mka: Allow CAK length 32 (256-bit) to be initialized

The CAK length is not hardcoded in the algorithm agility parameter, so
remove that from the table. Instead, allow both 16 (128-bit) and 32
(256-bit) CAK to be used so that the following key derivations use
appropriate key lengths based on the configured/derived CAK.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2018-12-26 16:28:27 +02:00
parent 73111a63cc
commit 7a29984888
2 changed files with 3 additions and 4 deletions

View file

@ -64,7 +64,6 @@ static struct mka_alg mka_alg_tbl[] = {
{ {
.parameter = MKA_ALGO_AGILITY_2009, .parameter = MKA_ALGO_AGILITY_2009,
.cak_len = DEFAULT_ICV_LEN,
.icv_len = DEFAULT_ICV_LEN, .icv_len = DEFAULT_ICV_LEN,
.cak_trfm = ieee802_1x_cak_128bits_aes_cmac, .cak_trfm = ieee802_1x_cak_128bits_aes_cmac,
@ -3437,8 +3436,9 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
return NULL; return NULL;
} }
if (cak->len != mka_alg_tbl[kay->mka_algindex].cak_len) { if (cak->len != 16 && cak->len != 32) {
wpa_printf(MSG_ERROR, "KaY: CAK length not follow key schema"); wpa_printf(MSG_ERROR, "KaY: Unexpected CAK length %u",
(unsigned int) cak->len);
return NULL; return NULL;
} }
if (ckn->len > MAX_CKN_LEN) { if (ckn->len > MAX_CKN_LEN) {

View file

@ -66,7 +66,6 @@ struct macsec_ciphersuite {
struct mka_alg { struct mka_alg {
u8 parameter[4]; u8 parameter[4];
size_t cak_len;
size_t icv_len; size_t icv_len;
int (*cak_trfm)(const u8 *msk, const u8 *mac1, const u8 *mac2, u8 *cak); int (*cak_trfm)(const u8 *msk, const u8 *mac1, const u8 *mac2, u8 *cak);