DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

mka: Allow configuration of MACsec replay protection

Browse source 
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
This commit is contained in:
Andrey Kartashev 2018-11-02 19:02:14 +01:00 committed by Jouni Malinen
parent e47c5227bd
commit e49b78c0d5
8 changed files with 57 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/pae/ieee802_1x_kay.c
View file

@ -1242,8 +1242,9 @@ ieee802_1x_mka_encode_sak_use_body(
return 0;
}
/* data protect, lowest accept packet number */
/* data delay protect */
body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
/* lowest accept packet number */
pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
if (pn > kay->pn_exhaustion) {
wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
@ -3252,6 +3253,7 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
*/
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
Boolean macsec_replay_protect, u32 macsec_replay_window,
u16 port, u8 priority, const char *ifname, const u8 *addr)
{
struct ieee802_1x_kay *kay;
@ -3320,8 +3322,8 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
}
kay->macsec_validate = Strict;
kay->macsec_replay_protect = FALSE;
kay->macsec_replay_window = 0;
kay->macsec_replay_protect = macsec_replay_protect;
kay->macsec_replay_window = macsec_replay_window;
kay->mka_hello_time = MKA_HELLO_TIME;
}

1
src/pae/ieee802_1x_kay.h
View file

@ -239,6 +239,7 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
Boolean macsec_replay_protect, u32 macsec_replay_window,
u16 port, u8 priority, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);