macsec: T4537: add missing macsec_csindex option to support GCM-AES-256

(cherry picked from commit 258e6873b60531fe70d868d2e53ce2f921fe7f13)

1 files changed, 17 insertions, 1 deletions

diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl
index 5b353def8..04f3700fc 100644
--- a/data/templates/macsec/wpa_supplicant.conf.tmpl
+++ b/data/templates/macsec/wpa_supplicant.conf.tmpl
@@ -47,6 +47,12 @@ network={
     # 1: Integrity only
     macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }}
 
+    # macsec_csindex: IEEE 802.1X/MACsec cipher suite
+    # 0 = GCM-AES-128
+    # 1 = GCM-AES-256
+{# security.cipher is a mandatory key #}
+    macsec_csindex={{ '1' if security.cipher is defined and security.cipher == 'gcm-aes-256' else '0' }}
+
 {% if security is defined %}
 {%   if security.encrypt is defined %}
     # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
@@ -63,7 +69,13 @@ network={
     # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
     # default priority
     mka_priority={{ security.mka.priority }}
-{%   endif %}
+
+    # macsec_csindex: IEEE 802.1X/MACsec cipher suite
+    # 0 = GCM-AES-128
+    # 1 = GCM-AES-256
+{# security.cipher is a mandatory key #}
+    macsec_csindex={{ '1' if security.cipher is vyos_defined('gcm-aes-256') else '0' }}
+{% endif %}
 
 {%   if security.replay_window is defined %}
     # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
@@ -85,5 +97,9 @@ network={
     macsec_replay_window={{ security.replay_window }}
 {%   endif %}
 {% endif %}
+
+    # macsec_port: IEEE 802.1X/MACsec port - Port component of the SCI
+    # Range: 1-65534 (default: 1)
+    macsec_port=1
 }