[4/8] mka: Check for errors on create Secure Channel

Message ID	20181102180220.20948-4-a.s.kartashev@gmail.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Andrey Kartashev <a.s.kartashev@gmail.com> To: hostap@lists.infradead.org Subject: [PATCH 4/8] mka: Check for errors on create Secure Channel Date: Fri, 2 Nov 2018 19:02:16 +0100 Message-Id: <20181102180220.20948-4-a.s.kartashev@gmail.com> In-Reply-To: <20181102180220.20948-1-a.s.kartashev@gmail.com> References: <20181102180220.20948-1-a.s.kartashev@gmail.com> summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:241 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (a.s.kartashev[at]gmail.com) -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: Andrey Kartashev <andrey.kartashev@afconsult.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[1/8] wpa_debug: Support hexdump_ascii outputting into syslog \| expand [1/8] wpa_debug: Support hexdump_ascii outputting into syslog [2/8] mka: Allow to setup MACsec replay protection [3/8] mka: Debug output cleanup/fix [4/8] mka: Check for errors on create Secure Channel [5/8] mka: Remember LowestPN for each key server [6/8] mka: Support for AES-256 key generation [7/8] mka: Fix handling duplicated SCI [8/8] mka: Change MI if key invalid

Message ID

20181102180220.20948-4-a.s.kartashev@gmail.com

State

Accepted

Headers

From: Andrey Kartashev <a.s.kartashev@gmail.com>
To: hostap@lists.infradead.org
Subject: [PATCH 4/8] mka: Check for errors on create Secure Channel
Date: Fri,  2 Nov 2018 19:02:16 +0100
Message-Id: <20181102180220.20948-4-a.s.kartashev@gmail.com>
In-Reply-To: <20181102180220.20948-1-a.s.kartashev@gmail.com>
References: <20181102180220.20948-1-a.s.kartashev@gmail.com>
Precedence: list
Cc: Andrey Kartashev <andrey.kartashev@afconsult.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[1/8] wpa_debug: Support hexdump_ascii outputting into syslog | expand

Commit Message

Andrey Kartashev Nov. 2, 2018, 6:02 p.m. UTC

From: Andrey Kartashev <andrey.kartashev@afconsult.com>

It is possible that driver fails to create Secure Channel (due to
hardware limitations for example).
This patch adds check of create_*_sc result code and breaks procedure in
case of fail.
Also this patch fix minor memory leak in ieee802_1x_kay_create_mka() in
case of derive KEK/ICK fail.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
---
 src/pae/ieee802_1x_kay.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index e508b38de..6703531e4 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -601,9 +601,14 @@  ieee802_1x_kay_create_live_peer(struct ieee802_1x_mka_participant *participant,
 		return NULL;
 	}
 
+	if (secy_create_receive_sc(participant->kay, rxsc))
+	{
+		os_free(rxsc);
+		os_free(peer);
+		return NULL;
+	}
 	dl_list_add(&participant->live_peers, &peer->list);
 	dl_list_add(&participant->rxsc_list, &rxsc->list);
-	secy_create_receive_sc(participant->kay, rxsc);
 
 	wpa_printf(MSG_DEBUG, "KaY: Live peer created");
 	ieee802_1x_kay_dump_peer(peer);
@@ -661,10 +666,16 @@  ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
 	ieee802_1x_kay_dump_peer(peer);
 
 	dl_list_del(&peer->list);
+	if (secy_create_receive_sc(participant->kay, rxsc))
+	{
+		wpa_printf(MSG_ERROR, "KaY: Can't create SC, discard peer");
+		os_free(rxsc);
+		os_free(peer);
+		return NULL;
+	}
 	dl_list_add_tail(&participant->live_peers, &peer->list);
 
 	dl_list_add(&participant->rxsc_list, &rxsc->list);
-	secy_create_receive_sc(participant->kay, rxsc);
 
 	return peer;
 }
@@ -3381,7 +3392,8 @@  ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
 	secy_cp_control_protect_frames(kay, kay->macsec_protect);
 	secy_cp_control_replay(kay, kay->macsec_replay_protect,
 			       kay->macsec_replay_window);
-	secy_create_transmit_sc(kay, participant->txsc);
+	if (secy_create_transmit_sc(kay, participant->txsc))
+		goto fail;
 
 	/* to derive KEK from CAK and CKN */
 	participant->kek.len = mka_alg_tbl[kay->mka_algindex].kek_len;
@@ -3429,6 +3441,7 @@  ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
 	return participant;
 
 fail:
+	os_free(participant->txsc);
 	os_free(participant);
 	return NULL;
 }

[4/8] mka: Check for errors on create Secure Channel

Commit Message

Patch