MACsec: wpa_supplicant integration
Add MACsec to the wpa_supplicant build system and configuration file. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
887d9d01ab
commit
dd10abccc8
10 changed files with 488 additions and 2 deletions
|
@ -748,6 +748,19 @@ LIBS += -ldl -rdynamic
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifdef CONFIG_MACSEC
|
||||||
|
CFLAGS += -DCONFIG_MACSEC
|
||||||
|
NEED_AES_ENCBLOCK=y
|
||||||
|
NEED_AES_UNWRAP=y
|
||||||
|
NEED_AES_WRAP=y
|
||||||
|
NEED_AES_OMAC1=y
|
||||||
|
OBJS += wpas_kay.o
|
||||||
|
OBJS += ../src/pae/ieee802_1x_cp.o
|
||||||
|
OBJS += ../src/pae/ieee802_1x_kay.o
|
||||||
|
OBJS += ../src/pae/ieee802_1x_key.o
|
||||||
|
OBJS += ../src/pae/ieee802_1x_secy_ops.o
|
||||||
|
endif
|
||||||
|
|
||||||
ifdef CONFIG_AP
|
ifdef CONFIG_AP
|
||||||
NEED_80211_COMMON=y
|
NEED_80211_COMMON=y
|
||||||
NEED_EAP_COMMON=y
|
NEED_EAP_COMMON=y
|
||||||
|
|
|
@ -1733,6 +1733,9 @@ static const struct parse_data ssid_fields[] = {
|
||||||
{ INT(ap_max_inactivity) },
|
{ INT(ap_max_inactivity) },
|
||||||
{ INT(dtim_period) },
|
{ INT(dtim_period) },
|
||||||
{ INT(beacon_int) },
|
{ INT(beacon_int) },
|
||||||
|
#ifdef CONFIG_MACSEC
|
||||||
|
{ INT_RANGE(macsec_policy, 0, 1) },
|
||||||
|
#endif /* CONFIG_MACSEC */
|
||||||
};
|
};
|
||||||
|
|
||||||
#undef OFFSET
|
#undef OFFSET
|
||||||
|
|
|
@ -736,6 +736,9 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
||||||
#endif /* CONFIG_P2P */
|
#endif /* CONFIG_P2P */
|
||||||
INT(dtim_period);
|
INT(dtim_period);
|
||||||
INT(beacon_int);
|
INT(beacon_int);
|
||||||
|
#ifdef CONFIG_MACSEC
|
||||||
|
INT(macsec_policy);
|
||||||
|
#endif /* CONFIG_MACSEC */
|
||||||
|
|
||||||
#undef STR
|
#undef STR
|
||||||
#undef INT
|
#undef INT
|
||||||
|
|
|
@ -636,6 +636,17 @@ struct wpa_ssid {
|
||||||
* dereferences since it may not be updated in all cases.
|
* dereferences since it may not be updated in all cases.
|
||||||
*/
|
*/
|
||||||
void *parent_cred;
|
void *parent_cred;
|
||||||
|
|
||||||
|
#ifdef CONFIG_MACSEC
|
||||||
|
/**
|
||||||
|
* macsec_policy - Determines the policy for MACsec secure session
|
||||||
|
*
|
||||||
|
* 0: MACsec not in use (default)
|
||||||
|
* 1: MACsec enabled - Should secure, accept key server's advice to
|
||||||
|
* determine whether to use a secure session or not.
|
||||||
|
*/
|
||||||
|
int macsec_policy;
|
||||||
|
#endif /* CONFIG_MACSEC */
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif /* CONFIG_SSID_H */
|
#endif /* CONFIG_SSID_H */
|
||||||
|
|
|
@ -51,6 +51,7 @@
|
||||||
#include "offchannel.h"
|
#include "offchannel.h"
|
||||||
#include "hs20_supplicant.h"
|
#include "hs20_supplicant.h"
|
||||||
#include "wnm_sta.h"
|
#include "wnm_sta.h"
|
||||||
|
#include "wpas_kay.h"
|
||||||
|
|
||||||
const char *wpa_supplicant_version =
|
const char *wpa_supplicant_version =
|
||||||
"wpa_supplicant v" VERSION_STR "\n"
|
"wpa_supplicant v" VERSION_STR "\n"
|
||||||
|
@ -298,6 +299,8 @@ void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
|
||||||
eapol_conf.external_sim = wpa_s->conf->external_sim;
|
eapol_conf.external_sim = wpa_s->conf->external_sim;
|
||||||
eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
|
eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
|
||||||
#endif /* IEEE8021X_EAPOL */
|
#endif /* IEEE8021X_EAPOL */
|
||||||
|
|
||||||
|
ieee802_1x_alloc_kay_sm(wpa_s, ssid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -468,6 +471,8 @@ static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
|
||||||
|
|
||||||
free_hw_features(wpa_s);
|
free_hw_features(wpa_s);
|
||||||
|
|
||||||
|
ieee802_1x_dealloc_kay_sm(wpa_s);
|
||||||
|
|
||||||
os_free(wpa_s->bssid_filter);
|
os_free(wpa_s->bssid_filter);
|
||||||
wpa_s->bssid_filter = NULL;
|
wpa_s->bssid_filter = NULL;
|
||||||
|
|
||||||
|
|
|
@ -81,6 +81,8 @@ ctrl_interface=/var/run/wpa_supplicant
|
||||||
# to make wpa_supplicant interoperate with these APs, the version number is set
|
# to make wpa_supplicant interoperate with these APs, the version number is set
|
||||||
# to 1 by default. This configuration value can be used to set it to the new
|
# to 1 by default. This configuration value can be used to set it to the new
|
||||||
# version (2).
|
# version (2).
|
||||||
|
# Note: When using MACsec, eapol_version shall be set to 3, which is
|
||||||
|
# defined in IEEE Std 802.1X-2010.
|
||||||
eapol_version=1
|
eapol_version=1
|
||||||
|
|
||||||
# AP scanning/selection
|
# AP scanning/selection
|
||||||
|
@ -97,6 +99,8 @@ eapol_version=1
|
||||||
# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
|
# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
|
||||||
# APs (i.e., external program needs to control association). This mode must
|
# APs (i.e., external program needs to control association). This mode must
|
||||||
# also be used when using wired Ethernet drivers.
|
# also be used when using wired Ethernet drivers.
|
||||||
|
# Note: macsec_qca driver is one type of Ethernet driver which implements
|
||||||
|
# macsec feature.
|
||||||
# 2: like 0, but associate with APs using security policy and SSID (but not
|
# 2: like 0, but associate with APs using security policy and SSID (but not
|
||||||
# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
|
# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
|
||||||
# enable operation with hidden SSIDs and optimized roaming; in this mode,
|
# enable operation with hidden SSIDs and optimized roaming; in this mode,
|
||||||
|
@ -675,8 +679,16 @@ fast_reauth=1
|
||||||
# bit0 (1): require dynamically generated unicast WEP key
|
# bit0 (1): require dynamically generated unicast WEP key
|
||||||
# bit1 (2): require dynamically generated broadcast WEP key
|
# bit1 (2): require dynamically generated broadcast WEP key
|
||||||
# (3 = require both keys; default)
|
# (3 = require both keys; default)
|
||||||
# Note: When using wired authentication, eapol_flags must be set to 0 for the
|
# Note: When using wired authentication (including macsec_qca driver),
|
||||||
# authentication to be completed successfully.
|
# eapol_flags must be set to 0 for the authentication to be completed
|
||||||
|
# successfully.
|
||||||
|
#
|
||||||
|
# macsec_policy: IEEE 802.1X/MACsec options
|
||||||
|
# This determines how sessions are secured with MACsec. It is currently
|
||||||
|
# applicable only when using the macsec_qca driver interface.
|
||||||
|
# 0: MACsec not in use (default)
|
||||||
|
# 1: MACsec enabled - Should secure, accept key server's advice to
|
||||||
|
# determine whether to use a secure session or not.
|
||||||
#
|
#
|
||||||
# mixed_cell: This option can be used to configure whether so called mixed
|
# mixed_cell: This option can be used to configure whether so called mixed
|
||||||
# cells, i.e., networks that use both plaintext and encryption in the same
|
# cells, i.e., networks that use both plaintext and encryption in the same
|
||||||
|
@ -1341,3 +1353,17 @@ freq_list=5180
|
||||||
network={
|
network={
|
||||||
key_mgmt=NONE
|
key_mgmt=NONE
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Example MACsec configuration
|
||||||
|
#network={
|
||||||
|
# key_mgmt=IEEE8021X
|
||||||
|
# eap=TTLS
|
||||||
|
# phase2="auth=PAP"
|
||||||
|
# anonymous_identity="anonymous@example.com"
|
||||||
|
# identity="user@example.com"
|
||||||
|
# password="secretr"
|
||||||
|
# ca_cert="/etc/cert/ca.pem"
|
||||||
|
# eapol_flags=0
|
||||||
|
# macsec_policy=1
|
||||||
|
#}
|
||||||
|
|
|
@ -808,6 +808,9 @@ struct wpa_supplicant {
|
||||||
u16 num_modes;
|
u16 num_modes;
|
||||||
u16 flags;
|
u16 flags;
|
||||||
} hw;
|
} hw;
|
||||||
|
#ifdef CONFIG_MACSEC
|
||||||
|
struct ieee802_1x_kay *kay;
|
||||||
|
#endif /* CONFIG_MACSEC */
|
||||||
|
|
||||||
int pno;
|
int pno;
|
||||||
int pno_sched_pending;
|
int pno_sched_pending;
|
||||||
|
|
|
@ -26,6 +26,7 @@
|
||||||
#include "bss.h"
|
#include "bss.h"
|
||||||
#include "scan.h"
|
#include "scan.h"
|
||||||
#include "notify.h"
|
#include "notify.h"
|
||||||
|
#include "wpas_kay.h"
|
||||||
|
|
||||||
|
|
||||||
#ifndef CONFIG_NO_CONFIG_BLOBS
|
#ifndef CONFIG_NO_CONFIG_BLOBS
|
||||||
|
@ -254,6 +255,8 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol,
|
||||||
* authentication failure.
|
* authentication failure.
|
||||||
*/
|
*/
|
||||||
wpa_supplicant_req_auth_timeout(wpa_s, 2, 0);
|
wpa_supplicant_req_auth_timeout(wpa_s, 2, 0);
|
||||||
|
} else {
|
||||||
|
ieee802_1x_notify_create_actor(wpa_s, wpa_s->last_eapol_src);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (result != EAPOL_SUPP_RESULT_SUCCESS ||
|
if (result != EAPOL_SUPP_RESULT_SUCCESS ||
|
||||||
|
|
378
wpa_supplicant/wpas_kay.c
Normal file
378
wpa_supplicant/wpas_kay.c
Normal file
|
@ -0,0 +1,378 @@
|
||||||
|
/*
|
||||||
|
* IEEE 802.1X-2010 KaY Interface
|
||||||
|
* Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
|
||||||
|
*
|
||||||
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
* See README for more details.
|
||||||
|
*/
|
||||||
|
#include <openssl/ssl.h>
|
||||||
|
#include "utils/includes.h"
|
||||||
|
|
||||||
|
#include "utils/common.h"
|
||||||
|
#include "eap_peer/eap.h"
|
||||||
|
#include "eap_peer/eap_i.h"
|
||||||
|
#include "eapol_supp/eapol_supp_sm.h"
|
||||||
|
#include "pae/ieee802_1x_key.h"
|
||||||
|
#include "pae/ieee802_1x_kay.h"
|
||||||
|
#include "wpa_supplicant_i.h"
|
||||||
|
#include "config.h"
|
||||||
|
#include "config_ssid.h"
|
||||||
|
#include "driver_i.h"
|
||||||
|
#include "wpas_kay.h"
|
||||||
|
|
||||||
|
|
||||||
|
#define DEFAULT_KEY_LEN 16
|
||||||
|
/* secure Connectivity Association Key Name (CKN) */
|
||||||
|
#define DEFAULT_CKN_LEN 16
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_macsec_init(void *priv, struct macsec_init_params *params)
|
||||||
|
{
|
||||||
|
return wpa_drv_macsec_init(priv, params);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_macsec_deinit(void *priv)
|
||||||
|
{
|
||||||
|
return wpa_drv_macsec_deinit(priv);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
|
||||||
|
{
|
||||||
|
return wpa_drv_enable_protect_frames(wpa_s, enabled);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
|
||||||
|
{
|
||||||
|
return wpa_drv_set_replay_protect(wpa_s, enabled, window);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs,
|
||||||
|
size_t cs_len)
|
||||||
|
{
|
||||||
|
return wpa_drv_set_current_cipher_suite(wpa_s, cs, cs_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_enable_controlled_port(void *wpa_s, Boolean enabled)
|
||||||
|
{
|
||||||
|
return wpa_drv_enable_controlled_port(wpa_s, enabled);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_get_receive_lowest_pn(void *wpa_s, u32 channel,
|
||||||
|
u8 an, u32 *lowest_pn)
|
||||||
|
{
|
||||||
|
return wpa_drv_get_receive_lowest_pn(wpa_s, channel, an, lowest_pn);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_get_transmit_next_pn(void *wpa_s, u32 channel,
|
||||||
|
u8 an, u32 *next_pn)
|
||||||
|
{
|
||||||
|
return wpa_drv_get_transmit_next_pn(wpa_s, channel, an, next_pn);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_set_transmit_next_pn(void *wpa_s, u32 channel,
|
||||||
|
u8 an, u32 next_pn)
|
||||||
|
{
|
||||||
|
return wpa_drv_set_transmit_next_pn(wpa_s, channel, an, next_pn);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_get_available_receive_sc(void *wpa_s, u32 *channel)
|
||||||
|
{
|
||||||
|
return wpa_drv_get_available_receive_sc(wpa_s, channel);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static unsigned int conf_offset_val(enum confidentiality_offset co)
|
||||||
|
{
|
||||||
|
switch (co) {
|
||||||
|
case CONFIDENTIALITY_OFFSET_30:
|
||||||
|
return 30;
|
||||||
|
break;
|
||||||
|
case CONFIDENTIALITY_OFFSET_50:
|
||||||
|
return 50;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_create_receive_sc(void *wpa_s, u32 channel,
|
||||||
|
struct ieee802_1x_mka_sci *sci,
|
||||||
|
enum validate_frames vf,
|
||||||
|
enum confidentiality_offset co)
|
||||||
|
{
|
||||||
|
return wpa_drv_create_receive_sc(wpa_s, channel, sci->addr, sci->port,
|
||||||
|
conf_offset_val(co), vf);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_delete_receive_sc(void *wpa_s, u32 channel)
|
||||||
|
{
|
||||||
|
return wpa_drv_delete_receive_sc(wpa_s, channel);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_create_receive_sa(void *wpa_s, u32 channel, u8 an,
|
||||||
|
u32 lowest_pn, const u8 *sak)
|
||||||
|
{
|
||||||
|
return wpa_drv_create_receive_sa(wpa_s, channel, an, lowest_pn, sak);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_enable_receive_sa(void *wpa_s, u32 channel, u8 an)
|
||||||
|
{
|
||||||
|
return wpa_drv_enable_receive_sa(wpa_s, channel, an);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_disable_receive_sa(void *wpa_s, u32 channel, u8 an)
|
||||||
|
{
|
||||||
|
return wpa_drv_disable_receive_sa(wpa_s, channel, an);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_get_available_transmit_sc(void *wpa_s, u32 *channel)
|
||||||
|
{
|
||||||
|
return wpa_drv_get_available_transmit_sc(wpa_s, channel);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
wpas_create_transmit_sc(void *wpa_s, u32 channel,
|
||||||
|
const struct ieee802_1x_mka_sci *sci,
|
||||||
|
enum confidentiality_offset co)
|
||||||
|
{
|
||||||
|
return wpa_drv_create_transmit_sc(wpa_s, channel, sci->addr, sci->port,
|
||||||
|
conf_offset_val(co));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_delete_transmit_sc(void *wpa_s, u32 channel)
|
||||||
|
{
|
||||||
|
return wpa_drv_delete_transmit_sc(wpa_s, channel);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_create_transmit_sa(void *wpa_s, u32 channel, u8 an,
|
||||||
|
u32 next_pn, Boolean confidentiality,
|
||||||
|
const u8 *sak)
|
||||||
|
{
|
||||||
|
return wpa_drv_create_transmit_sa(wpa_s, channel, an, next_pn,
|
||||||
|
confidentiality, sak);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_enable_transmit_sa(void *wpa_s, u32 channel, u8 an)
|
||||||
|
{
|
||||||
|
return wpa_drv_enable_transmit_sa(wpa_s, channel, an);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int wpas_disable_transmit_sa(void *wpa_s, u32 channel, u8 an)
|
||||||
|
{
|
||||||
|
return wpa_drv_disable_transmit_sa(wpa_s, channel, an);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
||||||
|
{
|
||||||
|
struct ieee802_1x_kay_ctx *kay_ctx;
|
||||||
|
struct ieee802_1x_kay *res = NULL;
|
||||||
|
enum macsec_policy policy;
|
||||||
|
|
||||||
|
ieee802_1x_dealloc_kay_sm(wpa_s);
|
||||||
|
|
||||||
|
if (!ssid || ssid->macsec_policy == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
|
||||||
|
|
||||||
|
kay_ctx = os_zalloc(sizeof(*kay_ctx));
|
||||||
|
if (!kay_ctx)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
kay_ctx->ctx = wpa_s;
|
||||||
|
|
||||||
|
kay_ctx->macsec_init = wpas_macsec_init;
|
||||||
|
kay_ctx->macsec_deinit = wpas_macsec_deinit;
|
||||||
|
kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
|
||||||
|
kay_ctx->set_replay_protect = wpas_set_replay_protect;
|
||||||
|
kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
|
||||||
|
kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
|
||||||
|
kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
|
||||||
|
kay_ctx->get_transmit_next_pn = wpas_get_transmit_next_pn;
|
||||||
|
kay_ctx->set_transmit_next_pn = wpas_set_transmit_next_pn;
|
||||||
|
kay_ctx->get_available_receive_sc = wpas_get_available_receive_sc;
|
||||||
|
kay_ctx->create_receive_sc = wpas_create_receive_sc;
|
||||||
|
kay_ctx->delete_receive_sc = wpas_delete_receive_sc;
|
||||||
|
kay_ctx->create_receive_sa = wpas_create_receive_sa;
|
||||||
|
kay_ctx->enable_receive_sa = wpas_enable_receive_sa;
|
||||||
|
kay_ctx->disable_receive_sa = wpas_disable_receive_sa;
|
||||||
|
kay_ctx->get_available_transmit_sc = wpas_get_available_transmit_sc;
|
||||||
|
kay_ctx->create_transmit_sc = wpas_create_transmit_sc;
|
||||||
|
kay_ctx->delete_transmit_sc = wpas_delete_transmit_sc;
|
||||||
|
kay_ctx->create_transmit_sa = wpas_create_transmit_sa;
|
||||||
|
kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
|
||||||
|
kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
|
||||||
|
|
||||||
|
res = ieee802_1x_kay_init(kay_ctx, policy, wpa_s->ifname,
|
||||||
|
wpa_s->own_addr);
|
||||||
|
if (res == NULL) {
|
||||||
|
os_free(kay_ctx);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
wpa_s->kay = res;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
|
||||||
|
{
|
||||||
|
if (!wpa_s->kay)
|
||||||
|
return;
|
||||||
|
|
||||||
|
ieee802_1x_kay_deinit(wpa_s->kay);
|
||||||
|
wpa_s->kay = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int ieee802_1x_auth_get_session_id(struct wpa_supplicant *wpa_s,
|
||||||
|
const u8 *addr, u8 *sid, size_t *len)
|
||||||
|
{
|
||||||
|
const u8 *session_id;
|
||||||
|
size_t id_len, need_len;
|
||||||
|
|
||||||
|
session_id = eapol_sm_get_session_id(wpa_s->eapol, &id_len);
|
||||||
|
if (session_id == NULL) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"Failed to get SessionID from EAPOL state machines");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
need_len = 1 + 2 * SSL3_RANDOM_SIZE;
|
||||||
|
if (need_len > id_len) {
|
||||||
|
wpa_printf(MSG_DEBUG, "EAP Session-Id not long enough");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
os_memcpy(sid, session_id, need_len);
|
||||||
|
*len = need_len;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int ieee802_1x_auth_get_msk(struct wpa_supplicant *wpa_s, const u8 *addr,
|
||||||
|
u8 *msk, size_t *len)
|
||||||
|
{
|
||||||
|
u8 key[EAP_MSK_LEN];
|
||||||
|
size_t keylen;
|
||||||
|
struct eapol_sm *sm;
|
||||||
|
int res;
|
||||||
|
|
||||||
|
sm = wpa_s->eapol;
|
||||||
|
if (sm == NULL)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
keylen = EAP_MSK_LEN;
|
||||||
|
res = eapol_sm_get_key(sm, key, keylen);
|
||||||
|
if (res) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"Failed to get MSK from EAPOL state machines");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keylen > *len)
|
||||||
|
keylen = *len;
|
||||||
|
os_memcpy(msk, key, keylen);
|
||||||
|
*len = keylen;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
|
||||||
|
const u8 *peer_addr)
|
||||||
|
{
|
||||||
|
u8 *sid;
|
||||||
|
size_t sid_len = 128;
|
||||||
|
struct mka_key_name *ckn;
|
||||||
|
struct mka_key *cak;
|
||||||
|
struct mka_key *msk;
|
||||||
|
void *res = NULL;
|
||||||
|
|
||||||
|
if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"IEEE 802.1X: External notification - Create MKA for "
|
||||||
|
MACSTR, MAC2STR(peer_addr));
|
||||||
|
|
||||||
|
msk = os_zalloc(sizeof(*msk));
|
||||||
|
sid = os_zalloc(sid_len);
|
||||||
|
ckn = os_zalloc(sizeof(*ckn));
|
||||||
|
cak = os_zalloc(sizeof(*cak));
|
||||||
|
if (!msk || !sid || !ckn || !cak)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
|
msk->len = DEFAULT_KEY_LEN;
|
||||||
|
if (ieee802_1x_auth_get_msk(wpa_s, wpa_s->bssid, msk->key, &msk->len)) {
|
||||||
|
wpa_printf(MSG_ERROR, "IEEE 802.1X: Could not get MSK");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ieee802_1x_auth_get_session_id(wpa_s, wpa_s->bssid, sid, &sid_len))
|
||||||
|
{
|
||||||
|
wpa_printf(MSG_ERROR,
|
||||||
|
"IEEE 802.1X: Could not get EAP Session Id");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Derive CAK from MSK */
|
||||||
|
cak->len = DEFAULT_KEY_LEN;
|
||||||
|
if (ieee802_1x_cak_128bits_aes_cmac(msk->key, wpa_s->own_addr,
|
||||||
|
peer_addr, cak->key)) {
|
||||||
|
wpa_printf(MSG_ERROR,
|
||||||
|
"IEEE 802.1X: Deriving CAK failed");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "Derived CAK", cak->key, cak->len);
|
||||||
|
|
||||||
|
/* Derive CKN from MSK */
|
||||||
|
ckn->len = DEFAULT_CKN_LEN;
|
||||||
|
if (ieee802_1x_ckn_128bits_aes_cmac(msk->key, wpa_s->own_addr,
|
||||||
|
peer_addr, sid, sid_len,
|
||||||
|
ckn->name)) {
|
||||||
|
wpa_printf(MSG_ERROR,
|
||||||
|
"IEEE 802.1X: Deriving CKN failed");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
wpa_hexdump(MSG_DEBUG, "Derived CKN", ckn->name, ckn->len);
|
||||||
|
|
||||||
|
res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0,
|
||||||
|
EAP_EXCHANGE, FALSE);
|
||||||
|
|
||||||
|
fail:
|
||||||
|
if (msk) {
|
||||||
|
os_memset(msk, 0, sizeof(*msk));
|
||||||
|
os_free(msk);
|
||||||
|
}
|
||||||
|
os_free(sid);
|
||||||
|
os_free(ckn);
|
||||||
|
if (cak) {
|
||||||
|
os_memset(cak, 0, sizeof(*cak));
|
||||||
|
os_free(cak);
|
||||||
|
}
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
41
wpa_supplicant/wpas_kay.h
Normal file
41
wpa_supplicant/wpas_kay.h
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
* IEEE 802.1X-2010 KaY Interface
|
||||||
|
* Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
|
||||||
|
*
|
||||||
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
* See README for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef WPAS_KAY_H
|
||||||
|
#define WPAS_KAY_H
|
||||||
|
|
||||||
|
#ifdef CONFIG_MACSEC
|
||||||
|
|
||||||
|
int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s,
|
||||||
|
struct wpa_ssid *ssid);
|
||||||
|
void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
|
||||||
|
const u8 *peer_addr);
|
||||||
|
void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s);
|
||||||
|
|
||||||
|
#else /* CONFIG_MACSEC */
|
||||||
|
|
||||||
|
static inline int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s,
|
||||||
|
struct wpa_ssid *ssid)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void *
|
||||||
|
ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
|
||||||
|
const u8 *peer_addr)
|
||||||
|
{
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* CONFIG_MACSEC */
|
||||||
|
|
||||||
|
#endif /* WPAS_KAY_H */
|
Loading…
Reference in a new issue