From 07a6bfe1d2f13ac31cfc2c5b5e15db3feda52e9b Mon Sep 17 00:00:00 2001 From: Sabrina Dubroca Date: Fri, 12 Aug 2016 15:07:35 +0200 Subject: [PATCH] mka: Store cipher suite ID in a u64 instead of u8 pointer Signed-off-by: Sabrina Dubroca --- src/common/ieee802_1x_defs.h | 2 +- src/drivers/driver.h | 2 +- src/drivers/driver_macsec_qca.c | 12 ++++++------ src/pae/ieee802_1x_cp.c | 32 ++++++++++---------------------- src/pae/ieee802_1x_cp.h | 2 +- src/pae/ieee802_1x_kay.c | 14 +++++++++++--- src/pae/ieee802_1x_kay.h | 2 +- src/pae/ieee802_1x_kay_i.h | 2 +- src/pae/ieee802_1x_secy_ops.c | 3 +-- src/pae/ieee802_1x_secy_ops.h | 3 +-- wpa_supplicant/driver_i.h | 2 +- wpa_supplicant/wpas_kay.c | 2 +- 12 files changed, 36 insertions(+), 42 deletions(-) diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h index cc88caa8d..a0c1d1bfa 100644 --- a/src/common/ieee802_1x_defs.h +++ b/src/common/ieee802_1x_defs.h @@ -10,7 +10,7 @@ #define IEEE802_1X_DEFS_H #define CS_ID_LEN 8 -#define CS_ID_GCM_AES_128 {0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01} +#define CS_ID_GCM_AES_128 0x0080020001000001ULL #define CS_NAME_GCM_AES_128 "GCM-AES-128" enum macsec_policy { diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 591943d18..a449cc934 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -3319,7 +3319,7 @@ struct wpa_driver_ops { * @cs: EUI64 identifier * Returns: 0 on success, -1 on failure (or if not supported) */ - int (*set_current_cipher_suite)(void *priv, const u8 *cs); + int (*set_current_cipher_suite)(void *priv, u64 cs); /** * enable_controlled_port - Set controlled port status diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c index 0c9c72746..826d3cc62 100644 --- a/src/drivers/driver_macsec_qca.c +++ b/src/drivers/driver_macsec_qca.c @@ -11,6 +11,7 @@ #include "includes.h" #include #include +#include #ifdef __linux__ #include #include @@ -485,13 +486,12 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled, } -static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs) +static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs) { - u8 default_cs_id[] = CS_ID_GCM_AES_128; - - if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) { - wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite", - cs, CS_ID_LEN); + if (cs != CS_ID_GCM_AES_128) { + wpa_printf(MSG_ERROR, + "%s: NOT supported CipherSuite: %016" PRIx64, + __func__, cs); return -1; } diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index 83fd5ed73..43046f5d9 100644 --- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c @@ -20,7 +20,7 @@ #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm #define STATE_MACHINE_DEBUG_PREFIX "CP" -static u8 default_cs_id[] = CS_ID_GCM_AES_128; +static u64 default_cs_id = CS_ID_GCM_AES_128; /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */ enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE }; @@ -45,7 +45,7 @@ struct ieee802_1x_cp_sm { Boolean elected_self; u8 *authorization_data1; enum confidentiality_offset cipher_offset; - u8 *cipher_suite; + u64 cipher_suite; Boolean new_sak; /* clear by CP */ struct ieee802_1x_mka_ki distributed_ki; u8 distributed_an; @@ -71,7 +71,7 @@ struct ieee802_1x_cp_sm { Boolean replay_protect; u32 replay_window; - u8 *current_cipher_suite; + u64 current_cipher_suite; enum confidentiality_offset confidentiality_offset; Boolean controlled_port_enabled; @@ -97,8 +97,7 @@ static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx, static int changed_cipher(struct ieee802_1x_cp_sm *sm) { return sm->confidentiality_offset != sm->cipher_offset || - os_memcmp(sm->current_cipher_suite, sm->cipher_suite, - CS_ID_LEN) != 0; + sm->current_cipher_suite != sm->cipher_suite; } @@ -196,8 +195,8 @@ SM_STATE(CP, SECURED) sm->replay_protect = conf.replay_protect; sm->validate_frames = conf.validate; - /* NOTE: now no other than default cipher suiter(AES-GCM-128) */ - os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN); + /* NOTE: now no other than default cipher suite (AES-GCM-128) */ + sm->current_cipher_suite = sm->cipher_suite; secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); sm->confidentiality_offset = sm->cipher_offset; @@ -459,17 +458,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init( sm->orx = FALSE; sm->otx = FALSE; - sm->cipher_suite = os_zalloc(CS_ID_LEN); - sm->current_cipher_suite = os_zalloc(CS_ID_LEN); - if (!sm->cipher_suite || !sm->current_cipher_suite) { - wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__); - os_free(sm->cipher_suite); - os_free(sm->current_cipher_suite); - os_free(sm); - return NULL; - } - os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN); - os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN); + sm->current_cipher_suite = default_cs_id; + sm->cipher_suite = default_cs_id; sm->cipher_offset = CONFIDENTIALITY_OFFSET_0; sm->confidentiality_offset = sm->cipher_offset; sm->transmit_delay = MKA_LIFE_TIME; @@ -529,8 +519,6 @@ void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm) eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL); os_free(sm->lki); os_free(sm->oki); - os_free(sm->cipher_suite); - os_free(sm->current_cipher_suite); os_free(sm->authorization_data); os_free(sm); } @@ -617,10 +605,10 @@ void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len) /** * ieee802_1x_cp_set_ciphersuite - */ -void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid) +void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs) { struct ieee802_1x_cp_sm *sm = cp_ctx; - os_memcpy(sm->cipher_suite, pid, CS_ID_LEN); + sm->cipher_suite = cs; } diff --git a/src/pae/ieee802_1x_cp.h b/src/pae/ieee802_1x_cp.h index 773c93052..4ed63df6f 100644 --- a/src/pae/ieee802_1x_cp.h +++ b/src/pae/ieee802_1x_cp.h @@ -36,7 +36,7 @@ void ieee802_1x_cp_connect_secure(void *cp_ctx); void ieee802_1x_cp_signal_chgdserver(void *cp_ctx); void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status); void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len); -void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid); +void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs); void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset); void ieee802_1x_cp_signal_newsak(void *cp_ctx); void ieee802_1x_cp_set_distributedki(void *cp_ctx, diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index d7b76e0c3..9bb4a9494 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -361,12 +361,17 @@ ieee802_1x_kay_get_peer(struct ieee802_1x_mka_participant *participant, */ static struct macsec_ciphersuite * ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant, - u8 *cs_id) + const u8 *cs_id) { unsigned int i; + u64 cs; + be64 _cs; + + os_memcpy(&_cs, cs_id, CS_ID_LEN); + cs = be_to_host64(_cs); for (i = 0; i < CS_TABLE_SIZE; i++) { - if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0) + if (cipher_suite_tbl[i].id == cs) return &cipher_suite_tbl[i]; } @@ -1440,7 +1445,10 @@ ieee802_1x_mka_encode_dist_sak_body( cs_index = participant->kay->macsec_csindex; sak_pos = 0; if (cs_index != DEFAULT_CS_INDEX) { - os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN); + be64 cs; + + cs = host_to_be64(cipher_suite_tbl[cs_index].id); + os_memcpy(body->sak, &cs, CS_ID_LEN); sak_pos = CS_ID_LEN; } if (aes_wrap(participant->kek.key, 16, diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index f8e4058da..3f918d64e 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -59,7 +59,7 @@ struct ieee802_1x_kay_ctx { int (*macsec_deinit)(void *ctx); int (*enable_protect_frames)(void *ctx, Boolean enabled); int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window); - int (*set_current_cipher_suite)(void *ctx, const u8 *cs); + int (*set_current_cipher_suite)(void *ctx, u64 cs); int (*enable_controlled_port)(void *ctx, Boolean enabled); int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an, u32 *lowest_pn); diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h index 558bad9f4..8907c082c 100644 --- a/src/pae/ieee802_1x_kay_i.h +++ b/src/pae/ieee802_1x_kay_i.h @@ -147,7 +147,7 @@ struct receive_sa { }; struct macsec_ciphersuite { - u8 id[CS_ID_LEN]; + u64 id; char name[32]; enum macsec_cap capable; int sak_len; /* unit: byte */ diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c index 8a6f05ae6..2d12911db 100644 --- a/src/pae/ieee802_1x_secy_ops.c +++ b/src/pae/ieee802_1x_secy_ops.c @@ -65,8 +65,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win) } -int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, - const u8 *cs) +int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs) { struct ieee802_1x_kay_ctx *ops; diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h index c9fd33f54..f5057ee11 100644 --- a/src/pae/ieee802_1x_secy_ops.h +++ b/src/pae/ieee802_1x_secy_ops.h @@ -26,8 +26,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay, enum validate_frames vf); int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag); int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win); -int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, - const u8 *cs); +int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs); int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay, enum confidentiality_offset co); int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag); diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index 63b225a19..220b7ba3d 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -733,7 +733,7 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s, } static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s, - const u8 *cs) + u64 cs) { if (!wpa_s->driver->set_current_cipher_suite) return -1; diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 7e1b51a61..d6ec8c509 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -50,7 +50,7 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window) } -static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs) +static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs) { return wpa_drv_set_current_cipher_suite(wpa_s, cs); }