mka: Allow 256-bit CAK to be configured for PSK mode
This allows 256-bit CAK to be used as the root key in the MKA key hierarchy. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
7a29984888
commit
871439b5d5
4 changed files with 18 additions and 11 deletions
|
|
@ -2002,16 +2002,21 @@ static int wpa_config_parse_mka_cak(const struct parse_data *data,
|
|||
struct wpa_ssid *ssid, int line,
|
||||
const char *value)
|
||||
{
|
||||
if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) ||
|
||||
value[MACSEC_CAK_LEN * 2] != '\0') {
|
||||
size_t len;
|
||||
|
||||
len = os_strlen(value);
|
||||
if (len > 2 * MACSEC_CAK_MAX_LEN ||
|
||||
(len != 2 * 16 && len != 2 * 32) ||
|
||||
hexstr2bin(value, ssid->mka_cak, len / 2)) {
|
||||
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
|
||||
line, value);
|
||||
return -1;
|
||||
}
|
||||
|
||||
ssid->mka_cak_len = len / 2;
|
||||
ssid->mka_psk_set |= MKA_PSK_SET_CAK;
|
||||
|
||||
wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN);
|
||||
wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak,
|
||||
ssid->mka_cak_len);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -2053,7 +2058,7 @@ static char * wpa_config_write_mka_cak(const struct parse_data *data,
|
|||
if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
|
||||
return NULL;
|
||||
|
||||
return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN);
|
||||
return wpa_config_write_string_hex(ssid->mka_cak, ssid->mka_cak_len);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -855,8 +855,9 @@ struct wpa_ssid {
|
|||
/**
|
||||
* mka_cak - MKA pre-shared CAK
|
||||
*/
|
||||
#define MACSEC_CAK_LEN 16
|
||||
u8 mka_cak[MACSEC_CAK_LEN];
|
||||
#define MACSEC_CAK_MAX_LEN 32
|
||||
size_t mka_cak_len;
|
||||
u8 mka_cak[MACSEC_CAK_MAX_LEN];
|
||||
|
||||
#define MKA_PSK_SET_CKN BIT(0)
|
||||
#define MKA_PSK_SET_CAK BIT(1)
|
||||
|
|
|
|||
|
|
@ -1018,9 +1018,10 @@ fast_reauth=1
|
|||
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
|
||||
# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
|
||||
# with lower priority will become the key server and start distributing SAKs.
|
||||
# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
|
||||
# hex-string (32 hex-digits)
|
||||
# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
|
||||
# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
|
||||
# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
|
||||
# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
|
||||
# (2..64 hex-digits)
|
||||
# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
|
||||
# default priority
|
||||
#
|
||||
|
|
|
|||
|
|
@ -419,7 +419,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
|
|||
if (wpa_s->kay->policy == DO_NOT_SECURE)
|
||||
goto dealloc;
|
||||
|
||||
cak->len = MACSEC_CAK_LEN;
|
||||
cak->len = ssid->mka_cak_len;
|
||||
os_memcpy(cak->key, ssid->mka_cak, cak->len);
|
||||
|
||||
ckn->len = ssid->mka_ckn_len;
|
||||
|
|
|
|||
Loading…
Reference in a new issue