mka: Allow configuration of MACsec replay protection
Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
This commit is contained in:
parent
e47c5227bd
commit
e49b78c0d5
8 changed files with 57 additions and 4 deletions
|
@ -1242,8 +1242,9 @@ ieee802_1x_mka_encode_sak_use_body(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* data protect, lowest accept packet number */
|
/* data delay protect */
|
||||||
body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
|
body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
|
||||||
|
/* lowest accept packet number */
|
||||||
pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
|
pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
|
||||||
if (pn > kay->pn_exhaustion) {
|
if (pn > kay->pn_exhaustion) {
|
||||||
wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
|
wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
|
||||||
|
@ -3252,6 +3253,7 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
|
||||||
*/
|
*/
|
||||||
struct ieee802_1x_kay *
|
struct ieee802_1x_kay *
|
||||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
|
Boolean macsec_replay_protect, u32 macsec_replay_window,
|
||||||
u16 port, u8 priority, const char *ifname, const u8 *addr)
|
u16 port, u8 priority, const char *ifname, const u8 *addr)
|
||||||
{
|
{
|
||||||
struct ieee802_1x_kay *kay;
|
struct ieee802_1x_kay *kay;
|
||||||
|
@ -3320,8 +3322,8 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
|
||||||
}
|
}
|
||||||
kay->macsec_validate = Strict;
|
kay->macsec_validate = Strict;
|
||||||
kay->macsec_replay_protect = FALSE;
|
kay->macsec_replay_protect = macsec_replay_protect;
|
||||||
kay->macsec_replay_window = 0;
|
kay->macsec_replay_window = macsec_replay_window;
|
||||||
kay->mka_hello_time = MKA_HELLO_TIME;
|
kay->mka_hello_time = MKA_HELLO_TIME;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -239,6 +239,7 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);
|
||||||
|
|
||||||
struct ieee802_1x_kay *
|
struct ieee802_1x_kay *
|
||||||
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
|
Boolean macsec_replay_protect, u32 macsec_replay_window,
|
||||||
u16 port, u8 priority, const char *ifname, const u8 *addr);
|
u16 port, u8 priority, const char *ifname, const u8 *addr);
|
||||||
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
|
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
|
||||||
|
|
||||||
|
|
|
@ -2376,6 +2376,8 @@ static const struct parse_data ssid_fields[] = {
|
||||||
#ifdef CONFIG_MACSEC
|
#ifdef CONFIG_MACSEC
|
||||||
{ INT_RANGE(macsec_policy, 0, 1) },
|
{ INT_RANGE(macsec_policy, 0, 1) },
|
||||||
{ INT_RANGE(macsec_integ_only, 0, 1) },
|
{ INT_RANGE(macsec_integ_only, 0, 1) },
|
||||||
|
{ INT_RANGE(macsec_replay_protect, 0, 1) },
|
||||||
|
{ INT(macsec_replay_window) },
|
||||||
{ INT_RANGE(macsec_port, 1, 65534) },
|
{ INT_RANGE(macsec_port, 1, 65534) },
|
||||||
{ INT_RANGE(mka_priority, 0, 255) },
|
{ INT_RANGE(mka_priority, 0, 255) },
|
||||||
{ FUNC_KEY(mka_cak) },
|
{ FUNC_KEY(mka_cak) },
|
||||||
|
|
|
@ -862,6 +862,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
||||||
write_mka_cak(f, ssid);
|
write_mka_cak(f, ssid);
|
||||||
write_mka_ckn(f, ssid);
|
write_mka_ckn(f, ssid);
|
||||||
INT(macsec_integ_only);
|
INT(macsec_integ_only);
|
||||||
|
INT(macsec_replay_protect);
|
||||||
|
INT(macsec_replay_window);
|
||||||
INT(macsec_port);
|
INT(macsec_port);
|
||||||
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
|
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
|
||||||
#endif /* CONFIG_MACSEC */
|
#endif /* CONFIG_MACSEC */
|
||||||
|
|
|
@ -802,6 +802,33 @@ struct wpa_ssid {
|
||||||
*/
|
*/
|
||||||
int macsec_integ_only;
|
int macsec_integ_only;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* macsec_replay_protect - Enable MACsec replay protection
|
||||||
|
*
|
||||||
|
* This setting applies only when MACsec is in use, i.e.,
|
||||||
|
* - macsec_policy is enabled
|
||||||
|
* - the key server has decided to enable MACsec
|
||||||
|
*
|
||||||
|
* 0: Replay protection disabled (default)
|
||||||
|
* 1: Replay protection enabled
|
||||||
|
*/
|
||||||
|
int macsec_replay_protect;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* macsec_replay_window - MACsec replay protection window
|
||||||
|
*
|
||||||
|
* A window in which replay is tolerated, to allow receipt of frames
|
||||||
|
* that have been misordered by the network.
|
||||||
|
*
|
||||||
|
* This setting applies only when MACsec replay protection active, i.e.,
|
||||||
|
* - macsec_replay_protect is enabled
|
||||||
|
* - the key server has decided to enable MACsec
|
||||||
|
*
|
||||||
|
* 0: No replay window, strict check (default)
|
||||||
|
* 1..2^32-1: number of packets that could be misordered
|
||||||
|
*/
|
||||||
|
u32 macsec_replay_window;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* macsec_port - MACsec port (in SCI)
|
* macsec_port - MACsec port (in SCI)
|
||||||
*
|
*
|
||||||
|
|
|
@ -1426,6 +1426,8 @@ static const char *network_fields[] = {
|
||||||
#ifdef CONFIG_MACSEC
|
#ifdef CONFIG_MACSEC
|
||||||
"macsec_policy",
|
"macsec_policy",
|
||||||
"macsec_integ_only",
|
"macsec_integ_only",
|
||||||
|
"macsec_replay_protect",
|
||||||
|
"macsec_replay_window",
|
||||||
"macsec_port",
|
"macsec_port",
|
||||||
"mka_priority",
|
"mka_priority",
|
||||||
#endif /* CONFIG_MACSEC */
|
#endif /* CONFIG_MACSEC */
|
||||||
|
|
|
@ -994,6 +994,22 @@ fast_reauth=1
|
||||||
# 0: Encrypt traffic (default)
|
# 0: Encrypt traffic (default)
|
||||||
# 1: Integrity only
|
# 1: Integrity only
|
||||||
#
|
#
|
||||||
|
# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
|
||||||
|
# This setting applies only when MACsec is in use, i.e.,
|
||||||
|
# - macsec_policy is enabled
|
||||||
|
# - the key server has decided to enable MACsec
|
||||||
|
# 0: Replay protection disabled (default)
|
||||||
|
# 1: Replay protection enabled
|
||||||
|
#
|
||||||
|
# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
|
||||||
|
# This determines a window in which replay is tolerated, to allow receipt
|
||||||
|
# of frames that have been misordered by the network.
|
||||||
|
# This setting applies only when MACsec replay protection active, i.e.,
|
||||||
|
# - macsec_replay_protect is enabled
|
||||||
|
# - the key server has decided to enable MACsec
|
||||||
|
# 0: No replay window, strict check (default)
|
||||||
|
# 1..2^32-1: number of packets that could be misordered
|
||||||
|
#
|
||||||
# macsec_port: IEEE 802.1X/MACsec port
|
# macsec_port: IEEE 802.1X/MACsec port
|
||||||
# Port component of the SCI
|
# Port component of the SCI
|
||||||
# Range: 1-65534 (default: 1)
|
# Range: 1-65534 (default: 1)
|
||||||
|
|
|
@ -239,7 +239,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
||||||
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
|
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
|
||||||
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
|
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
|
||||||
|
|
||||||
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_port,
|
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
|
||||||
|
ssid->macsec_replay_window, ssid->macsec_port,
|
||||||
ssid->mka_priority, wpa_s->ifname,
|
ssid->mka_priority, wpa_s->ifname,
|
||||||
wpa_s->own_addr);
|
wpa_s->own_addr);
|
||||||
/* ieee802_1x_kay_init() frees kay_ctx on failure */
|
/* ieee802_1x_kay_init() frees kay_ctx on failure */
|
||||||
|
|
Loading…
Reference in a new issue