aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant
diff options
context:
space:
mode:
authorAndrey Kartashev <andrey.kartashev@afconsult.com>2018-11-02 18:02:14 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-26 14:42:25 (GMT)
commite49b78c0d584dcc3b9d6811e702e6c32fa7011cb (patch)
tree3b690b975c23273b0982bca574b0c6bfe11c837a /wpa_supplicant
parente47c5227bdc1696d537588af1f3b654952570835 (diff)
downloadhostap-e49b78c0d584dcc3b9d6811e702e6c32fa7011cb.zip
hostap-e49b78c0d584dcc3b9d6811e702e6c32fa7011cb.tar.gz
hostap-e49b78c0d584dcc3b9d6811e702e6c32fa7011cb.tar.bz2
mka: Allow configuration of MACsec replay protection
Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/config.c2
-rw-r--r--wpa_supplicant/config_file.c2
-rw-r--r--wpa_supplicant/config_ssid.h27
-rw-r--r--wpa_supplicant/wpa_cli.c2
-rw-r--r--wpa_supplicant/wpa_supplicant.conf16
-rw-r--r--wpa_supplicant/wpas_kay.c3
6 files changed, 51 insertions, 1 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index a0293d2..2fd9e85 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2376,6 +2376,8 @@ static const struct parse_data ssid_fields[] = {
#ifdef CONFIG_MACSEC
{ INT_RANGE(macsec_policy, 0, 1) },
{ INT_RANGE(macsec_integ_only, 0, 1) },
+ { INT_RANGE(macsec_replay_protect, 0, 1) },
+ { INT(macsec_replay_window) },
{ INT_RANGE(macsec_port, 1, 65534) },
{ INT_RANGE(mka_priority, 0, 255) },
{ FUNC_KEY(mka_cak) },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 91cb448..98aae87 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -862,6 +862,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
write_mka_cak(f, ssid);
write_mka_ckn(f, ssid);
INT(macsec_integ_only);
+ INT(macsec_replay_protect);
+ INT(macsec_replay_window);
INT(macsec_port);
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
#endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 665437d..3da3ed4 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -803,6 +803,33 @@ struct wpa_ssid {
int macsec_integ_only;
/**
+ * macsec_replay_protect - Enable MACsec replay protection
+ *
+ * This setting applies only when MACsec is in use, i.e.,
+ * - macsec_policy is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: Replay protection disabled (default)
+ * 1: Replay protection enabled
+ */
+ int macsec_replay_protect;
+
+ /**
+ * macsec_replay_window - MACsec replay protection window
+ *
+ * A window in which replay is tolerated, to allow receipt of frames
+ * that have been misordered by the network.
+ *
+ * This setting applies only when MACsec replay protection active, i.e.,
+ * - macsec_replay_protect is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: No replay window, strict check (default)
+ * 1..2^32-1: number of packets that could be misordered
+ */
+ u32 macsec_replay_window;
+
+ /**
* macsec_port - MACsec port (in SCI)
*
* Port component of the SCI.
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 8e64d0d..983a149 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1426,6 +1426,8 @@ static const char *network_fields[] = {
#ifdef CONFIG_MACSEC
"macsec_policy",
"macsec_integ_only",
+ "macsec_replay_protect",
+ "macsec_replay_window",
"macsec_port",
"mka_priority",
#endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 57d6cbf..58dbf04 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -994,6 +994,22 @@ fast_reauth=1
# 0: Encrypt traffic (default)
# 1: Integrity only
#
+# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+# This setting applies only when MACsec is in use, i.e.,
+# - macsec_policy is enabled
+# - the key server has decided to enable MACsec
+# 0: Replay protection disabled (default)
+# 1: Replay protection enabled
+#
+# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+# This determines a window in which replay is tolerated, to allow receipt
+# of frames that have been misordered by the network.
+# This setting applies only when MACsec replay protection active, i.e.,
+# - macsec_replay_protect is enabled
+# - the key server has decided to enable MACsec
+# 0: No replay window, strict check (default)
+# 1..2^32-1: number of packets that could be misordered
+#
# macsec_port: IEEE 802.1X/MACsec port
# Port component of the SCI
# Range: 1-65534 (default: 1)
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 99599da..39ed677 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -239,7 +239,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
- res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_port,
+ res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
+ ssid->macsec_replay_window, ssid->macsec_port,
ssid->mka_priority, wpa_s->ifname,
wpa_s->own_addr);
/* ieee802_1x_kay_init() frees kay_ctx on failure */