
wap_supplicant MACSEC add option to always include ICV Indicator

Message ID f76d50a27deb45128b34ba11a29a1979@elvac.eu
State Changes Requested

Commit Message

Martínek Petr Dec. 3, 2024, 5:10 a.m. UTC
Hello,

CISCO C3560CX (SW version 15.2(7)E8, SW image  C3560CX-UNIVERSALK9-M)  requires ICV Indicator to be present even when ICV is 16bytes.
Therefore I would like to ask if it is possible to add a config option to always send the ICV Indicator. (I've included my patch that adds the macsec_icv_indicator config option.)

Thanks

Petr

Comments

Jouni Malinen Dec. 26, 2024, 10:05 p.m. UTC | #1
On Tue, Dec 03, 2024 at 05:10:52AM +0000, Martínek Petr wrote:
> CISCO C3560CX (SW version 15.2(7)E8, SW image  C3560CX-UNIVERSALK9-M)  requires ICV Indicator to be present even when ICV is 16bytes.
> Therefore I would like to ask, if it is possible to add config option to  always send ICV Indicator. (I've include my patch that adds macsec_icv_indicator config option)

That seems to be against the requirements of the IEEE 802.1X standard..
Would you happen to have any references that would describe this special
need for that device (or wider set of devices, if applicable).

A quick search seemed to find some comments on this from Cisco
documentation of the include-icv-indicator configuration parameter ("is
configuration is necessary for MACsec to interoperate with routers that
run software prior to IOS XR version 6.1.3. This configuration is also
important in a service provider WAN setup where MACsec interoperates
with other vendor MACsec implementations that expect ICV indicator to be
present in the MKPDU."). That seems to imply that is quite a bit wider
issue that just what might be implied by this description.

> diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h

For me to be able to consider applying the proposed changes, this needs
to come with a commit message that includes a Signed-off-by: line as
described in the top level CONTRIBUTIONS file.

>      /**
> +     * macsec_icv_indicator - Always include ICV Indicator
> +     * (for compatibility with older MACSEC switches)
> +     *
> +     * Range: 0-1 (default: 0)
> +     */
> +    int macsec_icv_indicator;

This needs matching changes in hostapd/config_file.c and
hostapd/hostapd.conf.

Patch

diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h
--- a/src/ap/ap_config.h    2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/ap_config.h    2024-12-02 10:11:55.470226000 +0100
@@ -906,6 +906,13 @@ 
     int macsec_csindex;
 
     /**
+     * macsec_icv_indicator - Always include ICV Indicator
+     * (for compatibility with older MACSEC switches)
+     *
+     * Range: 0-1 (default: 0)
+     */
+    int macsec_icv_indicator;
+    /**
      * mka_ckn - MKA pre-shared CKN
      */
 #define MACSEC_CKN_MAX_LEN 32
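Review bot: The new `int macsec_icv_indicator;` member is immediately followed by the `/**` opening the mka_ckn comment, with no blank line in between, whereas the same addition in wpa_supplicant/config_ssid.h keeps a blank line between the member and the next doc block. Adding the blank line here keeps the two headers consistent and matches the spacing of the surrounding members. The struct this hunk belongs to starts and ends outside the hunk.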
diff -Naur a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c
--- a/src/ap/wpa_auth_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/wpa_auth_kay.c    2024-12-02 10:10:27.603235000 +0100
@@ -331,6 +331,7 @@ 
                   hapd->conf->macsec_port,
                   hapd->conf->mka_priority,
                   hapd->conf->macsec_csindex,
+                  hapd->conf->macsec_icv_indicator,
                   hapd->conf->iface,
                   hapd->own_addr);
     /* ieee802_1x_kay_init() frees kay_ctx on failure */
diff -Naur a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
--- a/src/pae/ieee802_1x_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.c    2024-12-02 10:08:38.580487000 +0100
@@ -1871,7 +1871,7 @@ 
 
     /* Determine if we need space for the ICV Indicator */
     if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
-        DEFAULT_ICV_LEN)
+        DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)
         length = sizeof(struct ieee802_1x_mka_icv_body);
     else
         length = 0;
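Review bot: The predicate that decides whether an ICV Indicator parameter set is emitted, `icv_len != DEFAULT_ICV_LEN || participant->kay->include_icv_indicator`, is now duplicated verbatim between this length computation and the encode path in the next hunk (@@ -1894); if the two ever drift apart the reserved MKPDU length and the bytes actually written disagree. A small helper used by both call sites removes the duplication, as sketched below. The enclosing function starts and ends outside the hunk. Nothing in this series touches the receive side, so whether an inbound ICV Indicator with a default-length ICV is accepted is left to the existing decoder; worth confirming against the peer that motivated the change.
```c
/* The ICV Indicator is required whenever the ICV is not the default
 * length; include_icv_indicator forces it on for peers that expect it
 * even with a default-length ICV. */
static bool
ieee802_1x_mka_icv_indicator_needed(
	const struct ieee802_1x_mka_participant *participant)
{
	return mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
		DEFAULT_ICV_LEN || participant->kay->include_icv_indicator;
}

/* … unchanged: ieee802_1x_mka_get_icv_length up to the comment … */
	/* Determine if we need space for the ICV Indicator */
	if (ieee802_1x_mka_icv_indicator_needed(participant))
		length = sizeof(struct ieee802_1x_mka_icv_body);
	else
		length = 0;
```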
@@ -1894,7 +1894,7 @@ 
 
     length = ieee802_1x_mka_get_icv_length(participant);
     if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
-        DEFAULT_ICV_LEN)  {
+        DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)  {
         wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
         body = wpabuf_put(buf, MKA_HDR_LEN);
         body->type = MKA_ICV_INDICATOR;
@@ -3495,7 +3495,8 @@ 
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
             bool macsec_replay_protect, u32 macsec_replay_window,
             u8 macsec_offload, u16 port, u8 priority,
-            u32 macsec_csindex, const char *ifname, const u8 *addr)
+            u32 macsec_csindex, bool include_icv_indicator, 
+            const char *ifname, const u8 *addr)
 {
     struct ieee802_1x_kay *kay;
 
@@ -3533,6 +3534,7 @@ 
 
     kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
     kay->macsec_csindex = macsec_csindex;
+    kay->include_icv_indicator = include_icv_indicator;
     kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
     kay->mka_version = MKA_VERSION_ID;
 
diff -Naur a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
--- a/src/pae/ieee802_1x_kay.h    2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.h    2024-12-02 10:07:47.261076000 +0100
@@ -206,6 +206,7 @@ 
     struct ieee802_1x_kay_ctx *ctx;
     bool is_key_server;
     bool is_obliged_key_server;
+    bool include_icv_indicator;  /* Always include ICV Indicator */
     char if_name[IFNAMSIZ];
     u8 macsec_offload;
 
@@ -243,7 +244,8 @@ 
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
             bool macsec_replay_protect, u32 macsec_replay_window,
             u8 macsec_offload, u16 port, u8 priority,
-            u32 macsec_csindex, const char *ifname, const u8 *addr);
+            u32 macsec_csindex, bool include_icv_indicator,
+            const char *ifname, const u8 *addr);
 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
 
 struct ieee802_1x_mka_participant *
diff -Naur a/wpa_supplicant/config.c b/wpa_supplicant/config.c
--- a/wpa_supplicant/config.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config.c    2024-12-02 09:55:39.717430000 +0100
@@ -2721,6 +2721,7 @@ 
     { INT_RANGE(macsec_port, 1, 65534) },
     { INT_RANGE(mka_priority, 0, 255) },
     { INT_RANGE(macsec_csindex, 0, 1) },
+    { INT_RANGE(macsec_icv_indicator, 0, 1) },
     { FUNC_KEY(mka_cak) },
     { FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */
diff -Naur a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
--- a/wpa_supplicant/config_file.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_file.c    2024-12-02 09:55:28.949554000 +0100
@@ -818,6 +818,7 @@ 
     INT(macsec_port);
     INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
     INT(macsec_csindex);
+    INT(macsec_icv_indicator);
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
     INT(update_identifier);
diff -Naur a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
--- a/wpa_supplicant/config_ssid.h    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_ssid.h    2024-12-02 10:07:54.668991000 +0100
@@ -964,6 +964,14 @@ 
     int macsec_csindex;
 
     /**
+     * macsec_icv_indicator - Always include ICV Indicator
+     * (for compatibility with older MACSEC switches)
+     *
+     * Range: 0-1 (default: 0)
+     */
+    int macsec_icv_indicator;
+
+    /**
      * mka_ckn - MKA pre-shared CKN
      */
 #define MACSEC_CKN_MAX_LEN 32
diff -Naur a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
--- a/wpa_supplicant/wpas_kay.c    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpas_kay.c    2024-12-02 09:57:59.939820000 +0100
@@ -249,7 +249,7 @@ 
                   ssid->macsec_replay_window,
                   ssid->macsec_offload, ssid->macsec_port,
                   ssid->mka_priority, ssid->macsec_csindex,
-                  wpa_s->ifname, wpa_s->own_addr);
+                  ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);
     /* ieee802_1x_kay_init() frees kay_ctx on failure */
     if (res == NULL)
         return -1;
diff -Naur a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
--- a/wpa_supplicant/wpa_supplicant.conf    2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpa_supplicant.conf    2024-12-02 10:14:35.752386000 +0100
@@ -1173,6 +1173,10 @@ 
 # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
 # default priority
 #
+# macsec_icv_indicator: always include ICV indicator
+# 0 = ICV Indicator is not included when ICV has default length (default)
+# 1 = ICV Indicator is always included (compatibility mode)
+#
 # mixed_cell: This option can be used to configure whether so called mixed
 # cells, i.e., networks that use both plaintext and encryption in the same
 # SSID, are allowed when selecting a BSS from scan results.