From: Mike Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>

Commit 7b4d546e introduced policy setting SHOULD_ENCRYPT (MACsec provides integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides integrity only). In both cases the KaY is populating the "Confidentiality Offset" parameter within the "Distributed SAK parameter set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the parameter should be populated with CONFIDENTIALITY_NONE=0.

IEEE802.1X-2010 Table 11-6 and Figure 11-11 define how the two Confidentiality Offset bits in the "Distributed SAK parameter set" must be set: "0 if confidentiality not used" and "1 if confidentiality with no offset". When policy is SHOULD_SECURE KaY should send the former, and when policy is SHOULD_ENCRYPT KaY should send the latter.

Signed-off-by: Michael Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>
--- src/pae/ieee802_1x_kay.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index d77f81b7b..41e5a07e6 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -3159,6 +3159,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED; kay->macsec_desired = FALSE; kay->macsec_protect = FALSE; + kay->macsec_encrypt = FALSE; kay->macsec_validate = Disabled; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0;
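Review bot: with `kay->macsec_encrypt = FALSE;` now part of the default block in this first hunk, `kay->macsec_confidentiality` is the one policy-derived field that block still leaves unset; in the visible lines it is assigned only inside the `} else {` arm of the second hunk, so the non-secured path never initialises it in this function. Suggest adding `kay->macsec_confidentiality = CONFIDENTIALITY_NONE;` beside the new line so the Confidentiality Offset bits of the Distributed SAK parameter set have a defined value whichever branch is taken.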
@@ -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, } else { kay->macsec_desired = TRUE; kay->macsec_protect = TRUE; - kay->macsec_encrypt = policy == SHOULD_ENCRYPT; + if (policy == SHOULD_SECURE) { + kay->macsec_encrypt = FALSE; + kay->macsec_confidentiality = CONFIDENTIALITY_NONE; + } else { /* SHOULD_ENCRYPT */ + kay->macsec_encrypt = TRUE; + kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0; + } kay->macsec_validate = Strict; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; - if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF) - kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0; - else - kay->macsec_confidentiality = CONFIDENTIALITY_NONE; } wpa_printf(MSG_DEBUG, "KaY: state machine created"); -- 2.11.1
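Review bot: the new if/else in this second hunk drops the `kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF` gate, so SHOULD_ENCRYPT now selects CONFIDENTIALITY_OFFSET_0 regardless of what the MACsec implementation reports. Because the first hunk sets `kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;` just before this block, the removed check could only ever have produced CONFIDENTIALITY_NONE at this point, which is the very bug being fixed, but the commit message should state that the capability gate is being removed, and wherever macsec_capable is later updated it is worth confirming that an encrypt-policy KaY can actually deliver confidentiality rather than advertising offset 0 it cannot honour. Also, `} else { /* SHOULD_ENCRYPT */` treats every remaining enum macsec_policy value as encrypt; an explicit `else if (policy == SHOULD_ENCRYPT)` would make that assumption checkable if the enum grows.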