Hello, CISCO C3560CX (SW version 15.2(7)E8, SW image C3560CX-UNIVERSALK9-M) requires ICV Indicator to be present even when ICV is 16bytes. Therefore I would like to ask, if it is possible to add config option to always send ICV Indicator. (I've include my patch that adds macsec_icv_indicator config option) Thanks Petr
diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h
--- a/src/ap/ap_config.h 2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/ap_config.h 2024-12-02 10:11:55.470226000 +0100
@@ -906,6 +906,13 @@
 int macsec_csindex;
 
 /**
+ * macsec_icv_indicator - Always include ICV Indicator
+ * (for compatibility with older MACSEC switches)
+ *
+ * Range: 0-1 (default: 0)
+ */
+ int macsec_icv_indicator;
+ /**
 * mka_ckn - MKA pre-shared CKN
 */
 #define MACSEC_CKN_MAX_LEN 32
diff -Naur a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c
--- a/src/ap/wpa_auth_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/src/ap/wpa_auth_kay.c 2024-12-02 10:10:27.603235000 +0100
@@ -331,6 +331,7 @@
 hapd->conf->macsec_port,
 hapd->conf->mka_priority,
 hapd->conf->macsec_csindex,
+ hapd->conf->macsec_icv_indicator,
 hapd->conf->iface,
 hapd->own_addr);
 /* ieee802_1x_kay_init() frees kay_ctx on failure */
diff -Naur a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
--- a/src/pae/ieee802_1x_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.c 2024-12-02 10:08:38.580487000 +0100
@@ -1871,7 +1871,7 @@
 
 /* Determine if we need space for the ICV Indicator */
 if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
- DEFAULT_ICV_LEN)
+ DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)
 length = sizeof(struct ieee802_1x_mka_icv_body);
 else
 length = 0;
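Review bot: The new field is not separated from the following `mka_ckn` doc comment: this hunk adds seven lines (`+906,13`) and ends with `+ int macsec_icv_indicator;` immediately followed by `+ /**`, whereas the otherwise identical config_ssid.h hunk adds eight (`+964,14`) with a blank `+` line in between, so the hostapd struct loses the blank line the surrounding fields keep. The doc wording is also misleading given the cover mail, where the peer that requires the indicator is a Cisco switch on a current IOS release, so `(for compatibility with older MACSEC switches)` points the reader the wrong way and uses a non-standard spelling. I would write ` * macsec_icv_indicator - Always include the MKA ICV Indicator` / ` * (interoperability with peers that require the ICV Indicator even for the` / ` * default 16-octet ICV)` here and in config_ssid.h. The enclosing struct definition starts before this hunk.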
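Review bot: On the hostapd side nothing can set the new option: this hunk passes `hapd->conf->macsec_icv_indicator` to ieee802_1x_kay_init(), but no hunk in the patch adds a parser entry for `macsec_icv_indicator` to hostapd's configuration file reader, while wpa_supplicant gets both the config.c and config_file.c entries. Unless hostapd's parser is updated elsewhere, the field presumably stays at its zeroed default and the ICV Indicator is never forced for an AP-side KaY. A `macsec_icv_indicator` branch next to the existing `macsec_csindex` handling in hostapd's config file reader, with the same 0..1 range check wpa_supplicant's INT_RANGE applies, would close the gap. The ieee802_1x_kay_init() call this argument list belongs to starts before the hunk.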
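Review bot: The same three-term predicate is now spelled out twice, here in the length computation and again in the encoder hunk at old line 1894, and the length computed here is presumably what sizes the buffer the encoder later writes the ICV Indicator into, so if the two copies ever drift apart the encoder either overruns the allocation or advertises an ICV Indicator it did not reserve space for. I would factor the decision into one predicate and call it from both places, replacing `if (mka_alg_tbl[participant->kay->mka_algindex].icv_len != DEFAULT_ICV_LEN || participant->kay->include_icv_indicator)` with `if (ieee802_1x_mka_need_icv_indicator(participant))` in both hunks. The comment on the helper also records the rule the old code only implied: the indicator was emitted solely when the ICV is not the default 16 octets, and the new flag forces it for peers that expect it regardless. ieee802_1x_mka_get_icv_length() begins before this hunk.
```c
/* The ICV Indicator parameter set was only emitted when the ICV is not the
 * default 16-octet length; include_icv_indicator forces it for peers that
 * expect it regardless. The length computation and the encoder must agree,
 * so both consult this single predicate. */
static bool
ieee802_1x_mka_need_icv_indicator(
	struct ieee802_1x_mka_participant *participant)
{
	return mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
		DEFAULT_ICV_LEN || participant->kay->include_icv_indicator;
}

/* … unchanged: start of ieee802_1x_mka_get_icv_length() … */
	/* Determine if we need space for the ICV Indicator */
	if (ieee802_1x_mka_need_icv_indicator(participant))
		length = sizeof(struct ieee802_1x_mka_icv_body);
	else
		length = 0;
```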
@@ -1894,7 +1894,7 @@
 length = ieee802_1x_mka_get_icv_length(participant);
 
 if (mka_alg_tbl[participant->kay->mka_algindex].icv_len !=
- DEFAULT_ICV_LEN) {
+ DEFAULT_ICV_LEN || participant->kay->include_icv_indicator) {
 wpa_printf(MSG_DEBUG, "KaY: ICV Indicator");
 body = wpabuf_put(buf, MKA_HDR_LEN);
 body->type = MKA_ICV_INDICATOR;
@@ -3495,7 +3495,8 @@
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 bool macsec_replay_protect, u32 macsec_replay_window,
 u8 macsec_offload, u16 port, u8 priority,
- u32 macsec_csindex, const char *ifname, const u8 *addr)
+ u32 macsec_csindex, bool include_icv_indicator,
+ const char *ifname, const u8 *addr)
 {
 struct ieee802_1x_kay *kay;
 
@@ -3533,6 +3534,7 @@
 
 kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
 kay->macsec_csindex = macsec_csindex;
+ kay->include_icv_indicator = include_icv_indicator;
 kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
 kay->mka_version = MKA_VERSION_ID;
 
diff -Naur a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
--- a/src/pae/ieee802_1x_kay.h 2024-07-20 20:04:37.000000000 +0200
+++ b/src/pae/ieee802_1x_kay.h 2024-12-02 10:07:47.261076000 +0100
@@ -206,6 +206,7 @@
 struct ieee802_1x_kay_ctx *ctx;
 bool is_key_server;
 bool is_obliged_key_server;
+ bool include_icv_indicator; /* Always include ICV Indicator */
 char if_name[IFNAMSIZ];
 u8 macsec_offload;
 
@@ -243,7 +244,8 @@
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 bool macsec_replay_protect, u32 macsec_replay_window,
 u8 macsec_offload, u16 port, u8 priority,
- u32 macsec_csindex, const char *ifname, const u8 *addr);
+ u32 macsec_csindex, bool include_icv_indicator,
+ const char *ifname, const u8 *addr);
 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
 
 struct ieee802_1x_mka_participant *
diff -Naur a/wpa_supplicant/config.c b/wpa_supplicant/config.c
--- a/wpa_supplicant/config.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config.c 2024-12-02 09:55:39.717430000 +0100
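Review bot: The trailing comment on the new field, `/* Always include ICV Indicator */`, restates the field name without saying what it changes or why, which matters because this flag is what the encoder in ieee802_1x_kay.c consults when deciding whether to emit the parameter set. I would make the effect explicit: `bool include_icv_indicator; /* emit the ICV Indicator parameter set even for the default 16-octet ICV (peer interop) */`. The struct ieee802_1x_kay definition starts before this hunk.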
@@ -2721,6 +2721,7 @@
 { INT_RANGE(macsec_port, 1, 65534) },
 { INT_RANGE(mka_priority, 0, 255) },
 { INT_RANGE(macsec_csindex, 0, 1) },
+ { INT_RANGE(macsec_icv_indicator, 0, 1) },
 { FUNC_KEY(mka_cak) },
 { FUNC_KEY(mka_ckn) },
 #endif /* CONFIG_MACSEC */
diff -Naur a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
--- a/wpa_supplicant/config_file.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_file.c 2024-12-02 09:55:28.949554000 +0100
@@ -818,6 +818,7 @@
 INT(macsec_port);
 INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
 INT(macsec_csindex);
+ INT(macsec_icv_indicator);
 #endif /* CONFIG_MACSEC */
 #ifdef CONFIG_HS20
 INT(update_identifier);
diff -Naur a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
--- a/wpa_supplicant/config_ssid.h 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/config_ssid.h 2024-12-02 10:07:54.668991000 +0100
@@ -964,6 +964,14 @@
 int macsec_csindex;
 
 /**
+ * macsec_icv_indicator - Always include ICV Indicator
+ * (for compatibility with older MACSEC switches)
+ *
+ * Range: 0-1 (default: 0)
+ */
+ int macsec_icv_indicator;
+
+ /**
 * mka_ckn - MKA pre-shared CKN
 */
 #define MACSEC_CKN_MAX_LEN 32
diff -Naur a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
--- a/wpa_supplicant/wpas_kay.c 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpas_kay.c 2024-12-02 09:57:59.939820000 +0100
@@ -249,7 +249,7 @@
 ssid->macsec_replay_window,
 ssid->macsec_offload, ssid->macsec_port,
 ssid->mka_priority, ssid->macsec_csindex,
- wpa_s->ifname, wpa_s->own_addr);
+ ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);
 /* ieee802_1x_kay_init() frees kay_ctx on failure */
 if (res == NULL)
 return -1;
diff -Naur a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
--- a/wpa_supplicant/wpa_supplicant.conf 2024-07-20 20:04:37.000000000 +0200
+++ b/wpa_supplicant/wpa_supplicant.conf 2024-12-02 10:14:35.752386000 +0100
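Review bot: The rewritten argument line `ssid->macsec_icv_indicator, wpa_s->ifname, wpa_s->own_addr);` carries 60 characters of content on its own; with the continuation indentation the surrounding argument lines use (lost in this rendering) it looks like it runs past the 80-column width hostap keeps, and it packs three arguments onto a line where the lines above carry at most two. I would keep the new argument on the line it replaces and reflow the tail: `ssid->macsec_icv_indicator, wpa_s->ifname,` / `wpa_s->own_addr);`. The ieee802_1x_kay_init() call this belongs to starts before the hunk.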
@@ -1173,6 +1173,10 @@
 # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
 # default priority
 #
+# macsec_icv_indicator: always include ICV indicator
+# 0 = ICV Indicator is not included when ICV has default length (default)
+# 1 = ICV Indicator is always included (compatibility mode)
+#
 # mixed_cell: This option can be used to configure whether so called mixed
 # cells, i.e., networks that use both plaintext and encryption in the same
 # SSID, are allowed when selecting a BSS from scan results.
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap