[PATCH 4/6] mka: cleanups, part 4

Sabrina Dubroca sd at queasysnail.net
Fri Aug 12 06:07:35 PDT 2016


 - store cipher suite ID in a u64
 - get rid of struct ieee802_1x_cp_conf: Instead of copying from kay to
   a temporary struct, and then from the struct to the sm, just copy
   from kay to cp.
 - assign cs in ieee802_1x_mka_decode_dist_sak_body and reuse it
 - cleanup of key allocation: ieee802_1x_kay_generate_new_sak and
   ieee802_1x_mka_decode_dist_sak_body both allocate a struct key_conf,
   fill it, and ask ieee802_1x_kay_init_data_key to allocate and set up
   a struct data_key.  They also allocate multiple key buffers and copy
   the same data around.  Stop moving data from buffer to buffer, and
   just allocate what we really need.

Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
---
 src/common/ieee802_1x_defs.h    |   2 +-
 src/drivers/driver.h            |   2 +-
 src/drivers/driver_macsec_qca.c |  10 +-
 src/pae/ieee802_1x_cp.c         |  51 +++------
 src/pae/ieee802_1x_cp.h         |  14 +--
 src/pae/ieee802_1x_kay.c        | 230 +++++++++++++---------------------------
 src/pae/ieee802_1x_kay.h        |   5 +-
 src/pae/ieee802_1x_kay_i.h      |  12 +--
 src/pae/ieee802_1x_secy_ops.c   |   3 +-
 src/pae/ieee802_1x_secy_ops.h   |   3 +-
 wpa_supplicant/driver_i.h       |   2 +-
 wpa_supplicant/wpas_kay.c       |   2 +-
 12 files changed, 103 insertions(+), 233 deletions(-)

diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h
index cc88caa8d2f3..a0c1d1bfafc4 100644
--- a/src/common/ieee802_1x_defs.h
+++ b/src/common/ieee802_1x_defs.h
@@ -10,7 +10,7 @@
 #define IEEE802_1X_DEFS_H
 
 #define CS_ID_LEN		8
-#define CS_ID_GCM_AES_128	{0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01}
+#define CS_ID_GCM_AES_128	0x0080020001000001ULL
 #define CS_NAME_GCM_AES_128	"GCM-AES-128"
 
 enum macsec_policy {
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index a1360093d4bf..8edbf5b24043 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3314,7 +3314,7 @@ struct wpa_driver_ops {
 	 * @cs: EUI64 identifier
 	 * Returns: 0 on success, -1 on failure (or if not supported)
 	 */
-	int (*set_current_cipher_suite)(void *priv, const u8 *cs);
+	int (*set_current_cipher_suite)(void *priv, u64 cs);
 
 	/**
 	 * enable_controlled_port - Set controlled port status
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 0c9c7274693e..c6874a98691e 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -11,6 +11,7 @@
 #include "includes.h"
 #include <sys/ioctl.h>
 #include <net/if.h>
+#include <inttypes.h>
 #ifdef __linux__
 #include <netpacket/packet.h>
 #include <net/if_arp.h>
@@ -485,13 +486,10 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
 }
 
 
-static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs)
+static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
 {
-	u8 default_cs_id[] = CS_ID_GCM_AES_128;
-
-	if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) {
-		wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite",
-			    cs, CS_ID_LEN);
+	if (cs != CS_ID_GCM_AES_128) {
+		wpa_printf(MSG_ERROR, "%s: NOT supported CipherSuite: %016" PRIx64, __func__, cs);
 		return -1;
 	}
 
diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c
index 83fd5ed73953..aa432e93f7d0 100644
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -20,7 +20,7 @@
 #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
 #define STATE_MACHINE_DEBUG_PREFIX "CP"
 
-static u8 default_cs_id[] = CS_ID_GCM_AES_128;
+static u64 default_cs_id = CS_ID_GCM_AES_128;
 
 /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
 enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
@@ -45,7 +45,7 @@ struct ieee802_1x_cp_sm {
 	Boolean elected_self;
 	u8 *authorization_data1;
 	enum confidentiality_offset cipher_offset;
-	u8 *cipher_suite;
+	u64 cipher_suite;
 	Boolean new_sak; /* clear by CP */
 	struct ieee802_1x_mka_ki distributed_ki;
 	u8 distributed_an;
@@ -71,7 +71,7 @@ struct ieee802_1x_cp_sm {
 	Boolean replay_protect;
 	u32 replay_window;
 
-	u8 *current_cipher_suite;
+	u64 current_cipher_suite;
 	enum confidentiality_offset confidentiality_offset;
 	Boolean controlled_port_enabled;
 
@@ -97,8 +97,7 @@ static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
 static int changed_cipher(struct ieee802_1x_cp_sm *sm)
 {
 	return sm->confidentiality_offset != sm->cipher_offset ||
-		os_memcmp(sm->current_cipher_suite, sm->cipher_suite,
-			  CS_ID_LEN) != 0;
+	       sm->current_cipher_suite != sm->cipher_suite;
 }
 
 
@@ -185,19 +184,16 @@ SM_STATE(CP, AUTHENTICATED)
 
 SM_STATE(CP, SECURED)
 {
-	struct ieee802_1x_cp_conf conf;
-
 	SM_ENTRY(CP, SECURED);
 
 	sm->chgd_server = FALSE;
 
-	ieee802_1x_kay_cp_conf(sm->kay, &conf);
-	sm->protect_frames = conf.protect;
-	sm->replay_protect = conf.replay_protect;
-	sm->validate_frames = conf.validate;
+	sm->protect_frames = sm->kay->macsec_protect;
+	sm->replay_protect = sm->kay->macsec_replay_protect;
+	sm->validate_frames = sm->kay->macsec_validate;
 
 	/* NOTE: now no other than default cipher suiter(AES-GCM-128) */
-	os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
+	sm->current_cipher_suite = sm->cipher_suite;
 	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
 
 	sm->confidentiality_offset = sm->cipher_offset;
@@ -427,9 +423,7 @@ SM_STEP(CP)
 /**
  * ieee802_1x_cp_sm_init -
  */
-struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
-	struct ieee802_1x_kay *kay,
-	struct ieee802_1x_cp_conf *pcp_conf)
+struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay)
 {
 	struct ieee802_1x_cp_sm *sm;
 
@@ -445,10 +439,10 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
 
 	sm->chgd_server = FALSE;
 
-	sm->protect_frames = pcp_conf->protect;
-	sm->validate_frames = pcp_conf->validate;
-	sm->replay_protect = pcp_conf->replay_protect;
-	sm->replay_window = pcp_conf->replay_window;
+	sm->protect_frames = kay->macsec_protect;
+	sm->validate_frames = kay->macsec_validate;
+	sm->replay_protect = kay->macsec_replay_protect;
+	sm->replay_window = kay->macsec_replay_window;
 
 	sm->controlled_port_enabled = FALSE;
 
@@ -459,17 +453,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
 	sm->orx = FALSE;
 	sm->otx = FALSE;
 
-	sm->cipher_suite = os_zalloc(CS_ID_LEN);
-	sm->current_cipher_suite = os_zalloc(CS_ID_LEN);
-	if (!sm->cipher_suite || !sm->current_cipher_suite) {
-		wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
-		os_free(sm->cipher_suite);
-		os_free(sm->current_cipher_suite);
-		os_free(sm);
-		return NULL;
-	}
-	os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
-	os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
+	sm->current_cipher_suite = default_cs_id;
+	sm->cipher_suite = default_cs_id;
 	sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
 	sm->confidentiality_offset = sm->cipher_offset;
 	sm->transmit_delay = MKA_LIFE_TIME;
@@ -529,8 +514,6 @@ void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
 	eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
 	os_free(sm->lki);
 	os_free(sm->oki);
-	os_free(sm->cipher_suite);
-	os_free(sm->current_cipher_suite);
 	os_free(sm->authorization_data);
 	os_free(sm);
 }
@@ -617,10 +600,10 @@ void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
 /**
  * ieee802_1x_cp_set_ciphersuite -
  */
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid)
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
 {
 	struct ieee802_1x_cp_sm *sm = cp_ctx;
-	os_memcpy(sm->cipher_suite, pid, CS_ID_LEN);
+	sm->cipher_suite = cs;
 }
 
 
diff --git a/src/pae/ieee802_1x_cp.h b/src/pae/ieee802_1x_cp.h
index 773c93052bf6..5ff5f9ff1a40 100644
--- a/src/pae/ieee802_1x_cp.h
+++ b/src/pae/ieee802_1x_cp.h
@@ -16,17 +16,7 @@ struct ieee802_1x_cp_sm;
 struct ieee802_1x_kay;
 struct ieee802_1x_mka_ki;
 
-struct ieee802_1x_cp_conf {
-	Boolean protect;
-	Boolean replay_protect;
-	enum validate_frames validate;
-	u32 replay_window;
-};
-
-
-struct ieee802_1x_cp_sm *
-ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay,
-		      struct ieee802_1x_cp_conf *pcp_conf);
+struct ieee802_1x_cp_sm *ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay);
 void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm);
 void ieee802_1x_cp_sm_step(void *cp_ctx);
 void ieee802_1x_cp_connect_pending(void *cp_ctx);
@@ -36,7 +26,7 @@ void ieee802_1x_cp_connect_secure(void *cp_ctx);
 void ieee802_1x_cp_signal_chgdserver(void *cp_ctx);
 void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status);
 void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len);
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid);
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs);
 void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset);
 void ieee802_1x_cp_signal_newsak(void *cp_ctx);
 void ieee802_1x_cp_set_distributedki(void *cp_ctx,
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 11cc6be33ef6..03bf68fdd74e 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -364,9 +364,14 @@ ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
 				u8 *cs_id)
 {
 	unsigned int i;
+	u64 cs;
+	be64 _cs;
+
+	os_memcpy(&_cs, cs_id, CS_ID_LEN);
+	cs = be_to_host64(_cs);
 
 	for (i = 0; i < CS_TABLE_SIZE; i++) {
-		if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0)
+		if (cipher_suite_tbl[i].id == cs)
 			return &cipher_suite_tbl[i];
 	}
 
@@ -1421,8 +1426,11 @@ ieee802_1x_mka_encode_dist_sak_body(
 	body->kn = host_to_be32(sak->key_identifier.kn);
 	cs_index = participant->kay->macsec_csindex;
 	sak_pos = 0;
-	if (cs_index != DEFAULT_CS_INDEX) {
-		os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
+	if (cs_index >= CS_TABLE_SIZE) {
+		return -1;
+	} else if (cs_index != DEFAULT_CS_INDEX) {
+		be64 cs = host_to_be64(cipher_suite_tbl[cs_index].id);
+		os_memcpy(body->sak, &cs, CS_ID_LEN);
 		sak_pos = CS_ID_LEN;
 	}
 	if (aes_wrap(participant->kek.key, 16,
@@ -1441,39 +1449,13 @@ ieee802_1x_mka_encode_dist_sak_body(
 /**
  * ieee802_1x_kay_init_data_key -
  */
-static struct data_key *
-ieee802_1x_kay_init_data_key(const struct key_conf *conf)
+static void ieee802_1x_kay_init_data_key(struct data_key *pkey)
 {
-	struct data_key *pkey;
-
-	if (!conf)
-		return NULL;
-
-	pkey = os_zalloc(sizeof(*pkey));
-	if (pkey == NULL) {
-		wpa_printf(MSG_ERROR, "%s: out of memory", __func__);
-		return NULL;
-	}
-
-	pkey->key = os_zalloc(conf->key_len);
-	if (pkey->key == NULL) {
-		wpa_printf(MSG_ERROR, "%s: out of memory", __func__);
-		os_free(pkey);
-		return NULL;
-	}
-
-	os_memcpy(pkey->key, conf->key, conf->key_len);
-	os_memcpy(&pkey->key_identifier, &conf->ki,
-		  sizeof(pkey->key_identifier));
-	pkey->confidentiality_offset = conf->offset;
-	pkey->an = conf->an;
-	pkey->transmits = conf->tx;
-	pkey->receives = conf->rx;
+	pkey->transmits = TRUE;
+	pkey->receives = TRUE;
 	os_get_time(&pkey->created_time);
 
 	pkey->user = 1;
-
-	return pkey;
 }
 
 
@@ -1490,9 +1472,7 @@ ieee802_1x_mka_decode_dist_sak_body(
 	struct ieee802_1x_kay_peer *peer;
 	struct macsec_ciphersuite *cs;
 	size_t body_len;
-	struct key_conf *conf;
 	struct data_key *sa_key = NULL;
-	struct ieee802_1x_mka_ki sak_ki;
 	int sak_len;
 	u8 *wrap_sak;
 	u8 *unwrap_sak;
@@ -1571,6 +1551,7 @@ ieee802_1x_mka_decode_dist_sak_body(
 		sak_len = DEFAULT_SA_KEY_LEN;
 		wrap_sak =  body->sak;
 		kay->macsec_csindex = DEFAULT_CS_INDEX;
+		cs = &cipher_suite_tbl[kay->macsec_csindex];
 	} else {
 		cs = ieee802_1x_kay_get_cipher_suite(participant, body->sak);
 		if (!cs) {
@@ -1596,61 +1577,35 @@ ieee802_1x_mka_decode_dist_sak_body(
 	}
 	wpa_hexdump(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);
 
-	conf = os_zalloc(sizeof(*conf));
-	if (!conf) {
-		wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
-		os_free(unwrap_sak);
-		return -1;
-	}
-	conf->key_len = sak_len;
-
-	conf->key = os_zalloc(conf->key_len);
-	if (!conf->key) {
-		wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
+	sa_key = os_zalloc(sizeof(*sa_key));
+	if (!sa_key) {
 		os_free(unwrap_sak);
-		os_free(conf);
 		return -1;
 	}
 
-	os_memcpy(conf->key, unwrap_sak, conf->key_len);
+	os_memcpy(&sa_key->key_identifier.mi, &participant->current_peer_id.mi, MI_LEN);
+	sa_key->key_identifier.kn = be_to_host32(body->kn);
 
-	os_memcpy(&sak_ki.mi, &participant->current_peer_id.mi,
-		  sizeof(sak_ki.mi));
-	sak_ki.kn = be_to_host32(body->kn);
+	sa_key->key = unwrap_sak;
+	sa_key->key_len = sak_len;
 
-	os_memcpy(conf->ki.mi, sak_ki.mi, MI_LEN);
-	conf->ki.kn = sak_ki.kn;
-	conf->an = body->dan;
-	conf->offset = body->confid_offset;
-	conf->rx = TRUE;
-	conf->tx = TRUE;
-
-	sa_key = ieee802_1x_kay_init_data_key(conf);
-	if (!sa_key) {
-		os_free(unwrap_sak);
-		os_free(conf->key);
-		os_free(conf);
-		return -1;
-	}
+	sa_key->confidentiality_offset = body->confid_offset;
+	sa_key->an = body->dan;
+	ieee802_1x_kay_init_data_key(sa_key);
 
 	dl_list_add(&participant->sak_list, &sa_key->list);
 
-	ieee802_1x_cp_set_ciphersuite(kay->cp,
-		cipher_suite_tbl[kay->macsec_csindex].id);
+	ieee802_1x_cp_set_ciphersuite(kay->cp, cs->id);
 	ieee802_1x_cp_sm_step(kay->cp);
 	ieee802_1x_cp_set_offset(kay->cp, body->confid_offset);
 	ieee802_1x_cp_sm_step(kay->cp);
-	ieee802_1x_cp_set_distributedki(kay->cp, &sak_ki);
+	ieee802_1x_cp_set_distributedki(kay->cp, &sa_key->key_identifier);
 	ieee802_1x_cp_set_distributedan(kay->cp, body->dan);
 	ieee802_1x_cp_signal_newsak(kay->cp);
 	ieee802_1x_cp_sm_step(kay->cp);
 
 	participant->to_use_sak = TRUE;
 
-	os_free(unwrap_sak);
-	os_free(conf->key);
-	os_free(conf);
-
 	return 0;
 }
 
@@ -1921,11 +1876,13 @@ static int
 ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 {
 	struct data_key *sa_key = NULL;
-	struct key_conf *conf;
 	struct ieee802_1x_kay_peer *peer;
 	struct ieee802_1x_kay *kay = participant->kay;
 	int ctx_len, ctx_offset;
 	u8 *context;
+	unsigned int key_len;
+	u8 *key;
+	struct macsec_ciphersuite *cs;
 
 	/* check condition for generating a fresh SAK:
 	 * must have one live peer
@@ -1952,40 +1909,29 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 		return -1;
 	}
 
-	conf = os_zalloc(sizeof(*conf));
-	if (!conf) {
-		wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
-		return -1;
-	}
-	conf->key_len = cipher_suite_tbl[kay->macsec_csindex].sak_len;
-
-	conf->key = os_zalloc(conf->key_len);
-	if (!conf->key) {
-		os_free(conf);
+	cs = &cipher_suite_tbl[kay->macsec_csindex];
+	key_len = cs->sak_len;
+	key = os_zalloc(key_len);
+	if (!key) {
 		wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
 		return -1;
 	}
 
-	ctx_len = conf->key_len + sizeof(kay->dist_kn);
+	ctx_len = key_len + sizeof(kay->dist_kn);
 	dl_list_for_each(peer, &participant->live_peers,
 			 struct ieee802_1x_kay_peer, list)
 		ctx_len += sizeof(peer->mi);
 	ctx_len += sizeof(participant->mi);
 
 	context = os_zalloc(ctx_len);
-	if (!context) {
-		os_free(conf->key);
-		os_free(conf);
-		return -1;
-	}
+	if (!context)
+		goto fail;
+
 	ctx_offset = 0;
-	if (os_get_random(context + ctx_offset, conf->key_len) < 0) {
-		os_free(context);
-		os_free(conf->key);
-		os_free(conf);
-		return -1;
-	}
-	ctx_offset += conf->key_len;
+	if (os_get_random(context + ctx_offset, key_len) < 0)
+		goto fail;
+
+	ctx_offset += key_len;
 	dl_list_for_each(peer, &participant->live_peers,
 			 struct ieee802_1x_kay_peer, list) {
 		os_memcpy(context + ctx_offset, peer->mi, sizeof(peer->mi));
@@ -1996,46 +1942,44 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 	ctx_offset += sizeof(participant->mi);
 	os_memcpy(context + ctx_offset, &kay->dist_kn, sizeof(kay->dist_kn));
 
-	if (conf->key_len == 16) {
+	if (key_len == 16) {
 		ieee802_1x_sak_128bits_aes_cmac(participant->cak.key,
-						context, ctx_len, conf->key);
-	} else if (conf->key_len == 32) {
+						context, ctx_len, key);
+	} else if (key_len == 32) {
 		ieee802_1x_sak_128bits_aes_cmac(participant->cak.key,
-						context, ctx_len, conf->key);
+						context, ctx_len, key);
 	} else {
 		wpa_printf(MSG_ERROR, "KaY: SAK Length not support");
-		os_free(conf->key);
-		os_free(conf);
-		os_free(context);
-		return -1;
+		goto fail;
 	}
-	wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK",
-		    conf->key, conf->key_len);
-
-	os_memcpy(conf->ki.mi, participant->mi, MI_LEN);
-	conf->ki.kn = participant->kay->dist_kn;
-	conf->an = participant->kay->dist_an;
-	conf->offset = kay->macsec_confidentiality;
-	conf->rx = TRUE;
-	conf->tx = TRUE;
+	wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
+	os_free(context);
 
-	sa_key = ieee802_1x_kay_init_data_key(conf);
-	if (!sa_key) {
-		os_free(conf->key);
-		os_free(conf);
-		os_free(context);
+	sa_key = os_zalloc(sizeof(*sa_key));
+	if (sa_key == NULL) {
+		wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
+		os_free(key);
 		return -1;
 	}
+
+	sa_key->key = key;
+	sa_key->key_len = key_len;
+	os_memcpy(sa_key->key_identifier.mi, participant->mi, MI_LEN);
+	sa_key->key_identifier.kn = kay->dist_kn;
+
+	sa_key->confidentiality_offset = kay->macsec_confidentiality;
+	sa_key->an = kay->dist_an;
+	ieee802_1x_kay_init_data_key(sa_key);
+
 	participant->new_key = sa_key;
 
 	dl_list_add(&participant->sak_list, &sa_key->list);
-	ieee802_1x_cp_set_ciphersuite(participant->kay->cp,
-				      cipher_suite_tbl[kay->macsec_csindex].id);
+	ieee802_1x_cp_set_ciphersuite(kay->cp, cs->id);
 	ieee802_1x_cp_sm_step(kay->cp);
-	ieee802_1x_cp_set_offset(kay->cp, conf->offset);
+	ieee802_1x_cp_set_offset(kay->cp, kay->macsec_confidentiality);
 	ieee802_1x_cp_sm_step(kay->cp);
-	ieee802_1x_cp_set_distributedki(kay->cp, &conf->ki);
-	ieee802_1x_cp_set_distributedan(kay->cp, conf->an);
+	ieee802_1x_cp_set_distributedki(kay->cp, &sa_key->key_identifier);
+	ieee802_1x_cp_set_distributedan(kay->cp, sa_key->an);
 	ieee802_1x_cp_signal_newsak(kay->cp);
 	ieee802_1x_cp_sm_step(kay->cp);
 
@@ -2050,10 +1994,12 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 
 	kay->dist_time = time(NULL);
 
-	os_free(conf->key);
-	os_free(conf);
-	os_free(context);
 	return 0;
+
+fail:
+	os_free(key);
+	os_free(context);
+	return -1;
 }
 
 
@@ -2798,38 +2744,6 @@ int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay)
 
 
 /**
- * ieee802_1x_kay_cp_conf -
- */
-int ieee802_1x_kay_cp_conf(struct ieee802_1x_kay *kay,
-			   struct ieee802_1x_cp_conf *pconf)
-{
-	pconf->protect = kay->macsec_protect;
-	pconf->replay_protect = kay->macsec_replay_protect;
-	pconf->validate = kay->macsec_validate;
-
-	return 0;
-}
-
-
-/**
- * ieee802_1x_kay_alloc_cp_sm -
- */
-static struct ieee802_1x_cp_sm *
-ieee802_1x_kay_alloc_cp_sm(struct ieee802_1x_kay *kay)
-{
-	struct ieee802_1x_cp_conf conf;
-
-	os_memset(&conf, 0, sizeof(conf));
-	conf.protect = kay->macsec_protect;
-	conf.replay_protect = kay->macsec_replay_protect;
-	conf.validate = kay->macsec_validate;
-	conf.replay_window = kay->macsec_replay_window;
-
-	return ieee802_1x_cp_sm_init(kay, &conf);
-}
-
-
-/**
  * ieee802_1x_kay_mkpdu_sanity_check -
  *     sanity check specified in clause 11.11.2 of IEEE802.1X-2010
  */
@@ -3146,7 +3060,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 	wpa_printf(MSG_DEBUG, "KaY: secy init macsec done");
 
 	/* init CP */
-	kay->cp = ieee802_1x_kay_alloc_cp_sm(kay);
+	kay->cp = ieee802_1x_cp_sm_init(kay);
 	if (kay->cp == NULL) {
 		ieee802_1x_kay_deinit(kay);
 		return NULL;
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 763be68d585a..c339d6d66334 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -14,7 +14,6 @@
 #include "common/ieee802_1x_defs.h"
 
 struct macsec_init_params;
-struct ieee802_1x_cp_conf;
 
 #define MI_LEN			12
 #define MAX_KEY_LEN		32  /* 32 bytes, 256 bits */
@@ -59,7 +58,7 @@ struct ieee802_1x_kay_ctx {
 	int (*macsec_deinit)(void *ctx);
 	int (*enable_protect_frames)(void *ctx, Boolean enabled);
 	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
-	int (*set_current_cipher_suite)(void *ctx, const u8 *cs);
+	int (*set_current_cipher_suite)(void *ctx, u64 cs);
 	int (*enable_controlled_port)(void *ctx, Boolean enabled);
 	int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
 				     u32 *lowest_pn);
@@ -186,7 +185,5 @@ int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
 int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
 				 struct ieee802_1x_mka_ki *lki);
 int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
-int ieee802_1x_kay_cp_conf(struct ieee802_1x_kay *kay,
-			   struct ieee802_1x_cp_conf *pconf);
 
 #endif /* IEEE802_1X_KAY_H */
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
index 558bad9f4795..622282e97c51 100644
--- a/src/pae/ieee802_1x_kay_i.h
+++ b/src/pae/ieee802_1x_kay_i.h
@@ -54,16 +54,6 @@ struct ieee802_1x_kay_peer {
 	struct dl_list list;
 };
 
-struct key_conf {
-	u8 *key;
-	struct ieee802_1x_mka_ki ki;
-	enum confidentiality_offset offset;
-	u8 an;
-	Boolean tx;
-	Boolean rx;
-	int key_len; /* unit: byte */
-};
-
 struct data_key {
 	u8 *key;
 	int key_len;
@@ -147,7 +137,7 @@ struct receive_sa {
 };
 
 struct macsec_ciphersuite {
-	u8 id[CS_ID_LEN];
+	u64 id;
 	char name[32];
 	enum macsec_cap capable;
 	int sak_len; /* unit: byte */
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index 8a6f05ae6ba1..2d12911dbfcf 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -65,8 +65,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
 }
 
 
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
-					 const u8 *cs)
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
 {
 	struct ieee802_1x_kay_ctx *ops;
 
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index c9fd33f545e8..f5057ee11958 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -26,8 +26,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
 				    enum validate_frames vf);
 int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
 int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
-					 const u8 *cs);
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
 int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
 					   enum confidentiality_offset co);
 int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 63b225a1911b..220b7ba3ddca 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -733,7 +733,7 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
 }
 
 static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
-						   const u8 *cs)
+						   u64 cs)
 {
 	if (!wpa_s->driver->set_current_cipher_suite)
 		return -1;
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 21a201092f90..1cb301ff180b 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -50,7 +50,7 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
 }
 
 
-static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs)
+static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs)
 {
 	return wpa_drv_set_current_cipher_suite(wpa_s, cs);
 }
-- 
2.9.2




More information about the Hostap mailing list