path: root/src
diff options
authorJaap Keuter <jaap.keuter@xs4all.nl>2017-04-07 21:39:23 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-29 23:03:30 (GMT)
commit23693c9dac1fde8b669a018708e2ac6ff8d7666b (patch)
tree7626617fed328e714f2fc2f36c0482fe3f4236bc /src
parentcd803b6ccd9d120347246f70293cd25c7cca406e (diff)
mka: Make ICV Indicator dependant on ICV length
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the parameter sets before it. Due to its convenient layout the ICV Indicator 'body part' is used to encode the ICV as well. IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In bullet e) is desribed that the ICV Indicator itself is encoded when the ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note e) states that it will not be encoded unless the Algorithm Agility parameter specifies the use of an ICV that is not 16 octets in length. Therefore the length calculation for the ICV indicator body part must take into account if the ICV Indicator is to be encoded or not. The actual encoder of the ICV body already takes care of the rest. In practice, this change will remove the ICV Indicator parameter set (4 octets before the ICV value itself) since the only defined algorithm agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU validation and decoding rules in 11.11.2 and 11.11.4 require the receipient to handle both cases of ICV Indicator being included or not. Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Diffstat (limited to 'src')
1 files changed, 10 insertions, 5 deletions
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 016260c..a16f3d3 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1803,7 +1803,12 @@ ieee802_1x_mka_get_icv_length(struct ieee802_1x_mka_participant *participant)
int length;
- length = sizeof(struct ieee802_1x_mka_icv_body);
+ /* Determine if we need space for the ICV Indicator */
+ if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
+ length = sizeof(struct ieee802_1x_mka_icv_body);
+ else
+ length = 0;
length += mka_alg_tbl[participant->kay->mka_algindex].icv_len;
return MKA_ALIGN_LENGTH(length);
@@ -1822,11 +1827,13 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
u8 cmac[MAX_ICV_LEN];
length = ieee802_1x_mka_get_icv_length(participant);
- if (length != DEFAULT_ICV_LEN) {
+ if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
body = wpabuf_put(buf, MKA_HDR_LEN);
body->type = MKA_ICV_INDICATOR;
- set_mka_param_body_len(body, length - MKA_HDR_LEN);
+ length -= MKA_HDR_LEN;
+ set_mka_param_body_len(body, length);
if (mka_alg_tbl[participant->kay->mka_algindex].icv_hash(
@@ -1837,8 +1844,6 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
wpa_hexdump(MSG_DEBUG, "KaY: ICV", cmac, length);
- if (length != DEFAULT_ICV_LEN)
- length -= MKA_HDR_LEN;
os_memcpy(wpabuf_put(buf, length), cmac, length);
return 0;