wlan-ap-Telecominfraproject/feeds/wifi-ax/hostapd/patches/k00-001-hostapd-macsec-support-gcmaes256-cipher-suite-when-participant-act-as-key-server.patch

From cd028d950808096de588d99ef5a082a33d4965db Mon Sep 17 00:00:00 2001
From: leiwei <leiwei@codeaurora.org>
Date: Fri, 23 Apr 2021 19:54:24 +0800
Subject: [PATCH] hostap:Support GCM-AES-256 cipher suite select when
 participant act as key server

Signed-off-by: leiwei <leiwei@codeaurora.org>
---
 hostapd/config_file.c        | 10 ++++++++++
 src/ap/ap_config.h           |  7 +++++++
 src/ap/wpa_auth_kay.c        |  3 ++-
 src/pae/ieee802_1x_cp.c      |  6 +++---
 src/pae/ieee802_1x_kay.c     | 13 ++++++++++---
 src/pae/ieee802_1x_kay.h     |  2 +-
 wpa_supplicant/config.c      |  1 +
 wpa_supplicant/config_ssid.h |  7 +++++++
 wpa_supplicant/wpas_kay.c    |  4 ++--
 9 files changed, 43 insertions(+), 10 deletions(-)

--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4554,6 +4554,16 @@ static int hostapd_config_fill(struct ho
 			return 1;
 		}
 		bss->mka_priority = mka_priority;
+	} else if (os_strcmp(buf, "macsec_csindex") == 0) {
+		int macsec_csindex = atoi(pos);
+
+		if (macsec_csindex < 0 || macsec_csindex > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_csindex (%d): '%s'.",
+				   line, macsec_csindex, pos);
+			return 1;
+		}
+		bss->macsec_csindex = macsec_csindex;
 	} else if (os_strcmp(buf, "mka_cak") == 0) {
 		size_t len = os_strlen(pos);
 
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -859,6 +859,13 @@ struct hostapd_bss_config {
 	int mka_priority;
 
 	/**
+	 * macsec_csindex - chipher suite index of macsec
+	 *
+	 * Range: 0-1 (default: 0)
+	 */
+	int macsec_csindex;
+
+	/**
 	 * mka_ckn - MKA pre-shared CKN
 	 */
 #define MACSEC_CKN_MAX_LEN 32
--- a/src/ap/wpa_auth_kay.c
+++ b/src/ap/wpa_auth_kay.c
@@ -329,7 +329,8 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
 				  hapd->conf->macsec_replay_protect,
 				  hapd->conf->macsec_replay_window,
 				  hapd->conf->macsec_port,
-				  hapd->conf->mka_priority, hapd->conf->iface,
+				  hapd->conf->mka_priority,
+				  hapd->conf->macsec_csindex, hapd->conf->iface,
 				  hapd->own_addr);
 	/* ieee802_1x_kay_init() frees kay_ctx on failure */
 	if (!res)
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -20,7 +20,7 @@
 #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
 #define STATE_MACHINE_DEBUG_PREFIX "CP"
 
-static u64 default_cs_id = CS_ID_GCM_AES_128;
+static u64 cs_id[]={CS_ID_GCM_AES_128, CS_ID_GCM_AES_256};
 
 /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
 enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
@@ -473,8 +473,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
 	sm->orx = false;
 	sm->otx = false;
 
-	sm->current_cipher_suite = default_cs_id;
-	sm->cipher_suite = default_cs_id;
+	sm->current_cipher_suite = cs_id[kay->macsec_csindex];
+	sm->cipher_suite = cs_id[kay->macsec_csindex];
 	sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
 	sm->confidentiality_offset = sm->cipher_offset;
 	sm->transmit_delay = MKA_LIFE_TIME;
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -222,7 +222,14 @@ ieee802_1x_mka_dump_dist_sak_body(struct
 	wpa_printf(MSG_DEBUG, "\tKey Number............: %d",
 		   be_to_host32(body->kn));
 	/* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */
-	wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24);
+	if(body_len == 28){
+		wpa_hexdump(MSG_INFO, "\tAES Key Wrap of SAK...:", body->sak, 24);
+	}
+	else{
+		wpa_hexdump(MSG_INFO, "\tMacsec Cipher Suite...:", body->sak, CS_ID_LEN);
+		wpa_hexdump(MSG_INFO, "\tAES Key Wrap of SAK...:", body->sak + CS_ID_LEN,
+							body_len - CS_ID_LEN - sizeof(body->kn));
+	}
 }
 
 
@@ -3456,7 +3463,7 @@ static void kay_l2_receive(void *ctx, co
 struct ieee802_1x_kay *
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		    bool macsec_replay_protect, u32 macsec_replay_window,
-		    u16 port, u8 priority, const char *ifname, const u8 *addr)
+		    u16 port, u8 priority, u32 macsec_csindex, const char *ifname, const u8 *addr)
 {
 	struct ieee802_1x_kay *kay;
 
@@ -3493,7 +3500,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
 	kay->dist_time = 0;
 
 	kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
-	kay->macsec_csindex = DEFAULT_CS_INDEX;
+	kay->macsec_csindex = macsec_csindex;
 	kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
 	kay->mka_version = MKA_VERSION_ID;
 
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -240,7 +240,7 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
 struct ieee802_1x_kay *
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		    bool macsec_replay_protect, u32 macsec_replay_window,
-		    u16 port, u8 priority, const char *ifname, const u8 *addr);
+		    u16 port, u8 priority, u32 macsec_csindex, const char *ifname, const u8 *addr);
 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
 
 struct ieee802_1x_mka_participant *
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2712,6 +2712,7 @@ static const struct parse_data ssid_fiel
 	{ INT(macsec_replay_window) },
 	{ INT_RANGE(macsec_port, 1, 65534) },
 	{ INT_RANGE(mka_priority, 0, 255) },
+	{ INT_RANGE(macsec_csindex, 0, 1) },
 	{ FUNC_KEY(mka_cak) },
 	{ FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -920,6 +920,13 @@ struct wpa_ssid {
 	int mka_priority;
 
 	/**
+	 * macsec_csindex - chipher suite index of macsec
+	 *
+	 * Range: 0-1 (default: 0)
+	 */
+	int macsec_csindex;
+
+	/**
 	 * mka_ckn - MKA pre-shared CKN
 	 */
 #define MACSEC_CKN_MAX_LEN 32
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
 
 	res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
 				  ssid->macsec_replay_window, ssid->macsec_port,
-				  ssid->mka_priority, wpa_s->ifname,
-				  wpa_s->own_addr);
+				  ssid->mka_priority, ssid->macsec_csindex,
+				  wpa_s->ifname, wpa_s->own_addr);
 	/* ieee802_1x_kay_init() frees kay_ctx on failure */
 	if (res == NULL)
 		return -1;