[6/8] mka: Support for AES-256 key generation

Message ID 20181102180220.20948-6-a.s.kartashev@gmail.com
State Accepted
Headers show
Series
  • [1/8] wpa_debug: Support hexdump_ascii outputting into syslog
Related show

Commit Message

Andrey Kartashev Nov. 2, 2018, 6:02 p.m.
From: Andrey Kartashev <andrey.kartashev@afconsult.com>

There is already partial support of GCM-AES-256. It is possible to
enable this mode by setting 'kay->macsec_csindex = 1;' in
ieee802_1x_kay_init() function, but generated key contain only 128 bits
of data while other 128 bits are in 0.
This patch enables KaY to generate full 256bit key from same 128bit CAK.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
---
 src/pae/ieee802_1x_kay.c | 12 ++++++------
 src/pae/ieee802_1x_key.c |  6 ++++--
 src/pae/ieee802_1x_key.h |  2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)

Comments

Jouni Malinen Dec. 26, 2018, 11:20 p.m. | #1
On Fri, Nov 02, 2018 at 07:02:18PM +0100, Andrey Kartashev wrote:
> There is already partial support of GCM-AES-256. It is possible to
> enable this mode by setting 'kay->macsec_csindex = 1;' in
> ieee802_1x_kay_init() function, but generated key contain only 128 bits
> of data while other 128 bits are in 0.
> This patch enables KaY to generate full 256bit key from same 128bit CAK.

This does not correct to me, i.e., I would expect GCM-AES-256 to use
256-bit keys throughout the key hierarchy. In other words, also CAK
would be 256 bits in that case.. Anyway, I did apply this and then added
number of other changes to extend the key derivation functions to
support both key lengths. The PSK case can now configure a 256-bit CAK.
For EAP, an additional configuration parameter might be needed unless
the CAK length is indicated somewhere (did not find it yet based on a
quick search through the standard).

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index a4771b792..3a31bdf93 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2039,12 +2039,12 @@  ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 	ctx_offset += sizeof(participant->mi);
 	os_memcpy(context + ctx_offset, &kay->dist_kn, sizeof(kay->dist_kn));
 
-	if (key_len == 16) {
-		ieee802_1x_sak_128bits_aes_cmac(participant->cak.key,
-						context, ctx_len, key);
-	} else if (key_len == 32) {
-		ieee802_1x_sak_128bits_aes_cmac(participant->cak.key,
-						context, ctx_len, key);
+	if ((key_len == 16)||(key_len == 32)) {
+		if (ieee802_1x_sak_128bits_aes_cmac(participant->cak.key,
+						context, ctx_len, key, key_len)) {
+			wpa_printf(MSG_ERROR, "KaY: Failed to generate SAK");
+			goto fail;
+		}
 	} else {
 		wpa_printf(MSG_ERROR, "KaY: SAK Length not support");
 		goto fail;
diff --git a/src/pae/ieee802_1x_key.c b/src/pae/ieee802_1x_key.c
index 9a8d923d1..3ed9d1645 100644
--- a/src/pae/ieee802_1x_key.c
+++ b/src/pae/ieee802_1x_key.c
@@ -183,7 +183,9 @@  int ieee802_1x_icv_128bits_aes_cmac(const u8 *ick, const u8 *msg,
  * SAK = KDF(Key, Label, KS-nonce | MI-value list | KN, SAKLength)
  */
 int ieee802_1x_sak_128bits_aes_cmac(const u8 *cak, const u8 *ctx,
-				    size_t ctx_bytes, u8 *sak)
+				    size_t ctx_bytes, u8 *sak, size_t sak_bytes)
 {
-	return aes_kdf_128(cak, "IEEE8021 SAK", ctx, ctx_bytes * 8, 128, sak);
+	return aes_kdf_128(cak, "IEEE8021 SAK", ctx, ctx_bytes * 8,
+                                            sak_bytes * 8, sak);
 }
+
diff --git a/src/pae/ieee802_1x_key.h b/src/pae/ieee802_1x_key.h
index ea318ea4d..1be5df07e 100644
--- a/src/pae/ieee802_1x_key.h
+++ b/src/pae/ieee802_1x_key.h
@@ -21,6 +21,6 @@  int ieee802_1x_ick_128bits_aes_cmac(const u8 *cak, const u8 *ckn,
 int ieee802_1x_icv_128bits_aes_cmac(const u8 *ick, const u8 *msg,
 				    size_t msg_bytes, u8 *icv);
 int ieee802_1x_sak_128bits_aes_cmac(const u8 *cak, const u8 *ctx,
-				    size_t ctx_bytes, u8 *sak);
+				    size_t ctx_bytes, u8 *sak, size_t sak_bytes);
 
 #endif /* IEEE802_1X_KEY_H */