mka: Add more debug print details
This makes it a bit easier to try to figure out what is going on with KaY operations and MKA setup. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
27859f5203
commit
4060cb272b
2 changed files with 263 additions and 121 deletions
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
|
* IEEE 802.1X-2010 Key Agreement Protocol of PAE state machine
|
||||||
* Copyright (c) 2013, Qualcomm Atheros, Inc.
|
* Copyright (c) 2013, Qualcomm Atheros, Inc.
|
||||||
*
|
*
|
||||||
* This software may be distributed under the terms of the BSD license.
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
|
@ -104,6 +104,34 @@ static u8 get_mka_param_body_type(const void *body)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static const char * mi_txt(const u8 *mi)
|
||||||
|
{
|
||||||
|
static char txt[MI_LEN * 2 + 1];
|
||||||
|
|
||||||
|
wpa_snprintf_hex(txt, sizeof(txt), mi, MI_LEN);
|
||||||
|
return txt;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static const char * sci_txt(const struct ieee802_1x_mka_sci *sci)
|
||||||
|
{
|
||||||
|
static char txt[ETH_ALEN * 3 + 1 + 5 + 1];
|
||||||
|
|
||||||
|
os_snprintf(txt, sizeof(txt), MACSTR "@%u",
|
||||||
|
MAC2STR(sci->addr), be_to_host16(sci->port));
|
||||||
|
return txt;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static const char * algo_agility_txt(const u8 *algo_agility)
|
||||||
|
{
|
||||||
|
static char txt[4 * 2 + 1];
|
||||||
|
|
||||||
|
wpa_snprintf_hex(txt, sizeof(txt), algo_agility, 4);
|
||||||
|
return txt;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee802_1x_mka_dump_basic_body -
|
* ieee802_1x_mka_dump_basic_body -
|
||||||
*/
|
*/
|
||||||
|
|
@ -115,26 +143,25 @@ ieee802_1x_mka_dump_basic_body(struct ieee802_1x_mka_basic_body *body)
|
||||||
if (!body)
|
if (!body)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/* IEEE Std 802.1X-2010, Figure 11-8 */
|
||||||
body_len = get_mka_param_body_len(body);
|
body_len = get_mka_param_body_len(body);
|
||||||
wpa_printf(MSG_DEBUG, "*** MKA Basic Parameter set ***");
|
wpa_printf(MSG_DEBUG, "MKA Basic Parameter Set");
|
||||||
wpa_printf(MSG_DEBUG, "\tVersion.......: %d", body->version);
|
wpa_printf(MSG_DEBUG, "\tMKA Version Identifier: %d", body->version);
|
||||||
wpa_printf(MSG_DEBUG, "\tPriority......: %d", body->priority);
|
wpa_printf(MSG_DEBUG, "\tKey Server Priority: %d", body->priority);
|
||||||
wpa_printf(MSG_DEBUG, "\tKeySvr........: %d", body->key_server);
|
wpa_printf(MSG_DEBUG, "\tKey Server: %d", body->key_server);
|
||||||
wpa_printf(MSG_DEBUG, "\tMACSecDesired.: %d", body->macsec_desired);
|
wpa_printf(MSG_DEBUG, "\tMACsec Desired: %d", body->macsec_desired);
|
||||||
wpa_printf(MSG_DEBUG, "\tMACSecCapable.: %d", body->macsec_capability);
|
wpa_printf(MSG_DEBUG, "\tMACsec Capability: %d",
|
||||||
wpa_printf(MSG_DEBUG, "\tBody Length...: %zu", body_len);
|
body->macsec_capability);
|
||||||
wpa_printf(MSG_DEBUG, "\tSCI MAC.......: " MACSTR,
|
wpa_printf(MSG_DEBUG, "\tParameter set body length: %zu", body_len);
|
||||||
MAC2STR(body->actor_sci.addr));
|
wpa_printf(MSG_DEBUG, "\tSCI: %s", sci_txt(&body->actor_sci));
|
||||||
wpa_printf(MSG_DEBUG, "\tSCI Port .....: %d",
|
wpa_printf(MSG_DEBUG, "\tActor's Member Identifier: %s",
|
||||||
be_to_host16(body->actor_sci.port));
|
mi_txt(body->actor_mi));
|
||||||
wpa_hexdump(MSG_DEBUG, "\tMember Id.....:",
|
wpa_printf(MSG_DEBUG, "\tActor's Message Number: %d",
|
||||||
body->actor_mi, sizeof(body->actor_mi));
|
|
||||||
wpa_printf(MSG_DEBUG, "\tMessage Number: %d",
|
|
||||||
be_to_host32(body->actor_mn));
|
be_to_host32(body->actor_mn));
|
||||||
wpa_hexdump(MSG_DEBUG, "\tAlgo Agility..:",
|
wpa_printf(MSG_DEBUG, "\tAlgorithm Agility: %s",
|
||||||
body->algo_agility, sizeof(body->algo_agility));
|
algo_agility_txt(body->algo_agility));
|
||||||
wpa_hexdump_ascii(MSG_DEBUG, "\tCAK Name......:", body->ckn,
|
wpa_hexdump(MSG_DEBUG, "\tCAK Name", body->ckn,
|
||||||
body_len + MKA_HDR_LEN - sizeof(*body));
|
body_len + MKA_HDR_LEN - sizeof(*body));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -152,20 +179,21 @@ ieee802_1x_mka_dump_peer_body(struct ieee802_1x_mka_peer_body *body)
|
||||||
if (body == NULL)
|
if (body == NULL)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/* IEEE Std 802.1X-2010, Figure 11-9 */
|
||||||
body_len = get_mka_param_body_len(body);
|
body_len = get_mka_param_body_len(body);
|
||||||
if (body->type == MKA_LIVE_PEER_LIST) {
|
if (body->type == MKA_LIVE_PEER_LIST) {
|
||||||
wpa_printf(MSG_DEBUG, "*** Live Peer List ***");
|
wpa_printf(MSG_DEBUG, "Live Peer List parameter set");
|
||||||
wpa_printf(MSG_DEBUG, "\tBody Length...: %zu", body_len);
|
wpa_printf(MSG_DEBUG, "\tBody Length: %zu", body_len);
|
||||||
} else if (body->type == MKA_POTENTIAL_PEER_LIST) {
|
} else if (body->type == MKA_POTENTIAL_PEER_LIST) {
|
||||||
wpa_printf(MSG_DEBUG, "*** Potential Live Peer List ***");
|
wpa_printf(MSG_DEBUG, "Potential Peer List parameter set");
|
||||||
wpa_printf(MSG_DEBUG, "\tBody Length...: %zu", body_len);
|
wpa_printf(MSG_DEBUG, "\tBody Length: %zu", body_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < body_len; i += MI_LEN + sizeof(mn)) {
|
for (i = 0; i < body_len; i += MI_LEN + sizeof(mn)) {
|
||||||
mi = body->peer + i;
|
mi = body->peer + i;
|
||||||
os_memcpy(&mn, mi + MI_LEN, sizeof(mn));
|
os_memcpy(&mn, mi + MI_LEN, sizeof(mn));
|
||||||
wpa_hexdump(MSG_DEBUG, "\tMember Id.....:", mi, MI_LEN);
|
wpa_printf(MSG_DEBUG, "\tMember Id: %s Message Number: %d",
|
||||||
wpa_printf(MSG_DEBUG, "\tMessage Number: %d", be_to_host32(mn));
|
mi_txt(mi), be_to_host32(mn));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -181,18 +209,20 @@ ieee802_1x_mka_dump_dist_sak_body(struct ieee802_1x_mka_dist_sak_body *body)
|
||||||
if (body == NULL)
|
if (body == NULL)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/* IEEE Std 802.1X-2010, Figure 11-11 and 11-12 */
|
||||||
body_len = get_mka_param_body_len(body);
|
body_len = get_mka_param_body_len(body);
|
||||||
wpa_printf(MSG_INFO, "*** Distributed SAK ***");
|
wpa_printf(MSG_DEBUG, "Distributed SAK parameter set");
|
||||||
wpa_printf(MSG_INFO, "\tDistributed AN........: %d", body->dan);
|
wpa_printf(MSG_DEBUG, "\tDistributed AN........: %d", body->dan);
|
||||||
wpa_printf(MSG_INFO, "\tConfidentiality Offset: %d",
|
wpa_printf(MSG_DEBUG, "\tConfidentiality Offset: %d",
|
||||||
body->confid_offset);
|
body->confid_offset);
|
||||||
wpa_printf(MSG_INFO, "\tBody Length...........: %zu", body_len);
|
wpa_printf(MSG_DEBUG, "\tBody Length...........: %zu", body_len);
|
||||||
if (!body_len)
|
if (!body_len)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
wpa_printf(MSG_INFO, "\tKey Number............: %d",
|
wpa_printf(MSG_DEBUG, "\tKey Number............: %d",
|
||||||
be_to_host32(body->kn));
|
be_to_host32(body->kn));
|
||||||
wpa_hexdump(MSG_INFO, "\tAES Key Wrap of SAK...:", body->sak, 24);
|
/* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */
|
||||||
|
wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -213,30 +243,29 @@ ieee802_1x_mka_dump_sak_use_body(struct ieee802_1x_mka_sak_use_body *body)
|
||||||
if (body == NULL)
|
if (body == NULL)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/* IEEE Std 802.1X-2010, Figure 11-10 */
|
||||||
body_len = get_mka_param_body_len(body);
|
body_len = get_mka_param_body_len(body);
|
||||||
wpa_printf(MSG_DEBUG, "*** MACsec SAK Use ***");
|
wpa_printf(MSG_DEBUG, "MACsec SAK Use parameter set");
|
||||||
wpa_printf(MSG_DEBUG, "\tLatest Key AN....: %d", body->lan);
|
wpa_printf(MSG_DEBUG, "\tLatest Key AN....: %d", body->lan);
|
||||||
wpa_printf(MSG_DEBUG, "\tLatest Key Tx....: %s", yes_no(body->ltx));
|
wpa_printf(MSG_DEBUG, "\tLatest Key Tx....: %s", yes_no(body->ltx));
|
||||||
wpa_printf(MSG_DEBUG, "\tLatest Key Rx....: %s", yes_no(body->lrx));
|
wpa_printf(MSG_DEBUG, "\tLatest Key Rx....: %s", yes_no(body->lrx));
|
||||||
wpa_printf(MSG_DEBUG, "\tOld Key AN.......: %d", body->oan);
|
wpa_printf(MSG_DEBUG, "\tOld Key AN.......: %d", body->oan);
|
||||||
wpa_printf(MSG_DEBUG, "\tOld Key Tx.......: %s", yes_no(body->otx));
|
wpa_printf(MSG_DEBUG, "\tOld Key Tx.......: %s", yes_no(body->otx));
|
||||||
wpa_printf(MSG_DEBUG, "\tOld Key Rx.......: %s", yes_no(body->orx));
|
wpa_printf(MSG_DEBUG, "\tOld Key Rx.......: %s", yes_no(body->orx));
|
||||||
wpa_printf(MSG_DEBUG, "\tPlain Key Tx.....: %s", yes_no(body->ptx));
|
wpa_printf(MSG_DEBUG, "\tPlain Tx.........: %s", yes_no(body->ptx));
|
||||||
wpa_printf(MSG_DEBUG, "\tPlain Key Rx.....: %s", yes_no(body->prx));
|
wpa_printf(MSG_DEBUG, "\tPlain Rx.........: %s", yes_no(body->prx));
|
||||||
wpa_printf(MSG_DEBUG, "\tDelay Protect....: %s",
|
wpa_printf(MSG_DEBUG, "\tDelay Protect....: %s",
|
||||||
yes_no(body->delay_protect));
|
yes_no(body->delay_protect));
|
||||||
wpa_printf(MSG_DEBUG, "\tBody Length......: %d", body_len);
|
wpa_printf(MSG_DEBUG, "\tBody Length......: %d", body_len);
|
||||||
if (!body_len)
|
if (!body_len)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
wpa_hexdump(MSG_DEBUG, "\tKey Server MI....:",
|
wpa_printf(MSG_DEBUG, "\tKey Server MI....: %s", mi_txt(body->lsrv_mi));
|
||||||
body->lsrv_mi, sizeof(body->lsrv_mi));
|
|
||||||
wpa_printf(MSG_DEBUG, "\tKey Number.......: %u",
|
wpa_printf(MSG_DEBUG, "\tKey Number.......: %u",
|
||||||
be_to_host32(body->lkn));
|
be_to_host32(body->lkn));
|
||||||
wpa_printf(MSG_DEBUG, "\tLowest PN........: %u",
|
wpa_printf(MSG_DEBUG, "\tLowest PN........: %u",
|
||||||
be_to_host32(body->llpn));
|
be_to_host32(body->llpn));
|
||||||
wpa_hexdump(MSG_DEBUG, "\tOld Key Server MI:",
|
wpa_printf(MSG_DEBUG, "\tOld Key Server MI: %s", mi_txt(body->osrv_mi));
|
||||||
body->osrv_mi, sizeof(body->osrv_mi));
|
|
||||||
wpa_printf(MSG_DEBUG, "\tOld Key Number...: %u",
|
wpa_printf(MSG_DEBUG, "\tOld Key Number...: %u",
|
||||||
be_to_host32(body->okn));
|
be_to_host32(body->okn));
|
||||||
wpa_printf(MSG_DEBUG, "\tOld Lowest PN....: %u",
|
wpa_printf(MSG_DEBUG, "\tOld Lowest PN....: %u",
|
||||||
|
|
@ -508,8 +537,8 @@ ieee802_1x_kay_init_receive_sc(const struct ieee802_1x_mka_sci *psci)
|
||||||
psc->receiving = FALSE;
|
psc->receiving = FALSE;
|
||||||
|
|
||||||
dl_list_init(&psc->sa_list);
|
dl_list_init(&psc->sa_list);
|
||||||
wpa_printf(MSG_DEBUG, "KaY: Create receive SC");
|
wpa_printf(MSG_DEBUG, "KaY: Create receive SC: SCI %s",
|
||||||
wpa_hexdump(MSG_DEBUG, "SCI: ", (u8 *)psci, sizeof(*psci));
|
sci_txt(&psc->sci));
|
||||||
|
|
||||||
return psc;
|
return psc;
|
||||||
}
|
}
|
||||||
|
|
@ -546,12 +575,8 @@ ieee802_1x_kay_deinit_receive_sc(
|
||||||
|
|
||||||
static void ieee802_1x_kay_dump_peer(struct ieee802_1x_kay_peer *peer)
|
static void ieee802_1x_kay_dump_peer(struct ieee802_1x_kay_peer *peer)
|
||||||
{
|
{
|
||||||
wpa_hexdump(MSG_DEBUG, "\tMI......: ", peer->mi, sizeof(peer->mi));
|
wpa_printf(MSG_DEBUG, "\tMI: %s MN: %d SCI: %s",
|
||||||
wpa_printf(MSG_DEBUG, "\tMN......: %d", peer->mn);
|
mi_txt(peer->mi), peer->mn, sci_txt(&peer->sci));
|
||||||
wpa_printf(MSG_DEBUG, "\tSCI MAC.: " MACSTR,
|
|
||||||
MAC2STR(peer->sci.addr));
|
|
||||||
wpa_printf(MSG_DEBUG, "\tSCI Port: %d",
|
|
||||||
be_to_host16(peer->sci.port));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -629,7 +654,7 @@ ieee802_1x_kay_create_potential_peer(
|
||||||
|
|
||||||
dl_list_add(&participant->potential_peers, &peer->list);
|
dl_list_add(&participant->potential_peers, &peer->list);
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "KaY: potential peer created");
|
wpa_printf(MSG_DEBUG, "KaY: Potential peer created");
|
||||||
ieee802_1x_kay_dump_peer(peer);
|
ieee802_1x_kay_dump_peer(peer);
|
||||||
|
|
||||||
return peer;
|
return peer;
|
||||||
|
|
@ -659,7 +684,7 @@ ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
|
||||||
peer->mn = mn;
|
peer->mn = mn;
|
||||||
peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
|
peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "KaY: move potential peer to live peer");
|
wpa_printf(MSG_DEBUG, "KaY: Move potential peer to live peer");
|
||||||
ieee802_1x_kay_dump_peer(peer);
|
ieee802_1x_kay_dump_peer(peer);
|
||||||
|
|
||||||
dl_list_del(&peer->list);
|
dl_list_del(&peer->list);
|
||||||
|
|
@ -720,6 +745,8 @@ ieee802_1x_mka_encode_basic_body(
|
||||||
|
|
||||||
body->version = kay->mka_version;
|
body->version = kay->mka_version;
|
||||||
body->priority = kay->actor_priority;
|
body->priority = kay->actor_priority;
|
||||||
|
/* The Key Server flag is set if and only if the participant has not
|
||||||
|
* decided that another participant is or will be the Key Server. */
|
||||||
if (participant->is_elected)
|
if (participant->is_elected)
|
||||||
body->key_server = participant->is_key_server;
|
body->key_server = participant->is_key_server;
|
||||||
else
|
else
|
||||||
|
|
@ -775,11 +802,11 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
|
||||||
|
|
||||||
if (body->version > MKA_VERSION_ID) {
|
if (body->version > MKA_VERSION_ID) {
|
||||||
wpa_printf(MSG_DEBUG,
|
wpa_printf(MSG_DEBUG,
|
||||||
"KaY: peer's version(%d) greater than mka current version(%d)",
|
"KaY: Peer's version(%d) greater than MKA current version(%d)",
|
||||||
body->version, MKA_VERSION_ID);
|
body->version, MKA_VERSION_ID);
|
||||||
}
|
}
|
||||||
if (kay->is_obliged_key_server && body->key_server) {
|
if (kay->is_obliged_key_server && body->key_server) {
|
||||||
wpa_printf(MSG_DEBUG, "I must be key server");
|
wpa_printf(MSG_DEBUG, "KaY: I must be key server - ignore MKPDU claiming to be from a key server");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -793,7 +820,8 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
|
||||||
(sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN);
|
(sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN);
|
||||||
participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len);
|
participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len);
|
||||||
if (!participant) {
|
if (!participant) {
|
||||||
wpa_printf(MSG_DEBUG, "Peer is not included in my CA");
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Peer is not included in my CA - ignore MKPDU");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -801,6 +829,9 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
|
||||||
if (os_memcmp(body->actor_mi, participant->mi, MI_LEN) == 0) {
|
if (os_memcmp(body->actor_mi, participant->mi, MI_LEN) == 0) {
|
||||||
if (!reset_participant_mi(participant))
|
if (!reset_participant_mi(participant))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Peer using my MI - selected a new random MI: %s",
|
||||||
|
mi_txt(participant->mi));
|
||||||
}
|
}
|
||||||
|
|
||||||
os_memcpy(participant->current_peer_id.mi, body->actor_mi, MI_LEN);
|
os_memcpy(participant->current_peer_id.mi, body->actor_mi, MI_LEN);
|
||||||
|
|
@ -849,8 +880,11 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
|
||||||
peer = ieee802_1x_kay_create_potential_peer(
|
peer = ieee802_1x_kay_create_potential_peer(
|
||||||
participant, body->actor_mi,
|
participant, body->actor_mi,
|
||||||
be_to_host32(body->actor_mn));
|
be_to_host32(body->actor_mn));
|
||||||
if (!peer)
|
if (!peer) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: No potential peer entry found - ignore MKPDU");
|
||||||
return NULL;
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
peer->macsec_desired = body->macsec_desired;
|
peer->macsec_desired = body->macsec_desired;
|
||||||
peer->macsec_capability = body->macsec_capability;
|
peer->macsec_capability = body->macsec_capability;
|
||||||
|
|
@ -863,7 +897,8 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
|
||||||
peer->is_key_server = (Boolean) body->key_server;
|
peer->is_key_server = (Boolean) body->key_server;
|
||||||
peer->key_server_priority = body->priority;
|
peer->key_server_priority = body->priority;
|
||||||
} else {
|
} else {
|
||||||
wpa_printf(MSG_WARNING, "KaY: The peer MN have received");
|
wpa_printf(MSG_WARNING,
|
||||||
|
"KaY: The peer MN did not increase - ignore MKPDU");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1044,9 +1079,15 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
|
||||||
peer_mi = (const struct ieee802_1x_mka_peer_id *)
|
peer_mi = (const struct ieee802_1x_mka_peer_id *)
|
||||||
(pos + MKA_HDR_LEN + i);
|
(pos + MKA_HDR_LEN + i);
|
||||||
if (os_memcmp(peer_mi->mi, participant->mi,
|
if (os_memcmp(peer_mi->mi, participant->mi,
|
||||||
MI_LEN) == 0 &&
|
MI_LEN) == 0) {
|
||||||
be_to_host32(peer_mi->mn) == participant->mn)
|
u32 mn = be_to_host32(peer_mi->mn);
|
||||||
return TRUE;
|
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: My MI - received MN %u, most recently transmitted MN %u",
|
||||||
|
mn, participant->mn);
|
||||||
|
if (mn == participant->mn)
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1334,7 +1375,9 @@ ieee802_1x_mka_decode_sak_use_body(
|
||||||
peer = ieee802_1x_kay_get_live_peer(participant,
|
peer = ieee802_1x_kay_get_live_peer(participant,
|
||||||
participant->current_peer_id.mi);
|
participant->current_peer_id.mi);
|
||||||
if (!peer) {
|
if (!peer) {
|
||||||
wpa_printf(MSG_WARNING, "KaY: the peer is not my live peer");
|
wpa_printf(MSG_WARNING,
|
||||||
|
"KaY: The peer (%s) is not my live peer - ignore MACsec SAK Use parameter set",
|
||||||
|
mi_txt(participant->current_peer_id.mi));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1617,7 +1660,7 @@ ieee802_1x_mka_decode_dist_sak_body(
|
||||||
}
|
}
|
||||||
if (participant->is_key_server) {
|
if (participant->is_key_server) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
"KaY: I can't accept the distributed SAK as myself is key server");
|
"KaY: Reject distributed SAK since I'm a key server");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (!kay->macsec_desired ||
|
if (!kay->macsec_desired ||
|
||||||
|
|
@ -1665,7 +1708,8 @@ ieee802_1x_mka_decode_dist_sak_body(
|
||||||
if (os_memcmp(sa_key->key_identifier.mi,
|
if (os_memcmp(sa_key->key_identifier.mi,
|
||||||
participant->current_peer_id.mi, MI_LEN) == 0 &&
|
participant->current_peer_id.mi, MI_LEN) == 0 &&
|
||||||
sa_key->key_identifier.kn == be_to_host32(body->kn)) {
|
sa_key->key_identifier.kn == be_to_host32(body->kn)) {
|
||||||
wpa_printf(MSG_WARNING, "KaY: The Key has installed");
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: SAK has already been installed - do not set it again");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -1778,6 +1822,7 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
|
|
||||||
length = ieee802_1x_mka_get_icv_length(participant);
|
length = ieee802_1x_mka_get_icv_length(participant);
|
||||||
if (length != DEFAULT_ICV_LEN) {
|
if (length != DEFAULT_ICV_LEN) {
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
|
||||||
body = wpabuf_put(buf, MKA_HDR_LEN);
|
body = wpabuf_put(buf, MKA_HDR_LEN);
|
||||||
body->type = MKA_ICV_INDICATOR;
|
body->type = MKA_ICV_INDICATOR;
|
||||||
set_mka_param_body_len(body, length - MKA_HDR_LEN);
|
set_mka_param_body_len(body, length - MKA_HDR_LEN);
|
||||||
|
|
@ -1789,6 +1834,7 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
wpa_printf(MSG_ERROR, "KaY: failed to calculate ICV");
|
wpa_printf(MSG_ERROR, "KaY: failed to calculate ICV");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
wpa_hexdump(MSG_DEBUG, "KaY: ICV", cmac, length);
|
||||||
|
|
||||||
if (length != DEFAULT_ICV_LEN)
|
if (length != DEFAULT_ICV_LEN)
|
||||||
length -= MKA_HDR_LEN;
|
length -= MKA_HDR_LEN;
|
||||||
|
|
@ -1800,12 +1846,12 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
/**
|
/**
|
||||||
* ieee802_1x_mka_decode_icv_body -
|
* ieee802_1x_mka_decode_icv_body -
|
||||||
*/
|
*/
|
||||||
static u8 *
|
static const u8 *
|
||||||
ieee802_1x_mka_decode_icv_body(struct ieee802_1x_mka_participant *participant,
|
ieee802_1x_mka_decode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
const u8 *mka_msg, size_t msg_len)
|
const u8 *mka_msg, size_t msg_len)
|
||||||
{
|
{
|
||||||
struct ieee802_1x_mka_hdr *hdr;
|
const struct ieee802_1x_mka_hdr *hdr;
|
||||||
struct ieee802_1x_mka_icv_body *body;
|
const struct ieee802_1x_mka_icv_body *body;
|
||||||
size_t body_len;
|
size_t body_len;
|
||||||
size_t left_len;
|
size_t left_len;
|
||||||
u8 body_type;
|
u8 body_type;
|
||||||
|
|
@ -1813,12 +1859,12 @@ ieee802_1x_mka_decode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
|
|
||||||
pos = mka_msg;
|
pos = mka_msg;
|
||||||
left_len = msg_len;
|
left_len = msg_len;
|
||||||
while (left_len > (MKA_HDR_LEN + DEFAULT_ICV_LEN)) {
|
while (left_len > MKA_HDR_LEN + DEFAULT_ICV_LEN) {
|
||||||
hdr = (struct ieee802_1x_mka_hdr *) pos;
|
hdr = (const struct ieee802_1x_mka_hdr *) pos;
|
||||||
body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr));
|
body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr));
|
||||||
body_type = get_mka_param_body_type(hdr);
|
body_type = get_mka_param_body_type(hdr);
|
||||||
|
|
||||||
if (left_len < (body_len + MKA_HDR_LEN))
|
if (left_len < body_len + MKA_HDR_LEN)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if (body_type != MKA_ICV_INDICATOR) {
|
if (body_type != MKA_ICV_INDICATOR) {
|
||||||
|
|
@ -1827,16 +1873,15 @@ ieee802_1x_mka_decode_icv_body(struct ieee802_1x_mka_participant *participant,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
body = (struct ieee802_1x_mka_icv_body *)pos;
|
body = (const struct ieee802_1x_mka_icv_body *) pos;
|
||||||
if (body_len
|
if (body_len
|
||||||
< mka_alg_tbl[participant->kay->mka_algindex].icv_len) {
|
< mka_alg_tbl[participant->kay->mka_algindex].icv_len)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
|
||||||
|
|
||||||
return body->icv;
|
return body->icv;
|
||||||
}
|
}
|
||||||
|
|
||||||
return (u8 *) (mka_msg + msg_len - DEFAULT_ICV_LEN);
|
return mka_msg + msg_len - DEFAULT_ICV_LEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1910,7 +1955,7 @@ struct mka_param_body_handler {
|
||||||
|
|
||||||
|
|
||||||
static struct mka_param_body_handler mka_body_handler[] = {
|
static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
/* basic parameter set */
|
/* Basic parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_basic_body,
|
.body_tx = ieee802_1x_mka_encode_basic_body,
|
||||||
.body_rx = NULL,
|
.body_rx = NULL,
|
||||||
|
|
@ -1918,7 +1963,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = ieee802_1x_mka_basic_body_present
|
.body_present = ieee802_1x_mka_basic_body_present
|
||||||
},
|
},
|
||||||
|
|
||||||
/* live peer list parameter set */
|
/* Live Peer List parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_live_peer_body,
|
.body_tx = ieee802_1x_mka_encode_live_peer_body,
|
||||||
.body_rx = ieee802_1x_mka_decode_live_peer_body,
|
.body_rx = ieee802_1x_mka_decode_live_peer_body,
|
||||||
|
|
@ -1926,7 +1971,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = ieee802_1x_mka_live_peer_body_present
|
.body_present = ieee802_1x_mka_live_peer_body_present
|
||||||
},
|
},
|
||||||
|
|
||||||
/* potential peer list parameter set */
|
/* Potential Peer List parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_potential_peer_body,
|
.body_tx = ieee802_1x_mka_encode_potential_peer_body,
|
||||||
.body_rx = ieee802_1x_mka_decode_potential_peer_body,
|
.body_rx = ieee802_1x_mka_decode_potential_peer_body,
|
||||||
|
|
@ -1934,7 +1979,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = ieee802_1x_mka_potential_peer_body_present
|
.body_present = ieee802_1x_mka_potential_peer_body_present
|
||||||
},
|
},
|
||||||
|
|
||||||
/* sak use parameter set */
|
/* MACsec SAK Use parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_sak_use_body,
|
.body_tx = ieee802_1x_mka_encode_sak_use_body,
|
||||||
.body_rx = ieee802_1x_mka_decode_sak_use_body,
|
.body_rx = ieee802_1x_mka_decode_sak_use_body,
|
||||||
|
|
@ -1942,7 +1987,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = ieee802_1x_mka_sak_use_body_present
|
.body_present = ieee802_1x_mka_sak_use_body_present
|
||||||
},
|
},
|
||||||
|
|
||||||
/* distribute sak parameter set */
|
/* Distributed SAK parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_dist_sak_body,
|
.body_tx = ieee802_1x_mka_encode_dist_sak_body,
|
||||||
.body_rx = ieee802_1x_mka_decode_dist_sak_body,
|
.body_rx = ieee802_1x_mka_decode_dist_sak_body,
|
||||||
|
|
@ -1950,7 +1995,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = ieee802_1x_mka_dist_sak_body_present
|
.body_present = ieee802_1x_mka_dist_sak_body_present
|
||||||
},
|
},
|
||||||
|
|
||||||
/* distribute cak parameter set */
|
/* Distribute CAK parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = NULL,
|
.body_tx = NULL,
|
||||||
.body_rx = ieee802_1x_mka_decode_dist_cak_body,
|
.body_rx = ieee802_1x_mka_decode_dist_cak_body,
|
||||||
|
|
@ -1958,7 +2003,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = NULL
|
.body_present = NULL
|
||||||
},
|
},
|
||||||
|
|
||||||
/* kmd parameter set */
|
/* KMD parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = NULL,
|
.body_tx = NULL,
|
||||||
.body_rx = ieee802_1x_mka_decode_kmd_body,
|
.body_rx = ieee802_1x_mka_decode_kmd_body,
|
||||||
|
|
@ -1966,7 +2011,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = NULL
|
.body_present = NULL
|
||||||
},
|
},
|
||||||
|
|
||||||
/* announce parameter set */
|
/* Announcement parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = NULL,
|
.body_tx = NULL,
|
||||||
.body_rx = ieee802_1x_mka_decode_announce_body,
|
.body_rx = ieee802_1x_mka_decode_announce_body,
|
||||||
|
|
@ -1974,7 +2019,7 @@ static struct mka_param_body_handler mka_body_handler[] = {
|
||||||
.body_present = NULL
|
.body_present = NULL
|
||||||
},
|
},
|
||||||
|
|
||||||
/* icv parameter set */
|
/* ICV Indicator parameter set */
|
||||||
{
|
{
|
||||||
.body_tx = ieee802_1x_mka_encode_icv_body,
|
.body_tx = ieee802_1x_mka_encode_icv_body,
|
||||||
.body_rx = NULL,
|
.body_rx = NULL,
|
||||||
|
|
@ -2234,6 +2279,9 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant)
|
||||||
sizeof(kay->key_server_sci));
|
sizeof(kay->key_server_sci));
|
||||||
kay->key_server_priority = kay->actor_priority;
|
kay->key_server_priority = kay->actor_priority;
|
||||||
} else if (key_server) {
|
} else if (key_server) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Peer %s was elected as the key server",
|
||||||
|
mi_txt(key_server->mi));
|
||||||
ieee802_1x_cp_set_electedself(kay->cp, FALSE);
|
ieee802_1x_cp_set_electedself(kay->cp, FALSE);
|
||||||
if (!sci_equal(&kay->key_server_sci, &key_server->sci)) {
|
if (!sci_equal(&kay->key_server_sci, &key_server->sci)) {
|
||||||
ieee802_1x_cp_signal_chgdserver(kay->cp);
|
ieee802_1x_cp_signal_chgdserver(kay->cp);
|
||||||
|
|
@ -2352,11 +2400,19 @@ ieee802_1x_kay_encode_mkpdu(struct ieee802_1x_mka_participant *participant,
|
||||||
os_memcpy(ether_hdr->src, participant->kay->actor_sci.addr,
|
os_memcpy(ether_hdr->src, participant->kay->actor_sci.addr,
|
||||||
sizeof(ether_hdr->dest));
|
sizeof(ether_hdr->dest));
|
||||||
ether_hdr->ethertype = host_to_be16(ETH_P_EAPOL);
|
ether_hdr->ethertype = host_to_be16(ETH_P_EAPOL);
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Ethernet header: DA=" MACSTR " SA=" MACSTR
|
||||||
|
" Ethertype=0x%x",
|
||||||
|
MAC2STR(ether_hdr->dest), MAC2STR(ether_hdr->src),
|
||||||
|
be_to_host16(ether_hdr->ethertype));
|
||||||
|
|
||||||
eapol_hdr = wpabuf_put(pbuf, sizeof(*eapol_hdr));
|
eapol_hdr = wpabuf_put(pbuf, sizeof(*eapol_hdr));
|
||||||
eapol_hdr->version = EAPOL_VERSION;
|
eapol_hdr->version = EAPOL_VERSION;
|
||||||
eapol_hdr->type = IEEE802_1X_TYPE_EAPOL_MKA;
|
eapol_hdr->type = IEEE802_1X_TYPE_EAPOL_MKA;
|
||||||
eapol_hdr->length = host_to_be16(pbuf->size - pbuf->used);
|
eapol_hdr->length = host_to_be16(wpabuf_tailroom(pbuf));
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Common EAPOL PDU structure: Protocol Version=%u Packet Type=%u Packet Body Length=%u",
|
||||||
|
eapol_hdr->version, eapol_hdr->type,
|
||||||
|
be_to_host16(eapol_hdr->length));
|
||||||
|
|
||||||
for (i = 0; i < ARRAY_SIZE(mka_body_handler); i++) {
|
for (i = 0; i < ARRAY_SIZE(mka_body_handler); i++) {
|
||||||
if (mka_body_handler[i].body_present &&
|
if (mka_body_handler[i].body_present &&
|
||||||
|
|
@ -2369,6 +2425,7 @@ ieee802_1x_kay_encode_mkpdu(struct ieee802_1x_mka_participant *participant,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee802_1x_participant_send_mkpdu -
|
* ieee802_1x_participant_send_mkpdu -
|
||||||
*/
|
*/
|
||||||
|
|
@ -2381,7 +2438,8 @@ ieee802_1x_participant_send_mkpdu(
|
||||||
size_t length = 0;
|
size_t length = 0;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "KaY: to enpacket and send the MKPDU");
|
wpa_printf(MSG_DEBUG, "KaY: Encode and send an MKPDU (ifname=%s)",
|
||||||
|
kay->if_name);
|
||||||
length += sizeof(struct ieee802_1x_hdr) + sizeof(struct ieee8023_hdr);
|
length += sizeof(struct ieee802_1x_hdr) + sizeof(struct ieee8023_hdr);
|
||||||
for (i = 0; i < ARRAY_SIZE(mka_body_handler); i++) {
|
for (i = 0; i < ARRAY_SIZE(mka_body_handler); i++) {
|
||||||
if (mka_body_handler[i].body_present &&
|
if (mka_body_handler[i].body_present &&
|
||||||
|
|
@ -2400,6 +2458,7 @@ ieee802_1x_participant_send_mkpdu(
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
wpa_hexdump_buf(MSG_MSGDUMP, "KaY: Outgoing MKPDU", buf);
|
||||||
l2_packet_send(kay->l2_mka, NULL, 0, wpabuf_head(buf), wpabuf_len(buf));
|
l2_packet_send(kay->l2_mka, NULL, 0, wpabuf_head(buf), wpabuf_len(buf));
|
||||||
wpabuf_free(buf);
|
wpabuf_free(buf);
|
||||||
|
|
||||||
|
|
@ -2436,6 +2495,8 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
|
||||||
|
|
||||||
participant = (struct ieee802_1x_mka_participant *)eloop_ctx;
|
participant = (struct ieee802_1x_mka_participant *)eloop_ctx;
|
||||||
kay = participant->kay;
|
kay = participant->kay;
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Participant timer (ifname=%s)",
|
||||||
|
kay->if_name);
|
||||||
if (participant->cak_life) {
|
if (participant->cak_life) {
|
||||||
if (now > participant->cak_life)
|
if (now > participant->cak_life)
|
||||||
goto delete_mka;
|
goto delete_mka;
|
||||||
|
|
@ -2628,8 +2689,8 @@ ieee802_1x_kay_init_transmit_sc(const struct ieee802_1x_mka_sci *sci)
|
||||||
psc->enciphering_sa = FALSE;
|
psc->enciphering_sa = FALSE;
|
||||||
|
|
||||||
dl_list_init(&psc->sa_list);
|
dl_list_init(&psc->sa_list);
|
||||||
wpa_printf(MSG_DEBUG, "KaY: Create transmit SC");
|
wpa_printf(MSG_DEBUG, "KaY: Create transmit SC - SCI: %s",
|
||||||
wpa_hexdump(MSG_DEBUG, "SCI: ", (u8 *)sci , sizeof(*sci));
|
sci_txt(&psc->sci));
|
||||||
|
|
||||||
return psc;
|
return psc;
|
||||||
}
|
}
|
||||||
|
|
@ -2945,7 +3006,8 @@ int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee802_1x_kay_mkpdu_sanity_check -
|
* ieee802_1x_kay_mkpdu_sanity_check -
|
||||||
* sanity check specified in clause 11.11.2 of IEEE802.1X-2010
|
* Sanity checks specified in IEEE Std 802.1X-2010, 11.11.2 (Validation of
|
||||||
|
* MKPDUs)
|
||||||
*/
|
*/
|
||||||
static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
||||||
const u8 *buf, size_t len)
|
const u8 *buf, size_t len)
|
||||||
|
|
@ -2959,34 +3021,49 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
||||||
size_t body_len;
|
size_t body_len;
|
||||||
size_t ckn_len;
|
size_t ckn_len;
|
||||||
u8 icv[MAX_ICV_LEN];
|
u8 icv[MAX_ICV_LEN];
|
||||||
u8 *msg_icv;
|
const u8 *msg_icv;
|
||||||
|
|
||||||
|
/* len > eth+eapol header already verified in kay_l2_receive();
|
||||||
|
* likewise, eapol_hdr->length validated there */
|
||||||
eth_hdr = (struct ieee8023_hdr *) buf;
|
eth_hdr = (struct ieee8023_hdr *) buf;
|
||||||
eapol_hdr = (struct ieee802_1x_hdr *) (eth_hdr + 1);
|
eapol_hdr = (struct ieee802_1x_hdr *) (eth_hdr + 1);
|
||||||
mka_hdr = (struct ieee802_1x_mka_hdr *) (eapol_hdr + 1);
|
mka_hdr = (struct ieee802_1x_mka_hdr *) (eapol_hdr + 1);
|
||||||
|
|
||||||
/* destination address should be not individual address */
|
wpa_printf(MSG_DEBUG, "KaY: Ethernet header: DA=" MACSTR " SA=" MACSTR
|
||||||
|
" Ethertype=0x%x",
|
||||||
|
MAC2STR(eth_hdr->dest), MAC2STR(eth_hdr->src),
|
||||||
|
be_to_host16(eth_hdr->ethertype));
|
||||||
|
|
||||||
|
/* the destination address shall not be an individual address */
|
||||||
if (os_memcmp(eth_hdr->dest, pae_group_addr, ETH_ALEN) != 0) {
|
if (os_memcmp(eth_hdr->dest, pae_group_addr, ETH_ALEN) != 0) {
|
||||||
wpa_printf(MSG_MSGDUMP,
|
wpa_printf(MSG_DEBUG,
|
||||||
"KaY: ethernet destination address is not PAE group address");
|
"KaY: ethernet destination address is not PAE group address");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* MKPDU should not be less than 32 octets */
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Common EAPOL PDU structure: Protocol Version=%u Packet Type=%u Packet Body Length=%u",
|
||||||
|
eapol_hdr->version, eapol_hdr->type,
|
||||||
|
be_to_host16(eapol_hdr->length));
|
||||||
|
|
||||||
|
/* MKPDU shall not be less than 32 octets */
|
||||||
mka_msg_len = be_to_host16(eapol_hdr->length);
|
mka_msg_len = be_to_host16(eapol_hdr->length);
|
||||||
if (mka_msg_len < 32) {
|
if (mka_msg_len < 32) {
|
||||||
wpa_printf(MSG_MSGDUMP, "KaY: MKPDU is less than 32 octets");
|
wpa_printf(MSG_DEBUG, "KaY: MKPDU is less than 32 octets");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
/* MKPDU should be a multiple of 4 octets */
|
/* MKPDU shall be a multiple of 4 octets */
|
||||||
if ((mka_msg_len % 4) != 0) {
|
if ((mka_msg_len % 4) != 0) {
|
||||||
wpa_printf(MSG_MSGDUMP,
|
wpa_printf(MSG_DEBUG,
|
||||||
"KaY: MKPDU is not multiple of 4 octets");
|
"KaY: MKPDU is not multiple of 4 octets");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
wpa_hexdump(MSG_MSGDUMP, "KaY: EAPOL-MKA Packet Body (MKPDU)",
|
||||||
|
mka_hdr, mka_msg_len);
|
||||||
|
|
||||||
|
/* Room for body_len already verified in kay_l2_receive() */
|
||||||
body = (struct ieee802_1x_mka_basic_body *) mka_hdr;
|
body = (struct ieee802_1x_mka_basic_body *) mka_hdr;
|
||||||
ieee802_1x_mka_dump_basic_body(body);
|
|
||||||
body_len = get_mka_param_body_len(body);
|
body_len = get_mka_param_body_len(body);
|
||||||
/* EAPOL-MKA body should comprise basic parameter set and ICV */
|
/* EAPOL-MKA body should comprise basic parameter set and ICV */
|
||||||
if (mka_msg_len < MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN) {
|
if (mka_msg_len < MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN) {
|
||||||
|
|
@ -3005,24 +3082,27 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
||||||
ckn_len = body_len -
|
ckn_len = body_len -
|
||||||
(sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN);
|
(sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN);
|
||||||
if (ckn_len < 1 || ckn_len > MAX_CKN_LEN) {
|
if (ckn_len < 1 || ckn_len > MAX_CKN_LEN) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_WARNING,
|
||||||
"KaY: Received EAPOL-MKA CKN Length (%zu bytes) is out of range (<= %u bytes)",
|
"KaY: Received EAPOL-MKA CKN Length (%zu bytes) is out of range (<= %u bytes)",
|
||||||
ckn_len, MAX_CKN_LEN);
|
ckn_len, MAX_CKN_LEN);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ieee802_1x_mka_dump_basic_body(body);
|
||||||
|
|
||||||
/* CKN should be owned by I */
|
/* CKN should be owned by I */
|
||||||
participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len);
|
participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len);
|
||||||
if (!participant) {
|
if (!participant) {
|
||||||
wpa_printf(MSG_DEBUG, "CKN is not included in my CA");
|
wpa_printf(MSG_DEBUG, "KaY: CKN is not included in my CA");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* algorithm agility check */
|
/* algorithm agility check */
|
||||||
if (os_memcmp(body->algo_agility, mka_algo_agility,
|
if (os_memcmp(body->algo_agility, mka_algo_agility,
|
||||||
sizeof(body->algo_agility)) != 0) {
|
sizeof(body->algo_agility)) != 0) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_INFO,
|
||||||
"KaY: peer's algorithm agility not supported for me");
|
"KaY: Peer's algorithm agility (%s) not supported",
|
||||||
|
algo_agility_txt(body->algo_agility));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -3032,23 +3112,29 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
||||||
* its size, not the fixed length 16 octets, indicated by the EAPOL
|
* its size, not the fixed length 16 octets, indicated by the EAPOL
|
||||||
* packet body length.
|
* packet body length.
|
||||||
*/
|
*/
|
||||||
if (mka_alg_tbl[kay->mka_algindex].icv_hash(
|
if (len < mka_alg_tbl[kay->mka_algindex].icv_len ||
|
||||||
|
mka_alg_tbl[kay->mka_algindex].icv_hash(
|
||||||
participant->ick.key, participant->ick.len,
|
participant->ick.key, participant->ick.len,
|
||||||
buf, len - mka_alg_tbl[kay->mka_algindex].icv_len, icv)) {
|
buf, len - mka_alg_tbl[kay->mka_algindex].icv_len, icv)) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: failed to calculate ICV");
|
wpa_printf(MSG_ERROR, "KaY: Failed to calculate ICV");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
msg_icv = ieee802_1x_mka_decode_icv_body(participant, (u8 *) mka_hdr,
|
msg_icv = ieee802_1x_mka_decode_icv_body(participant,
|
||||||
|
(const u8 *) mka_hdr,
|
||||||
mka_msg_len);
|
mka_msg_len);
|
||||||
if (!msg_icv) {
|
if (!msg_icv) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: No ICV");
|
wpa_printf(MSG_WARNING, "KaY: No ICV in MKPDU - ignore it");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
wpa_hexdump(MSG_DEBUG, "KaY: Received ICV",
|
||||||
|
msg_icv, mka_alg_tbl[kay->mka_algindex].icv_len);
|
||||||
if (os_memcmp_const(msg_icv, icv,
|
if (os_memcmp_const(msg_icv, icv,
|
||||||
mka_alg_tbl[kay->mka_algindex].icv_len) != 0) {
|
mka_alg_tbl[kay->mka_algindex].icv_len) != 0) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_WARNING,
|
||||||
"KaY: Computed ICV is not equal to Received ICV");
|
"KaY: Computed ICV is not equal to Received ICV");
|
||||||
|
wpa_hexdump(MSG_DEBUG, "KaY: Calculated ICV",
|
||||||
|
icv, mka_alg_tbl[kay->mka_algindex].icv_len);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -3073,7 +3159,10 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
||||||
Boolean handled[256];
|
Boolean handled[256];
|
||||||
Boolean bad_sak_use = FALSE; /* Error detected while processing SAK Use
|
Boolean bad_sak_use = FALSE; /* Error detected while processing SAK Use
|
||||||
* parameter set */
|
* parameter set */
|
||||||
|
Boolean i_in_peerlist, is_in_live_peer, is_in_potential_peer;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Decode received MKPDU (ifname=%s)",
|
||||||
|
kay->if_name);
|
||||||
if (ieee802_1x_kay_mkpdu_sanity_check(kay, buf, len))
|
if (ieee802_1x_kay_mkpdu_sanity_check(kay, buf, len))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
|
@ -3088,16 +3177,23 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
||||||
/* to skip basic parameter set */
|
/* to skip basic parameter set */
|
||||||
hdr = (struct ieee802_1x_mka_hdr *) pos;
|
hdr = (struct ieee802_1x_mka_hdr *) pos;
|
||||||
body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr));
|
body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr));
|
||||||
|
if (left_len < body_len + MKA_HDR_LEN)
|
||||||
|
return -1;
|
||||||
pos += body_len + MKA_HDR_LEN;
|
pos += body_len + MKA_HDR_LEN;
|
||||||
left_len -= body_len + MKA_HDR_LEN;
|
left_len -= body_len + MKA_HDR_LEN;
|
||||||
|
|
||||||
/* check i am in the peer's peer list */
|
/* check i am in the peer's peer list */
|
||||||
if (ieee802_1x_mka_i_in_peerlist(participant, pos, left_len) &&
|
i_in_peerlist = ieee802_1x_mka_i_in_peerlist(participant, pos,
|
||||||
!ieee802_1x_kay_is_in_live_peer(participant,
|
left_len);
|
||||||
participant->current_peer_id.mi)) {
|
is_in_live_peer = ieee802_1x_kay_is_in_live_peer(
|
||||||
|
participant, participant->current_peer_id.mi);
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: i_in_peerlist=%s is_in_live_peer=%s",
|
||||||
|
yes_no(i_in_peerlist), yes_no(is_in_live_peer));
|
||||||
|
if (i_in_peerlist && !is_in_live_peer) {
|
||||||
/* accept the peer as live peer */
|
/* accept the peer as live peer */
|
||||||
if (ieee802_1x_kay_is_in_potential_peer(
|
is_in_potential_peer = ieee802_1x_kay_is_in_potential_peer(
|
||||||
participant, participant->current_peer_id.mi)) {
|
participant, participant->current_peer_id.mi);
|
||||||
|
if (is_in_potential_peer) {
|
||||||
if (!ieee802_1x_kay_move_live_peer(
|
if (!ieee802_1x_kay_move_live_peer(
|
||||||
participant,
|
participant,
|
||||||
participant->current_peer_id.mi,
|
participant->current_peer_id.mi,
|
||||||
|
|
@ -3141,8 +3237,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (handled[body_type])
|
if (handled[body_type]) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Ignore duplicated body type %u",
|
||||||
|
body_type);
|
||||||
continue;
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
handled[body_type] = TRUE;
|
handled[body_type] = TRUE;
|
||||||
if (body_type < ARRAY_SIZE(mka_body_handler) &&
|
if (body_type < ARRAY_SIZE(mka_body_handler) &&
|
||||||
|
|
@ -3169,7 +3269,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
"The type %d is not supported in this MKA version %d",
|
"KaY: The body type %d is not supported in this MKA version %d",
|
||||||
body_type, MKA_VERSION_ID);
|
body_type, MKA_VERSION_ID);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -3215,8 +3315,10 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
||||||
/* MKPDU is from new or potential peer */
|
/* MKPDU is from new or potential peer */
|
||||||
peer = ieee802_1x_kay_get_peer(participant,
|
peer = ieee802_1x_kay_get_peer(participant,
|
||||||
participant->current_peer_id.mi);
|
participant->current_peer_id.mi);
|
||||||
if (!peer)
|
if (!peer) {
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: No peer entry found");
|
||||||
return -1;
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
/* Do not update potential peer watchdog. Per IEEE Std
|
/* Do not update potential peer watchdog. Per IEEE Std
|
||||||
* 802.1X-2010, 9.4.3, potential peers need to show liveness by
|
* 802.1X-2010, 9.4.3, potential peers need to show liveness by
|
||||||
|
|
@ -3241,6 +3343,9 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
|
||||||
struct ieee802_1x_kay *kay = ctx;
|
struct ieee802_1x_kay *kay = ctx;
|
||||||
struct ieee8023_hdr *eth_hdr;
|
struct ieee8023_hdr *eth_hdr;
|
||||||
struct ieee802_1x_hdr *eapol_hdr;
|
struct ieee802_1x_hdr *eapol_hdr;
|
||||||
|
size_t calc_len;
|
||||||
|
|
||||||
|
/* IEEE Std 802.1X-2010, 11.4 (Validation of received EAPOL PDUs) */
|
||||||
|
|
||||||
/* must contain at least ieee8023_hdr + ieee802_1x_hdr */
|
/* must contain at least ieee8023_hdr + ieee802_1x_hdr */
|
||||||
if (len < sizeof(*eth_hdr) + sizeof(*eapol_hdr)) {
|
if (len < sizeof(*eth_hdr) + sizeof(*eapol_hdr)) {
|
||||||
|
|
@ -3251,13 +3356,21 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
|
||||||
|
|
||||||
eth_hdr = (struct ieee8023_hdr *) buf;
|
eth_hdr = (struct ieee8023_hdr *) buf;
|
||||||
eapol_hdr = (struct ieee802_1x_hdr *) (eth_hdr + 1);
|
eapol_hdr = (struct ieee802_1x_hdr *) (eth_hdr + 1);
|
||||||
if (len != sizeof(*eth_hdr) + sizeof(*eapol_hdr) +
|
calc_len = sizeof(*eth_hdr) + sizeof(*eapol_hdr) +
|
||||||
be_to_host16(eapol_hdr->length)) {
|
be_to_host16(eapol_hdr->length);
|
||||||
wpa_printf(MSG_MSGDUMP, "KaY: EAPOL MPDU is invalid: (%lu-%lu)",
|
if (len < calc_len) {
|
||||||
|
wpa_printf(MSG_MSGDUMP, "KaY: EAPOL MPDU is invalid: (received len %lu, calculated len %lu, EAPOL length %u)",
|
||||||
(unsigned long) len,
|
(unsigned long) len,
|
||||||
(unsigned long) be_to_host16(eapol_hdr->length));
|
(unsigned long) calc_len,
|
||||||
|
be_to_host16(eapol_hdr->length));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (len > calc_len) {
|
||||||
|
wpa_hexdump(MSG_DEBUG,
|
||||||
|
"KaY: Ignore extra octets following the Packey Body field",
|
||||||
|
&buf[calc_len], len - calc_len);
|
||||||
|
len = calc_len;
|
||||||
|
}
|
||||||
|
|
||||||
if (eapol_hdr->version < EAPOL_VERSION) {
|
if (eapol_hdr->version < EAPOL_VERSION) {
|
||||||
wpa_printf(MSG_MSGDUMP, "KaY: version %d does not support MKA",
|
wpa_printf(MSG_MSGDUMP, "KaY: version %d does not support MKA",
|
||||||
|
|
@ -3266,11 +3379,12 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf,
|
||||||
}
|
}
|
||||||
if (be_to_host16(eth_hdr->ethertype) != ETH_P_PAE ||
|
if (be_to_host16(eth_hdr->ethertype) != ETH_P_PAE ||
|
||||||
eapol_hdr->type != IEEE802_1X_TYPE_EAPOL_MKA)
|
eapol_hdr->type != IEEE802_1X_TYPE_EAPOL_MKA)
|
||||||
return;
|
return; /* ignore other EAPOL types silently here */
|
||||||
|
|
||||||
wpa_hexdump(MSG_DEBUG, "RX EAPOL-MKA: ", buf, len);
|
wpa_hexdump(MSG_DEBUG, "KaY: RX EAPOL-MKA", buf, len);
|
||||||
if (dl_list_empty(&kay->participant_list)) {
|
if (dl_list_empty(&kay->participant_list)) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: no MKA participant instance");
|
wpa_printf(MSG_ERROR,
|
||||||
|
"KaY: No MKA participant instance - ignore EAPOL-MKA");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -3288,6 +3402,9 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
{
|
{
|
||||||
struct ieee802_1x_kay *kay;
|
struct ieee802_1x_kay *kay;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Initialize - ifname=%s addr=" MACSTR
|
||||||
|
" port=%u priority=%u",
|
||||||
|
ifname, MAC2STR(addr), port, priority);
|
||||||
kay = os_zalloc(sizeof(*kay));
|
kay = os_zalloc(sizeof(*kay));
|
||||||
if (!kay) {
|
if (!kay) {
|
||||||
wpa_printf(MSG_ERROR, "KaY-%s: out of memory", __func__);
|
wpa_printf(MSG_ERROR, "KaY-%s: out of memory", __func__);
|
||||||
|
|
@ -3308,6 +3425,8 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
|
||||||
os_strlcpy(kay->if_name, ifname, IFNAMSIZ);
|
os_strlcpy(kay->if_name, ifname, IFNAMSIZ);
|
||||||
os_memcpy(kay->actor_sci.addr, addr, ETH_ALEN);
|
os_memcpy(kay->actor_sci.addr, addr, ETH_ALEN);
|
||||||
kay->actor_sci.port = host_to_be16(port ? port : 0x0001);
|
kay->actor_sci.port = host_to_be16(port ? port : 0x0001);
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Generated SCI: %s",
|
||||||
|
sci_txt(&kay->actor_sci));
|
||||||
kay->actor_priority = priority;
|
kay->actor_priority = priority;
|
||||||
|
|
||||||
/* While actor acts as a key server, shall distribute sakey */
|
/* While actor acts as a key server, shall distribute sakey */
|
||||||
|
|
@ -3426,6 +3545,19 @@ ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static const char * mode_txt(enum mka_created_mode mode)
|
||||||
|
{
|
||||||
|
switch (mode) {
|
||||||
|
case PSK:
|
||||||
|
return "PSK";
|
||||||
|
case EAP_EXCHANGE:
|
||||||
|
return "EAP";
|
||||||
|
}
|
||||||
|
|
||||||
|
return "?";
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee802_1x_kay_create_mka -
|
* ieee802_1x_kay_create_mka -
|
||||||
*/
|
*/
|
||||||
|
|
@ -3438,6 +3570,10 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
struct ieee802_1x_mka_participant *participant;
|
struct ieee802_1x_mka_participant *participant;
|
||||||
unsigned int usecs;
|
unsigned int usecs;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"KaY: Create MKA (ifname=%s mode=%s authenticator=%s)",
|
||||||
|
kay->if_name, mode_txt(mode), yes_no(is_authenticator));
|
||||||
|
|
||||||
if (!kay || !ckn || !cak) {
|
if (!kay || !ckn || !cak) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: ckn or cak is null");
|
wpa_printf(MSG_ERROR, "KaY: ckn or cak is null");
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
@ -3449,7 +3585,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
if (ckn->len > MAX_CKN_LEN) {
|
if (ckn->len > MAX_CKN_LEN) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: CKN is out of range(<=32 bytes)");
|
wpa_printf(MSG_ERROR, "KaY: CKN is out of range (>32 bytes)");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
if (!kay->enable) {
|
if (!kay->enable) {
|
||||||
|
|
@ -3465,8 +3601,12 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
|
|
||||||
participant->ckn.len = ckn->len;
|
participant->ckn.len = ckn->len;
|
||||||
os_memcpy(participant->ckn.name, ckn->name, ckn->len);
|
os_memcpy(participant->ckn.name, ckn->name, ckn->len);
|
||||||
|
wpa_hexdump(MSG_DEBUG, "KaY: CKN", participant->ckn.name,
|
||||||
|
participant->ckn.len);
|
||||||
participant->cak.len = cak->len;
|
participant->cak.len = cak->len;
|
||||||
os_memcpy(participant->cak.key, cak->key, cak->len);
|
os_memcpy(participant->cak.key, cak->key, cak->len);
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "KaY: CAK", participant->cak.key,
|
||||||
|
participant->cak.len);
|
||||||
if (life)
|
if (life)
|
||||||
participant->cak_life = life + time(NULL);
|
participant->cak_life = life + time(NULL);
|
||||||
|
|
||||||
|
|
@ -3516,6 +3656,8 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
|
|
||||||
if (!reset_participant_mi(participant))
|
if (!reset_participant_mi(participant))
|
||||||
goto fail;
|
goto fail;
|
||||||
|
wpa_printf(MSG_DEBUG, "KaY: Selected random MI: %s",
|
||||||
|
mi_txt(participant->mi));
|
||||||
|
|
||||||
participant->lrx = FALSE;
|
participant->lrx = FALSE;
|
||||||
participant->ltx = FALSE;
|
participant->ltx = FALSE;
|
||||||
|
|
@ -3542,7 +3684,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
participant->ckn.len,
|
participant->ckn.len,
|
||||||
participant->kek.key,
|
participant->kek.key,
|
||||||
participant->kek.len)) {
|
participant->kek.len)) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: Derived KEK failed");
|
wpa_printf(MSG_ERROR, "KaY: KEK derivation failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
wpa_hexdump_key(MSG_DEBUG, "KaY: Derived KEK",
|
wpa_hexdump_key(MSG_DEBUG, "KaY: Derived KEK",
|
||||||
|
|
@ -3556,15 +3698,13 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
|
||||||
participant->ckn.len,
|
participant->ckn.len,
|
||||||
participant->ick.key,
|
participant->ick.key,
|
||||||
participant->ick.len)) {
|
participant->ick.len)) {
|
||||||
wpa_printf(MSG_ERROR, "KaY: Derived ICK failed");
|
wpa_printf(MSG_ERROR, "KaY: ICK derivation failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
wpa_hexdump_key(MSG_DEBUG, "KaY: Derived ICK",
|
wpa_hexdump_key(MSG_DEBUG, "KaY: Derived ICK",
|
||||||
participant->ick.key, participant->ick.len);
|
participant->ick.key, participant->ick.len);
|
||||||
|
|
||||||
dl_list_add(&kay->participant_list, &participant->list);
|
dl_list_add(&kay->participant_list, &participant->list);
|
||||||
wpa_hexdump(MSG_DEBUG, "KaY: Participant created:",
|
|
||||||
ckn->name, ckn->len);
|
|
||||||
|
|
||||||
usecs = os_random() % (kay->mka_hello_time * 1000);
|
usecs = os_random() % (kay->mka_hello_time * 1000);
|
||||||
eloop_register_timeout(0, usecs, ieee802_1x_participant_timer,
|
eloop_register_timeout(0, usecs, ieee802_1x_participant_timer,
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@
|
||||||
|
|
||||||
#define MKA_VERSION_ID 1
|
#define MKA_VERSION_ID 1
|
||||||
|
|
||||||
/* IEEE Std 802.1X-2010, 11.11.1, Table 11-7 */
|
/* IEEE Std 802.1X-2010, 11.11.1, Table 11-7 (MKPDU parameter sets) */
|
||||||
enum mka_packet_type {
|
enum mka_packet_type {
|
||||||
MKA_BASIC_PARAMETER_SET = MKA_VERSION_ID,
|
MKA_BASIC_PARAMETER_SET = MKA_VERSION_ID,
|
||||||
MKA_LIVE_PEER_LIST = 1,
|
MKA_LIVE_PEER_LIST = 1,
|
||||||
|
|
@ -131,8 +131,10 @@ struct ieee802_1x_mka_participant {
|
||||||
u8 mi[MI_LEN];
|
u8 mi[MI_LEN];
|
||||||
u32 mn;
|
u32 mn;
|
||||||
|
|
||||||
|
/* Current peer MI and SCI during MKPDU processing */
|
||||||
struct ieee802_1x_mka_peer_id current_peer_id;
|
struct ieee802_1x_mka_peer_id current_peer_id;
|
||||||
struct ieee802_1x_mka_sci current_peer_sci;
|
struct ieee802_1x_mka_sci current_peer_sci;
|
||||||
|
|
||||||
time_t cak_life;
|
time_t cak_life;
|
||||||
time_t mka_life;
|
time_t mka_life;
|
||||||
Boolean to_dist_sak;
|
Boolean to_dist_sak;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue