mka: Make ICV Indicator dependant on ICV length

IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.

IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is described that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.

Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.

In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
recipient to handle both cases of ICV Indicator being included or not.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Jaap Keuter 2017-04-07 23:39:23 +02:00 committed by Jouni Malinen
parent cd803b6ccd
commit 23693c9dac

@ -1803,7 +1803,12 @@ ieee802_1x_mka_get_icv_length(struct ieee802_1x_mka_participant *participant)
{
int length;
length = sizeof(struct ieee802_1x_mka_icv_body);
/* Determine if we need space for the ICV Indicator */
if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
DEFAULT_ICV_LEN)
length = sizeof(struct ieee802_1x_mka_icv_body);
else
length = 0;
length += mka_alg_tbl[participant->kay->mka_algindex].icv_len;
return MKA_ALIGN_LENGTH(length);
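Review bot: the test `mka_alg_tbl[participant->kay->mka_algindex].icv_len != DEFAULT_ICV_LEN` in ieee802_1x_mka_get_icv_length() is repeated verbatim in ieee802_1x_mka_encode_icv_body(), and the two must always agree or the reserved length and the bytes actually encoded diverge. Consider a small helper (or a shared local holding icv_len) used by both functions, and initialise `length` to 0 so the `else length = 0;` branch is not needed.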
@ -1822,11 +1827,13 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
u8 cmac[MAX_ICV_LEN];
length = ieee802_1x_mka_get_icv_length(participant);
if (length != DEFAULT_ICV_LEN) {
if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
DEFAULT_ICV_LEN) {
wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
body = wpabuf_put(buf, MKA_HDR_LEN);
body->type = MKA_ICV_INDICATOR;
set_mka_param_body_len(body, length - MKA_HDR_LEN);
length -= MKA_HDR_LEN;
set_mka_param_body_len(body, length);
}
if (mka_alg_tbl[participant->kay->mka_algindex].icv_hash(
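Review bot: in ieee802_1x_mka_encode_icv_body(), `length` starts as the total returned by ieee802_1x_mka_get_icv_length() and only becomes the ICV byte count inside the indicator branch, after `length -= MKA_HDR_LEN;`. The hexdump and copy further down depend on which meaning applies at that point. A separate variable for the ICV byte count would make this explicit and would let the value passed to set_mka_param_body_len() read as what it is.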
@ -1837,8 +1844,6 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
}
wpa_hexdump(MSG_DEBUG, "KaY: ICV", cmac, length);
if (length != DEFAULT_ICV_LEN)
length -= MKA_HDR_LEN;
os_memcpy(wpabuf_put(buf, length), cmac, length);
return 0;
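Review bot: the wpa_hexdump() and os_memcpy() calls still take `length`, which derives from the MKA_ALIGN_LENGTH() result rather than from icv_len. If that macro rounds up, as its name suggests, an algorithm whose icv_len is not already aligned would copy padding bytes out of `cmac[MAX_ICV_LEN]` beyond the computed ICV. Using `mka_alg_tbl[participant->kay->mka_algindex].icv_len` for the dump and the copy, and adding any padding separately, avoids relying on every ICV length being aligned.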