wap_supplicant MACSEC add option to always include ICV Indicator
Martínek Petr
petr.martinek at elvac.eu
Mon Dec 2 21:10:52 PST 2024
Hello,
CISCO C3560CX (SW version 15.2(7)E8, SW image C3560CX-UNIVERSALK9-M) requires the ICV Indicator to be present even when the ICV is 16 bytes.
Therefore I would like to ask whether it is possible to add a config option to always send the ICV Indicator. (I've included my patch, which adds a macsec_icv_indicator config option.)
Thanks
Petr
diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h
--- a/src/ap/ap_config.h 2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/ap_config.h 2024-12-02 10:11:55.470226000 +0100
@@ -906,6 +906,13 @@
int macsec_csindex;
/**
+ * macsec_icv_indicator - Always include ICV Indicator
+ * (for compatibility with older MACSEC switches)
+ *
+ * Range: 0-1 (default: 0)
+ */
+ int macsec_icv_indicator;
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_MAX_LEN 32
diff -Naur a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c
--- a/src/ap/wpa_auth_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/wpa_auth_kay.c 2024-12-02 10:10:27.603235000 +0100
@@ -331,6 +331,7 @@
hapd->conf->macsec_port,
hapd->conf->mka_priority,
hapd->conf->macsec_csindex,
+ hapd->conf->macsec_icv_indicator,
hapd->conf->iface,
hapd->own_addr);
/* ieee802_1x_kay_init() frees kay_ctx on failure */
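Review bot: The hostapd call site passes `hapd->conf->macsec_icv_indicator` here, but this patch contains no hunk for hostapd's configuration parser, so unless the field is parsed somewhere not shown it stays at its zero-initialized default and the option is only reachable from wpa_supplicant. Either add the matching hostapd `config_file.c` parser entry with the same 0-1 range check that the wpa_supplicant `INT_RANGE(macsec_icv_indicator, 0, 1)` entry gets, or state in the ap_config.h comment that the field is not yet settable from hostapd.conf. The `int` field is passed to a `bool` parameter; that is harmless given the 0-1 range, but `hapd->conf->macsec_icv_indicator != 0,` would make the narrowing intentional and visible. The enclosing function starts and ends outside the hunk.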
diff -Naur a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
--- a/src/pae/ieee802_1x_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.c 2024-12-02 10:08:38.580487000 +0100
@@ -1871,7 +1871,7 @@
/* Determine if we need space for the ICV Indicator */
if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
- DEFAULT_ICV_LEN)
+ DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)
length = sizeof(struct ieee802_1x_mka_icv_body);
else
length = 0;
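Review bot: The condition `icv_len != DEFAULT_ICV_LEN || participant->kay->include_icv_indicator` is now duplicated here (length computation) and in the MKPDU encoder hunk a few lines below (the `wpabuf_put` of the ICV Indicator body); if either copy is later edited alone, the precomputed length and the bytes actually appended disagree, which is the classic precursor to a wpabuf over- or under-run. A single `static` predicate used by both call sites keeps them in lockstep and documents why the indicator is emitted. The enclosing function starts before the hunk.
```c
/* True when the ICV Indicator parameter set must be carried in the MKPDU:
 * mandatory for a non-default ICV length, optional otherwise but forced by
 * the include_icv_indicator option for peers that require it. */
static bool
ieee802_1x_mka_icv_indicator_needed(const struct ieee802_1x_mka_participant *participant)
{
	return mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
		DEFAULT_ICV_LEN || participant->kay->include_icv_indicator;
}

	/* … unchanged: caller … */
	if (ieee802_1x_mka_icv_indicator_needed(participant))
		length = sizeof(struct ieee802_1x_mka_icv_body);
	else
		length = 0;
```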
@@ -1894,7 +1894,7 @@
length = ieee802_1x_mka_get_icv_length(participant);
if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
- DEFAULT_ICV_LEN) {
+ DEFAULT_ICV_LEN || participant->kay->include_icv_indicator) {
wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
body = wpabuf_put(buf, MKA_HDR_LEN);
body->type = MKA_ICV_INDICATOR;
@@ -3495,7 +3495,8 @@
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
bool macsec_replay_protect, u32 macsec_replay_window,
u8 macsec_offload, u16 port, u8 priority,
- u32 macsec_csindex, const char *ifname, const u8 *addr)
+ u32 macsec_csindex, bool include_icv_indicator,
+ const char *ifname, const u8 *addr)
{
struct ieee802_1x_kay *kay;
@@ -3533,6 +3534,7 @@
kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
kay->macsec_csindex = macsec_csindex;
+ kay->include_icv_indicator = include_icv_indicator;
kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
kay->mka_version = MKA_VERSION_ID;
diff -Naur a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
--- a/src/pae/ieee802_1x_kay.h 2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.h 2024-12-02 10:07:47.261076000 +0100
@@ -206,6 +206,7 @@
struct ieee802_1x_kay_ctx *ctx;
bool is_key_server;
bool is_obliged_key_server;
+ bool include_icv_indicator; /* Always include ICV Indicator */
char if_name[IFNAMSIZ];
u8 macsec_offload;
@@ -243,7 +244,8 @@
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
bool macsec_replay_protect, u32 macsec_replay_window,
u8 macsec_offload, u16 port, u8 priority,
- u32 macsec_csindex, const char *ifname, const u8 *addr);
+ u32 macsec_csindex, bool include_icv_indicator,
+ const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
struct ieee802_1x_mka_participant *
diff -Naur a/wpa_supplicant/config.c b/wpa_supplicant/config.c
--- a/wpa_supplicant/config.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config.c 2024-12-02 09:55:39.717430000 +0100
@@ -2721,6 +2721,7 @@
{ INT_RANGE(macsec_port, 1, 65534) },
{ INT_RANGE(mka_priority, 0, 255) },
{ INT_RANGE(macsec_csindex, 0, 1) },
+ { INT_RANGE(macsec_icv_indicator, 0, 1) },
{ FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
diff -Naur a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
--- a/wpa_supplicant/config_file.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_file.c 2024-12-02 09:55:28.949554000 +0100
@@ -818,6 +818,7 @@
INT(macsec_port);
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
INT(macsec_csindex);
+ INT(macsec_icv_indicator);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff -Naur a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
--- a/wpa_supplicant/config_ssid.h 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_ssid.h 2024-12-02 10:07:54.668991000 +0100
@@ -964,6 +964,14 @@
int macsec_csindex;
/**
+ * macsec_icv_indicator - Always include ICV Indicator
+ * (for compatibility with older MACSEC switches)
+ *
+ * Range: 0-1 (default: 0)
+ */
+ int macsec_icv_indicator;
+
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_MAX_LEN 32
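Review bot: The new field's comment, "Always include ICV Indicator (for compatibility with older MACSEC switches)", does not say what changes on the wire, and "older" is not what motivates the option (the cover letter names a currently shipping IOS 15.2 release). The kay.c hunk shows the indicator is otherwise omitted only when the ICV has the `DEFAULT_ICV_LEN` length, so the comment should name that condition: `macsec_icv_indicator - Always send the MKA ICV Indicator parameter set` followed by `When set, the ICV Indicator is carried in transmitted MKPDUs even when the ICV has the default (DEFAULT_ICV_LEN) length, where it would otherwise be omitted. Needed for peers that require it; does not change the ICV itself.` The same wording belongs on the parallel `macsec_icv_indicator` field in ap_config.h.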
diff -Naur a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
--- a/wpa_supplicant/wpas_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpas_kay.c 2024-12-02 09:57:59.939820000 +0100
@@ -249,7 +249,7 @@
ssid->macsec_replay_window,
ssid->macsec_offload, ssid->macsec_port,
ssid->mka_priority, ssid->macsec_csindex,
- wpa_s->ifname, wpa_s->own_addr);
+ ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);
/* ieee802_1x_kay_init() frees kay_ctx on failure */
if (res == NULL)
return -1;
diff -Naur a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
--- a/wpa_supplicant/wpa_supplicant.conf 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpa_supplicant.conf 2024-12-02 10:14:35.752386000 +0100
@@ -1173,6 +1173,10 @@
# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
# default priority
#
+# macsec_icv_indicator: always include ICV indicator
+# 0 = ICV Indicator is not included when ICV has default length (default)
+# 1 = ICV Indicator is always included (compatibility mode)
+#
# mixed_cell: This option can be used to configure whether so called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
# SSID, are allowed when selecting a BSS from scan results.