[PATCH] mka: fix getting capabilities from the driver

Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> · Tue, 15 Nov 2016 18:06:23 +0100

In commit a25e4efc9e42 ("mka: Add driver op to get macsec capabilities")
I added some code to check the driver's capabilites. This commit has two
problems:
 - wrong enum type set in kay->macsec_confidentiality
 - ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
   which case the MKA would claim that MACsec is supported.

Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
DO_NOT_SECURE policy, and set the correct value in
kay->macsec_confidentiality.

Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 63bbd135213a..99bc3f2c24a5 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3111,7 +3111,15 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 
 	dl_list_init(&kay->participant_list);
 
-	if (policy == DO_NOT_SECURE) {
+	if (policy != DO_NOT_SECURE) {
+		if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
+			os_free(kay);
+			return NULL;
+		}
+	}
+
+	if (policy == DO_NOT_SECURE ||
+	    kay->macsec_capable == MACSEC_CAP_NOT_IMPLEMENTED) {
 		kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
 		kay->macsec_desired = FALSE;
 		kay->macsec_protect = FALSE;
@@ -3120,11 +3128,6 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		kay->macsec_replay_window = 0;
 		kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 	} else {
-		if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
-			os_free(kay);
-			return NULL;
-		}
-
 		kay->macsec_desired = TRUE;
 		kay->macsec_protect = TRUE;
 		kay->macsec_validate = Strict;
@@ -3133,7 +3136,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
 			kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
 		else
-			kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
+			kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 	}
 
 	wpa_printf(MSG_DEBUG, "KaY: state machine created");
-- 
2.10.2


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap






