[PATCH 8/8] mka: add driver op to get macsec capabilities
Sabrina Dubroca
sd at queasysnail.net
Wed Oct 5 02:19:00 PDT 2016
2016-10-03, 13:32:10 +0300, Jouni Malinen wrote:
> On Tue, Sep 20, 2016 at 09:43:11AM +0200, Sabrina Dubroca wrote:
>
> > src/drivers/driver.h | 2 ++
> > src/pae/ieee802_1x_kay.c | 15 +++++++++++++--
> > src/pae/ieee802_1x_kay.h | 1 +
> > src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
> > src/pae/ieee802_1x_secy_ops.h | 1 +
> > wpa_supplicant/driver_i.h | 9 +++++++++
> > wpa_supplicant/wpas_kay.c | 7 +++++++
> > 7 files changed, 53 insertions(+), 2 deletions(-)
>
> So no changes to src/drivers/driver_macsec_qca.c?
>
> > * enable_protect_frames - Set protect frames status
> > * @priv: Private driver interface data
> > diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> > @@ -3412,6 +3417,12 @@ ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
> > kay->macsec_csindex = cs_index;
> > kay->macsec_capable = cipher_suite_tbl[kay->macsec_csindex].capable;
> >
> > + if (secy_get_capability(kay, &secy_cap) < 0)
> > + return -3;
>
> Wouldn't this call to secy_get_capability() return -1 for unmodified
> driver_macsec_qca.c and as such, this patch would break that driver
> wrapper?
Not really, because (luckily?) this function
(ieee802_1x_kay_change_cipher_suite) is never called. In
ieee802_1x_kay_init I added a fallback so that if a driver doesn't
tell us its capability, we assume it can do everything. But, yes,
this is broken.
I see a few options here:
1) fallback in both ieee802_1x_kay_init and
ieee802_1x_kay_change_cipher_suite.
2) fallback, and implement macsec_get_capability op in
driver_macsec_qca.c.
3) no fallback, just implement macsec_get_capability op in
driver_macsec_qca.c.
I'd lean towards option 3 and will update the patch, unless you prefer
something else?
Thanks,
--
Sabrina
More information about the Hostap
mailing list