From b501d6acc1528a1d1731fd6691fc80133b4aa117 Mon Sep 17 00:00:00 2001 From: Davide Caratti Date: Thu, 1 Feb 2024 18:27:58 +0100 Subject: [PATCH] backport support for macsec HW offload Related: RHEL-22440 Signed-off-by: Davide Caratti --- ...sec-Support-GCM-AES-256-cipher-suite.patch | 192 +++++++++ ...-support-for-MACsec-hardware-offload.patch | 106 +++++ ...x-Support-cipher-suite-configuration.patch | 93 +++++ ...iguration-of-MACsec-hardware-offload.patch | 363 ++++++++++++++++++ wpa_supplicant.spec | 11 +- 5 files changed, 764 insertions(+), 1 deletion(-) create mode 100644 wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch create mode 100644 wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch create mode 100644 wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch create mode 100644 wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch diff --git a/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch b/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch new file mode 100644 index 0000000..24956a9 --- /dev/null +++ b/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch 
@@ -0,0 +1,192 @@ +From 46c635910a724ed14ee9ace549fed9790ed5980b Mon Sep 17 00:00:00 2001 +Message-ID: <46c635910a724ed14ee9ace549fed9790ed5980b.1706279119.git.davide.caratti@gmail.com> +From: leiwei +Date: Mon, 15 Nov 2021 18:22:19 +0800 +Subject: [PATCH] MACsec: Support GCM-AES-256 cipher suite + +Allow macsec_csindex to be configured and select the cipher suite when +the participant acts as a key server. + +Signed-off-by: leiwei +--- + hostapd/config_file.c | 10 ++++++++++ + hostapd/hostapd.conf | 4 ++++ + src/ap/ap_config.h | 7 +++++++ + src/ap/wpa_auth_kay.c | 4 +++- + src/pae/ieee802_1x_cp.c | 8 ++++---- + src/pae/ieee802_1x_kay.c | 17 +++++++++++++---- + src/pae/ieee802_1x_kay.h | 3 ++- + wpa_supplicant/config.c | 1 + + wpa_supplicant/config_file.c | 1 + + wpa_supplicant/config_ssid.h | 7 +++++++ + wpa_supplicant/wpas_kay.c | 4 ++-- + 11 files changed, 54 insertions(+), 12 deletions(-) + +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -849,6 +849,13 @@ struct hostapd_bss_config { + int mka_priority; + + /** ++ * macsec_csindex - Cipher suite index for MACsec ++ * ++ * Range: 0-1 (default: 0) ++ */ ++ int macsec_csindex; ++ ++ /** + * mka_ckn - MKA pre-shared CKN + */ + #define MACSEC_CKN_MAX_LEN 32 +--- a/src/ap/wpa_auth_kay.c ++++ b/src/ap/wpa_auth_kay.c +@@ -329,7 +329,9 @@ int ieee802_1x_alloc_kay_sm_hapd(struct + hapd->conf->macsec_replay_protect, + hapd->conf->macsec_replay_window, + hapd->conf->macsec_port, +- hapd->conf->mka_priority, hapd->conf->iface, ++ hapd->conf->mka_priority, ++ hapd->conf->macsec_csindex, ++ hapd->conf->iface, + hapd->own_addr); + /* ieee802_1x_kay_init() frees kay_ctx on failure */ + if (!res) +--- a/src/pae/ieee802_1x_cp.c ++++ b/src/pae/ieee802_1x_cp.c +@@ -20,7 +20,7 @@ + #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm + #define STATE_MACHINE_DEBUG_PREFIX "CP" + +-static u64 default_cs_id = CS_ID_GCM_AES_128; ++static u64 cs_id[] = { CS_ID_GCM_AES_128, CS_ID_GCM_AES_256 }; + + /* The variable defined in clause 12 
in IEEE Std 802.1X-2010 */ + enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE }; +@@ -210,7 +210,6 @@ SM_STATE(CP, SECURED) + sm->replay_protect = sm->kay->macsec_replay_protect; + sm->validate_frames = sm->kay->macsec_validate; + +- /* NOTE: now no other than default cipher suite (AES-GCM-128) */ + sm->current_cipher_suite = sm->cipher_suite; + secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); + +@@ -473,8 +472,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ + sm->orx = false; + sm->otx = false; + +- sm->current_cipher_suite = default_cs_id; +- sm->cipher_suite = default_cs_id; ++ sm->current_cipher_suite = cs_id[kay->macsec_csindex]; ++ sm->cipher_suite = cs_id[kay->macsec_csindex]; + sm->cipher_offset = CONFIDENTIALITY_OFFSET_0; + sm->confidentiality_offset = sm->cipher_offset; + sm->transmit_delay = MKA_LIFE_TIME; +@@ -491,6 +490,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ + secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled); + secy_cp_control_confidentiality_offset(sm->kay, + sm->confidentiality_offset); ++ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); + + SM_STEP_RUN(CP); + +--- a/src/pae/ieee802_1x_kay.c ++++ b/src/pae/ieee802_1x_kay.c +@@ -221,8 +221,16 @@ ieee802_1x_mka_dump_dist_sak_body(struct + + wpa_printf(MSG_DEBUG, "\tKey Number............: %d", + be_to_host32(body->kn)); +- /* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */ +- wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24); ++ if (body_len == 28) { ++ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", ++ body->sak, 24); ++ } else if (body_len > CS_ID_LEN - sizeof(body->kn)) { ++ wpa_hexdump(MSG_DEBUG, "\tMACsec Cipher Suite...:", ++ body->sak, CS_ID_LEN); ++ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", ++ body->sak + CS_ID_LEN, ++ body_len - CS_ID_LEN - sizeof(body->kn)); ++ } + } + + +@@ -3456,7 +3464,8 @@ static void kay_l2_receive(void *ctx, co + struct ieee802_1x_kay * + 
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, + bool macsec_replay_protect, u32 macsec_replay_window, +- u16 port, u8 priority, const char *ifname, const u8 *addr) ++ u16 port, u8 priority, u32 macsec_csindex, ++ const char *ifname, const u8 *addr) + { + struct ieee802_1x_kay *kay; + +@@ -3493,7 +3502,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka + kay->dist_time = 0; + + kay->pn_exhaustion = PENDING_PN_EXHAUSTION; +- kay->macsec_csindex = DEFAULT_CS_INDEX; ++ kay->macsec_csindex = macsec_csindex; + kay->mka_algindex = DEFAULT_MKA_ALG_INDEX; + kay->mka_version = MKA_VERSION_ID; + +--- a/src/pae/ieee802_1x_kay.h ++++ b/src/pae/ieee802_1x_kay.h +@@ -240,7 +240,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc + struct ieee802_1x_kay * + ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, + bool macsec_replay_protect, u32 macsec_replay_window, +- u16 port, u8 priority, const char *ifname, const u8 *addr); ++ u16 port, u8 priority, u32 macsec_csindex, ++ const char *ifname, const u8 *addr); + void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); + + struct ieee802_1x_mka_participant * +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -2612,6 +2612,7 @@ static const struct parse_data ssid_fiel + { INT(macsec_replay_window) }, + { INT_RANGE(macsec_port, 1, 65534) }, + { INT_RANGE(mka_priority, 0, 255) }, ++ { INT_RANGE(macsec_csindex, 0, 1) }, + { FUNC_KEY(mka_cak) }, + { FUNC_KEY(mka_ckn) }, + #endif /* CONFIG_MACSEC */ +--- a/wpa_supplicant/config_file.c ++++ b/wpa_supplicant/config_file.c +@@ -810,6 +810,7 @@ static void wpa_config_write_network(FIL + INT(macsec_replay_window); + INT(macsec_port); + INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER); ++ INT(macsec_csindex); + #endif /* CONFIG_MACSEC */ + #ifdef CONFIG_HS20 + INT(update_identifier); +--- a/wpa_supplicant/config_ssid.h ++++ b/wpa_supplicant/config_ssid.h +@@ -912,6 +912,13 @@ struct wpa_ssid { + int mka_priority; + + /** ++ * 
macsec_csindex - Cipher suite index for MACsec ++ * ++ * Range: 0-1 (default: 0) ++ */ ++ int macsec_csindex; ++ ++ /** + * mka_ckn - MKA pre-shared CKN + */ + #define MACSEC_CKN_MAX_LEN 32 +--- a/wpa_supplicant/wpas_kay.c ++++ b/wpa_supplicant/wpas_kay.c +@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s + + res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect, + ssid->macsec_replay_window, ssid->macsec_port, +- ssid->mka_priority, wpa_s->ifname, +- wpa_s->own_addr); ++ ssid->mka_priority, ssid->macsec_csindex, ++ wpa_s->ifname, wpa_s->own_addr); + /* ieee802_1x_kay_init() frees kay_ctx on failure */ + if (res == NULL) + return -1; diff --git a/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch b/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch new file mode 100644 index 0000000..be32491 --- /dev/null +++ b/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch 
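Review bot: In ieee802_1x_cp_sm_init, `cs_id[kay->macsec_csindex]` indexes a two-element table with a value that ieee802_1x_kay_init stores unchecked from its new `u32 macsec_csindex` parameter; wpa_supplicant's parser bounds it with `INT_RANGE(macsec_csindex, 0, 1)`, but the hostapd/config_file.c change named in the diffstat is not part of this backport, so the hostapd side has no visible range check and nothing in kay_init rejects an out-of-range index. A guard at the top of ieee802_1x_kay_init such as `if (macsec_csindex > 1) return NULL;` (releasing ctx the way the other failure paths must, since callers rely on "ieee802_1x_kay_init() frees kay_ctx on failure"), or clamping to index 0 in cp_sm_init, would keep the table lookup in bounds regardless of which parser fed it. Separately, in ieee802_1x_mka_dump_dist_sak_body the else-if guard `body_len > CS_ID_LEN - sizeof(body->kn)` admits body_len values of 5..11 for which `body_len - CS_ID_LEN - sizeof(body->kn)` wraps before reaching wpa_hexdump; unless the caller has already rejected such lengths (its check is outside the hunk), the guard should read `body_len > CS_ID_LEN + sizeof(body->kn)`. All three enclosing functions start outside the hunk.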
@@ -0,0 +1,106 @@ +From 40c139664439b2576e1506fbca14a7b79425a9dd Mon Sep 17 00:00:00 2001 +Message-ID: <40c139664439b2576e1506fbca14a7b79425a9dd.1706279171.git.davide.caratti@gmail.com> +From: Emeel Hakim +Date: Tue, 14 Feb 2023 10:26:57 +0200 +Subject: [PATCH] macsec_linux: Add support for MACsec hardware offload + +This uses libnl3 to communicate with the macsec module available on +Linux. A recent enough version of libnl is needed for the hardware +offload support. + +Signed-off-by: Emeel Hakim +--- + src/drivers/driver_macsec_linux.c | 49 +++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c +index b609bbf38..c79e8733a 100644 +--- a/src/drivers/driver_macsec_linux.c ++++ b/src/drivers/driver_macsec_linux.c +@@ -32,6 +32,10 @@ + + #define UNUSED_SCI 0xffffffffffffffff + ++#if LIBNL_VER_NUM >= LIBNL_VER(3, 6) ++#define LIBNL_HAS_OFFLOAD ++#endif ++ + struct cb_arg { + struct macsec_drv_data *drv; + u32 *pn; +@@ -73,6 +77,11 @@ struct macsec_drv_data { + bool replay_protect; + bool replay_protect_set; + ++#ifdef LIBNL_HAS_OFFLOAD ++ enum macsec_offload offload; ++ bool offload_set; ++#endif /* LIBNL_HAS_OFFLOAD */ ++ + u32 replay_window; + + u8 encoding_sa; +@@ -228,6 +237,15 @@ static int try_commit(struct macsec_drv_data *drv) + drv->replay_window); + } + ++#ifdef LIBNL_HAS_OFFLOAD ++ if (drv->offload_set) { ++ wpa_printf(MSG_DEBUG, DRV_PREFIX ++ "%s: try_commit offload=%d", ++ drv->ifname, drv->offload); ++ rtnl_link_macsec_set_offload(drv->link, drv->offload); ++ } ++#endif /* LIBNL_HAS_OFFLOAD */ ++ + if (drv->encoding_sa_set) { + wpa_printf(MSG_DEBUG, DRV_PREFIX + "%s: try_commit encoding_sa=%d", +@@ -455,6 +473,36 @@ static int macsec_drv_set_replay_protect(void *priv, bool enabled, + } + + ++/** ++ * macsec_drv_set_offload - Set offload status ++ * @priv: Private driver interface data ++ * @offload: 0 = MACSEC_OFFLOAD_OFF ++ * 1 = MACSEC_OFFLOAD_PHY ++ * 2 = 
MACSEC_OFFLOAD_MAC ++ * Returns: 0 on success, -1 on failure (or if not supported) ++ */ ++static int macsec_drv_set_offload(void *priv, u8 offload) ++{ ++#ifdef LIBNL_HAS_OFFLOAD ++ struct macsec_drv_data *drv = priv; ++ ++ wpa_printf(MSG_DEBUG, "%s -> %02" PRIx8, __func__, offload); ++ ++ drv->offload_set = true; ++ drv->offload = offload; ++ ++ return try_commit(drv); ++#else /* LIBNL_HAS_OFFLOAD */ ++ if (offload == 0) ++ return 0; ++ wpa_printf(MSG_INFO, ++ "%s: libnl version does not include support for MACsec offload", ++ __func__); ++ return -1; ++#endif /* LIBNL_HAS_OFFLOAD */ ++} ++ ++ + /** + * macsec_drv_set_current_cipher_suite - Set current cipher suite + * @priv: Private driver interface data +@@ -1648,6 +1696,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = { + .enable_protect_frames = macsec_drv_enable_protect_frames, + .enable_encrypt = macsec_drv_enable_encrypt, + .set_replay_protect = macsec_drv_set_replay_protect, ++ .set_offload = macsec_drv_set_offload, + .set_current_cipher_suite = macsec_drv_set_current_cipher_suite, + .enable_controlled_port = macsec_drv_enable_controlled_port, + .get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn, +-- +2.43.0 + diff --git a/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch b/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch new file mode 100644 index 0000000..eef0aa9 --- /dev/null +++ b/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch 
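Review bot: The return value of `rtnl_link_macsec_set_offload(drv->link, drv->offload)` added to try_commit is discarded, so if libnl rejects the request the debug line just above still reports the offload mode as requested and the link update proceeds without it; the existing setters in try_commit appear to follow the same pattern, but offload is the one attribute whose silent loss changes whether MACsec runs in hardware or in the kernel. Checking it, `if (rtnl_link_macsec_set_offload(drv->link, drv->offload) < 0) wpa_printf(MSG_INFO, DRV_PREFIX "%s: failed to set offload=%d", drv->ifname, drv->offload);`, gives the operator the same visibility the `#else` branch of macsec_drv_set_offload already provides when libnl lacks offload support. try_commit starts and ends outside the hunk.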
@@ -0,0 +1,93 @@ +From 7e941e7a1560699a18c5890cb6e1309161bc01af Mon Sep 17 00:00:00 2001 +Message-ID: <7e941e7a1560699a18c5890cb6e1309161bc01af.1706279136.git.davide.caratti@gmail.com> +From: leiwei +Date: Mon, 15 Nov 2021 18:43:33 +0800 +Subject: [PATCH] macsec_linux: Support cipher suite configuration + +Set the cipher suite for the link. Unlike the other parameters, this +needs to be done with the first rtnl_link_add() call (NLM_F_CREATE)) +instead of the update in try_commit() since the kernel is rejecting +changes to the cipher suite after the link is first added. + +Signed-off-by: leiwei +--- + src/drivers/driver_macsec_linux.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +--- a/src/drivers/driver_macsec_linux.c ++++ b/src/drivers/driver_macsec_linux.c +@@ -77,6 +77,9 @@ struct macsec_drv_data { + + u8 encoding_sa; + bool encoding_sa_set; ++ ++ u64 cipher_suite; ++ bool cipher_suite_set; + }; + + +@@ -460,8 +463,14 @@ static int macsec_drv_set_replay_protect + */ + static int macsec_drv_set_current_cipher_suite(void *priv, u64 cs) + { ++ struct macsec_drv_data *drv = priv; ++ + wpa_printf(MSG_DEBUG, "%s -> %016" PRIx64, __func__, cs); +- return 0; ++ ++ drv->cipher_suite_set = true; ++ drv->cipher_suite = cs; ++ ++ return try_commit(drv); + } + + +@@ -1063,7 +1072,8 @@ static int macsec_drv_disable_receive_sa + } + + +-static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci) ++static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci, ++ u64 cs) + { + struct rtnl_link *needle; + void *match; +@@ -1074,6 +1084,8 @@ static struct rtnl_link * lookup_sc(stru + + rtnl_link_set_link(needle, parent); + rtnl_link_macsec_set_sci(needle, sci); ++ if (cs) ++ rtnl_link_macsec_set_cipher_suite(needle, cs); + + match = nl_cache_find(cache, (struct nl_object *) needle); + rtnl_link_put(needle); +@@ -1098,6 +1110,7 @@ static int macsec_drv_create_transmit_sc + char *ifname; + u64 sci; + int 
err; ++ u64 cs = 0; + + wpa_printf(MSG_DEBUG, DRV_PREFIX + "%s: create_transmit_sc -> " SCISTR " (conf_offset=%d)", +@@ -1122,6 +1135,12 @@ static int macsec_drv_create_transmit_sc + + drv->created_link = true; + ++ if (drv->cipher_suite_set) { ++ cs = drv->cipher_suite; ++ drv->cipher_suite_set = false; ++ rtnl_link_macsec_set_cipher_suite(link, cs); ++ } ++ + err = rtnl_link_add(drv->sk, link, NLM_F_CREATE); + if (err == -NLE_BUSY) { + wpa_printf(MSG_INFO, +@@ -1137,7 +1156,7 @@ static int macsec_drv_create_transmit_sc + rtnl_link_put(link); + + nl_cache_refill(drv->sk, drv->link_cache); +- link = lookup_sc(drv->link_cache, drv->parent_ifi, sci); ++ link = lookup_sc(drv->link_cache, drv->parent_ifi, sci, cs); + if (!link) { + wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link"); + return -1; diff --git a/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch b/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch new file mode 100644 index 0000000..5755cd8 --- /dev/null +++ b/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch 
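Review bot: macsec_drv_create_transmit_sc clears `drv->cipher_suite_set` after applying the suite to the new link, so if the transmit SC is torn down and re-created on the same driver instance before the CP state machine calls set_current_cipher_suite again, the second rtnl_link_add would go out without the configured suite and the kernel default would be used; since this patch does not make try_commit consume the flag, leaving it set looks harmless and closes that window, though this should be confirmed against the SC lifecycle, which is outside the hunk. Also, now that `lookup_sc` is given a non-zero `cs`, a pre-existing link with the same SCI but a different suite makes the NLE_BUSY path fail with only "couldn't find link"; including the suite in that message, `wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link (cipher suite %016" PRIx64 ")", cs);`, makes the mismatch diagnosable. The function starts and ends outside the hunk.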
@@ -0,0 +1,363 @@ +From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001 +Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com> +From: Emeel Hakim +Date: Tue, 14 Feb 2023 10:26:56 +0200 +Subject: [PATCH] mka: Allow configuration of MACsec hardware offload + +Add new configuration parameter macsec_offload to allow user to set up +MACsec hardware offload feature. + +Signed-off-by: Emeel Hakim +--- + hostapd/config_file.c | 10 ++++++++++ + hostapd/hostapd.conf | 8 ++++++++ + src/ap/ap_config.h | 13 +++++++++++++ + src/ap/wpa_auth_kay.c | 1 + + src/drivers/driver.h | 10 ++++++++++ + src/pae/ieee802_1x_cp.c | 7 +++++++ + src/pae/ieee802_1x_kay.c | 7 +++++-- + src/pae/ieee802_1x_kay.h | 6 ++++-- + src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++ + src/pae/ieee802_1x_secy_ops.h | 1 + + wpa_supplicant/config.c | 1 + + wpa_supplicant/config_file.c | 1 + + wpa_supplicant/config_ssid.h | 12 ++++++++++++ + wpa_supplicant/driver_i.h | 8 ++++++++ + wpa_supplicant/wpa_cli.c | 1 + + wpa_supplicant/wpa_supplicant.conf | 9 +++++++++ + wpa_supplicant/wpas_kay.c | 10 +++++++++- + 17 files changed, 120 insertions(+), 5 deletions(-) + +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -833,6 +833,19 @@ struct hostapd_bss_config { + u32 macsec_replay_window; + + /** ++ * macsec_offload - Enable MACsec offload ++ * ++ * This setting applies only when MACsec is in use, i.e., ++ * - macsec_policy is enabled ++ * - the key server has decided to enable MACsec ++ * ++ * 0 = MACSEC_OFFLOAD_OFF (default) ++ * 1 = MACSEC_OFFLOAD_PHY ++ * 2 = MACSEC_OFFLOAD_MAC ++ */ ++ int macsec_offload; ++ ++ /** + * macsec_port - MACsec port (in SCI) + * + * Port component of the SCI. 
+--- a/src/ap/wpa_auth_kay.c ++++ b/src/ap/wpa_auth_kay.c +@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct + res = ieee802_1x_kay_init(kay_ctx, policy, + hapd->conf->macsec_replay_protect, + hapd->conf->macsec_replay_window, ++ hapd->conf->macsec_offload, + hapd->conf->macsec_port, + hapd->conf->mka_priority, + hapd->conf->macsec_csindex, +--- a/src/drivers/driver.h ++++ b/src/drivers/driver.h +@@ -4168,6 +4168,16 @@ struct wpa_driver_ops { + int (*set_replay_protect)(void *priv, bool enabled, u32 window); + + /** ++ * set_offload - Set MACsec hardware offload ++ * @priv: Private driver interface data ++ * @offload: 0 = MACSEC_OFFLOAD_OFF ++ * 1 = MACSEC_OFFLOAD_PHY ++ * 2 = MACSEC_OFFLOAD_MAC ++ * Returns: 0 on success, -1 on failure (or if not supported) ++ */ ++ int (*set_offload)(void *priv, u8 offload); ++ ++ /** + * set_current_cipher_suite - Set current cipher suite + * @priv: Private driver interface data + * @cs: EUI64 identifier +--- a/src/pae/ieee802_1x_cp.c ++++ b/src/pae/ieee802_1x_cp.c +@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm { + + /* not defined IEEE Std 802.1X-2010 */ + struct ieee802_1x_kay *kay; ++ u8 offload; + }; + + static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx, +@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED) + sm->protect_frames = false; + sm->replay_protect = false; + sm->validate_frames = Checked; ++ sm->offload = sm->kay->macsec_offload; + + sm->port_valid = false; + sm->controlled_port_enabled = true; +@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED) + secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); + secy_cp_control_validate_frames(sm->kay, sm->validate_frames); + secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); ++ secy_cp_control_offload(sm->kay, sm->offload); + } + + +@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED) + + sm->protect_frames = sm->kay->macsec_protect; + sm->replay_protect = sm->kay->macsec_replay_protect; ++ sm->offload = sm->kay->macsec_offload; + 
sm->validate_frames = sm->kay->macsec_validate; + + sm->current_cipher_suite = sm->cipher_suite; +@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED) + secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); + secy_cp_control_validate_frames(sm->kay, sm->validate_frames); + secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); ++ secy_cp_control_offload(sm->kay, sm->offload); + } + + +@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ + sm->validate_frames = kay->macsec_validate; + sm->replay_protect = kay->macsec_replay_protect; + sm->replay_window = kay->macsec_replay_window; ++ sm->offload = kay->macsec_offload; + + sm->controlled_port_enabled = false; + +@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ + secy_cp_control_confidentiality_offset(sm->kay, + sm->confidentiality_offset); + secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); ++ secy_cp_control_offload(sm->kay, sm->offload); + + SM_STEP_RUN(CP); + +--- a/src/pae/ieee802_1x_kay.c ++++ b/src/pae/ieee802_1x_kay.c +@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co + struct ieee802_1x_kay * + ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, + bool macsec_replay_protect, u32 macsec_replay_window, +- u16 port, u8 priority, u32 macsec_csindex, +- const char *ifname, const u8 *addr) ++ u8 macsec_offload, u16 port, u8 priority, ++ u32 macsec_csindex, const char *ifname, const u8 *addr) + { + struct ieee802_1x_kay *kay; + +@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka + kay->macsec_validate = Disabled; + kay->macsec_replay_protect = false; + kay->macsec_replay_window = 0; ++ kay->macsec_offload = 0; + kay->macsec_confidentiality = CONFIDENTIALITY_NONE; + kay->mka_hello_time = MKA_HELLO_TIME; + } else { +@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka + kay->macsec_validate = Strict; + kay->macsec_replay_protect = macsec_replay_protect; + kay->macsec_replay_window = macsec_replay_window; 
++ kay->macsec_offload = macsec_offload; + kay->mka_hello_time = MKA_HELLO_TIME; + } + +@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802 + secy_cp_control_protect_frames(kay, kay->macsec_protect); + secy_cp_control_replay(kay, kay->macsec_replay_protect, + kay->macsec_replay_window); ++ secy_cp_control_offload(kay, kay->macsec_offload); + if (secy_create_transmit_sc(kay, participant->txsc)) + goto fail; + +--- a/src/pae/ieee802_1x_kay.h ++++ b/src/pae/ieee802_1x_kay.h +@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx { + int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa); + int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa); + int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa); ++ int (*set_offload)(void *ctx, u8 offload); + }; + + struct ieee802_1x_kay { +@@ -206,6 +207,7 @@ struct ieee802_1x_kay { + bool is_key_server; + bool is_obliged_key_server; + char if_name[IFNAMSIZ]; ++ u8 macsec_offload; + + unsigned int macsec_csindex; /* MACsec cipher suite table index */ + int mka_algindex; /* MKA alg table index */ +@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc + struct ieee802_1x_kay * + ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, + bool macsec_replay_protect, u32 macsec_replay_window, +- u16 port, u8 priority, u32 macsec_csindex, +- const char *ifname, const u8 *addr); ++ u8 macsec_offload, u16 port, u8 priority, ++ u32 macsec_csindex, const char *ifname, const u8 *addr); + void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); + + struct ieee802_1x_mka_participant * +--- a/src/pae/ieee802_1x_secy_ops.c ++++ b/src/pae/ieee802_1x_secy_ops.c +@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80 + } + + ++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload) ++{ ++ struct ieee802_1x_kay_ctx *ops; ++ ++ if (!kay) { ++ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__); ++ return -1; ++ } ++ ++ ops = kay->ctx; ++ if (!ops || !ops->set_offload) { ++ 
wpa_printf(MSG_ERROR, ++ "KaY: secy set_offload operation not supported"); ++ return -1; ++ } ++ ++ return ops->set_offload(ops->ctx, offload); ++} ++ ++ + int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs) + { + struct ieee802_1x_kay_ctx *ops; +--- a/src/pae/ieee802_1x_secy_ops.h ++++ b/src/pae/ieee802_1x_secy_ops.h +@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru + int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag); + int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled); + int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win); ++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload); + int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs); + int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay, + enum confidentiality_offset co); +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel + { INT_RANGE(macsec_integ_only, 0, 1) }, + { INT_RANGE(macsec_replay_protect, 0, 1) }, + { INT(macsec_replay_window) }, ++ { INT_RANGE(macsec_offload, 0, 2) }, + { INT_RANGE(macsec_port, 1, 65534) }, + { INT_RANGE(mka_priority, 0, 255) }, + { INT_RANGE(macsec_csindex, 0, 1) }, +--- a/wpa_supplicant/config_file.c ++++ b/wpa_supplicant/config_file.c +@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL + INT(macsec_integ_only); + INT(macsec_replay_protect); + INT(macsec_replay_window); ++ INT(macsec_offload); + INT(macsec_port); + INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER); + INT(macsec_csindex); +--- a/wpa_supplicant/config_ssid.h ++++ b/wpa_supplicant/config_ssid.h +@@ -896,6 +896,18 @@ struct wpa_ssid { + u32 macsec_replay_window; + + /** ++ * macsec_offload - Enable MACsec hardware offload ++ * ++ * This setting applies only when MACsec is in use, i.e., ++ * - the key server has decided to enable MACsec ++ * ++ * 0 = MACSEC_OFFLOAD_OFF (default) ++ 
* 1 = MACSEC_OFFLOAD_PHY ++ * 2 = MACSEC_OFFLOAD_MAC ++ */ ++ int macsec_offload; ++ ++ /** + * macsec_port - MACsec port (in SCI) + * + * Port component of the SCI. +--- a/wpa_supplicant/driver_i.h ++++ b/wpa_supplicant/driver_i.h +@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro + window); + } + ++static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload) ++{ ++ if (!wpa_s->driver->set_offload) ++ return -1; ++ return wpa_s->driver->set_offload(wpa_s->drv_priv, offload); ++ ++} ++ + static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s, + u64 cs) + { +--- a/wpa_supplicant/wpa_cli.c ++++ b/wpa_supplicant/wpa_cli.c +@@ -1473,6 +1473,7 @@ static const char *network_fields[] = { + "macsec_integ_only", + "macsec_replay_protect", + "macsec_replay_window", ++ "macsec_offload", + "macsec_port", + "mka_priority", + #endif /* CONFIG_MACSEC */ +--- a/wpa_supplicant/wpa_supplicant.conf ++++ b/wpa_supplicant/wpa_supplicant.conf +@@ -1094,6 +1094,15 @@ fast_reauth=1 + # 0: No replay window, strict check (default) + # 1..2^32-1: number of packets that could be misordered + # ++# macsec_offload - Enable MACsec hardware offload ++# ++# This setting applies only when MACsec is in use, i.e., ++# - the key server has decided to enable MACsec ++# ++# 0 = MACSEC_OFFLOAD_OFF (default) ++# 1 = MACSEC_OFFLOAD_PHY ++# 2 = MACSEC_OFFLOAD_MAC ++# + # macsec_port: IEEE 802.1X/MACsec port + # Port component of the SCI + # Range: 1-65534 (default: 1) +--- a/wpa_supplicant/wpas_kay.c ++++ b/wpa_supplicant/wpas_kay.c +@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo + } + + ++static int wpas_set_offload(void *wpa_s, u8 offload) ++{ ++ return wpa_drv_set_offload(wpa_s, offload); ++} ++ ++ + static unsigned int conf_offset_val(enum confidentiality_offset co) + { + switch (co) { +@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s + kay_ctx->enable_protect_frames = wpas_enable_protect_frames; + kay_ctx->enable_encrypt = 
wpas_enable_encrypt; + kay_ctx->set_replay_protect = wpas_set_replay_protect; ++ kay_ctx->set_offload = wpas_set_offload; + kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite; + kay_ctx->enable_controlled_port = wpas_enable_controlled_port; + kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn; +@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s + kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa; + + res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect, +- ssid->macsec_replay_window, ssid->macsec_port, ++ ssid->macsec_replay_window, ++ ssid->macsec_offload, ssid->macsec_port, + ssid->mka_priority, ssid->macsec_csindex, + wpa_s->ifname, wpa_s->own_addr); + /* ieee802_1x_kay_init() frees kay_ctx on failure */ diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 1c0d907..8468266 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 2.10 -Release: 4%{?dist} +Release: 4%{?dist}.rhel22440 License: BSD Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz Source1: wpa_supplicant.conf @@ -34,6 +34,12 @@ Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch # backport fix for bz2077973 Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch +# support macsec HW offload +Patch8: wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch +Patch9: wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch +Patch10: wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch +Patch11: wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch + URL: http://w1.fi/wpa_supplicant/ 
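Review bot: Every new `secy_cp_control_offload()` call in ieee802_1x_cp.c and in ieee802_1x_kay_create_mka ignores its result, while the driver side deliberately returns -1 when a non-zero offload mode is requested but unavailable (the `#else` branch in Patch11, and `wpa_drv_set_offload` when the driver has no set_offload), so a network configured with macsec_offload=1 or 2 proceeds with kernel-side MACsec and the only trace is a log line; contrast `secy_create_transmit_sc` immediately below, whose failure aborts create_mka. Whether that fallback should be fatal is a policy choice, but it should at least be visible: `if (secy_cp_control_offload(kay, kay->macsec_offload) < 0 && kay->macsec_offload) wpa_printf(MSG_WARNING, "KaY: MACsec offload mode %d could not be applied; continuing without offload", kay->macsec_offload);`. In the other direction, secy_cp_control_offload logs an MSG_ERROR whenever `ops->set_offload` is NULL, and it is now called from AUTHENTICATED, SECURED, cp_sm_init and create_mka even when macsec_offload is 0; as far as this backport shows, set_offload is wired only in wpas_kay.c, so a KaY context without it (the hostapd side is touched here only for the new parameter) would emit that error on every transition — an early `if (!offload && (!ops || !ops->set_offload)) return 0;` before the error avoids the noise. Minor: `wpa_drv_set_offload` in driver_i.h carries a stray blank line before its closing brace. The CP state functions and ieee802_1x_kay_create_mka start and end outside the hunk.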
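Review bot: Patch11 compiles the offload path only when `LIBNL_VER_NUM >= LIBNL_VER(3, 6)` and otherwise returns -1 for any non-zero macsec_offload, so the feature this release is meant to deliver for RHEL-22440 depends on the libnl development headers present at build time; the BuildRequires lines are outside this hunk, and if they do not already pin the libnl3 devel package at >= 3.6 a build against an older libnl succeeds silently with offload unavailable at runtime. A versioned `BuildRequires: libnl3-devel >= 3.6` next to the new Patch entries would make that requirement explicit, and a comment such as `# Patch11 needs libnl >= 3.6 for MACsec offload (LIBNL_HAS_OFFLOAD)` beside Patch11 documents why.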
@@ -194,6 +200,9 @@ chmod -R 0644 wpa_supplicant/examples/*.py %changelog +* Thu Feb 1 2024 Davide Caratti - 1:2.10-4.rhel22440 +- support macsec HW offload. Resolves: RHEL-22440 + * Fri May 13 2022 Davide Caratti - 1:2.10-4 - Explicitly allow/disallow unsafe legacy renegotiation on configuration base. Resolves: rhbz#2077973