DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

mka: Store cipher suite ID in a u64 instead of u8 pointer

Browse source 
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This commit is contained in:
Sabrina Dubroca 2016-08-12 15:07:35 +02:00 committed by Jouni Malinen
parent 535a8b8712
commit 07a6bfe1d2
12 changed files with 36 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/common/ieee802_1x_defs.h
View file

@ -10,7 +10,7 @@
#define IEEE802_1X_DEFS_H #define IEEE802_1X_DEFS_H
#define CS_ID_LEN 8 #define CS_ID_LEN 8
#define CS_ID_GCM_AES_128 {0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01} #define CS_ID_GCM_AES_128 0x0080020001000001ULL
#define CS_NAME_GCM_AES_128 "GCM-AES-128" #define CS_NAME_GCM_AES_128 "GCM-AES-128"
enum macsec_policy { enum macsec_policy {

2
src/drivers/driver.h
View file

@ -3319,7 +3319,7 @@ struct wpa_driver_ops {
* @cs: EUI64 identifier * @cs: EUI64 identifier
* Returns: 0 on success, -1 on failure (or if not supported) * Returns: 0 on success, -1 on failure (or if not supported)
*/ */
int (*set_current_cipher_suite)(void *priv, const u8 *cs); int (*set_current_cipher_suite)(void *priv, u64 cs);
/** /**
* enable_controlled_port - Set controlled port status * enable_controlled_port - Set controlled port status

12
src/drivers/driver_macsec_qca.c
View file

@ -11,6 +11,7 @@
#include "includes.h" #include "includes.h"
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <net/if.h> #include <net/if.h>
#include <inttypes.h>
#ifdef __linux__ #ifdef __linux__
#include <netpacket/packet.h> #include <netpacket/packet.h>
#include <net/if_arp.h> #include <net/if_arp.h>
@ -485,13 +486,12 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
} }
static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs) static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
{ {
u8 default_cs_id[] = CS_ID_GCM_AES_128; if (cs != CS_ID_GCM_AES_128) {
wpa_printf(MSG_ERROR,
if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) { "%s: NOT supported CipherSuite: %016" PRIx64,
wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite", __func__, cs);
cs, CS_ID_LEN);
return -1; return -1;
} }

32
src/pae/ieee802_1x_cp.c
View file

@ -20,7 +20,7 @@
#define STATE_MACHINE_DATA struct ieee802_1x_cp_sm #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
#define STATE_MACHINE_DEBUG_PREFIX "CP" #define STATE_MACHINE_DEBUG_PREFIX "CP"
static u8 default_cs_id[] = CS_ID_GCM_AES_128; static u64 default_cs_id = CS_ID_GCM_AES_128;
/* The variable defined in clause 12 in IEEE Std 802.1X-2010 */ /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE }; enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
@ -45,7 +45,7 @@ struct ieee802_1x_cp_sm {
Boolean elected_self; Boolean elected_self;
u8 *authorization_data1; u8 *authorization_data1;
enum confidentiality_offset cipher_offset; enum confidentiality_offset cipher_offset;
u8 *cipher_suite; u64 cipher_suite;
Boolean new_sak; /* clear by CP */ Boolean new_sak; /* clear by CP */
struct ieee802_1x_mka_ki distributed_ki; struct ieee802_1x_mka_ki distributed_ki;
u8 distributed_an; u8 distributed_an;
@ -71,7 +71,7 @@ struct ieee802_1x_cp_sm {
Boolean replay_protect; Boolean replay_protect;
u32 replay_window; u32 replay_window;
u8 *current_cipher_suite; u64 current_cipher_suite;
enum confidentiality_offset confidentiality_offset; enum confidentiality_offset confidentiality_offset;
Boolean controlled_port_enabled; Boolean controlled_port_enabled;
@ -97,8 +97,7 @@ static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
static int changed_cipher(struct ieee802_1x_cp_sm *sm) static int changed_cipher(struct ieee802_1x_cp_sm *sm)
{ {
return sm->confidentiality_offset != sm->cipher_offset || return sm->confidentiality_offset != sm->cipher_offset ||
os_memcmp(sm->current_cipher_suite, sm->cipher_suite, sm->current_cipher_suite != sm->cipher_suite;
CS_ID_LEN) != 0;
} }
@ -196,8 +195,8 @@ SM_STATE(CP, SECURED)
sm->replay_protect = conf.replay_protect; sm->replay_protect = conf.replay_protect;
sm->validate_frames = conf.validate; sm->validate_frames = conf.validate;
/* NOTE: now no other than default cipher suiter(AES-GCM-128) */ /* NOTE: now no other than default cipher suite (AES-GCM-128) */
os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN); sm->current_cipher_suite = sm->cipher_suite;
secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
sm->confidentiality_offset = sm->cipher_offset; sm->confidentiality_offset = sm->cipher_offset;
@ -459,17 +458,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
sm->orx = FALSE; sm->orx = FALSE;
sm->otx = FALSE; sm->otx = FALSE;
sm->cipher_suite = os_zalloc(CS_ID_LEN); sm->current_cipher_suite = default_cs_id;
sm->current_cipher_suite = os_zalloc(CS_ID_LEN); sm->cipher_suite = default_cs_id;
if (!sm->cipher_suite || !sm->current_cipher_suite) {
wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
os_free(sm->cipher_suite);
os_free(sm->current_cipher_suite);
os_free(sm);
return NULL;
}
os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
sm->cipher_offset = CONFIDENTIALITY_OFFSET_0; sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
sm->confidentiality_offset = sm->cipher_offset; sm->confidentiality_offset = sm->cipher_offset;
sm->transmit_delay = MKA_LIFE_TIME; sm->transmit_delay = MKA_LIFE_TIME;
@ -529,8 +519,6 @@ void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL); eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
os_free(sm->lki); os_free(sm->lki);
os_free(sm->oki); os_free(sm->oki);
os_free(sm->cipher_suite);
os_free(sm->current_cipher_suite);
os_free(sm->authorization_data); os_free(sm->authorization_data);
os_free(sm); os_free(sm);
} }
@ -617,10 +605,10 @@ void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
/** /**
* ieee802_1x_cp_set_ciphersuite - * ieee802_1x_cp_set_ciphersuite -
*/ */
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid) void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
{ {
struct ieee802_1x_cp_sm *sm = cp_ctx; struct ieee802_1x_cp_sm *sm = cp_ctx;
os_memcpy(sm->cipher_suite, pid, CS_ID_LEN); sm->cipher_suite = cs;
} }

2
src/pae/ieee802_1x_cp.h
View file

@ -36,7 +36,7 @@ void ieee802_1x_cp_connect_secure(void *cp_ctx);
void ieee802_1x_cp_signal_chgdserver(void *cp_ctx); void ieee802_1x_cp_signal_chgdserver(void *cp_ctx);
void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status); void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status);
void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len); void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len);
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid); void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs);
void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset); void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset);
void ieee802_1x_cp_signal_newsak(void *cp_ctx); void ieee802_1x_cp_signal_newsak(void *cp_ctx);
void ieee802_1x_cp_set_distributedki(void *cp_ctx, void ieee802_1x_cp_set_distributedki(void *cp_ctx,

14
src/pae/ieee802_1x_kay.c
View file

@ -361,12 +361,17 @@ ieee802_1x_kay_get_peer(struct ieee802_1x_mka_participant *participant,
*/ */
static struct macsec_ciphersuite * static struct macsec_ciphersuite *
ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant, ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
u8 *cs_id) const u8 *cs_id)
{ {
unsigned int i; unsigned int i;
u64 cs;
be64 _cs;
os_memcpy(&_cs, cs_id, CS_ID_LEN);
cs = be_to_host64(_cs);
for (i = 0; i < CS_TABLE_SIZE; i++) { for (i = 0; i < CS_TABLE_SIZE; i++) {
if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0) if (cipher_suite_tbl[i].id == cs)
return &cipher_suite_tbl[i]; return &cipher_suite_tbl[i];
} }
@ -1440,7 +1445,10 @@ ieee802_1x_mka_encode_dist_sak_body(
cs_index = participant->kay->macsec_csindex; cs_index = participant->kay->macsec_csindex;
sak_pos = 0; sak_pos = 0;
if (cs_index != DEFAULT_CS_INDEX) { if (cs_index != DEFAULT_CS_INDEX) {
os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN); be64 cs;
cs = host_to_be64(cipher_suite_tbl[cs_index].id);
os_memcpy(body->sak, &cs, CS_ID_LEN);
sak_pos = CS_ID_LEN; sak_pos = CS_ID_LEN;
} }
if (aes_wrap(participant->kek.key, 16, if (aes_wrap(participant->kek.key, 16,

2
src/pae/ieee802_1x_kay.h
View file

@ -59,7 +59,7 @@ struct ieee802_1x_kay_ctx {
int (*macsec_deinit)(void *ctx); int (*macsec_deinit)(void *ctx);
int (*enable_protect_frames)(void *ctx, Boolean enabled); int (*enable_protect_frames)(void *ctx, Boolean enabled);
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window); int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
int (*set_current_cipher_suite)(void *ctx, const u8 *cs); int (*set_current_cipher_suite)(void *ctx, u64 cs);
int (*enable_controlled_port)(void *ctx, Boolean enabled); int (*enable_controlled_port)(void *ctx, Boolean enabled);
int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an, int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
u32 *lowest_pn); u32 *lowest_pn);

2
src/pae/ieee802_1x_kay_i.h
View file

@ -147,7 +147,7 @@ struct receive_sa {
}; };
struct macsec_ciphersuite { struct macsec_ciphersuite {
u8 id[CS_ID_LEN]; u64 id;
char name[32]; char name[32];
enum macsec_cap capable; enum macsec_cap capable;
int sak_len; /* unit: byte */ int sak_len; /* unit: byte */

3
src/pae/ieee802_1x_secy_ops.c
View file

@ -65,8 +65,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
} }
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
const u8 *cs)
{ {
struct ieee802_1x_kay_ctx *ops; struct ieee802_1x_kay_ctx *ops;

3
src/pae/ieee802_1x_secy_ops.h
View file

@ -26,8 +26,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
enum validate_frames vf); enum validate_frames vf);
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag); int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win); int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
const u8 *cs);
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay, int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
enum confidentiality_offset co); enum confidentiality_offset co);
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag); int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);

2
wpa_supplicant/driver_i.h
View file

@ -733,7 +733,7 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
} }
static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s, static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
const u8 *cs) u64 cs)
{ {
if (!wpa_s->driver->set_current_cipher_suite) if (!wpa_s->driver->set_current_cipher_suite)
return -1; return -1;

2
wpa_supplicant/wpas_kay.c
View file

@ -50,7 +50,7 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
} }
static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs) static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs)
{ {
return wpa_drv_set_current_cipher_suite(wpa_s, cs); return wpa_drv_set_current_cipher_suite(wpa_s, cs);
} }