2 * IEEE 802.1X-2010 KaY Interface
3 * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
8 #include <openssl/ssl.h>
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "eap_peer/eap.h"
13 #include "eap_peer/eap_i.h"
14 #include "eapol_supp/eapol_supp_sm.h"
15 #include "pae/ieee802_1x_key.h"
16 #include "pae/ieee802_1x_kay.h"
17 #include "wpa_supplicant_i.h"
19 #include "config_ssid.h"
24 #define DEFAULT_KEY_LEN 16
25 /* secure Connectivity Association Key Name (CKN) */
26 #define DEFAULT_CKN_LEN 16
29 static int wpas_macsec_init(void *priv, struct macsec_init_params *params)
31 return wpa_drv_macsec_init(priv, params);
35 static int wpas_macsec_deinit(void *priv)
37 return wpa_drv_macsec_deinit(priv);
41 static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
43 return wpa_drv_enable_protect_frames(wpa_s, enabled);
47 static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
49 return wpa_drv_set_replay_protect(wpa_s, enabled, window);
53 static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs,
56 return wpa_drv_set_current_cipher_suite(wpa_s, cs, cs_len);
60 static int wpas_enable_controlled_port(void *wpa_s, Boolean enabled)
62 return wpa_drv_enable_controlled_port(wpa_s, enabled);
66 static int wpas_get_receive_lowest_pn(void *wpa_s, u32 channel,
67 u8 an, u32 *lowest_pn)
69 return wpa_drv_get_receive_lowest_pn(wpa_s, channel, an, lowest_pn);
73 static int wpas_get_transmit_next_pn(void *wpa_s, u32 channel,
76 return wpa_drv_get_transmit_next_pn(wpa_s, channel, an, next_pn);
80 static int wpas_set_transmit_next_pn(void *wpa_s, u32 channel,
83 return wpa_drv_set_transmit_next_pn(wpa_s, channel, an, next_pn);
87 static int wpas_get_available_receive_sc(void *wpa_s, u32 *channel)
89 return wpa_drv_get_available_receive_sc(wpa_s, channel);
93 static unsigned int conf_offset_val(enum confidentiality_offset co)
96 case CONFIDENTIALITY_OFFSET_30:
99 case CONFIDENTIALITY_OFFSET_50:
107 static int wpas_create_receive_sc(void *wpa_s, u32 channel,
108 struct ieee802_1x_mka_sci *sci,
109 enum validate_frames vf,
110 enum confidentiality_offset co)
112 return wpa_drv_create_receive_sc(wpa_s, channel, sci->addr,
113 be_to_host16(sci->port),
114 conf_offset_val(co), vf);
118 static int wpas_delete_receive_sc(void *wpa_s, u32 channel)
120 return wpa_drv_delete_receive_sc(wpa_s, channel);
124 static int wpas_create_receive_sa(void *wpa_s, u32 channel, u8 an,
125 u32 lowest_pn, const u8 *sak)
127 return wpa_drv_create_receive_sa(wpa_s, channel, an, lowest_pn, sak);
131 static int wpas_enable_receive_sa(void *wpa_s, u32 channel, u8 an)
133 return wpa_drv_enable_receive_sa(wpa_s, channel, an);
137 static int wpas_disable_receive_sa(void *wpa_s, u32 channel, u8 an)
139 return wpa_drv_disable_receive_sa(wpa_s, channel, an);
143 static int wpas_get_available_transmit_sc(void *wpa_s, u32 *channel)
145 return wpa_drv_get_available_transmit_sc(wpa_s, channel);
150 wpas_create_transmit_sc(void *wpa_s, u32 channel,
151 const struct ieee802_1x_mka_sci *sci,
152 enum confidentiality_offset co)
154 return wpa_drv_create_transmit_sc(wpa_s, channel, sci->addr,
155 be_to_host16(sci->port),
156 conf_offset_val(co));
160 static int wpas_delete_transmit_sc(void *wpa_s, u32 channel)
162 return wpa_drv_delete_transmit_sc(wpa_s, channel);
166 static int wpas_create_transmit_sa(void *wpa_s, u32 channel, u8 an,
167 u32 next_pn, Boolean confidentiality,
170 return wpa_drv_create_transmit_sa(wpa_s, channel, an, next_pn,
171 confidentiality, sak);
175 static int wpas_enable_transmit_sa(void *wpa_s, u32 channel, u8 an)
177 return wpa_drv_enable_transmit_sa(wpa_s, channel, an);
181 static int wpas_disable_transmit_sa(void *wpa_s, u32 channel, u8 an)
183 return wpa_drv_disable_transmit_sa(wpa_s, channel, an);
187 int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
189 struct ieee802_1x_kay_ctx *kay_ctx;
190 struct ieee802_1x_kay *res = NULL;
191 enum macsec_policy policy;
193 ieee802_1x_dealloc_kay_sm(wpa_s);
195 if (!ssid || ssid->macsec_policy == 0)
198 policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
200 kay_ctx = os_zalloc(sizeof(*kay_ctx));
204 kay_ctx->ctx = wpa_s;
206 kay_ctx->macsec_init = wpas_macsec_init;
207 kay_ctx->macsec_deinit = wpas_macsec_deinit;
208 kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
209 kay_ctx->set_replay_protect = wpas_set_replay_protect;
210 kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
211 kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
212 kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
213 kay_ctx->get_transmit_next_pn = wpas_get_transmit_next_pn;
214 kay_ctx->set_transmit_next_pn = wpas_set_transmit_next_pn;
215 kay_ctx->get_available_receive_sc = wpas_get_available_receive_sc;
216 kay_ctx->create_receive_sc = wpas_create_receive_sc;
217 kay_ctx->delete_receive_sc = wpas_delete_receive_sc;
218 kay_ctx->create_receive_sa = wpas_create_receive_sa;
219 kay_ctx->enable_receive_sa = wpas_enable_receive_sa;
220 kay_ctx->disable_receive_sa = wpas_disable_receive_sa;
221 kay_ctx->get_available_transmit_sc = wpas_get_available_transmit_sc;
222 kay_ctx->create_transmit_sc = wpas_create_transmit_sc;
223 kay_ctx->delete_transmit_sc = wpas_delete_transmit_sc;
224 kay_ctx->create_transmit_sa = wpas_create_transmit_sa;
225 kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
226 kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
228 res = ieee802_1x_kay_init(kay_ctx, policy, wpa_s->ifname,
241 void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
246 ieee802_1x_kay_deinit(wpa_s->kay);
251 static int ieee802_1x_auth_get_session_id(struct wpa_supplicant *wpa_s,
252 const u8 *addr, u8 *sid, size_t *len)
254 const u8 *session_id;
255 size_t id_len, need_len;
257 session_id = eapol_sm_get_session_id(wpa_s->eapol, &id_len);
258 if (session_id == NULL) {
259 wpa_printf(MSG_DEBUG,
260 "Failed to get SessionID from EAPOL state machines");
264 need_len = 1 + 2 * SSL3_RANDOM_SIZE;
265 if (need_len > id_len) {
266 wpa_printf(MSG_DEBUG, "EAP Session-Id not long enough");
270 os_memcpy(sid, session_id, need_len);
277 static int ieee802_1x_auth_get_msk(struct wpa_supplicant *wpa_s, const u8 *addr,
278 u8 *msk, size_t *len)
289 keylen = EAP_MSK_LEN;
290 res = eapol_sm_get_key(sm, key, keylen);
292 wpa_printf(MSG_DEBUG,
293 "Failed to get MSK from EAPOL state machines");
299 os_memcpy(msk, key, keylen);
306 void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
310 size_t sid_len = 128;
311 struct mka_key_name *ckn;
316 if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
319 wpa_printf(MSG_DEBUG,
320 "IEEE 802.1X: External notification - Create MKA for "
321 MACSTR, MAC2STR(peer_addr));
323 msk = os_zalloc(sizeof(*msk));
324 sid = os_zalloc(sid_len);
325 ckn = os_zalloc(sizeof(*ckn));
326 cak = os_zalloc(sizeof(*cak));
327 if (!msk || !sid || !ckn || !cak)
330 msk->len = DEFAULT_KEY_LEN;
331 if (ieee802_1x_auth_get_msk(wpa_s, wpa_s->bssid, msk->key, &msk->len)) {
332 wpa_printf(MSG_ERROR, "IEEE 802.1X: Could not get MSK");
336 if (ieee802_1x_auth_get_session_id(wpa_s, wpa_s->bssid, sid, &sid_len))
338 wpa_printf(MSG_ERROR,
339 "IEEE 802.1X: Could not get EAP Session Id");
343 /* Derive CAK from MSK */
344 cak->len = DEFAULT_KEY_LEN;
345 if (ieee802_1x_cak_128bits_aes_cmac(msk->key, wpa_s->own_addr,
346 peer_addr, cak->key)) {
347 wpa_printf(MSG_ERROR,
348 "IEEE 802.1X: Deriving CAK failed");
351 wpa_hexdump_key(MSG_DEBUG, "Derived CAK", cak->key, cak->len);
353 /* Derive CKN from MSK */
354 ckn->len = DEFAULT_CKN_LEN;
355 if (ieee802_1x_ckn_128bits_aes_cmac(msk->key, wpa_s->own_addr,
356 peer_addr, sid, sid_len,
358 wpa_printf(MSG_ERROR,
359 "IEEE 802.1X: Deriving CKN failed");
362 wpa_hexdump(MSG_DEBUG, "Derived CKN", ckn->name, ckn->len);
364 res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0,
365 EAP_EXCHANGE, FALSE);
369 os_memset(msk, 0, sizeof(*msk));
375 os_memset(cak, 0, sizeof(*cak));