| Message ID | ba2e70a023c03551b3735ca6fd510301e18250e2.1478090228.git.sd@queasysnail.net |
|---|---|
| State | Accepted |
| Headers | show |
On Wed, Nov 02, 2016 at 04:38:39PM +0100, Sabrina Dubroca wrote: > Currently, wpa_supplicant only supports port == 1 in the SCI, but > users may want to choose a different port. > +# macsec_port: IEEE 802.1X/MACsec port > +# Port component of the SCI > +# Range: 1-65534 (default: 1) Where does this range 1-65534 come from? IEEE Std 802.1X-2010, 12.7 seems to imply that values 1-65535 should be allow and 65534 of those values (i.e., 2-65535) are "virtual ports" while 1 identifies the "common port".
2016-11-19, 23:40:42 +0200, Jouni Malinen wrote: > On Wed, Nov 02, 2016 at 04:38:39PM +0100, Sabrina Dubroca wrote: > > Currently, wpa_supplicant only supports port == 1 in the SCI, but > > users may want to choose a different port. > > > +# macsec_port: IEEE 802.1X/MACsec port > > +# Port component of the SCI > > +# Range: 1-65534 (default: 1) > > Where does this range 1-65534 come from? IEEE Std 802.1X-2010, 12.7 > seems to imply that values 1-65535 should be allow and 65534 Seems you're right. I think I was trying to make sure we don't accidentally get the FF-FF-FF-FF-FF-FF-FF-FF SCI, or I mixed this up with the end of range for port numbers. Do you want me to send a patch, or do you prefer to fix it up directly yourself? > of those > values (i.e., 2-65535) are "virtual ports" while 1 identifies the > "common port". Not exactly. These are all "controlled ports". The "common port" is the lower insecure device for all the controlled ports (with port numbers 1-65535), also shared with the "uncontrolled port". This is all a bit confusing.
On Fri, Nov 25, 2016 at 03:18:17PM +0100, Sabrina Dubroca wrote: > 2016-11-19, 23:40:42 +0200, Jouni Malinen wrote: > > On Wed, Nov 02, 2016 at 04:38:39PM +0100, Sabrina Dubroca wrote: > > > Currently, wpa_supplicant only supports port == 1 in the SCI, but > > > users may want to choose a different port. > > > > > +# macsec_port: IEEE 802.1X/MACsec port > > > +# Port component of the SCI > > > +# Range: 1-65534 (default: 1) > > > > Where does this range 1-65534 come from? IEEE Std 802.1X-2010, 12.7 > > seems to imply that values 1-65535 should be allow and 65534 > > Seems you're right. I think I was trying to make sure we don't > accidentally get the FF-FF-FF-FF-FF-FF-FF-FF SCI, or I mixed this up > with the end of range for port numbers. > > Do you want me to send a patch, or do you prefer to fix it up directly > yourself? Please send a patch to update this.
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 9a8fd87ee9c7..e755e3df4674 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -3071,7 +3071,7 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf, */ struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - const char *ifname, const u8 *addr) + u16 port, const char *ifname, const u8 *addr) { struct ieee802_1x_kay *kay; @@ -3093,7 +3093,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, os_strlcpy(kay->if_name, ifname, IFNAMSIZ); os_memcpy(kay->actor_sci.addr, addr, ETH_ALEN); - kay->actor_sci.port = host_to_be16(0x0001); + kay->actor_sci.port = host_to_be16(port ? : 0x0001); kay->actor_priority = DEFAULT_PRIO_NOT_KEY_SERVER; /* While actor acts as a key server, shall distribute sakey */ diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index fb49f6206f99..ea5a0ddcff5d 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -233,7 +233,7 @@ struct ieee802_1x_kay { struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - const char *ifname, const u8 *addr); + u16 port, const char *ifname, const u8 *addr); void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); struct ieee802_1x_mka_participant * diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index a226b74612b2..c509af3404cd 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2121,6 +2121,7 @@ static const struct parse_data ssid_fields[] = { #ifdef CONFIG_MACSEC { INT_RANGE(macsec_policy, 0, 1) }, { INT_RANGE(macsec_integ_only, 0, 1) }, + { INT_RANGE(macsec_port, 1, 65534) }, { FUNC_KEY(mka_cak) }, { FUNC_KEY(mka_ckn) }, #endif /* CONFIG_MACSEC */ diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 81457021a9d6..7afd41b6125b 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -773,6 +773,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) #ifdef CONFIG_MACSEC INT(macsec_policy); INT(macsec_integ_only); + INT(macsec_port); #endif /* CONFIG_MACSEC */ #ifdef CONFIG_HS20 INT(update_identifier); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 457b31340399..2cafad9e761a 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -742,6 +742,15 @@ struct wpa_ssid { int macsec_integ_only; /** + * macsec_port - MACsec port (in SCI) + * + * Port component of the SCI. + * + * Range: 1-65534 (default: 1) + */ + int macsec_port; + + /** * mka_ckn - MKA pre-shared CKN */ #define MACSEC_CKN_LEN 32 diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index aed95e66a7d4..f11028a9ea1b 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1391,6 +1391,7 @@ static const char *network_fields[] = { #ifdef CONFIG_MACSEC "macsec_policy", "macsec_integ_only", + "macsec_port", #endif /* CONFIG_MACSEC */ #ifdef CONFIG_HS20 "update_identifier", diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 77972448134d..c7675775cfd2 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -899,6 +899,10 @@ fast_reauth=1 # 0: Encrypt traffic (default) # 1: Integrity only # +# macsec_port: IEEE 802.1X/MACsec port +# Port component of the SCI +# Range: 1-65534 (default: 1) +# # mka_cak and mka_ckn: IEEE 802.1X/MACsec pre-shared authentication mode # This allows to configure MACsec with a pre-shared (CAK,CKN) pair. # In this mode, instances of wpa_supplicant can act as peers, one of diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 17f485ab01e0..9b292a688cc8 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -232,7 +232,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa; kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa; - res = ieee802_1x_kay_init(kay_ctx, policy, wpa_s->ifname, + res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_port, wpa_s->ifname, wpa_s->own_addr); if (res == NULL) { os_free(kay_ctx);
Currently, wpa_supplicant only supports port == 1 in the SCI, but users may want to choose a different port. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> --- src/pae/ieee802_1x_kay.c | 4 ++-- src/pae/ieee802_1x_kay.h | 2 +- wpa_supplicant/config.c | 1 + wpa_supplicant/config_file.c | 1 + wpa_supplicant/config_ssid.h | 9 +++++++++ wpa_supplicant/wpa_cli.c | 1 + wpa_supplicant/wpa_supplicant.conf | 4 ++++ wpa_supplicant/wpas_kay.c | 2 +- 8 files changed, 20 insertions(+), 4 deletions(-)