (offload == 0)
|
||||
+ return 0;
|
||||
+ wpa_printf(MSG_INFO,
|
||||
+ "%s: libnl version does not include support for MACsec offload",
|
||||
+ __func__);
|
||||
+ return -1;
|
||||
+#endif /* LIBNL_HAS_OFFLOAD */
|
||||
+}
|
||||
+
|
||||
+
|
||||
/**
|
||||
* macsec_drv_set_current_cipher_suite - Set current cipher suite
|
||||
* @priv: Private driver interface data
|
||||
@@ -1648,6 +1696,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = {
|
||||
.enable_protect_frames = macsec_drv_enable_protect_frames,
|
||||
.enable_encrypt = macsec_drv_enable_encrypt,
|
||||
.set_replay_protect = macsec_drv_set_replay_protect,
|
||||
+ .set_offload = macsec_drv_set_offload,
|
||||
.set_current_cipher_suite = macsec_drv_set_current_cipher_suite,
|
||||
.enable_controlled_port = macsec_drv_enable_controlled_port,
|
||||
.get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn,
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,93 @@
|
||||
From 7e941e7a1560699a18c5890cb6e1309161bc01af Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <7e941e7a1560699a18c5890cb6e1309161bc01af.1706279136.git.davide.caratti@gmail.com>
|
||||
From: leiwei <quic_leiwei@quicinc.com>
|
||||
Date: Mon, 15 Nov 2021 18:43:33 +0800
|
||||
Subject: [PATCH] macsec_linux: Support cipher suite configuration
|
||||
|
||||
Set the cipher suite for the link. Unlike the other parameters, this
|
||||
needs to be done with the first rtnl_link_add() call (NLM_F_CREATE))
|
||||
instead of the update in try_commit() since the kernel is rejecting
|
||||
changes to the cipher suite after the link is first added.
|
||||
|
||||
Signed-off-by: leiwei <quic_leiwei@quicinc.com>
|
||||
---
|
||||
src/drivers/driver_macsec_linux.c | 25 ++++++++++++++++++++++---
|
||||
1 file changed, 22 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/src/drivers/driver_macsec_linux.c
|
||||
+++ b/src/drivers/driver_macsec_linux.c
|
||||
@@ -77,6 +77,9 @@ struct macsec_drv_data {
|
||||
|
||||
u8 encoding_sa;
|
||||
bool encoding_sa_set;
|
||||
+
|
||||
+ u64 cipher_suite;
|
||||
+ bool cipher_suite_set;
|
||||
};
|
||||
|
||||
|
||||
@@ -460,8 +463,14 @@ static int macsec_drv_set_replay_protect
|
||||
*/
|
||||
static int macsec_drv_set_current_cipher_suite(void *priv, u64 cs)
|
||||
{
|
||||
+ struct macsec_drv_data *drv = priv;
|
||||
+
|
||||
wpa_printf(MSG_DEBUG, "%s -> %016" PRIx64, __func__, cs);
|
||||
- return 0;
|
||||
+
|
||||
+ drv->cipher_suite_set = true;
|
||||
+ drv->cipher_suite = cs;
|
||||
+
|
||||
+ return try_commit(drv);
|
||||
}
|
||||
|
||||
|
||||
@@ -1063,7 +1072,8 @@ static int macsec_drv_disable_receive_sa
|
||||
}
|
||||
|
||||
|
||||
-static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci)
|
||||
+static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci,
|
||||
+ u64 cs)
|
||||
{
|
||||
struct rtnl_link *needle;
|
||||
void *match;
|
||||
@@ -1074,6 +1084,8 @@ static struct rtnl_link * lookup_sc(stru
|
||||
|
||||
rtnl_link_set_link(needle, parent);
|
||||
rtnl_link_macsec_set_sci(needle, sci);
|
||||
+ if (cs)
|
||||
+ rtnl_link_macsec_set_cipher_suite(needle, cs);
|
||||
|
||||
match = nl_cache_find(cache, (struct nl_object *) needle);
|
||||
rtnl_link_put(needle);
|
||||
@@ -1098,6 +1110,7 @@ static int macsec_drv_create_transmit_sc
|
||||
char *ifname;
|
||||
u64 sci;
|
||||
int err;
|
||||
+ u64 cs = 0;
|
||||
|
||||
wpa_printf(MSG_DEBUG, DRV_PREFIX
|
||||
"%s: create_transmit_sc -> " SCISTR " (conf_offset=%d)",
|
||||
@@ -1122,6 +1135,12 @@ static int macsec_drv_create_transmit_sc
|
||||
|
||||
drv->created_link = true;
|
||||
|
||||
+ if (drv->cipher_suite_set) {
|
||||
+ cs = drv->cipher_suite;
|
||||
+ drv->cipher_suite_set = false;
|
||||
+ rtnl_link_macsec_set_cipher_suite(link, cs);
|
||||
+ }
|
||||
+
|
||||
err = rtnl_link_add(drv->sk, link, NLM_F_CREATE);
|
||||
if (err == -NLE_BUSY) {
|
||||
wpa_printf(MSG_INFO,
|
||||
@@ -1137,7 +1156,7 @@ static int macsec_drv_create_transmit_sc
|
||||
rtnl_link_put(link);
|
||||
|
||||
nl_cache_refill(drv->sk, drv->link_cache);
|
||||
- link = lookup_sc(drv->link_cache, drv->parent_ifi, sci);
|
||||
+ link = lookup_sc(drv->link_cache, drv->parent_ifi, sci, cs);
|
||||
if (!link) {
|
||||
wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link");
|
||||
return -1;
|
@ -0,0 +1,363 @@
|
||||
From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com>
|
||||
From: Emeel Hakim <ehakim@nvidia.com>
|
||||
Date: Tue, 14 Feb 2023 10:26:56 +0200
|
||||
Subject: [PATCH] mka: Allow configuration of MACsec hardware offload
|
||||
|
||||
Add new configuration parameter macsec_offload to allow user to set up
|
||||
MACsec hardware offload feature.
|
||||
|
||||
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
|
||||
---
|
||||
hostapd/config_file.c | 10 ++++++++++
|
||||
hostapd/hostapd.conf | 8 ++++++++
|
||||
src/ap/ap_config.h | 13 +++++++++++++
|
||||
src/ap/wpa_auth_kay.c | 1 +
|
||||
src/drivers/driver.h | 10 ++++++++++
|
||||
src/pae/ieee802_1x_cp.c | 7 +++++++
|
||||
src/pae/ieee802_1x_kay.c | 7 +++++--
|
||||
src/pae/ieee802_1x_kay.h | 6 ++++--
|
||||
src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
|
||||
src/pae/ieee802_1x_secy_ops.h | 1 +
|
||||
wpa_supplicant/config.c | 1 +
|
||||
wpa_supplicant/config_file.c | 1 +
|
||||
wpa_supplicant/config_ssid.h | 12 ++++++++++++
|
||||
wpa_supplicant/driver_i.h | 8 ++++++++
|
||||
wpa_supplicant/wpa_cli.c | 1 +
|
||||
wpa_supplicant/wpa_supplicant.conf | 9 +++++++++
|
||||
wpa_supplicant/wpas_kay.c | 10 +++++++++-
|
||||
17 files changed, 120 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/src/ap/ap_config.h
|
||||
+++ b/src/ap/ap_config.h
|
||||
@@ -833,6 +833,19 @@ struct hostapd_bss_config {
|
||||
u32 macsec_replay_window;
|
||||
|
||||
/**
|
||||
+ * macsec_offload - Enable MACsec offload
|
||||
+ *
|
||||
+ * This setting applies only when MACsec is in use, i.e.,
|
||||
+ * - macsec_policy is enabled
|
||||
+ * - the key server has decided to enable MACsec
|
||||
+ *
|
||||
+ * 0 = MACSEC_OFFLOAD_OFF (default)
|
||||
+ * 1 = MACSEC_OFFLOAD_PHY
|
||||
+ * 2 = MACSEC_OFFLOAD_MAC
|
||||
+ */
|
||||
+ int macsec_offload;
|
||||
+
|
||||
+ /**
|
||||
* macsec_port - MACsec port (in SCI)
|
||||
*
|
||||
* Port component of the SCI.
|
||||
--- a/src/ap/wpa_auth_kay.c
|
||||
+++ b/src/ap/wpa_auth_kay.c
|
||||
@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
|
||||
res = ieee802_1x_kay_init(kay_ctx, policy,
|
||||
hapd->conf->macsec_replay_protect,
|
||||
hapd->conf->macsec_replay_window,
|
||||
+ hapd->conf->macsec_offload,
|
||||
hapd->conf->macsec_port,
|
||||
hapd->conf->mka_priority,
|
||||
hapd->conf->macsec_csindex,
|
||||
--- a/src/drivers/driver.h
|
||||
+++ b/src/drivers/driver.h
|
||||
@@ -4168,6 +4168,16 @@ struct wpa_driver_ops {
|
||||
int (*set_replay_protect)(void *priv, bool enabled, u32 window);
|
||||
|
||||
/**
|
||||
+ * set_offload - Set MACsec hardware offload
|
||||
+ * @priv: Private driver interface data
|
||||
+ * @offload: 0 = MACSEC_OFFLOAD_OFF
|
||||
+ * 1 = MACSEC_OFFLOAD_PHY
|
||||
+ * 2 = MACSEC_OFFLOAD_MAC
|
||||
+ * Returns: 0 on success, -1 on failure (or if not supported)
|
||||
+ */
|
||||
+ int (*set_offload)(void *priv, u8 offload);
|
||||
+
|
||||
+ /**
|
||||
* set_current_cipher_suite - Set current cipher suite
|
||||
* @priv: Private driver interface data
|
||||
* @cs: EUI64 identifier
|
||||
--- a/src/pae/ieee802_1x_cp.c
|
||||
+++ b/src/pae/ieee802_1x_cp.c
|
||||
@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm {
|
||||
|
||||
/* not defined IEEE Std 802.1X-2010 */
|
||||
struct ieee802_1x_kay *kay;
|
||||
+ u8 offload;
|
||||
};
|
||||
|
||||
static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
|
||||
@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED)
|
||||
sm->protect_frames = false;
|
||||
sm->replay_protect = false;
|
||||
sm->validate_frames = Checked;
|
||||
+ sm->offload = sm->kay->macsec_offload;
|
||||
|
||||
sm->port_valid = false;
|
||||
sm->controlled_port_enabled = true;
|
||||
@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED)
|
||||
secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
||||
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
||||
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
||||
+ secy_cp_control_offload(sm->kay, sm->offload);
|
||||
}
|
||||
|
||||
|
||||
@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED)
|
||||
|
||||
sm->protect_frames = sm->kay->macsec_protect;
|
||||
sm->replay_protect = sm->kay->macsec_replay_protect;
|
||||
+ sm->offload = sm->kay->macsec_offload;
|
||||
sm->validate_frames = sm->kay->macsec_validate;
|
||||
|
||||
sm->current_cipher_suite = sm->cipher_suite;
|
||||
@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED)
|
||||
secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
|
||||
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
|
||||
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
|
||||
+ secy_cp_control_offload(sm->kay, sm->offload);
|
||||
}
|
||||
|
||||
|
||||
@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
|
||||
sm->validate_frames = kay->macsec_validate;
|
||||
sm->replay_protect = kay->macsec_replay_protect;
|
||||
sm->replay_window = kay->macsec_replay_window;
|
||||
+ sm->offload = kay->macsec_offload;
|
||||
|
||||
sm->controlled_port_enabled = false;
|
||||
|
||||
@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
|
||||
secy_cp_control_confidentiality_offset(sm->kay,
|
||||
sm->confidentiality_offset);
|
||||
secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
|
||||
+ secy_cp_control_offload(sm->kay, sm->offload);
|
||||
|
||||
SM_STEP_RUN(CP);
|
||||
|
||||
--- a/src/pae/ieee802_1x_kay.c
|
||||
+++ b/src/pae/ieee802_1x_kay.c
|
||||
@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co
|
||||
struct ieee802_1x_kay *
|
||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||
bool macsec_replay_protect, u32 macsec_replay_window,
|
||||
- u16 port, u8 priority, u32 macsec_csindex,
|
||||
- const char *ifname, const u8 *addr)
|
||||
+ u8 macsec_offload, u16 port, u8 priority,
|
||||
+ u32 macsec_csindex, const char *ifname, const u8 *addr)
|
||||
{
|
||||
struct ieee802_1x_kay *kay;
|
||||
|
||||
@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
|
||||
kay->macsec_validate = Disabled;
|
||||
kay->macsec_replay_protect = false;
|
||||
kay->macsec_replay_window = 0;
|
||||
+ kay->macsec_offload = 0;
|
||||
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
||||
kay->mka_hello_time = MKA_HELLO_TIME;
|
||||
} else {
|
||||
@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
|
||||
kay->macsec_validate = Strict;
|
||||
kay->macsec_replay_protect = macsec_replay_protect;
|
||||
kay->macsec_replay_window = macsec_replay_window;
|
||||
+ kay->macsec_offload = macsec_offload;
|
||||
kay->mka_hello_time = MKA_HELLO_TIME;
|
||||
}
|
||||
|
||||
@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802
|
||||
secy_cp_control_protect_frames(kay, kay->macsec_protect);
|
||||
secy_cp_control_replay(kay, kay->macsec_replay_protect,
|
||||
kay->macsec_replay_window);
|
||||
+ secy_cp_control_offload(kay, kay->macsec_offload);
|
||||
if (secy_create_transmit_sc(kay, participant->txsc))
|
||||
goto fail;
|
||||
|
||||
--- a/src/pae/ieee802_1x_kay.h
|
||||
+++ b/src/pae/ieee802_1x_kay.h
|
||||
@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx {
|
||||
int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
|
||||
int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
|
||||
int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
|
||||
+ int (*set_offload)(void *ctx, u8 offload);
|
||||
};
|
||||
|
||||
struct ieee802_1x_kay {
|
||||
@@ -206,6 +207,7 @@ struct ieee802_1x_kay {
|
||||
bool is_key_server;
|
||||
bool is_obliged_key_server;
|
||||
char if_name[IFNAMSIZ];
|
||||
+ u8 macsec_offload;
|
||||
|
||||
unsigned int macsec_csindex; /* MACsec cipher suite table index */
|
||||
int mka_algindex; /* MKA alg table index */
|
||||
@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
|
||||
struct ieee802_1x_kay *
|
||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||
bool macsec_replay_protect, u32 macsec_replay_window,
|
||||
- u16 port, u8 priority, u32 macsec_csindex,
|
||||
- const char *ifname, const u8 *addr);
|
||||
+ u8 macsec_offload, u16 port, u8 priority,
|
||||
+ u32 macsec_csindex, const char *ifname, const u8 *addr);
|
||||
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
|
||||
|
||||
struct ieee802_1x_mka_participant *
|
||||
--- a/src/pae/ieee802_1x_secy_ops.c
|
||||
+++ b/src/pae/ieee802_1x_secy_ops.c
|
||||
@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80
|
||||
}
|
||||
|
||||
|
||||
+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload)
|
||||
+{
|
||||
+ struct ieee802_1x_kay_ctx *ops;
|
||||
+
|
||||
+ if (!kay) {
|
||||
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ ops = kay->ctx;
|
||||
+ if (!ops || !ops->set_offload) {
|
||||
+ wpa_printf(MSG_ERROR,
|
||||
+ "KaY: secy set_offload operation not supported");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return ops->set_offload(ops->ctx, offload);
|
||||
+}
|
||||
+
|
||||
+
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
|
||||
{
|
||||
struct ieee802_1x_kay_ctx *ops;
|
||||
--- a/src/pae/ieee802_1x_secy_ops.h
|
||||
+++ b/src/pae/ieee802_1x_secy_ops.h
|
||||
@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru
|
||||
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag);
|
||||
int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled);
|
||||
int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win);
|
||||
+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload);
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
|
||||
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
|
||||
enum confidentiality_offset co);
|
||||
--- a/wpa_supplicant/config.c
|
||||
+++ b/wpa_supplicant/config.c
|
||||
@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel
|
||||
{ INT_RANGE(macsec_integ_only, 0, 1) },
|
||||
{ INT_RANGE(macsec_replay_protect, 0, 1) },
|
||||
{ INT(macsec_replay_window) },
|
||||
+ { INT_RANGE(macsec_offload, 0, 2) },
|
||||
{ INT_RANGE(macsec_port, 1, 65534) },
|
||||
{ INT_RANGE(mka_priority, 0, 255) },
|
||||
{ INT_RANGE(macsec_csindex, 0, 1) },
|
||||
--- a/wpa_supplicant/config_file.c
|
||||
+++ b/wpa_supplicant/config_file.c
|
||||
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL
|
||||
INT(macsec_integ_only);
|
||||
INT(macsec_replay_protect);
|
||||
INT(macsec_replay_window);
|
||||
+ INT(macsec_offload);
|
||||
INT(macsec_port);
|
||||
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
|
||||
INT(macsec_csindex);
|
||||
--- a/wpa_supplicant/config_ssid.h
|
||||
+++ b/wpa_supplicant/config_ssid.h
|
||||
@@ -896,6 +896,18 @@ struct wpa_ssid {
|
||||
u32 macsec_replay_window;
|
||||
|
||||
/**
|
||||
+ * macsec_offload - Enable MACsec hardware offload
|
||||
+ *
|
||||
+ * This setting applies only when MACsec is in use, i.e.,
|
||||
+ * - the key server has decided to enable MACsec
|
||||
+ *
|
||||
+ * 0 = MACSEC_OFFLOAD_OFF (default)
|
||||
+ * 1 = MACSEC_OFFLOAD_PHY
|
||||
+ * 2 = MACSEC_OFFLOAD_MAC
|
||||
+ */
|
||||
+ int macsec_offload;
|
||||
+
|
||||
+ /**
|
||||
* macsec_port - MACsec port (in SCI)
|
||||
*
|
||||
* Port component of the SCI.
|
||||
--- a/wpa_supplicant/driver_i.h
|
||||
+++ b/wpa_supplicant/driver_i.h
|
||||
@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro
|
||||
window);
|
||||
}
|
||||
|
||||
+static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload)
|
||||
+{
|
||||
+ if (!wpa_s->driver->set_offload)
|
||||
+ return -1;
|
||||
+ return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);
|
||||
+
|
||||
+}
|
||||
+
|
||||
static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
|
||||
u64 cs)
|
||||
{
|
||||
--- a/wpa_supplicant/wpa_cli.c
|
||||
+++ b/wpa_supplicant/wpa_cli.c
|
||||
@@ -1473,6 +1473,7 @@ static const char *network_fields[] = {
|
||||
"macsec_integ_only",
|
||||
"macsec_replay_protect",
|
||||
"macsec_replay_window",
|
||||
+ "macsec_offload",
|
||||
"macsec_port",
|
||||
"mka_priority",
|
||||
#endif /* CONFIG_MACSEC */
|
||||
--- a/wpa_supplicant/wpa_supplicant.conf
|
||||
+++ b/wpa_supplicant/wpa_supplicant.conf
|
||||
@@ -1094,6 +1094,15 @@ fast_reauth=1
|
||||
# 0: No replay window, strict check (default)
|
||||
# 1..2^32-1: number of packets that could be misordered
|
||||
#
|
||||
+# macsec_offload - Enable MACsec hardware offload
|
||||
+#
|
||||
+# This setting applies only when MACsec is in use, i.e.,
|
||||
+# - the key server has decided to enable MACsec
|
||||
+#
|
||||
+# 0 = MACSEC_OFFLOAD_OFF (default)
|
||||
+# 1 = MACSEC_OFFLOAD_PHY
|
||||
+# 2 = MACSEC_OFFLOAD_MAC
|
||||
+#
|
||||
# macsec_port: IEEE 802.1X/MACsec port
|
||||
# Port component of the SCI
|
||||
# Range: 1-65534 (default: 1)
|
||||
--- a/wpa_supplicant/wpas_kay.c
|
||||
+++ b/wpa_supplicant/wpas_kay.c
|
||||
@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo
|
||||
}
|
||||
|
||||
|
||||
+static int wpas_set_offload(void *wpa_s, u8 offload)
|
||||
+{
|
||||
+ return wpa_drv_set_offload(wpa_s, offload);
|
||||
+}
|
||||
+
|
||||
+
|
||||
static unsigned int conf_offset_val(enum confidentiality_offset co)
|
||||
{
|
||||
switch (co) {
|
||||
@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
|
||||
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
|
||||
kay_ctx->enable_encrypt = wpas_enable_encrypt;
|
||||
kay_ctx->set_replay_protect = wpas_set_replay_protect;
|
||||
+ kay_ctx->set_offload = wpas_set_offload;
|
||||
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
|
||||
kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
|
||||
kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
|
||||
@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
|
||||
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
|
||||
|
||||
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
|
||||
- ssid->macsec_replay_window, ssid->macsec_port,
|
||||
+ ssid->macsec_replay_window,
|
||||
+ ssid->macsec_offload, ssid->macsec_port,
|
||||
ssid->mka_priority, ssid->macsec_csindex,
|
||||
wpa_s->ifname, wpa_s->own_addr);
|
||||
/* ieee802_1x_kay_init() frees kay_ctx on failure */
|
@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
|
||||
Name: wpa_supplicant
|
||||
Epoch: 1
|
||||
Version: 2.10
|
||||
Release: 4%{?dist}
|
||||
Release: 4%{?dist}.rhel22440
|
||||
License: BSD
|
||||
Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
|
||||
Source1: wpa_supplicant.conf
|
||||
@ -34,6 +34,12 @@ Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch
|
||||
# backport fix for bz2077973
|
||||
Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
|
||||
Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch
|
||||
# support macsec HW offload
|
||||
Patch8: wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
|
||||
Patch9: wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch
|
||||
Patch10: wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch
|
||||
Patch11: wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch
|
||||
|
||||
|
||||
URL: http://w1.fi/wpa_supplicant/
|
||||
|
||||
@ -194,6 +200,9 @@ chmod -R 0644 wpa_supplicant/examples/*.py
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Feb 1 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-4.rhel22440
|
||||
- support macsec HW offload. Resolves: RHEL-22440
|
||||
|
||||
* Fri May 13 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-4
|
||||
- Explicitly allow/disallow unsafe legacy renegotiation on configuration base.
|
||||
Resolves: rhbz#2077973
|
||||
|
Loading…
Reference in New Issue
Block a user