[7/8] mka: Fix handling duplicated SCI

Message ID	20181102180220.20948-7-a.s.kartashev@gmail.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Andrey Kartashev <a.s.kartashev@gmail.com> To: hostap@lists.infradead.org Subject: [PATCH 7/8] mka: Fix handling duplicated SCI Date: Fri, 2 Nov 2018 19:02:19 +0100 Message-Id: <20181102180220.20948-7-a.s.kartashev@gmail.com> In-Reply-To: <20181102180220.20948-1-a.s.kartashev@gmail.com> References: <20181102180220.20948-1-a.s.kartashev@gmail.com> summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:242 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (a.s.kartashev[at]gmail.com) -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: Andrey Kartashev <andrey.kartashev@afconsult.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[1/8] wpa_debug: Support hexdump_ascii outputting into syslog \| expand [1/8] wpa_debug: Support hexdump_ascii outputting into syslog [2/8] mka: Allow to setup MACsec replay protection [3/8] mka: Debug output cleanup/fix [4/8] mka: Check for errors on create Secure Channel [5/8] mka: Remember LowestPN for each key server [6/8] mka: Support for AES-256 key generation [7/8] mka: Fix handling duplicated SCI [8/8] mka: Change MI if key invalid

Message ID

20181102180220.20948-7-a.s.kartashev@gmail.com

State

Accepted

Headers

From: Andrey Kartashev <a.s.kartashev@gmail.com>
To: hostap@lists.infradead.org
Subject: [PATCH 7/8] mka: Fix handling duplicated SCI
Date: Fri,  2 Nov 2018 19:02:19 +0100
Message-Id: <20181102180220.20948-7-a.s.kartashev@gmail.com>
In-Reply-To: <20181102180220.20948-1-a.s.kartashev@gmail.com>
References: <20181102180220.20948-1-a.s.kartashev@gmail.com>
Precedence: list
Cc: Andrey Kartashev <andrey.kartashev@afconsult.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[1/8] wpa_debug: Support hexdump_ascii outputting into syslog | expand

Commit Message

Andrey Kartashev Nov. 2, 2018, 6:02 p.m. UTC

From: Andrey Kartashev <andrey.kartashev@afconsult.com>

If it was detected valid peer with same Secure Channel Id but different
Member Id as already registered, KaY just remove old one and work with
new. However thare is no trigger to delete old SC/SAs which can cause
situation when there are two active channels with same SCI.
This patch change the logic. It now discard new duplicated peer and wait
while old one would be removed by timeout. Such behaviour also prevent
somebody to disconnect working peer. This patch also decrese this peer's
timeout to speedup process in case of it is valid peer after MI change.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
---
 src/pae/ieee802_1x_kay.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 3a31bdf93..eac908415 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -773,6 +773,7 @@  ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
 	struct ieee802_1x_kay_peer *peer;
 	size_t ckn_len;
 	size_t body_len;
+	time_t new_expire;
 
 	body = (const struct ieee802_1x_mka_basic_body *) mka_msg;
 
@@ -816,16 +817,20 @@  ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
 	peer = ieee802_1x_kay_get_peer(participant, body->actor_mi);
 	if (!peer) {
 		/* Check duplicated SCI */
-		/* TODO: What policy should be applied to detect duplicated SCI
-		 * is active attacker or a valid peer whose MI is be changed?
-		 */
 		peer = ieee802_1x_kay_get_peer_sci(participant,
 						   &body->actor_sci);
 		if (peer) {
 			wpa_printf(MSG_WARNING,
 				   "KaY: duplicated SCI detected, Maybe active attacker");
-			dl_list_del(&peer->list);
-			os_free(peer);
+			/* Ignore this request. If it is valid peer whose MI is be changed
+			 * just wait until the active one would be removed by timeout.
+			 * Reduce timeout to speed up this process but left the chance for
+			 * old one to prove aliveness.
+			 */
+			new_expire = time(NULL) + MKA_HELLO_TIME * 1.5 / 1000;
+			if (peer->expire > new_expire)
+				peer->expire = new_expire;
+			return NULL;
 		}
 
 		peer = ieee802_1x_kay_create_potential_peer(

[7/8] mka: Fix handling duplicated SCI

Commit Message

Patch