Cumulative patch from commit f4626235de4b6d19c7399a2522241f7c43e0caf6
f462623 EAP-pwd server: Allow fragment_size to be configured
c876dcd EAP-IKEv2: Allow frag ack without integrity checksum
0f73c64 EAP-pwd: Fix processing of group setup failure
13e2574 EAP-pwd peer: Export Session-Id through getSessionId callback
cfdb32e eapol_test: Check EAP-Key-Name
251c53e RADIUS: Define EAP-Key-Name
04cad50 EAP-SIM peer: Fix counter-too-small message building
270c9a4 Interworking: Allow FT to be used for connection
81ed499 Remove duplicated ibss_rsn_deinit() call
144f104 X.509: Fix v3 parsing with issuerUniqueID/subjectUniqueID present
0f1034e P2P: Refrain from performing extended listen during P2P connection
8d0dd4e Add macsec_qca driver wrapper
dd10abc MACsec: wpa_supplicant integration
887d9d0 MACsec: Add PAE implementation
7baec80 MACsec: Add driver_ops
4e9528c MACsec: Add common IEEE 802.1X definitions
3bcfab8 MACsec: Add define for EAPOL type MKA
0836c04 MACsec: Allow EAPOL version 3 to be configured
49be483 Add function to fetch EAP Session-Id from EAPOL supplicant
ea40a57 nl80211: Use max associated STAs information in AP mode
Change-Id: I0e37a10ca58d0dc1be95a0088d6a4c37b2505ad4
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index f74d516..48eb28a 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -748,6 +748,19 @@
endif
endif
+ifdef CONFIG_MACSEC
+CFLAGS += -DCONFIG_MACSEC
+NEED_AES_ENCBLOCK=y
+NEED_AES_UNWRAP=y
+NEED_AES_WRAP=y
+NEED_AES_OMAC1=y
+OBJS += wpas_kay.o
+OBJS += ../src/pae/ieee802_1x_cp.o
+OBJS += ../src/pae/ieee802_1x_kay.o
+OBJS += ../src/pae/ieee802_1x_key.o
+OBJS += ../src/pae/ieee802_1x_secy_ops.o
+endif
+
ifdef CONFIG_AP
NEED_80211_COMMON=y
NEED_EAP_COMMON=y
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b5a5d78..e60bc05 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1733,6 +1733,9 @@
{ INT(ap_max_inactivity) },
{ INT(dtim_period) },
{ INT(beacon_int) },
+#ifdef CONFIG_MACSEC
+ { INT_RANGE(macsec_policy, 0, 1) },
+#endif /* CONFIG_MACSEC */
};
#undef OFFSET
@@ -3784,7 +3787,11 @@
{ FUNC_NO_VAR(no_ctrl_interface), 0 },
{ STR(ctrl_interface_group), 0 } /* deprecated */,
#endif /* CONFIG_CTRL_IFACE */
+#ifdef CONFIG_MACSEC
+ { INT_RANGE(eapol_version, 1, 3), 0 },
+#else /* CONFIG_MACSEC */
{ INT_RANGE(eapol_version, 1, 2), 0 },
+#endif /* CONFIG_MACSEC */
{ INT(ap_scan), 0 },
{ FUNC(bgscan), 0 },
{ INT(disable_scan_offload), 0 },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 3cfe5ba..4dc4d12 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -736,6 +736,9 @@
#endif /* CONFIG_P2P */
INT(dtim_period);
INT(beacon_int);
+#ifdef CONFIG_MACSEC
+ INT(macsec_policy);
+#endif /* CONFIG_MACSEC */
#undef STR
#undef INT
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 18fb65b..76b0632 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -636,6 +636,17 @@
* dereferences since it may not be updated in all cases.
*/
void *parent_cred;
+
+#ifdef CONFIG_MACSEC
+ /**
+ * macsec_policy - Determines the policy for MACsec secure session
+ *
+ * 0: MACsec not in use (default)
+ * 1: MACsec enabled - Should secure, accept key server's advice to
+ * determine whether to use a secure session or not.
+ */
+ int macsec_policy;
+#endif /* CONFIG_MACSEC */
};
#endif /* CONFIG_SSID_H */
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h
index beeb059..00703d9 100644
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -632,4 +632,199 @@
data, data_len, buf);
}
+
+#ifdef CONFIG_MACSEC
+
+static inline int wpa_drv_macsec_init(struct wpa_supplicant *wpa_s,
+ struct macsec_init_params *params)
+{
+ if (!wpa_s->driver->macsec_init)
+ return -1;
+ return wpa_s->driver->macsec_init(wpa_s->drv_priv, params);
+}
+
+static inline int wpa_drv_macsec_deinit(struct wpa_supplicant *wpa_s)
+{
+ if (!wpa_s->driver->macsec_deinit)
+ return -1;
+ return wpa_s->driver->macsec_deinit(wpa_s->drv_priv);
+}
+
+static inline int wpa_drv_enable_protect_frames(struct wpa_supplicant *wpa_s,
+ Boolean enabled)
+{
+ if (!wpa_s->driver->enable_protect_frames)
+ return -1;
+ return wpa_s->driver->enable_protect_frames(wpa_s->drv_priv, enabled);
+}
+
+static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s,
+ Boolean enabled, u32 window)
+{
+ if (!wpa_s->driver->set_replay_protect)
+ return -1;
+ return wpa_s->driver->set_replay_protect(wpa_s->drv_priv, enabled,
+ window);
+}
+
+static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
+ const u8 *cs, size_t cs_len)
+{
+ if (!wpa_s->driver->set_current_cipher_suite)
+ return -1;
+ return wpa_s->driver->set_current_cipher_suite(wpa_s->drv_priv, cs,
+ cs_len);
+}
+
+static inline int wpa_drv_enable_controlled_port(struct wpa_supplicant *wpa_s,
+ Boolean enabled)
+{
+ if (!wpa_s->driver->enable_controlled_port)
+ return -1;
+ return wpa_s->driver->enable_controlled_port(wpa_s->drv_priv, enabled);
+}
+
+static inline int wpa_drv_get_receive_lowest_pn(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an,
+ u32 *lowest_pn)
+{
+ if (!wpa_s->driver->get_receive_lowest_pn)
+ return -1;
+ return wpa_s->driver->get_receive_lowest_pn(wpa_s->drv_priv, channel,
+ an, lowest_pn);
+}
+
+static inline int wpa_drv_get_transmit_next_pn(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an,
+ u32 *next_pn)
+{
+ if (!wpa_s->driver->get_transmit_next_pn)
+ return -1;
+ return wpa_s->driver->get_transmit_next_pn(wpa_s->drv_priv, channel,
+ an, next_pn);
+}
+
+static inline int wpa_drv_set_transmit_next_pn(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an,
+ u32 next_pn)
+{
+ if (!wpa_s->driver->set_transmit_next_pn)
+ return -1;
+ return wpa_s->driver->set_transmit_next_pn(wpa_s->drv_priv, channel,
+ an, next_pn);
+}
+
+static inline int wpa_drv_get_available_receive_sc(struct wpa_supplicant *wpa_s,
+ u32 *channel)
+{
+ if (!wpa_s->driver->get_available_receive_sc)
+ return -1;
+ return wpa_s->driver->get_available_receive_sc(wpa_s->drv_priv,
+ channel);
+}
+
+static inline int
+wpa_drv_create_receive_sc(struct wpa_supplicant *wpa_s, u32 channel,
+ const u8 *sci_addr, u16 sci_port,
+ unsigned int conf_offset, int validation)
+{
+ if (!wpa_s->driver->create_receive_sc)
+ return -1;
+ return wpa_s->driver->create_receive_sc(wpa_s->drv_priv, channel,
+ sci_addr, sci_port, conf_offset,
+ validation);
+}
+
+static inline int wpa_drv_delete_receive_sc(struct wpa_supplicant *wpa_s,
+ u32 channel)
+{
+ if (!wpa_s->driver->delete_receive_sc)
+ return -1;
+ return wpa_s->driver->delete_receive_sc(wpa_s->drv_priv, channel);
+}
+
+static inline int wpa_drv_create_receive_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an,
+ u32 lowest_pn, const u8 *sak)
+{
+ if (!wpa_s->driver->create_receive_sa)
+ return -1;
+ return wpa_s->driver->create_receive_sa(wpa_s->drv_priv, channel, an,
+ lowest_pn, sak);
+}
+
+static inline int wpa_drv_enable_receive_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an)
+{
+ if (!wpa_s->driver->enable_receive_sa)
+ return -1;
+ return wpa_s->driver->enable_receive_sa(wpa_s->drv_priv, channel, an);
+}
+
+static inline int wpa_drv_disable_receive_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an)
+{
+ if (!wpa_s->driver->disable_receive_sa)
+ return -1;
+ return wpa_s->driver->disable_receive_sa(wpa_s->drv_priv, channel, an);
+}
+
+static inline int
+wpa_drv_get_available_transmit_sc(struct wpa_supplicant *wpa_s, u32 *channel)
+{
+ if (!wpa_s->driver->get_available_transmit_sc)
+ return -1;
+ return wpa_s->driver->get_available_transmit_sc(wpa_s->drv_priv,
+ channel);
+}
+
+static inline int
+wpa_drv_create_transmit_sc(struct wpa_supplicant *wpa_s, u32 channel,
+ const u8 *sci_addr, u16 sci_port,
+ unsigned int conf_offset)
+{
+ if (!wpa_s->driver->create_transmit_sc)
+ return -1;
+ return wpa_s->driver->create_transmit_sc(wpa_s->drv_priv, channel,
+ sci_addr, sci_port,
+ conf_offset);
+}
+
+static inline int wpa_drv_delete_transmit_sc(struct wpa_supplicant *wpa_s,
+ u32 channel)
+{
+ if (!wpa_s->driver->delete_transmit_sc)
+ return -1;
+ return wpa_s->driver->delete_transmit_sc(wpa_s->drv_priv, channel);
+}
+
+static inline int wpa_drv_create_transmit_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an,
+ u32 next_pn,
+ Boolean confidentiality,
+ const u8 *sak)
+{
+ if (!wpa_s->driver->create_transmit_sa)
+ return -1;
+ return wpa_s->driver->create_transmit_sa(wpa_s->drv_priv, channel, an,
+ next_pn, confidentiality, sak);
+}
+
+static inline int wpa_drv_enable_transmit_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an)
+{
+ if (!wpa_s->driver->enable_transmit_sa)
+ return -1;
+ return wpa_s->driver->enable_transmit_sa(wpa_s->drv_priv, channel, an);
+}
+
+static inline int wpa_drv_disable_transmit_sa(struct wpa_supplicant *wpa_s,
+ u32 channel, u8 an)
+{
+ if (!wpa_s->driver->disable_transmit_sa)
+ return -1;
+ return wpa_s->driver->disable_transmit_sa(wpa_s->drv_priv, channel, an);
+}
+#endif /* CONFIG_MACSEC */
+
#endif /* DRIVER_I_H */
diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index ac0ab0b..88d4241 100644
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -46,6 +46,7 @@
int eapol_test_num_reauths;
int no_mppe_keys;
int num_mppe_ok, num_mppe_mismatch;
+ int req_eap_key_name;
u8 radius_identifier;
struct radius_msg *last_recv_radius;
@@ -58,6 +59,8 @@
u8 authenticator_pmk[PMK_LEN];
size_t authenticator_pmk_len;
+ u8 authenticator_eap_key_name[256];
+ size_t authenticator_eap_key_name_len;
int radius_access_accept_received;
int radius_access_reject_received;
int auth_timed_out;
@@ -208,6 +211,13 @@
goto fail;
}
+ if (e->req_eap_key_name &&
+ !radius_msg_add_attr(msg, RADIUS_ATTR_EAP_KEY_NAME, (u8 *) "\0",
+ 1)) {
+ printf("Could not add EAP-Key-Name\n");
+ goto fail;
+ }
+
if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_IP_ADDRESS) &&
!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
(u8 *) &e->own_ip_addr, 4)) {
@@ -333,6 +343,8 @@
{
u8 pmk[PMK_LEN];
int ret = 1;
+ const u8 *sess_id;
+ size_t sess_id_len;
if (eapol_sm_get_key(e->wpa_s->eapol, pmk, PMK_LEN) == 0) {
wpa_hexdump(MSG_DEBUG, "PMK from EAPOL", pmk, PMK_LEN);
@@ -361,6 +373,28 @@
else if (!e->no_mppe_keys)
e->num_mppe_ok++;
+ sess_id = eapol_sm_get_session_id(e->wpa_s->eapol, &sess_id_len);
+ if (!sess_id)
+ return ret;
+ if (e->authenticator_eap_key_name_len == 0) {
+ wpa_printf(MSG_INFO, "No EAP-Key-Name received from server");
+ return ret;
+ }
+
+ if (e->authenticator_eap_key_name_len != sess_id_len ||
+ os_memcmp(e->authenticator_eap_key_name, sess_id, sess_id_len) != 0)
+ {
+ wpa_printf(MSG_INFO,
+ "Locally derived EAP Session-Id does not match EAP-Key-Name from server");
+ wpa_hexdump(MSG_DEBUG, "EAP Session-Id", sess_id, sess_id_len);
+ wpa_hexdump(MSG_DEBUG, "EAP-Key-Name from server",
+ e->authenticator_eap_key_name,
+ e->authenticator_eap_key_name_len);
+ } else {
+ wpa_printf(MSG_INFO,
+ "Locally derived EAP Session-Id matches EAP-Key-Name from server");
+ }
+
return ret;
}
@@ -749,6 +783,8 @@
size_t shared_secret_len)
{
struct radius_ms_mppe_keys *keys;
+ u8 *buf;
+ size_t len;
keys = radius_msg_get_ms_keys(msg, req, shared_secret,
shared_secret_len);
@@ -787,6 +823,14 @@
os_free(keys->recv);
os_free(keys);
}
+
+ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len,
+ NULL) == 0) {
+ os_memcpy(e->authenticator_eap_key_name, buf, len);
+ e->authenticator_eap_key_name_len = len;
+ } else {
+ e->authenticator_eap_key_name_len = 0;
+ }
}
@@ -1095,7 +1139,7 @@
static void usage(void)
{
printf("usage:\n"
- "eapol_test [-nWS] -c<conf> [-a<AS IP>] [-p<AS port>] "
+ "eapol_test [-enWS] -c<conf> [-a<AS IP>] [-p<AS port>] "
"[-s<AS secret>]\\\n"
" [-r<count>] [-t<timeout>] [-C<Connect-Info>] \\\n"
" [-M<client MAC address>] [-o<server cert file] \\\n"
@@ -1115,6 +1159,7 @@
" -A<client IP> = IP address of the client, default: select "
"automatically\n"
" -r<count> = number of re-authentications\n"
+ " -e = Request EAP-Key-Name\n"
" -W = wait for a control interface monitor before starting\n"
" -S = save configuration after authentication\n"
" -n = no MPPE keys expected\n"
@@ -1168,7 +1213,7 @@
wpa_debug_show_keys = 1;
for (;;) {
- c = getopt(argc, argv, "a:A:c:C:M:nN:o:p:r:s:St:W");
+ c = getopt(argc, argv, "a:A:c:C:eM:nN:o:p:r:s:St:W");
if (c < 0)
break;
switch (c) {
@@ -1184,6 +1229,9 @@
case 'C':
eapol_test.connect_info = optarg;
break;
+ case 'e':
+ eapol_test.req_eap_key_name = 1;
+ break;
case 'M':
if (hwaddr_aton(optarg, eapol_test.own_addr)) {
usage();
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 9b7323b..8e865b4 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -2383,10 +2383,6 @@
wpa_supplicant_set_state(wpa_s, WPA_INTERFACE_DISABLED);
l2_packet_deinit(wpa_s->l2);
wpa_s->l2 = NULL;
-#ifdef CONFIG_IBSS_RSN
- ibss_rsn_deinit(wpa_s->ibss_rsn);
- wpa_s->ibss_rsn = NULL;
-#endif /* CONFIG_IBSS_RSN */
#ifdef CONFIG_TERMINATE_ONLASTIF
/* check if last interface */
if (!any_interfaces(wpa_s->global->ifaces))
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index f46c4cf..a8ecb8c 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -27,6 +27,7 @@
#include "bss.h"
#include "scan.h"
#include "notify.h"
+#include "driver_i.h"
#include "gas_query.h"
#include "hs20_supplicant.h"
#include "interworking.h"
@@ -875,9 +876,23 @@
static int interworking_set_hs20_params(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
{
- if (wpa_config_set(ssid, "key_mgmt",
- wpa_s->conf->pmf != NO_MGMT_FRAME_PROTECTION ?
- "WPA-EAP WPA-EAP-SHA256" : "WPA-EAP", 0) < 0)
+ const char *key_mgmt = NULL;
+#ifdef CONFIG_IEEE80211R
+ int res;
+ struct wpa_driver_capa capa;
+
+ res = wpa_drv_get_capa(wpa_s, &capa);
+ if (res == 0 && capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT) {
+ key_mgmt = wpa_s->conf->pmf != NO_MGMT_FRAME_PROTECTION ?
+ "WPA-EAP WPA-EAP-SHA256 FT-EAP" :
+ "WPA-EAP FT-EAP";
+ }
+#endif /* CONFIG_IEEE80211R */
+
+ if (!key_mgmt)
+ key_mgmt = wpa_s->conf->pmf != NO_MGMT_FRAME_PROTECTION ?
+ "WPA-EAP WPA-EAP-SHA256" : "WPA-EAP";
+ if (wpa_config_set(ssid, "key_mgmt", key_mgmt, 0) < 0)
return -1;
if (wpa_config_set(ssid, "proto", "RSN", 0) < 0)
return -1;
diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index 522d277..be160c0 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -3748,6 +3748,13 @@
}
+static int _wpas_p2p_in_progress(void *ctx)
+{
+ struct wpa_supplicant *wpa_s = ctx;
+ return wpas_p2p_in_progress(wpa_s);
+}
+
+
/**
* wpas_p2p_init - Initialize P2P module for %wpa_supplicant
* @global: Pointer to global data from wpa_supplicant_init()
@@ -3795,6 +3802,7 @@
p2p.go_connected = wpas_go_connected;
p2p.presence_resp = wpas_presence_resp;
p2p.is_concurrent_session_active = wpas_is_concurrent_session_active;
+ p2p.is_p2p_in_progress = _wpas_p2p_in_progress;
os_memcpy(wpa_s->global->p2p_dev_addr, wpa_s->own_addr, ETH_ALEN);
os_memcpy(p2p.dev_addr, wpa_s->global->p2p_dev_addr, ETH_ALEN);
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index f56b198..8ba816b 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -51,6 +51,7 @@
#include "offchannel.h"
#include "hs20_supplicant.h"
#include "wnm_sta.h"
+#include "wpas_kay.h"
const char *wpa_supplicant_version =
"wpa_supplicant v" VERSION_STR "\n"
@@ -298,6 +299,8 @@
eapol_conf.external_sim = wpa_s->conf->external_sim;
eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
#endif /* IEEE8021X_EAPOL */
+
+ ieee802_1x_alloc_kay_sm(wpa_s, ssid);
}
@@ -468,6 +471,8 @@
free_hw_features(wpa_s);
+ ieee802_1x_dealloc_kay_sm(wpa_s);
+
os_free(wpa_s->bssid_filter);
wpa_s->bssid_filter = NULL;
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 81fbdfb..243787f 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -81,6 +81,8 @@
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
eapol_version=1
# AP scanning/selection
@@ -97,6 +99,8 @@
# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
# APs (i.e., external program needs to control association). This mode must
# also be used when using wired Ethernet drivers.
+# Note: macsec_qca driver is one type of Ethernet driver which implements
+# macsec feature.
# 2: like 0, but associate with APs using security policy and SSID (but not
# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
# enable operation with hidden SSIDs and optimized roaming; in this mode,
@@ -675,8 +679,16 @@
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
# (3 = require both keys; default)
-# Note: When using wired authentication, eapol_flags must be set to 0 for the
-# authentication to be completed successfully.
+# Note: When using wired authentication (including macsec_qca driver),
+# eapol_flags must be set to 0 for the authentication to be completed
+# successfully.
+#
+# macsec_policy: IEEE 802.1X/MACsec options
+# This determines how sessions are secured with MACsec. It is currently
+# applicable only when using the macsec_qca driver interface.
+# 0: MACsec not in use (default)
+# 1: MACsec enabled - Should secure, accept key server's advice to
+# determine whether to use a secure session or not.
#
# mixed_cell: This option can be used to configure whether so called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
@@ -1341,3 +1353,17 @@
network={
key_mgmt=NONE
}
+
+
+# Example MACsec configuration
+#network={
+# key_mgmt=IEEE8021X
+# eap=TTLS
+# phase2="auth=PAP"
+# anonymous_identity="anonymous@example.com"
+# identity="user@example.com"
+# password="secretr"
+# ca_cert="/etc/cert/ca.pem"
+# eapol_flags=0
+# macsec_policy=1
+#}
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index b5e137c..a57f962 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -808,6 +808,9 @@
u16 num_modes;
u16 flags;
} hw;
+#ifdef CONFIG_MACSEC
+ struct ieee802_1x_kay *kay;
+#endif /* CONFIG_MACSEC */
int pno;
int pno_sched_pending;
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index b2a330c..350b122 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -26,6 +26,7 @@
#include "bss.h"
#include "scan.h"
#include "notify.h"
+#include "wpas_kay.h"
#ifndef CONFIG_NO_CONFIG_BLOBS
@@ -254,6 +255,8 @@
* authentication failure.
*/
wpa_supplicant_req_auth_timeout(wpa_s, 2, 0);
+ } else {
+ ieee802_1x_notify_create_actor(wpa_s, wpa_s->last_eapol_src);
}
if (result != EAPOL_SUPP_RESULT_SUCCESS ||
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
new file mode 100644
index 0000000..354decf
--- /dev/null
+++ b/wpa_supplicant/wpas_kay.c
@@ -0,0 +1,378 @@
+/*
+ * IEEE 802.1X-2010 KaY Interface
+ * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+#include <openssl/ssl.h>
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "eap_peer/eap.h"
+#include "eap_peer/eap_i.h"
+#include "eapol_supp/eapol_supp_sm.h"
+#include "pae/ieee802_1x_key.h"
+#include "pae/ieee802_1x_kay.h"
+#include "wpa_supplicant_i.h"
+#include "config.h"
+#include "config_ssid.h"
+#include "driver_i.h"
+#include "wpas_kay.h"
+
+
+#define DEFAULT_KEY_LEN 16
+/* secure Connectivity Association Key Name (CKN) */
+#define DEFAULT_CKN_LEN 16
+
+
+static int wpas_macsec_init(void *priv, struct macsec_init_params *params)
+{
+ return wpa_drv_macsec_init(priv, params);
+}
+
+
+static int wpas_macsec_deinit(void *priv)
+{
+ return wpa_drv_macsec_deinit(priv);
+}
+
+
+static int wpas_enable_protect_frames(void *wpa_s, Boolean enabled)
+{
+ return wpa_drv_enable_protect_frames(wpa_s, enabled);
+}
+
+
+static int wpas_set_replay_protect(void *wpa_s, Boolean enabled, u32 window)
+{
+ return wpa_drv_set_replay_protect(wpa_s, enabled, window);
+}
+
+
+static int wpas_set_current_cipher_suite(void *wpa_s, const u8 *cs,
+ size_t cs_len)
+{
+ return wpa_drv_set_current_cipher_suite(wpa_s, cs, cs_len);
+}
+
+
+static int wpas_enable_controlled_port(void *wpa_s, Boolean enabled)
+{
+ return wpa_drv_enable_controlled_port(wpa_s, enabled);
+}
+
+
+static int wpas_get_receive_lowest_pn(void *wpa_s, u32 channel,
+ u8 an, u32 *lowest_pn)
+{
+ return wpa_drv_get_receive_lowest_pn(wpa_s, channel, an, lowest_pn);
+}
+
+
+static int wpas_get_transmit_next_pn(void *wpa_s, u32 channel,
+ u8 an, u32 *next_pn)
+{
+ return wpa_drv_get_transmit_next_pn(wpa_s, channel, an, next_pn);
+}
+
+
+static int wpas_set_transmit_next_pn(void *wpa_s, u32 channel,
+ u8 an, u32 next_pn)
+{
+ return wpa_drv_set_transmit_next_pn(wpa_s, channel, an, next_pn);
+}
+
+
+static int wpas_get_available_receive_sc(void *wpa_s, u32 *channel)
+{
+ return wpa_drv_get_available_receive_sc(wpa_s, channel);
+}
+
+
+static unsigned int conf_offset_val(enum confidentiality_offset co)
+{
+ switch (co) {
+ case CONFIDENTIALITY_OFFSET_30:
+ return 30;
+ break;
+ case CONFIDENTIALITY_OFFSET_50:
+ return 50;
+ default:
+ return 0;
+ }
+}
+
+
+static int wpas_create_receive_sc(void *wpa_s, u32 channel,
+ struct ieee802_1x_mka_sci *sci,
+ enum validate_frames vf,
+ enum confidentiality_offset co)
+{
+ return wpa_drv_create_receive_sc(wpa_s, channel, sci->addr, sci->port,
+ conf_offset_val(co), vf);
+}
+
+
+static int wpas_delete_receive_sc(void *wpa_s, u32 channel)
+{
+ return wpa_drv_delete_receive_sc(wpa_s, channel);
+}
+
+
+static int wpas_create_receive_sa(void *wpa_s, u32 channel, u8 an,
+ u32 lowest_pn, const u8 *sak)
+{
+ return wpa_drv_create_receive_sa(wpa_s, channel, an, lowest_pn, sak);
+}
+
+
+static int wpas_enable_receive_sa(void *wpa_s, u32 channel, u8 an)
+{
+ return wpa_drv_enable_receive_sa(wpa_s, channel, an);
+}
+
+
+static int wpas_disable_receive_sa(void *wpa_s, u32 channel, u8 an)
+{
+ return wpa_drv_disable_receive_sa(wpa_s, channel, an);
+}
+
+
+static int wpas_get_available_transmit_sc(void *wpa_s, u32 *channel)
+{
+ return wpa_drv_get_available_transmit_sc(wpa_s, channel);
+}
+
+
+static int
+wpas_create_transmit_sc(void *wpa_s, u32 channel,
+ const struct ieee802_1x_mka_sci *sci,
+ enum confidentiality_offset co)
+{
+ return wpa_drv_create_transmit_sc(wpa_s, channel, sci->addr, sci->port,
+ conf_offset_val(co));
+}
+
+
+static int wpas_delete_transmit_sc(void *wpa_s, u32 channel)
+{
+ return wpa_drv_delete_transmit_sc(wpa_s, channel);
+}
+
+
+static int wpas_create_transmit_sa(void *wpa_s, u32 channel, u8 an,
+ u32 next_pn, Boolean confidentiality,
+ const u8 *sak)
+{
+ return wpa_drv_create_transmit_sa(wpa_s, channel, an, next_pn,
+ confidentiality, sak);
+}
+
+
+static int wpas_enable_transmit_sa(void *wpa_s, u32 channel, u8 an)
+{
+ return wpa_drv_enable_transmit_sa(wpa_s, channel, an);
+}
+
+
+static int wpas_disable_transmit_sa(void *wpa_s, u32 channel, u8 an)
+{
+ return wpa_drv_disable_transmit_sa(wpa_s, channel, an);
+}
+
+
+int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
+{
+ struct ieee802_1x_kay_ctx *kay_ctx;
+ struct ieee802_1x_kay *res = NULL;
+ enum macsec_policy policy;
+
+ ieee802_1x_dealloc_kay_sm(wpa_s);
+
+ if (!ssid || ssid->macsec_policy == 0)
+ return 0;
+
+ policy = ssid->macsec_policy == 1 ? SHOULD_SECURE : DO_NOT_SECURE;
+
+ kay_ctx = os_zalloc(sizeof(*kay_ctx));
+ if (!kay_ctx)
+ return -1;
+
+ kay_ctx->ctx = wpa_s;
+
+ kay_ctx->macsec_init = wpas_macsec_init;
+ kay_ctx->macsec_deinit = wpas_macsec_deinit;
+ kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
+ kay_ctx->set_replay_protect = wpas_set_replay_protect;
+ kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
+ kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
+ kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
+ kay_ctx->get_transmit_next_pn = wpas_get_transmit_next_pn;
+ kay_ctx->set_transmit_next_pn = wpas_set_transmit_next_pn;
+ kay_ctx->get_available_receive_sc = wpas_get_available_receive_sc;
+ kay_ctx->create_receive_sc = wpas_create_receive_sc;
+ kay_ctx->delete_receive_sc = wpas_delete_receive_sc;
+ kay_ctx->create_receive_sa = wpas_create_receive_sa;
+ kay_ctx->enable_receive_sa = wpas_enable_receive_sa;
+ kay_ctx->disable_receive_sa = wpas_disable_receive_sa;
+ kay_ctx->get_available_transmit_sc = wpas_get_available_transmit_sc;
+ kay_ctx->create_transmit_sc = wpas_create_transmit_sc;
+ kay_ctx->delete_transmit_sc = wpas_delete_transmit_sc;
+ kay_ctx->create_transmit_sa = wpas_create_transmit_sa;
+ kay_ctx->enable_transmit_sa = wpas_enable_transmit_sa;
+ kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
+
+ res = ieee802_1x_kay_init(kay_ctx, policy, wpa_s->ifname,
+ wpa_s->own_addr);
+ if (res == NULL) {
+ os_free(kay_ctx);
+ return -1;
+ }
+
+ wpa_s->kay = res;
+
+ return 0;
+}
+
+
+void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
+{
+ if (!wpa_s->kay)
+ return;
+
+ ieee802_1x_kay_deinit(wpa_s->kay);
+ wpa_s->kay = NULL;
+}
+
+
+static int ieee802_1x_auth_get_session_id(struct wpa_supplicant *wpa_s,
+ const u8 *addr, u8 *sid, size_t *len)
+{
+ const u8 *session_id;
+ size_t id_len, need_len;
+
+ session_id = eapol_sm_get_session_id(wpa_s->eapol, &id_len);
+ if (session_id == NULL) {
+ wpa_printf(MSG_DEBUG,
+ "Failed to get SessionID from EAPOL state machines");
+ return -1;
+ }
+
+ need_len = 1 + 2 * SSL3_RANDOM_SIZE;
+ if (need_len > id_len) {
+ wpa_printf(MSG_DEBUG, "EAP Session-Id not long enough");
+ return -1;
+ }
+
+ os_memcpy(sid, session_id, need_len);
+ *len = need_len;
+
+ return 0;
+}
+
+
+static int ieee802_1x_auth_get_msk(struct wpa_supplicant *wpa_s, const u8 *addr,
+ u8 *msk, size_t *len)
+{
+ u8 key[EAP_MSK_LEN];
+ size_t keylen;
+ struct eapol_sm *sm;
+ int res;
+
+ sm = wpa_s->eapol;
+ if (sm == NULL)
+ return -1;
+
+ keylen = EAP_MSK_LEN;
+ res = eapol_sm_get_key(sm, key, keylen);
+ if (res) {
+ wpa_printf(MSG_DEBUG,
+ "Failed to get MSK from EAPOL state machines");
+ return -1;
+ }
+
+ if (keylen > *len)
+ keylen = *len;
+ os_memcpy(msk, key, keylen);
+ *len = keylen;
+
+ return 0;
+}
+
+
+void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
+ const u8 *peer_addr)
+{
+ u8 *sid;
+ size_t sid_len = 128;
+ struct mka_key_name *ckn;
+ struct mka_key *cak;
+ struct mka_key *msk;
+ void *res = NULL;
+
+ if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
+ return NULL;
+
+ wpa_printf(MSG_DEBUG,
+ "IEEE 802.1X: External notification - Create MKA for "
+ MACSTR, MAC2STR(peer_addr));
+
+ msk = os_zalloc(sizeof(*msk));
+ sid = os_zalloc(sid_len);
+ ckn = os_zalloc(sizeof(*ckn));
+ cak = os_zalloc(sizeof(*cak));
+ if (!msk || !sid || !ckn || !cak)
+ goto fail;
+
+ msk->len = DEFAULT_KEY_LEN;
+ if (ieee802_1x_auth_get_msk(wpa_s, wpa_s->bssid, msk->key, &msk->len)) {
+ wpa_printf(MSG_ERROR, "IEEE 802.1X: Could not get MSK");
+ goto fail;
+ }
+
+ if (ieee802_1x_auth_get_session_id(wpa_s, wpa_s->bssid, sid, &sid_len))
+ {
+ wpa_printf(MSG_ERROR,
+ "IEEE 802.1X: Could not get EAP Session Id");
+ goto fail;
+ }
+
+ /* Derive CAK from MSK */
+ cak->len = DEFAULT_KEY_LEN;
+ if (ieee802_1x_cak_128bits_aes_cmac(msk->key, wpa_s->own_addr,
+ peer_addr, cak->key)) {
+ wpa_printf(MSG_ERROR,
+ "IEEE 802.1X: Deriving CAK failed");
+ goto fail;
+ }
+ wpa_hexdump_key(MSG_DEBUG, "Derived CAK", cak->key, cak->len);
+
+ /* Derive CKN from MSK */
+ ckn->len = DEFAULT_CKN_LEN;
+ if (ieee802_1x_ckn_128bits_aes_cmac(msk->key, wpa_s->own_addr,
+ peer_addr, sid, sid_len,
+ ckn->name)) {
+ wpa_printf(MSG_ERROR,
+ "IEEE 802.1X: Deriving CKN failed");
+ goto fail;
+ }
+ wpa_hexdump(MSG_DEBUG, "Derived CKN", ckn->name, ckn->len);
+
+ res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0,
+ EAP_EXCHANGE, FALSE);
+
+fail:
+ if (msk) {
+ os_memset(msk, 0, sizeof(*msk));
+ os_free(msk);
+ }
+ os_free(sid);
+ os_free(ckn);
+ if (cak) {
+ os_memset(cak, 0, sizeof(*cak));
+ os_free(cak);
+ }
+
+ return res;
+}
diff --git a/wpa_supplicant/wpas_kay.h b/wpa_supplicant/wpas_kay.h
new file mode 100644
index 0000000..b7236d0
--- /dev/null
+++ b/wpa_supplicant/wpas_kay.h
@@ -0,0 +1,41 @@
+/*
+ * IEEE 802.1X-2010 KaY Interface
+ * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#ifndef WPAS_KAY_H
+#define WPAS_KAY_H
+
+#ifdef CONFIG_MACSEC
+
+int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s,
+ struct wpa_ssid *ssid);
+void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
+ const u8 *peer_addr);
+void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s);
+
+#else /* CONFIG_MACSEC */
+
+static inline int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s,
+ struct wpa_ssid *ssid)
+{
+ return 0;
+}
+
+static inline void *
+ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s,
+ const u8 *peer_addr)
+{
+ return NULL;
+}
+
+static inline void ieee802_1x_dealloc_kay_sm(struct wpa_supplicant *wpa_s)
+{
+}
+
+#endif /* CONFIG_MACSEC */
+
+#endif /* WPAS_KAY_H */