jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

mka: Allow 256-bit CAK to be configured for PSK mode

Browse source 
This allows 256-bit CAK to be used as the root key in the MKA key
hierarchy.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2018-12-26 12:27:39 +02:00
parent 7a29984888
commit 871439b5d5
4 changed files with 18 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
wpa_supplicant/config.c
View file

@ -2002,16 +2002,21 @@ static int wpa_config_parse_mka_cak(const struct parse_data *data,
struct wpa_ssid *ssid, int line, struct wpa_ssid *ssid, int line,
const char *value) const char *value)
{ {
if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) || size_t len;
value[MACSEC_CAK_LEN * 2] != '\0') {
len = os_strlen(value);
if (len > 2 * MACSEC_CAK_MAX_LEN ||
(len != 2 * 16 && len != 2 * 32) ||
hexstr2bin(value, ssid->mka_cak, len / 2)) {
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.", wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
line, value); line, value);
return -1; return -1;
} }
ssid->mka_cak_len = len / 2;
ssid->mka_psk_set |= MKA_PSK_SET_CAK; ssid->mka_psk_set |= MKA_PSK_SET_CAK;
wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN); wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak,
ssid->mka_cak_len);
return 0; return 0;
} }
@ -2053,7 +2058,7 @@ static char * wpa_config_write_mka_cak(const struct parse_data *data,
if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK)) if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
return NULL; return NULL;
return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN); return wpa_config_write_string_hex(ssid->mka_cak, ssid->mka_cak_len);
} }

5
wpa_supplicant/config_ssid.h
View file

@ -855,8 +855,9 @@ struct wpa_ssid {
/** /**
* mka_cak - MKA pre-shared CAK * mka_cak - MKA pre-shared CAK
*/ */
#define MACSEC_CAK_LEN 16 #define MACSEC_CAK_MAX_LEN 32
u8 mka_cak[MACSEC_CAK_LEN]; size_t mka_cak_len;
u8 mka_cak[MACSEC_CAK_MAX_LEN];
#define MKA_PSK_SET_CKN BIT(0) #define MKA_PSK_SET_CKN BIT(0)
#define MKA_PSK_SET_CAK BIT(1) #define MKA_PSK_SET_CAK BIT(1)

7
wpa_supplicant/wpa_supplicant.conf
View file

@ -1018,9 +1018,10 @@ fast_reauth=1
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
# with lower priority will become the key server and start distributing SAKs. # with lower priority will become the key server and start distributing SAKs.
# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit) # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
# hex-string (32 hex-digits) # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits) # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
# (2..64 hex-digits)
# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
# default priority # default priority
# #

2
wpa_supplicant/wpas_kay.c
View file

@ -419,7 +419,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
if (wpa_s->kay->policy == DO_NOT_SECURE) if (wpa_s->kay->policy == DO_NOT_SECURE)
goto dealloc; goto dealloc;
cak->len = MACSEC_CAK_LEN; cak->len = ssid->mka_cak_len;
os_memcpy(cak->key, ssid->mka_cak, cak->len); os_memcpy(cak->key, ssid->mka_cak, cak->len);
ckn->len = ssid->mka_ckn_len; ckn->len = ssid->mka_ckn_len;