authorDamien Bergamini <damien@cvs.openbsd.org>2008-09-27 15:16:10 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2008-09-27 15:16:10 +0000
commitb065efd30adfe94123c1b52f0767f407ce44033b (patch)
tree03b134eef33bed19b360c566708dc791c3141240 /sys/net80211/ieee80211_pae_output.c
parent5f302c06db0af70022a22dff119bab0838242f86 (diff)
Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X). Add ieee80211_needs_auth() function (not implemented yet) to notify the userland 802.1X PACP machine when an 802.1X port becomes enabled (that is after successful 802.11 Open System authentication). Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the PACP state machine can kick the 802.11 key state machine and install PMKs obtained from 802.1X (pre-)authentication. Enable SHA-256 based AKMPs by default while I'm here (TGw). This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC for data integrity, and AES Key Wrap for data protection of EAPOL-Key frames. An OpenBSD AP will always advertise this capability and an OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based ones if both are supported by an AP.
Diffstat (limited to 'sys/net80211/ieee80211_pae_output.c')
-rw-r--r--sys/net80211/ieee80211_pae_output.c14
1 files changed, 5 insertions, 9 deletions
diff --git a/sys/net80211/ieee80211_pae_output.c b/sys/net80211/ieee80211_pae_output.c
index cf5f4af2614..b6f27393d5b 100644
--- a/sys/net80211/ieee80211_pae_output.c
+++ b/sys/net80211/ieee80211_pae_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_pae_output.c,v 1.13 2008/08/27 09:05:04 damien Exp $ */
+/* $OpenBSD: ieee80211_pae_output.c,v 1.14 2008/09/27 15:16:09 damien Exp $ */
/*-
* Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -91,8 +91,7 @@ ieee80211_send_eapol_key(struct ieee80211com *ic, struct mbuf *m,
info = BE_READ_2(key->info);
/* use V3 descriptor if KDF is SHA256-based */
- if (ni->ni_rsnakms == IEEE80211_AKM_SHA256_8021X ||
- ni->ni_rsnakms == IEEE80211_AKM_SHA256_PSK)
+ if (ieee80211_is_sha256_akm(ni->ni_rsnakms))
info |= EAPOL_KEY_DESC_V3;
/* use V2 descriptor if pairwise or group cipher is CCMP */
else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP ||
@@ -296,13 +295,10 @@ ieee80211_send_4way_msg1(struct ieee80211com *ic, struct ieee80211_node *ni)
BE_WRITE_2(key->keylen, keylen);
frm = (u_int8_t *)&key[1];
- /* WPA does not have PMKID KDE */
+ /* NB: WPA does not have PMKID KDE */
if (ni->ni_rsnprotos == IEEE80211_PROTO_RSN &&
- (ni->ni_rsnakms == IEEE80211_AKM_8021X ||
- ni->ni_rsnakms == IEEE80211_AKM_SHA256_8021X)) {
- /* XXX retrieve PMKID from the PMKSA cache */
- /* frm = ieee80211_add_pmkid_kde(frm, pmkid); */
- }
+ ieee80211_is_8021x_akm(ni->ni_rsnakms))
+ frm = ieee80211_add_pmkid_kde(frm, ni->ni_pmkid);
m->m_pkthdr.len = m->m_len = frm - (u_int8_t *)key;
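Review bot: `frm = ieee80211_add_pmkid_kde(frm, ni->ni_pmkid);` appends the node's cached PMKID for every 802.1X AKM, but nothing in this hunk shows that `ni->ni_pmkid` holds a valid value when message 1 is built; if the handshake can be kicked off via SIOCS80211KEYRUN before a PMK has been installed through SIOCS80211KEYAVAIL, a zero-filled PMKID would go on the wire and the supplicant's PMKSA lookup would fail rather than fall back cleanly. A short note at the call site such as `/* ni_pmkid is filled in when the PMK is installed; msg1 must not be sent before that */` would record the assumption, or the condition could additionally require that a PMK is known for the node. The mbuf obtained earlier in ieee80211_send_4way_msg1 must also have been sized to hold the PMKID KDE; that allocation is outside the hunk and the removed XXX comment suggests the KDE was previously only planned, so this is worth confirming. ieee80211_send_4way_msg1 begins and ends outside this hunk.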