wpa_supplicant MACSEC: add option to always include ICV Indicator


 



Hello,

CISCO C3560CX (SW version 15.2(7)E8, SW image C3560CX-UNIVERSALK9-M) requires the ICV Indicator to be present even when the ICV is 16 bytes.
Therefore I would like to ask whether it is possible to add a config option to always send the ICV Indicator. (I've included my patch, which adds the macsec_icv_indicator config option.)

Thanks

Petr


diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h
--- a/src/ap/ap_config.h    2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/ap_config.h    2024-12-02 10:11:55.470226000 +0100
@@ -906,6 +906,13 @@
     int macsec_csindex;
 
     /**
+     * macsec_icv_indicator - Always include ICV Indicator
+     * (for compatibility with older MACSEC switches)
+     *
+     * Range: 0-1 (default: 0)
+     */
+    int macsec_icv_indicator;
+    /**
      * mka_ckn - MKA pre-shared CKN
      */
 #define MACSEC_CKN_MAX_LEN 32
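Review bot: The new `macsec_icv_indicator` field in the hostapd bss config has no parser in this patch: only wpa_supplicant/config.c and config_file.c learn the keyword, and there is no hostapd-side config hunk, so the AP path in the wpa_auth_kay.c hunk below presumably always hands ieee802_1x_kay_init the zero-initialised default. Either add the hostapd keyword (and its hostapd.conf documentation) or leave the AP-side plumbing out until it exists. Minor: unlike the config_ssid.h copy of the same field, this hunk leaves no blank line between `int macsec_icv_indicator;` and the `/**` block of mka_ckn, breaking the one-field-per-doc-block layout of the struct. The doc block could also state the protocol effect, e.g. `* 1 = always add the ICV Indicator parameter set to transmitted MKPDUs, even with the default 16-octet ICV (some peers require it)`.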
diff -Naur a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c
--- a/src/ap/wpa_auth_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/wpa_auth_kay.c    2024-12-02 10:10:27.603235000 +0100
@@ -331,6 +331,7 @@
                   hapd->conf->macsec_port,
                   hapd->conf->mka_priority,
                   hapd->conf->macsec_csindex,
+                  hapd->conf->macsec_icv_indicator,
                   hapd->conf->iface,
                   hapd->own_addr);
     /* ieee802_1x_kay_init() frees kay_ctx on failure */
diff -Naur a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
--- a/src/pae/ieee802_1x_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.c    2024-12-02 10:08:38.580487000 +0100
@@ -1871,7 +1871,7 @@
 
     /* Determine if we need space for the ICV Indicator */
     if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
-        DEFAULT_ICV_LEN)
+        DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)
         length = sizeof(struct ieee802_1x_mka_icv_body);
     else
         length = 0;
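Review bot: The extended test `icv_len != DEFAULT_ICV_LEN || participant->kay->include_icv_indicator` is now duplicated verbatim here and in the next hunk (the one logging `KaY: ICV Indicator`); the two must stay identical, because the space reserved by ieee802_1x_mka_get_icv_length and the bytes actually emitted would otherwise disagree and the MKPDU would be mis-sized. Factoring the test into one static helper removes that coupling and gives the new knob a documented home. As far as these hunks show, the option only changes what is transmitted; handling of the ICV in received MKPDUs is untouched, which is worth saying in the commit message. Both enclosing functions start and end outside their hunks.
```c
/* The ICV Indicator parameter set is mandatory for non-default ICV lengths;
 * include_icv_indicator forces it for peers that expect it regardless. */
static bool
ieee802_1x_mka_icv_indicator_needed(struct ieee802_1x_mka_participant *participant)
{
	struct ieee802_1x_kay *kay = participant->kay;

	return mka_alg_tbl[kay->mka_algindex].icv_len != DEFAULT_ICV_LEN ||
		kay->include_icv_indicator;
}

/* … unchanged: ieee802_1x_mka_get_icv_length up to the length computation … */
	if (ieee802_1x_mka_icv_indicator_needed(participant))
		length = sizeof(struct ieee802_1x_mka_icv_body);
	else
		length = 0;
```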
@@ -1894,7 +1894,7 @@
 
     length = ieee802_1x_mka_get_icv_length(participant);
     if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
-        DEFAULT_ICV_LEN)  {
+        DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)  {
         wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
         body = wpabuf_put(buf, MKA_HDR_LEN);
         body->type = MKA_ICV_INDICATOR;
@@ -3495,7 +3495,8 @@
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
             bool macsec_replay_protect, u32 macsec_replay_window,
             u8 macsec_offload, u16 port, u8 priority,
-            u32 macsec_csindex, const char *ifname, const u8 *addr)
+            u32 macsec_csindex, bool include_icv_indicator, 
+            const char *ifname, const u8 *addr)
 {
     struct ieee802_1x_kay *kay;
 
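Review bot: The new parameter line `u32 macsec_csindex, bool include_icv_indicator, ` carries trailing whitespace after the comma, which hostapd's style checks reject; trim it to `u32 macsec_csindex, bool include_icv_indicator,`. The matching prototype hunk in ieee802_1x_kay.h is clean. ieee802_1x_kay_init continues outside the hunk.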
@@ -3533,6 +3534,7 @@
 
     kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
     kay->macsec_csindex = macsec_csindex;
+    kay->include_icv_indicator = include_icv_indicator;
     kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
     kay->mka_version = MKA_VERSION_ID;
 
diff -Naur a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
--- a/src/pae/ieee802_1x_kay.h    2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.h    2024-12-02 10:07:47.261076000 +0100
@@ -206,6 +206,7 @@
     struct ieee802_1x_kay_ctx *ctx;
     bool is_key_server;
     bool is_obliged_key_server;
+    bool include_icv_indicator;  /* Always include ICV Indicator */
     char if_name[IFNAMSIZ];
     u8 macsec_offload;
 
@@ -243,7 +244,8 @@
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
             bool macsec_replay_protect, u32 macsec_replay_window,
             u8 macsec_offload, u16 port, u8 priority,
-            u32 macsec_csindex, const char *ifname, const u8 *addr);
+            u32 macsec_csindex, bool include_icv_indicator,
+            const char *ifname, const u8 *addr);
 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
 
 struct ieee802_1x_mka_participant *
diff -Naur a/wpa_supplicant/config.c b/wpa_supplicant/config.c
--- a/wpa_supplicant/config.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config.c    2024-12-02 09:55:39.717430000 +0100
@@ -2721,6 +2721,7 @@
     { INT_RANGE(macsec_port, 1, 65534) },
     { INT_RANGE(mka_priority, 0, 255) },
     { INT_RANGE(macsec_csindex, 0, 1) },
+    { INT_RANGE(macsec_icv_indicator, 0, 1) },
     { FUNC_KEY(mka_cak) },
     { FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */
diff -Naur a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
--- a/wpa_supplicant/config_file.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_file.c    2024-12-02 09:55:28.949554000 +0100
@@ -818,6 +818,7 @@
     INT(macsec_port);
     INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
     INT(macsec_csindex);
+    INT(macsec_icv_indicator);
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
     INT(update_identifier);
diff -Naur a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
--- a/wpa_supplicant/config_ssid.h    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_ssid.h    2024-12-02 10:07:54.668991000 +0100
@@ -964,6 +964,14 @@
     int macsec_csindex;
 
     /**
+     * macsec_icv_indicator - Always include ICV Indicator
+     * (for compatibility with older MACSEC switches)
+     *
+     * Range: 0-1 (default: 0)
+     */
+    int macsec_icv_indicator;
+
+    /**
      * mka_ckn - MKA pre-shared CKN
      */
 #define MACSEC_CKN_MAX_LEN 32
diff -Naur a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
--- a/wpa_supplicant/wpas_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpas_kay.c    2024-12-02 09:57:59.939820000 +0100
@@ -249,7 +249,7 @@
                   ssid->macsec_replay_window,
                   ssid->macsec_offload, ssid->macsec_port,
                   ssid->mka_priority, ssid->macsec_csindex,
-                  wpa_s->ifname, wpa_s->own_addr);
+                  ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);
     /* ieee802_1x_kay_init() frees kay_ctx on failure */
     if (res == NULL)
         return -1;
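Review bot: The rewritten call line `ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);` packs three arguments onto one line where the surrounding call keeps at most two per line, and with the file's tab indentation it likely runs past 79 columns; split it as `ssid->macsec_icv_indicator, wpa_s->ifname,` followed by `wpa_s->own_addr);`. The enclosing function starts outside the hunk.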
diff -Naur a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
--- a/wpa_supplicant/wpa_supplicant.conf    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpa_supplicant.conf    2024-12-02 10:14:35.752386000 +0100
@@ -1173,6 +1173,10 @@
 # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
 # default priority
 #
+# macsec_icv_indicator: always include ICV indicator
+# 0 = ICV Indicator is not included when ICV has default length (default)
+# 1 = ICV Indicator is always included (compatibility mode)
+#
 # mixed_cell: This option can be used to configure whether so called mixed
 # cells, i.e., networks that use both plaintext and encryption in the same
 # SSID, are allowed when selecting a BSS from scan results.





