From 2005b6e98d66756eabd163d047e3ce4b365d4c30 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 22 May 2020 11:06:37 +0200 Subject: macsec: T2491: add replay window protection --- data/templates/macsec/wpa_supplicant.conf.tmpl | 19 +++++++++++++++++++ interface-definitions/interfaces-macsec.xml.in | 16 ++++++++++++++++ src/conf_mode/interfaces-macsec.py | 6 ++++++ 3 files changed, 41 insertions(+) diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl index c3a8d9686..a614d23f5 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -63,5 +63,24 @@ network={ # default priority mka_priority={{ security_mka_priority }} {% endif %} +{% if security_replay_window %} + # macsec_replay_protect: IEEE 802.1X/MACsec replay protection + # This setting applies only when MACsec is in use, i.e., + # - macsec_policy is enabled + # - the key server has decided to enable MACsec + # 0: Replay protection disabled (default) + # 1: Replay protection enabled + macsec_replay_protect={{ '1' if security_replay_window else '0' }} + + # macsec_replay_window: IEEE 802.1X/MACsec replay protection window + # This determines a window in which replay is tolerated, to allow receipt + # of frames that have been misordered by the network. + # This setting applies only when MACsec replay protection active, i.e., + # - macsec_replay_protect is enabled + # - the key server has decided to enable MACsec + # 0: No replay window, strict check (default) + # 1..2^32-1: number of packets that could be misordered + macsec_replay_window={{ security_replay_window }} +{% endif %} } diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 3bd0a6fd5..36605ab59 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in 
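Review bot: The expression `macsec_replay_protect={{ '1' if security_replay_window else '0' }}` can never render `0`, because it sits inside the `{% if security_replay_window %}` guard that the same hunk adds; the else branch is dead and the line reads as if protection could be left off from within the block. Write it as `macsec_replay_protect=1` and keep the explanatory comment above it, which already documents the 0/1 meaning for anyone reading the generated file. The comment `# This setting applies only when MACsec replay protection active` is missing a verb; `# This setting applies only when MACsec replay protection is active` reads correctly. The enclosing `network={` block starts before the hunk.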
@@ -86,6 +86,22 @@ + + + IEEE 802.1X/MACsec replay protection window + + 0 + No replay window, strict check + + + 1-4294967295 + Number of packets that could be misordered + + + + + + #include diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 690c9b745..7d6f238f3 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -39,6 +39,7 @@ default_config_data = { 'security_mka_cak': '', 'security_mka_ckn': '', 'security_mka_priority': '255', + 'security_replay_window': '', 'intf': '', 'source_interface': '', 'is_bridge_member': False, @@ -112,6 +113,11 @@ def get_config(): macsec['security_mka_priority'] = conf.return_value( ['security', 'mka', 'priority']) + # IEEE 802.1X/MACsec replay protection + if conf.exists(['security', 'replay-window']): + macsec['security_replay_window'] = conf.return_value( + ['security', 'replay-window']) + # Physical interface if conf.exists(['source-interface']): macsec['source_interface'] = conf.return_value(['source-interface']) -- cgit v1.2.3
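Review bot: The rendering of this hunk has dropped the XML tags, so I cannot see whether a numeric range validator accompanies the two valueHelp entries (`0` and `1-4294967295`); if only valueHelp is present, values outside that range would be accepted by the CLI and passed straight through to wpa_supplicant, which is the component that then has to reject them. If a validator is already there this is only a visibility problem of the rendering; if not, one that enforces the 0-4294967295 range would keep the commit's own documented limits authoritative. Worth confirming against the actual file.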
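Review bot: The new `security_replay_window` assignment keeps whatever string `conf.return_value` hands back, and the wpa_supplicant template gates `macsec_replay_protect` on the truthiness of that value; a configured `replay-window 0` (valid per the XML, meaning strict check) only still enables replay protection because the non-empty string `'0'` is truthy, whereas an `int()` cast here would make 0 fall through the guard and silently leave protection off. That coupling deserves a comment on the assignment so a later cleanup does not break it: `# keep as string: a configured window of 0 (strict check) must remain truthy for the template guard`. If the value is ever converted to an int, the template condition should become an explicit "is configured" check rather than a truthiness test. get_config begins and ends outside the hunk.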