mka: Add driver op to get macsec capabilities
This also implements the macsec_get_capability op for the macsec_qca driver to maintain the existing behavior.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
parent
53b2555f67
commit
a25e4efc9e
8 changed files with 72 additions and 2 deletions
|
@ -3297,6 +3297,14 @@ struct wpa_driver_ops {
|
||||||
|
|
||||||
int (*macsec_deinit)(void *priv);
|
int (*macsec_deinit)(void *priv);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* macsec_get_capability - Inform MKA of this driver's capability
|
||||||
|
* @priv: Private driver interface data
|
||||||
|
* @cap: Driver's capability
|
||||||
|
* Returns: 0 on success, -1 on failure
|
||||||
|
*/
|
||||||
|
int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* enable_protect_frames - Set protect frames status
|
* enable_protect_frames - Set protect frames status
|
||||||
* @priv: Private driver interface data
|
* @priv: Private driver interface data
|
||||||
|
|
|
@ -458,6 +458,16 @@ static int macsec_qca_macsec_deinit(void *priv)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int macsec_qca_get_capability(void *priv, enum macsec_cap *cap)
|
||||||
|
{
|
||||||
|
wpa_printf(MSG_DEBUG, "%s", __func__);
|
||||||
|
|
||||||
|
*cap = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int macsec_qca_enable_protect_frames(void *priv, Boolean enabled)
|
static int macsec_qca_enable_protect_frames(void *priv, Boolean enabled)
|
||||||
{
|
{
|
||||||
struct macsec_qca_data *drv = priv;
|
struct macsec_qca_data *drv = priv;
|
||||||
|
@ -889,6 +899,7 @@ const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
|
||||||
|
|
||||||
.macsec_init = macsec_qca_macsec_init,
|
.macsec_init = macsec_qca_macsec_init,
|
||||||
.macsec_deinit = macsec_qca_macsec_deinit,
|
.macsec_deinit = macsec_qca_macsec_deinit,
|
||||||
|
.macsec_get_capability = macsec_qca_get_capability,
|
||||||
.enable_protect_frames = macsec_qca_enable_protect_frames,
|
.enable_protect_frames = macsec_qca_enable_protect_frames,
|
||||||
.set_replay_protect = macsec_qca_set_replay_protect,
|
.set_replay_protect = macsec_qca_set_replay_protect,
|
||||||
.set_current_cipher_suite = macsec_qca_set_current_cipher_suite,
|
.set_current_cipher_suite = macsec_qca_set_current_cipher_suite,
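Review bot: macsec_qca_get_capability() reports a constant and never consults the hardware, and nothing in the function says so. The commit message explains that this keeps the value KaY used to hard-code, but ieee802_1x_kay_init() now derives the confidentiality setting from this answer, so a reader of the driver should be able to see that it is an assumption rather than a probed value. I would add a comment above the assignment such as `/* Fixed value carried over from the old KaY default; not queried from the hardware. */`. The function also ignores `priv`; if that is intentional, the same comment can say so.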
|
||||||
|
|
|
@ -3069,13 +3069,20 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
kay->macsec_replay_window = 0;
|
kay->macsec_replay_window = 0;
|
||||||
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
||||||
} else {
|
} else {
|
||||||
kay->macsec_capable = MACSEC_CAP_INTEG_AND_CONF_0_30_50;
|
if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
|
||||||
|
os_free(kay);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
kay->macsec_desired = TRUE;
|
kay->macsec_desired = TRUE;
|
||||||
kay->macsec_protect = TRUE;
|
kay->macsec_protect = TRUE;
|
||||||
kay->macsec_validate = Strict;
|
kay->macsec_validate = Strict;
|
||||||
kay->macsec_replay_protect = FALSE;
|
kay->macsec_replay_protect = FALSE;
|
||||||
kay->macsec_replay_window = 0;
|
kay->macsec_replay_window = 0;
|
||||||
|
if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
|
||||||
kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
|
kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
|
||||||
|
else
|
||||||
|
kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
|
||||||
}
|
}
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "KaY: state machine created");
|
wpa_printf(MSG_DEBUG, "KaY: state machine created");
|
||||||
|
@ -3409,6 +3416,7 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
|
||||||
unsigned int cs_index)
|
unsigned int cs_index)
|
||||||
{
|
{
|
||||||
struct ieee802_1x_mka_participant *participant;
|
struct ieee802_1x_mka_participant *participant;
|
||||||
|
enum macsec_cap secy_cap;
|
||||||
|
|
||||||
if (!kay)
|
if (!kay)
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -3427,6 +3435,12 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
|
||||||
kay->macsec_csindex = cs_index;
|
kay->macsec_csindex = cs_index;
|
||||||
kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
|
kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
|
||||||
|
|
||||||
|
if (secy_get_capability(kay, &secy_cap) < 0)
|
||||||
|
return -3;
|
||||||
|
|
||||||
|
if (kay->macsec_capable > secy_cap)
|
||||||
|
kay->macsec_capable = secy_cap;
|
||||||
|
|
||||||
participant = ieee802_1x_kay_get_principal_participant(kay);
|
participant = ieee802_1x_kay_get_principal_participant(kay);
|
||||||
if (participant) {
|
if (participant) {
|
||||||
wpa_printf(MSG_INFO, "KaY: Cipher Suite changed");
|
wpa_printf(MSG_INFO, "KaY: Cipher Suite changed");
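Review bot: In the ieee802_1x_kay_init() hunk the new else branch assigns `MACSEC_CAP_INTEGRITY` to `kay->macsec_confidentiality`, but that constant belongs to the capability enum compared on the line above, while the field is otherwise set to `CONFIDENTIALITY_NONE` or `CONFIDENTIALITY_OFFSET_0` in this hunk. Whatever integer it maps to will be read as a confidentiality offset, so an integrity-only SecY may end up configured as if it offered confidentiality (the enum definitions are not in view, so the exact value should be checked); the branch should read `kay->macsec_confidentiality = CONFIDENTIALITY_NONE;`. In ieee802_1x_kay_change_cipher_suite() the `return -3` comes after `macsec_csindex` and `macsec_capable` have already been overwritten, so a driver failure leaves the KaY on the new cipher suite with a capability that was never clamped to the driver's. Calling `secy_get_capability()` before those two assignments avoids that. Both functions start and end outside their hunks.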
|
||||||
|
|
|
@ -138,6 +138,7 @@ struct ieee802_1x_kay_ctx {
|
||||||
/* abstract wpa driver interface */
|
/* abstract wpa driver interface */
|
||||||
int (*macsec_init)(void *ctx, struct macsec_init_params *params);
|
int (*macsec_init)(void *ctx, struct macsec_init_params *params);
|
||||||
int (*macsec_deinit)(void *ctx);
|
int (*macsec_deinit)(void *ctx);
|
||||||
|
int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
|
||||||
int (*enable_protect_frames)(void *ctx, Boolean enabled);
|
int (*enable_protect_frames)(void *ctx, Boolean enabled);
|
||||||
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
|
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
|
||||||
int (*set_current_cipher_suite)(void *ctx, u64 cs);
|
int (*set_current_cipher_suite)(void *ctx, u64 cs);
|
||||||
|
|
|
@ -113,6 +113,26 @@ int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean enabled)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap)
|
||||||
|
{
|
||||||
|
struct ieee802_1x_kay_ctx *ops;
|
||||||
|
|
||||||
|
if (!kay) {
|
||||||
|
wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
ops = kay->ctx;
|
||||||
|
if (!ops || !ops->macsec_get_capability) {
|
||||||
|
wpa_printf(MSG_ERROR,
|
||||||
|
"KaY: secy macsec_get_capability operation not supported");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ops->macsec_get_capability(ops->ctx, cap);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
|
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
|
||||||
struct receive_sa *rxsa)
|
struct receive_sa *rxsa)
|
||||||
{
|
{
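Review bot: secy_get_capability() logs "params invalid" for a NULL `kay` only, and `cap` is handed to the driver callback unchecked; macsec_qca_get_capability() in this commit then writes through it unconditionally. Both callers added here pass the address of a real object, so this is hardening rather than a live bug; `if (!kay || !cap) {` would make the guard match its message. A one-line comment stating that `*cap` is left untouched on failure would also help callers such as ieee802_1x_kay_change_cipher_suite(), which passes an uninitialised local.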
|
||||||
|
|
|
@ -28,6 +28,7 @@ int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
|
||||||
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
|
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
|
||||||
|
|
||||||
/****** KaY -> SecY *******/
|
/****** KaY -> SecY *******/
|
||||||
|
int secy_get_capability(struct ieee802_1x_kay *kay, enum macsec_cap *cap);
|
||||||
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
|
int secy_get_receive_lowest_pn(struct ieee802_1x_kay *kay,
|
||||||
struct receive_sa *rxsa);
|
struct receive_sa *rxsa);
|
||||||
int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
|
int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay,
|
||||||
|
|
|
@ -715,6 +715,14 @@ static inline int wpa_drv_macsec_deinit(struct wpa_supplicant *wpa_s)
|
||||||
return wpa_s->driver->macsec_deinit(wpa_s->drv_priv);
|
return wpa_s->driver->macsec_deinit(wpa_s->drv_priv);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int wpa_drv_macsec_get_capability(struct wpa_supplicant *wpa_s,
|
||||||
|
enum macsec_cap *cap)
|
||||||
|
{
|
||||||
|
if (!wpa_s->driver->macsec_get_capability)
|
||||||
|
return -1;
|
||||||
|
return wpa_s->driver->macsec_get_capability(wpa_s->drv_priv, cap);
|
||||||
|
}
|
||||||
|
|
||||||
static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
|
static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
|
||||||
Boolean enabled)
|
Boolean enabled)
|
||||||
{
|
{
|
||||||
|
|
|
@ -38,6 +38,12 @@ static int wpas_macsec_deinit(void *priv)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_macsec_get_capability(void *priv, enum macsec_cap *cap)
|
||||||
|
{
|
||||||
|
return wpa_drv_macsec_get_capability(priv, cap);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
|
static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
|
||||||
{
|
{
|
||||||
return wpa_drv_enable_protect_frames(wpa_s, enabled);
|
return wpa_drv_enable_protect_frames(wpa_s, enabled);
|
||||||
|
@ -191,6 +197,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
||||||
|
|
||||||
kay_ctx->macsec_init = wpas_macsec_init;
|
kay_ctx->macsec_init = wpas_macsec_init;
|
||||||
kay_ctx->macsec_deinit = wpas_macsec_deinit;
|
kay_ctx->macsec_deinit = wpas_macsec_deinit;
|
||||||
|
kay_ctx->macsec_get_capability = wpas_macsec_get_capability;
|
||||||
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
|
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
|
||||||
kay_ctx->set_replay_protect = wpas_set_replay_protect;
|
kay_ctx->set_replay_protect = wpas_set_replay_protect;
|
||||||
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
|
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
|
||||||
|
|