authorJouni Malinen <j@w1.fi>2018-12-26 10:27:39 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-26 14:44:58 (GMT)
commit871439b5d5079ec88d60cc23c30d44138271bec0 (patch)
tree87f02f9fcad9818af44106ede975f12fc9fb29d3 /wpa_supplicant
parent7a29984888f80e6c92d88fc4a4096e560ab6fd75 (diff)
mka: Allow 256-bit CAK to be configured for PSK mode
This allows 256-bit CAK to be used as the root key in the MKA key hierarchy. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/config.c15
-rw-r--r--wpa_supplicant/config_ssid.h5
-rw-r--r--wpa_supplicant/wpa_supplicant.conf7
-rw-r--r--wpa_supplicant/wpas_kay.c2
4 files changed, 18 insertions, 11 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 2fd9e85..7a95ea4 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2002,16 +2002,21 @@ static int wpa_config_parse_mka_cak(const struct parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
{
- if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) ||
- value[MACSEC_CAK_LEN * 2] != '\0') {
+ size_t len;
+
+ len = os_strlen(value);
+ if (len > 2 * MACSEC_CAK_MAX_LEN ||
+ (len != 2 * 16 && len != 2 * 32) ||
+ hexstr2bin(value, ssid->mka_cak, len / 2)) {
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
line, value);
return -1;
}
-
+ ssid->mka_cak_len = len / 2;
ssid->mka_psk_set |= MKA_PSK_SET_CAK;
- wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN);
+ wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak,
+ ssid->mka_cak_len);
return 0;
}
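Review bot: The rejection path in wpa_config_parse_mka_cak() still writes the whole rejected string to the log at MSG_ERROR (`"Line %d: Invalid MKA-CAK '%s'."`), so a CAK that is wrong only by a typo or by its length ends up in the error log, while an accepted key goes only through wpa_hexdump_key() at MSG_MSGDUMP. With two accepted lengths it would be enough to report the length, for example `wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK (%u hex digits; expected 32 or 64).", line, (unsigned int) len);`. Separately, hexstr2bin() decodes straight into ssid->mka_cak, so a string that fails partway presumably leaves the buffer partly overwritten while mka_cak_len and mka_psk_set keep their earlier values; decoding into a local `u8 tmp[MACSEC_CAK_MAX_LEN]` and copying only on success would avoid that. The `len > 2 * MACSEC_CAK_MAX_LEN` test is already implied by the 16/32 check on the next line and could be dropped or replaced by named constants for the two sizes.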
@@ -2053,7 +2058,7 @@ static char * wpa_config_write_mka_cak(const struct parse_data *data,
if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
return NULL;
- return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN);
+ return wpa_config_write_string_hex(ssid->mka_cak, ssid->mka_cak_len);
}
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 3da3ed4..6cf6557 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -855,8 +855,9 @@ struct wpa_ssid {
/**
* mka_cak - MKA pre-shared CAK
*/
-#define MACSEC_CAK_LEN 16
- u8 mka_cak[MACSEC_CAK_LEN];
+#define MACSEC_CAK_MAX_LEN 32
+ size_t mka_cak_len;
+ u8 mka_cak[MACSEC_CAK_MAX_LEN];
#define MKA_PSK_SET_CKN BIT(0)
#define MKA_PSK_SET_CAK BIT(1)
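Review bot: The new `size_t mka_cak_len;` member has no documentation, and the existing `mka_cak - MKA pre-shared CAK` comment now sits directly above the #define and the length field rather than the key array. I would add a short comment before the length, `/** mka_cak_len - Length of mka_cak in octets (16 or 32; 0 until a CAK is parsed) */`, and extend the mka_cak comment to say that only the first mka_cak_len octets are valid. Since the diffstat is limited to wpa_supplicant, it is also worth confirming that no user of the removed MACSEC_CAK_LEN name remains elsewhere in the tree. struct wpa_ssid starts and ends outside this hunk.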
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 58dbf04..2bc3fda 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1018,9 +1018,10 @@ fast_reauth=1
# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
# with lower priority will become the key server and start distributing SAKs.
-# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
-# hex-string (32 hex-digits)
-# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+# (2..64 hex-digits)
# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
# default priority
#
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 39ed677..707e5bb 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -419,7 +419,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
if (wpa_s->kay->policy == DO_NOT_SECURE)
goto dealloc;
- cak->len = MACSEC_CAK_LEN;
+ cak->len = ssid->mka_cak_len;
os_memcpy(cak->key, ssid->mka_cak, cak->len);
ckn->len = ssid->mka_ckn_len;
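Review bot: `cak->len` is now taken from per-network configuration state instead of a compile-time constant, and the `os_memcpy(cak->key, ssid->mka_cak, cak->len)` on the following line copies that many octets without any check against the destination. The declaration of cak->key is not part of this diff, so its capacity needs to be confirmed as at least MACSEC_CAK_MAX_LEN; assuming key is an array member, a guard such as `if (ssid->mka_cak_len > sizeof(cak->key)) goto dealloc;` before the assignment would make the bound explicit here rather than relying on the config parser. The function begins and continues outside the hunk, so whether MKA_PSK_SET_CAK (and hence a non-zero mka_cak_len) is verified earlier cannot be seen from these lines.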