mka: Support GCM-AES-256
GCM-AES-256 cipher suite is defined in IEEE Std 802.1AEbn-2011. If authenticator configured as GCM-AES-256, the distributed SAK will be 256 bits indicated by the GCM-AES-256 ID in the MKA packet. This patch will make AES Key Unwrap to 32 bytes of SAK when identify the ID. Signed-off-by: xiaofeis <xiaofeis@codeaurora.org>
This commit is contained in:
parent
1d9babdaa0
commit
1ff8605775
3 changed files with 54 additions and 8 deletions
|
@ -12,6 +12,8 @@
|
|||
#define CS_ID_LEN 8
|
||||
#define CS_ID_GCM_AES_128 0x0080020001000001ULL
|
||||
#define CS_NAME_GCM_AES_128 "GCM-AES-128"
|
||||
#define CS_ID_GCM_AES_256 0x0080c20001000002ULL
|
||||
#define CS_NAME_GCM_AES_256 "GCM-AES-256"
|
||||
|
||||
enum macsec_policy {
|
||||
/**
|
||||
|
|
|
@ -39,6 +39,9 @@
|
|||
|
||||
#define MAXSC 16
|
||||
|
||||
#define SAK_128_LEN 16
|
||||
#define SAK_256_LEN 32
|
||||
|
||||
/* TCI field definition */
|
||||
#define TCI_ES 0x40
|
||||
#define TCI_SC 0x20
|
||||
|
@ -226,19 +229,32 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
|
|||
}
|
||||
|
||||
|
||||
static fal_cipher_suite_e macsec_qca_cs_type_get(u64 cs)
|
||||
{
|
||||
if (cs == CS_ID_GCM_AES_128)
|
||||
return FAL_CIPHER_SUITE_AES_GCM_128;
|
||||
if (cs == CS_ID_GCM_AES_256)
|
||||
return FAL_CIPHER_SUITE_AES_GCM_256;
|
||||
return FAL_CIPHER_SUITE_MAX;
|
||||
}
|
||||
|
||||
|
||||
static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
|
||||
{
|
||||
if (cs != CS_ID_GCM_AES_128) {
|
||||
struct macsec_qca_data *drv = priv;
|
||||
fal_cipher_suite_e cs_type;
|
||||
|
||||
if (cs != CS_ID_GCM_AES_128 && cs != CS_ID_GCM_AES_256) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"%s: NOT supported CipherSuite: %016" PRIx64,
|
||||
__func__, cs);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Support default Cipher Suite 0080020001000001 (GCM-AES-128) */
|
||||
wpa_printf(MSG_DEBUG, "%s: default support aes-gcm-128", __func__);
|
||||
wpa_printf(MSG_DEBUG, "%s: CipherSuite: %016" PRIx64, __func__, cs);
|
||||
|
||||
return 0;
|
||||
cs_type = macsec_qca_cs_type_get(cs);
|
||||
return nss_macsec_secy_cipher_suite_set(drv->secy_id, cs_type);
|
||||
}
|
||||
|
||||
|
||||
|
@ -508,8 +524,18 @@ static int macsec_qca_create_receive_sa(void *priv, struct receive_sa *sa)
|
|||
__func__, channel, sa->an, sa->lowest_pn);
|
||||
|
||||
os_memset(&rx_sak, 0, sizeof(rx_sak));
|
||||
rx_sak.sak_len = sa->pkey->key_len;
|
||||
if (sa->pkey->key_len == SAK_128_LEN) {
|
||||
for (i = 0; i < 16; i++)
|
||||
rx_sak.sak[i] = sa->pkey->key[15 - i];
|
||||
} else if (sa->pkey->key_len == SAK_256_LEN) {
|
||||
for (i = 0; i < 16; i++) {
|
||||
rx_sak.sak1[i] = sa->pkey->key[15 - i];
|
||||
rx_sak.sak[i] = sa->pkey->key[31 - i];
|
||||
}
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret += nss_macsec_secy_rx_sa_create(drv->secy_id, channel, sa->an);
|
||||
ret += nss_macsec_secy_rx_sak_set(drv->secy_id, channel, sa->an,
|
||||
|
@ -676,8 +702,18 @@ static int macsec_qca_create_transmit_sa(void *priv, struct transmit_sa *sa)
|
|||
tci |= TCI_E | TCI_C;
|
||||
|
||||
os_memset(&tx_sak, 0, sizeof(tx_sak));
|
||||
tx_sak.sak_len = sa->pkey->key_len;
|
||||
if (sa->pkey->key_len == SAK_128_LEN) {
|
||||
for (i = 0; i < 16; i++)
|
||||
tx_sak.sak[i] = sa->pkey->key[15 - i];
|
||||
} else if (sa->pkey->key_len == SAK_256_LEN) {
|
||||
for (i = 0; i < 16; i++) {
|
||||
tx_sak.sak1[i] = sa->pkey->key[15 - i];
|
||||
tx_sak.sak[i] = sa->pkey->key[31 - i];
|
||||
}
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
|
||||
sa->next_pn);
|
||||
|
|
|
@ -45,6 +45,14 @@ static struct macsec_ciphersuite cipher_suite_tbl[] = {
|
|||
.sak_len = DEFAULT_SA_KEY_LEN,
|
||||
.index = 0,
|
||||
},
|
||||
/* GCM-AES-256 */
|
||||
{
|
||||
.id = CS_ID_GCM_AES_256,
|
||||
.name = CS_NAME_GCM_AES_256,
|
||||
.capable = MACSEC_CAP_INTEG_AND_CONF_0_30_50,
|
||||
.sak_len = 32,
|
||||
.index = 1 /* index */
|
||||
},
|
||||
};
|
||||
#define CS_TABLE_SIZE (ARRAY_SIZE(cipher_suite_tbl))
|
||||
#define DEFAULT_CS_INDEX 0
|
||||
|
|
Loading…
Reference in a new issue