[5/8] mka: Remember LowestPN for each key server

Message ID 20181102180220.20948-5-a.s.kartashev@gmail.com
State New

Commit Message

Andrey Kartashev Nov. 2, 2018, 6:02 p.m.
From: Andrey Kartashev <andrey.kartashev@afconsult.com>

According to IEEE 802.1X-2010 section 9.8, each participant shall record the
values of NextPN for the last SAK accepted from each Key Server to use it in
case of a switch from one Key Server to another and back.
This patch adds LPN recording and sets the saved value as the initial PN for the
created channel.
Also this patch improves the behavior of ieee802_1x_mka_decode_sak_use_body()
in case the received LowestPN is greater than our NextPN.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
---
 src/pae/ieee802_1x_kay.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 6703531e4..a4771b792 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1408,6 +1408,8 @@  ieee802_1x_mka_decode_sak_use_body(
 		}
 	}
 
+	if (sa_key)
+		sa_key->next_pn = lpn;
 	found = FALSE;
 	dl_list_for_each(txsa, &participant->txsc->sa_list,
 			 struct transmit_sa, list) {
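Review bot: `sa_key->next_pn = lpn;` stores the peer's LowestPN unconditionally, so a later SAK Use body carrying a smaller value overwrites a higher one already recorded; since the recorded value becomes the initial PN of a transmit SA created from this key, a regressed value would let packet numbers already used under that key be issued again. Suggest guarding it the same way the Tx SA update later in this function does: `if (sa_key && lpn > sa_key->next_pn) sa_key->next_pn = lpn;`.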
@@ -1421,11 +1423,17 @@  ieee802_1x_mka_decode_sak_use_body(
 		return -1;
 	}
 
-	/* FIXME: Secy creates txsa with default npn. If MKA detected Latest Key
-	 * npn is larger than txsa's npn, set it to txsa.
+	/* FIXME: KaY should update Tx SA NextPN in case of new participant
+	 * connected to the CA and we are not Key Server. Refer 802.1X-2010
+	 * section 12.2 for details.
+	 * Note that we should not modify txsa->next_pn as it is read-only.
+	 * Also not any of MACsec implementations support on-the-fly changing of
+	 * Tx NextPN as it could be dangerous (how much packets was sent during
+	 * the function execution?).
 	 */
 	secy_get_transmit_next_pn(kay, txsa);
 	if (lpn > txsa->next_pn) {
+		txsa->next_pn = lpn;
 		secy_set_transmit_next_pn(kay, txsa);
 		wpa_printf(MSG_INFO, "KaY: update lpn =0x%x", lpn);
 	}
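Review bot: the rewritten FIXME states that `txsa->next_pn` is read-only and must not be modified, and that no MACsec implementation supports changing Tx NextPN on the fly, yet the lines immediately below it add `txsa->next_pn = lpn;` and push it with `secy_set_transmit_next_pn(kay, txsa);`. Either the comment or the code is wrong; if the update is deliberately kept until the 802.1X-2010 section 12.2 handling exists, say so in the comment and explain why the race it describes is acceptable here. Minor: "not any of MACsec implementations support" reads better as "no MACsec implementation supports", and the log string "update lpn =0x%x" has a stray space before the `=`.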
@@ -1528,6 +1536,7 @@  static void ieee802_1x_kay_init_data_key(struct data_key *pkey)
 	pkey->receives = TRUE;
 	os_get_time(&pkey->created_time);
 
+	pkey->next_pn = 1;
 	pkey->user = 1;
 }
 
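Review bot: `pkey->next_pn = 1;` duplicates the literal fallback `latest_sak->next_pn ? latest_sak->next_pn : 1` in ieee802_1x_kay_create_sas. With the field now always initialised to 1, either drop that ternary or, if next_pn can legitimately become 0 through the decode path, keep the default in one named constant so the two sites cannot drift apart.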
@@ -2744,7 +2753,7 @@  int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
 		ieee802_1x_delete_transmit_sa(kay, txsa);
 
 	txsa = ieee802_1x_kay_init_transmit_sa(principal->txsc, latest_sak->an,
-					       1, latest_sak);
+					latest_sak->next_pn ? latest_sak->next_pn : 1, latest_sak);
 	if (!txsa)
 		return -1;
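Review bot: the changed continuation line drops the parenthesis-aligned indentation the surrounding code uses (the removed `1, latest_sak);` line was aligned under the opening parenthesis) and the new expression runs past 80 columns. Pull `latest_sak->next_pn ? latest_sak->next_pn : 1` into a local before the call and keep the alignment; the ternary also repeats the default of 1 that ieee802_1x_kay_init_data_key now sets.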