2016-10-03, 13:32:10 +0300, Jouni Malinen wrote:
> On Tue, Sep 20, 2016 at 09:43:11AM +0200, Sabrina Dubroca wrote:
>
> > src/drivers/driver.h | 2 ++
> > src/pae/ieee802_1x_kay.c | 15 +++++++++++++--
> > src/pae/ieee802_1x_kay.h | 1 +
> > src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
> > src/pae/ieee802_1x_secy_ops.h | 1 +
> > wpa_supplicant/driver_i.h | 9 +++++++++
> > wpa_supplicant/wpas_kay.c | 7 +++++++
> > 7 files changed, 53 insertions(+), 2 deletions(-)
>
> So no changes to src/drivers/driver_macsec_qca.c?
>
> > * enable_protect_frames - Set protect frames status
> > * @priv: Private driver interface data
> > diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> > @@ -3412,6 +3417,12 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
> > kay->macsec_csindex = cs_index;
> > kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
> >
> > + if (secy_get_capability(kay, &secy_cap) < 0)
> > + return -3;
>
> Wouldn't this call to secy_get_capability() return -1 for unmodified
> driver_macsec_qca.c and as such, this patch would break that driver
> wrapper?

Not really, because (luckily?) this function
(ieee802_1x_kay_change_cipher_suite) is never called. In
ieee802_1x_kay_init I added a fallback so that if a driver doesn't
tell us its capability, we assume it can do everything.

But, yes, this is broken. I see a few options here:

1) fallback in both ieee802_1x_kay_init and
   ieee802_1x_kay_change_cipher_suite.
2) fallback, and implement macsec_get_capability op in
   driver_macsec_qca.c.
3) no fallback, just implement macsec_get_capability op in
   driver_macsec_qca.c.

I'd lean towards option 3 and will update the patch, unless you prefer
something else?

Thanks,

--
Sabrina
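
Review bot: in the ieee802_1x_kay_change_cipher_suite hunk, the new secy_get_capability() check sits after kay->macsec_csindex and kay->macsec_capable have already been assigned, so the "return -3" path leaves the KaY with the new cipher suite index and capability while reporting failure to the caller. Query the capability before those two assignments, or restore the previous values on the error path, so a failed change does not leave the state half updated. The bare -3 is also worth a comment or a named constant so callers can tell this failure from the function's other error returns.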