mka: ICV calculation using 256-bit ICK
Add support for using AES-CMAC with 256-bit key (ICK) to calculate ICV. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
7c3d1cc040
commit
b452a76e54
|
|
@ -74,7 +74,7 @@ static struct mka_alg mka_alg_tbl[] = {
|
|||
.ckn_trfm = ieee802_1x_ckn_128bits_aes_cmac,
|
||||
.kek_trfm = ieee802_1x_kek_aes_cmac,
|
||||
.ick_trfm = ieee802_1x_ick_aes_cmac,
|
||||
.icv_hash = ieee802_1x_icv_128bits_aes_cmac,
|
||||
.icv_hash = ieee802_1x_icv_aes_cmac,
|
||||
|
||||
.index = 1,
|
||||
},
|
||||
|
|
@ -1782,8 +1782,9 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant,
|
|||
}
|
||||
|
||||
if (mka_alg_tbl[participant->kay->mka_algindex].icv_hash(
|
||||
participant->ick.key, wpabuf_head(buf), buf->used, cmac)) {
|
||||
wpa_printf(MSG_ERROR, "KaY, omac1_aes_128 failed");
|
||||
participant->ick.key, participant->ick.len,
|
||||
wpabuf_head(buf), wpabuf_len(buf), cmac)) {
|
||||
wpa_printf(MSG_ERROR, "KaY: failed to calculate ICV");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -3029,9 +3030,9 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
|||
* packet body length.
|
||||
*/
|
||||
if (mka_alg_tbl[kay->mka_algindex].icv_hash(
|
||||
participant->ick.key,
|
||||
participant->ick.key, participant->ick.len,
|
||||
buf, len - mka_alg_tbl[kay->mka_algindex].icv_len, icv)) {
|
||||
wpa_printf(MSG_ERROR, "KaY: omac1_aes_128 failed");
|
||||
wpa_printf(MSG_ERROR, "KaY: failed to calculate ICV");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -80,7 +80,8 @@ struct mka_alg {
|
|||
int (*ick_trfm)(const u8 *cak, size_t cak_bytes,
|
||||
const u8 *ckn, size_t ckn_len,
|
||||
u8 *ick, size_t ick_bytes);
|
||||
int (*icv_hash)(const u8 *ick, const u8 *msg, size_t msg_len, u8 *icv);
|
||||
int (*icv_hash)(const u8 *ick, size_t ick_bytes,
|
||||
const u8 *msg, size_t msg_len, u8 *icv);
|
||||
|
||||
int index; /* index for configuring */
|
||||
};
|
||||
|
|
|
|||
|
|
@ -172,16 +172,25 @@ int ieee802_1x_ick_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ckn,
|
|||
|
||||
|
||||
/**
|
||||
* ieee802_1x_icv_128bits_aes_cmac
|
||||
* ieee802_1x_icv_aes_cmac
|
||||
*
|
||||
* IEEE Std 802.1X-2010, 9.4.1
|
||||
* ICV = AES-CMAC(ICK, M, 128)
|
||||
*/
|
||||
int ieee802_1x_icv_128bits_aes_cmac(const u8 *ick, const u8 *msg,
|
||||
size_t msg_bytes, u8 *icv)
|
||||
int ieee802_1x_icv_aes_cmac(const u8 *ick, size_t ick_bytes, const u8 *msg,
|
||||
size_t msg_bytes, u8 *icv)
|
||||
{
|
||||
if (omac1_aes_128(ick, msg, msg_bytes, icv)) {
|
||||
wpa_printf(MSG_ERROR, "MKA: omac1_aes_128 failed");
|
||||
int res;
|
||||
|
||||
if (ick_bytes == 16)
|
||||
res = omac1_aes_128(ick, msg, msg_bytes, icv);
|
||||
else if (ick_bytes == 32)
|
||||
res = omac1_aes_256(ick, msg, msg_bytes, icv);
|
||||
else
|
||||
return -1;
|
||||
if (res) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"MKA: AES-CMAC failed for ICV calculation");
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -18,8 +18,8 @@ int ieee802_1x_kek_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ckn,
|
|||
size_t ckn_bytes, u8 *kek, size_t kek_bytes);
|
||||
int ieee802_1x_ick_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ckn,
|
||||
size_t ckn_bytes, u8 *ick, size_t ick_bytes);
|
||||
int ieee802_1x_icv_128bits_aes_cmac(const u8 *ick, const u8 *msg,
|
||||
size_t msg_bytes, u8 *icv);
|
||||
int ieee802_1x_icv_aes_cmac(const u8 *ick, size_t ick_bytes, const u8 *msg,
|
||||
size_t msg_bytes, u8 *icv);
|
||||
int ieee802_1x_sak_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ctx,
|
||||
size_t ctx_bytes, u8 *sak, size_t sak_bytes);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue