1 /* 2 * IEEE 802.1X-2010 KaY Interface 3 * Copyright (c) 2019, The Linux Foundation 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "pae/ieee802_1x_key.h" 13 #include "pae/ieee802_1x_kay.h" 14 #include "hostapd.h" 15 #include "sta_info.h" 16 #include "wpa_auth_kay.h" 17 #include "ieee802_1x.h" 18 19 20 #define DEFAULT_KEY_LEN 16 21 /* secure Connectivity Association Key Name (CKN) */ 22 #define DEFAULT_CKN_LEN 16 23 24 25 static int hapd_macsec_init(void *priv, struct macsec_init_params *params) 26 { 27 struct hostapd_data *hapd = priv; 28 29 if (!hapd->driver->macsec_init) 30 return -1; 31 return hapd->driver->macsec_init(hapd->drv_priv, params); 32 } 33 34 35 static int hapd_macsec_deinit(void *priv) 36 { 37 struct hostapd_data *hapd = priv; 38 39 if (!hapd->driver->macsec_deinit) 40 return -1; 41 return hapd->driver->macsec_deinit(hapd->drv_priv); 42 } 43 44 45 static int hapd_macsec_get_capability(void *priv, enum macsec_cap *cap) 46 { 47 struct hostapd_data *hapd = priv; 48 49 if (!hapd->driver->macsec_get_capability) 50 return -1; 51 return hapd->driver->macsec_get_capability(hapd->drv_priv, cap); 52 } 53 54 55 static int hapd_enable_protect_frames(void *priv, bool enabled) 56 { 57 struct hostapd_data *hapd = priv; 58 59 if (!hapd->driver->enable_protect_frames) 60 return -1; 61 return hapd->driver->enable_protect_frames(hapd->drv_priv, enabled); 62 } 63 64 65 static int hapd_enable_encrypt(void *priv, bool enabled) 66 { 67 struct hostapd_data *hapd = priv; 68 69 if (!hapd->driver->enable_encrypt) 70 return -1; 71 return hapd->driver->enable_encrypt(hapd->drv_priv, enabled); 72 } 73 74 75 static int hapd_set_replay_protect(void *priv, bool enabled, u32 window) 76 { 77 struct hostapd_data *hapd = priv; 78 79 if (!hapd->driver->set_replay_protect) 80 return -1; 81 return hapd->driver->set_replay_protect(hapd->drv_priv, enabled, 82 window); 83 } 84 85 86 static int hapd_set_current_cipher_suite(void *priv, u64 cs) 87 { 88 struct hostapd_data *hapd = priv; 89 90 if (!hapd->driver->set_current_cipher_suite) 91 return -1; 92 return hapd->driver->set_current_cipher_suite(hapd->drv_priv, cs); 93 } 94 95 96 static int hapd_enable_controlled_port(void *priv, bool enabled) 97 { 98 struct hostapd_data *hapd = priv; 99 100 if (!hapd->driver->enable_controlled_port) 101 return -1; 102 return hapd->driver->enable_controlled_port(hapd->drv_priv, enabled); 103 } 104 105 106 static int hapd_get_receive_lowest_pn(void *priv, struct receive_sa *sa) 107 { 108 struct hostapd_data *hapd = priv; 109 110 if (!hapd->driver->get_receive_lowest_pn) 111 return -1; 112 return hapd->driver->get_receive_lowest_pn(hapd->drv_priv, sa); 113 } 114 115 116 static int hapd_get_transmit_next_pn(void *priv, struct transmit_sa *sa) 117 { 118 struct hostapd_data *hapd = priv; 119 120 if (!hapd->driver->get_transmit_next_pn) 121 return -1; 122 return hapd->driver->get_transmit_next_pn(hapd->drv_priv, sa); 123 } 124 125 126 static int hapd_set_transmit_next_pn(void *priv, struct transmit_sa *sa) 127 { 128 struct hostapd_data *hapd = priv; 129 130 if (!hapd->driver->set_transmit_next_pn) 131 return -1; 132 return hapd->driver->set_transmit_next_pn(hapd->drv_priv, sa); 133 } 134 135 136 static unsigned int conf_offset_val(enum confidentiality_offset co) 137 { 138 switch (co) { 139 case CONFIDENTIALITY_OFFSET_30: 140 return 30; 141 case CONFIDENTIALITY_OFFSET_50: 142 return 50; 143 default: 144 return 0; 145 } 146 } 147 148 149 static int hapd_create_receive_sc(void *priv, struct receive_sc *sc, 150 enum validate_frames vf, 151 enum confidentiality_offset co) 152 { 153 struct hostapd_data *hapd = priv; 154 155 if (!hapd->driver->create_receive_sc) 156 return -1; 157 return hapd->driver->create_receive_sc(hapd->drv_priv, sc, 158 conf_offset_val(co), vf); 159 } 160 161 162 static int hapd_delete_receive_sc(void *priv, struct receive_sc *sc) 163 { 164 struct hostapd_data *hapd = priv; 165 166 if (!hapd->driver->delete_receive_sc) 167 return -1; 168 return hapd->driver->delete_receive_sc(hapd->drv_priv, sc); 169 } 170 171 172 static int hapd_create_receive_sa(void *priv, struct receive_sa *sa) 173 { 174 struct hostapd_data *hapd = priv; 175 176 if (!hapd->driver->create_receive_sa) 177 return -1; 178 return hapd->driver->create_receive_sa(hapd->drv_priv, sa); 179 } 180 181 182 static int hapd_delete_receive_sa(void *priv, struct receive_sa *sa) 183 { 184 struct hostapd_data *hapd = priv; 185 186 if (!hapd->driver->delete_receive_sa) 187 return -1; 188 return hapd->driver->delete_receive_sa(hapd->drv_priv, sa); 189 } 190 191 192 static int hapd_enable_receive_sa(void *priv, struct receive_sa *sa) 193 { 194 struct hostapd_data *hapd = priv; 195 196 if (!hapd->driver->enable_receive_sa) 197 return -1; 198 return hapd->driver->enable_receive_sa(hapd->drv_priv, sa); 199 } 200 201 202 static int hapd_disable_receive_sa(void *priv, struct receive_sa *sa) 203 { 204 struct hostapd_data *hapd = priv; 205 206 if (!hapd->driver->disable_receive_sa) 207 return -1; 208 return hapd->driver->disable_receive_sa(hapd->drv_priv, sa); 209 } 210 211 212 static int 213 hapd_create_transmit_sc(void *priv, struct transmit_sc *sc, 214 enum confidentiality_offset co) 215 { 216 struct hostapd_data *hapd = priv; 217 218 if (!hapd->driver->create_transmit_sc) 219 return -1; 220 return hapd->driver->create_transmit_sc(hapd->drv_priv, sc, 221 conf_offset_val(co)); 222 } 223 224 225 static int hapd_delete_transmit_sc(void *priv, struct transmit_sc *sc) 226 { 227 struct hostapd_data *hapd = priv; 228 229 if (!hapd->driver->delete_transmit_sc) 230 return -1; 231 return hapd->driver->delete_transmit_sc(hapd->drv_priv, sc); 232 } 233 234 235 static int hapd_create_transmit_sa(void *priv, struct transmit_sa *sa) 236 { 237 struct hostapd_data *hapd = priv; 238 239 if (!hapd->driver->create_transmit_sa) 240 return -1; 241 return hapd->driver->create_transmit_sa(hapd->drv_priv, sa); 242 } 243 244 245 static int hapd_delete_transmit_sa(void *priv, struct transmit_sa *sa) 246 { 247 struct hostapd_data *hapd = priv; 248 249 if (!hapd->driver->delete_transmit_sa) 250 return -1; 251 return hapd->driver->delete_transmit_sa(hapd->drv_priv, sa); 252 } 253 254 255 static int hapd_enable_transmit_sa(void *priv, struct transmit_sa *sa) 256 { 257 struct hostapd_data *hapd = priv; 258 259 if (!hapd->driver->enable_transmit_sa) 260 return -1; 261 return hapd->driver->enable_transmit_sa(hapd->drv_priv, sa); 262 } 263 264 265 static int hapd_disable_transmit_sa(void *priv, struct transmit_sa *sa) 266 { 267 struct hostapd_data *hapd = priv; 268 269 if (!hapd->driver->disable_transmit_sa) 270 return -1; 271 return hapd->driver->disable_transmit_sa(hapd->drv_priv, sa); 272 } 273 274 275 int ieee802_1x_alloc_kay_sm_hapd(struct hostapd_data *hapd, 276 struct sta_info *sta) 277 { 278 struct ieee802_1x_kay_ctx *kay_ctx; 279 struct ieee802_1x_kay *res = NULL; 280 enum macsec_policy policy; 281 282 ieee802_1x_dealloc_kay_sm_hapd(hapd); 283 284 if (!hapd->conf || hapd->conf->macsec_policy == 0) 285 return 0; 286 287 if (hapd->conf->macsec_policy == 1) { 288 if (hapd->conf->macsec_integ_only == 1) 289 policy = SHOULD_SECURE; 290 else 291 policy = SHOULD_ENCRYPT; 292 } else { 293 policy = DO_NOT_SECURE; 294 } 295 296 wpa_printf(MSG_DEBUG, "%s: if_name=%s", __func__, hapd->conf->iface); 297 kay_ctx = os_zalloc(sizeof(*kay_ctx)); 298 if (!kay_ctx) 299 return -1; 300 301 kay_ctx->ctx = hapd; 302 303 kay_ctx->macsec_init = hapd_macsec_init; 304 kay_ctx->macsec_deinit = hapd_macsec_deinit; 305 kay_ctx->macsec_get_capability = hapd_macsec_get_capability; 306 kay_ctx->enable_protect_frames = hapd_enable_protect_frames; 307 kay_ctx->enable_encrypt = hapd_enable_encrypt; 308 kay_ctx->set_replay_protect = hapd_set_replay_protect; 309 kay_ctx->set_current_cipher_suite = hapd_set_current_cipher_suite; 310 kay_ctx->enable_controlled_port = hapd_enable_controlled_port; 311 kay_ctx->get_receive_lowest_pn = hapd_get_receive_lowest_pn; 312 kay_ctx->get_transmit_next_pn = hapd_get_transmit_next_pn; 313 kay_ctx->set_transmit_next_pn = hapd_set_transmit_next_pn; 314 kay_ctx->create_receive_sc = hapd_create_receive_sc; 315 kay_ctx->delete_receive_sc = hapd_delete_receive_sc; 316 kay_ctx->create_receive_sa = hapd_create_receive_sa; 317 kay_ctx->delete_receive_sa = hapd_delete_receive_sa; 318 kay_ctx->enable_receive_sa = hapd_enable_receive_sa; 319 kay_ctx->disable_receive_sa = hapd_disable_receive_sa; 320 kay_ctx->create_transmit_sc = hapd_create_transmit_sc; 321 kay_ctx->delete_transmit_sc = hapd_delete_transmit_sc; 322 kay_ctx->create_transmit_sa = hapd_create_transmit_sa; 323 kay_ctx->delete_transmit_sa = hapd_delete_transmit_sa; 324 kay_ctx->enable_transmit_sa = hapd_enable_transmit_sa; 325 kay_ctx->disable_transmit_sa = hapd_disable_transmit_sa; 326 327 res = ieee802_1x_kay_init(kay_ctx, policy, 328 hapd->conf->macsec_replay_protect, 329 hapd->conf->macsec_replay_window, 330 hapd->conf->macsec_offload, 331 hapd->conf->macsec_port, 332 hapd->conf->mka_priority, 333 hapd->conf->macsec_csindex, 334 hapd->conf->iface, 335 hapd->own_addr); 336 /* ieee802_1x_kay_init() frees kay_ctx on failure */ 337 if (!res) 338 return -1; 339 340 hapd->kay = res; 341 342 return 0; 343 } 344 345 346 void ieee802_1x_dealloc_kay_sm_hapd(struct hostapd_data *hapd) 347 { 348 if (!hapd->kay) 349 return; 350 351 ieee802_1x_kay_deinit(hapd->kay); 352 hapd->kay = NULL; 353 } 354 355 356 static int ieee802_1x_auth_get_msk(struct hostapd_data *hapd, 357 struct sta_info *sta, u8 *msk, size_t *len) 358 { 359 const u8 *key; 360 size_t keylen; 361 362 if (!sta->eapol_sm) 363 return -1; 364 365 key = ieee802_1x_get_key(sta->eapol_sm, &keylen); 366 if (key == NULL) { 367 wpa_printf(MSG_DEBUG, 368 "MACsec: Failed to get MSK from EAPOL state machines"); 369 return -1; 370 } 371 wpa_printf(MSG_DEBUG, "MACsec: Successfully fetched key (len=%lu)", 372 (unsigned long) keylen); 373 wpa_hexdump_key(MSG_DEBUG, "MSK: ", key, keylen); 374 375 if (keylen > *len) 376 keylen = *len; 377 os_memcpy(msk, key, keylen); 378 *len = keylen; 379 380 return 0; 381 } 382 383 384 void * ieee802_1x_notify_create_actor_hapd(struct hostapd_data *hapd, 385 struct sta_info *sta) 386 { 387 const u8 *sid; 388 size_t sid_len; 389 struct mka_key_name *ckn; 390 struct mka_key *cak; 391 struct mka_key *msk; 392 void *res = NULL; 393 394 if (!hapd->kay || hapd->kay->policy == DO_NOT_SECURE) 395 return NULL; 396 397 wpa_printf(MSG_DEBUG, 398 "IEEE 802.1X: External notification - Create MKA for " 399 MACSTR, MAC2STR(sta->addr)); 400 401 msk = os_zalloc(sizeof(*msk)); 402 ckn = os_zalloc(sizeof(*ckn)); 403 cak = os_zalloc(sizeof(*cak)); 404 if (!msk || !ckn || !cak) 405 goto fail; 406 407 msk->len = DEFAULT_KEY_LEN; 408 if (ieee802_1x_auth_get_msk(hapd, sta, msk->key, &msk->len)) { 409 wpa_printf(MSG_ERROR, "IEEE 802.1X: Could not get MSK"); 410 goto fail; 411 } 412 413 sid = ieee802_1x_get_session_id(sta->eapol_sm, &sid_len); 414 if (!sid) { 415 wpa_printf(MSG_ERROR, 416 "IEEE 802.1X: Could not get EAP Session Id"); 417 goto fail; 418 } 419 420 wpa_hexdump(MSG_DEBUG, "own_addr", hapd->own_addr, ETH_ALEN); 421 wpa_hexdump(MSG_DEBUG, "sta_addr", sta->addr, ETH_ALEN); 422 423 /* Derive CAK from MSK */ 424 cak->len = DEFAULT_KEY_LEN; 425 if (ieee802_1x_cak_aes_cmac(msk->key, msk->len, hapd->own_addr, 426 sta->addr, cak->key, cak->len)) { 427 wpa_printf(MSG_ERROR, "IEEE 802.1X: Deriving CAK failed"); 428 goto fail; 429 } 430 wpa_hexdump_key(MSG_DEBUG, "Derived CAK", cak->key, cak->len); 431 432 /* Derive CKN from MSK */ 433 ckn->len = DEFAULT_CKN_LEN; 434 if (ieee802_1x_ckn_aes_cmac(msk->key, msk->len, hapd->own_addr, 435 sta->addr, sid, sid_len, ckn->name)) { 436 wpa_printf(MSG_ERROR, "IEEE 802.1X: Deriving CKN failed"); 437 goto fail; 438 } 439 wpa_hexdump(MSG_DEBUG, "Derived CKN", ckn->name, ckn->len); 440 441 res = ieee802_1x_kay_create_mka(hapd->kay, ckn, cak, 0, EAP_EXCHANGE, 442 true); 443 444 fail: 445 bin_clear_free(msk, sizeof(*msk)); 446 os_free(ckn); 447 bin_clear_free(cak, sizeof(*cak)); 448 449 return res; 450 } 451 452 453 void * ieee802_1x_create_preshared_mka_hapd(struct hostapd_data *hapd, 454 struct sta_info *sta) 455 { 456 struct mka_key *cak; 457 struct mka_key_name *ckn; 458 void *res = NULL; 459 460 if ((hapd->conf->mka_psk_set & MKA_PSK_SET) != MKA_PSK_SET) 461 goto end; 462 463 ckn = os_zalloc(sizeof(*ckn)); 464 if (!ckn) 465 goto end; 466 467 cak = os_zalloc(sizeof(*cak)); 468 if (!cak) 469 goto free_ckn; 470 471 if (ieee802_1x_alloc_kay_sm_hapd(hapd, sta) < 0 || !hapd->kay) 472 goto free_cak; 473 474 if (hapd->kay->policy == DO_NOT_SECURE) 475 goto dealloc; 476 477 cak->len = hapd->conf->mka_cak_len; 478 os_memcpy(cak->key, hapd->conf->mka_cak, cak->len); 479 480 ckn->len = hapd->conf->mka_ckn_len;; 481 os_memcpy(ckn->name, hapd->conf->mka_ckn, ckn->len); 482 483 res = ieee802_1x_kay_create_mka(hapd->kay, ckn, cak, 0, PSK, true); 484 if (res) 485 goto free_cak; 486 487 dealloc: 488 /* Failed to create MKA */ 489 ieee802_1x_dealloc_kay_sm_hapd(hapd); 490 free_cak: 491 os_free(cak); 492 free_ckn: 493 os_free(ckn); 494 end: 495 return res; 496 } 497