[PATCH 3/6] mka: cleanups, part 3
Sabrina Dubroca
sd at queasysnail.net
Mon Aug 15 02:43:42 PDT 2016
- use named initializers
- reorganize mkpdu_sanity_check, live peer creation, key server
election, mka deletion
- small whitespace and logical operation cleanups
- remove cs_len argument from the set_current_cipher_suite
functions (known constant value)
- replace participant->kay with a local kay variable
Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
---
src/drivers/driver.h | 4 +-
src/drivers/driver_macsec_qca.c | 8 +-
src/pae/ieee802_1x_cp.c | 3 +-
src/pae/ieee802_1x_kay.c | 349 ++++++++++++++++++----------------------
src/pae/ieee802_1x_kay.h | 4 +-
src/pae/ieee802_1x_secy_ops.c | 4 +-
src/pae/ieee802_1x_secy_ops.h | 2 +-
wpa_supplicant/driver_i.h | 5 +-
wpa_supplicant/wpas_kay.c | 5 +-
9 files changed, 169 insertions(+), 215 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index cf4984777418..a1360093d4bf 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -3312,11 +3312,9 @@ struct wpa_driver_ops {
* set_current_cipher_suite - Set current cipher suite
* @priv: Private driver interface data
* @cs: EUI64 identifier
- * @cs_len: Length of the cs buffer in octets
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*set_current_cipher_suite)(void *priv, const u8 *cs,
- size_t cs_len);
+ int (*set_current_cipher_suite)(void *priv, const u8 *cs);
/**
* enable_controlled_port - Set controlled port status
diff --git a/src/drivers/driver_macsec_qca.c b/src/drivers/driver_macsec_qca.c
index 3eae2f89d20e..0c9c7274693e 100644
--- a/src/drivers/driver_macsec_qca.c
+++ b/src/drivers/driver_macsec_qca.c
@@ -485,15 +485,13 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
}
-static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs,
- size_t cs_len)
+static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs)
{
u8 default_cs_id[] = CS_ID_GCM_AES_128;
- if (cs_len != CS_ID_LEN ||
- os_memcmp(cs, default_cs_id, cs_len) != 0) {
+ if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) {
wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite",
- cs, cs_len);
+ cs, CS_ID_LEN);
return -1;
}
diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c
index cf43c594c402..83fd5ed73953 100644
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -198,8 +198,7 @@ SM_STATE(CP, SECURED)
/* NOTE: now no other than default cipher suiter(AES-GCM-128) */
os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
- secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite,
- CS_ID_LEN);
+ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
sm->confidentiality_offset = sm->cipher_offset;
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index d10eb9fa1e16..11cc6be33ef6 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -79,16 +79,6 @@ static int is_ki_equal(struct ieee802_1x_mka_ki *ki1,
}
-struct mka_param_body_handler {
- int (*body_tx)(struct ieee802_1x_mka_participant *participant,
- struct wpabuf *buf);
- int (*body_rx)(struct ieee802_1x_mka_participant *participant,
- const u8 *mka_msg, size_t msg_len);
- int (*body_length)(struct ieee802_1x_mka_participant *participant);
- Boolean (*body_present)(struct ieee802_1x_mka_participant *participant);
-};
-
-
static void set_mka_param_body_len(void *body, unsigned int len)
{
struct ieee802_1x_mka_hdr *hdr = body;
@@ -350,18 +340,6 @@ ieee802_1x_kay_is_in_live_peer(
/**
- * ieee802_1x_kay_is_in_peer
- */
-static Boolean
-ieee802_1x_kay_is_in_peer(struct ieee802_1x_mka_participant *participant,
- const u8 *mi)
-{
- return ieee802_1x_kay_is_in_live_peer(participant, mi) ||
- ieee802_1x_kay_is_in_potential_peer(participant, mi);
-}
-
-
-/**
* ieee802_1x_kay_get_peer
*/
static struct ieee802_1x_kay_peer *
@@ -706,7 +684,7 @@ ieee802_1x_mka_encode_basic_body(
os_memcpy(body->actor_mi, participant->mi, sizeof(body->actor_mi));
participant->mn = participant->mn + 1;
body->actor_mn = host_to_be32(participant->mn);
- os_memcpy(body->algo_agility, participant->kay->algo_agility,
+ os_memcpy(body->algo_agility, kay->algo_agility,
sizeof(body->algo_agility));
os_memcpy(body->ckn, participant->ckn.name, participant->ckn.len);
@@ -1154,6 +1132,7 @@ ieee802_1x_mka_encode_sak_use_body(
struct wpabuf *buf)
{
struct ieee802_1x_mka_sak_use_body *body;
+ struct ieee802_1x_kay *kay = participant->kay;
unsigned int length;
u32 pn = 1;
@@ -1174,9 +1153,9 @@ ieee802_1x_mka_encode_sak_use_body(
}
/* data protect, lowest accept packet number */
- body->delay_protect = participant->kay->macsec_replay_protect;
+ body->delay_protect = kay->macsec_replay_protect;
pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
- if (pn > participant->kay->pn_exhaustion) {
+ if (pn > kay->pn_exhaustion) {
wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
if (participant->is_key_server)
participant->new_sak = TRUE;
@@ -1187,20 +1166,12 @@ ieee802_1x_mka_encode_sak_use_body(
body->olpn = host_to_be32(pn);
/* plain tx, plain rx */
- if (participant->kay->macsec_protect)
- body->ptx = FALSE;
- else
- body->ptx = TRUE;
-
- if (participant->kay->macsec_validate == Strict)
- body->prx = FALSE;
- else
- body->prx = TRUE;
+ body->ptx = !kay->macsec_protect;
+ body->prx = !(kay->macsec_validate == Strict);
/* latest key: rx, tx, key server member identifier key number */
body->lan = participant->lan;
- os_memcpy(body->lsrv_mi, participant->lki.mi,
- sizeof(body->lsrv_mi));
+ os_memcpy(body->lsrv_mi, participant->lki.mi, sizeof(body->lsrv_mi));
body->lkn = host_to_be32(participant->lki.kn);
body->lrx = participant->lrx;
body->ltx = participant->ltx;
@@ -1221,16 +1192,11 @@ ieee802_1x_mka_encode_sak_use_body(
/* set CP's variable */
if (body->ltx) {
- if (!participant->kay->tx_enable)
- participant->kay->tx_enable = TRUE;
-
- if (!participant->kay->port_enable)
- participant->kay->port_enable = TRUE;
- }
- if (body->lrx) {
- if (!participant->kay->rx_enable)
- participant->kay->rx_enable = TRUE;
+ kay->tx_enable = TRUE;
+ kay->port_enable = TRUE;
}
+ if (body->lrx)
+ kay->rx_enable = TRUE;
ieee802_1x_mka_dump_sak_use_body(body);
return 0;
@@ -1254,7 +1220,8 @@ ieee802_1x_mka_decode_sak_use_body(
struct ieee802_1x_mka_ki ki;
u32 lpn;
Boolean all_receiving;
- Boolean founded;
+ Boolean found;
+ struct ieee802_1x_kay *kay = participant->kay;
if (!participant->principal) {
wpa_printf(MSG_WARNING, "KaY: Participant is not principal");
@@ -1296,17 +1263,17 @@ ieee802_1x_mka_decode_sak_use_body(
/* check latest key is valid */
if (body->ltx || body->lrx) {
- founded = FALSE;
+ found = FALSE;
os_memcpy(ki.mi, body->lsrv_mi, sizeof(ki.mi));
ki.kn = be_to_host32(body->lkn);
dl_list_for_each(sa_key, &participant->sak_list,
struct data_key, list) {
if (is_ki_equal(&sa_key->key_identifier, &ki)) {
- founded = TRUE;
+ found = TRUE;
break;
}
}
- if (!founded) {
+ if (!found) {
wpa_printf(MSG_WARNING, "KaY: Latest key is invalid");
return -1;
}
@@ -1317,9 +1284,8 @@ ieee802_1x_mka_decode_sak_use_body(
peer->sak_used = TRUE;
}
if (body->ltx && peer->is_key_server) {
- ieee802_1x_cp_set_servertransmitting(
- participant->kay->cp, TRUE);
- ieee802_1x_cp_sm_step(participant->kay->cp);
+ ieee802_1x_cp_set_servertransmitting(kay->cp, TRUE);
+ ieee802_1x_cp_sm_step(kay->cp);
}
}
@@ -1353,28 +1319,28 @@ ieee802_1x_mka_decode_sak_use_body(
}
if (all_receiving) {
participant->to_dist_sak = FALSE;
- ieee802_1x_cp_set_allreceiving(participant->kay->cp, TRUE);
- ieee802_1x_cp_sm_step(participant->kay->cp);
+ ieee802_1x_cp_set_allreceiving(kay->cp, TRUE);
+ ieee802_1x_cp_sm_step(kay->cp);
}
/* if i'm key server, and detects peer member pn exhaustion, rekey.*/
lpn = be_to_host32(body->llpn);
- if (lpn > participant->kay->pn_exhaustion) {
+ if (lpn > kay->pn_exhaustion) {
if (participant->is_key_server) {
participant->new_sak = TRUE;
wpa_printf(MSG_WARNING, "KaY: Peer LPN exhaustion");
}
}
- founded = FALSE;
+ found = FALSE;
dl_list_for_each(txsa, &participant->txsc->sa_list,
struct transmit_sa, list) {
if (sa_key != NULL && txsa->pkey == sa_key) {
- founded = TRUE;
+ found = TRUE;
break;
}
}
- if (!founded) {
+ if (!found) {
wpa_printf(MSG_WARNING, "KaY: Can't find txsa");
return -1;
}
@@ -1382,9 +1348,9 @@ ieee802_1x_mka_decode_sak_use_body(
/* FIXME: Secy creates txsa with default npn. If MKA detected Latest Key
* npn is larger than txsa's npn, set it to txsa.
*/
- secy_get_transmit_next_pn(participant->kay, txsa);
+ secy_get_transmit_next_pn(kay, txsa);
if (lpn > txsa->next_pn) {
- secy_set_transmit_next_pn(participant->kay, txsa);
+ secy_set_transmit_next_pn(kay, txsa);
wpa_printf(MSG_INFO, "KaY: update lpn =0x%x", lpn);
}
@@ -1399,10 +1365,7 @@ static Boolean
ieee802_1x_mka_dist_sak_body_present(
struct ieee802_1x_mka_participant *participant)
{
- if (!participant->to_dist_sak || !participant->new_key)
- return FALSE;
-
- return TRUE;
+ return participant->to_dist_sak && participant->new_key;
}
@@ -1533,6 +1496,7 @@ ieee802_1x_mka_decode_dist_sak_body(
int sak_len;
u8 *wrap_sak;
u8 *unwrap_sak;
+ struct ieee802_1x_kay *kay = participant->kay;
hdr = (struct ieee802_1x_mka_hdr *) mka_msg;
body_len = get_mka_param_body_len(hdr);
@@ -1553,8 +1517,8 @@ ieee802_1x_mka_decode_dist_sak_body(
"KaY: I can't accept the distributed SAK as myself is key server ");
return -1;
}
- if (!participant->kay->macsec_desired ||
- participant->kay->macsec_capable == MACSEC_CAP_NOT_IMPLEMENTED) {
+ if (!kay->macsec_desired ||
+ kay->macsec_capable == MACSEC_CAP_NOT_IMPLEMENTED) {
wpa_printf(MSG_ERROR,
"KaY: I am not MACsec-desired or without MACsec capable");
return -1;
@@ -1567,27 +1531,29 @@ ieee802_1x_mka_decode_dist_sak_body(
"KaY: The key server is not in my live peers list");
return -1;
}
- if (!sci_equal(&participant->kay->key_server_sci, &peer->sci)) {
+ if (!sci_equal(&kay->key_server_sci, &peer->sci)) {
wpa_printf(MSG_ERROR, "KaY: The key server is not elected");
return -1;
}
+
if (body_len == 0) {
- participant->kay->authenticated = TRUE;
- participant->kay->secured = FALSE;
- participant->kay->failed = FALSE;
+ kay->authenticated = TRUE;
+ kay->secured = FALSE;
+ kay->failed = FALSE;
participant->advised_desired = FALSE;
- ieee802_1x_cp_connect_authenticated(participant->kay->cp);
- ieee802_1x_cp_sm_step(participant->kay->cp);
+ ieee802_1x_cp_connect_authenticated(kay->cp);
+ ieee802_1x_cp_sm_step(kay->cp);
wpa_printf(MSG_WARNING, "KaY:The Key server advise no MACsec");
participant->to_use_sak = TRUE;
return 0;
}
+
participant->advised_desired = TRUE;
- participant->kay->authenticated = FALSE;
- participant->kay->secured = TRUE;
- participant->kay->failed = FALSE;
- ieee802_1x_cp_connect_secure(participant->kay->cp);
- ieee802_1x_cp_sm_step(participant->kay->cp);
+ kay->authenticated = FALSE;
+ kay->secured = TRUE;
+ kay->failed = FALSE;
+ ieee802_1x_cp_connect_secure(kay->cp);
+ ieee802_1x_cp_sm_step(kay->cp);
body = (struct ieee802_1x_mka_dist_sak_body *)mka_msg;
ieee802_1x_mka_dump_dist_sak_body(body);
@@ -1600,10 +1566,11 @@ ieee802_1x_mka_decode_dist_sak_body(
return 0;
}
}
+
if (body_len == 28) {
sak_len = DEFAULT_SA_KEY_LEN;
wrap_sak = body->sak;
- participant->kay->macsec_csindex = DEFAULT_CS_INDEX;
+ kay->macsec_csindex = DEFAULT_CS_INDEX;
} else {
cs = ieee802_1x_kay_get_cipher_suite(participant, body->sak);
if (!cs) {
@@ -1613,7 +1580,7 @@ ieee802_1x_mka_decode_dist_sak_body(
}
sak_len = cs->sak_len;
wrap_sak = body->sak + CS_ID_LEN;
- participant->kay->macsec_csindex = cs->index;
+ kay->macsec_csindex = cs->index;
}
unwrap_sak = os_zalloc(sak_len);
@@ -1668,16 +1635,15 @@ ieee802_1x_mka_decode_dist_sak_body(
dl_list_add(&participant->sak_list, &sa_key->list);
- ieee802_1x_cp_set_ciphersuite(
- participant->kay->cp,
- cipher_suite_tbl[participant->kay->macsec_csindex].id);
- ieee802_1x_cp_sm_step(participant->kay->cp);
- ieee802_1x_cp_set_offset(participant->kay->cp, body->confid_offset);
- ieee802_1x_cp_sm_step(participant->kay->cp);
- ieee802_1x_cp_set_distributedki(participant->kay->cp, &sak_ki);
- ieee802_1x_cp_set_distributedan(participant->kay->cp, body->dan);
- ieee802_1x_cp_signal_newsak(participant->kay->cp);
- ieee802_1x_cp_sm_step(participant->kay->cp);
+ ieee802_1x_cp_set_ciphersuite(kay->cp,
+ cipher_suite_tbl[kay->macsec_csindex].id);
+ ieee802_1x_cp_sm_step(kay->cp);
+ ieee802_1x_cp_set_offset(kay->cp, body->confid_offset);
+ ieee802_1x_cp_sm_step(kay->cp);
+ ieee802_1x_cp_set_distributedki(kay->cp, &sak_ki);
+ ieee802_1x_cp_set_distributedan(kay->cp, body->dan);
+ ieee802_1x_cp_signal_newsak(kay->cp);
+ ieee802_1x_cp_sm_step(kay->cp);
participant->to_use_sak = TRUE;
@@ -1845,77 +1811,87 @@ static int ieee802_1x_mka_decode_announce_body(
}
+struct mka_param_body_handler {
+ int (*body_tx)(struct ieee802_1x_mka_participant *participant,
+ struct wpabuf *buf);
+ int (*body_rx)(struct ieee802_1x_mka_participant *participant,
+ const u8 *mka_msg, size_t msg_len);
+ int (*body_length)(struct ieee802_1x_mka_participant *participant);
+ Boolean (*body_present)(struct ieee802_1x_mka_participant *participant);
+};
+
+
static struct mka_param_body_handler mka_body_handler[] = {
/* basic parameter set */
{
- ieee802_1x_mka_encode_basic_body,
- NULL,
- ieee802_1x_mka_basic_body_length,
- ieee802_1x_mka_basic_body_present
+ .body_tx = ieee802_1x_mka_encode_basic_body,
+ .body_rx = NULL,
+ .body_length = ieee802_1x_mka_basic_body_length,
+ .body_present = ieee802_1x_mka_basic_body_present
},
/* live peer list parameter set */
{
- ieee802_1x_mka_encode_live_peer_body,
- ieee802_1x_mka_decode_live_peer_body,
- ieee802_1x_mka_get_live_peer_length,
- ieee802_1x_mka_live_peer_body_present
+ .body_tx = ieee802_1x_mka_encode_live_peer_body,
+ .body_rx = ieee802_1x_mka_decode_live_peer_body,
+ .body_length = ieee802_1x_mka_get_live_peer_length,
+ .body_present = ieee802_1x_mka_live_peer_body_present
},
/* potential peer list parameter set */
{
- ieee802_1x_mka_encode_potential_peer_body,
- ieee802_1x_mka_decode_potential_peer_body,
- ieee802_1x_mka_get_potential_peer_length,
- ieee802_1x_mka_potential_peer_body_present
+ .body_tx = ieee802_1x_mka_encode_potential_peer_body,
+ .body_rx = ieee802_1x_mka_decode_potential_peer_body,
+ .body_length = ieee802_1x_mka_get_potential_peer_length,
+ .body_present = ieee802_1x_mka_potential_peer_body_present
},
/* sak use parameter set */
{
- ieee802_1x_mka_encode_sak_use_body,
- ieee802_1x_mka_decode_sak_use_body,
- ieee802_1x_mka_get_sak_use_length,
- ieee802_1x_mka_sak_use_body_present
+ .body_tx = ieee802_1x_mka_encode_sak_use_body,
+ .body_rx = ieee802_1x_mka_decode_sak_use_body,
+ .body_length = ieee802_1x_mka_get_sak_use_length,
+ .body_present = ieee802_1x_mka_sak_use_body_present
},
/* distribute sak parameter set */
{
- ieee802_1x_mka_encode_dist_sak_body,
- ieee802_1x_mka_decode_dist_sak_body,
- ieee802_1x_mka_get_dist_sak_length,
- ieee802_1x_mka_dist_sak_body_present
+ .body_tx = ieee802_1x_mka_encode_dist_sak_body,
+ .body_rx = ieee802_1x_mka_decode_dist_sak_body,
+ .body_length = ieee802_1x_mka_get_dist_sak_length,
+ .body_present = ieee802_1x_mka_dist_sak_body_present
},
/* distribute cak parameter set */
{
- NULL,
- ieee802_1x_mka_decode_dist_cak_body,
- NULL,
- NULL
+ .body_tx = NULL,
+ .body_rx = ieee802_1x_mka_decode_dist_cak_body,
+ .body_length = NULL,
+ .body_present = NULL
},
/* kmd parameter set */
{
- NULL,
- ieee802_1x_mka_decode_kmd_body,
- NULL,
- NULL
+ .body_tx = NULL,
+ .body_rx = ieee802_1x_mka_decode_kmd_body,
+ .body_length = NULL,
+ .body_present = NULL
},
/* announce parameter set */
{
- NULL,
- ieee802_1x_mka_decode_announce_body,
- NULL,
- NULL
+ .body_tx = NULL,
+ .body_rx = ieee802_1x_mka_decode_announce_body,
+ .body_length = NULL,
+ .body_present = NULL
},
/* icv parameter set */
{
- ieee802_1x_mka_encode_icv_body,
- NULL,
- ieee802_1x_mka_get_icv_length,
- ieee802_1x_mka_icv_body_present
+ .body_tx = ieee802_1x_mka_encode_icv_body,
+ .body_rx = NULL,
+ .body_length = ieee802_1x_mka_get_icv_length,
+ .body_present = ieee802_1x_mka_icv_body_present
},
};
@@ -2067,12 +2043,12 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
struct ieee802_1x_kay_peer, list)
peer->sak_used = FALSE;
- participant->kay->dist_kn++;
- participant->kay->dist_an++;
- if (participant->kay->dist_an > 3)
- participant->kay->dist_an = 0;
+ kay->dist_kn++;
+ kay->dist_an++;
+ if (kay->dist_an > 3)
+ kay->dist_an = 0;
- participant->kay->dist_time = time(NULL);
+ kay->dist_time = time(NULL);
os_free(conf->key);
os_free(conf);
@@ -2081,6 +2057,16 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
}
+static int compare_priorities(struct ieee802_1x_kay_peer *peer, struct ieee802_1x_kay_peer *other)
+{
+ if (peer->key_server_priority < other->key_server_priority)
+ return -1;
+ if (other->key_server_priority < peer->key_server_priority)
+ return 1;
+
+ return memcmp(peer->sci.addr, other->sci.addr, ETH_ALEN);
+}
+
/**
* ieee802_1x_kay_elect_key_server - elect the key server
* when to elect: whenever the live peers list changes
@@ -2111,29 +2097,19 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant)
continue;
}
- if (peer->key_server_priority <
- key_server->key_server_priority) {
+ if (compare_priorities(peer, key_server) < 0)
key_server = peer;
- } else if (peer->key_server_priority ==
- key_server->key_server_priority) {
- if (os_memcmp(peer->sci.addr, key_server->sci.addr,
- ETH_ALEN) < 0)
- key_server = peer;
- }
}
/* elect the key server between me and the above elected peer */
i_is_key_server = FALSE;
if (key_server && participant->can_be_key_server) {
- if (kay->actor_priority
- < key_server->key_server_priority) {
+ struct ieee802_1x_kay_peer tmp;
+
+ tmp.key_server_priority = kay->actor_priority;
+ os_memcpy(&tmp.sci, &kay->actor_sci, sizeof(tmp.sci));
+ if (compare_priorities(&tmp, key_server) < 0)
i_is_key_server = TRUE;
- } else if (kay->actor_priority
- == key_server->key_server_priority) {
- if (os_memcmp(kay->actor_sci.addr, key_server->sci.addr,
- ETH_ALEN) < 0)
- i_is_key_server = TRUE;
- }
} else if (participant->can_be_key_server) {
i_is_key_server = TRUE;
}
@@ -2349,27 +2325,16 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
participant = (struct ieee802_1x_mka_participant *)eloop_ctx;
kay = participant->kay;
if (participant->cak_life) {
- if (now > participant->cak_life) {
- kay->authenticated = FALSE;
- kay->secured = FALSE;
- kay->failed = TRUE;
- ieee802_1x_kay_delete_mka(kay, &participant->ckn);
- return;
- }
+ if (now > participant->cak_life)
+ goto delete_mka;
}
/* should delete MKA instance if there are not live peers
* when the MKA life elapsed since its creating */
if (participant->mka_life) {
if (dl_list_empty(&participant->live_peers)) {
- if (now > participant->mka_life) {
- kay->authenticated = FALSE;
- kay->secured = FALSE;
- kay->failed = TRUE;
- ieee802_1x_kay_delete_mka(kay,
- &participant->ckn);
- return;
- }
+ if (now > participant->mka_life)
+ goto delete_mka;
} else {
participant->mka_life = 0;
}
@@ -2457,6 +2422,14 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
eloop_register_timeout(MKA_HELLO_TIME / 1000, 0,
ieee802_1x_participant_timer,
participant, NULL);
+
+ return;
+
+delete_mka:
+ kay->authenticated = FALSE;
+ kay->secured = FALSE;
+ kay->failed = TRUE;
+ ieee802_1x_kay_delete_mka(kay, &participant->ckn);
}
@@ -2884,13 +2857,13 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
return -1;
}
- /* MKPDU should not less than 32 octets */
+ /* MKPDU should not be less than 32 octets */
mka_msg_len = be_to_host16(eapol_hdr->length);
if (mka_msg_len < 32) {
wpa_printf(MSG_MSGDUMP, "KaY: MKPDU is less than 32 octets");
return -1;
}
- /* MKPDU should multiple 4 octets */
+ /* MKPDU should be a multiple of 4 octets */
if ((mka_msg_len % 4) != 0) {
wpa_printf(MSG_MSGDUMP,
"KaY: MKPDU is not multiple of 4 octets");
@@ -2939,19 +2912,17 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
msg_icv = ieee802_1x_mka_decode_icv_body(participant, (u8 *) mka_hdr,
mka_msg_len);
- if (msg_icv) {
- if (os_memcmp_const(msg_icv, icv,
- mka_alg_tbl[kay->mka_algindex].icv_len) !=
- 0) {
- wpa_printf(MSG_ERROR,
- "KaY: Computed ICV is not equal to Received ICV");
- return -1;
- }
- } else {
+ if (!msg_icv) {
wpa_printf(MSG_ERROR, "KaY: No ICV");
return -1;
}
+ if (os_memcmp_const(msg_icv, icv,
+ mka_alg_tbl[kay->mka_algindex].icv_len) != 0) {
+ wpa_printf(MSG_ERROR, "KaY: Computed ICV is not equal to Received ICV");
+ return -1;
+ }
+
return 0;
}
@@ -2991,31 +2962,23 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
/* check i am in the peer's peer list */
my_included = ieee802_1x_mka_i_in_peerlist(participant, pos, left_len);
- if (my_included) {
+ if (my_included && !ieee802_1x_kay_is_in_live_peer(participant,
+ participant->current_peer_id.mi)) {
/* accept the peer as live peer */
- if (!ieee802_1x_kay_is_in_peer(
- participant,
- participant->current_peer_id.mi)) {
- if (!ieee802_1x_kay_create_live_peer(
- participant,
- participant->current_peer_id.mi,
- be_to_host32(
- participant->current_peer_id.mn)))
+ if (ieee802_1x_kay_is_in_potential_peer(participant,
+ participant->current_peer_id.mi)) {
+ if (!ieee802_1x_kay_move_live_peer(participant,
+ participant->current_peer_id.mi,
+ be_to_host32(participant->current_peer_id.mn)))
return -1;
- ieee802_1x_kay_elect_key_server(participant);
- ieee802_1x_kay_decide_macsec_use(participant);
- }
- if (ieee802_1x_kay_is_in_potential_peer(
- participant, participant->current_peer_id.mi)) {
- if (!ieee802_1x_kay_move_live_peer(
- participant,
- participant->current_peer_id.mi,
- be_to_host32(participant->
- current_peer_id.mn)))
+ } else if (!ieee802_1x_kay_create_live_peer(participant,
+ participant->current_peer_id.mi,
+ be_to_host32(participant->current_peer_id.mn))) {
return -1;
- ieee802_1x_kay_elect_key_server(participant);
- ieee802_1x_kay_decide_macsec_use(participant);
}
+
+ ieee802_1x_kay_elect_key_server(participant);
+ ieee802_1x_kay_decide_macsec_use(participant);
}
/*
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index ea15335fa3db..763be68d585a 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -48,8 +48,6 @@ struct mka_key_name {
enum mka_created_mode {
PSK,
EAP_EXCHANGE,
- DISTRIBUTED,
- CACHED,
};
struct ieee802_1x_kay_ctx {
@@ -61,7 +59,7 @@ struct ieee802_1x_kay_ctx {
int (*macsec_deinit)(void *ctx);
int (*enable_protect_frames)(void *ctx, Boolean enabled);
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
- int (*set_current_cipher_suite)(void *ctx, const u8 *cs, size_t cs_len);
+ int (*set_current_cipher_suite)(void *ctx, const u8 *cs);
int (*enable_controlled_port)(void *ctx, Boolean enabled);
int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
u32 *lowest_pn);
diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c
index fbe05dc35d7c..8a6f05ae6ba1 100644
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -66,7 +66,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
- const u8 *cs, size_t cs_len)
+ const u8 *cs)
{
struct ieee802_1x_kay_ctx *ops;
@@ -82,7 +82,7 @@ int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
return -1;
}
- return ops->set_current_cipher_suite(ops->ctx, cs, cs_len);
+ return ops->set_current_cipher_suite(ops->ctx, cs);
}
diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h
index 295b823a9d7f..c9fd33f545e8 100644
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -27,7 +27,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
- const u8 *cs, size_t cs_len);
+ const u8 *cs);
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
enum confidentiality_offset co);
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index 7a16b7aa39c1..63b225a1911b 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -733,12 +733,11 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
- const u8 *cs, size_t cs_len)
+ const u8 *cs)
{
if (!wpa_s->driver->set_current_cipher_suite)
return -1;
- return wpa_s->driver->set_current_cipher_suite(wpa_s->drv_priv, cs,
- cs_len);
+ return wpa_s->driver->set_current_cipher_suite(wpa_s->drv_priv, cs);
}
static inline int wpa_drv_enable_controlled_port(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 788710a94da2..21a201092f90 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -50,10 +50,9 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
}
-static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs,
- size_t cs_len)
+static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs)
{
- return wpa_drv_set_current_cipher_suite(wpa_s, cs, cs_len);
+ return wpa_drv_set_current_cipher_suite(wpa_s, cs);
}
--
2.9.2
More information about the Hostap
mailing list