rpms/wpa_supplicant
7
0
Fork 0
Code Issues Pull Requests Releases Activity

backport support for IEEE 802.1AE (macsec)

Browse Source
This commit is contained in:
Davide Caratti 2017-02-28 15:39:41 +01:00
parent e0ed12b18c
commit fb7f6658b8
38 changed files with 8453 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build-config
View File

@ -6,6 +6,7 @@ CONFIG_DRIVER_WEXT=y
CONFIG_LIBNL32=y CONFIG_LIBNL32=y
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
CONFIG_DRIVER_MACSEC_LINUX=y
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MD5=y CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y CONFIG_EAP_MSCHAPV2=y
@ -37,3 +38,4 @@ CONFIG_P2P=y
CONFIG_IBSS_RSN=y CONFIG_IBSS_RSN=y
CONFIG_IEEE80211N=y CONFIG_IEEE80211N=y
CONFIG_WIFI_DISPLAY=y CONFIG_WIFI_DISPLAY=y
CONFIG_MACSEC=y

237
macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch Normal file
View File

@ -0,0 +1,237 @@
From f75f6e2b03fa5e807142a37039b0b613565eafa7 Mon Sep 17 00:00:00 2001
Message-Id: <f75f6e2b03fa5e807142a37039b0b613565eafa7.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 20 Sep 2016 09:43:04 +0200
Subject: [PATCH] mka: Move structs {transmit,receive}_{sa,sc} to a common
header
These structs will be passed down to macsec drivers in a coming patch to
make the driver interface cleaner, so they need to be shared between the
core MKA implementation and the drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 3 ++
src/pae/ieee802_1x_kay.h | 82 +++++++++++++++++++++++++++++++++++++++++++
src/pae/ieee802_1x_kay_i.h | 82 -------------------------------------------
src/pae/ieee802_1x_secy_ops.h | 4 ---
4 files changed, 85 insertions(+), 86 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index a449cc9..073219e 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -21,6 +21,9 @@
#include "common/defs.h"
#include "common/ieee802_11_defs.h"
+#ifdef CONFIG_MACSEC
+#include "pae/ieee802_1x_kay.h"
+#endif /* CONFIG_MACSEC */
#include "utils/list.h"
#define HOSTAPD_CHAN_DISABLED 0x00000001
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index afbaa33..0361e1a 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -49,6 +49,88 @@ enum mka_created_mode {
EAP_EXCHANGE,
};
+struct data_key {
+ u8 *key;
+ int key_len;
+ struct ieee802_1x_mka_ki key_identifier;
+ enum confidentiality_offset confidentiality_offset;
+ u8 an;
+ Boolean transmits;
+ Boolean receives;
+ struct os_time created_time;
+ u32 next_pn;
+
+ /* not defined data */
+ Boolean rx_latest;
+ Boolean tx_latest;
+
+ int user; /* FIXME: to indicate if it can be delete safely */
+
+ struct dl_list list;
+};
+
+/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
+struct transmit_sc {
+ struct ieee802_1x_mka_sci sci; /* const SCI sci */
+ Boolean transmitting; /* bool transmitting (read only) */
+
+ struct os_time created_time; /* Time createdTime */
+
+ u8 encoding_sa; /* AN encodingSA (read only) */
+ u8 enciphering_sa; /* AN encipheringSA (read only) */
+
+ /* not defined data */
+ unsigned int channel;
+
+ struct dl_list list;
+ struct dl_list sa_list;
+};
+
+/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
+struct transmit_sa {
+ Boolean in_use; /* bool inUse (read only) */
+ u32 next_pn; /* PN nextPN (read only) */
+ struct os_time created_time; /* Time createdTime */
+
+ Boolean enable_transmit; /* bool EnableTransmit */
+
+ u8 an;
+ Boolean confidentiality;
+ struct data_key *pkey;
+
+ struct transmit_sc *sc;
+ struct dl_list list; /* list entry in struct transmit_sc::sa_list */
+};
+
+/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
+struct receive_sc {
+ struct ieee802_1x_mka_sci sci; /* const SCI sci */
+ Boolean receiving; /* bool receiving (read only) */
+
+ struct os_time created_time; /* Time createdTime */
+
+ unsigned int channel;
+
+ struct dl_list list;
+ struct dl_list sa_list;
+};
+
+/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
+struct receive_sa {
+ Boolean enable_receive; /* bool enableReceive */
+ Boolean in_use; /* bool inUse (read only) */
+
+ u32 next_pn; /* PN nextPN (read only) */
+ u32 lowest_pn; /* PN lowestPN (read only) */
+ u8 an;
+ struct os_time created_time;
+
+ struct data_key *pkey;
+ struct receive_sc *sc; /* list entry in struct receive_sc::sa_list */
+
+ struct dl_list list;
+};
+
struct ieee802_1x_kay_ctx {
/* pointer to arbitrary upper level context */
void *ctx;
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
index 622282e..e3d7db4 100644
--- a/src/pae/ieee802_1x_kay_i.h
+++ b/src/pae/ieee802_1x_kay_i.h
@@ -54,88 +54,6 @@ struct ieee802_1x_kay_peer {
struct dl_list list;
};
-struct data_key {
- u8 *key;
- int key_len;
- struct ieee802_1x_mka_ki key_identifier;
- enum confidentiality_offset confidentiality_offset;
- u8 an;
- Boolean transmits;
- Boolean receives;
- struct os_time created_time;
- u32 next_pn;
-
- /* not defined data */
- Boolean rx_latest;
- Boolean tx_latest;
-
- int user; /* FIXME: to indicate if it can be delete safely */
-
- struct dl_list list;
-};
-
-/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
-struct transmit_sc {
- struct ieee802_1x_mka_sci sci; /* const SCI sci */
- Boolean transmitting; /* bool transmitting (read only) */
-
- struct os_time created_time; /* Time createdTime */
-
- u8 encoding_sa; /* AN encodingSA (read only) */
- u8 enciphering_sa; /* AN encipheringSA (read only) */
-
- /* not defined data */
- unsigned int channel;
-
- struct dl_list list;
- struct dl_list sa_list;
-};
-
-/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
-struct transmit_sa {
- Boolean in_use; /* bool inUse (read only) */
- u32 next_pn; /* PN nextPN (read only) */
- struct os_time created_time; /* Time createdTime */
-
- Boolean enable_transmit; /* bool EnableTransmit */
-
- u8 an;
- Boolean confidentiality;
- struct data_key *pkey;
-
- struct transmit_sc *sc;
- struct dl_list list; /* list entry in struct transmit_sc::sa_list */
-};
-
-/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
-struct receive_sc {
- struct ieee802_1x_mka_sci sci; /* const SCI sci */
- Boolean receiving; /* bool receiving (read only) */
-
- struct os_time created_time; /* Time createdTime */
-
- unsigned int channel;
-
- struct dl_list list;
- struct dl_list sa_list;
-};
-
-/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
-struct receive_sa {
- Boolean enable_receive; /* bool enableReceive */
- Boolean in_use; /* bool inUse (read only) */
-
- u32 next_pn; /* PN nextPN (read only) */
- u32 lowest_pn; /* PN lowestPN (read only) */
- u8 an;
- struct os_time created_time;
-
- struct data_key *pkey;
- struct receive_sc *sc; /* list entry in struct receive_sc::sa_list */
-
- struct dl_list list;
-};
-
struct macsec_ciphersuite {
u64 id;
char name[32];
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index f5057ee..120ca3c 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -13,10 +13,6 @@
#include "common/ieee802_1x_defs.h"
struct ieee802_1x_kay_conf;
-struct receive_sa;
-struct transmit_sa;
-struct receive_sc;
-struct transmit_sc;
int secy_init_macsec(struct ieee802_1x_kay *kay);
int secy_deinit_macsec(struct ieee802_1x_kay *kay);
--
2.7.4

296
macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch Normal file
View File

@ -0,0 +1,296 @@
From 7fa5eff8abbbff4f3385932175b080aad40bf211 Mon Sep 17 00:00:00 2001
Message-Id: <7fa5eff8abbbff4f3385932175b080aad40bf211.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 20 Sep 2016 09:43:05 +0200
Subject: [PATCH] mka: Pass full structures down to macsec drivers' packet
number ops
Clean up the driver interface by passing pointers to structs transmit_sa
and receive_sa down the stack to get_receive_lowest_pn(),
get_transmit_next_pn(), and set_transmit_next_pn() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 21 ++++++---------------
src/drivers/driver_macsec_qca.c | 33 ++++++++++++++++++---------------
src/pae/ieee802_1x_kay.h | 8 +++-----
src/pae/ieee802_1x_secy_ops.c | 15 +++------------
wpa_supplicant/driver_i.h | 18 ++++++------------
wpa_supplicant/wpas_kay.c | 15 ++++++---------
6 files changed, 42 insertions(+), 68 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 073219e..2c7ce6c 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3336,35 +3336,26 @@ struct wpa_driver_ops {
/**
* get_receive_lowest_pn - Get receive lowest pn
* @priv: Private driver interface data
- * @channel: secure channel
- * @an: association number
- * @lowest_pn: lowest accept pn
+ * @sa: secure association
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*get_receive_lowest_pn)(void *priv, u32 channel, u8 an,
- u32 *lowest_pn);
+ int (*get_receive_lowest_pn)(void *priv, struct receive_sa *sa);
/**
* get_transmit_next_pn - Get transmit next pn
* @priv: Private driver interface data
- * @channel: secure channel
- * @an: association number
- * @next_pn: next pn
+ * @sa: secure association
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*get_transmit_next_pn)(void *priv, u32 channel, u8 an,
- u32 *next_pn);
+ int (*get_transmit_next_pn)(void *priv, struct transmit_sa *sa);
/**
* set_transmit_next_pn - Set transmit next pn
* @priv: Private driver interface data
- * @channel: secure channel
- * @an: association number
- * @next_pn: next pn
+ * @sa: secure association
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*set_transmit_next_pn)(void *priv, u32 channel, u8 an,
- u32 next_pn);
+ int (*set_transmit_next_pn)(void *priv, struct transmit_sa *sa);
/**
* get_available_receive_sc - get available receive channel
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 826d3cc..95f1e27 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -29,6 +29,7 @@
#include "utils/eloop.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"
+#include "pae/ieee802_1x_kay.h"
#include "driver.h"
#include "nss_macsec_secy.h"
@@ -515,16 +516,16 @@ static int macsec_qca_enable_controlled_port(void *priv, Boolean enabled)
}
-static int macsec_qca_get_receive_lowest_pn(void *priv, u32 channel, u8 an,
- u32 *lowest_pn)
+static int macsec_qca_get_receive_lowest_pn(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
u32 next_pn = 0;
bool enabled = FALSE;
u32 win;
+ u32 channel = sa->sc->channel;
- ret += nss_macsec_secy_rx_sa_next_pn_get(drv->secy_id, channel, an,
+ ret += nss_macsec_secy_rx_sa_next_pn_get(drv->secy_id, channel, sa->an,
&next_pn);
ret += nss_macsec_secy_rx_sc_replay_protect_get(drv->secy_id, channel,
&enabled);
@@ -532,40 +533,42 @@ static int macsec_qca_get_receive_lowest_pn(void *priv, u32 channel, u8 an,
channel, &win);
if (enabled)
- *lowest_pn = (next_pn > win) ? (next_pn - win) : 1;
+ sa->lowest_pn = (next_pn > win) ? (next_pn - win) : 1;
else
- *lowest_pn = next_pn;
+ sa->lowest_pn = next_pn;
- wpa_printf(MSG_DEBUG, "%s: lpn=0x%x", __func__, *lowest_pn);
+ wpa_printf(MSG_DEBUG, "%s: lpn=0x%x", __func__, sa->lowest_pn);
return ret;
}
-static int macsec_qca_get_transmit_next_pn(void *priv, u32 channel, u8 an,
- u32 *next_pn)
+static int macsec_qca_get_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
- ret += nss_macsec_secy_tx_sa_next_pn_get(drv->secy_id, channel, an,
- next_pn);
+ ret += nss_macsec_secy_tx_sa_next_pn_get(drv->secy_id, channel, sa->an,
+ &sa->next_pn);
- wpa_printf(MSG_DEBUG, "%s: npn=0x%x", __func__, *next_pn);
+ wpa_printf(MSG_DEBUG, "%s: npn=0x%x", __func__, sa->next_pn);
return ret;
}
-int macsec_qca_set_transmit_next_pn(void *priv, u32 channel, u8 an, u32 next_pn)
+int macsec_qca_set_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
- ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, an,
- next_pn);
- wpa_printf(MSG_INFO, "%s: npn=0x%x", __func__, next_pn);
+ ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
+ sa->next_pn);
+
+ wpa_printf(MSG_INFO, "%s: npn=0x%x", __func__, sa->next_pn);
return ret;
}
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 0361e1a..a747b11 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -142,11 +142,9 @@ struct ieee802_1x_kay_ctx {
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
int (*set_current_cipher_suite)(void *ctx, u64 cs);
int (*enable_controlled_port)(void *ctx, Boolean enabled);
- int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
- u32 *lowest_pn);
- int (*get_transmit_next_pn)(void *ctx, u32 channel, u8 an,
- u32 *next_pn);
- int (*set_transmit_next_pn)(void *ctx, u32 channel, u8 an, u32 next_pn);
+ int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
+ int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
+ int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
int (*get_available_receive_sc)(void *ctx, u32 *channel);
int (*create_receive_sc)(void *ctx, u32 channel,
struct ieee802_1x_mka_sci *sci,
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index 2d12911..d05e00f 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -130,10 +130,7 @@ int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->get_receive_lowest_pn(ops->ctx,
- rxsa->sc->channel,
- rxsa->an,
- &rxsa->lowest_pn);
+ return ops->get_receive_lowest_pn(ops->ctx, rxsa);
}
@@ -154,10 +151,7 @@ int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->get_transmit_next_pn(ops->ctx,
- txsa->sc->channel,
- txsa->an,
- &txsa->next_pn);
+ return ops->get_transmit_next_pn(ops->ctx, txsa);
}
@@ -178,10 +172,7 @@ int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->set_transmit_next_pn(ops->ctx,
- txsa->sc->channel,
- txsa->an,
- txsa->next_pn);
+ return ops->set_transmit_next_pn(ops->ctx, txsa);
}
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 220b7ba..639bb83 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -749,33 +749,27 @@ static inline int wpa_drv_enable_controlled_port(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_get_receive_lowest_pn(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an,
- u32 *lowest_pn)
+ struct receive_sa *sa)
{
if (!wpa_s->driver->get_receive_lowest_pn)
return -1;
- return wpa_s->driver->get_receive_lowest_pn(wpa_s->drv_priv, channel,
- an, lowest_pn);
+ return wpa_s->driver->get_receive_lowest_pn(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_get_transmit_next_pn(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an,
- u32 *next_pn)
+ struct transmit_sa *sa)
{
if (!wpa_s->driver->get_transmit_next_pn)
return -1;
- return wpa_s->driver->get_transmit_next_pn(wpa_s->drv_priv, channel,
- an, next_pn);
+ return wpa_s->driver->get_transmit_next_pn(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_set_transmit_next_pn(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an,
- u32 next_pn)
+ struct transmit_sa *sa)
{
if (!wpa_s->driver->set_transmit_next_pn)
return -1;
- return wpa_s->driver->set_transmit_next_pn(wpa_s->drv_priv, channel,
- an, next_pn);
+ return wpa_s->driver->set_transmit_next_pn(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_get_available_receive_sc(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index d6ec8c5..306d9f1 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -62,24 +62,21 @@ static int wpas_enable_controlled_port(void *wpa_s, Boolean enabled)
}
-static int wpas_get_receive_lowest_pn(void *wpa_s, u32 channel,
- u8 an, u32 *lowest_pn)
+static int wpas_get_receive_lowest_pn(void *wpa_s, struct receive_sa *sa)
{
- return wpa_drv_get_receive_lowest_pn(wpa_s, channel, an, lowest_pn);
+ return wpa_drv_get_receive_lowest_pn(wpa_s, sa);
}
-static int wpas_get_transmit_next_pn(void *wpa_s, u32 channel,
- u8 an, u32 *next_pn)
+static int wpas_get_transmit_next_pn(void *wpa_s, struct transmit_sa *sa)
{
- return wpa_drv_get_transmit_next_pn(wpa_s, channel, an, next_pn);
+ return wpa_drv_get_transmit_next_pn(wpa_s, sa);
}
-static int wpas_set_transmit_next_pn(void *wpa_s, u32 channel,
- u8 an, u32 next_pn)
+static int wpas_set_transmit_next_pn(void *wpa_s, struct transmit_sa *sa)
{
- return wpa_drv_set_transmit_next_pn(wpa_s, channel, an, next_pn);
+ return wpa_drv_set_transmit_next_pn(wpa_s, sa);
}
--
2.7.4

290
macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch Normal file
View File

@ -0,0 +1,290 @@
From 909c1b9835ecc9c115980e9827a9313c17dab22b Mon Sep 17 00:00:00 2001
Message-Id: <909c1b9835ecc9c115980e9827a9313c17dab22b.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 20 Sep 2016 09:43:07 +0200
Subject: [PATCH] mka: Pass full structures down to macsec drivers' transmit SA
ops
Clean up the driver interface by passing pointers to struct transmit_sa
down the stack to the {create,enable,disable}_transmit_sa ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 20 ++++++--------------
src/drivers/driver_macsec_qca.c | 39 +++++++++++++++++++++++----------------
src/pae/ieee802_1x_kay.h | 7 +++----
src/pae/ieee802_1x_secy_ops.c | 8 +++-----
wpa_supplicant/driver_i.h | 16 ++++++----------
wpa_supplicant/wpas_kay.c | 15 ++++++---------
6 files changed, 47 insertions(+), 58 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 2c7ce6c..bb2d1d2 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3448,34 +3448,26 @@ struct wpa_driver_ops {
/**
* create_transmit_sa - create secure association for transmit
* @priv: private driver interface data from init()
- * @channel: secure channel index
- * @an: association number
- * @next_pn: the packet number used as next transmit packet
- * @confidentiality: True if the SA is to provide confidentiality
- * as well as integrity
- * @sak: the secure association key
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*create_transmit_sa)(void *priv, u32 channel, u8 an, u32 next_pn,
- Boolean confidentiality, const u8 *sak);
+ int (*create_transmit_sa)(void *priv, struct transmit_sa *sa);
/**
* enable_transmit_sa - enable SA for transmit
* @priv: private driver interface data from init()
- * @channel: secure channel
- * @an: association number
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*enable_transmit_sa)(void *priv, u32 channel, u8 an);
+ int (*enable_transmit_sa)(void *priv, struct transmit_sa *sa);
/**
* disable_transmit_sa - disable SA for transmit
* @priv: private driver interface data from init()
- * @channel: secure channel
- * @an: association number
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*disable_transmit_sa)(void *priv, u32 channel, u8 an);
+ int (*disable_transmit_sa)(void *priv, struct transmit_sa *sa);
#endif /* CONFIG_MACSEC */
/**
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 95f1e27..9bfc9a4 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -794,19 +794,18 @@ static int macsec_qca_delete_transmit_sc(void *priv, u32 channel)
}
-static int macsec_qca_create_transmit_sa(void *priv, u32 channel, u8 an,
- u32 next_pn, Boolean confidentiality,
- const u8 *sak)
+static int macsec_qca_create_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
u8 tci = 0;
fal_tx_sak_t tx_sak;
int i;
+ u32 channel = sa->sc->channel;
wpa_printf(MSG_DEBUG,
"%s: channel=%d, an=%d, next_pn=0x%x, confidentiality=%d",
- __func__, channel, an, next_pn, confidentiality);
+ __func__, channel, sa->an, sa->next_pn, sa->confidentiality);
if (drv->always_include_sci)
tci |= TCI_SC;
@@ -815,45 +814,53 @@ static int macsec_qca_create_transmit_sa(void *priv, u32 channel, u8 an,
else if (drv->use_scb)
tci |= TCI_SCB;
- if (confidentiality)
+ if (sa->confidentiality)
tci |= TCI_E | TCI_C;
os_memset(&tx_sak, 0, sizeof(tx_sak));
for (i = 0; i < 16; i++)
- tx_sak.sak[i] = sak[15 - i];
+ tx_sak.sak[i] = sa->pkey->key[15 - i];
- ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, an,
- next_pn);
- ret += nss_macsec_secy_tx_sak_set(drv->secy_id, channel, an, &tx_sak);
+ ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
+ sa->next_pn);
+ ret += nss_macsec_secy_tx_sak_set(drv->secy_id, channel, sa->an,
+ &tx_sak);
ret += nss_macsec_secy_tx_sc_tci_7_2_set(drv->secy_id, channel,
(tci >> 2));
- ret += nss_macsec_secy_tx_sc_an_set(drv->secy_id, channel, an);
+ ret += nss_macsec_secy_tx_sc_an_set(drv->secy_id, channel, sa->an);
return ret;
}
-static int macsec_qca_enable_transmit_sa(void *priv, u32 channel, u8 an)
+static int macsec_qca_enable_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
- wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel, an);
- ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, an, TRUE);
+ wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
+ sa->an);
+
+ ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, sa->an,
+ TRUE);
return ret;
}
-static int macsec_qca_disable_transmit_sa(void *priv, u32 channel, u8 an)
+static int macsec_qca_disable_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
- wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel, an);
+ wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
+ sa->an);
- ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, an, FALSE);
+ ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, sa->an,
+ FALSE);
return ret;
}
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index a747b11..36a7bd6 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -160,10 +160,9 @@ struct ieee802_1x_kay_ctx {
const struct ieee802_1x_mka_sci *sci,
enum confidentiality_offset co);
int (*delete_transmit_sc)(void *ctx, u32 channel);
- int (*create_transmit_sa)(void *ctx, u32 channel, u8 an, u32 next_pn,
- Boolean confidentiality, const u8 *sak);
- int (*enable_transmit_sa)(void *ctx, u32 channel, u8 an);
- int (*disable_transmit_sa)(void *ctx, u32 channel, u8 an);
+ int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
};
struct ieee802_1x_kay {
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index d05e00f..8c31ca9 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -382,9 +382,7 @@ int secy_create_transmit_sa(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->create_transmit_sa(ops->ctx, txsa->sc->channel, txsa->an,
- txsa->next_pn, txsa->confidentiality,
- txsa->pkey->key);
+ return ops->create_transmit_sa(ops->ctx, txsa);
}
@@ -407,7 +405,7 @@ int secy_enable_transmit_sa(struct ieee802_1x_kay *kay,
txsa->enable_transmit = TRUE;
- return ops->enable_transmit_sa(ops->ctx, txsa->sc->channel, txsa->an);
+ return ops->enable_transmit_sa(ops->ctx, txsa);
}
@@ -430,7 +428,7 @@ int secy_disable_transmit_sa(struct ieee802_1x_kay *kay,
txsa->enable_transmit = FALSE;
- return ops->disable_transmit_sa(ops->ctx, txsa->sc->channel, txsa->an);
+ return ops->disable_transmit_sa(ops->ctx, txsa);
}
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 639bb83..e2c2bd7 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -857,31 +857,27 @@ static inline int wpa_drv_delete_transmit_sc(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_create_transmit_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an,
- u32 next_pn,
- Boolean confidentiality,
- const u8 *sak)
+ struct transmit_sa *sa)
{
if (!wpa_s->driver->create_transmit_sa)
return -1;
- return wpa_s->driver->create_transmit_sa(wpa_s->drv_priv, channel, an,
- next_pn, confidentiality, sak);
+ return wpa_s->driver->create_transmit_sa(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_enable_transmit_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an)
+ struct transmit_sa *sa)
{
if (!wpa_s->driver->enable_transmit_sa)
return -1;
- return wpa_s->driver->enable_transmit_sa(wpa_s->drv_priv, channel, an);
+ return wpa_s->driver->enable_transmit_sa(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_disable_transmit_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an)
+ struct transmit_sa *sa)
{
if (!wpa_s->driver->disable_transmit_sa)
return -1;
- return wpa_s->driver->disable_transmit_sa(wpa_s->drv_priv, channel, an);
+ return wpa_s->driver->disable_transmit_sa(wpa_s->drv_priv, sa);
}
#endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 306d9f1..4b74112 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -159,24 +159,21 @@ static int wpas_delete_transmit_sc(void *wpa_s, u32 channel)
}
-static int wpas_create_transmit_sa(void *wpa_s, u32 channel, u8 an,
- u32 next_pn, Boolean confidentiality,
- const u8 *sak)
+static int wpas_create_transmit_sa(void *wpa_s, struct transmit_sa *sa)
{
- return wpa_drv_create_transmit_sa(wpa_s, channel, an, next_pn,
- confidentiality, sak);
+ return wpa_drv_create_transmit_sa(wpa_s, sa);
}
-static int wpas_enable_transmit_sa(void *wpa_s, u32 channel, u8 an)
+static int wpas_enable_transmit_sa(void *wpa_s, struct transmit_sa *sa)
{
- return wpa_drv_enable_transmit_sa(wpa_s, channel, an);
+ return wpa_drv_enable_transmit_sa(wpa_s, sa);
}
-static int wpas_disable_transmit_sa(void *wpa_s, u32 channel, u8 an)
+static int wpas_disable_transmit_sa(void *wpa_s, struct transmit_sa *sa)
{
- return wpa_drv_disable_transmit_sa(wpa_s, channel, an);
+ return wpa_drv_disable_transmit_sa(wpa_s, sa);
}
--
2.7.4

264
macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch Normal file
View File

@ -0,0 +1,264 @@
From cecdecdbe81c9ca86127413c6559be2d3ffcabd3 Mon Sep 17 00:00:00 2001
Message-Id: <cecdecdbe81c9ca86127413c6559be2d3ffcabd3.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 20 Sep 2016 09:43:09 +0200
Subject: [PATCH] mka: Pass full structures down to macsec drivers' receive SA
ops
Clean up the driver interface by passing pointers to struct receive_sa
down the stack to the {create,enable,disable}_receive_sa() ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 18 ++++++------------
src/drivers/driver_macsec_qca.c | 32 ++++++++++++++++++++------------
src/pae/ieee802_1x_kay.h | 7 +++----
src/pae/ieee802_1x_secy_ops.c | 7 +++----
wpa_supplicant/driver_i.h | 14 ++++++--------
wpa_supplicant/wpas_kay.c | 13 ++++++-------
6 files changed, 44 insertions(+), 47 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index bb2d1d2..f1915fc 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3391,32 +3391,26 @@ struct wpa_driver_ops {
/**
* create_receive_sa - create secure association for receive
* @priv: private driver interface data from init()
- * @channel: secure channel
- * @an: association number
- * @lowest_pn: the lowest packet number can be received
- * @sak: the secure association key
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*create_receive_sa)(void *priv, u32 channel, u8 an,
- u32 lowest_pn, const u8 *sak);
+ int (*create_receive_sa)(void *priv, struct receive_sa *sa);
/**
* enable_receive_sa - enable the SA for receive
* @priv: private driver interface data from init()
- * @channel: secure channel
- * @an: association number
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*enable_receive_sa)(void *priv, u32 channel, u8 an);
+ int (*enable_receive_sa)(void *priv, struct receive_sa *sa);
/**
* disable_receive_sa - disable SA for receive
* @priv: private driver interface data from init()
- * @channel: secure channel index
- * @an: association number
+ * @sa: secure association
* Returns: 0 on success, -1 on failure
*/
- int (*disable_receive_sa)(void *priv, u32 channel, u8 an);
+ int (*disable_receive_sa)(void *priv, struct receive_sa *sa);
/**
* get_available_transmit_sc - get available transmit channel
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 9bfc9a4..2867c31 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -667,49 +667,57 @@ static int macsec_qca_delete_receive_sc(void *priv, u32 channel)
}
-static int macsec_qca_create_receive_sa(void *priv, u32 channel, u8 an,
- u32 lowest_pn, const u8 *sak)
+static int macsec_qca_create_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
fal_rx_sak_t rx_sak;
int i = 0;
+ u32 channel = sa->sc->channel;
wpa_printf(MSG_DEBUG, "%s, channel=%d, an=%d, lpn=0x%x",
- __func__, channel, an, lowest_pn);
+ __func__, channel, sa->an, sa->lowest_pn);
os_memset(&rx_sak, 0, sizeof(rx_sak));
for (i = 0; i < 16; i++)
- rx_sak.sak[i] = sak[15 - i];
+ rx_sak.sak[i] = sa->pkey->key[15 - i];
- ret += nss_macsec_secy_rx_sa_create(drv->secy_id, channel, an);
- ret += nss_macsec_secy_rx_sak_set(drv->secy_id, channel, an, &rx_sak);
+ ret += nss_macsec_secy_rx_sa_create(drv->secy_id, channel, sa->an);
+ ret += nss_macsec_secy_rx_sak_set(drv->secy_id, channel, sa->an,
+ &rx_sak);
return ret;
}
-static int macsec_qca_enable_receive_sa(void *priv, u32 channel, u8 an)
+static int macsec_qca_enable_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
+
- wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel, an);
+ wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
+ sa->an);
- ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, an, TRUE);
+ ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, sa->an,
+ TRUE);
return ret;
}
-static int macsec_qca_disable_receive_sa(void *priv, u32 channel, u8 an)
+static int macsec_qca_disable_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
+ u32 channel = sa->sc->channel;
- wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel, an);
+ wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
+ sa->an);
- ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, an, FALSE);
+ ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, sa->an,
+ FALSE);
return ret;
}
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 36a7bd6..8ee5860 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -151,10 +151,9 @@ struct ieee802_1x_kay_ctx {
enum validate_frames vf,
enum confidentiality_offset co);
int (*delete_receive_sc)(void *ctx, u32 channel);
- int (*create_receive_sa)(void *ctx, u32 channel, u8 an, u32 lowest_pn,
- const u8 *sak);
- int (*enable_receive_sa)(void *ctx, u32 channel, u8 an);
- int (*disable_receive_sa)(void *ctx, u32 channel, u8 an);
+ int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
+ int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
+ int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*get_available_transmit_sc)(void *ctx, u32 *channel);
int (*create_transmit_sc)(void *ctx, u32 channel,
const struct ieee802_1x_mka_sci *sci,
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index 8c31ca9..fb376df 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -253,8 +253,7 @@ int secy_create_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
return -1;
}
- return ops->create_receive_sa(ops->ctx, rxsa->sc->channel, rxsa->an,
- rxsa->lowest_pn, rxsa->pkey->key);
+ return ops->create_receive_sa(ops->ctx, rxsa);
}
@@ -276,7 +275,7 @@ int secy_enable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
rxsa->enable_receive = TRUE;
- return ops->enable_receive_sa(ops->ctx, rxsa->sc->channel, rxsa->an);
+ return ops->enable_receive_sa(ops->ctx, rxsa);
}
@@ -298,7 +297,7 @@ int secy_disable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
rxsa->enable_receive = FALSE;
- return ops->disable_receive_sa(ops->ctx, rxsa->sc->channel, rxsa->an);
+ return ops->disable_receive_sa(ops->ctx, rxsa);
}
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index e2c2bd7..666798b 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -802,29 +802,27 @@ static inline int wpa_drv_delete_receive_sc(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_create_receive_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an,
- u32 lowest_pn, const u8 *sak)
+ struct receive_sa *sa)
{
if (!wpa_s->driver->create_receive_sa)
return -1;
- return wpa_s->driver->create_receive_sa(wpa_s->drv_priv, channel, an,
- lowest_pn, sak);
+ return wpa_s->driver->create_receive_sa(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_enable_receive_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an)
+ struct receive_sa *sa)
{
if (!wpa_s->driver->enable_receive_sa)
return -1;
- return wpa_s->driver->enable_receive_sa(wpa_s->drv_priv, channel, an);
+ return wpa_s->driver->enable_receive_sa(wpa_s->drv_priv, sa);
}
static inline int wpa_drv_disable_receive_sa(struct wpa_supplicant *wpa_s,
- u32 channel, u8 an)
+ struct receive_sa *sa)
{
if (!wpa_s->driver->disable_receive_sa)
return -1;
- return wpa_s->driver->disable_receive_sa(wpa_s->drv_priv, channel, an);
+ return wpa_s->driver->disable_receive_sa(wpa_s->drv_priv, sa);
}
static inline int
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 4b74112..344c59e 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -117,22 +117,21 @@ static int wpas_delete_receive_sc(void *wpa_s, u32 channel)
}
-static int wpas_create_receive_sa(void *wpa_s, u32 channel, u8 an,
- u32 lowest_pn, const u8 *sak)
+static int wpas_create_receive_sa(void *wpa_s, struct receive_sa *sa)
{
- return wpa_drv_create_receive_sa(wpa_s, channel, an, lowest_pn, sak);
+ return wpa_drv_create_receive_sa(wpa_s, sa);
}
-static int wpas_enable_receive_sa(void *wpa_s, u32 channel, u8 an)
+static int wpas_enable_receive_sa(void *wpa_s, struct receive_sa *sa)
{
- return wpa_drv_enable_receive_sa(wpa_s, channel, an);
+ return wpa_drv_enable_receive_sa(wpa_s, sa);
}
-static int wpas_disable_receive_sa(void *wpa_s, u32 channel, u8 an)
+static int wpas_disable_receive_sa(void *wpa_s, struct receive_sa *sa)
{
- return wpa_drv_disable_receive_sa(wpa_s, channel, an);
+ return wpa_drv_disable_receive_sa(wpa_s, sa);
}
--
2.7.4

204
macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch Normal file
View File

@ -0,0 +1,204 @@
From 8ebfc7c2ba77ac1f71577b3ddc46a050d9fb1103 Mon Sep 17 00:00:00 2001
Message-Id: <8ebfc7c2ba77ac1f71577b3ddc46a050d9fb1103.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 7 Oct 2016 12:08:09 +0200
Subject: [PATCH] mka: Pass full structures down to macsec drivers' transmit SC
ops
Clean up the driver interface by passing pointers to struct transmit_sc
down the stack to the {create,delete}_transmit_sc() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 13 ++++++-------
src/drivers/driver_macsec_qca.c | 13 +++++++------
src/pae/ieee802_1x_kay.h | 5 ++---
src/pae/ieee802_1x_secy_ops.c | 5 ++---
wpa_supplicant/driver_i.h | 10 ++++------
wpa_supplicant/wpas_kay.c | 11 ++++-------
6 files changed, 25 insertions(+), 32 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index f1915fc..1e2d623 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3423,21 +3423,20 @@ struct wpa_driver_ops {
/**
* create_transmit_sc - create secure connection for transmit
* @priv: private driver interface data from init()
- * @channel: secure channel
- * @sci_addr: secure channel identifier - address
- * @sci_port: secure channel identifier - port
+ * @sc: secure channel
+ * @conf_offset: confidentiality offset (0, 30, or 50)
* Returns: 0 on success, -1 on failure
*/
- int (*create_transmit_sc)(void *priv, u32 channel, const u8 *sci_addr,
- u16 sci_port, unsigned int conf_offset);
+ int (*create_transmit_sc)(void *priv, struct transmit_sc *sc,
+ unsigned int conf_offset);
/**
* delete_transmit_sc - delete secure connection for transmit
* @priv: private driver interface data from init()
- * @channel: secure channel
+ * @sc: secure channel
* Returns: 0 on success, -1 on failure
*/
- int (*delete_transmit_sc)(void *priv, u32 channel);
+ int (*delete_transmit_sc)(void *priv, struct transmit_sc *sc);
/**
* create_transmit_sa - create secure association for transmit
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 2867c31..fef93df 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -750,14 +750,14 @@ static int macsec_qca_get_available_transmit_sc(void *priv, u32 *channel)
}
-static int macsec_qca_create_transmit_sc(void *priv, u32 channel,
- const u8 *sci_addr, u16 sci_port,
+static int macsec_qca_create_transmit_sc(void *priv, struct transmit_sc *sc,
unsigned int conf_offset)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
fal_tx_class_lut_t entry;
u8 psci[ETH_ALEN + 2];
+ u32 channel = sc->channel;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
@@ -768,9 +768,9 @@ static int macsec_qca_create_transmit_sc(void *priv, u32 channel,
entry.action = FAL_TX_CLASS_ACTION_FORWARD;
entry.channel = channel;
- os_memcpy(psci, sci_addr, ETH_ALEN);
- psci[6] = (sci_port >> 8) & 0xf;
- psci[7] = sci_port & 0xf;
+ os_memcpy(psci, sc->sci.addr, ETH_ALEN);
+ psci[6] = (sc->sci.port >> 8) & 0xf;
+ psci[7] = sc->sci.port & 0xf;
ret += nss_macsec_secy_tx_class_lut_set(drv->secy_id, channel, &entry);
ret += nss_macsec_secy_tx_sc_create(drv->secy_id, channel, psci, 8);
@@ -784,11 +784,12 @@ static int macsec_qca_create_transmit_sc(void *priv, u32 channel,
}
-static int macsec_qca_delete_transmit_sc(void *priv, u32 channel)
+static int macsec_qca_delete_transmit_sc(void *priv, struct transmit_sc *sc)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
fal_tx_class_lut_t entry;
+ u32 channel = sc->channel;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 8ee5860..8cd5fa6 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -155,10 +155,9 @@ struct ieee802_1x_kay_ctx {
int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*get_available_transmit_sc)(void *ctx, u32 *channel);
- int (*create_transmit_sc)(void *ctx, u32 channel,
- const struct ieee802_1x_mka_sci *sci,
+ int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
enum confidentiality_offset co);
- int (*delete_transmit_sc)(void *ctx, u32 channel);
+ int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index fb376df..669dc98 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -338,8 +338,7 @@ int secy_create_transmit_sc(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->create_transmit_sc(ops->ctx, txsc->channel, &txsc->sci,
- kay->co);
+ return ops->create_transmit_sc(ops->ctx, txsc, kay->co);
}
@@ -360,7 +359,7 @@ int secy_delete_transmit_sc(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->delete_transmit_sc(ops->ctx, txsc->channel);
+ return ops->delete_transmit_sc(ops->ctx, txsc);
}
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 666798b..2dc74bf 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -835,23 +835,21 @@ wpa_drv_get_available_transmit_sc(struct wpa_supplicant *wpa_s, u32 *channel)
}
static inline int
-wpa_drv_create_transmit_sc(struct wpa_supplicant *wpa_s, u32 channel,
- const u8 *sci_addr, u16 sci_port,
+wpa_drv_create_transmit_sc(struct wpa_supplicant *wpa_s, struct transmit_sc *sc,
unsigned int conf_offset)
{
if (!wpa_s->driver->create_transmit_sc)
return -1;
- return wpa_s->driver->create_transmit_sc(wpa_s->drv_priv, channel,
- sci_addr, sci_port,
+ return wpa_s->driver->create_transmit_sc(wpa_s->drv_priv, sc,
conf_offset);
}
static inline int wpa_drv_delete_transmit_sc(struct wpa_supplicant *wpa_s,
- u32 channel)
+ struct transmit_sc *sc)
{
if (!wpa_s->driver->delete_transmit_sc)
return -1;
- return wpa_s->driver->delete_transmit_sc(wpa_s->drv_priv, channel);
+ return wpa_s->driver->delete_transmit_sc(wpa_s->drv_priv, sc);
}
static inline int wpa_drv_create_transmit_sa(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 344c59e..e0f8e28 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -142,19 +142,16 @@ static int wpas_get_available_transmit_sc(void *wpa_s, u32 *channel)
static int
-wpas_create_transmit_sc(void *wpa_s, u32 channel,
- const struct ieee802_1x_mka_sci *sci,
+wpas_create_transmit_sc(void *wpa_s, struct transmit_sc *sc,
enum confidentiality_offset co)
{
- return wpa_drv_create_transmit_sc(wpa_s, channel, sci->addr,
- be_to_host16(sci->port),
- conf_offset_val(co));
+ return wpa_drv_create_transmit_sc(wpa_s, sc, conf_offset_val(co));
}
-static int wpas_delete_transmit_sc(void *wpa_s, u32 channel)
+static int wpas_delete_transmit_sc(void *wpa_s, struct transmit_sc *sc)
{
- return wpa_drv_delete_transmit_sc(wpa_s, channel);
+ return wpa_drv_delete_transmit_sc(wpa_s, sc);
}
--
2.7.4

200
macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch Normal file
View File

@ -0,0 +1,200 @@
From 5f5ca28414de7ae0b86d4c2aa09c3e67b697dd56 Mon Sep 17 00:00:00 2001
Message-Id: <5f5ca28414de7ae0b86d4c2aa09c3e67b697dd56.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 7 Oct 2016 12:08:10 +0200
Subject: [PATCH] mka: Pass full structures down to macsec drivers' receive SC
ops
Clean up the driver interface by passing pointers to struct receive_sc
down the stack to the {create,delete}_recevie_sc() ops, instead of
passing the individual properties of the SC.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 12 +++++-------
src/drivers/driver_macsec_qca.c | 9 ++++++---
src/pae/ieee802_1x_kay.h | 5 ++---
src/pae/ieee802_1x_secy_ops.c | 5 ++---
wpa_supplicant/driver_i.h | 12 +++++-------
wpa_supplicant/wpas_kay.c | 11 ++++-------
6 files changed, 24 insertions(+), 30 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 1e2d623..a57aa53 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3368,25 +3368,23 @@ struct wpa_driver_ops {
/**
* create_receive_sc - create secure channel for receiving
* @priv: Private driver interface data
- * @channel: secure channel
- * @sci_addr: secure channel identifier - address
- * @sci_port: secure channel identifier - port
+ * @sc: secure channel
* @conf_offset: confidentiality offset (0, 30, or 50)
* @validation: frame validation policy (0 = Disabled, 1 = Checked,
* 2 = Strict)
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*create_receive_sc)(void *priv, u32 channel, const u8 *sci_addr,
- u16 sci_port, unsigned int conf_offset,
+ int (*create_receive_sc)(void *priv, struct receive_sc *sc,
+ unsigned int conf_offset,
int validation);
/**
* delete_receive_sc - delete secure connection for receiving
* @priv: private driver interface data from init()
- * @channel: secure channel
+ * @sc: secure channel
* Returns: 0 on success, -1 on failure
*/
- int (*delete_receive_sc)(void *priv, u32 channel);
+ int (*delete_receive_sc)(void *priv, struct receive_sc *sc);
/**
* create_receive_sa - create secure association for receive
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index fef93df..385f7c5 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -601,8 +601,7 @@ static int macsec_qca_get_available_receive_sc(void *priv, u32 *channel)
}
-static int macsec_qca_create_receive_sc(void *priv, u32 channel,
- const u8 *sci_addr, u16 sci_port,
+static int macsec_qca_create_receive_sc(void *priv, struct receive_sc *sc,
unsigned int conf_offset,
int validation)
{
@@ -611,6 +610,9 @@ static int macsec_qca_create_receive_sc(void *priv, u32 channel,
fal_rx_prc_lut_t entry;
fal_rx_sc_validate_frame_e vf;
enum validate_frames validate_frames = validation;
+ u32 channel = sc->channel;
+ const u8 *sci_addr = sc->sci.addr;
+ u16 sci_port = be_to_host16(sc->sci.port);
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
@@ -649,11 +651,12 @@ static int macsec_qca_create_receive_sc(void *priv, u32 channel,
}
-static int macsec_qca_delete_receive_sc(void *priv, u32 channel)
+static int macsec_qca_delete_receive_sc(void *priv, struct receive_sc *sc)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
fal_rx_prc_lut_t entry;
+ u32 channel = sc->channel;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 8cd5fa6..144ee90 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -146,11 +146,10 @@ struct ieee802_1x_kay_ctx {
int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
int (*get_available_receive_sc)(void *ctx, u32 *channel);
- int (*create_receive_sc)(void *ctx, u32 channel,
- struct ieee802_1x_mka_sci *sci,
+ int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
enum validate_frames vf,
enum confidentiality_offset co);
- int (*delete_receive_sc)(void *ctx, u32 channel);
+ int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index 669dc98..b8fcf05 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -212,8 +212,7 @@ int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc)
return -1;
}
- return ops->create_receive_sc(ops->ctx, rxsc->channel, &rxsc->sci,
- kay->vf, kay->co);
+ return ops->create_receive_sc(ops->ctx, rxsc, kay->vf, kay->co);
}
@@ -233,7 +232,7 @@ int secy_delete_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc)
return -1;
}
- return ops->delete_receive_sc(ops->ctx, rxsc->channel);
+ return ops->delete_receive_sc(ops->ctx, rxsc);
}
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 2dc74bf..d47395c 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -782,23 +782,21 @@ static inline int wpa_drv_get_available_receive_sc(struct wpa_supplicant *wpa_s,
}
static inline int
-wpa_drv_create_receive_sc(struct wpa_supplicant *wpa_s, u32 channel,
- const u8 *sci_addr, u16 sci_port,
+wpa_drv_create_receive_sc(struct wpa_supplicant *wpa_s, struct receive_sc *sc,
unsigned int conf_offset, int validation)
{
if (!wpa_s->driver->create_receive_sc)
return -1;
- return wpa_s->driver->create_receive_sc(wpa_s->drv_priv, channel,
- sci_addr, sci_port, conf_offset,
- validation);
+ return wpa_s->driver->create_receive_sc(wpa_s->drv_priv, sc,
+ conf_offset, validation);
}
static inline int wpa_drv_delete_receive_sc(struct wpa_supplicant *wpa_s,
- u32 channel)
+ struct receive_sc *sc)
{
if (!wpa_s->driver->delete_receive_sc)
return -1;
- return wpa_s->driver->delete_receive_sc(wpa_s->drv_priv, channel);
+ return wpa_s->driver->delete_receive_sc(wpa_s->drv_priv, sc);
}
static inline int wpa_drv_create_receive_sa(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index e0f8e28..4163b61 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -100,20 +100,17 @@ static unsigned int conf_offset_val(enum confidentiality_offset co)
}
-static int wpas_create_receive_sc(void *wpa_s, u32 channel,
- struct ieee802_1x_mka_sci *sci,
+static int wpas_create_receive_sc(void *wpa_s, struct receive_sc *sc,
enum validate_frames vf,
enum confidentiality_offset co)
{
- return wpa_drv_create_receive_sc(wpa_s, channel, sci->addr,
- be_to_host16(sci->port),
- conf_offset_val(co), vf);
+ return wpa_drv_create_receive_sc(wpa_s, sc, conf_offset_val(co), vf);
}
-static int wpas_delete_receive_sc(void *wpa_s, u32 channel)
+static int wpas_delete_receive_sc(void *wpa_s, struct receive_sc *sc)
{
- return wpa_drv_delete_receive_sc(wpa_s, channel);
+ return wpa_drv_delete_receive_sc(wpa_s, sc);
}
--
2.7.4

219
macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch Normal file
View File

@ -0,0 +1,219 @@
From a25e4efc9e428d968e83398bd8c9c94698ba5851 Mon Sep 17 00:00:00 2001
Message-Id: <a25e4efc9e428d968e83398bd8c9c94698ba5851.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 7 Oct 2016 12:08:12 +0200
Subject: [PATCH] mka: Add driver op to get macsec capabilities
This also implements the macsec_get_capability for the macsec_qca
driver to maintain the existing behavior.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 8 ++++++++
src/drivers/driver_macsec_qca.c | 11 +++++++++++
src/pae/ieee802_1x_kay.c | 18 ++++++++++++++++--
src/pae/ieee802_1x_kay.h | 1 +
src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
src/pae/ieee802_1x_secy_ops.h | 1 +
wpa_supplicant/driver_i.h | 8 ++++++++
wpa_supplicant/wpas_kay.c | 7 +++++++
8 files changed, 72 insertions(+), 2 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index a57aa53..ea4a41f 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3298,6 +3298,14 @@ struct wpa_driver_ops {
int (*macsec_deinit)(void *priv);
/**
+ * macsec_get_capability - Inform MKA of this driver's capability
+ * @priv: Private driver interface data
+ * @cap: Driver's capability
+ * Returns: 0 on success, -1 on failure
+ */
+ int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
+
+ /**
* enable_protect_frames - Set protect frames status
* @priv: Private driver interface data
* @enabled: TRUE = protect frames enabled
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 385f7c5..041bcf5 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -458,6 +458,16 @@ static int macsec_qca_macsec_deinit(void *priv)
}
+static int macsec_qca_get_capability(void *priv, enum macsec_cap *cap)
+{
+ wpa_printf(MSG_DEBUG, "%s", __func__);
+
+ *cap = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
+
+ return 0;
+}
+
+
static int macsec_qca_enable_protect_frames(void *priv, Boolean enabled)
{
struct macsec_qca_data *drv = priv;
@@ -889,6 +899,7 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
.macsec_init = macsec_qca_macsec_init,
.macsec_deinit = macsec_qca_macsec_deinit,
+ .macsec_get_capability = macsec_qca_get_capability,
.enable_protect_frames = macsec_qca_enable_protect_frames,
.set_replay_protect = macsec_qca_set_replay_protect,
.set_current_cipher_suite = macsec_qca_set_current_cipher_suite,
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index a8e7efc..52eeeff 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3069,13 +3069,20 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
kay->macsec_replay_window = 0;
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
} else {
- kay->macsec_capable = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
+ if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
+ os_free(kay);
+ return NULL;
+ }
+
kay->macsec_desired = TRUE;
kay->macsec_protect = TRUE;
kay->macsec_validate = Strict;
kay->macsec_replay_protect = FALSE;
kay->macsec_replay_window = 0;
- kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+ if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
+ kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+ else
+ kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
}
wpa_printf(MSG_DEBUG, "KaY: state machine created");
@@ -3409,6 +3416,7 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
unsigned int cs_index)
{
struct ieee802_1x_mka_participant *participant;
+ enum macsec_cap secy_cap;
if (!kay)
return -1;
@@ -3427,6 +3435,12 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
kay->macsec_csindex = cs_index;
kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
+ if (secy_get_capability(kay, &secy_cap) < 0)
+ return -3;
+
+ if (kay->macsec_capable > secy_cap)
+ kay->macsec_capable = secy_cap;
+
participant = ieee802_1x_kay_get_principal_participant(kay);
if (participant) {
wpa_printf(MSG_INFO, "KaY: Cipher Suite changed");
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 144ee90..bf6fbe5 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -138,6 +138,7 @@ struct ieee802_1x_kay_ctx {
/* abstract wpa driver interface */
int (*macsec_init)(void *ctx, struct macsec_init_params *params);
int (*macsec_deinit)(void *ctx);
+ int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
int (*enable_protect_frames)(void *ctx, Boolean enabled);
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
int (*set_current_cipher_suite)(void *ctx, u64 cs);
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index b8fcf05..32ee816 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -113,6 +113,26 @@ int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean enabled)
}
+int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap)
+{
+ struct ieee802_1x_kay_ctx *ops;
+
+ if (!kay) {
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
+ return -1;
+ }
+
+ ops = kay->ctx;
+ if (!ops || !ops->macsec_get_capability) {
+ wpa_printf(MSG_ERROR,
+ "KaY: secy macsec_get_capability operation not supported");
+ return -1;
+ }
+
+ return ops->macsec_get_capability(ops->ctx, cap);
+}
+
+
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
struct receive_sa *rxsa)
{
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index 120ca3c..bfd5737 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -28,6 +28,7 @@ int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
/****** KaY -> SecY *******/
+int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap);
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
struct receive_sa *rxsa);
int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index d47395c..5d5dcf0 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -715,6 +715,14 @@ static inline int wpa_drv_macsec_deinit(struct wpa_supplicant *wpa_s)
return wpa_s->driver->macsec_deinit(wpa_s->drv_priv);
}
+static inline int wpa_drv_macsec_get_capability(struct wpa_supplicant *wpa_s,
+ enum macsec_cap *cap)
+{
+ if (!wpa_s->driver->macsec_get_capability)
+ return -1;
+ return wpa_s->driver->macsec_get_capability(wpa_s->drv_priv, cap);
+}
+
static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
Boolean enabled)
{
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 4163b61..29b7b56 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -38,6 +38,12 @@ static int wpas_macsec_deinit(void *priv)
}
+static int wpas_macsec_get_capability(void *priv, enum macsec_cap *cap)
+{
+ return wpa_drv_macsec_get_capability(priv, cap);
+}
+
+
static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
{
return wpa_drv_enable_protect_frames(wpa_s, enabled);
@@ -191,6 +197,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->macsec_init = wpas_macsec_init;
kay_ctx->macsec_deinit = wpas_macsec_deinit;
+ kay_ctx->macsec_get_capability = wpas_macsec_get_capability;
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
kay_ctx->set_replay_protect = wpas_set_replay_protect;
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
--
2.7.4

774
macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch Normal file
View File

@ -0,0 +1,774 @@
From 6f551abdfca16021e7cd9d4ac891e3eb27010a90 Mon Sep 17 00:00:00 2001
Message-Id: <6f551abdfca16021e7cd9d4ac891e3eb27010a90.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 21 Oct 2016 14:45:26 +0200
Subject: [PATCH] mka: Remove "channel" hacks from the stack and the macsec_qca
driver
This is specific to the macsec_qca driver. The core implementation
shouldn't care about this, and only deal with the complete secure
channel, and pass this down to the driver.
Drivers that have such limitations should take care of these in their
->create functions and throw an error.
Since the core MKA no longer saves the channel number, the macsec_qca
driver must be able to recover it. Add a map (which is just an array
since it's quite short) to match SCIs to channel numbers, and lookup
functions that will be called in every place where functions would get
the channel from the core code. Getting an available channel should be
part of channel creation, instead of being a preparation step.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 16 ----
src/drivers/driver_macsec_qca.c | 174 +++++++++++++++++++++++++++++++++-------
src/pae/ieee802_1x_kay.c | 41 +++-------
src/pae/ieee802_1x_kay.h | 7 --
src/pae/ieee802_1x_secy_ops.c | 40 ---------
src/pae/ieee802_1x_secy_ops.h | 2 -
wpa_supplicant/driver_i.h | 18 -----
wpa_supplicant/wpas_kay.c | 14 ----
8 files changed, 159 insertions(+), 153 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index aeb9694..54ae6b7 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3390,14 +3390,6 @@ struct wpa_driver_ops {
int (*set_transmit_next_pn)(void *priv, struct transmit_sa *sa);
/**
- * get_available_receive_sc - get available receive channel
- * @priv: Private driver interface data
- * @channel: secure channel
- * Returns: 0 on success, -1 on failure (or if not supported)
- */
- int (*get_available_receive_sc)(void *priv, u32 *channel);
-
- /**
* create_receive_sc - create secure channel for receiving
* @priv: Private driver interface data
* @sc: secure channel
@@ -3443,14 +3435,6 @@ struct wpa_driver_ops {
int (*disable_receive_sa)(void *priv, struct receive_sa *sa);
/**
- * get_available_transmit_sc - get available transmit channel
- * @priv: Private driver interface data
- * @channel: secure channel
- * Returns: 0 on success, -1 on failure (or if not supported)
- */
- int (*get_available_transmit_sc)(void *priv, u32 *channel);
-
- /**
* create_transmit_sc - create secure connection for transmit
* @priv: private driver interface data from init()
* @sc: secure channel
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 041bcf5..22d414c 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -56,6 +56,10 @@
static const u8 pae_group_addr[ETH_ALEN] =
{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
+struct channel_map {
+ struct ieee802_1x_mka_sci sci;
+};
+
struct macsec_qca_data {
char ifname[IFNAMSIZ + 1];
u32 secy_id;
@@ -72,6 +76,9 @@ struct macsec_qca_data {
Boolean protect_frames;
Boolean replay_protect;
u32 replay_window;
+
+ struct channel_map receive_channel_map[MAXSC];
+ struct channel_map transmit_channel_map[MAXSC];
};
@@ -526,6 +533,68 @@ static int macsec_qca_enable_controlled_port(void *priv, Boolean enabled)
}
+static int macsec_qca_lookup_channel(struct channel_map *map,
+ struct ieee802_1x_mka_sci *sci,
+ u32 *channel)
+{
+ u32 i;
+
+ for (i = 0; i < MAXSC; i++) {
+ if (os_memcmp(&map[i].sci, sci,
+ sizeof(struct ieee802_1x_mka_sci)) == 0) {
+ *channel = i;
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+
+static void macsec_qca_register_channel(struct channel_map *map,
+ struct ieee802_1x_mka_sci *sci,
+ u32 channel)
+{
+ os_memcpy(&map[channel].sci, sci, sizeof(struct ieee802_1x_mka_sci));
+}
+
+
+static int macsec_qca_lookup_receive_channel(struct macsec_qca_data *drv,
+ struct receive_sc *sc,
+ u32 *channel)
+{
+ return macsec_qca_lookup_channel(drv->receive_channel_map, &sc->sci,
+ channel);
+}
+
+
+static void macsec_qca_register_receive_channel(struct macsec_qca_data *drv,
+ struct receive_sc *sc,
+ u32 channel)
+{
+ macsec_qca_register_channel(drv->receive_channel_map, &sc->sci,
+ channel);
+}
+
+
+static int macsec_qca_lookup_transmit_channel(struct macsec_qca_data *drv,
+ struct transmit_sc *sc,
+ u32 *channel)
+{
+ return macsec_qca_lookup_channel(drv->transmit_channel_map, &sc->sci,
+ channel);
+}
+
+
+static void macsec_qca_register_transmit_channel(struct macsec_qca_data *drv,
+ struct transmit_sc *sc,
+ u32 channel)
+{
+ macsec_qca_register_channel(drv->transmit_channel_map, &sc->sci,
+ channel);
+}
+
+
static int macsec_qca_get_receive_lowest_pn(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
@@ -533,7 +602,11 @@ static int macsec_qca_get_receive_lowest_pn(void *priv, struct receive_sa *sa)
u32 next_pn = 0;
bool enabled = FALSE;
u32 win;
- u32 channel = sa->sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
ret += nss_macsec_secy_rx_sa_next_pn_get(drv->secy_id, channel, sa->an,
&next_pn);
@@ -557,7 +630,11 @@ static int macsec_qca_get_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
- u32 channel = sa->sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
ret += nss_macsec_secy_tx_sa_next_pn_get(drv->secy_id, channel, sa->an,
&sa->next_pn);
@@ -572,8 +649,11 @@ int macsec_qca_set_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
int ret = 0;
- u32 channel = sa->sc->channel;
+ u32 channel;
+ ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
sa->next_pn);
@@ -620,10 +700,14 @@ static int macsec_qca_create_receive_sc(void *priv, struct receive_sc *sc,
fal_rx_prc_lut_t entry;
fal_rx_sc_validate_frame_e vf;
enum validate_frames validate_frames = validation;
- u32 channel = sc->channel;
+ u32 channel;
const u8 *sci_addr = sc->sci.addr;
u16 sci_port = be_to_host16(sc->sci.port);
+ ret = macsec_qca_get_available_receive_sc(priv, &channel);
+ if (ret != 0)
+ return ret;
+
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
/* rx prc lut */
@@ -657,6 +741,8 @@ static int macsec_qca_create_receive_sc(void *priv, struct receive_sc *sc,
channel,
drv->replay_window);
+ macsec_qca_register_receive_channel(drv, sc, channel);
+
return ret;
}
@@ -664,9 +750,13 @@ static int macsec_qca_create_receive_sc(void *priv, struct receive_sc *sc,
static int macsec_qca_delete_receive_sc(void *priv, struct receive_sc *sc)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
+ int ret;
fal_rx_prc_lut_t entry;
- u32 channel = sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_receive_channel(priv, sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
@@ -683,10 +773,14 @@ static int macsec_qca_delete_receive_sc(void *priv, struct receive_sc *sc)
static int macsec_qca_create_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
+ int ret;
fal_rx_sak_t rx_sak;
int i = 0;
- u32 channel = sa->sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s, channel=%d, an=%d, lpn=0x%x",
__func__, channel, sa->an, sa->lowest_pn);
@@ -706,9 +800,12 @@ static int macsec_qca_create_receive_sa(void *priv, struct receive_sa *sa)
static int macsec_qca_enable_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
- u32 channel = sa->sc->channel;
+ int ret;
+ u32 channel;
+ ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
sa->an);
@@ -723,8 +820,12 @@ static int macsec_qca_enable_receive_sa(void *priv, struct receive_sa *sa)
static int macsec_qca_disable_receive_sa(void *priv, struct receive_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
- u32 channel = sa->sc->channel;
+ int ret;
+ u32 channel;
+
+ ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
sa->an);
@@ -739,14 +840,12 @@ static int macsec_qca_disable_receive_sa(void *priv, struct receive_sa *sa)
static int macsec_qca_get_available_transmit_sc(void *priv, u32 *channel)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
u32 sc_ch = 0;
bool in_use = FALSE;
for (sc_ch = 0; sc_ch < MAXSC; sc_ch++) {
- ret = nss_macsec_secy_tx_sc_in_used_get(drv->secy_id, sc_ch,
- &in_use);
- if (ret)
+ if (nss_macsec_secy_tx_sc_in_used_get(drv->secy_id, sc_ch,
+ &in_use))
continue;
if (!in_use) {
@@ -767,10 +866,14 @@ static int macsec_qca_create_transmit_sc(void *priv, struct transmit_sc *sc,
unsigned int conf_offset)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
+ int ret;
fal_tx_class_lut_t entry;
u8 psci[ETH_ALEN + 2];
- u32 channel = sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_get_available_transmit_sc(priv, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
@@ -793,6 +896,8 @@ static int macsec_qca_create_transmit_sc(void *priv, struct transmit_sc *sc,
channel,
conf_offset);
+ macsec_qca_register_transmit_channel(drv, sc, channel);
+
return ret;
}
@@ -800,9 +905,13 @@ static int macsec_qca_create_transmit_sc(void *priv, struct transmit_sc *sc,
static int macsec_qca_delete_transmit_sc(void *priv, struct transmit_sc *sc)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
+ int ret;
fal_tx_class_lut_t entry;
- u32 channel = sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_transmit_channel(priv, sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);
@@ -819,11 +928,15 @@ static int macsec_qca_delete_transmit_sc(void *priv, struct transmit_sc *sc)
static int macsec_qca_create_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
+ int ret;
u8 tci = 0;
fal_tx_sak_t tx_sak;
int i;
- u32 channel = sa->sc->channel;
+ u32 channel;
+
+ ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG,
"%s: channel=%d, an=%d, next_pn=0x%x, confidentiality=%d",
@@ -858,9 +971,12 @@ static int macsec_qca_create_transmit_sa(void *priv, struct transmit_sa *sa)
static int macsec_qca_enable_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
- u32 channel = sa->sc->channel;
+ int ret;
+ u32 channel;
+ ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
sa->an);
@@ -875,8 +991,12 @@ static int macsec_qca_enable_transmit_sa(void *priv, struct transmit_sa *sa)
static int macsec_qca_disable_transmit_sa(void *priv, struct transmit_sa *sa)
{
struct macsec_qca_data *drv = priv;
- int ret = 0;
- u32 channel = sa->sc->channel;
+ int ret;
+ u32 channel;
+
+ ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
+ if (ret != 0)
+ return ret;
wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
sa->an);
@@ -907,13 +1027,11 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
.get_receive_lowest_pn = macsec_qca_get_receive_lowest_pn,
.get_transmit_next_pn = macsec_qca_get_transmit_next_pn,
.set_transmit_next_pn = macsec_qca_set_transmit_next_pn,
- .get_available_receive_sc = macsec_qca_get_available_receive_sc,
.create_receive_sc = macsec_qca_create_receive_sc,
.delete_receive_sc = macsec_qca_delete_receive_sc,
.create_receive_sa = macsec_qca_create_receive_sa,
.enable_receive_sa = macsec_qca_enable_receive_sa,
.disable_receive_sa = macsec_qca_disable_receive_sa,
- .get_available_transmit_sc = macsec_qca_get_available_transmit_sc,
.create_transmit_sc = macsec_qca_create_transmit_sc,
.delete_transmit_sc = macsec_qca_delete_transmit_sc,
.create_transmit_sa = macsec_qca_create_transmit_sa,
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 52eeeff..38a8293 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -440,8 +440,8 @@ ieee802_1x_kay_init_receive_sa(struct receive_sc *psc, u8 an, u32 lowest_pn,
dl_list_add(&psc->sa_list, &psa->list);
wpa_printf(MSG_DEBUG,
- "KaY: Create receive SA(AN: %hhu lowest_pn: %u of SC(channel: %d)",
- an, lowest_pn, psc->channel);
+ "KaY: Create receive SA(AN: %hhu lowest_pn: %u of SC",
+ an, lowest_pn);
return psa;
}
@@ -465,8 +465,7 @@ static void ieee802_1x_kay_deinit_receive_sa(struct receive_sa *psa)
* ieee802_1x_kay_init_receive_sc -
*/
static struct receive_sc *
-ieee802_1x_kay_init_receive_sc(const struct ieee802_1x_mka_sci *psci,
- int channel)
+ieee802_1x_kay_init_receive_sc(const struct ieee802_1x_mka_sci *psci)
{
struct receive_sc *psc;
@@ -480,13 +479,12 @@ ieee802_1x_kay_init_receive_sc(const struct ieee802_1x_mka_sci *psci,
}
os_memcpy(&psc->sci, psci, sizeof(psc->sci));
- psc->channel = channel;
os_get_time(&psc->created_time);
psc->receiving = FALSE;
dl_list_init(&psc->sa_list);
- wpa_printf(MSG_DEBUG, "KaY: Create receive SC(channel: %d)", channel);
+ wpa_printf(MSG_DEBUG, "KaY: Create receive SC");
wpa_hexdump(MSG_DEBUG, "SCI: ", (u8 *)psci, sizeof(*psci));
return psc;
@@ -502,8 +500,7 @@ ieee802_1x_kay_deinit_receive_sc(
{
struct receive_sa *psa, *pre_sa;
- wpa_printf(MSG_DEBUG, "KaY: Delete receive SC(channel: %d)",
- psc->channel);
+ wpa_printf(MSG_DEBUG, "KaY: Delete receive SC");
dl_list_for_each_safe(psa, pre_sa, &psc->sa_list, struct receive_sa,
list) {
secy_disable_receive_sa(participant->kay, psa);
@@ -552,7 +549,6 @@ ieee802_1x_kay_create_live_peer(struct ieee802_1x_mka_participant *participant,
{
struct ieee802_1x_kay_peer *peer;
struct receive_sc *rxsc;
- u32 sc_ch = 0;
peer = ieee802_1x_kay_create_peer(mi, mn);
if (!peer)
@@ -561,9 +557,7 @@ ieee802_1x_kay_create_live_peer(struct ieee802_1x_mka_participant *participant,
os_memcpy(&peer->sci, &participant->current_peer_sci,
sizeof(peer->sci));
- secy_get_available_receive_sc(participant->kay, &sc_ch);
-
- rxsc = ieee802_1x_kay_init_receive_sc(&peer->sci, sc_ch);
+ rxsc = ieee802_1x_kay_init_receive_sc(&peer->sci);
if (!rxsc) {
os_free(peer);
return NULL;
@@ -611,12 +605,10 @@ ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
{
struct ieee802_1x_kay_peer *peer;
struct receive_sc *rxsc;
- u32 sc_ch = 0;
peer = ieee802_1x_kay_get_potential_peer(participant, mi);
- rxsc = ieee802_1x_kay_init_receive_sc(&participant->current_peer_sci,
- sc_ch);
+ rxsc = ieee802_1x_kay_init_receive_sc(&participant->current_peer_sci);
if (!rxsc)
return NULL;
@@ -631,8 +623,6 @@ ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
dl_list_del(&peer->list);
dl_list_add_tail(&participant->live_peers, &peer->list);
- secy_get_available_receive_sc(participant->kay, &sc_ch);
-
dl_list_add(&participant->rxsc_list, &rxsc->list);
secy_create_receive_sc(participant->kay, rxsc);
@@ -2438,8 +2428,8 @@ ieee802_1x_kay_init_transmit_sa(struct transmit_sc *psc, u8 an, u32 next_PN,
dl_list_add(&psc->sa_list, &psa->list);
wpa_printf(MSG_DEBUG,
- "KaY: Create transmit SA(an: %hhu, next_PN: %u) of SC(channel: %d)",
- an, next_PN, psc->channel);
+ "KaY: Create transmit SA(an: %hhu, next_PN: %u) of SC",
+ an, next_PN);
return psa;
}
@@ -2463,8 +2453,7 @@ static void ieee802_1x_kay_deinit_transmit_sa(struct transmit_sa *psa)
* init_transmit_sc -
*/
static struct transmit_sc *
-ieee802_1x_kay_init_transmit_sc(const struct ieee802_1x_mka_sci *sci,
- int channel)
+ieee802_1x_kay_init_transmit_sc(const struct ieee802_1x_mka_sci *sci)
{
struct transmit_sc *psc;
@@ -2474,7 +2463,6 @@ ieee802_1x_kay_init_transmit_sc(const struct ieee802_1x_mka_sci *sci,
return NULL;
}
os_memcpy(&psc->sci, sci, sizeof(psc->sci));
- psc->channel = channel;
os_get_time(&psc->created_time);
psc->transmitting = FALSE;
@@ -2482,7 +2470,7 @@ ieee802_1x_kay_init_transmit_sc(const struct ieee802_1x_mka_sci *sci,
psc->enciphering_sa = FALSE;
dl_list_init(&psc->sa_list);
- wpa_printf(MSG_DEBUG, "KaY: Create transmit SC(channel: %d)", channel);
+ wpa_printf(MSG_DEBUG, "KaY: Create transmit SC");
wpa_hexdump(MSG_DEBUG, "SCI: ", (u8 *)sci , sizeof(*sci));
return psc;
@@ -2498,8 +2486,7 @@ ieee802_1x_kay_deinit_transmit_sc(
{
struct transmit_sa *psa, *tmp;
- wpa_printf(MSG_DEBUG, "KaY: Delete transmit SC(channel: %d)",
- psc->channel);
+ wpa_printf(MSG_DEBUG, "KaY: Delete transmit SC");
dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa,
list) {
secy_disable_transmit_sa(participant->kay, psa);
@@ -3089,7 +3076,6 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
/* Initialize the SecY must be prio to CP, as CP will control SecY */
secy_init_macsec(kay);
- secy_get_available_transmit_sc(kay, &kay->sc_ch);
wpa_printf(MSG_DEBUG, "KaY: secy init macsec done");
@@ -3250,8 +3236,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn,
dl_list_init(&participant->sak_list);
participant->new_key = NULL;
dl_list_init(&participant->rxsc_list);
- participant->txsc = ieee802_1x_kay_init_transmit_sc(&kay->actor_sci,
- kay->sc_ch);
+ participant->txsc = ieee802_1x_kay_init_transmit_sc(&kay->actor_sci);
secy_cp_control_protect_frames(kay, kay->macsec_protect);
secy_cp_control_replay(kay, kay->macsec_replay_protect,
kay->macsec_replay_window);
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index bf6fbe5..c6fa387 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -80,8 +80,6 @@ struct transmit_sc {
u8 enciphering_sa; /* AN encipheringSA (read only) */
/* not defined data */
- unsigned int channel;
-
struct dl_list list;
struct dl_list sa_list;
};
@@ -109,8 +107,6 @@ struct receive_sc {
struct os_time created_time; /* Time createdTime */
- unsigned int channel;
-
struct dl_list list;
struct dl_list sa_list;
};
@@ -146,7 +142,6 @@ struct ieee802_1x_kay_ctx {
int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
- int (*get_available_receive_sc)(void *ctx, u32 *channel);
int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
enum validate_frames vf,
enum confidentiality_offset co);
@@ -154,7 +149,6 @@ struct ieee802_1x_kay_ctx {
int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
- int (*get_available_transmit_sc)(void *ctx, u32 *channel);
int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
enum confidentiality_offset co);
int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
@@ -209,7 +203,6 @@ struct ieee802_1x_kay {
u8 mka_version;
u8 algo_agility[4];
- u32 sc_ch;
u32 pn_exhaustion;
Boolean port_enable;
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index 32ee816..b57c670 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -196,26 +196,6 @@ int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay,
}
-int secy_get_available_receive_sc(struct ieee802_1x_kay *kay, u32 *channel)
-{
- struct ieee802_1x_kay_ctx *ops;
-
- if (!kay) {
- wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
- return -1;
- }
-
- ops = kay->ctx;
- if (!ops || !ops->get_available_receive_sc) {
- wpa_printf(MSG_ERROR,
- "KaY: secy get_available_receive_sc operation not supported");
- return -1;
- }
-
- return ops->get_available_receive_sc(ops->ctx, channel);
-}
-
-
int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc)
{
struct ieee802_1x_kay_ctx *ops;
@@ -320,26 +300,6 @@ int secy_disable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
}
-int secy_get_available_transmit_sc(struct ieee802_1x_kay *kay, u32 *channel)
-{
- struct ieee802_1x_kay_ctx *ops;
-
- if (!kay) {
- wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
- return -1;
- }
-
- ops = kay->ctx;
- if (!ops || !ops->get_available_transmit_sc) {
- wpa_printf(MSG_ERROR,
- "KaY: secy get_available_transmit_sc operation not supported");
- return -1;
- }
-
- return ops->get_available_transmit_sc(ops->ctx, channel);
-}
-
-
int secy_create_transmit_sc(struct ieee802_1x_kay *kay,
struct transmit_sc *txsc)
{
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index bfd5737..59f0baa 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -35,7 +35,6 @@ int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
struct transmit_sa *txsa);
int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay,
struct transmit_sa *txsa);
-int secy_get_available_receive_sc(struct ieee802_1x_kay *kay, u32 *channel);
int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc);
int secy_delete_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc);
int secy_create_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa);
@@ -43,7 +42,6 @@ int secy_enable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa);
int secy_disable_receive_sa(struct ieee802_1x_kay *kay,
struct receive_sa *rxsa);
-int secy_get_available_transmit_sc(struct ieee802_1x_kay *kay, u32 *channel);
int secy_create_transmit_sc(struct ieee802_1x_kay *kay,
struct transmit_sc *txsc);
int secy_delete_transmit_sc(struct ieee802_1x_kay *kay,
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index f8efddc..244e386 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -780,15 +780,6 @@ static inline int wpa_drv_set_transmit_next_pn(struct wpa_supplicant *wpa_s,
return wpa_s->driver->set_transmit_next_pn(wpa_s->drv_priv, sa);
}
-static inline int wpa_drv_get_available_receive_sc(struct wpa_supplicant *wpa_s,
- u32 *channel)
-{
- if (!wpa_s->driver->get_available_receive_sc)
- return -1;
- return wpa_s->driver->get_available_receive_sc(wpa_s->drv_priv,
- channel);
-}
-
static inline int
wpa_drv_create_receive_sc(struct wpa_supplicant *wpa_s, struct receive_sc *sc,
unsigned int conf_offset, int validation)
@@ -832,15 +823,6 @@ static inline int wpa_drv_disable_receive_sa(struct wpa_supplicant *wpa_s,
}
static inline int
-wpa_drv_get_available_transmit_sc(struct wpa_supplicant *wpa_s, u32 *channel)
-{
- if (!wpa_s->driver->get_available_transmit_sc)
- return -1;
- return wpa_s->driver->get_available_transmit_sc(wpa_s->drv_priv,
- channel);
-}
-
-static inline int
wpa_drv_create_transmit_sc(struct wpa_supplicant *wpa_s, struct transmit_sc *sc,
unsigned int conf_offset)
{
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 29b7b56..64364f7 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -86,12 +86,6 @@ static int wpas_set_transmit_next_pn(void *wpa_s, struct transmit_sa *sa)
}
-static int wpas_get_available_receive_sc(void *wpa_s, u32 *channel)
-{
- return wpa_drv_get_available_receive_sc(wpa_s, channel);
-}
-
-
static unsigned int conf_offset_val(enum confidentiality_offset co)
{
switch (co) {
@@ -138,12 +132,6 @@ static int wpas_disable_receive_sa(void *wpa_s, struct receive_sa *sa)
}
-static int wpas_get_available_transmit_sc(void *wpa_s, u32 *channel)
-{
- return wpa_drv_get_available_transmit_sc(wpa_s, channel);
-}
-
-
static int
wpas_create_transmit_sc(void *wpa_s, struct transmit_sc *sc,
enum confidentiality_offset co)
@@ -205,13 +193,11 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
kay_ctx->get_transmit_next_pn = wpas_get_transmit_next_pn;
kay_ctx->set_transmit_next_pn = wpas_set_transmit_next_pn;
- kay_ctx->get_available_receive_sc = wpas_get_available_receive_sc;
kay_ctx->create_receive_sc = wpas_create_receive_sc;
kay_ctx->delete_receive_sc = wpas_delete_receive_sc;
kay_ctx->create_receive_sa = wpas_create_receive_sa;
kay_ctx->enable_receive_sa = wpas_enable_receive_sa;
kay_ctx->disable_receive_sa = wpas_disable_receive_sa;
- kay_ctx->get_available_transmit_sc = wpas_get_available_transmit_sc;
kay_ctx->create_transmit_sc = wpas_create_transmit_sc;
kay_ctx->delete_transmit_sc = wpas_delete_transmit_sc;
kay_ctx->create_transmit_sa = wpas_create_transmit_sa;
--
2.7.4

180
macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch Normal file
View File

@ -0,0 +1,180 @@
From 6b6175b788c5f44ff40f61003cbdb315dfabe0a2 Mon Sep 17 00:00:00 2001
Message-Id: <6b6175b788c5f44ff40f61003cbdb315dfabe0a2.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 21 Oct 2016 14:45:27 +0200
Subject: [PATCH] mka: Sync structs definitions with IEEE Std 802.1X-2010
Document some data structures from IEEE Std 802.1X-2010, and add the
(not used yet) struct ieee802_1x_mka_dist_cak_body.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/pae/ieee802_1x_kay.h | 8 +++-
src/pae/ieee802_1x_kay_i.h | 97 +++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 103 insertions(+), 2 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index c6fa387..e2ba180 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -15,7 +15,7 @@
struct macsec_init_params;
-#define MI_LEN 12
+#define MI_LEN 12 /* 96-bit Member Identifier */
#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */
@@ -24,6 +24,12 @@ struct macsec_init_params;
#define MKA_LIFE_TIME 6000
#define MKA_SAK_RETIRE_TIME 3000
+/**
+ * struct ieee802_1x_mka_ki - Key Identifier (KI)
+ * @mi: Key Server's Member Identifier
+ * @kn: Key Number, assigned by the Key Server
+ * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
+ */
struct ieee802_1x_mka_ki {
u8 mi[MI_LEN];
u32 kn;
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
index e3d7db4..0c4bb8e 100644
--- a/src/pae/ieee802_1x_kay_i.h
+++ b/src/pae/ieee802_1x_kay_i.h
@@ -168,6 +168,22 @@ struct ieee802_1x_mka_hdr {
#define MKA_HDR_LEN sizeof(struct ieee802_1x_mka_hdr)
+/**
+ * struct ieee802_1x_mka_basic_body - Basic Parameter Set (Figure 11-8)
+ * @version: MKA Version Identifier
+ * @priority: Key Server Priority
+ * @length: Parameter set body length
+ * @macsec_capability: MACsec capability, as defined in ieee802_1x_defs.h
+ * @macsec_desired: the participant wants MACsec to be used to protect frames
+ * (9.6.1)
+ * @key_server: the participant has not decided that another participant is or
+ * will be the key server (9.5.1)
+ * @length1: Parameter set body length (cont)
+ * @actor_mi: Actor's Member Identifier
+ * @actor_mn: Actor's Message Number
+ * @algo_agility: Algorithm Agility parameter
+ * @ckn: CAK Name
+ */
struct ieee802_1x_mka_basic_body {
/* octet 1 */
u8 version;
@@ -197,6 +213,14 @@ struct ieee802_1x_mka_basic_body {
u8 ckn[0];
};
+/**
+ * struct ieee802_1x_mka_peer_body - Live Peer List and Potential Peer List
+ * parameter sets (Figure 11-9)
+ * @type: Parameter set type (1 or 2)
+ * @length: Parameter set body length
+ * @length1: Parameter set body length (cont)
+ * @peer: array of (MI, MN) pairs
+ */
struct ieee802_1x_mka_peer_body {
/* octet 1 */
u8 type;
@@ -217,6 +241,28 @@ struct ieee802_1x_mka_peer_body {
/* followed by Peers */
};
+/**
+ * struct ieee802_1x_mka_sak_use_body - MACsec SAK Use parameter set (Figure
+ * 11-10)
+ * @type: MKA message type
+ * @lan: latest key AN
+ * @ltx: latest key TX
+ * @lrx: latest key RX
+ * @oan: old key AN
+ * @otx: old key TX
+ * @orx: old key RX
+ * @ptx: plain TX, ie protectFrames is False
+ * @prx: plain RX, ie validateFrames is not Strict
+ * @delay_protect: True if LPNs are being reported sufficiently frequently to
+ * allow the recipient to provide data delay protection. If False, the LPN
+ * can be reported as zero.
+ * @lsrv_mi: latest key server MI
+ * @lkn: latest key number (together with MI, form the KI)
+ * @llpn: latest lowest acceptable PN (LPN)
+ * @osrv_mi: old key server MI
+ * @okn: old key number (together with MI, form the KI)
+ * @olpn: old lowest acceptable PN (LPN)
+ */
struct ieee802_1x_mka_sak_use_body {
/* octet 1 */
u8 type;
@@ -270,7 +316,21 @@ struct ieee802_1x_mka_sak_use_body {
be32 olpn;
};
-
+/**
+ * struct ieee802_1x_mka_dist_sak_body - Distributed SAK parameter set
+ * (GCM-AES-128, Figure 11-11)
+ * @type: Parameter set type (4)
+ * @length: Parameter set body length
+ * @length1: Parameter set body length (cont)
+ * Total parameter body length values:
+ * - 0 for plain text
+ * - 28 for GCM-AES-128
+ * - 36 or more for other cipher suites
+ * @confid_offset: confidentiality offset, as defined in ieee802_1x_defs.h
+ * @dan: distributed AN (0 for plain text)
+ * @kn: Key Number
+ * @sak: AES Key Wrap of SAK (see 9.8)
+ */
struct ieee802_1x_mka_dist_sak_body {
/* octet 1 */
u8 type;
@@ -303,6 +363,41 @@ struct ieee802_1x_mka_dist_sak_body {
u8 sak[0];
};
+/**
+ * struct ieee802_1x_mka_dist_cak_body - Distributed CAK parameter set (Figure
+ * 11-13)
+ * @type: Parameter set type (5)
+ * @length: Parameter set body length
+ * @length1: Parameter set body length (cont)
+ * Total parameter body length values:
+ * - 0 for plain text
+ * - 28 for GCM-AES-128
+ * - 36 or more for other cipher suites
+ * @cak: AES Key Wrap of CAK (see 9.8)
+ * @ckn: CAK Name
+ */
+struct ieee802_1x_mka_dist_cak_body {
+ /* octet 1 */
+ u8 type;
+ /* octet 2 */
+ u8 reserve;
+ /* octet 3 */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ u8 length:4;
+ u8 reserve1:4;
+#elif __BYTE_ORDER == __BIG_ENDIAN
+ u8 reserve1:4;
+ u8 length:4;
+#endif
+ /* octet 4 */
+ u8 length1;
+
+ /* octet 5 - 28 */
+ u8 cak[24];
+
+ /* followed by CAK Name, 29- */
+ u8 ckn[0];
+};
struct ieee802_1x_mka_icv_body {
/* octet 1 */
--
2.7.4

388
macsec-0010-mka-Add-support-for-removing-SAs.patch Normal file
View File

@ -0,0 +1,388 @@
From 23c3528a8461681b23c94ed441cd94c8d528bebe Mon Sep 17 00:00:00 2001
Message-Id: <23c3528a8461681b23c94ed441cd94c8d528bebe.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 21 Oct 2016 14:45:28 +0200
Subject: [PATCH] mka: Add support for removing SAs
So that the core can notify drivers that need to perform some operations
when an SA is deleted.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 16 +++++++++
src/pae/ieee802_1x_kay.c | 81 +++++++++++++++++++++++++++++++++----------
src/pae/ieee802_1x_kay.h | 2 ++
src/pae/ieee802_1x_secy_ops.c | 41 ++++++++++++++++++++++
src/pae/ieee802_1x_secy_ops.h | 3 ++
wpa_supplicant/driver_i.h | 16 +++++++++
wpa_supplicant/wpas_kay.c | 14 ++++++++
7 files changed, 154 insertions(+), 19 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 54ae6b7..9a6db90 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3419,6 +3419,14 @@ struct wpa_driver_ops {
int (*create_receive_sa)(void *priv, struct receive_sa *sa);
/**
+ * delete_receive_sa - Delete secure association for receive
+ * @priv: Private driver interface data from init()
+ * @sa: Secure association
+ * Returns: 0 on success, -1 on failure
+ */
+ int (*delete_receive_sa)(void *priv, struct receive_sa *sa);
+
+ /**
* enable_receive_sa - enable the SA for receive
* @priv: private driver interface data from init()
* @sa: secure association
@@ -3461,6 +3469,14 @@ struct wpa_driver_ops {
int (*create_transmit_sa)(void *priv, struct transmit_sa *sa);
/**
+ * delete_transmit_sa - Delete secure association for transmit
+ * @priv: Private driver interface data from init()
+ * @sa: Secure association
+ * Returns: 0 on success, -1 on failure
+ */
+ int (*delete_transmit_sa)(void *priv, struct transmit_sa *sa);
+
+ /**
* enable_transmit_sa - enable SA for transmit
* @priv: private driver interface data from init()
* @sa: secure association
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 38a8293..e312d04 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -491,6 +491,15 @@ ieee802_1x_kay_init_receive_sc(const struct ieee802_1x_mka_sci *psci)
}
+static void ieee802_1x_delete_receive_sa(struct ieee802_1x_kay *kay,
+ struct receive_sa *sa)
+{
+ secy_disable_receive_sa(kay, sa);
+ secy_delete_receive_sa(kay, sa);
+ ieee802_1x_kay_deinit_receive_sa(sa);
+}
+
+
/**
* ieee802_1x_kay_deinit_receive_sc -
**/
@@ -502,10 +511,9 @@ ieee802_1x_kay_deinit_receive_sc(
wpa_printf(MSG_DEBUG, "KaY: Delete receive SC");
dl_list_for_each_safe(psa, pre_sa, &psc->sa_list, struct receive_sa,
- list) {
- secy_disable_receive_sa(participant->kay, psa);
- ieee802_1x_kay_deinit_receive_sa(psa);
- }
+ list)
+ ieee802_1x_delete_receive_sa(participant->kay, psa);
+
dl_list_del(&psc->list);
os_free(psc);
}
@@ -2270,6 +2278,16 @@ ieee802_1x_participant_send_mkpdu(
static void ieee802_1x_kay_deinit_transmit_sa(struct transmit_sa *psa);
+
+static void ieee802_1x_delete_transmit_sa(struct ieee802_1x_kay *kay,
+ struct transmit_sa *sa)
+{
+ secy_disable_transmit_sa(kay, sa);
+ secy_delete_transmit_sa(kay, sa);
+ ieee802_1x_kay_deinit_transmit_sa(sa);
+}
+
+
/**
* ieee802_1x_participant_timer -
*/
@@ -2344,8 +2362,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
dl_list_for_each_safe(txsa, pre_txsa,
&participant->txsc->sa_list,
struct transmit_sa, list) {
- secy_disable_transmit_sa(kay, txsa);
- ieee802_1x_kay_deinit_transmit_sa(txsa);
+ ieee802_1x_delete_transmit_sa(kay, txsa);
}
ieee802_1x_cp_connect_authenticated(kay->cp);
@@ -2487,11 +2504,8 @@ ieee802_1x_kay_deinit_transmit_sc(
struct transmit_sa *psa, *tmp;
wpa_printf(MSG_DEBUG, "KaY: Delete transmit SC");
- dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa,
- list) {
- secy_disable_transmit_sa(participant->kay, psa);
- ieee802_1x_kay_deinit_transmit_sa(psa);
- }
+ dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
+ ieee802_1x_delete_transmit_sa(participant->kay, psa);
os_free(psc);
}
@@ -2569,6 +2583,32 @@ int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
}
+static struct transmit_sa * lookup_txsa_by_an(struct transmit_sc *txsc, u8 an)
+{
+ struct transmit_sa *txsa;
+
+ dl_list_for_each(txsa, &txsc->sa_list, struct transmit_sa, list) {
+ if (txsa->an == an)
+ return txsa;
+ }
+
+ return NULL;
+}
+
+
+static struct receive_sa * lookup_rxsa_by_an(struct receive_sc *rxsc, u8 an)
+{
+ struct receive_sa *rxsa;
+
+ dl_list_for_each(rxsa, &rxsc->sa_list, struct receive_sa, list) {
+ if (rxsa->an == an)
+ return rxsa;
+ }
+
+ return NULL;
+}
+
+
/**
* ieee802_1x_kay_create_sas -
*/
@@ -2603,6 +2643,9 @@ int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
}
dl_list_for_each(rxsc, &principal->rxsc_list, struct receive_sc, list) {
+ while ((rxsa = lookup_rxsa_by_an(rxsc, latest_sak->an)) != NULL)
+ ieee802_1x_delete_receive_sa(kay, rxsa);
+
rxsa = ieee802_1x_kay_init_receive_sa(rxsc, latest_sak->an, 1,
latest_sak);
if (!rxsa)
@@ -2611,6 +2654,10 @@ int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
secy_create_receive_sa(kay, rxsa);
}
+ while ((txsa = lookup_txsa_by_an(principal->txsc, latest_sak->an)) !=
+ NULL)
+ ieee802_1x_delete_transmit_sa(kay, txsa);
+
txsa = ieee802_1x_kay_init_transmit_sa(principal->txsc, latest_sak->an,
1, latest_sak);
if (!txsa)
@@ -2644,20 +2691,16 @@ int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
/* remove the transmit sa */
dl_list_for_each_safe(txsa, pre_txsa, &principal->txsc->sa_list,
struct transmit_sa, list) {
- if (is_ki_equal(&txsa->pkey->key_identifier, ki)) {
- secy_disable_transmit_sa(kay, txsa);
- ieee802_1x_kay_deinit_transmit_sa(txsa);
- }
+ if (is_ki_equal(&txsa->pkey->key_identifier, ki))
+ ieee802_1x_delete_transmit_sa(kay, txsa);
}
/* remove the receive sa */
dl_list_for_each(rxsc, &principal->rxsc_list, struct receive_sc, list) {
dl_list_for_each_safe(rxsa, pre_rxsa, &rxsc->sa_list,
struct receive_sa, list) {
- if (is_ki_equal(&rxsa->pkey->key_identifier, ki)) {
- secy_disable_receive_sa(kay, rxsa);
- ieee802_1x_kay_deinit_receive_sa(rxsa);
- }
+ if (is_ki_equal(&rxsa->pkey->key_identifier, ki))
+ ieee802_1x_delete_receive_sa(kay, rxsa);
}
}
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index e2ba180..5233cb2 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -153,12 +153,14 @@ struct ieee802_1x_kay_ctx {
enum confidentiality_offset co);
int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
+ int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
enum confidentiality_offset co);
int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
};
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index b57c670..b1a9d22 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -256,6 +256,26 @@ int secy_create_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
}
+int secy_delete_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
+{
+ struct ieee802_1x_kay_ctx *ops;
+
+ if (!kay || !rxsa) {
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
+ return -1;
+ }
+
+ ops = kay->ctx;
+ if (!ops || !ops->delete_receive_sa) {
+ wpa_printf(MSG_ERROR,
+ "KaY: secy delete_receive_sa operation not supported");
+ return -1;
+ }
+
+ return ops->delete_receive_sa(ops->ctx, rxsa);
+}
+
+
int secy_enable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa)
{
struct ieee802_1x_kay_ctx *ops;
@@ -363,6 +383,27 @@ int secy_create_transmit_sa(struct ieee802_1x_kay *kay,
}
+int secy_delete_transmit_sa(struct ieee802_1x_kay *kay,
+ struct transmit_sa *txsa)
+{
+ struct ieee802_1x_kay_ctx *ops;
+
+ if (!kay || !txsa) {
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
+ return -1;
+ }
+
+ ops = kay->ctx;
+ if (!ops || !ops->delete_transmit_sa) {
+ wpa_printf(MSG_ERROR,
+ "KaY: secy delete_transmit_sa operation not supported");
+ return -1;
+ }
+
+ return ops->delete_transmit_sa(ops->ctx, txsa);
+}
+
+
int secy_enable_transmit_sa(struct ieee802_1x_kay *kay,
struct transmit_sa *txsa)
{
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index 59f0baa..477120b 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -38,6 +38,7 @@ int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay,
int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc);
int secy_delete_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc);
int secy_create_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa);
+int secy_delete_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa);
int secy_enable_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa);
int secy_disable_receive_sa(struct ieee802_1x_kay *kay,
struct receive_sa *rxsa);
@@ -48,6 +49,8 @@ int secy_delete_transmit_sc(struct ieee802_1x_kay *kay,
struct transmit_sc *txsc);
int secy_create_transmit_sa(struct ieee802_1x_kay *kay,
struct transmit_sa *txsa);
+int secy_delete_transmit_sa(struct ieee802_1x_kay *kay,
+ struct transmit_sa *txsa);
int secy_enable_transmit_sa(struct ieee802_1x_kay *kay,
struct transmit_sa *txsa);
int secy_disable_transmit_sa(struct ieee802_1x_kay *kay,
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 244e386..c9bb20d 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -806,6 +806,14 @@ static inline int wpa_drv_create_receive_sa(struct wpa_supplicant *wpa_s,
return wpa_s->driver->create_receive_sa(wpa_s->drv_priv, sa);
}
+static inline int wpa_drv_delete_receive_sa(struct wpa_supplicant *wpa_s,
+ struct receive_sa *sa)
+{
+ if (!wpa_s->driver->delete_receive_sa)
+ return -1;
+ return wpa_s->driver->delete_receive_sa(wpa_s->drv_priv, sa);
+}
+
static inline int wpa_drv_enable_receive_sa(struct wpa_supplicant *wpa_s,
struct receive_sa *sa)
{
@@ -848,6 +856,14 @@ static inline int wpa_drv_create_transmit_sa(struct wpa_supplicant *wpa_s,
return wpa_s->driver->create_transmit_sa(wpa_s->drv_priv, sa);
}
+static inline int wpa_drv_delete_transmit_sa(struct wpa_supplicant *wpa_s,
+ struct transmit_sa *sa)
+{
+ if (!wpa_s->driver->delete_transmit_sa)
+ return -1;
+ return wpa_s->driver->delete_transmit_sa(wpa_s->drv_priv, sa);
+}
+
static inline int wpa_drv_enable_transmit_sa(struct wpa_supplicant *wpa_s,
struct transmit_sa *sa)
{
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 64364f7..e032330 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -120,6 +120,12 @@ static int wpas_create_receive_sa(void *wpa_s, struct receive_sa *sa)
}
+static int wpas_delete_receive_sa(void *wpa_s, struct receive_sa *sa)
+{
+ return wpa_drv_delete_receive_sa(wpa_s, sa);
+}
+
+
static int wpas_enable_receive_sa(void *wpa_s, struct receive_sa *sa)
{
return wpa_drv_enable_receive_sa(wpa_s, sa);
@@ -152,6 +158,12 @@ static int wpas_create_transmit_sa(void *wpa_s, struct transmit_sa *sa)
}
+static int wpas_delete_transmit_sa(void *wpa_s, struct transmit_sa *sa)
+{
+ return wpa_drv_delete_transmit_sa(wpa_s, sa);
+}
+
+
static int wpas_enable_transmit_sa(void *wpa_s, struct transmit_sa *sa)
{
return wpa_drv_enable_transmit_sa(wpa_s, sa);
@@ -196,11 +208,13 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->create_receive_sc = wpas_create_receive_sc;
kay_ctx->delete_receive_sc = wpas_delete_receive_sc;
kay_ctx->create_receive_sa = wpas_create_receive_sa;
+ kay_ctx->delete_receive_sa = wpas_delete_receive_sa;
kay_ctx->enable_receive_sa = wpas_enable_receive_sa;
kay_ctx->disable_receive_sa = wpas_disable_receive_sa;
kay_ctx->create_transmit_sc = wpas_create_transmit_sc;
kay_ctx->delete_transmit_sc = wpas_delete_transmit_sc;
kay_ctx->create_transmit_sa = wpas_create_transmit_sa;
+ kay_ctx->delete_transmit_sa = wpas_delete_transmit_sa;
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
--
2.7.4

149
macsec-0011-mka-Implement-reference-counting-on-data_key.patch Normal file
View File

@ -0,0 +1,149 @@
From 99b82bf53792d48b5d0c3f9edcccc6e53c9510fe Mon Sep 17 00:00:00 2001
Message-Id: <99b82bf53792d48b5d0c3f9edcccc6e53c9510fe.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Fri, 21 Oct 2016 14:45:29 +0200
Subject: [PATCH] mka: Implement reference counting on data_key
struct data_key already had a 'user' field for reference counting, but
it was basically unused.
Add an ieee802_1x_kay_use_data_key() function to take a reference on a
key, and use ieee802_1x_kay_deinit_data_key() to release the reference.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/pae/ieee802_1x_kay.c | 28 ++++++++++++++++++++++++----
src/pae/ieee802_1x_kay.h | 2 +-
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index e312d04..63bbd13 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -411,6 +411,8 @@ ieee802_1x_kay_get_peer_sci(struct ieee802_1x_mka_participant *participant,
}
+static void ieee802_1x_kay_use_data_key(struct data_key *pkey);
+
/**
* ieee802_1x_kay_init_receive_sa -
*/
@@ -429,6 +431,7 @@ ieee802_1x_kay_init_receive_sa(struct receive_sc *psc, u8 an, u32 lowest_pn,
return NULL;
}
+ ieee802_1x_kay_use_data_key(key);
psa->pkey = key;
psa->lowest_pn = lowest_pn;
psa->next_pn = lowest_pn;
@@ -447,11 +450,14 @@ ieee802_1x_kay_init_receive_sa(struct receive_sc *psc, u8 an, u32 lowest_pn,
}
+static void ieee802_1x_kay_deinit_data_key(struct data_key *pkey);
+
/**
* ieee802_1x_kay_deinit_receive_sa -
*/
static void ieee802_1x_kay_deinit_receive_sa(struct receive_sa *psa)
{
+ ieee802_1x_kay_deinit_data_key(psa->pkey);
psa->pkey = NULL;
wpa_printf(MSG_DEBUG,
"KaY: Delete receive SA(an: %hhu) of SC",
@@ -1612,6 +1618,7 @@ ieee802_1x_mka_decode_dist_sak_body(
sa_key->an = body->dan;
ieee802_1x_kay_init_data_key(sa_key);
+ ieee802_1x_kay_use_data_key(sa_key);
dl_list_add(&participant->sak_list, &sa_key->list);
ieee802_1x_cp_set_ciphersuite(kay->cp, cs->id);
@@ -1873,7 +1880,17 @@ static struct mka_param_body_handler mka_body_handler[] = {
/**
- * ieee802_1x_kay_deinit_data_key -
+ * ieee802_1x_kay_use_data_key - Take reference on a key
+ */
+static void ieee802_1x_kay_use_data_key(struct data_key *pkey)
+{
+ pkey->user++;
+}
+
+
+/**
+ * ieee802_1x_kay_deinit_data_key - Release reference on a key and
+ * free if there are no remaining users
*/
static void ieee802_1x_kay_deinit_data_key(struct data_key *pkey)
{
@@ -1884,7 +1901,6 @@ static void ieee802_1x_kay_deinit_data_key(struct data_key *pkey)
if (pkey->user > 1)
return;
- dl_list_del(&pkey->list);
os_free(pkey->key);
os_free(pkey);
}
@@ -1994,7 +2010,9 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
participant->new_key = sa_key;
+ ieee802_1x_kay_use_data_key(sa_key);
dl_list_add(&participant->sak_list, &sa_key->list);
+
ieee802_1x_cp_set_ciphersuite(kay->cp, cs->id);
ieee802_1x_cp_sm_step(kay->cp);
ieee802_1x_cp_set_offset(kay->cp, kay->macsec_confidentiality);
@@ -2436,6 +2454,7 @@ ieee802_1x_kay_init_transmit_sa(struct transmit_sc *psc, u8 an, u32 next_PN,
psa->confidentiality = FALSE;
psa->an = an;
+ ieee802_1x_kay_use_data_key(key);
psa->pkey = key;
psa->next_pn = next_PN;
psa->sc = psc;
@@ -2457,6 +2476,7 @@ ieee802_1x_kay_init_transmit_sa(struct transmit_sc *psc, u8 an, u32 next_PN,
*/
static void ieee802_1x_kay_deinit_transmit_sa(struct transmit_sa *psa)
{
+ ieee802_1x_kay_deinit_data_key(psa->pkey);
psa->pkey = NULL;
wpa_printf(MSG_DEBUG,
"KaY: Delete transmit SA(an: %hhu) of SC",
@@ -2708,6 +2728,7 @@ int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
dl_list_for_each_safe(sa_key, pre_key, &principal->sak_list,
struct data_key, list) {
if (is_ki_equal(&sa_key->key_identifier, ki)) {
+ dl_list_del(&sa_key->list);
ieee802_1x_kay_deinit_data_key(sa_key);
break;
}
@@ -3375,8 +3396,7 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
sak = dl_list_entry(participant->sak_list.next,
struct data_key, list);
dl_list_del(&sak->list);
- os_free(sak->key);
- os_free(sak);
+ ieee802_1x_kay_deinit_data_key(sak);
}
while (!dl_list_empty(&participant->rxsc_list)) {
rxsc = dl_list_entry(participant->rxsc_list.next,
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 5233cb2..576a8a0 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -70,7 +70,7 @@ struct data_key {
Boolean rx_latest;
Boolean tx_latest;
- int user; /* FIXME: to indicate if it can be delete safely */
+ int user;
struct dl_list list;
};
--
2.7.4

66
macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch Normal file
View File

@ -0,0 +1,66 @@
From 088d53dd15b14a1868b70fd0b8d695ac6b68f642 Mon Sep 17 00:00:00 2001
Message-Id: <088d53dd15b14a1868b70fd0b8d695ac6b68f642.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 15 Nov 2016 18:06:23 +0100
Subject: [PATCH] mka: Fix getting capabilities from the driver
In commit a25e4efc9e428d968e83398bd8c9c94698ba5851 ('mka: Add driver op
to get macsec capabilities') I added some code to check the driver's
capabilities. This commit has two problems:
- wrong enum type set in kay->macsec_confidentiality
- ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
which case the MKA would claim that MACsec is supported.
Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
DO_NOT_SECURE policy, and set the correct value in
kay->macsec_confidentiality.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/pae/ieee802_1x_kay.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 63bbd13..2841b10 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3111,7 +3111,14 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
dl_list_init(&kay->participant_list);
- if (policy == DO_NOT_SECURE) {
+ if (policy != DO_NOT_SECURE &&
+ secy_get_capability(kay, &kay->macsec_capable) < 0) {
+ os_free(kay);
+ return NULL;
+ }
+
+ if (policy == DO_NOT_SECURE ||
+ kay->macsec_capable == MACSEC_CAP_NOT_IMPLEMENTED) {
kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
kay->macsec_desired = FALSE;
kay->macsec_protect = FALSE;
@@ -3120,11 +3127,6 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
kay->macsec_replay_window = 0;
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
} else {
- if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
- os_free(kay);
- return NULL;
- }
-
kay->macsec_desired = TRUE;
kay->macsec_protect = TRUE;
kay->macsec_validate = Strict;
@@ -3133,7 +3135,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
else
- kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
+ kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
}
wpa_printf(MSG_DEBUG, "KaY: state machine created");
--
2.7.4

317
macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch Normal file
View File

@ -0,0 +1,317 @@
From ad51731abf06efb284d020578eb34e7b1daeb23e Mon Sep 17 00:00:00 2001
Message-Id: <ad51731abf06efb284d020578eb34e7b1daeb23e.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:35 +0100
Subject: [PATCH] wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA
This enables configuring key_mgmt=NONE + mka_ckn + mka_cak.
This allows wpa_supplicant to work in a peer-to-peer mode, where peers
are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers
can act as key server to distribute keys for the MACsec instances.
This is what some MACsec switches support, and even without HW
support, it's a convenient way to setup a network.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
wpa_supplicant/config.c | 65 ++++++++++++++++++++++++++++++++++++++
wpa_supplicant/config_file.c | 36 +++++++++++++++++++++
wpa_supplicant/config_ssid.h | 20 ++++++++++++
wpa_supplicant/wpa_supplicant.c | 7 +++-
wpa_supplicant/wpa_supplicant.conf | 8 +++++
wpa_supplicant/wpas_kay.c | 48 ++++++++++++++++++++++++++++
wpa_supplicant/wpas_kay.h | 10 ++++++
7 files changed, 193 insertions(+), 1 deletion(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index a0b64b2..9011389 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1828,6 +1828,69 @@ static char * wpa_config_write_mesh_basic_rates(const struct parse_data *data,
#endif /* CONFIG_MESH */
+#ifdef CONFIG_MACSEC
+
+static int wpa_config_parse_mka_cak(const struct parse_data *data,
+ struct wpa_ssid *ssid, int line,
+ const char *value)
+{
+ if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) ||
+ value[MACSEC_CAK_LEN * 2] != '\0') {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
+ line, value);
+ return -1;
+ }
+
+ ssid->mka_psk_set |= MKA_PSK_SET_CAK;
+
+ wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN);
+ return 0;
+}
+
+
+static int wpa_config_parse_mka_ckn(const struct parse_data *data,
+ struct wpa_ssid *ssid, int line,
+ const char *value)
+{
+ if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) ||
+ value[MACSEC_CKN_LEN * 2] != '\0') {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+ line, value);
+ return -1;
+ }
+
+ ssid->mka_psk_set |= MKA_PSK_SET_CKN;
+
+ wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN);
+ return 0;
+}
+
+
+#ifndef NO_CONFIG_WRITE
+
+static char * wpa_config_write_mka_cak(const struct parse_data *data,
+ struct wpa_ssid *ssid)
+{
+ if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
+ return NULL;
+
+ return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN);
+}
+
+
+static char * wpa_config_write_mka_ckn(const struct parse_data *data,
+ struct wpa_ssid *ssid)
+{
+ if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
+ return NULL;
+ return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN);
+}
+
+#endif /* NO_CONFIG_WRITE */
+
+#endif /* CONFIG_MACSEC */
+
+
/* Helper macros for network block parser */
#ifdef OFFSET
@@ -2062,6 +2125,8 @@ static const struct parse_data ssid_fields[] = {
{ INT(beacon_int) },
#ifdef CONFIG_MACSEC
{ INT_RANGE(macsec_policy, 0, 1) },
+ { FUNC_KEY(mka_cak) },
+ { FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
{ INT(update_identifier) },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 7ae1654..172508e 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -662,6 +662,40 @@ static void write_psk_list(FILE *f, struct wpa_ssid *ssid)
#endif /* CONFIG_P2P */
+#ifdef CONFIG_MACSEC
+
+static void write_mka_cak(FILE *f, struct wpa_ssid *ssid)
+{
+ char *value;
+
+ if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
+ return;
+
+ value = wpa_config_get(ssid, "mka_cak");
+ if (!value)
+ return;
+ fprintf(f, "\tmka_cak=%s\n", value);
+ os_free(value);
+}
+
+
+static void write_mka_ckn(FILE *f, struct wpa_ssid *ssid)
+{
+ char *value;
+
+ if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
+ return;
+
+ value = wpa_config_get(ssid, "mka_ckn");
+ if (!value)
+ return;
+ fprintf(f, "\tmka_ckn=%s\n", value);
+ os_free(value);
+}
+
+#endif /* CONFIG_MACSEC */
+
+
static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
{
int i;
@@ -772,6 +806,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(beacon_int);
#ifdef CONFIG_MACSEC
INT(macsec_policy);
+ write_mka_cak(f, ssid);
+ write_mka_ckn(f, ssid);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 010b594..a530cda 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -728,6 +728,26 @@ struct wpa_ssid {
* determine whether to use a secure session or not.
*/
int macsec_policy;
+
+ /**
+ * mka_ckn - MKA pre-shared CKN
+ */
+#define MACSEC_CKN_LEN 32
+ u8 mka_ckn[MACSEC_CKN_LEN];
+
+ /**
+ * mka_cak - MKA pre-shared CAK
+ */
+#define MACSEC_CAK_LEN 16
+ u8 mka_cak[MACSEC_CAK_LEN];
+
+#define MKA_PSK_SET_CKN BIT(0)
+#define MKA_PSK_SET_CAK BIT(1)
+#define MKA_PSK_SET (MKA_PSK_SET_CKN | MKA_PSK_SET_CAK)
+ /**
+ * mka_psk_set - Whether mka_ckn and mka_cak are set
+ */
+ u8 mka_psk_set;
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 5d6326a..0bfc39d 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -329,7 +329,12 @@ void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
- ieee802_1x_alloc_kay_sm(wpa_s, ssid);
+#ifdef CONFIG_MACSEC
+ if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE && ssid->mka_psk_set)
+ ieee802_1x_create_preshared_mka(wpa_s, ssid);
+ else
+ ieee802_1x_alloc_kay_sm(wpa_s, ssid);
+#endif /* CONFIG_MACSEC */
#endif /* IEEE8021X_EAPOL */
}
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 047ca90..8fa740b 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -892,6 +892,14 @@ fast_reauth=1
# 1: MACsec enabled - Should secure, accept key server's advice to
# determine whether to use a secure session or not.
#
+# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
+# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
+# In this mode, instances of wpa_supplicant can act as peers, one of
+# which will become the key server and start distributing SAKs.
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
+# hex-string (32 hex-digits)
+# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
+#
# mixed_cell: This option can be used to configure whether so called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
# SSID, are allowed when selecting a BSS from scan results.
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index e032330..80b98d9 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -371,3 +371,51 @@ fail:
return res;
}
+
+
+void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
+ struct wpa_ssid *ssid)
+{
+ struct mka_key *cak;
+ struct mka_key_name *ckn;
+ void *res;
+
+ if ((ssid->mka_psk_set & MKA_PSK_SET) != MKA_PSK_SET)
+ return NULL;
+
+ if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0)
+ return NULL;
+
+ if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
+ return NULL;
+
+ ckn = os_zalloc(sizeof(*ckn));
+ if (!ckn)
+ goto dealloc;
+
+ cak = os_zalloc(sizeof(*cak));
+ if (!cak)
+ goto free_ckn;
+
+ cak->len = MACSEC_CAK_LEN;
+ os_memcpy(cak->key, ssid->mka_cak, cak->len);
+
+ ckn->len = MACSEC_CKN_LEN;
+ os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
+
+ res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
+ if (res)
+ return res;
+
+ /* Failed to create MKA */
+ os_free(cak);
+
+ /* fallthrough */
+
+free_ckn:
+ os_free(ckn);
+dealloc:
+ ieee802_1x_dealloc_kay_sm(wpa_s);
+
+ return NULL;
+}
diff --git a/wpa_supplicant/wpas_kay.h b/wpa_supplicant/wpas_kay.h
index b7236d0..81f8e0c 100644
--- a/wpa_supplicant/wpas_kay.h
+++ b/wpa_supplicant/wpas_kay.h
@@ -17,6 +17,9 @@ void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
const u8 *peer_addr);
void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s);
+void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
+ struct wpa_ssid *ssid);
+
#else /* CONFIG_MACSEC */
static inline int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s,
@@ -36,6 +39,13 @@ static inline void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
{
}
+static inline void *
+ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
+ struct wpa_ssid *ssid)
+{
+ return 0;
+}
+
#endif /* CONFIG_MACSEC */
#endif /* WPAS_KAY_H */
--
2.7.4

42
macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch Normal file
View File

@ -0,0 +1,42 @@
From 008e224dbb518f44aac46b0c8e55448bd907e43d Mon Sep 17 00:00:00 2001
Message-Id: <008e224dbb518f44aac46b0c8e55448bd907e43d.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:36 +0100
Subject: [PATCH] mka: Disable peer detection timeout for PSK mode
The first peer may take a long time to come up. In PSK mode we are
basically in a p2p system, and we cannot know when a peer will join the
key exchange. Wait indefinitely, and let the administrator decide if
they want to abort.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/pae/ieee802_1x_kay.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 2841b10..19b2c2f 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3339,8 +3339,16 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn,
usecs = os_random() % (MKA_HELLO_TIME * 1000);
eloop_register_timeout(0, usecs, ieee802_1x_participant_timer,
participant, NULL);
- participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
- usecs / 1000000;
+
+ /* Disable MKA lifetime for PSK mode.
+ * The peer(s) can take a long time to come up, because we
+ * create a "standby" MKA, and we need it to remain live until
+ * some peer appears.
+ */
+ if (mode != PSK) {
+ participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
+ usecs / 1000000;
+ }
return participant;
--
2.7.4

165
macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch Normal file
View File

@ -0,0 +1,165 @@
From 7b4d546e3dae57a39e50a91e47b8fcf3447b4978 Mon Sep 17 00:00:00 2001
Message-Id: <7b4d546e3dae57a39e50a91e47b8fcf3447b4978.1488376601.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:37 +0100
Subject: [PATCH] wpa_supplicant: Add macsec_integ_only setting for MKA
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/common/ieee802_1x_defs.h | 6 ++++++
src/pae/ieee802_1x_kay.c | 1 +
src/pae/ieee802_1x_kay.h | 1 +
wpa_supplicant/config.c | 1 +
wpa_supplicant/config_file.c | 1 +
wpa_supplicant/config_ssid.h | 12 ++++++++++++
wpa_supplicant/wpa_cli.c | 1 +
wpa_supplicant/wpa_supplicant.conf | 7 +++++++
wpa_supplicant/wpas_kay.c | 9 ++++++++-
9 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h
index a0c1d1b..280c439 100644
--- a/src/common/ieee802_1x_defs.h
+++ b/src/common/ieee802_1x_defs.h
@@ -25,6 +25,12 @@ enum macsec_policy {
* Disabled MACsec - do not secure sessions.
*/
DO_NOT_SECURE,
+
+ /**
+ * Should secure sessions, and try to use encryption.
+ * Like @SHOULD_SECURE, this follows the key server's decision.
+ */
+ SHOULD_ENCRYPT,
};
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 19b2c2f..7664e2d 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3129,6 +3129,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
} else {
kay->macsec_desired = TRUE;
kay->macsec_protect = TRUE;
+ kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
kay->macsec_validate = Strict;
kay->macsec_replay_protect = FALSE;
kay->macsec_replay_window = 0;
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 576a8a0..618e45b 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -181,6 +181,7 @@ struct ieee802_1x_kay {
enum macsec_cap macsec_capable;
Boolean macsec_desired;
Boolean macsec_protect;
+ Boolean macsec_encrypt;
Boolean macsec_replay_protect;
u32 macsec_replay_window;
enum validate_frames macsec_validate;
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 9011389..afb631e 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2125,6 +2125,7 @@ static const struct parse_data ssid_fields[] = {
{ INT(beacon_int) },
#ifdef CONFIG_MACSEC
{ INT_RANGE(macsec_policy, 0, 1) },
+ { INT_RANGE(macsec_integ_only, 0, 1) },
{ FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 172508e..f605fa9 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(macsec_policy);
write_mka_cak(f, ssid);
write_mka_ckn(f, ssid);
+ INT(macsec_integ_only);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index a530cda..b8c3192 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -730,6 +730,18 @@ struct wpa_ssid {
int macsec_policy;
/**
+ * macsec_integ_only - Determines how MACsec are transmitted
+ *
+ * This setting applies only when MACsec is in use, i.e.,
+ * - macsec_policy is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: Encrypt traffic (default)
+ * 1: Integrity only
+ */
+ int macsec_integ_only;
+
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_LEN 32
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 4877989..aed95e6 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1390,6 +1390,7 @@ static const char *network_fields[] = {
"ap_max_inactivity", "dtim_period", "beacon_int",
#ifdef CONFIG_MACSEC
"macsec_policy",
+ "macsec_integ_only",
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
"update_identifier",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 8fa740b..b23c5e6 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -892,6 +892,13 @@ fast_reauth=1
# 1: MACsec enabled - Should secure, accept key server's advice to
# determine whether to use a secure session or not.
#
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+# This setting applies only when MACsec is in use, i.e.,
+# - macsec_policy is enabled
+# - the key server has decided to enable MACsec
+# 0: Encrypt traffic (default)
+# 1: Integrity only
+#
# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as peers, one of
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 80b98d9..6343154 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -187,7 +187,14 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
if (!ssid || ssid->macsec_policy == 0)
return 0;
- policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
+ if (ssid->macsec_policy == 1) {
+ if (ssid->macsec_integ_only == 1)
+ policy = SHOULD_SECURE;
+ else
+ policy = SHOULD_ENCRYPT;
+ } else {
+ policy = DO_NOT_SECURE;
+ }
kay_ctx = os_zalloc(sizeof(*kay_ctx));
if (!kay_ctx)
--
2.7.4

177
macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch Normal file
View File

@ -0,0 +1,177 @@
From 1d3d0666a6ed345da39886426c4416a4debfd094 Mon Sep 17 00:00:00 2001
Message-Id: <1d3d0666a6ed345da39886426c4416a4debfd094.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:38 +0100
Subject: [PATCH] mka: Add enable_encrypt op and call it from CP state machine
This allows MKA to turn encryption on/off down to the driver.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver.h | 9 +++++++++
src/pae/ieee802_1x_cp.c | 4 ++++
src/pae/ieee802_1x_kay.h | 1 +
src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
src/pae/ieee802_1x_secy_ops.h | 1 +
wpa_supplicant/driver_i.h | 8 ++++++++
wpa_supplicant/wpas_kay.c | 7 +++++++
7 files changed, 50 insertions(+)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 9a6db90..0cb68ba 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3339,6 +3339,15 @@ struct wpa_driver_ops {
int (*enable_protect_frames)(void *priv, Boolean enabled);
/**
+ * enable_encrypt - Set encryption status
+ * @priv: Private driver interface data
+ * @enabled: TRUE = encrypt outgoing traffic
+ * FALSE = integrity-only protection on outgoing traffic
+ * Returns: 0 on success, -1 on failure (or if not supported)
+ */
+ int (*enable_encrypt)(void *priv, Boolean enabled);
+
+ /**
* set_replay_protect - Set replay protect status and window size
* @priv: Private driver interface data
* @enabled: TRUE = replay protect enabled
diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c
index e294e64..360fcd3 100644
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -159,6 +159,7 @@ SM_STATE(CP, ALLOWED)
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
}
@@ -177,6 +178,7 @@ SM_STATE(CP, AUTHENTICATED)
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
}
@@ -203,6 +205,7 @@ SM_STATE(CP, SECURED)
secy_cp_control_confidentiality_offset(sm->kay,
sm->confidentiality_offset);
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
}
@@ -466,6 +469,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay)
wpa_printf(MSG_DEBUG, "CP: state machine created");
secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 618e45b..fb49f62 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -142,6 +142,7 @@ struct ieee802_1x_kay_ctx {
int (*macsec_deinit)(void *ctx);
int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
int (*enable_protect_frames)(void *ctx, Boolean enabled);
+ int (*enable_encrypt)(void *ctx, Boolean enabled);
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
int (*set_current_cipher_suite)(void *ctx, u64 cs);
int (*enable_controlled_port)(void *ctx, Boolean enabled);
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index b1a9d22..ab5339b 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -45,6 +45,26 @@ int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean enabled)
}
+int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, Boolean enabled)
+{
+ struct ieee802_1x_kay_ctx *ops;
+
+ if (!kay) {
+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
+ return -1;
+ }
+
+ ops = kay->ctx;
+ if (!ops || !ops->enable_encrypt) {
+ wpa_printf(MSG_ERROR,
+ "KaY: secy enable_encrypt operation not supported");
+ return -1;
+ }
+
+ return ops->enable_encrypt(ops->ctx, enabled);
+}
+
+
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
{
struct ieee802_1x_kay_ctx *ops;
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index 477120b..9fb29c3 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -21,6 +21,7 @@ int secy_deinit_macsec(struct ieee802_1x_kay *kay);
int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
enum validate_frames vf);
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
+int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, Boolean enabled);
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index c9bb20d..cf08556 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -731,6 +731,14 @@ static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
return wpa_s->driver->enable_protect_frames(wpa_s->drv_priv, enabled);
}
+static inline int wpa_drv_enable_encrypt(struct wpa_supplicant *wpa_s,
+ Boolean enabled)
+{
+ if (!wpa_s->driver->enable_encrypt)
+ return -1;
+ return wpa_s->driver->enable_encrypt(wpa_s->drv_priv, enabled);
+}
+
static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
Boolean enabled, u32 window)
{
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 6343154..2ff4895 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -50,6 +50,12 @@ static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
}
+static int wpas_enable_encrypt(void *wpa_s, Boolean enabled)
+{
+ return wpa_drv_enable_encrypt(wpa_s, enabled);
+}
+
+
static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
{
return wpa_drv_set_replay_protect(wpa_s, enabled, window);
@@ -206,6 +212,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->macsec_deinit = wpas_macsec_deinit;
kay_ctx->macsec_get_capability = wpas_macsec_get_capability;
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
+ kay_ctx->enable_encrypt = wpas_enable_encrypt;
kay_ctx->set_replay_protect = wpas_set_replay_protect;
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
--
2.7.4

145
macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch Normal file
View File

@ -0,0 +1,145 @@
From e0d9fd344d20bb35efcd5c37ece0a5d67632439d Mon Sep 17 00:00:00 2001
Message-Id: <e0d9fd344d20bb35efcd5c37ece0a5d67632439d.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Nov 2016 16:38:39 +0100
Subject: [PATCH] wpa_supplicant: Allow configuring the MACsec port for MKA
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/pae/ieee802_1x_kay.c | 4 ++--
src/pae/ieee802_1x_kay.h | 2 +-
wpa_supplicant/config.c | 1 +
wpa_supplicant/config_file.c | 1 +
wpa_supplicant/config_ssid.h | 9 +++++++++
wpa_supplicant/wpa_cli.c | 1 +
wpa_supplicant/wpa_supplicant.conf | 4 ++++
wpa_supplicant/wpas_kay.c | 4 ++--
8 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 7664e2d..3a495ca 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3071,7 +3071,7 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
*/
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
- const char *ifname, const u8 *addr)
+ u16 port, const char *ifname, const u8 *addr)
{
struct ieee802_1x_kay *kay;
@@ -3093,7 +3093,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
os_strlcpy(kay->if_name, ifname, IFNAMSIZ);
os_memcpy(kay->actor_sci.addr, addr, ETH_ALEN);
- kay->actor_sci.port = host_to_be16(0x0001);
+ kay->actor_sci.port = host_to_be16(port ? port : 0x0001);
kay->actor_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
/* While actor acts as a key server, shall distribute sakey */
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index fb49f62..ea5a0dd 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -233,7 +233,7 @@ struct ieee802_1x_kay {
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
- const char *ifname, const u8 *addr);
+ u16 port, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
struct ieee802_1x_mka_participant *
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index afb631e..2120a6e 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2126,6 +2126,7 @@ static const struct parse_data ssid_fields[] = {
#ifdef CONFIG_MACSEC
{ INT_RANGE(macsec_policy, 0, 1) },
{ INT_RANGE(macsec_integ_only, 0, 1) },
+ { INT_RANGE(macsec_port, 1, 65534) },
{ FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index f605fa9..2e3d57e 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -809,6 +809,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
write_mka_cak(f, ssid);
write_mka_ckn(f, ssid);
INT(macsec_integ_only);
+ INT(macsec_port);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index b8c3192..fe0f7fa 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -742,6 +742,15 @@ struct wpa_ssid {
int macsec_integ_only;
/**
+ * macsec_port - MACsec port (in SCI)
+ *
+ * Port component of the SCI.
+ *
+ * Range: 1-65534 (default: 1)
+ */
+ int macsec_port;
+
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_LEN 32
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index aed95e6..f11028a 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1391,6 +1391,7 @@ static const char *network_fields[] = {
#ifdef CONFIG_MACSEC
"macsec_policy",
"macsec_integ_only",
+ "macsec_port",
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
"update_identifier",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index b23c5e6..82aa24e 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -899,6 +899,10 @@ fast_reauth=1
# 0: Encrypt traffic (default)
# 1: Integrity only
#
+# macsec_port: IEEE 802.1X/MACsec port
+# Port component of the SCI
+# Range: 1-65534 (default: 1)
+#
# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as peers, one of
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 2ff4895..d3fefda 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -232,8 +232,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
- res = ieee802_1x_kay_init(kay_ctx, policy, wpa_s->ifname,
- wpa_s->own_addr);
+ res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_port,
+ wpa_s->ifname, wpa_s->own_addr);
if (res == NULL) {
os_free(kay_ctx);
return -1;
--
2.7.4

459
macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch Normal file
View File

@ -0,0 +1,459 @@
From 0abc8d10cc357d71fff74470c613442f9070ae93 Mon Sep 17 00:00:00 2001
Message-Id: <0abc8d10cc357d71fff74470c613442f9070ae93.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:44 +0100
Subject: [PATCH] drivers: Move common definitions for wired drivers out
Refactor the common parts of wired drivers code into a shared file, so
that they can be reused by other drivers. The macsec_qca driver already
contains a lot of code duplication from the wired driver, and the
macsec_linux driver would do the same. A structure to hold data common
to all wired drivers is added and used in all these drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 65 ++++++++++++-------------
src/drivers/driver_wired.c | 99 +++++++++++++++++++--------------------
src/drivers/driver_wired_common.h | 25 ++++++++++
3 files changed, 103 insertions(+), 86 deletions(-)
create mode 100644 src/drivers/driver_wired_common.h
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 22d414c..6391e08 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -31,6 +31,7 @@
#include "common/ieee802_1x_defs.h"
#include "pae/ieee802_1x_kay.h"
#include "driver.h"
+#include "driver_wired_common.h"
#include "nss_macsec_secy.h"
#include "nss_macsec_secy_rx.h"
@@ -53,21 +54,14 @@
#pragma pack(pop)
#endif /* _MSC_VER */
-static const u8 pae_group_addr[ETH_ALEN] =
-{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
-
struct channel_map {
struct ieee802_1x_mka_sci sci;
};
struct macsec_qca_data {
- char ifname[IFNAMSIZ + 1];
- u32 secy_id;
- void *ctx;
+ struct driver_wired_common_data common;
- int sock; /* raw packet socket for driver access */
- int pf_sock;
- int membership, multi, iff_allmulti, iff_up;
+ u32 secy_id;
/* shadow */
Boolean always_include_sci;
@@ -322,43 +316,43 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
drv = os_zalloc(sizeof(*drv));
if (drv == NULL)
return NULL;
- os_strlcpy(drv->ifname, ifname, sizeof(drv->ifname));
- drv->ctx = ctx;
+ os_strlcpy(drv->common.ifname, ifname, sizeof(drv->common.ifname));
+ drv->common.ctx = ctx;
/* Board specific settings */
- if (os_memcmp("eth2", drv->ifname, 4) == 0)
+ if (os_memcmp("eth2", drv->common.ifname, 4) == 0)
drv->secy_id = 1;
- else if (os_memcmp("eth3", drv->ifname, 4) == 0)
+ else if (os_memcmp("eth3", drv->common.ifname, 4) == 0)
drv->secy_id = 2;
else
drv->secy_id = -1;
#ifdef __linux__
- drv->pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
- if (drv->pf_sock < 0)
+ drv->common.pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
+ if (drv->common.pf_sock < 0)
wpa_printf(MSG_ERROR, "socket(PF_PACKET): %s", strerror(errno));
#else /* __linux__ */
- drv->pf_sock = -1;
+ drv->common.pf_sock = -1;
#endif /* __linux__ */
if (macsec_qca_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
macsec_qca_set_ifflags(ifname, flags | IFF_UP) == 0) {
- drv->iff_up = 1;
+ drv->common.iff_up = 1;
}
- if (macsec_qca_multicast_membership(drv->pf_sock,
- if_nametoindex(drv->ifname),
+ if (macsec_qca_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG,
"%s: Added multicast membership with packet socket",
__func__);
- drv->membership = 1;
+ drv->common.membership = 1;
} else if (macsec_qca_multi(ifname, pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG,
"%s: Added multicast membership with SIOCADDMULTI",
__func__);
- drv->multi = 1;
+ drv->common.multi = 1;
} else if (macsec_qca_get_ifflags(ifname, &flags) < 0) {
wpa_printf(MSG_INFO, "%s: Could not get interface flags",
__func__);
@@ -375,7 +369,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
return NULL;
} else {
wpa_printf(MSG_DEBUG, "%s: Enabled allmulti mode", __func__);
- drv->iff_allmulti = 1;
+ drv->common.iff_allmulti = 1;
}
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
{
@@ -397,39 +391,40 @@ static void macsec_qca_deinit(void *priv)
struct macsec_qca_data *drv = priv;
int flags;
- if (drv->membership &&
- macsec_qca_multicast_membership(drv->pf_sock,
- if_nametoindex(drv->ifname),
+ if (drv->common.membership &&
+ macsec_qca_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG,
"%s: Failed to remove PAE multicast group (PACKET)",
__func__);
}
- if (drv->multi &&
- macsec_qca_multi(drv->ifname, pae_group_addr, 0) < 0) {
+ if (drv->common.multi &&
+ macsec_qca_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG,
"%s: Failed to remove PAE multicast group (SIOCDELMULTI)",
__func__);
}
- if (drv->iff_allmulti &&
- (macsec_qca_get_ifflags(drv->ifname, &flags) < 0 ||
- macsec_qca_set_ifflags(drv->ifname, flags & ~IFF_ALLMULTI) < 0)) {
+ if (drv->common.iff_allmulti &&
+ (macsec_qca_get_ifflags(drv->common.ifname, &flags) < 0 ||
+ macsec_qca_set_ifflags(drv->common.ifname,
+ flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
__func__);
}
- if (drv->iff_up &&
- macsec_qca_get_ifflags(drv->ifname, &flags) == 0 &&
+ if (drv->common.iff_up &&
+ macsec_qca_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
- macsec_qca_set_ifflags(drv->ifname, flags & ~IFF_UP) < 0) {
+ macsec_qca_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
__func__);
}
- if (drv->pf_sock != -1)
- close(drv->pf_sock);
+ if (drv->common.pf_sock != -1)
+ close(drv->common.pf_sock);
os_free(drv);
}
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 422a220..b6f79e3 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -12,6 +12,7 @@
#include "common.h"
#include "eloop.h"
#include "driver.h"
+#include "driver_wired_common.h"
#include <sys/ioctl.h>
#undef IFNAMSIZ
@@ -42,20 +43,12 @@ struct ieee8023_hdr {
#pragma pack(pop)
#endif /* _MSC_VER */
-static const u8 pae_group_addr[ETH_ALEN] =
-{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
-
struct wpa_driver_wired_data {
- char ifname[IFNAMSIZ + 1];
- void *ctx;
+ struct driver_wired_common_data common;
- int sock; /* raw packet socket for driver access */
int dhcp_sock; /* socket for dhcp packets */
int use_pae_group_addr;
-
- int pf_sock;
- int membership, multi, iff_allmulti, iff_up;
};
@@ -208,21 +201,22 @@ static int wired_init_sockets(struct wpa_driver_wired_data *drv, u8 *own_addr)
struct sockaddr_in addr2;
int n = 1;
- drv->sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_PAE));
- if (drv->sock < 0) {
+ drv->common.sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_PAE));
+ if (drv->common.sock < 0) {
wpa_printf(MSG_ERROR, "socket[PF_PACKET,SOCK_RAW]: %s",
strerror(errno));
return -1;
}
- if (eloop_register_read_sock(drv->sock, handle_read, drv->ctx, NULL)) {
+ if (eloop_register_read_sock(drv->common.sock, handle_read,
+ drv->common.ctx, NULL)) {
wpa_printf(MSG_INFO, "Could not register read socket");
return -1;
}
os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, drv->ifname, sizeof(ifr.ifr_name));
- if (ioctl(drv->sock, SIOCGIFINDEX, &ifr) != 0) {
+ os_strlcpy(ifr.ifr_name, drv->common.ifname, sizeof(ifr.ifr_name));
+ if (ioctl(drv->common.sock, SIOCGIFINDEX, &ifr) != 0) {
wpa_printf(MSG_ERROR, "ioctl(SIOCGIFINDEX): %s",
strerror(errno));
return -1;
@@ -234,13 +228,14 @@ static int wired_init_sockets(struct wpa_driver_wired_data *drv, u8 *own_addr)
wpa_printf(MSG_DEBUG, "Opening raw packet socket for ifindex %d",
addr.sll_ifindex);
- if (bind(drv->sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+ if (bind(drv->common.sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
+ {
wpa_printf(MSG_ERROR, "bind: %s", strerror(errno));
return -1;
}
/* filter multicast address */
- if (wired_multicast_membership(drv->sock, ifr.ifr_ifindex,
+ if (wired_multicast_membership(drv->common.sock, ifr.ifr_ifindex,
pae_group_addr, 1) < 0) {
wpa_printf(MSG_ERROR, "wired: Failed to add multicast group "
"membership");
@@ -248,8 +243,8 @@ static int wired_init_sockets(struct wpa_driver_wired_data *drv, u8 *own_addr)
}
os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, drv->ifname, sizeof(ifr.ifr_name));
- if (ioctl(drv->sock, SIOCGIFHWADDR, &ifr) != 0) {
+ os_strlcpy(ifr.ifr_name, drv->common.ifname, sizeof(ifr.ifr_name));
+ if (ioctl(drv->common.sock, SIOCGIFHWADDR, &ifr) != 0) {
wpa_printf(MSG_ERROR, "ioctl(SIOCGIFHWADDR): %s",
strerror(errno));
return -1;
@@ -269,8 +264,8 @@ static int wired_init_sockets(struct wpa_driver_wired_data *drv, u8 *own_addr)
return -1;
}
- if (eloop_register_read_sock(drv->dhcp_sock, handle_dhcp, drv->ctx,
- NULL)) {
+ if (eloop_register_read_sock(drv->dhcp_sock, handle_dhcp,
+ drv->common.ctx, NULL)) {
wpa_printf(MSG_INFO, "Could not register read socket");
return -1;
}
@@ -294,7 +289,7 @@ static int wired_init_sockets(struct wpa_driver_wired_data *drv, u8 *own_addr)
}
os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_ifrn.ifrn_name, drv->ifname, IFNAMSIZ);
+ os_strlcpy(ifr.ifr_ifrn.ifrn_name, drv->common.ifname, IFNAMSIZ);
if (setsockopt(drv->dhcp_sock, SOL_SOCKET, SO_BINDTODEVICE,
(char *) &ifr, sizeof(ifr)) < 0) {
wpa_printf(MSG_ERROR,
@@ -343,7 +338,7 @@ static int wired_send_eapol(void *priv, const u8 *addr,
pos = (u8 *) (hdr + 1);
os_memcpy(pos, data, data_len);
- res = send(drv->sock, (u8 *) hdr, len, 0);
+ res = send(drv->common.sock, (u8 *) hdr, len, 0);
os_free(hdr);
if (res < 0) {
@@ -368,8 +363,9 @@ static void * wired_driver_hapd_init(struct hostapd_data *hapd,
return NULL;
}
- drv->ctx = hapd;
- os_strlcpy(drv->ifname, params->ifname, sizeof(drv->ifname));
+ drv->common.ctx = hapd;
+ os_strlcpy(drv->common.ifname, params->ifname,
+ sizeof(drv->common.ifname));
drv->use_pae_group_addr = params->use_pae_group_addr;
if (wired_init_sockets(drv, params->own_addr)) {
@@ -385,9 +381,9 @@ static void wired_driver_hapd_deinit(void *priv)
{
struct wpa_driver_wired_data *drv = priv;
- if (drv->sock >= 0) {
- eloop_unregister_read_sock(drv->sock);
- close(drv->sock);
+ if (drv->common.sock >= 0) {
+ eloop_unregister_read_sock(drv->common.sock);
+ close(drv->common.sock);
}
if (drv->dhcp_sock >= 0) {
@@ -564,33 +560,33 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
drv = os_zalloc(sizeof(*drv));
if (drv == NULL)
return NULL;
- os_strlcpy(drv->ifname, ifname, sizeof(drv->ifname));
- drv->ctx = ctx;
+ os_strlcpy(drv->common.ifname, ifname, sizeof(drv->common.ifname));
+ drv->common.ctx = ctx;
#ifdef __linux__
- drv->pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
- if (drv->pf_sock < 0)
+ drv->common.pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
+ if (drv->common.pf_sock < 0)
wpa_printf(MSG_ERROR, "socket(PF_PACKET): %s", strerror(errno));
#else /* __linux__ */
- drv->pf_sock = -1;
+ drv->common.pf_sock = -1;
#endif /* __linux__ */
if (wpa_driver_wired_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
wpa_driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
- drv->iff_up = 1;
+ drv->common.iff_up = 1;
}
- if (wired_multicast_membership(drv->pf_sock,
- if_nametoindex(drv->ifname),
+ if (wired_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
"packet socket", __func__);
- drv->membership = 1;
+ drv->common.membership = 1;
} else if (wpa_driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
"SIOCADDMULTI", __func__);
- drv->multi = 1;
+ drv->common.multi = 1;
} else if (wpa_driver_wired_get_ifflags(ifname, &flags) < 0) {
wpa_printf(MSG_INFO, "%s: Could not get interface "
"flags", __func__);
@@ -608,7 +604,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
} else {
wpa_printf(MSG_DEBUG, "%s: Enabled allmulti mode",
__func__);
- drv->iff_allmulti = 1;
+ drv->common.iff_allmulti = 1;
}
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
{
@@ -630,38 +626,39 @@ static void wpa_driver_wired_deinit(void *priv)
struct wpa_driver_wired_data *drv = priv;
int flags;
- if (drv->membership &&
- wired_multicast_membership(drv->pf_sock,
- if_nametoindex(drv->ifname),
+ if (drv->common.membership &&
+ wired_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE multicast "
"group (PACKET)", __func__);
}
- if (drv->multi &&
- wpa_driver_wired_multi(drv->ifname, pae_group_addr, 0) < 0) {
+ if (drv->common.multi &&
+ wpa_driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE multicast "
"group (SIOCDELMULTI)", __func__);
}
- if (drv->iff_allmulti &&
- (wpa_driver_wired_get_ifflags(drv->ifname, &flags) < 0 ||
- wpa_driver_wired_set_ifflags(drv->ifname,
+ if (drv->common.iff_allmulti &&
+ (wpa_driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
+ wpa_driver_wired_set_ifflags(drv->common.ifname,
flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
__func__);
}
- if (drv->iff_up &&
- wpa_driver_wired_get_ifflags(drv->ifname, &flags) == 0 &&
+ if (drv->common.iff_up &&
+ wpa_driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
- wpa_driver_wired_set_ifflags(drv->ifname, flags & ~IFF_UP) < 0) {
+ wpa_driver_wired_set_ifflags(drv->common.ifname,
+ flags & ~IFF_UP) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
__func__);
}
- if (drv->pf_sock != -1)
- close(drv->pf_sock);
+ if (drv->common.pf_sock != -1)
+ close(drv->common.pf_sock);
os_free(drv);
}
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
new file mode 100644
index 0000000..8d9dd37
--- /dev/null
+++ b/src/drivers/driver_wired_common.h
@@ -0,0 +1,25 @@
+/*
+ * Common definitions for Wired Ethernet driver interfaces
+ * Copyright (c) 2005-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004, Gunter Burchardt <tira@isx.de>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#ifndef DRIVER_WIRED_COMMON_H
+#define DRIVER_WIRED_COMMON_H
+
+struct driver_wired_common_data {
+ char ifname[IFNAMSIZ + 1];
+ void *ctx;
+
+ int sock; /* raw packet socket for driver access */
+ int pf_sock;
+ int membership, multi, iff_allmulti, iff_up;
+};
+
+static const u8 pae_group_addr[ETH_ALEN] =
+{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
+
+#endif /* DRIVER_WIRED_COMMON_H */
--
2.7.4

239
macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch Normal file
View File

@ -0,0 +1,239 @@
From b0906ef770ec5a74221bcb4e63dbbc8682f49d5a Mon Sep 17 00:00:00 2001
Message-Id: <b0906ef770ec5a74221bcb4e63dbbc8682f49d5a.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:45 +0100
Subject: [PATCH] drivers: Move wired_multicast_membership() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 40 +++++----------------------
src/drivers/driver_wired.c | 28 -------------------
src/drivers/driver_wired_common.c | 57 +++++++++++++++++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 2 ++
src/drivers/drivers.mak | 6 +++++
src/drivers/drivers.mk | 5 ++++
6 files changed, 76 insertions(+), 62 deletions(-)
create mode 100644 src/drivers/driver_wired_common.c
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 6391e08..e04fb0f 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -76,34 +76,6 @@ struct macsec_qca_data {
};
-static int macsec_qca_multicast_membership(int sock, int ifindex,
- const u8 *addr, int add)
-{
-#ifdef __linux__
- struct packet_mreq mreq;
-
- if (sock < 0)
- return -1;
-
- os_memset(&mreq, 0, sizeof(mreq));
- mreq.mr_ifindex = ifindex;
- mreq.mr_type = PACKET_MR_MULTICAST;
- mreq.mr_alen = ETH_ALEN;
- os_memcpy(mreq.mr_address, addr, ETH_ALEN);
-
- if (setsockopt(sock, SOL_PACKET,
- add ? PACKET_ADD_MEMBERSHIP : PACKET_DROP_MEMBERSHIP,
- &mreq, sizeof(mreq)) < 0) {
- wpa_printf(MSG_ERROR, "setsockopt: %s", strerror(errno));
- return -1;
- }
- return 0;
-#else /* __linux__ */
- return -1;
-#endif /* __linux__ */
-}
-
-
static int macsec_qca_get_ssid(void *priv, u8 *ssid)
{
ssid[0] = 0;
@@ -341,9 +313,9 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
drv->common.iff_up = 1;
}
- if (macsec_qca_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 1) == 0) {
+ if (wired_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
+ pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG,
"%s: Added multicast membership with packet socket",
__func__);
@@ -392,9 +364,9 @@ static void macsec_qca_deinit(void *priv)
int flags;
if (drv->common.membership &&
- macsec_qca_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 0) < 0) {
+ wired_multicast_membership(drv->common.pf_sock,
+ if_nametoindex(drv->common.ifname),
+ pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG,
"%s: Failed to remove PAE multicast group (PACKET)",
__func__);
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index b6f79e3..68c55fd 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -76,34 +76,6 @@ struct dhcp_message {
};
-static int wired_multicast_membership(int sock, int ifindex,
- const u8 *addr, int add)
-{
-#ifdef __linux__
- struct packet_mreq mreq;
-
- if (sock < 0)
- return -1;
-
- os_memset(&mreq, 0, sizeof(mreq));
- mreq.mr_ifindex = ifindex;
- mreq.mr_type = PACKET_MR_MULTICAST;
- mreq.mr_alen = ETH_ALEN;
- os_memcpy(mreq.mr_address, addr, ETH_ALEN);
-
- if (setsockopt(sock, SOL_PACKET,
- add ? PACKET_ADD_MEMBERSHIP : PACKET_DROP_MEMBERSHIP,
- &mreq, sizeof(mreq)) < 0) {
- wpa_printf(MSG_ERROR, "setsockopt: %s", strerror(errno));
- return -1;
- }
- return 0;
-#else /* __linux__ */
- return -1;
-#endif /* __linux__ */
-}
-
-
#ifdef __linux__
static void handle_data(void *ctx, unsigned char *buf, size_t len)
{
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
new file mode 100644
index 0000000..3969880
--- /dev/null
+++ b/src/drivers/driver_wired_common.c
@@ -0,0 +1,57 @@
+/*
+ * Common functions for Wired Ethernet driver interfaces
+ * Copyright (c) 2005-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004, Gunter Burchardt <tira@isx.de>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "includes.h"
+
+#include "common.h"
+#include "eloop.h"
+#include "driver.h"
+#include "driver_wired_common.h"
+
+#include <sys/ioctl.h>
+#include <net/if.h>
+#ifdef __linux__
+#include <netpacket/packet.h>
+#include <net/if_arp.h>
+#include <net/if.h>
+#endif /* __linux__ */
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+#include <net/if_dl.h>
+#include <net/if_media.h>
+#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__) */
+#ifdef __sun__
+#include <sys/sockio.h>
+#endif /* __sun__ */
+
+
+int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
+{
+#ifdef __linux__
+ struct packet_mreq mreq;
+
+ if (sock < 0)
+ return -1;
+
+ os_memset(&mreq, 0, sizeof(mreq));
+ mreq.mr_ifindex = ifindex;
+ mreq.mr_type = PACKET_MR_MULTICAST;
+ mreq.mr_alen = ETH_ALEN;
+ os_memcpy(mreq.mr_address, addr, ETH_ALEN);
+
+ if (setsockopt(sock, SOL_PACKET,
+ add ? PACKET_ADD_MEMBERSHIP : PACKET_DROP_MEMBERSHIP,
+ &mreq, sizeof(mreq)) < 0) {
+ wpa_printf(MSG_ERROR, "setsockopt: %s", strerror(errno));
+ return -1;
+ }
+ return 0;
+#else /* __linux__ */
+ return -1;
+#endif /* __linux__ */
+}
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index 8d9dd37..39a57a6 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -22,4 +22,6 @@ struct driver_wired_common_data {
static const u8 pae_group_addr[ETH_ALEN] =
{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
+int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
+
#endif /* DRIVER_WIRED_COMMON_H */
diff --git a/src/drivers/drivers.mak b/src/drivers/drivers.mak
index c6d3f81..282da50 100644
--- a/src/drivers/drivers.mak
+++ b/src/drivers/drivers.mak
@@ -15,11 +15,17 @@ DRV_AP_LIBS =
ifdef CONFIG_DRIVER_WIRED
DRV_CFLAGS += -DCONFIG_DRIVER_WIRED
DRV_OBJS += ../src/drivers/driver_wired.o
+NEED_DRV_WIRED_COMMON=1
endif
ifdef CONFIG_DRIVER_MACSEC_QCA
DRV_CFLAGS += -DCONFIG_DRIVER_MACSEC_QCA
DRV_OBJS += ../src/drivers/driver_macsec_qca.o
+NEED_DRV_WIRED_COMMON=1
+endif
+
+ifdef NEED_DRV_WIRED_COMMON
+DRV_OBJS += ../src/drivers/driver_wired_common.o
endif
ifdef CONFIG_DRIVER_NL80211
diff --git a/src/drivers/drivers.mk b/src/drivers/drivers.mk
index c6fe4c2..508f834 100644
--- a/src/drivers/drivers.mk
+++ b/src/drivers/drivers.mk
@@ -15,6 +15,11 @@ DRV_AP_LIBS =
ifdef CONFIG_DRIVER_WIRED
DRV_CFLAGS += -DCONFIG_DRIVER_WIRED
DRV_OBJS += src/drivers/driver_wired.c
+NEED_DRV_WIRED_COMMON=1
+endif
+
+ifdef NEED_DRV_WIRED_COMMON
+DRV_OBJS += src/drivers/driver_wired_common.c
endif
ifdef CONFIG_DRIVER_NL80211
--
2.7.4

268
macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch Normal file
View File

@ -0,0 +1,268 @@
From 693124a1e4f1c2be5ee67f412eb511c3b5b808bd Mon Sep 17 00:00:00 2001
Message-Id: <693124a1e4f1c2be5ee67f412eb511c3b5b808bd.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:46 +0100
Subject: [PATCH] drivers: Move driver_wired_multi() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 59 ++-------------------------------------
src/drivers/driver_wired.c | 59 ++-------------------------------------
src/drivers/driver_wired_common.c | 57 +++++++++++++++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 62 insertions(+), 114 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index e04fb0f..6c07e01 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -178,61 +178,6 @@ static int macsec_qca_get_ifstatus(const char *ifname, int *status)
#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-static int macsec_qca_multi(const char *ifname, const u8 *addr, int add)
-{
- struct ifreq ifr;
- int s;
-
-#ifdef __sun__
- return -1;
-#endif /* __sun__ */
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
-#ifdef __linux__
- ifr.ifr_hwaddr.sa_family = AF_UNSPEC;
- os_memcpy(ifr.ifr_hwaddr.sa_data, addr, ETH_ALEN);
-#endif /* __linux__ */
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
- {
- struct sockaddr_dl *dlp;
- dlp = (struct sockaddr_dl *) &ifr.ifr_addr;
- dlp->sdl_len = sizeof(struct sockaddr_dl);
- dlp->sdl_family = AF_LINK;
- dlp->sdl_index = 0;
- dlp->sdl_nlen = 0;
- dlp->sdl_alen = ETH_ALEN;
- dlp->sdl_slen = 0;
- os_memcpy(LLADDR(dlp), addr, ETH_ALEN);
- }
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
- {
- struct sockaddr *sap;
- sap = (struct sockaddr *) &ifr.ifr_addr;
- sap->sa_len = sizeof(struct sockaddr);
- sap->sa_family = AF_UNSPEC;
- os_memcpy(sap->sa_data, addr, ETH_ALEN);
- }
-#endif /* defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) */
-
- if (ioctl(s, add ? SIOCADDMULTI : SIOCDELMULTI, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOC{ADD/DEL}MULTI]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- return 0;
-}
-
-
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
int ret = 0;
@@ -320,7 +265,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
"%s: Added multicast membership with packet socket",
__func__);
drv->common.membership = 1;
- } else if (macsec_qca_multi(ifname, pae_group_addr, 1) == 0) {
+ } else if (driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG,
"%s: Added multicast membership with SIOCADDMULTI",
__func__);
@@ -373,7 +318,7 @@ static void macsec_qca_deinit(void *priv)
}
if (drv->common.multi &&
- macsec_qca_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
+ driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG,
"%s: Failed to remove PAE multicast group (SIOCDELMULTI)",
__func__);
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 68c55fd..20c66e3 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -469,61 +469,6 @@ static int wpa_driver_wired_get_ifstatus(const char *ifname, int *status)
#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-static int wpa_driver_wired_multi(const char *ifname, const u8 *addr, int add)
-{
- struct ifreq ifr;
- int s;
-
-#ifdef __sun__
- return -1;
-#endif /* __sun__ */
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
-#ifdef __linux__
- ifr.ifr_hwaddr.sa_family = AF_UNSPEC;
- os_memcpy(ifr.ifr_hwaddr.sa_data, addr, ETH_ALEN);
-#endif /* __linux__ */
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
- {
- struct sockaddr_dl *dlp;
- dlp = (struct sockaddr_dl *) &ifr.ifr_addr;
- dlp->sdl_len = sizeof(struct sockaddr_dl);
- dlp->sdl_family = AF_LINK;
- dlp->sdl_index = 0;
- dlp->sdl_nlen = 0;
- dlp->sdl_alen = ETH_ALEN;
- dlp->sdl_slen = 0;
- os_memcpy(LLADDR(dlp), addr, ETH_ALEN);
- }
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
- {
- struct sockaddr *sap;
- sap = (struct sockaddr *) &ifr.ifr_addr;
- sap->sa_len = sizeof(struct sockaddr);
- sap->sa_family = AF_UNSPEC;
- os_memcpy(sap->sa_data, addr, ETH_ALEN);
- }
-#endif /* defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) */
-
- if (ioctl(s, add ? SIOCADDMULTI : SIOCDELMULTI, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOC{ADD/DEL}MULTI]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- return 0;
-}
-
-
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
@@ -555,7 +500,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
"packet socket", __func__);
drv->common.membership = 1;
- } else if (wpa_driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
+ } else if (driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
"SIOCADDMULTI", __func__);
drv->common.multi = 1;
@@ -607,7 +552,7 @@ static void wpa_driver_wired_deinit(void *priv)
}
if (drv->common.multi &&
- wpa_driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
+ driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE multicast "
"group (SIOCDELMULTI)", __func__);
}
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index 3969880..4cb04da 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -30,6 +30,63 @@
#endif /* __sun__ */
+int driver_wired_multi(const char *ifname, const u8 *addr, int add)
+{
+ struct ifreq ifr;
+ int s;
+
+#ifdef __sun__
+ return -1;
+#endif /* __sun__ */
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+ if (s < 0) {
+ wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
+ return -1;
+ }
+
+ os_memset(&ifr, 0, sizeof(ifr));
+ os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+#ifdef __linux__
+ ifr.ifr_hwaddr.sa_family = AF_UNSPEC;
+ os_memcpy(ifr.ifr_hwaddr.sa_data, addr, ETH_ALEN);
+#endif /* __linux__ */
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+ {
+ struct sockaddr_dl *dlp;
+
+ dlp = (struct sockaddr_dl *) &ifr.ifr_addr;
+ dlp->sdl_len = sizeof(struct sockaddr_dl);
+ dlp->sdl_family = AF_LINK;
+ dlp->sdl_index = 0;
+ dlp->sdl_nlen = 0;
+ dlp->sdl_alen = ETH_ALEN;
+ dlp->sdl_slen = 0;
+ os_memcpy(LLADDR(dlp), addr, ETH_ALEN);
+ }
+#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
+ {
+ struct sockaddr *sap;
+
+ sap = (struct sockaddr *) &ifr.ifr_addr;
+ sap->sa_len = sizeof(struct sockaddr);
+ sap->sa_family = AF_UNSPEC;
+ os_memcpy(sap->sa_data, addr, ETH_ALEN);
+ }
+#endif /* defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) */
+
+ if (ioctl(s, add ? SIOCADDMULTI : SIOCDELMULTI, (caddr_t) &ifr) < 0) {
+ wpa_printf(MSG_ERROR, "ioctl[SIOC{ADD/DEL}MULTI]: %s",
+ strerror(errno));
+ close(s);
+ return -1;
+ }
+ close(s);
+ return 0;
+}
+
+
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
{
#ifdef __linux__
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index 39a57a6..9bbe94f 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -22,6 +22,7 @@ struct driver_wired_common_data {
static const u8 pae_group_addr[ETH_ALEN] =
{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
+int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
#endif /* DRIVER_WIRED_COMMON_H */
--
2.7.4

212
macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch Normal file
View File

@ -0,0 +1,212 @@
From 567b7d4ec29cd5b97b00703b5afb03d023abb532 Mon Sep 17 00:00:00 2001
Message-Id: <567b7d4ec29cd5b97b00703b5afb03d023abb532.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:47 +0100
Subject: [PATCH] drivers: Move driver_wired_get_ifflags() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 33 ++++-----------------------------
src/drivers/driver_wired.c | 33 ++++-----------------------------
src/drivers/driver_wired_common.c | 25 +++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 34 insertions(+), 58 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 6c07e01..d0d4611 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -99,31 +99,6 @@ static int macsec_qca_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-static int macsec_qca_get_ifflags(const char *ifname, int *flags)
-{
- struct ifreq ifr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
- if (ioctl(s, SIOCGIFFLAGS, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- *flags = ifr.ifr_flags & 0xffff;
- return 0;
-}
-
-
static int macsec_qca_set_ifflags(const char *ifname, int flags)
{
struct ifreq ifr;
@@ -252,7 +227,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
drv->common.pf_sock = -1;
#endif /* __linux__ */
- if (macsec_qca_get_ifflags(ifname, &flags) == 0 &&
+ if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
macsec_qca_set_ifflags(ifname, flags | IFF_UP) == 0) {
drv->common.iff_up = 1;
@@ -270,7 +245,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
"%s: Added multicast membership with SIOCADDMULTI",
__func__);
drv->common.multi = 1;
- } else if (macsec_qca_get_ifflags(ifname, &flags) < 0) {
+ } else if (driver_wired_get_ifflags(ifname, &flags) < 0) {
wpa_printf(MSG_INFO, "%s: Could not get interface flags",
__func__);
os_free(drv);
@@ -325,7 +300,7 @@ static void macsec_qca_deinit(void *priv)
}
if (drv->common.iff_allmulti &&
- (macsec_qca_get_ifflags(drv->common.ifname, &flags) < 0 ||
+ (driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
macsec_qca_set_ifflags(drv->common.ifname,
flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
@@ -333,7 +308,7 @@ static void macsec_qca_deinit(void *priv)
}
if (drv->common.iff_up &&
- macsec_qca_get_ifflags(drv->common.ifname, &flags) == 0 &&
+ driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
macsec_qca_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 20c66e3..ad49eaf 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -390,31 +390,6 @@ static int wpa_driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-static int wpa_driver_wired_get_ifflags(const char *ifname, int *flags)
-{
- struct ifreq ifr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
- if (ioctl(s, SIOCGIFFLAGS, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- *flags = ifr.ifr_flags & 0xffff;
- return 0;
-}
-
-
static int wpa_driver_wired_set_ifflags(const char *ifname, int flags)
{
struct ifreq ifr;
@@ -488,7 +463,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
drv->common.pf_sock = -1;
#endif /* __linux__ */
- if (wpa_driver_wired_get_ifflags(ifname, &flags) == 0 &&
+ if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
wpa_driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
drv->common.iff_up = 1;
@@ -504,7 +479,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
"SIOCADDMULTI", __func__);
drv->common.multi = 1;
- } else if (wpa_driver_wired_get_ifflags(ifname, &flags) < 0) {
+ } else if (driver_wired_get_ifflags(ifname, &flags) < 0) {
wpa_printf(MSG_INFO, "%s: Could not get interface "
"flags", __func__);
os_free(drv);
@@ -558,7 +533,7 @@ static void wpa_driver_wired_deinit(void *priv)
}
if (drv->common.iff_allmulti &&
- (wpa_driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
+ (driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
wpa_driver_wired_set_ifflags(drv->common.ifname,
flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
@@ -566,7 +541,7 @@ static void wpa_driver_wired_deinit(void *priv)
}
if (drv->common.iff_up &&
- wpa_driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
+ driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
wpa_driver_wired_set_ifflags(drv->common.ifname,
flags & ~IFF_UP) < 0) {
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index 4cb04da..a84dcc7 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -30,6 +30,31 @@
#endif /* __sun__ */
+int driver_wired_get_ifflags(const char *ifname, int *flags)
+{
+ struct ifreq ifr;
+ int s;
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+ if (s < 0) {
+ wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
+ return -1;
+ }
+
+ os_memset(&ifr, 0, sizeof(ifr));
+ os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ if (ioctl(s, SIOCGIFFLAGS, (caddr_t) &ifr) < 0) {
+ wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
+ strerror(errno));
+ close(s);
+ return -1;
+ }
+ close(s);
+ *flags = ifr.ifr_flags & 0xffff;
+ return 0;
+}
+
+
int driver_wired_multi(const char *ifname, const u8 *addr, int add)
{
struct ifreq ifr;
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index 9bbe94f..b8ed0e0 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -22,6 +22,7 @@ struct driver_wired_common_data {
static const u8 pae_group_addr[ETH_ALEN] =
{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
+int driver_wired_get_ifflags(const char *ifname, int *flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
--
2.7.4

218
macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch Normal file
View File

@ -0,0 +1,218 @@
From d718a5d975de2309dc4478a62f3475cb0726f2a1 Mon Sep 17 00:00:00 2001
Message-Id: <d718a5d975de2309dc4478a62f3475cb0726f2a1.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:48 +0100
Subject: [PATCH] drivers: Move driver_wired_set_ifflags() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 35 +++++------------------------------
src/drivers/driver_wired.c | 37 +++++--------------------------------
src/drivers/driver_wired_common.c | 25 +++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 36 insertions(+), 62 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index d0d4611..31cb0dc 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -99,31 +99,6 @@ static int macsec_qca_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-static int macsec_qca_set_ifflags(const char *ifname, int flags)
-{
- struct ifreq ifr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
- ifr.ifr_flags = flags & 0xffff;
- if (ioctl(s, SIOCSIFFLAGS, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- return 0;
-}
-
-
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
static int macsec_qca_get_ifstatus(const char *ifname, int *status)
{
@@ -229,7 +204,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
- macsec_qca_set_ifflags(ifname, flags | IFF_UP) == 0) {
+ driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
drv->common.iff_up = 1;
}
@@ -254,7 +229,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
wpa_printf(MSG_DEBUG,
"%s: Interface is already configured for multicast",
__func__);
- } else if (macsec_qca_set_ifflags(ifname, flags | IFF_ALLMULTI) < 0) {
+ } else if (driver_wired_set_ifflags(ifname, flags | IFF_ALLMULTI) < 0) {
wpa_printf(MSG_INFO, "%s: Failed to enable allmulti",
__func__);
os_free(drv);
@@ -301,8 +276,8 @@ static void macsec_qca_deinit(void *priv)
if (drv->common.iff_allmulti &&
(driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
- macsec_qca_set_ifflags(drv->common.ifname,
- flags & ~IFF_ALLMULTI) < 0)) {
+ driver_wired_set_ifflags(drv->common.ifname,
+ flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
__func__);
}
@@ -310,7 +285,7 @@ static void macsec_qca_deinit(void *priv)
if (drv->common.iff_up &&
driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
- macsec_qca_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
+ driver_wired_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
__func__);
}
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index ad49eaf..953fa3d 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -390,31 +390,6 @@ static int wpa_driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-static int wpa_driver_wired_set_ifflags(const char *ifname, int flags)
-{
- struct ifreq ifr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
- ifr.ifr_flags = flags & 0xffff;
- if (ioctl(s, SIOCSIFFLAGS, (caddr_t) &ifr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- return 0;
-}
-
-
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
static int wpa_driver_wired_get_ifstatus(const char *ifname, int *status)
{
@@ -465,7 +440,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
!(flags & IFF_UP) &&
- wpa_driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
+ driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
drv->common.iff_up = 1;
}
@@ -487,8 +462,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
} else if (flags & IFF_ALLMULTI) {
wpa_printf(MSG_DEBUG, "%s: Interface is already configured "
"for multicast", __func__);
- } else if (wpa_driver_wired_set_ifflags(ifname,
- flags | IFF_ALLMULTI) < 0) {
+ } else if (driver_wired_set_ifflags(ifname, flags | IFF_ALLMULTI) < 0) {
wpa_printf(MSG_INFO, "%s: Failed to enable allmulti",
__func__);
os_free(drv);
@@ -534,8 +508,8 @@ static void wpa_driver_wired_deinit(void *priv)
if (drv->common.iff_allmulti &&
(driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
- wpa_driver_wired_set_ifflags(drv->common.ifname,
- flags & ~IFF_ALLMULTI) < 0)) {
+ driver_wired_set_ifflags(drv->common.ifname,
+ flags & ~IFF_ALLMULTI) < 0)) {
wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
__func__);
}
@@ -543,8 +517,7 @@ static void wpa_driver_wired_deinit(void *priv)
if (drv->common.iff_up &&
driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
(flags & IFF_UP) &&
- wpa_driver_wired_set_ifflags(drv->common.ifname,
- flags & ~IFF_UP) < 0) {
+ driver_wired_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
__func__);
}
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index a84dcc7..52f22de 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -55,6 +55,31 @@ int driver_wired_get_ifflags(const char *ifname, int *flags)
}
+int driver_wired_set_ifflags(const char *ifname, int flags)
+{
+ struct ifreq ifr;
+ int s;
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+ if (s < 0) {
+ wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
+ return -1;
+ }
+
+ os_memset(&ifr, 0, sizeof(ifr));
+ os_strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ ifr.ifr_flags = flags & 0xffff;
+ if (ioctl(s, SIOCSIFFLAGS, (caddr_t) &ifr) < 0) {
+ wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
+ strerror(errno));
+ close(s);
+ return -1;
+ }
+ close(s);
+ return 0;
+}
+
+
int driver_wired_multi(const char *ifname, const u8 *addr, int add)
{
struct ifreq ifr;
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index b8ed0e0..e2d8bbe 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -23,6 +23,7 @@ static const u8 pae_group_addr[ETH_ALEN] =
{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
int driver_wired_get_ifflags(const char *ifname, int *flags);
+int driver_wired_set_ifflags(const char *ifname, int flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
--
2.7.4

166
macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch Normal file
View File

@ -0,0 +1,166 @@
From 5a55ec38edd875fc6dc54c0483e1f96ad9cf8cf9 Mon Sep 17 00:00:00 2001
Message-Id: <5a55ec38edd875fc6dc54c0483e1f96ad9cf8cf9.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:49 +0100
Subject: [PATCH] drivers: Move driver_wired_get_ifstatus() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 31 +------------------------------
src/drivers/driver_wired.c | 31 +------------------------------
src/drivers/driver_wired_common.c | 29 +++++++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 32 insertions(+), 60 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 31cb0dc..786e2e8 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -99,35 +99,6 @@ static int macsec_qca_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
-static int macsec_qca_get_ifstatus(const char *ifname, int *status)
-{
- struct ifmediareq ifmr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_print(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifmr, 0, sizeof(ifmr));
- os_strlcpy(ifmr.ifm_name, ifname, IFNAMSIZ);
- if (ioctl(s, SIOCGIFMEDIA, (caddr_t) &ifmr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCGIFMEDIA]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- *status = (ifmr.ifm_status & (IFM_ACTIVE | IFM_AVALID)) ==
- (IFM_ACTIVE | IFM_AVALID);
-
- return 0;
-}
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-
-
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
int ret = 0;
@@ -243,7 +214,7 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
int status;
wpa_printf(MSG_DEBUG, "%s: waiting for link to become active",
__func__);
- while (macsec_qca_get_ifstatus(ifname, &status) == 0 &&
+ while (driver_wired_get_ifstatus(ifname, &status) == 0 &&
status == 0)
sleep(1);
}
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 953fa3d..db83683 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -390,35 +390,6 @@ static int wpa_driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
}
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
-static int wpa_driver_wired_get_ifstatus(const char *ifname, int *status)
-{
- struct ifmediareq ifmr;
- int s;
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s < 0) {
- wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
- return -1;
- }
-
- os_memset(&ifmr, 0, sizeof(ifmr));
- os_strlcpy(ifmr.ifm_name, ifname, IFNAMSIZ);
- if (ioctl(s, SIOCGIFMEDIA, (caddr_t) &ifmr) < 0) {
- wpa_printf(MSG_ERROR, "ioctl[SIOCGIFMEDIA]: %s",
- strerror(errno));
- close(s);
- return -1;
- }
- close(s);
- *status = (ifmr.ifm_status & (IFM_ACTIVE | IFM_AVALID)) ==
- (IFM_ACTIVE | IFM_AVALID);
-
- return 0;
-}
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
-
-
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
@@ -477,7 +448,7 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
int status;
wpa_printf(MSG_DEBUG, "%s: waiting for link to become active",
__func__);
- while (wpa_driver_wired_get_ifstatus(ifname, &status) == 0 &&
+ while (driver_wired_get_ifstatus(ifname, &status) == 0 &&
status == 0)
sleep(1);
}
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index 52f22de..e55e2c7 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -162,3 +162,32 @@ int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
return -1;
#endif /* __linux__ */
}
+
+
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+int driver_wired_get_ifstatus(const char *ifname, int *status)
+{
+ struct ifmediareq ifmr;
+ int s;
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+ if (s < 0) {
+ wpa_printf(MSG_ERROR, "socket: %s", strerror(errno));
+ return -1;
+ }
+
+ os_memset(&ifmr, 0, sizeof(ifmr));
+ os_strlcpy(ifmr.ifm_name, ifname, IFNAMSIZ);
+ if (ioctl(s, SIOCGIFMEDIA, (caddr_t) &ifmr) < 0) {
+ wpa_printf(MSG_ERROR, "ioctl[SIOCGIFMEDIA]: %s",
+ strerror(errno));
+ close(s);
+ return -1;
+ }
+ close(s);
+ *status = (ifmr.ifm_status & (IFM_ACTIVE | IFM_AVALID)) ==
+ (IFM_ACTIVE | IFM_AVALID);
+
+ return 0;
+}
+#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index e2d8bbe..c8e347a 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -26,5 +26,6 @@ int driver_wired_get_ifflags(const char *ifname, int *flags);
int driver_wired_set_ifflags(const char *ifname, int flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
+int driver_wired_get_ifstatus(const char *ifname, int *status);
#endif /* DRIVER_WIRED_COMMON_H */
--
2.7.4

261
macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch Normal file
View File

@ -0,0 +1,261 @@
From ed5ae6119307b981eb9d0eaff3fa2ca53e79e629 Mon Sep 17 00:00:00 2001
Message-Id: <ed5ae6119307b981eb9d0eaff3fa2ca53e79e629.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:50 +0100
Subject: [PATCH] drivers: Move driver_wired_init_common() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 59 ++---------------------------------
src/drivers/driver_wired.c | 53 +------------------------------
src/drivers/driver_wired_common.c | 65 +++++++++++++++++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 3 ++
4 files changed, 72 insertions(+), 108 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 786e2e8..26003b0 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -149,76 +149,23 @@ static void __macsec_drv_deinit(struct macsec_qca_data *drv)
static void * macsec_qca_init(void *ctx, const char *ifname)
{
struct macsec_qca_data *drv;
- int flags;
drv = os_zalloc(sizeof(*drv));
if (drv == NULL)
return NULL;
- os_strlcpy(drv->common.ifname, ifname, sizeof(drv->common.ifname));
- drv->common.ctx = ctx;
/* Board specific settings */
- if (os_memcmp("eth2", drv->common.ifname, 4) == 0)
+ if (os_memcmp("eth2", ifname, 4) == 0)
drv->secy_id = 1;
- else if (os_memcmp("eth3", drv->common.ifname, 4) == 0)
+ else if (os_memcmp("eth3", ifname, 4) == 0)
drv->secy_id = 2;
else
drv->secy_id = -1;
-#ifdef __linux__
- drv->common.pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
- if (drv->common.pf_sock < 0)
- wpa_printf(MSG_ERROR, "socket(PF_PACKET): %s", strerror(errno));
-#else /* __linux__ */
- drv->common.pf_sock = -1;
-#endif /* __linux__ */
-
- if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
- !(flags & IFF_UP) &&
- driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
- drv->common.iff_up = 1;
- }
-
- if (wired_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 1) == 0) {
- wpa_printf(MSG_DEBUG,
- "%s: Added multicast membership with packet socket",
- __func__);
- drv->common.membership = 1;
- } else if (driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
- wpa_printf(MSG_DEBUG,
- "%s: Added multicast membership with SIOCADDMULTI",
- __func__);
- drv->common.multi = 1;
- } else if (driver_wired_get_ifflags(ifname, &flags) < 0) {
- wpa_printf(MSG_INFO, "%s: Could not get interface flags",
- __func__);
- os_free(drv);
- return NULL;
- } else if (flags & IFF_ALLMULTI) {
- wpa_printf(MSG_DEBUG,
- "%s: Interface is already configured for multicast",
- __func__);
- } else if (driver_wired_set_ifflags(ifname, flags | IFF_ALLMULTI) < 0) {
- wpa_printf(MSG_INFO, "%s: Failed to enable allmulti",
- __func__);
+ if (driver_wired_init_common(&drv->common, ifname, ctx) < 0) {
os_free(drv);
return NULL;
- } else {
- wpa_printf(MSG_DEBUG, "%s: Enabled allmulti mode", __func__);
- drv->common.iff_allmulti = 1;
- }
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
- {
- int status;
- wpa_printf(MSG_DEBUG, "%s: waiting for link to become active",
- __func__);
- while (driver_wired_get_ifstatus(ifname, &status) == 0 &&
- status == 0)
- sleep(1);
}
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
return drv;
}
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index db83683..38476af 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -393,66 +393,15 @@ static int wpa_driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
- int flags;
drv = os_zalloc(sizeof(*drv));
if (drv == NULL)
return NULL;
- os_strlcpy(drv->common.ifname, ifname, sizeof(drv->common.ifname));
- drv->common.ctx = ctx;
-
-#ifdef __linux__
- drv->common.pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
- if (drv->common.pf_sock < 0)
- wpa_printf(MSG_ERROR, "socket(PF_PACKET): %s", strerror(errno));
-#else /* __linux__ */
- drv->common.pf_sock = -1;
-#endif /* __linux__ */
-
- if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
- !(flags & IFF_UP) &&
- driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0) {
- drv->common.iff_up = 1;
- }
- if (wired_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 1) == 0) {
- wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
- "packet socket", __func__);
- drv->common.membership = 1;
- } else if (driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
- wpa_printf(MSG_DEBUG, "%s: Added multicast membership with "
- "SIOCADDMULTI", __func__);
- drv->common.multi = 1;
- } else if (driver_wired_get_ifflags(ifname, &flags) < 0) {
- wpa_printf(MSG_INFO, "%s: Could not get interface "
- "flags", __func__);
+ if (driver_wired_init_common(&drv->common, ifname, ctx) < 0) {
os_free(drv);
return NULL;
- } else if (flags & IFF_ALLMULTI) {
- wpa_printf(MSG_DEBUG, "%s: Interface is already configured "
- "for multicast", __func__);
- } else if (driver_wired_set_ifflags(ifname, flags | IFF_ALLMULTI) < 0) {
- wpa_printf(MSG_INFO, "%s: Failed to enable allmulti",
- __func__);
- os_free(drv);
- return NULL;
- } else {
- wpa_printf(MSG_DEBUG, "%s: Enabled allmulti mode",
- __func__);
- drv->common.iff_allmulti = 1;
- }
-#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
- {
- int status;
- wpa_printf(MSG_DEBUG, "%s: waiting for link to become active",
- __func__);
- while (driver_wired_get_ifstatus(ifname, &status) == 0 &&
- status == 0)
- sleep(1);
}
-#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
return drv;
}
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index e55e2c7..6f782c2 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -191,3 +191,68 @@ int driver_wired_get_ifstatus(const char *ifname, int *status)
return 0;
}
#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
+
+
+int driver_wired_init_common(struct driver_wired_common_data *common,
+ const char *ifname, void *ctx)
+{
+ int flags;
+
+ os_strlcpy(common->ifname, ifname, sizeof(common->ifname));
+ common->ctx = ctx;
+
+#ifdef __linux__
+ common->pf_sock = socket(PF_PACKET, SOCK_DGRAM, 0);
+ if (common->pf_sock < 0)
+ wpa_printf(MSG_ERROR, "socket(PF_PACKET): %s", strerror(errno));
+#else /* __linux__ */
+ common->pf_sock = -1;
+#endif /* __linux__ */
+
+ if (driver_wired_get_ifflags(ifname, &flags) == 0 &&
+ !(flags & IFF_UP) &&
+ driver_wired_set_ifflags(ifname, flags | IFF_UP) == 0)
+ common->iff_up = 1;
+
+ if (wired_multicast_membership(common->pf_sock,
+ if_nametoindex(common->ifname),
+ pae_group_addr, 1) == 0) {
+ wpa_printf(MSG_DEBUG,
+ "%s: Added multicast membership with packet socket",
+ __func__);
+ common->membership = 1;
+ } else if (driver_wired_multi(ifname, pae_group_addr, 1) == 0) {
+ wpa_printf(MSG_DEBUG,
+ "%s: Added multicast membership with SIOCADDMULTI",
+ __func__);
+ common->multi = 1;
+ } else if (driver_wired_get_ifflags(ifname, &flags) < 0) {
+ wpa_printf(MSG_INFO, "%s: Could not get interface flags",
+ __func__);
+ return -1;
+ } else if (flags & IFF_ALLMULTI) {
+ wpa_printf(MSG_DEBUG,
+ "%s: Interface is already configured for multicast",
+ __func__);
+ } else if (driver_wired_set_ifflags(ifname,
+ flags | IFF_ALLMULTI) < 0) {
+ wpa_printf(MSG_INFO, "%s: Failed to enable allmulti", __func__);
+ return -1;
+ } else {
+ wpa_printf(MSG_DEBUG, "%s: Enabled allmulti mode", __func__);
+ common->iff_allmulti = 1;
+ }
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+ {
+ int status;
+
+ wpa_printf(MSG_DEBUG, "%s: waiting for link to become active",
+ __func__);
+ while (driver_wired_get_ifstatus(ifname, &status) == 0 &&
+ status == 0)
+ sleep(1);
+ }
+#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(FreeBSD_kernel__) */
+
+ return 0;
+}
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index c8e347a..e4f54b9 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -28,4 +28,7 @@ int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
int driver_wired_get_ifstatus(const char *ifname, int *status);
+int driver_wired_init_common(struct driver_wired_common_data *common,
+ const char *ifname, void *ctx);
+
#endif /* DRIVER_WIRED_COMMON_H */
--
2.7.4

176
macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch Normal file
View File

@ -0,0 +1,176 @@
From ec9cfb96c2db746f26ceaa577953cfc2dc9d0f49 Mon Sep 17 00:00:00 2001
Message-Id: <ec9cfb96c2db746f26ceaa577953cfc2dc9d0f49.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:51 +0100
Subject: [PATCH] drivers: Move driver_wired_deinit_common() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 37 +----------------------------------
src/drivers/driver_wired.c | 35 +--------------------------------
src/drivers/driver_wired_common.c | 41 +++++++++++++++++++++++++++++++++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 44 insertions(+), 70 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 26003b0..30bf31c 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -174,43 +174,8 @@ static void * macsec_qca_init(void *ctx, const char *ifname)
static void macsec_qca_deinit(void *priv)
{
struct macsec_qca_data *drv = priv;
- int flags;
-
- if (drv->common.membership &&
- wired_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 0) < 0) {
- wpa_printf(MSG_DEBUG,
- "%s: Failed to remove PAE multicast group (PACKET)",
- __func__);
- }
-
- if (drv->common.multi &&
- driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
- wpa_printf(MSG_DEBUG,
- "%s: Failed to remove PAE multicast group (SIOCDELMULTI)",
- __func__);
- }
-
- if (drv->common.iff_allmulti &&
- (driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
- driver_wired_set_ifflags(drv->common.ifname,
- flags & ~IFF_ALLMULTI) < 0)) {
- wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
- __func__);
- }
-
- if (drv->common.iff_up &&
- driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
- (flags & IFF_UP) &&
- driver_wired_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
- wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
- __func__);
- }
-
- if (drv->common.pf_sock != -1)
- close(drv->common.pf_sock);
+ driver_wired_deinit_common(&drv->common);
os_free(drv);
}
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 38476af..54217bc 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -410,41 +410,8 @@ static void * wpa_driver_wired_init(void *ctx, const char *ifname)
static void wpa_driver_wired_deinit(void *priv)
{
struct wpa_driver_wired_data *drv = priv;
- int flags;
-
- if (drv->common.membership &&
- wired_multicast_membership(drv->common.pf_sock,
- if_nametoindex(drv->common.ifname),
- pae_group_addr, 0) < 0) {
- wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE multicast "
- "group (PACKET)", __func__);
- }
-
- if (drv->common.multi &&
- driver_wired_multi(drv->common.ifname, pae_group_addr, 0) < 0) {
- wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE multicast "
- "group (SIOCDELMULTI)", __func__);
- }
-
- if (drv->common.iff_allmulti &&
- (driver_wired_get_ifflags(drv->common.ifname, &flags) < 0 ||
- driver_wired_set_ifflags(drv->common.ifname,
- flags & ~IFF_ALLMULTI) < 0)) {
- wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
- __func__);
- }
-
- if (drv->common.iff_up &&
- driver_wired_get_ifflags(drv->common.ifname, &flags) == 0 &&
- (flags & IFF_UP) &&
- driver_wired_set_ifflags(drv->common.ifname, flags & ~IFF_UP) < 0) {
- wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
- __func__);
- }
-
- if (drv->common.pf_sock != -1)
- close(drv->common.pf_sock);
+ driver_wired_deinit_common(&drv->common);
os_free(drv);
}
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index 6f782c2..73c2b1b 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -256,3 +256,44 @@ int driver_wired_init_common(struct driver_wired_common_data *common,
return 0;
}
+
+
+void driver_wired_deinit_common(struct driver_wired_common_data *common)
+{
+ int flags;
+
+ if (common->membership &&
+ wired_multicast_membership(common->pf_sock,
+ if_nametoindex(common->ifname),
+ pae_group_addr, 0) < 0) {
+ wpa_printf(MSG_DEBUG,
+ "%s: Failed to remove PAE multicast group (PACKET)",
+ __func__);
+ }
+
+ if (common->multi &&
+ driver_wired_multi(common->ifname, pae_group_addr, 0) < 0) {
+ wpa_printf(MSG_DEBUG,
+ "%s: Failed to remove PAE multicast group (SIOCDELMULTI)",
+ __func__);
+ }
+
+ if (common->iff_allmulti &&
+ (driver_wired_get_ifflags(common->ifname, &flags) < 0 ||
+ driver_wired_set_ifflags(common->ifname,
+ flags & ~IFF_ALLMULTI) < 0)) {
+ wpa_printf(MSG_DEBUG, "%s: Failed to disable allmulti mode",
+ __func__);
+ }
+
+ if (common->iff_up &&
+ driver_wired_get_ifflags(common->ifname, &flags) == 0 &&
+ (flags & IFF_UP) &&
+ driver_wired_set_ifflags(common->ifname, flags & ~IFF_UP) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: Failed to set the interface down",
+ __func__);
+ }
+
+ if (common->pf_sock != -1)
+ close(common->pf_sock);
+}
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index e4f54b9..f362dbd 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -30,5 +30,6 @@ int driver_wired_get_ifstatus(const char *ifname, int *status);
int driver_wired_init_common(struct driver_wired_common_data *common,
const char *ifname, void *ctx);
+void driver_wired_deinit_common(struct driver_wired_common_data *common);
#endif /* DRIVER_WIRED_COMMON_H */
--
2.7.4

107
macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch Normal file
View File

@ -0,0 +1,107 @@
From 9281e5c5ce83648d344808e08f213f4e11a44573 Mon Sep 17 00:00:00 2001
Message-Id: <9281e5c5ce83648d344808e08f213f4e11a44573.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:52 +0100
Subject: [PATCH] drivers: Move driver_wired_get_capa() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 10 +---------
src/drivers/driver_wired.c | 10 +---------
src/drivers/driver_wired_common.c | 8 ++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 30bf31c..15ea4bd 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -91,14 +91,6 @@ static int macsec_qca_get_bssid(void *priv, u8 *bssid)
}
-static int macsec_qca_get_capa(void *priv, struct wpa_driver_capa *capa)
-{
- os_memset(capa, 0, sizeof(*capa));
- capa->flags = WPA_DRIVER_FLAGS_WIRED;
- return 0;
-}
-
-
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
int ret = 0;
@@ -758,7 +750,7 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
.desc = "QCA MACsec Ethernet driver",
.get_ssid = macsec_qca_get_ssid,
.get_bssid = macsec_qca_get_bssid,
- .get_capa = macsec_qca_get_capa,
+ .get_capa = driver_wired_get_capa,
.init = macsec_qca_init,
.deinit = macsec_qca_deinit,
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index 54217bc..fd8a7e3 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -382,14 +382,6 @@ static int wpa_driver_wired_get_bssid(void *priv, u8 *bssid)
}
-static int wpa_driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
-{
- os_memset(capa, 0, sizeof(*capa));
- capa->flags = WPA_DRIVER_FLAGS_WIRED;
- return 0;
-}
-
-
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
@@ -424,7 +416,7 @@ const struct wpa_driver_ops wpa_driver_wired_ops = {
.hapd_send_eapol = wired_send_eapol,
.get_ssid = wpa_driver_wired_get_ssid,
.get_bssid = wpa_driver_wired_get_bssid,
- .get_capa = wpa_driver_wired_get_capa,
+ .get_capa = driver_wired_get_capa,
.init = wpa_driver_wired_init,
.deinit = wpa_driver_wired_deinit,
};
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index 73c2b1b..b31474d 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -164,6 +164,14 @@ int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
}
+int driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
+{
+ os_memset(capa, 0, sizeof(*capa));
+ capa->flags = WPA_DRIVER_FLAGS_WIRED;
+ return 0;
+}
+
+
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
int driver_wired_get_ifstatus(const char *ifname, int *status)
{
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index f362dbd..b926d83 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -26,6 +26,7 @@ int driver_wired_get_ifflags(const char *ifname, int *flags);
int driver_wired_set_ifflags(const char *ifname, int flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
+int driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa);
int driver_wired_get_ifstatus(const char *ifname, int *status);
int driver_wired_init_common(struct driver_wired_common_data *common,
--
2.7.4

107
macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch Normal file
View File

@ -0,0 +1,107 @@
From d27c42baea5d52f3f4fdc36ed98c7d10289ad973 Mon Sep 17 00:00:00 2001
Message-Id: <d27c42baea5d52f3f4fdc36ed98c7d10289ad973.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:53 +0100
Subject: [PATCH] drivers: Move driver_wired_get_bssid() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 10 +---------
src/drivers/driver_wired.c | 10 +---------
src/drivers/driver_wired_common.c | 8 ++++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 15ea4bd..4bbc59f 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -83,14 +83,6 @@ static int macsec_qca_get_ssid(void *priv, u8 *ssid)
}
-static int macsec_qca_get_bssid(void *priv, u8 *bssid)
-{
- /* Report PAE group address as the "BSSID" for macsec connection. */
- os_memcpy(bssid, pae_group_addr, ETH_ALEN);
- return 0;
-}
-
-
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
int ret = 0;
@@ -749,7 +741,7 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
.name = "macsec_qca",
.desc = "QCA MACsec Ethernet driver",
.get_ssid = macsec_qca_get_ssid,
- .get_bssid = macsec_qca_get_bssid,
+ .get_bssid = driver_wired_get_bssid,
.get_capa = driver_wired_get_capa,
.init = macsec_qca_init,
.deinit = macsec_qca_deinit,
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index fd8a7e3..ad34627 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -374,14 +374,6 @@ static int wpa_driver_wired_get_ssid(void *priv, u8 *ssid)
}
-static int wpa_driver_wired_get_bssid(void *priv, u8 *bssid)
-{
- /* Report PAE group address as the "BSSID" for wired connection. */
- os_memcpy(bssid, pae_group_addr, ETH_ALEN);
- return 0;
-}
-
-
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
@@ -415,7 +407,7 @@ const struct wpa_driver_ops wpa_driver_wired_ops = {
.hapd_deinit = wired_driver_hapd_deinit,
.hapd_send_eapol = wired_send_eapol,
.get_ssid = wpa_driver_wired_get_ssid,
- .get_bssid = wpa_driver_wired_get_bssid,
+ .get_bssid = driver_wired_get_bssid,
.get_capa = driver_wired_get_capa,
.init = wpa_driver_wired_init,
.deinit = wpa_driver_wired_deinit,
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index b31474d..d30d3a4 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -164,6 +164,14 @@ int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
}
+int driver_wired_get_bssid(void *priv, u8 *bssid)
+{
+ /* Report PAE group address as the "BSSID" for wired connection. */
+ os_memcpy(bssid, pae_group_addr, ETH_ALEN);
+ return 0;
+}
+
+
int driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa)
{
os_memset(capa, 0, sizeof(*capa));
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index b926d83..493987a 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -26,6 +26,7 @@ int driver_wired_get_ifflags(const char *ifname, int *flags);
int driver_wired_set_ifflags(const char *ifname, int flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
+int driver_wired_get_bssid(void *priv, u8 *bssid);
int driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa);
int driver_wired_get_ifstatus(const char *ifname, int *status);
--
2.7.4

104
macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch Normal file
View File

@ -0,0 +1,104 @@
From 8618313b6ef1c40002836ffc56d70466ea80d44e Mon Sep 17 00:00:00 2001
Message-Id: <8618313b6ef1c40002836ffc56d70466ea80d44e.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:54 +0100
Subject: [PATCH] drivers: Move driver_wired_get_ssid() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
src/drivers/driver_macsec_qca.c | 9 +--------
src/drivers/driver_wired.c | 9 +--------
src/drivers/driver_wired_common.c | 7 +++++++
src/drivers/driver_wired_common.h | 1 +
4 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 4bbc59f..d3be19c 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -76,13 +76,6 @@ struct macsec_qca_data {
};
-static int macsec_qca_get_ssid(void *priv, u8 *ssid)
-{
- ssid[0] = 0;
- return 0;
-}
-
-
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
int ret = 0;
@@ -740,7 +733,7 @@ static int macsec_qca_disable_transmit_sa(void *priv, struct transmit_sa *sa)
const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
.name = "macsec_qca",
.desc = "QCA MACsec Ethernet driver",
- .get_ssid = macsec_qca_get_ssid,
+ .get_ssid = driver_wired_get_ssid,
.get_bssid = driver_wired_get_bssid,
.get_capa = driver_wired_get_capa,
.init = macsec_qca_init,
diff --git a/src/drivers/driver_wired.c b/src/drivers/driver_wired.c
index ad34627..7e09dcf 100644
--- a/src/drivers/driver_wired.c
+++ b/src/drivers/driver_wired.c
@@ -367,13 +367,6 @@ static void wired_driver_hapd_deinit(void *priv)
}
-static int wpa_driver_wired_get_ssid(void *priv, u8 *ssid)
-{
- ssid[0] = 0;
- return 0;
-}
-
-
static void * wpa_driver_wired_init(void *ctx, const char *ifname)
{
struct wpa_driver_wired_data *drv;
@@ -406,7 +399,7 @@ const struct wpa_driver_ops wpa_driver_wired_ops = {
.hapd_init = wired_driver_hapd_init,
.hapd_deinit = wired_driver_hapd_deinit,
.hapd_send_eapol = wired_send_eapol,
- .get_ssid = wpa_driver_wired_get_ssid,
+ .get_ssid = driver_wired_get_ssid,
.get_bssid = driver_wired_get_bssid,
.get_capa = driver_wired_get_capa,
.init = wpa_driver_wired_init,
diff --git a/src/drivers/driver_wired_common.c b/src/drivers/driver_wired_common.c
index d30d3a4..2e169d7 100644
--- a/src/drivers/driver_wired_common.c
+++ b/src/drivers/driver_wired_common.c
@@ -164,6 +164,13 @@ int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add)
}
+int driver_wired_get_ssid(void *priv, u8 *ssid)
+{
+ ssid[0] = 0;
+ return 0;
+}
+
+
int driver_wired_get_bssid(void *priv, u8 *bssid)
{
/* Report PAE group address as the "BSSID" for wired connection. */
diff --git a/src/drivers/driver_wired_common.h b/src/drivers/driver_wired_common.h
index 493987a..7e1a4ae 100644
--- a/src/drivers/driver_wired_common.h
+++ b/src/drivers/driver_wired_common.h
@@ -26,6 +26,7 @@ int driver_wired_get_ifflags(const char *ifname, int *flags);
int driver_wired_set_ifflags(const char *ifname, int flags);
int driver_wired_multi(const char *ifname, const u8 *addr, int add);
int wired_multicast_membership(int sock, int ifindex, const u8 *addr, int add);
+int driver_wired_get_ssid(void *priv, u8 *ssid);
int driver_wired_get_bssid(void *priv, u8 *bssid);
int driver_wired_get_capa(void *priv, struct wpa_driver_capa *capa);
int driver_wired_get_ifstatus(const char *ifname, int *status);
--
2.7.4

1397
macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch Normal file
View File

File diff suppressed because it is too large Load Diff

49
macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch Normal file
View File

@ -0,0 +1,49 @@
From ba5ea116873a2f4046e4d3f37ab8215a3846f614 Mon Sep 17 00:00:00 2001
Message-Id: <ba5ea116873a2f4046e4d3f37ab8215a3846f614.1488376602.git.dcaratti@redhat.com>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Sun, 27 Nov 2016 20:08:56 +0100
Subject: [PATCH] mka: Remove references to macsec_qca from wpa_supplicant.conf
Make the documentation generic, as this is no longer the only macsec
driver.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
wpa_supplicant/wpa_supplicant.conf | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 82aa24e..edb230d 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -98,9 +98,7 @@ eapol_version=1
# parameters (e.g., WPA IE generation); this mode can also be used with
# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
# APs (i.e., external program needs to control association). This mode must
-# also be used when using wired Ethernet drivers.
-# Note: macsec_qca driver is one type of Ethernet driver which implements
-# macsec feature.
+# also be used when using wired Ethernet drivers (including MACsec).
# 2: like 0, but associate with APs using security policy and SSID (but not
# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
# enable operation with hidden SSIDs and optimized roaming; in this mode,
@@ -881,13 +879,13 @@ fast_reauth=1
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
# (3 = require both keys; default)
-# Note: When using wired authentication (including macsec_qca driver),
+# Note: When using wired authentication (including MACsec drivers),
# eapol_flags must be set to 0 for the authentication to be completed
# successfully.
#
# macsec_policy: IEEE 802.1X/MACsec options
-# This determines how sessions are secured with MACsec. It is currently
-# applicable only when using the macsec_qca driver interface.
+# This determines how sessions are secured with MACsec (only for MACsec
+# drivers).
# 0: MACsec not in use (default)
# 1: MACsec enabled - Should secure, accept key server's advice to
# determine whether to use a secure session or not.
--
2.7.4

120
macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch Normal file
View File

@ -0,0 +1,120 @@
From 7508c2ad99cef6d0691190063ec7735b7759f836 Mon Sep 17 00:00:00 2001
Message-Id: <7508c2ad99cef6d0691190063ec7735b7759f836.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Fri, 16 Dec 2016 01:40:53 +0530
Subject: [PATCH] PAE: Make KaY specific details available via control
interface
Add KaY details to the STATUS command output.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@hpe.com>
---
src/pae/ieee802_1x_kay.c | 49 +++++++++++++++++++++++++++++++++++++++++++++
src/pae/ieee802_1x_kay.h | 3 +++
wpa_supplicant/ctrl_iface.c | 6 ++++++
3 files changed, 58 insertions(+)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 1d6d9a9..cf5782a 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1641,6 +1641,7 @@ ieee802_1x_mka_decode_dist_sak_body(
ieee802_1x_cp_signal_newsak(kay->cp);
ieee802_1x_cp_sm_step(kay->cp);
+ kay->rcvd_keys++;
participant->to_use_sak = TRUE;
return 0;
@@ -3519,3 +3520,51 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
return 0;
}
+
+
+#ifdef CONFIG_CTRL_IFACE
+/**
+ * ieee802_1x_kay_get_status - Get IEEE 802.1X KaY status details
+ * @sm: Pointer to KaY allocated with ieee802_1x_kay_init()
+ * @buf: Buffer for status information
+ * @buflen: Maximum buffer length
+ * @verbose: Whether to include verbose status information
+ * Returns: Number of bytes written to buf.
+ *
+ * Query KAY status information. This function fills in a text area with current
+ * status information. If the buffer (buf) is not large enough, status
+ * information will be truncated to fit the buffer.
+ */
+int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
+ size_t buflen)
+{
+ int len;
+
+ if (!kay)
+ return 0;
+
+ len = os_snprintf(buf, buflen,
+ "PAE KaY status=%s\n"
+ "Authenticated=%s\n"
+ "Secured=%s\n"
+ "Failed=%s\n"
+ "Actor Priority=%u\n"
+ "Key Server Priority=%u\n"
+ "Is Key Server=%s\n"
+ "Number of Keys Distributed=%u\n"
+ "Number of Keys Received=%u\n",
+ kay->active ? "Active" : "Not-Active",
+ kay->authenticated ? "Yes" : "No",
+ kay->secured ? "Yes" : "No",
+ kay->failed ? "Yes" : "No",
+ kay->actor_priority,
+ kay->key_server_priority,
+ kay->is_key_server ? "Yes" : "No",
+ kay->dist_kn - 1,
+ kay->rcvd_keys);
+ if (os_snprintf_error(buflen, len))
+ return 0;
+
+ return len;
+}
+#endif /* CONFIG_CTRL_IFACE */
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 9a92d1c..b38e814 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -208,6 +208,7 @@ struct ieee802_1x_kay {
int mka_algindex; /* MKA alg table index */
u32 dist_kn;
+ u32 rcvd_keys;
u8 dist_an;
time_t dist_time;
@@ -267,5 +268,7 @@ int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
+int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
+ size_t buflen);
#endif /* IEEE802_1X_KAY_H */
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index c943dee..624e894 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -2050,6 +2050,12 @@ static int wpa_supplicant_ctrl_iface_status(struct wpa_supplicant *wpa_s,
pos += res;
}
+#ifdef CONFIG_MACSEC
+ res = ieee802_1x_kay_get_status(wpa_s->kay, pos, end - pos);
+ if (res > 0)
+ pos += res;
+#endif /* CONFIG_MACSEC */
+
sess_id = eapol_sm_get_session_id(wpa_s->eapol, &sess_id_len);
if (sess_id) {
char *start = pos;
--
2.7.4

176
macsec-0032-mka-Make-MKA-actor-priority-configurable.patch Normal file
View File

@ -0,0 +1,176 @@
From 65dfa872862641c17e4f6276c56fad0a6c18d219 Mon Sep 17 00:00:00 2001
Message-Id: <65dfa872862641c17e4f6276c56fad0a6c18d219.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Mon, 5 Dec 2016 06:53:55 -0800
Subject: [PATCH] mka: Make MKA actor priority configurable
This adds a new wpa_supplicant network profile parameter
mka_priority=0..255 to set the priority of the MKA Actor.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
src/pae/ieee802_1x_kay.c | 4 ++--
src/pae/ieee802_1x_kay.h | 2 +-
wpa_supplicant/config.c | 5 +++++
wpa_supplicant/config_file.c | 2 ++
wpa_supplicant/config_ssid.h | 7 +++++++
wpa_supplicant/wpa_cli.c | 1 +
wpa_supplicant/wpa_supplicant.conf | 8 +++++---
wpa_supplicant/wpas_kay.c | 3 ++-
8 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index cf5782a..1004b32 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3083,7 +3083,7 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
*/
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
- u16 port, const char *ifname, const u8 *addr)
+ u16 port, u8 priority, const char *ifname, const u8 *addr)
{
struct ieee802_1x_kay *kay;
@@ -3106,7 +3106,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
os_strlcpy(kay->if_name, ifname, IFNAMSIZ);
os_memcpy(kay->actor_sci.addr, addr, ETH_ALEN);
kay->actor_sci.port = host_to_be16(port ? port : 0x0001);
- kay->actor_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
+ kay->actor_priority = priority;
/* While actor acts as a key server, shall distribute sakey */
kay->dist_kn = 1;
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index b38e814..8f394fd 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -236,7 +236,7 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
- u16 port, const char *ifname, const u8 *addr);
+ u16 port, u8 priority, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
struct ieee802_1x_mka_participant *
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 2120a6e..2a26d2d 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -11,6 +11,7 @@
#include "common.h"
#include "utils/uuid.h"
#include "utils/ip_addr.h"
+#include "common/ieee802_1x_defs.h"
#include "crypto/sha1.h"
#include "rsn_supp/wpa.h"
#include "eap_peer/eap.h"
@@ -2127,6 +2128,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(macsec_policy, 0, 1) },
{ INT_RANGE(macsec_integ_only, 0, 1) },
{ INT_RANGE(macsec_port, 1, 65534) },
+ { INT_RANGE(mka_priority, 0, 255) },
{ FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
@@ -2617,6 +2619,9 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid)
#ifdef CONFIG_IEEE80211W
ssid->ieee80211w = MGMT_FRAME_PROTECTION_DEFAULT;
#endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_MACSEC
+ ssid->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
+#endif /* CONFIG_MACSEC */
ssid->mac_addr = -1;
}
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index b9b1d4d..98e3591 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -19,6 +19,7 @@
#include "config.h"
#include "base64.h"
#include "uuid.h"
+#include "common/ieee802_1x_defs.h"
#include "p2p/p2p.h"
#include "eap_peer/eap_methods.h"
#include "eap_peer/eap.h"
@@ -813,6 +814,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
write_mka_ckn(f, ssid);
INT(macsec_integ_only);
INT(macsec_port);
+ INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index fe0f7fa..69ace37 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -751,6 +751,13 @@ struct wpa_ssid {
int macsec_port;
/**
+ * mka_priority - Priority of MKA Actor
+ *
+ * Range: 0-255 (default: 255)
+ */
+ int mka_priority;
+
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_LEN 32
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index f11028a..21adc17 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1392,6 +1392,7 @@ static const char *network_fields[] = {
"macsec_policy",
"macsec_integ_only",
"macsec_port",
+ "mka_priority",
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
"update_identifier",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index edb230d..94cef4a 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -901,13 +901,15 @@ fast_reauth=1
# Port component of the SCI
# Range: 1-65534 (default: 1)
#
-# mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode
+# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
-# In this mode, instances of wpa_supplicant can act as peers, one of
-# which will become the key server and start distributing SAKs.
+# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
+# with lower priority will become the key server and start distributing SAKs.
# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
# hex-string (32 hex-digits)
# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
+# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
+# default priority
#
# mixed_cell: This option can be used to configure whether so called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index d3fefda..d087e00 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -233,7 +233,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_port,
- wpa_s->ifname, wpa_s->own_addr);
+ ssid->mka_priority, wpa_s->ifname,
+ wpa_s->own_addr);
if (res == NULL) {
os_free(kay_ctx);
return -1;
--
2.7.4

34
macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch Normal file
View File

@ -0,0 +1,34 @@
From 7faf403f9fb39fea9a0545025cc284ef05e022a7 Mon Sep 17 00:00:00 2001
Message-Id: <7faf403f9fb39fea9a0545025cc284ef05e022a7.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Fri, 6 Jan 2017 17:47:51 +0530
Subject: [PATCH] mka: Fix an incorrect update of participant->to_use_sak
API ieee802_1x_mka_decode_dist_sak_body() wrongly puts
participant->to_use_sak to TRUE, if Distributed SAK Parameter Set of
length 0 is received. In MACsec PSK mode, this stale incorrect value can
create problems while re-establishing CA. In MACsec PSK mode, CA goes
down if interface goes down and ideally we should be able to
re-establish the CA once interface comes up.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
src/pae/ieee802_1x_kay.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 1004b32..79a6878 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1559,7 +1559,7 @@ ieee802_1x_mka_decode_dist_sak_body(
ieee802_1x_cp_connect_authenticated(kay->cp);
ieee802_1x_cp_sm_step(kay->cp);
wpa_printf(MSG_WARNING, "KaY:The Key server advise no MACsec");
- participant->to_use_sak = TRUE;
+ participant->to_use_sak = FALSE;
return 0;
}
--
2.7.4

51
macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch Normal file
View File

@ -0,0 +1,51 @@
From e54691106b29f41aa3081b00eb4f48e411cebc72 Mon Sep 17 00:00:00 2001
Message-Id: <e54691106b29f41aa3081b00eb4f48e411cebc72.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Fri, 6 Jan 2017 15:27:10 +0530
Subject: [PATCH] mka: Some bug fixes for MACsec in PSK mode
Issue:
------
The test setup has 2 peers running MACsec in PSK mode, Peer A with
MAC address higher than MAC Address of peer B. Test sequence is
1. Peer B starts with actor_priority 255
2. Peer A starts with priority 16, becomes key server.
3. Peer A stops..
4. Peer A restarts with priority 255, but because of the stale values
participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
it continues to remain as Key Server.
5. For peer B, key server election happens and since it has lower MAC
address as compared to MAC address of A, it becomes the key server.
Now we have 2 key servers in CA and is not correct.
Root-cause & fix:
-----------------
When number of live peers become 0, the flags such lrx, ltx, orx,
otx, etc. need to be cleared. In MACsec PSK mode, these stale values
create problems while re-establishing CA.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
src/pae/ieee802_1x_kay.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 79a6878..92fd7ba 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
participant->advised_capability =
MACSEC_CAP_NOT_IMPLEMENTED;
participant->to_use_sak = FALSE;
+ participant->ltx = FALSE;
+ participant->lrx = FALSE;
+ participant->otx = FALSE;
+ participant->orx = FALSE;
+ participant->is_key_server = FALSE;
+ participant->is_elected = FALSE;
kay->authenticated = TRUE;
kay->secured = FALSE;
kay->failed = FALSE;
--
2.7.4

70
macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch Normal file
View File

@ -0,0 +1,70 @@
From 37e9f511eb0072dbce190cb21e2d48f022173b03 Mon Sep 17 00:00:00 2001
Message-Id: <37e9f511eb0072dbce190cb21e2d48f022173b03.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Tue, 7 Feb 2017 14:28:31 +0530
Subject: [PATCH] mka: Send MKPDUs forever if mode is PSK
Issue: When 2 peers are running MACsec in PSK mode with CA
established, if the interface goes down and comes up after
time > 10 seconds, CA does not get re-established.
Root cause: This is because retry_count of both the peers
would have reached MAX_RETRY_CNT and stays idle for other to
respond. This is clear deadlock situation where peer A waits
for MKA packets from peer B to wake up and vice-versa.
Fix: If MACsec is running in PSK mode, we should send MKPDUs
forever for every 2 seconds.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
src/pae/ieee802_1x_kay.c | 6 ++++--
src/pae/ieee802_1x_kay_i.h | 1 +
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 92fd7ba..e420fc1 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2428,7 +2428,8 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
participant->new_sak = FALSE;
}
- if (participant->retry_count < MAX_RETRY_CNT) {
+ if (participant->retry_count < MAX_RETRY_CNT ||
+ participant->mode == PSK) {
ieee802_1x_participant_send_mkpdu(participant);
participant->retry_count++;
}
@@ -2828,7 +2829,7 @@ int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay)
if (!principal)
return -1;
- if (principal->retry_count < MAX_RETRY_CNT) {
+ if (principal->retry_count < MAX_RETRY_CNT || principal->mode == PSK) {
ieee802_1x_participant_send_mkpdu(principal);
principal->retry_count++;
}
@@ -3368,6 +3369,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn,
participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
usecs / 1000000;
}
+ participant->mode = mode;
return participant;
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
index 0c4bb8e..bc522d8 100644
--- a/src/pae/ieee802_1x_kay_i.h
+++ b/src/pae/ieee802_1x_kay_i.h
@@ -93,6 +93,7 @@ struct ieee802_1x_mka_participant {
Boolean active;
Boolean participant;
Boolean retain;
+ enum mka_created_mode mode;
enum { DEFAULT, DISABLED, ON_OPER_UP, ALWAYS } activate;
--
2.7.4

47
macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch Normal file
View File

@ -0,0 +1,47 @@
From 128f6a98b3d4d6ed103db759707309f451db9682 Mon Sep 17 00:00:00 2001
Message-Id: <128f6a98b3d4d6ed103db759707309f451db9682.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Sat, 18 Feb 2017 05:14:15 -0800
Subject: [PATCH] mka: Fix the order of operations in secure channel deletion
The correct order of deleting a secure channel is to purge all the
secure associations in the channel before actually deleting the secure
channel.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
src/pae/ieee802_1x_kay.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index e420fc1..3f9e53d 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2361,9 +2361,9 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
&participant->rxsc_list,
struct receive_sc, list) {
if (sci_equal(&rxsc->sci, &peer->sci)) {
- secy_delete_receive_sc(kay, rxsc);
ieee802_1x_kay_deinit_receive_sc(
participant, rxsc);
+ secy_delete_receive_sc(kay, rxsc);
}
}
dl_list_del(&peer->list);
@@ -3432,11 +3432,11 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
while (!dl_list_empty(&participant->rxsc_list)) {
rxsc = dl_list_entry(participant->rxsc_list.next,
struct receive_sc, list);
- secy_delete_receive_sc(kay, rxsc);
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
+ secy_delete_receive_sc(kay, rxsc);
}
- secy_delete_transmit_sc(kay, participant->txsc);
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
+ secy_delete_transmit_sc(kay, participant->txsc);
os_memset(&participant->cak, 0, sizeof(participant->cak));
os_memset(&participant->kek, 0, sizeof(participant->kek));
--
2.7.4

78
wpa_supplicant.spec
View File

@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant Name: wpa_supplicant
Epoch: 1 Epoch: 1
Version: 2.6 Version: 2.6
Release: 3%{?dist} Release: 4%{?dist}
License: BSD License: BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -35,6 +35,43 @@ Patch6: wpa_supplicant-gui-qt4.patch
# dcbw states (2015-04): # dcbw states (2015-04):
# "upstream doesn't like that patch so it's been discussed and I think rejected" # "upstream doesn't like that patch so it's been discussed and I think rejected"
Patch8: rh837402-less-aggressive-roaming.patch Patch8: rh837402-less-aggressive-roaming.patch
# backport of macsec series
Patch9: macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
Patch10: macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
Patch11: macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
Patch12: macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
Patch13: macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
Patch14: macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
Patch15: macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
Patch16: macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
Patch17: macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
Patch18: macsec-0010-mka-Add-support-for-removing-SAs.patch
Patch19: macsec-0011-mka-Implement-reference-counting-on-data_key.patch
Patch20: macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
Patch21: macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
Patch22: macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
Patch23: macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
Patch24: macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
Patch25: macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
Patch26: macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
Patch27: macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
Patch28: macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
Patch29: macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
Patch30: macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
Patch31: macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
Patch32: macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
Patch33: macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
Patch34: macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
Patch35: macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
Patch36: macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
Patch37: macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
Patch38: macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
Patch39: macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
Patch40: macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
Patch41: macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
Patch42: macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
Patch43: macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
URL: http://w1.fi/wpa_supplicant/ URL: http://w1.fi/wpa_supplicant/
@ -85,6 +122,42 @@ Graphical User Interface for wpa_supplicant written using QT
%patch3 -p1 -b .quiet-scan-results-msg %patch3 -p1 -b .quiet-scan-results-msg
%patch6 -p1 -b .qt4 %patch6 -p1 -b .qt4
%patch8 -p1 -b .rh837402-less-aggressive-roaming %patch8 -p1 -b .rh837402-less-aggressive-roaming
%patch9 -p1 -b .macsec-0001
%patch10 -p1 -b .macsec-0002
%patch11 -p1 -b .macsec-0003
%patch12 -p1 -b .macsec-0004
%patch13 -p1 -b .macsec-0005
%patch14 -p1 -b .macsec-0006
%patch15 -p1 -b .macsec-0007
%patch16 -p1 -b .macsec-0008
%patch17 -p1 -b .macsec-0009
%patch18 -p1 -b .macsec-0010
%patch19 -p1 -b .macsec-0011
%patch20 -p1 -b .macsec-0012
%patch21 -p1 -b .macsec-0013
%patch22 -p1 -b .macsec-0014
%patch23 -p1 -b .macsec-0015
%patch24 -p1 -b .macsec-0016
%patch25 -p1 -b .macsec-0017
%patch26 -p1 -b .macsec-0018
%patch27 -p1 -b .macsec-0019
%patch28 -p1 -b .macsec-0020
%patch29 -p1 -b .macsec-0021
%patch30 -p1 -b .macsec-0022
%patch31 -p1 -b .macsec-0023
%patch32 -p1 -b .macsec-0024
%patch33 -p1 -b .macsec-0025
%patch34 -p1 -b .macsec-0026
%patch35 -p1 -b .macsec-0027
%patch36 -p1 -b .macsec-0028
%patch37 -p1 -b .macsec-0029
%patch38 -p1 -b .macsec-0030
%patch39 -p1 -b .macsec-0031
%patch40 -p1 -b .macsec-0032
%patch41 -p1 -b .macsec-0033
%patch42 -p1 -b .macsec-0034
%patch43 -p1 -b .macsec-0035
%patch44 -p1 -b .macsec-0036
%build %build
pushd wpa_supplicant pushd wpa_supplicant
@ -185,6 +258,9 @@ chmod -R 0644 %{name}/examples/*.py
%endif %endif
%changelog %changelog
* Thu Mar 2 2017 Davide Caratti <dcaratti@redhat.com> - 1:2.6-4
- Backport support for IEEE 802.1AE (macsec)
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-3 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild