[12/15] mka: resources leaked when duplicated SCI detected

Message ID	20180302201103.16264-13-msiedzik@extremenetworks.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: <msiedzik@extremenetworks.com> To: <hostap@lists.infradead.org> Subject: [PATCH 12/15] mka: resources leaked when duplicated SCI detected Date: Fri, 2 Mar 2018 15:11:00 -0500 Message-ID: <20180302201103.16264-13-msiedzik@extremenetworks.com> In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com> References: <20180302201103.16264-1-msiedzik@extremenetworks.com> MIME-Version: 1.0 summary: Content analysis details: (-4.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [63.128.21.183 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Precedence: list Cc: Mike Siedzik <msiedzik@extremenetworks.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	MKA bugfixes and enhancements \| expand [00/15] MKA bugfixes and enhancements [01/15] mka: When matching CKNs ensure that lengths are identical [02/15] mka: Ignore MACsec SAK Use Old Key parameter if we don't remember our old key [03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE" [04/15] mka: Loss of live peers should result in connect PENDING not AUTHENTICATED [05/15] mka: finish implementation of CP state machine "port_enabled" parameter [06/15] mka: KaY setting Parameter Set Body Length incorrectly [07/15] mka: Detect duplicate MAC addresses during key server election [08/15] mka: MKPDU SAK Use Body's Delay Protect bit set incorrectly [09/15] mka: Lowest acceptable Packet Number (LPN) calculated and used incorrectly [10/15] mka: Do not print contents of SAK to debug log [11/15] mka: Fix a few minor bugs in CP state machine [12/15] mka: resources leaked when duplicated SCI detected [13/15] mka: do not ignore MKPDU parameter set decoding failures [14/15] mka: consider missing MKPDU parameter sets a failure [15/15] mka: do not update potential peer liveness timer

Message ID

20180302201103.16264-13-msiedzik@extremenetworks.com

State

Accepted

Headers

From: <msiedzik@extremenetworks.com>
To: <hostap@lists.infradead.org>
Subject: [PATCH 12/15] mka: resources leaked when duplicated SCI detected
Date: Fri, 2 Mar 2018 15:11:00 -0500
Message-ID: <20180302201103.16264-13-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
MIME-Version: 1.0
Precedence: list
Cc: Mike Siedzik <msiedzik@extremenetworks.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

MKA bugfixes and enhancements | expand

Commit Message

Michael Siedzik March 2, 2018, 8:11 p.m. UTC

From: Mike Siedzik <msiedzik@extremenetworks.com>

If a live peer ever changes its Member Identifier (MI), the KaY
correctly detects a "duplicated SCI" but then proceeds to delete the
peer without deleting the peer's resources (i.e., RxSC, RxSAs, TxSAs).

Note that a remote peer's MI will change if and when a
ieee8021XPaePortInitialize is executed on the remote port.

The solution here is to ignore all MKPDUs containing the new MI until
after the peer (that corresponds to the old MI) expires and cleans up
its resources.  After the old peer is removed reception of the next
MKPDU containing the new MI will result in the creation of a new peer
with the new MI.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--
2.11.1

Comments

Jouni Malinen Dec. 26, 2018, 11:15 p.m. UTC | #1

On Fri, Mar 02, 2018 at 03:11:00PM -0500, msiedzik@extremenetworks.com wrote:
> If a live peer ever changes its Member Identifier (MI), the KaY
> correctly detects a "duplicated SCI" but then proceeds to delete the
> peer without deleting the peer's resources (i.e., RxSC, RxSAs, TxSAs).
> 
> Note that a remote peer's MI will change if and when a
> ieee8021XPaePortInitialize is executed on the remote port.
> 
> The solution here is to ignore all MKPDUs containing the new MI until
> after the peer (that corresponds to the old MI) expires and cleans up
> its resources.  After the old peer is removed reception of the next
> MKPDU containing the new MI will result in the creation of a new peer
> with the new MI.

Thanks, applied.

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 27022d994..4d61cb32b 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -792,17 +792,31 @@  ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
        /* handler peer */
        peer = ieee802_1x_kay_get_peer(participant, body->actor_mi);
        if (!peer) {
-               /* Check duplicated SCI */
-               /* TODO: What policy should be applied to detect duplicated SCI
-                * is active attacker or a valid peer whose MI is be changed?
+               /* Check duplicated SCI
+                *
+                * A duplicated SCI indicates either an active attacker or
+                * a valid peer whose MI is be changed.  The latter scenario is
+                * more likely because to have gotten this far the received
+                * MKPDU must have had a valid ICV, indicating the peer holds
+                * the same CAK our participant.
+                *
+                * Before creating a new peer object for the new MI we must
+                * clean up the resources (SCs and SAs) associated with the
+                * old peer.  An easy way to do this is to ignore MKPDUs with
+                * the new MI's for now and just wait for the old peer to
+                * timeout and clean itself up (within MKA_LIFE_TIME).
+                *
+                * This method is peferable to deleting the old peer here
+                * and now and continuing on with processing because if this
+                * MKPDU is from an attacker it's better to ignore the MKPDU
+                * than to process it (and delete a valid peer as well).
                 */
                peer = ieee802_1x_kay_get_peer_sci(participant,
                                                   &body->actor_sci);
                if (peer) {
                        wpa_printf(MSG_WARNING,
-                                  "KaY: duplicated SCI detected, Maybe active attacker");
-                       dl_list_del(&peer->list);
-                       os_free(peer);
+                                  "KaY: duplicated SCI detected, Maybe active attacker or peer selected new MI");
+                       return NULL;
                }

                peer = ieee802_1x_kay_create_potential_peer(

[12/15] mka: resources leaked when duplicated SCI detected

Commit Message

Comments

Patch