From patchwork Fri Nov 2 18:02:17 2018
X-Patchwork-Submitter: Andrey Kartashev
X-Patchwork-Id: 992481
From: Andrey Kartashev
To: hostap@lists.infradead.org
Subject: [PATCH 5/8] mka: Remember LowestPN for each key server
Date: Fri, 2 Nov 2018 19:02:17 +0100
Message-Id: <20181102180220.20948-5-a.s.kartashev@gmail.com>
In-Reply-To: <20181102180220.20948-1-a.s.kartashev@gmail.com>
References: <20181102180220.20948-1-a.s.kartashev@gmail.com>
From: Andrey Kartashev According to IEEE 802.1X-2010 section 9.8, each participant shall record the values of NextPN for the last SAK accepted from each Key Server to use it in case of a switch from one Key Server to another and back. This patch adds LPN recording and sets the saved value as the initial PN for the created channel. Also this patch improves the behavior of ieee802_1x_mka_decode_sak_use_body() in case the received LowestPN is greater than our NextPN. Signed-off-by: Andrey Kartashev --- src/pae/ieee802_1x_kay.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 6703531e4..a4771b792 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1408,6 +1408,8 @@ ieee802_1x_mka_decode_sak_use_body( } } + if (sa_key) + sa_key->next_pn = lpn; found = FALSE; dl_list_for_each(txsa, &participant->txsc->sa_list, struct transmit_sa, list) { @@ -1421,11 +1423,17 @@ ieee802_1x_mka_decode_sak_use_body( return -1; } - /* FIXME: Secy creates txsa with default npn. If MKA detected Latest Key - * npn is larger than txsa's npn, set it to txsa. + /* FIXME: KaY should update Tx SA NextPN in case of new participant + * connected to the CA and we are not Key Server. Refer 802.1X-2010 + * section 12.2 for details. + * Note that we should not modify txsa->next_pn as it is read-only. + * Also not any of MACsec implementations support on-the-fly changing of + * Tx NextPN as it could be dangerous (how much packets was sent during + * the function execution?). */ secy_get_transmit_next_pn(kay, txsa); if (lpn > txsa->next_pn) { + txsa->next_pn = lpn; secy_set_transmit_next_pn(kay, txsa); wpa_printf(MSG_INFO, "KaY: update lpn =0x%x", lpn); } @@ -1528,6 +1536,7 @@ static void ieee802_1x_kay_init_data_key(struct data_key *pkey) pkey->receives = TRUE; os_get_time(&pkey->created_time); + pkey->next_pn = 1; pkey->user = 1; }
@@ -2744,7 +2753,7 @@ int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay, ieee802_1x_delete_transmit_sa(kay, txsa); txsa = ieee802_1x_kay_init_transmit_sa(principal->txsc, latest_sak->an, - 1, latest_sak); + latest_sak->next_pn ? latest_sak->next_pn : 1, latest_sak); if (!txsa) return -1;
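Review bot: in the hunk at @@ -1408, `sa_key->next_pn = lpn;` stores the peer's LowestPN unconditionally, so an MKPDU that is processed late or out of order with a smaller LowestPN moves the recorded value backwards, and the Tx SA later built from this key in ieee802_1x_kay_create_sas (which now takes `latest_sak->next_pn` as its initial PN) would start from that smaller value, below a PN the key may already have been used with. Suggest updating only when lpn is larger than the stored value, mirroring the `if (lpn > txsa->next_pn)` check a few lines below, and adding a one-line comment that next_pn here holds the LowestPN recorded per 802.1X-2010 section 9.8.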
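Review bot: in the hunk at @@ -1421, the new comment states "we should not modify txsa->next_pn as it is read-only", yet the added line `txsa->next_pn = lpn;` does exactly that, immediately followed by secy_set_transmit_next_pn(kay, txsa); either the assignment or that sentence should go, or the comment should say why this particular update is considered safe. While the comment is being rewritten, "Refer 802.1X-2010 section 12.2" should read "Refer to 802.1X-2010 section 12.2", "not any of MACsec implementations support" should be "none of the MACsec implementations supports", and "how much packets was sent" should be "how many packets were sent".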
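Review bot: the fallback `latest_sak->next_pn ? latest_sak->next_pn : 1` in ieee802_1x_kay_create_sas only has an effect when next_pn is 0, and with ieee802_1x_kay_init_data_key now setting `pkey->next_pn = 1;` the only remaining way to reach 0 is a received LowestPN of 0 being stored by the `sa_key->next_pn = lpn;` assignment in ieee802_1x_mka_decode_sak_use_body. Rejecting or ignoring lpn == 0 at the point it is recorded would make that intent explicit and let this line pass latest_sak->next_pn directly.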