Accueil Explorer Aide
S'inscrire Connexion
wareck
/
krackattacks
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

mka: Store cipher suite ID in a u64 instead of u8 pointer

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Sabrina Dubroca il y a 8 ans
Parent
535a8b8712
commit
07a6bfe1d2
12 fichiers modifiés avec 36 ajouts et 42 suppressions
Vue séparée Afficher les stats Diff
  1. 1 1
      src/common/ieee802_1x_defs.h
  2. 1 1
      src/drivers/driver.h
  3. 6 6
      src/drivers/driver_macsec_qca.c
  4. 10 22
      src/pae/ieee802_1x_cp.c
  5. 1 1
      src/pae/ieee802_1x_cp.h
  6. 11 3
      src/pae/ieee802_1x_kay.c
  7. 1 1
      src/pae/ieee802_1x_kay.h
  8. 1 1
      src/pae/ieee802_1x_kay_i.h
  9. 1 2
      src/pae/ieee802_1x_secy_ops.c
  10. 1 2
      src/pae/ieee802_1x_secy_ops.h
  11. 1 1
      wpa_supplicant/driver_i.h
  12. 1 1
      wpa_supplicant/wpas_kay.c

+ 1 - 1
src/common/ieee802_1x_defs.h
Voir le fichier 

@@ -10,7 +10,7 @@
 
 #define IEEE802_1X_DEFS_H
 
 
 #define CS_ID_LEN		8
 
-#define CS_ID_GCM_AES_128	{0x00, 0x80, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01}
 
+#define CS_ID_GCM_AES_128	0x0080020001000001ULL
 
 #define CS_NAME_GCM_AES_128	"GCM-AES-128"
 
 
 enum macsec_policy {

+ 1 - 1
src/drivers/driver.h
Voir le fichier 

@@ -3319,7 +3319,7 @@ struct wpa_driver_ops {
 
 	 * @cs: EUI64 identifier
 
 	 * Returns: 0 on success, -1 on failure (or if not supported)
 
 	 */
 
-	int (*set_current_cipher_suite)(void *priv, const u8 *cs);
 
+	int (*set_current_cipher_suite)(void *priv, u64 cs);
 
 
 	/**
 
 	 * enable_controlled_port - Set controlled port status

+ 6 - 6
src/drivers/driver_macsec_qca.c
Voir le fichier 

@@ -11,6 +11,7 @@
 
 #include "includes.h"
 
 #include <sys/ioctl.h>
 
 #include <net/if.h>
 
+#include <inttypes.h>
 
 #ifdef __linux__
 
 #include <netpacket/packet.h>
 
 #include <net/if_arp.h>
 
@@ -485,13 +486,12 @@ static int macsec_qca_set_replay_protect(void *priv, Boolean enabled,
 
 }
 
 
 
-static int macsec_qca_set_current_cipher_suite(void *priv, const u8 *cs)
 
+static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
 
 {
 
-	u8 default_cs_id[] = CS_ID_GCM_AES_128;
 
-
 
-	if (os_memcmp(cs, default_cs_id, CS_ID_LEN) != 0) {
 
-		wpa_hexdump(MSG_ERROR, "macsec: NOT supported CipherSuite",
 
-			    cs, CS_ID_LEN);
 
+	if (cs != CS_ID_GCM_AES_128) {
 
+		wpa_printf(MSG_ERROR,
 
+			   "%s: NOT supported CipherSuite: %016" PRIx64,
 
+			   __func__, cs);
 
 		return -1;
 
 	}

+ 10 - 22
src/pae/ieee802_1x_cp.c
Voir le fichier 

@@ -20,7 +20,7 @@
 
 #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
 
 #define STATE_MACHINE_DEBUG_PREFIX "CP"
 
 
-static u8 default_cs_id[] = CS_ID_GCM_AES_128;
 
+static u64 default_cs_id = CS_ID_GCM_AES_128;
 
 
 /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
 
 enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
 
@@ -45,7 +45,7 @@ struct ieee802_1x_cp_sm {
 
 	Boolean elected_self;
 
 	u8 *authorization_data1;
 
 	enum confidentiality_offset cipher_offset;
 
-	u8 *cipher_suite;
 
+	u64 cipher_suite;
 
 	Boolean new_sak; /* clear by CP */
 
 	struct ieee802_1x_mka_ki distributed_ki;
 
 	u8 distributed_an;
 
@@ -71,7 +71,7 @@ struct ieee802_1x_cp_sm {
 
 	Boolean replay_protect;
 
 	u32 replay_window;
 
 
-	u8 *current_cipher_suite;
 
+	u64 current_cipher_suite;
 
 	enum confidentiality_offset confidentiality_offset;
 
 	Boolean controlled_port_enabled;
 
 
@@ -97,8 +97,7 @@ static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
 
 static int changed_cipher(struct ieee802_1x_cp_sm *sm)
 
 {
 
 	return sm->confidentiality_offset != sm->cipher_offset ||
 
-		os_memcmp(sm->current_cipher_suite, sm->cipher_suite,
 
-			  CS_ID_LEN) != 0;
 
+		sm->current_cipher_suite != sm->cipher_suite;
 
 }
 
 
 
@@ -196,8 +195,8 @@ SM_STATE(CP, SECURED)
 
 	sm->replay_protect = conf.replay_protect;
 
 	sm->validate_frames = conf.validate;
 
 
-	/* NOTE: now no other than default cipher suiter(AES-GCM-128) */
 
-	os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
 
+	/* NOTE: now no other than default cipher suite (AES-GCM-128) */
 
+	sm->current_cipher_suite = sm->cipher_suite;
 
 	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
 
 
 	sm->confidentiality_offset = sm->cipher_offset;
 
@@ -459,17 +458,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
 
 	sm->orx = FALSE;
 
 	sm->otx = FALSE;
 
 
-	sm->cipher_suite = os_zalloc(CS_ID_LEN);
 
-	sm->current_cipher_suite = os_zalloc(CS_ID_LEN);
 
-	if (!sm->cipher_suite || !sm->current_cipher_suite) {
 
-		wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
 
-		os_free(sm->cipher_suite);
 
-		os_free(sm->current_cipher_suite);
 
-		os_free(sm);
 
-		return NULL;
 
-	}
 
-	os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
 
-	os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
 
+	sm->current_cipher_suite = default_cs_id;
 
+	sm->cipher_suite = default_cs_id;
 
 	sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
 
 	sm->confidentiality_offset = sm->cipher_offset;
 
 	sm->transmit_delay = MKA_LIFE_TIME;
 
@@ -529,8 +519,6 @@ void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
 
 	eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
 
 	os_free(sm->lki);
 
 	os_free(sm->oki);
 
-	os_free(sm->cipher_suite);
 
-	os_free(sm->current_cipher_suite);
 
 	os_free(sm->authorization_data);
 
 	os_free(sm);
 
 }
 
@@ -617,10 +605,10 @@ void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
 
 /**
 
  * ieee802_1x_cp_set_ciphersuite -
 
  */
 
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid)
 
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
 
 {
 
 	struct ieee802_1x_cp_sm *sm = cp_ctx;
 
-	os_memcpy(sm->cipher_suite, pid, CS_ID_LEN);
 
+	sm->cipher_suite = cs;
 
 }

+ 1 - 1
src/pae/ieee802_1x_cp.h
Voir le fichier 

@@ -36,7 +36,7 @@ void ieee802_1x_cp_connect_secure(void *cp_ctx);
 
 void ieee802_1x_cp_signal_chgdserver(void *cp_ctx);
 
 void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status);
 
 void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len);
 
-void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid);
 
+void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs);
 
 void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset);
 
 void ieee802_1x_cp_signal_newsak(void *cp_ctx);
 
 void ieee802_1x_cp_set_distributedki(void *cp_ctx,

+ 11 - 3
src/pae/ieee802_1x_kay.c
Voir le fichier 

@@ -361,12 +361,17 @@ ieee802_1x_kay_get_peer(struct ieee802_1x_mka_participant *participant,
 
  */
 
 static struct macsec_ciphersuite *
 
 ieee802_1x_kay_get_cipher_suite(struct ieee802_1x_mka_participant *participant,
 
-				u8 *cs_id)
 
+				const u8 *cs_id)
 
 {
 
 	unsigned int i;
 
+	u64 cs;
 
+	be64 _cs;
 
+
 
+	os_memcpy(&_cs, cs_id, CS_ID_LEN);
 
+	cs = be_to_host64(_cs);
 
 
 	for (i = 0; i < CS_TABLE_SIZE; i++) {
 
-		if (os_memcmp(cipher_suite_tbl[i].id, cs_id, CS_ID_LEN) == 0)
 
+		if (cipher_suite_tbl[i].id == cs)
 
 			return &cipher_suite_tbl[i];
 
 	}
 
 
@@ -1440,7 +1445,10 @@ ieee802_1x_mka_encode_dist_sak_body(
 
 	cs_index = participant->kay->macsec_csindex;
 
 	sak_pos = 0;
 
 	if (cs_index != DEFAULT_CS_INDEX) {
 
-		os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
 
+		be64 cs;
 
+
 
+		cs = host_to_be64(cipher_suite_tbl[cs_index].id);
 
+		os_memcpy(body->sak, &cs, CS_ID_LEN);
 
 		sak_pos = CS_ID_LEN;
 
 	}
 
 	if (aes_wrap(participant->kek.key, 16,

+ 1 - 1
src/pae/ieee802_1x_kay.h
Voir le fichier 

@@ -59,7 +59,7 @@ struct ieee802_1x_kay_ctx {
 
 	int (*macsec_deinit)(void *ctx);
 
 	int (*enable_protect_frames)(void *ctx, Boolean enabled);
 
 	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
 
-	int (*set_current_cipher_suite)(void *ctx, const u8 *cs);
 
+	int (*set_current_cipher_suite)(void *ctx, u64 cs);
 
 	int (*enable_controlled_port)(void *ctx, Boolean enabled);
 
 	int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
 
 				     u32 *lowest_pn);

+ 1 - 1
src/pae/ieee802_1x_kay_i.h
Voir le fichier 

@@ -147,7 +147,7 @@ struct receive_sa {
 
 };
 
 
 struct macsec_ciphersuite {
 
-	u8 id[CS_ID_LEN];
 
+	u64 id;
 
 	char name[32];
 
 	enum macsec_cap capable;
 
 	int sak_len; /* unit: byte */

+ 1 - 2
src/pae/ieee802_1x_secy_ops.c
Voir le fichier 

@@ -65,8 +65,7 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean enabled, u32 win)
 
 }
 
 
 
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
 
-					 const u8 *cs)
 
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
 
 {
 
 	struct ieee802_1x_kay_ctx *ops;

+ 1 - 2
src/pae/ieee802_1x_secy_ops.h
Voir le fichier 

@@ -26,8 +26,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay,
 
 				    enum validate_frames vf);
 
 int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, Boolean flag);
 
 int secy_cp_control_replay(struct ieee802_1x_kay *kay, Boolean flag, u32 win);
 
-int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay,
 
-					 const u8 *cs);
 
+int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
 
 int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
 
 					   enum confidentiality_offset co);
 
 int secy_cp_control_enable_port(struct ieee802_1x_kay *kay, Boolean flag);

+ 1 - 1
wpa_supplicant/driver_i.h
Voir le fichier 

@@ -733,7 +733,7 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
 
 }
 
 
 static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
 
-						   const u8 *cs)
 
+						   u64 cs)
 
 {
 
 	if (!wpa_s->driver->set_current_cipher_suite)
 
 		return -1;

+ 1 - 1
wpa_supplicant/wpas_kay.c
Voir le fichier 

@@ -50,7 +50,7 @@ static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
 
 }
 
 
 
-static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs)
 
+static int wpas_set_current_cipher_suite(void *wpa_s, u64 cs)
 
 {
 
 	return wpa_drv_set_current_cipher_suite(wpa_s, cs);
 
 }