/**
- * ieee802_1x_kay_is_in_peer
- */
-static Boolean
-ieee802_1x_kay_is_in_peer(struct ieee802_1x_mka_participant *participant,
- const u8 *mi)
-{
- return ieee802_1x_kay_is_in_live_peer(participant, mi) ||
- ieee802_1x_kay_is_in_potential_peer(participant, mi);
-}
-
-
-/**
* ieee802_1x_kay_get_peer
*/
static struct ieee802_1x_kay_peer *
*/
static struct macsec_ciphersuite *
ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
- u8 *cs_id)
+ const u8 *cs_id)
{
unsigned int i;
+ u64 cs;
+ be64 _cs;
+
+ os_memcpy(&_cs, cs_id, CS_ID_LEN);
+ cs = be_to_host64(_cs);
for (i = 0; i < CS_TABLE_SIZE; i++) {
- if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0)
+ if (cipher_suite_tbl[i].id == cs)
return &cipher_suite_tbl[i];
}
ieee802_1x_mka_dist_sak_body_present(
struct ieee802_1x_mka_participant *participant)
{
- if (!participant->to_dist_sak || !participant->new_key)
- return FALSE;
-
- return TRUE;
+ return participant->to_dist_sak && participant->new_key;
}
struct ieee802_1x_mka_participant *participant)
{
int length = MKA_HDR_LEN;
- int cs_index = participant->kay->macsec_csindex;
+ unsigned int cs_index = participant->kay->macsec_csindex;
if (participant->advised_desired) {
length = sizeof(struct ieee802_1x_mka_dist_sak_body);
struct ieee802_1x_mka_dist_sak_body *body;
struct data_key *sak;
unsigned int length;
- int cs_index;
+ unsigned int cs_index;
int sak_pos;
length = ieee802_1x_mka_get_dist_sak_length(participant);
cs_index = participant->kay->macsec_csindex;
sak_pos = 0;
if (cs_index != DEFAULT_CS_INDEX) {
- os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
+ be64 cs;
+
+ cs = host_to_be64(cipher_suite_tbl[cs_index].id);
+ os_memcpy(body->sak, &cs, CS_ID_LEN);
sak_pos = CS_ID_LEN;
}
if (aes_wrap(participant->kek.key, 16,
}
+static int compare_priorities(const struct ieee802_1x_kay_peer *peer,
+ const struct ieee802_1x_kay_peer *other)
+{
+ if (peer->key_server_priority < other->key_server_priority)
+ return -1;
+ if (other->key_server_priority < peer->key_server_priority)
+ return 1;
+
+ return os_memcmp(peer->sci.addr, other->sci.addr, ETH_ALEN);
+}
+
+
/**
* ieee802_1x_kay_elect_key_server - elect the key server
* when to elect: whenever the live peers list changes
continue;
}
- if (peer->key_server_priority <
- key_server->key_server_priority) {
+ if (compare_priorities(peer, key_server) < 0)
key_server = peer;
- } else if (peer->key_server_priority ==
- key_server->key_server_priority) {
- if (os_memcmp(peer->sci.addr, key_server->sci.addr,
- ETH_ALEN) < 0)
- key_server = peer;
- }
}
/* elect the key server between me and the above elected peer */
i_is_key_server = FALSE;
if (key_server && participant->can_be_key_server) {
- if (kay->actor_priority
- < key_server->key_server_priority) {
+ struct ieee802_1x_kay_peer tmp;
+
+ tmp.key_server_priority = kay->actor_priority;
+ os_memcpy(&tmp.sci, &kay->actor_sci, sizeof(tmp.sci));
+ if (compare_priorities(&tmp, key_server) < 0)
i_is_key_server = TRUE;
- } else if (kay->actor_priority
- == key_server->key_server_priority) {
- if (os_memcmp(kay->actor_sci.addr, key_server->sci.addr,
- ETH_ALEN) < 0)
- i_is_key_server = TRUE;
- }
} else if (participant->can_be_key_server) {
i_is_key_server = TRUE;
}
participant = (struct ieee802_1x_mka_participant *)eloop_ctx;
kay = participant->kay;
if (participant->cak_life) {
- if (now > participant->cak_life) {
- kay->authenticated = FALSE;
- kay->secured = FALSE;
- kay->failed = TRUE;
- ieee802_1x_kay_delete_mka(kay, &participant->ckn);
- return;
- }
+ if (now > participant->cak_life)
+ goto delete_mka;
}
/* should delete MKA instance if there are not live peers
* when the MKA life elapsed since its creating */
if (participant->mka_life) {
if (dl_list_empty(&participant->live_peers)) {
- if (now > participant->mka_life) {
- kay->authenticated = FALSE;
- kay->secured = FALSE;
- kay->failed = TRUE;
- ieee802_1x_kay_delete_mka(kay,
- &participant->ckn);
- return;
- }
+ if (now > participant->mka_life)
+ goto delete_mka;
} else {
participant->mka_life = 0;
}
eloop_register_timeout(MKA_HELLO_TIME / 1000, 0,
ieee802_1x_participant_timer,
participant, NULL);
+
+ return;
+
+delete_mka:
+ kay->authenticated = FALSE;
+ kay->secured = FALSE;
+ kay->failed = TRUE;
+ ieee802_1x_kay_delete_mka(kay, &participant->ckn);
}
/**
- * ieee802_1x_kay_cp_conf -
- */
-int ieee802_1x_kay_cp_conf(struct ieee802_1x_kay *kay,
- struct ieee802_1x_cp_conf *pconf)
-{
- pconf->protect = kay->macsec_protect;
- pconf->replay_protect = kay->macsec_replay_protect;
- pconf->validate = kay->macsec_validate;
-
- return 0;
-}
-
-
-/**
- * ieee802_1x_kay_alloc_cp_sm -
- */
-static struct ieee802_1x_cp_sm *
-ieee802_1x_kay_alloc_cp_sm(struct ieee802_1x_kay *kay)
-{
- struct ieee802_1x_cp_conf conf;
-
- os_memset(&conf, 0, sizeof(conf));
- conf.protect = kay->macsec_protect;
- conf.replay_protect = kay->macsec_replay_protect;
- conf.validate = kay->macsec_validate;
- conf.replay_window = kay->macsec_replay_window;
-
- return ieee802_1x_cp_sm_init(kay, &conf);
-}
-
-
-/**
* ieee802_1x_kay_mkpdu_sanity_check -
* sanity check specified in clause 11.11.2 of IEEE802.1X-2010
*/
wpa_printf(MSG_ERROR, "KaY: omac1_aes_128 failed");
return -1;
}
+
msg_icv = ieee802_1x_mka_decode_icv_body(participant, (u8 *) mka_hdr,
mka_msg_len);
-
- if (msg_icv) {
- if (os_memcmp_const(msg_icv, icv,
- mka_alg_tbl[kay->mka_algindex].icv_len) !=
- 0) {
- wpa_printf(MSG_ERROR,
- "KaY: Computed ICV is not equal to Received ICV");
- return -1;
- }
- } else {
+ if (!msg_icv) {
wpa_printf(MSG_ERROR, "KaY: No ICV");
return -1;
}
+ if (os_memcmp_const(msg_icv, icv,
+ mka_alg_tbl[kay->mka_algindex].icv_len) != 0) {
+ wpa_printf(MSG_ERROR,
+ "KaY: Computed ICV is not equal to Received ICV");
+ return -1;
+ }
return 0;
}
u8 body_type;
int i;
const u8 *pos;
- Boolean my_included;
Boolean handled[256];
if (ieee802_1x_kay_mkpdu_sanity_check(kay, buf, len))
left_len -= body_len + MKA_HDR_LEN;
/* check i am in the peer's peer list */
- my_included = ieee802_1x_mka_i_in_peerlist(participant, pos, left_len);
- if (my_included) {
+ if (ieee802_1x_mka_i_in_peerlist(participant, pos, left_len) &&
+ !ieee802_1x_kay_is_in_live_peer(participant,
+ participant->current_peer_id.mi)) {
/* accept the peer as live peer */
- if (!ieee802_1x_kay_is_in_peer(
- participant,
- participant->current_peer_id.mi)) {
- if (!ieee802_1x_kay_create_live_peer(
- participant,
- participant->current_peer_id.mi,
- be_to_host32(
- participant->current_peer_id.mn)))
- return -1;
- ieee802_1x_kay_elect_key_server(participant);
- ieee802_1x_kay_decide_macsec_use(participant);
- }
if (ieee802_1x_kay_is_in_potential_peer(
participant, participant->current_peer_id.mi)) {
if (!ieee802_1x_kay_move_live_peer(
be_to_host32(participant->
current_peer_id.mn)))
return -1;
- ieee802_1x_kay_elect_key_server(participant);
- ieee802_1x_kay_decide_macsec_use(participant);
+ } else if (!ieee802_1x_kay_create_live_peer(
+ participant, participant->current_peer_id.mi,
+ be_to_host32(participant->
+ current_peer_id.mn))) {
+ return -1;
}
+
+ ieee802_1x_kay_elect_key_server(participant);
+ ieee802_1x_kay_decide_macsec_use(participant);
}
/*
wpa_printf(MSG_DEBUG, "KaY: secy init macsec done");
/* init CP */
- kay->cp = ieee802_1x_kay_alloc_cp_sm(kay);
+ kay->cp = ieee802_1x_cp_sm_init(kay);
if (kay->cp == NULL) {
ieee802_1x_kay_deinit(kay);
return NULL;
* ieee802_1x_kay_change_cipher_suite -
*/
int
-ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay, int cs_index)
+ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
+ unsigned int cs_index)
{
struct ieee802_1x_mka_participant *participant;
if (!kay)
return -1;
- if ((unsigned int) cs_index >= CS_TABLE_SIZE) {
+ if (cs_index >= CS_TABLE_SIZE) {
wpa_printf(MSG_ERROR,
"KaY: Configured cipher suite index is out of range");
return -1;