mka: New MI should only be generated when peer's key is invalid

Message ID 1546906703-8529-1-git-send-email-msiedzik@extremenetworks.com
State Changes Requested

Commit Message

Michael Siedzik Jan. 8, 2019, 12:18 a.m. UTC
From: Mike Siedzik <msiedzik@extremenetworks.com>

Two recent changes to MKA create a situation where a new MI is generated
every time a SAK Use parameter set is decoded.  The first change moved
invalid key detection from ieee802_1x_decode_basic_body() to
ieee802_1x_kay_decode_mpkdu():

  https://w1.fi/cgit/hostap/commit/?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04

The second change forces the KaY to generate a new MI when an invalid
key is detected:

  https://w1.fi/cgit/hostap/commit/?id=a8aeaf41df95ac6f979eb9014d0e2d17c46c671e

The fix is to move generation of a new MI from the old invalid key detection
location to the new location.
---
 src/pae/ieee802_1x_kay.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--
1.8.3.1

Comments

Jouni Malinen Jan. 7, 2019, 10:39 p.m. UTC | #1
On Mon, Jan 07, 2019 at 07:18:23PM -0500, msiedzik@extremenetworks.com wrote:
> From: Mike Siedzik <msiedzik@extremenetworks.com>
> 
> Two recent changes to MKA create a situation where a new MI is generated
> every time a SAK Use parameter set is decoded.  The first change moved
> invalid key detection from ieee802_1x_decode_basic_body() to
> ieee802_1x_kay_decode_mpkdu():
> 
>   https://w1.fi/cgit/hostap/commit/?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04
> 
> The second change forces the KaY to generate a new MI when an invalid
> key is detected:
> 
>   https://w1.fi/cgit/hostap/commit/?id=a8aeaf41df95ac6f979eb9014d0e2d17c46c671e
> 
> The fix is to move generation of a new MI from the old invalid key detection
> location to the new location.
> ---

Thanks! Could you please send this again with the Signed-off-by: line
added at the end of the commit message as described in the CONTRIBUTIONS
file so that I can apply this?
Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index c9948b7..b4455c8 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1422,12 +1422,6 @@  ieee802_1x_mka_decode_sak_use_body(
                }
                if (!found) {
                        wpa_printf(MSG_INFO, "KaY: Latest key is invalid");
-                       if (!reset_participant_mi(participant))
-                               wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
-                       else
-                               wpa_printf(MSG_DEBUG,
-                                          "KaY: Selected a new random MI: %s",
-                                          mi_txt(participant->mi));
                        return -1;
                }
                if (os_memcmp(participant->lki.mi, body->lsrv_mi,
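Review bot: the removal here is in ieee802_1x_mka_decode_sak_use_body(), but the commit message names ieee802_1x_decode_basic_body() as the old invalid-key detection location; the message should name the function this hunk actually touches. After the removal, the !found branch returns -1 with only the "KaY: Latest key is invalid" log, so the caller cannot tell this case from any other -1 return of the decoder. A short comment at the return saying that the MI reset is now done by the caller would make the dependency explicit.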
@@ -3289,6 +3283,12 @@  static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                wpa_printf(MSG_INFO,
                           "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
                           MKA_SAK_USE);
+               if (!reset_participant_mi(participant))
+                       wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
+               else
+                       wpa_printf(MSG_DEBUG,
+                                  "KaY: Selected a new random MI: %s",
+                                  mi_txt(participant->mi));
                return -1;
        }
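Review bot: the reset_participant_mi() call added to the MKA_SAK_USE failure branch of ieee802_1x_kay_decode_mkpdu() runs under whatever condition guards that branch, and that condition is not visible in this hunk. The subject line says a new MI should only be generated when the peer's key is invalid, while the log line here reads "decode of parameter set type (%d) failed", which covers any failure of the SAK Use decoder. Please confirm that this branch is reached only in the invalid-key case, or have the decoder report that case with a distinct return value so the MI is not regenerated on unrelated decode errors. Minor: "KaY: Could not update mi" could say "MI" to match the message that follows it.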