From 871439b5d5079ec88d60cc23c30d44138271bec0 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 26 Dec 2018 12:27:39 +0200 Subject: [PATCH] mka: Allow 256-bit CAK to be configured for PSK mode This allows 256-bit CAK to be used as the root key in the MKA key hierarchy. Signed-off-by: Jouni Malinen --- wpa_supplicant/config.c | 15 ++++++++++----- wpa_supplicant/config_ssid.h | 5 +++-- wpa_supplicant/wpa_supplicant.conf | 7 ++++--- wpa_supplicant/wpas_kay.c | 2 +- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 2fd9e8592..7a95ea49e 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2002,16 +2002,21 @@ static int wpa_config_parse_mka_cak(const struct parse_data *data, struct wpa_ssid *ssid, int line, const char *value) { - if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) || - value[MACSEC_CAK_LEN * 2] != '\0') { + size_t len; + + len = os_strlen(value); + if (len > 2 * MACSEC_CAK_MAX_LEN || + (len != 2 * 16 && len != 2 * 32) || + hexstr2bin(value, ssid->mka_cak, len / 2)) { wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.", line, value); return -1; } - + ssid->mka_cak_len = len / 2; ssid->mka_psk_set |= MKA_PSK_SET_CAK; - wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN); + wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, + ssid->mka_cak_len); return 0; } @@ -2053,7 +2058,7 @@ static char * wpa_config_write_mka_cak(const struct parse_data *data, if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK)) return NULL; - return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN); + return wpa_config_write_string_hex(ssid->mka_cak, ssid->mka_cak_len); } diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 3da3ed472..6cf655785 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -855,8 +855,9 @@ struct wpa_ssid { /** * mka_cak - MKA pre-shared CAK */ -#define MACSEC_CAK_LEN 16 - u8 mka_cak[MACSEC_CAK_LEN]; +#define MACSEC_CAK_MAX_LEN 32 + size_t mka_cak_len; + u8 mka_cak[MACSEC_CAK_MAX_LEN]; #define MKA_PSK_SET_CKN BIT(0) #define MKA_PSK_SET_CAK BIT(1) diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 58dbf0409..2bc3fda94 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -1018,9 +1018,10 @@ fast_reauth=1 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer # with lower priority will become the key server and start distributing SAKs. -# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit) -# hex-string (32 hex-digits) -# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits) +# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) +# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) +# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string +# (2..64 hex-digits) # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # default priority # diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 39ed6774b..707e5bb6d 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -419,7 +419,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s, if (wpa_s->kay->policy == DO_NOT_SECURE) goto dealloc; - cak->len = MACSEC_CAK_LEN; + cak->len = ssid->mka_cak_len; os_memcpy(cak->key, ssid->mka_cak, cak->len); ckn->len = ssid->mka_ckn_len;