mka: Allow 256-bit CAK to be configured for PSK mode

This allows 256-bit CAK to be used as the root key in the MKA key
hierarchy.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 2fd9e8592cbd8f2a3b34785da554f6ba3690e4a2..7a95ea49e7e08446d6ed369affb0c5dd9742047d 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2002,16 +2002,21 @@ static int wpa_config_parse_mka_cak(const struct parse_data *data,
                                    struct wpa_ssid *ssid, int line,
                                    const char *value)
 {
-       if (hexstr2bin(value, ssid->mka_cak, MACSEC_CAK_LEN) ||
-           value[MACSEC_CAK_LEN * 2] != '\0') {
+       size_t len;
+
+       len = os_strlen(value);
+       if (len > 2 * MACSEC_CAK_MAX_LEN ||
+           (len != 2 * 16 && len != 2 * 32) ||
+           hexstr2bin(value, ssid->mka_cak, len / 2)) {
                wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
                           line, value);
                return -1;
        }
-
+       ssid->mka_cak_len = len / 2;
        ssid->mka_psk_set |= MKA_PSK_SET_CAK;
 
-       wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak, MACSEC_CAK_LEN);
+       wpa_hexdump_key(MSG_MSGDUMP, "MKA-CAK", ssid->mka_cak,
+                       ssid->mka_cak_len);
        return 0;
 }
 
@@ -2053,7 +2058,7 @@ static char * wpa_config_write_mka_cak(const struct parse_data *data,
        if (!(ssid->mka_psk_set & MKA_PSK_SET_CAK))
                return NULL;
 
-       return wpa_config_write_string_hex(ssid->mka_cak, MACSEC_CAK_LEN);
+       return wpa_config_write_string_hex(ssid->mka_cak, ssid->mka_cak_len);
 }
 
 

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 3da3ed47208fb7274cc0c9049b23e1d40f6df7f5..6cf655785625a2257d31efbe692a5bd7fbf05658 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -855,8 +855,9 @@ struct wpa_ssid {
        /**
         * mka_cak - MKA pre-shared CAK
         */
-#define MACSEC_CAK_LEN 16
-       u8 mka_cak[MACSEC_CAK_LEN];
+#define MACSEC_CAK_MAX_LEN 32
+       size_t mka_cak_len;
+       u8 mka_cak[MACSEC_CAK_MAX_LEN];
 
 #define MKA_PSK_SET_CKN BIT(0)
 #define MKA_PSK_SET_CAK BIT(1)

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 58dbf0409798f65769c9cfff4006bd05e4f0b3f3..2bc3fda94667826b683f3a8b4c99b35be36ea750 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1018,9 +1018,10 @@ fast_reauth=1
 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
 # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
 # with lower priority will become the key server and start distributing SAKs.
-# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
-# hex-string (32 hex-digits)
-# mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+# (2..64 hex-digits)
 # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
 # default priority
 #

diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 39ed6774bd2ba955bbeecc1495c206e6002b40ed..707e5bb6d6a4022bd211995375cf199d16717124 100644 (file)
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -419,7 +419,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
        if (wpa_s->kay->policy == DO_NOT_SECURE)
                goto dealloc;
 
-       cak->len = MACSEC_CAK_LEN;
+       cak->len = ssid->mka_cak_len;
        os_memcpy(cak->key, ssid->mka_cak, cak->len);
 
        ckn->len = ssid->mka_ckn_len;