From patchwork Fri Mar 2 20:10:56 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880857
Subject: [PATCH 08/15] mka: MKPDU SAK Use Body's Delay Protect bit set incorrectly
Date: Fri, 2 Mar 2018 15:10:56 -0500
Message-ID: <20180302201103.16264-9-msiedzik@extremenetworks.com>
X-Mailer: git-send-email 2.11.1
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
X-BeenThere: hostap@lists.infradead.org
Cc: Mike Siedzik
From: Mike Siedzik

Delay Protect and Replay Protect are two separate and distinct features of MKA. Per IEEE802.1X-2010 Clause 9.10.1 "Delay Protect, TRUE if LPNs are being reported sufficiently frequently to allow the receipt to provide data delay protection. If FALSE, the LPN can be reported as zero", and per Clause 9.10 "NOTE - Enforcement of bounded received delay necessitates transmission of MKPDUs at frequency (0.5 s) intervals, to meet a maximum data delay of 2 s while minimizing connectivity interruption due to the possibility of lost or delayed MKPDUs."

This means ieee802_1x_mka_sak_use_body.delay_protect should only be set TRUE when MKPDUs are being transmitted every 0.5 s (or faster). By default the KaY sends MKPDUs every MKA_HELLO_TIME (2.0 s), so by default delay_protect should be FALSE.

A new 'u32 mka_hello_time' parameter has been added to the 'ieee802_1x_kay' data structure. If delay protection is desired, the KaY initialization code should set kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME (500 ms).

Signed-off-by: Michael Siedzik
--- src/pae/ieee802_1x_kay.c | 14 +++++++++----- src/pae/ieee802_1x_kay.h | 2 ++ 2 files changed, 11 insertions(+), 5 deletions(-) -- 2.11.1 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 0c3101cd8..ba2636ad6 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1205,7 +1205,7 @@ ieee802_1x_mka_encode_sak_use_body( } /* data protect, lowest accept packet number */ - body->delay_protect = kay->macsec_replay_protect; + body->delay_protect = (kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME); pn = ieee802_1x_mka_get_lpn(participant, &participant->lki); if (pn > kay->pn_exhaustion) { wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
@@ -2487,7 +2487,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->retry_count++; } - eloop_register_timeout(MKA_HELLO_TIME / 1000, 0, + eloop_register_timeout(kay->mka_hello_time / 1000, 0, ieee802_1x_participant_timer, participant, NULL); @@ -3208,6 +3208,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; kay->macsec_confidentiality = CONFIDENTIALITY_NONE; + kay->mka_hello_time = MKA_HELLO_TIME; } else { kay->macsec_desired = TRUE; kay->macsec_protect = TRUE; @@ -3221,6 +3222,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_validate = Strict; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; + kay->mka_hello_time = MKA_HELLO_TIME; } wpa_printf(MSG_DEBUG, "KaY: state machine created"); @@ -3425,7 +3427,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn, wpa_hexdump(MSG_DEBUG, "KaY: Participant created:", ckn->name, ckn->len); - usecs = os_random() % (MKA_HELLO_TIME * 1000); + usecs = os_random() % (kay->mka_hello_time * 1000); eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, participant, NULL); @@ -3575,7 +3577,7 @@ void ieee802_1x_kay_notify_port_enabled(struct ieee802_1x_kay *kay, dl_list_for_each(participant, &kay->participant_list, struct ieee802_1x_mka_participant, list) { if (participant->participant) { - usecs = os_random() % (MKA_HELLO_TIME * 1000); + usecs = os_random() % (kay->mka_hello_time * 1000); eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, participant, NULL); } @@ -3681,6 +3683,7 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, "Is Key Server=%s\n" "Number of Keys Distributed=%u\n" "Number of Keys Received=%u\n", + "MKA Hello Time=%u\n", kay->port_enable ? "Enabled" : "Disabled", kay->active ? "Active" : "Not-Active", kay->authenticated ? "Yes" : "No", 
@@ -3690,7 +3693,8 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, kay->key_server_priority, kay->is_key_server ? "Yes" : "No", kay->dist_kn - 1, - kay->rcvd_keys); + kay->rcvd_keys, + kay->mka_hello_time); if (os_snprintf_error(buflen, len)) return 0; diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 8c1a3b2fa..7031c1a83 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -21,6 +21,7 @@ struct macsec_init_params; /* MKA timer, unit: millisecond */ #define MKA_HELLO_TIME 2000 +#define MKA_BOUNDED_HELLO_TIME 500 #define MKA_LIFE_TIME 6000 #define MKA_SAK_RETIRE_TIME 3000 @@ -187,6 +188,7 @@ struct ieee802_1x_kay { u32 macsec_replay_window; enum validate_frames macsec_validate; enum confidentiality_offset macsec_confidentiality; + u32 mka_hello_time; u32 ltx_kn; u8 ltx_an;
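Review bot: the comment directly above the changed line in the @@ -1205 hunk still reads `/* data protect, lowest accept packet number */`; since this change is about the Delay Protect bit, fix it to `/* delay protect, lowest acceptable packet number */` while touching the line. The new expression `body->delay_protect = (kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME);` matches the Clause 9.10 requirement quoted in the commit message, but it silently decouples Delay Protect from `kay->macsec_replay_protect`; a one-line comment citing 9.10.1 would spare the next reader a trip to the standard.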
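Review bot: integer division in the @@ -2487 hunk drops the sub-second part of the interval: with `kay->mka_hello_time` set to MKA_BOUNDED_HELLO_TIME (500), `kay->mka_hello_time / 1000` is 0 and the second argument is also 0, so `eloop_register_timeout(0, 0, ...)` re-arms the participant timer immediately and the KaY would send MKPDUs back to back. Pass the remainder as microseconds: `eloop_register_timeout(kay->mka_hello_time / 1000, (kay->mka_hello_time % 1000) * 1000, ieee802_1x_participant_timer, participant, NULL);`. The old code only worked because MKA_HELLO_TIME (2000) is a whole number of seconds.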
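Review bot: `kay->mka_hello_time = MKA_HELLO_TIME;` is added to both branches of the policy if/else (hunks @@ -3208 and @@ -3221), but the default does not depend on the MACsec policy, so assign it once outside the if/else instead of duplicating it. Beyond that, the commit message says "the KaY initialization code should set kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME" when delay protection is wanted, yet nothing in this patch (the ieee802_1x_kay_init() signature is unchanged) lets a caller do so; either add a parameter or setter here, or say in the message which other patch in the series provides it.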
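Review bot: the added `"MKA Hello Time=%u\n",` in the @@ -3681 hunk lands after the comma that terminates the format string (the context line `"Number of Keys Received=%u\n",`), so it is compiled as the first variadic argument rather than appended to the format. Every following argument is then shifted one position relative to its conversion specifier (`kay->port_enable ? "Enabled" : "Disabled"` no longer lines up with the first `%s`, and so on), the mismatched types are undefined behaviour, and the `kay->mka_hello_time` added in the @@ -3690 hunk has no specifier at all; -Wformat will flag this. Move the comma: change the context line to `"Number of Keys Received=%u\n"` and add `"MKA Hello Time=%u\n",` as the last piece of the format string.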
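Review bot: MKA_BOUNDED_HELLO_TIME in the @@ -21 hunk of ieee802_1x_kay.h sits under the `/* MKA timer, unit: millisecond */` comment, which covers the unit, but nothing records where 500 comes from; a short comment pointing at IEEE 802.1X-2010 Clause 9.10 (MKPDUs every 0.5 s for a 2 s bounded delay) would tie the constant to the requirement the commit message quotes.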
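Review bot: the new `u32 mka_hello_time;` member in the @@ -187 hunk carries no unit, while the .c side divides it by 1000 for seconds in one place and multiplies it by 1000 for microseconds in another; add `/* ms */` (or name it mka_hello_time_ms) so the unit is explicit, and note that any value at or below MKA_BOUNDED_HELLO_TIME turns Delay Protect on, per the comparison in ieee802_1x_mka_encode_sak_use_body().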