Message ID | 1546906703-8529-1-git-send-email-msiedzik@extremenetworks.com |
---|---|
State | Changes Requested |
Series | mka: New MI should only be generated when peer's key is invalid |
On Mon, Jan 07, 2019 at 07:18:23PM -0500, msiedzik@extremenetworks.com wrote:
> From: Mike Siedzik <msiedzik@extremenetworks.com>
>
> Two recent changes to MKA create a situation where a new MI is generated
> every time a SAK Use parameter set is decoded. The first change moved
> invalid key detection from ieee802_1x_decode_basic_body() to
> ieee802_1x_kay_decode_mpkdu():
>
> https://w1.fi/cgit/hostap/commit/?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04
>
> The second change forces the KaY to generate a new MI when an invalid
> key is detected:
>
> https://w1.fi/cgit/hostap/commit/?id=a8aeaf41df95ac6f979eb9014d0e2d17c46c671e
>
> The fix is to move generation of a new MI from the old invalid key detection
> location to the new location.
> ---

Thanks! Could you please send this again with the Signed-off-by: line added at the end of the commit message as described in the CONTRIBUTIONS file so that I can apply this?

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index c9948b7..b4455c8 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1422,12 +1422,6 @@ ieee802_1x_mka_decode_sak_use_body( } if (!found) { wpa_printf(MSG_INFO, "KaY: Latest key is invalid"); - if (!reset_participant_mi(participant)) - wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); - else - wpa_printf(MSG_DEBUG, - "KaY: Selected a new random MI: %s", - mi_txt(participant->mi)); return -1; } if (os_memcmp(participant->lki.mi, body->lsrv_mi, @@ -3289,6 +3283,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", MKA_SAK_USE); + if (!reset_participant_mi(participant)) + wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); + else + wpa_printf(MSG_DEBUG, + "KaY: Selected a new random MI: %s", + mi_txt(participant->mi)); return -1; }
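
Review bot: In the first hunk, the `!found` branch of ieee802_1x_mka_decode_sak_use_body() now ends in a bare `return -1` after logging "KaY: Latest key is invalid", so the caller can no longer tell this case apart from any other path in the function that also returns -1. Since the subject line says a new MI should only be generated when the peer's key is invalid, consider returning a distinct value from this branch (or recording the condition on the participant) and adding a one-line comment here saying that the MI reset is now done by the caller.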
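
Review bot: In the second hunk, reset_participant_mi() is placed in the branch of ieee802_1x_kay_decode_mkpdu() that logs "decode of parameter set type (%d) failed" for MKA_SAK_USE, which means the MI is regenerated on any failure of that decode, not specifically on the "Latest key is invalid" case the subject line names. Please either test for that specific condition before resetting or add a comment explaining why every SAK Use decode failure warrants a new MI. A smaller point in the same lines: a failed reset is logged at MSG_DEBUG ("KaY: Could not update mi") while the discard just above it is logged at MSG_INFO, so the more serious event is the less visible one.
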
From: Mike Siedzik <msiedzik@extremenetworks.com>

Two recent changes to MKA create a situation where a new MI is generated
every time a SAK Use parameter set is decoded. The first change moved
invalid key detection from ieee802_1x_decode_basic_body() to
ieee802_1x_kay_decode_mpkdu():

https://w1.fi/cgit/hostap/commit/?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04

The second change forces the KaY to generate a new MI when an invalid
key is detected:

https://w1.fi/cgit/hostap/commit/?id=a8aeaf41df95ac6f979eb9014d0e2d17c46c671e

The fix is to move generation of a new MI from the old invalid key detection
location to the new location.
---
 src/pae/ieee802_1x_kay.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--
1.8.3.1