From 5864545492b7f35c0d74a19494e987538be92501 Mon Sep 17 00:00:00 2001
From: Mike Siedzik
Date: Fri, 2 Mar 2018 15:10:51 -0500
Subject: [PATCH] mka: Fix conf_offset value in MKPDU when in policy mode SHOULD_SECURE
Commit 7b4d546e ("wpa_supplicant: Add macsec_integ_only setting for MKA") introduced policy setting SHOULD_ENCRYPT (MACsec provides integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides integrity only). In both cases the KaY is populating the "Confidentiality Offset" parameter within the "Distributed SAK parameter set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the parameter should be populated with CONFIDENTIALITY_NONE=0.
IEEE Std 802.1X-2010, Table 11-6 and Figure 11-11 define how the two Confidentiality Offset bits in the "Distributed SAK parameter set" must be set: "0 if confidentiality not used" and "1 if confidentiality with no offset". When policy is SHOULD_SECURE KaY should to send the former, and when policy is SHOULD_ENCRYPT KaY should send the latter.
Fixes: 7b4d546e3dae ("wpa_supplicant: Add macsec_integ_only setting for MKA")
Signed-off-by: Michael Siedzik
---
src/pae/ieee802_1x_kay.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b3357c26b..d756b75cb 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3188,6 +3188,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
 kay->macsec_desired = FALSE;
 kay->macsec_protect = FALSE;
+ kay->macsec_encrypt = FALSE;
 kay->macsec_validate = Disabled;
 kay->macsec_replay_protect = FALSE;
 kay->macsec_replay_window = 0;
@@ -3195,14 +3196,17 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 } else {
 kay->macsec_desired = TRUE;
 kay->macsec_protect = TRUE;
- kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
+ if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF &&
+ policy == SHOULD_ENCRYPT) {
+ kay->macsec_encrypt = TRUE;
+ kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+ } else { /* SHOULD_SECURE */
+ kay->macsec_encrypt = FALSE;
+ kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+ }
 kay->macsec_validate = Strict;
 kay->macsec_replay_protect = FALSE;
 kay->macsec_replay_window = 0;
- if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
- kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
- else
- kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 }
 
 wpa_printf(MSG_DEBUG, "KaY: state machine created");
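Review bot: The new `else` branch is labelled `/* SHOULD_SECURE */` but is also reached when policy is SHOULD_ENCRYPT and kay->macsec_capable is below MACSEC_CAP_INTEG_AND_CONF, so a configured confidentiality policy is silently downgraded to integrity-only with no log line. An operator who asked for encryption then has nothing in the log showing that the link is actually running without confidentiality. I would relabel the comment `/* SHOULD_SECURE, or SHOULD_ENCRYPT without confidentiality capability */` and make the downgrade visible at the top of that branch: `if (policy == SHOULD_ENCRYPT) wpa_printf(MSG_WARNING, "KaY: SHOULD_ENCRYPT requested but SecY lacks confidentiality support; using integrity only");`. Where kay->macsec_capable is populated before this check lies outside the hunk, as do the start and end of ieee802_1x_kay_init, so I cannot confirm from here that it is always set by this point.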