mka: fix getting capabilities from the driver

Message ID	8e1530df62379dc63f86950431060f8d81b7c861.1479229448.git.sd@queasysnail.net
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> sender: sd@queasysnail.net) by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 9CD41A810C; Tue, 15 Nov 2016 18:06:29 +0100 (CET) From: Sabrina Dubroca <sd@queasysnail.net> To: hostap@lists.infradead.org Subject: [PATCH] mka: fix getting capabilities from the driver Date: Tue, 15 Nov 2016 18:06:23 +0100 Message-Id: <8e1530df62379dc63f86950431060f8d81b7c861.1479229448.git.sd@queasysnail.net> In-Reply-To: <20161115122628.GA17511@bistromath.localdomain> References: <20161115122628.GA17511@bistromath.localdomain> summary: Content analysis details: (-2.6 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2001:4b98:c:538:0:0:0:195 listed in] [list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Precedence: list Cc: Sabrina Dubroca <sd@queasysnail.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Message ID

8e1530df62379dc63f86950431060f8d81b7c861.1479229448.git.sd@queasysnail.net

State

Accepted

Headers

From: Sabrina Dubroca <sd@queasysnail.net>
To: hostap@lists.infradead.org
Subject: [PATCH] mka: fix getting capabilities from the driver
Date: Tue, 15 Nov 2016 18:06:23 +0100
Message-Id: <8e1530df62379dc63f86950431060f8d81b7c861.1479229448.git.sd@queasysnail.net>
In-Reply-To: <20161115122628.GA17511@bistromath.localdomain>
References: <20161115122628.GA17511@bistromath.localdomain>
Precedence: list
Cc: Sabrina Dubroca <sd@queasysnail.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Commit Message

Sabrina Dubroca Nov. 15, 2016, 5:06 p.m. UTC

In commit a25e4efc9e42 ("mka: Add driver op to get macsec capabilities")
I added some code to check the driver's capabilites. This commit has two
problems:
 - wrong enum type set in kay->macsec_confidentiality
 - ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
   which case the MKA would claim that MACsec is supported.

Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
DO_NOT_SECURE policy, and set the correct value in
kay->macsec_confidentiality.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 src/pae/ieee802_1x_kay.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

Comments

Jouni Malinen Nov. 19, 2016, 10:41 p.m. UTC | #1

On Tue, Nov 15, 2016 at 06:06:23PM +0100, Sabrina Dubroca wrote:
> In commit a25e4efc9e42 ("mka: Add driver op to get macsec capabilities")
> I added some code to check the driver's capabilites. This commit has two
> problems:
>  - wrong enum type set in kay->macsec_confidentiality
>  - ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
>    which case the MKA would claim that MACsec is supported.
> 
> Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
> DO_NOT_SECURE policy, and set the correct value in
> kay->macsec_confidentiality.

Thanks, applied.

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 63bbd135213a..99bc3f2c24a5 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3111,7 +3111,15 @@  ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 
 	dl_list_init(&kay->participant_list);
 
-	if (policy == DO_NOT_SECURE) {
+	if (policy != DO_NOT_SECURE) {
+		if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
+			os_free(kay);
+			return NULL;
+		}
+	}
+
+	if (policy == DO_NOT_SECURE ||
+	    kay->macsec_capable == MACSEC_CAP_NOT_IMPLEMENTED) {
 		kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
 		kay->macsec_desired = FALSE;
 		kay->macsec_protect = FALSE;
@@ -3120,11 +3128,6 @@  ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		kay->macsec_replay_window = 0;
 		kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 	} else {
-		if (secy_get_capability(kay, &kay->macsec_capable) < 0) {
-			os_free(kay);
-			return NULL;
-		}
-
 		kay->macsec_desired = TRUE;
 		kay->macsec_protect = TRUE;
 		kay->macsec_validate = Strict;
@@ -3133,7 +3136,7 @@  ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
 			kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
 		else
-			kay->macsec_confidentiality = MACSEC_CAP_INTEGRITY;
+			kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 	}
 
 	wpa_printf(MSG_DEBUG, "KaY: state machine created");

mka: fix getting capabilities from the driver

Commit Message

Comments

Patch