#define IEEE802_1X_DEFS_H
#define CS_ID_LEN 8
-#define CS_ID_GCM_AES_128 {0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01}
+#define CS_ID_GCM_AES_128 0x0080020001000001ULL
#define CS_NAME_GCM_AES_128 "GCM-AES-128"
enum macsec_policy {
* @cs: EUI64 identifier
* Returns: 0 on success, -1 on failure (or if not supported)
*/
- int (*set_current_cipher_suite)(void *priv, const u8 *cs);
+ int (*set_current_cipher_suite)(void *priv, u64 cs);
/**
* enable_controlled_port - Set controlled port status
#include "includes.h"
#include <sys/ioctl.h>
#include <net/if.h>
+#include <inttypes.h>
#ifdef __linux__
#include <netpacket/packet.h>
#include <net/if_arp.h>
}
-static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs)
+static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
{
- u8 default_cs_id[] = CS_ID_GCM_AES_128;
-
- if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) {
- wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite",
- cs, CS_ID_LEN);
+ if (cs != CS_ID_GCM_AES_128) {
+ wpa_printf(MSG_ERROR,
+ "%s: NOT supported CipherSuite: %016" PRIx64,
+ __func__, cs);
return -1;
}
#define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
#define STATE_MACHINE_DEBUG_PREFIX "CP"
-static u8 default_cs_id[] = CS_ID_GCM_AES_128;
+static u64 default_cs_id = CS_ID_GCM_AES_128;
/* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
Boolean elected_self;
u8 *authorization_data1;
enum confidentiality_offset cipher_offset;
- u8 *cipher_suite;
+ u64 cipher_suite;
Boolean new_sak; /* clear by CP */
struct ieee802_1x_mka_ki distributed_ki;
u8 distributed_an;
Boolean replay_protect;
u32 replay_window;
- u8 *current_cipher_suite;
+ u64 current_cipher_suite;
enum confidentiality_offset confidentiality_offset;
Boolean controlled_port_enabled;
static int changed_cipher(struct ieee802_1x_cp_sm *sm)
{
return sm->confidentiality_offset != sm->cipher_offset ||
- os_memcmp(sm->current_cipher_suite, sm->cipher_suite,
- CS_ID_LEN) != 0;
+ sm->current_cipher_suite != sm->cipher_suite;
}
sm->replay_protect = conf.replay_protect;
sm->validate_frames = conf.validate;
- /* NOTE: now no other than default cipher suiter(AES-GCM-128) */
- os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
+ /* NOTE: now no other than default cipher suite (AES-GCM-128) */
+ sm->current_cipher_suite = sm->cipher_suite;
secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
sm->confidentiality_offset = sm->cipher_offset;
sm->orx = FALSE;
sm->otx = FALSE;
- sm->cipher_suite = os_zalloc(CS_ID_LEN);
- sm->current_cipher_suite = os_zalloc(CS_ID_LEN);
- if (!sm->cipher_suite || !sm->current_cipher_suite) {
- wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
- os_free(sm->cipher_suite);
- os_free(sm->current_cipher_suite);
- os_free(sm);
- return NULL;
- }
- os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
- os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
+ sm->current_cipher_suite = default_cs_id;
+ sm->cipher_suite = default_cs_id;
sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
sm->confidentiality_offset = sm->cipher_offset;
sm->transmit_delay = MKA_LIFE_TIME;
eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
os_free(sm->lki);
os_free(sm->oki);
- os_free(sm->cipher_suite);
- os_free(sm->current_cipher_suite);
os_free(sm->authorization_data);
os_free(sm);
}
/**
* ieee802_1x_cp_set_ciphersuite -
*/
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid)
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
{
struct ieee802_1x_cp_sm *sm = cp_ctx;
- os_memcpy(sm->cipher_suite, pid, CS_ID_LEN);
+ sm->cipher_suite = cs;
}
void ieee802_1x_cp_signal_chgdserver(void *cp_ctx);
void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status);
void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len);
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid);
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs);
void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset);
void ieee802_1x_cp_signal_newsak(void *cp_ctx);
void ieee802_1x_cp_set_distributedki(void *cp_ctx,
*/
static struct macsec_ciphersuite *
ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
- u8 *cs_id)
+ const u8 *cs_id)
{
unsigned int i;
+ u64 cs;
+ be64 _cs;
+
+ os_memcpy(&_cs, cs_id, CS_ID_LEN);
+ cs = be_to_host64(_cs);
for (i = 0; i < CS_TABLE_SIZE; i++) {
- if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0)
+ if (cipher_suite_tbl[i].id == cs)
return &cipher_suite_tbl[i];
}
cs_index = participant->kay->macsec_csindex;
sak_pos = 0;
if (cs_index != DEFAULT_CS_INDEX) {
- os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
+ be64 cs;
+
+ cs = host_to_be64(cipher_suite_tbl[cs_index].id);
+ os_memcpy(body->sak, &cs, CS_ID_LEN);
sak_pos = CS_ID_LEN;
}
if (aes_wrap(participant->kek.key, 16,
int (*macsec_deinit)(void *ctx);
int (*enable_protect_frames)(void *ctx, Boolean enabled);
int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
- int (*set_current_cipher_suite)(void *ctx, const u8 *cs);
+ int (*set_current_cipher_suite)(void *ctx, u64 cs);
int (*enable_controlled_port)(void *ctx, Boolean enabled);
int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
u32 *lowest_pn);
};
struct macsec_ciphersuite {
- u8 id[CS_ID_LEN];
+ u64 id;
char name[32];
enum macsec_cap capable;
int sak_len; /* unit: byte */
}
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
- const u8 *cs)
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
{
struct ieee802_1x_kay_ctx *ops;
enum validate_frames vf);
int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
- const u8 *cs);
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
enum confidentiality_offset co);
int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);
}
static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
- const u8 *cs)
+ u64 cs)
{
if (!wpa_s->driver->set_current_cipher_suite)
return -1;
}
-static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs)
+static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs)
{
return wpa_drv_set_current_cipher_suite(wpa_s, cs);
}