mka: Store cipher suite ID in a u64 instead of u8 pointer
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This commit is contained in:
Sabrina Dubroca
Jouni Malinen
parent
535a8b8712
commit
07a6bfe1d2
12 changed files with 36 additions and 42 deletions
|
|
@ -10,7 +10,7 @@
|
|||
#define IEEE802_1X_DEFS_H
|
||||
|
||||
#define CS_ID_LEN 8
|
||||
#define CS_ID_GCM_AES_128 {0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01}
|
||||
#define CS_ID_GCM_AES_128 0x0080020001000001ULL
|
||||
#define CS_NAME_GCM_AES_128 "GCM-AES-128"
|
||||
|
||||
enum macsec_policy {
|
||||
|
|
|
|||
|
|
@ -3319,7 +3319,7 @@ struct wpa_driver_ops {
|
|||
* @cs: EUI64 identifier
|
||||
* Returns: 0 on success, -1 on failure (or if not supported)
|
||||
*/
|
||||
int (*set_current_cipher_suite)(void *priv, const u8 *cs);
|
||||
int (*set_current_cipher_suite)(void *priv, u64 cs);
|
||||
|
||||
/**
|
||||
* enable_controlled_port - Set controlled port status
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@
|
|||
#include "includes.h"
|
||||
#include <sys/ioctl.h>
|
||||
#include <net/if.h>
|
||||
#include <inttypes.h>
|
||||
#ifdef __linux__
|
||||
#include <netpacket/packet.h>
|
||||
#include <net/if_arp.h>
|
||||
|
|
@ -485,13 +486,12 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
|
|||
}
|
||||
|
||||
|
||||
static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs)
|
||||
static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
|
||||
{
|
||||
u8 default_cs_id[] = CS_ID_GCM_AES_128;
|
||||
|
||||
if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) {
|
||||
wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite",
|
||||
cs, CS_ID_LEN);
|
||||
if (cs != CS_ID_GCM_AES_128) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"%s: NOT supported CipherSuite: %016" PRIx64,
|
||||
__func__, cs);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
#define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
|
||||
#define STATE_MACHINE_DEBUG_PREFIX "CP"
|
||||
|
||||
static u8 default_cs_id[] = CS_ID_GCM_AES_128;
|
||||
static u64 default_cs_id = CS_ID_GCM_AES_128;
|
||||
|
||||
/* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
|
||||
enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
|
||||
|
|
@ -45,7 +45,7 @@ struct ieee802_1x_cp_sm {
|
|||
Boolean elected_self;
|
||||
u8 *authorization_data1;
|
||||
enum confidentiality_offset cipher_offset;
|
||||
u8 *cipher_suite;
|
||||
u64 cipher_suite;
|
||||
Boolean new_sak; /* clear by CP */
|
||||
struct ieee802_1x_mka_ki distributed_ki;
|
||||
u8 distributed_an;
|
||||
|
|
@ -71,7 +71,7 @@ struct ieee802_1x_cp_sm {
|
|||
Boolean replay_protect;
|
||||
u32 replay_window;
|
||||
|
||||
u8 *current_cipher_suite;
|
||||
u64 current_cipher_suite;
|
||||
enum confidentiality_offset confidentiality_offset;
|
||||
Boolean controlled_port_enabled;
|
||||
|
||||
|
|
@ -97,8 +97,7 @@ static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
|
|||
static int changed_cipher(struct ieee802_1x_cp_sm *sm)
|
||||
{
|
||||
return sm->confidentiality_offset != sm->cipher_offset ||
|
||||
os_memcmp(sm->current_cipher_suite, sm->cipher_suite,
|
||||
CS_ID_LEN) != 0;
|
||||
sm->current_cipher_suite != sm->cipher_suite;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -196,8 +195,8 @@ SM_STATE(CP, SECURED)
|
|||
sm->replay_protect = conf.replay_protect;
|
||||
sm->validate_frames = conf.validate;
|
||||
|
||||
/* NOTE: now no other than default cipher suiter(AES-GCM-128) */
|
||||
os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
|
||||
/* NOTE: now no other than default cipher suite (AES-GCM-128) */
|
||||
sm->current_cipher_suite = sm->cipher_suite;
|
||||
secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
|
||||
|
||||
sm->confidentiality_offset = sm->cipher_offset;
|
||||
|
|
@ -459,17 +458,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
|
|||
sm->orx = FALSE;
|
||||
sm->otx = FALSE;
|
||||
|
||||
sm->cipher_suite = os_zalloc(CS_ID_LEN);
|
||||
sm->current_cipher_suite = os_zalloc(CS_ID_LEN);
|
||||
if (!sm->cipher_suite || !sm->current_cipher_suite) {
|
||||
wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
|
||||
os_free(sm->cipher_suite);
|
||||
os_free(sm->current_cipher_suite);
|
||||
os_free(sm);
|
||||
return NULL;
|
||||
}
|
||||
os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
|
||||
os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
|
||||
sm->current_cipher_suite = default_cs_id;
|
||||
sm->cipher_suite = default_cs_id;
|
||||
sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
|
||||
sm->confidentiality_offset = sm->cipher_offset;
|
||||
sm->transmit_delay = MKA_LIFE_TIME;
|
||||
|
|
@ -529,8 +519,6 @@ void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
|
|||
eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
|
||||
os_free(sm->lki);
|
||||
os_free(sm->oki);
|
||||
os_free(sm->cipher_suite);
|
||||
os_free(sm->current_cipher_suite);
|
||||
os_free(sm->authorization_data);
|
||||
os_free(sm);
|
||||
}
|
||||
|
|
@ -617,10 +605,10 @@ void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
|
|||
/**
|
||||
* ieee802_1x_cp_set_ciphersuite -
|
||||
*/
|
||||
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid)
|
||||
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
|
||||
{
|
||||
struct ieee802_1x_cp_sm *sm = cp_ctx;
|
||||
os_memcpy(sm->cipher_suite, pid, CS_ID_LEN);
|
||||
sm->cipher_suite = cs;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ void ieee802_1x_cp_connect_secure(void *cp_ctx);
|
|||
void ieee802_1x_cp_signal_chgdserver(void *cp_ctx);
|
||||
void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status);
|
||||
void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len);
|
||||
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid);
|
||||
void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs);
|
||||
void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset);
|
||||
void ieee802_1x_cp_signal_newsak(void *cp_ctx);
|
||||
void ieee802_1x_cp_set_distributedki(void *cp_ctx,
|
||||
|
|
|
|||
|
|
@ -361,12 +361,17 @@ ieee802_1x_kay_get_peer(struct ieee802_1x_mka_participant *participant,
|
|||
*/
|
||||
static struct macsec_ciphersuite *
|
||||
ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
|
||||
u8 *cs_id)
|
||||
const u8 *cs_id)
|
||||
{
|
||||
unsigned int i;
|
||||
u64 cs;
|
||||
be64 _cs;
|
||||
|
||||
os_memcpy(&_cs, cs_id, CS_ID_LEN);
|
||||
cs = be_to_host64(_cs);
|
||||
|
||||
for (i = 0; i < CS_TABLE_SIZE; i++) {
|
||||
if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0)
|
||||
if (cipher_suite_tbl[i].id == cs)
|
||||
return &cipher_suite_tbl[i];
|
||||
}
|
||||
|
||||
|
|
@ -1440,7 +1445,10 @@ ieee802_1x_mka_encode_dist_sak_body(
|
|||
cs_index = participant->kay->macsec_csindex;
|
||||
sak_pos = 0;
|
||||
if (cs_index != DEFAULT_CS_INDEX) {
|
||||
os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
|
||||
be64 cs;
|
||||
|
||||
cs = host_to_be64(cipher_suite_tbl[cs_index].id);
|
||||
os_memcpy(body->sak, &cs, CS_ID_LEN);
|
||||
sak_pos = CS_ID_LEN;
|
||||
}
|
||||
if (aes_wrap(participant->kek.key, 16,
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ struct ieee802_1x_kay_ctx {
|
|||
int (*macsec_deinit)(void *ctx);
|
||||
int (*enable_protect_frames)(void *ctx, Boolean enabled);
|
||||
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
|
||||
int (*set_current_cipher_suite)(void *ctx, const u8 *cs);
|
||||
int (*set_current_cipher_suite)(void *ctx, u64 cs);
|
||||
int (*enable_controlled_port)(void *ctx, Boolean enabled);
|
||||
int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
|
||||
u32 *lowest_pn);
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ struct receive_sa {
|
|||
};
|
||||
|
||||
struct macsec_ciphersuite {
|
||||
u8 id[CS_ID_LEN];
|
||||
u64 id;
|
||||
char name[32];
|
||||
enum macsec_cap capable;
|
||||
int sak_len; /* unit: byte */
|
||||
|
|
|
|||
|
|
@ -65,8 +65,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
|
|||
}
|
||||
|
||||
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
|
||||
const u8 *cs)
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
|
||||
{
|
||||
struct ieee802_1x_kay_ctx *ops;
|
||||
|
||||
|
|
|
|||
|
|
@ -26,8 +26,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
|
|||
enum validate_frames vf);
|
||||
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
|
||||
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
|
||||
const u8 *cs);
|
||||
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
|
||||
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
|
||||
enum confidentiality_offset co);
|
||||
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
|
||||
|
|
|
|||
|
|
@ -733,7 +733,7 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
|
|||
}
|
||||
|
||||
static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
|
||||
const u8 *cs)
|
||||
u64 cs)
|
||||
{
|
||||
if (!wpa_s->driver->set_current_cipher_suite)
|
||||
return -1;
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
|
|||
}
|
||||
|
||||
|
||||
static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs)
|
||||
static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs)
|
||||
{
|
||||
return wpa_drv_set_current_cipher_suite(wpa_s, cs);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue