From patchwork Tue Sep 21 08:46:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Samuel Varley X-Patchwork-Id: 1530643 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=Y9YnSDbq; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=alliedtelesis.co.nz header.i=@alliedtelesis.co.nz header.a=rsa-sha256 header.s=mail181024 header.b=E7sdN8D7; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4HDFTG0LQYz9ssP for ; Tue, 21 Sep 2021 18:48:50 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=Cpl8geL0MF/z14XnQ1p4eAPrD3fMPZa9fw4np1vC4lU=; b=Y9YnSDbq7t8KH+ V5fS42/kbExUsGZGsTWjtrSvSAp7Jgipx9iZSedb7gcA8LD8+thlkXGoWLPrQrhS2VmvzSLJ9iPrN YgolxC7llFmlVwwt31FvCJ2G5eEtHEQvmVZ83FnpDLV2BzdtsZFkwSUG4qXApIRrovxcU/RVKhCGt iBItgoumyaZN2FgOaqg0yOU44h+QLwx7XpZt1RfXfbv3TQ9gOxxtAyGgrKBiXx3tmDGynW2aR5pcr u/guk53KO2t/LWh+O3saE9I88RVUNMr6IUddnpzOsyx+sYky8KGQav0Bdrx/NQB+yC9tWI6+Ub/4x H6T2wn+YiD7M+TBN/fBA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mSbR2-003yl7-Tq; Tue, 21 Sep 2021 08:47:28 +0000 Received: from gate2.alliedtelesis.co.nz ([202.36.163.20]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mSbQy-003yjv-Qi for hostap@lists.infradead.org; Tue, 21 Sep 2021 08:47:27 +0000 Received: from svr-chch-seg1.atlnz.lc (mmarshal3.atlnz.lc [10.32.18.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by gate2.alliedtelesis.co.nz (Postfix) with ESMTPS id E1919806AC for ; Tue, 21 Sep 2021 20:47:14 +1200 (NZST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alliedtelesis.co.nz; s=mail181024; t=1632214034; bh=UEyYpgF9iRhFVlyNrGxqW489I+/Xk0cDMfNYLP3bbt0=; h=From:To:Cc:Subject:Date; b=E7sdN8D7Ca3OCxpEv6jB4SNy+/9MW9IeMEKg1HA0slEzYob1nT5BDK58aZung04Dz 6YhMz1gy6YUqc4FumgPMqq2PzzR2ToJfmZkCihgvDKxzF33i4hSWD5Rlw/3Bkd75Jv 24Bcavl08xHN/wGBRxo7ods+sgpqS3pNOKkXfXAyF+GW4GvoiBsL1/XACmkCxnNnEf y+nNE1GGwJzUoHrL+4o2JnGDbYfErSKlOC5yeM53Yrk4QjCMxUOnpD2TpbH0ExdIuA WvD1Lo2ltbj2c3d1lN3X3SWILaR95cLoJ3PuWHf/vIGD/bJPGQ1sBs75VQZ7zualYn tDRl5TDPUo4PA== Received: from pat.atlnz.lc (Not Verified[10.32.16.33]) by svr-chch-seg1.atlnz.lc with Trustwave SEG (v8, 2, 6, 11305) id ; Tue, 21 Sep 2021 20:47:14 +1200 Received: from samuelv-dl.ws.atlnz.lc (samuelv-dl.ws.atlnz.lc [10.33.21.26]) by pat.atlnz.lc (Postfix) with ESMTP id 9F42513EE39; Tue, 21 Sep 2021 20:47:14 +1200 (NZST) Received: by samuelv-dl.ws.atlnz.lc (Postfix, from userid 1599) id 98FA21A03BB; Tue, 21 Sep 2021 20:47:14 +1200 (NZST) From: Samuel Varley To: hostap@lists.infradead.org Cc: Samuel Varley Subject: [PATCH] mka: Revert commits that break backwards compatibility Date: Tue, 21 Sep 2021 20:46:51 +1200 Message-Id: <20210921084651.1521-1-samuel.varley@alliedtelesis.co.nz> X-Mailer: git-send-email 2.33.0 MIME-Version: 1.0 X-SEG-SpamProfiler-Analysis: v=2.3 cv=AIwNeVlb c=1 sm=1 tr=0 a=KLBiSEs5mFS1a/PbTCJxuA==:117 a=7QKq2e-ADPsA:10 a=o83nqyVRAAAA:8 a=sqPv3XeXUQ2sbpNBAL4A:9 X-SEG-SpamProfiler-Score: 0 x-atlnz-ls: pat X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210921_014725_377195_A9688791 X-CRM114-Status: GOOD ( 24.77 ) X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: There is a problem in IEEE Std 802.1X-2010 with how it says the key server should check for pending packet number exhaustion. It says, in section 9.8, that the key server should check the LLPN (Latest [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org There is a problem in IEEE Std 802.1X-2010 with how it says the key server should check for pending packet number exhaustion. It says, in section 9.8, that the key server should check the LLPN (Latest Lowest Acceptable Packet Number) that is sent by each device to see if it's getting too high. However, when the CP state machine is in RETIRE, the key in use is considered the "old" key and there is no "latest" key. Therefore, only looking at LLPN won't work. As described in [1], there is more than one way that a software developer might deal with that problem. It says the standard should have specified that the key server look at OLPN, rather than specifying that it look at LLPN. However, it also describes some alternative approaches that ensure the most recent key stays in the "latest" slot. The proposed resolution in [1] aims to increase interoperability between implementations that have already taken different approaches. It proposed changes to the standard's description of how the key server should look at packet numbers in "SAK Use". The new text lays out a procedure that will work regardless of whether the most recent key is in "latest" or "old". Those proposed changes were included in 802.1Xck-2018 (meaning 802.1X-2020 also contains the new procedure). In version 2.9 of this code, the CP state machine transferred the key from "latest" to "old" in a different place to that specified in 802.1X-2010. The standard says to do it in RETIRE but this code did it in RECEIVE. This is similar to one of the alternative approaches mentioned in [1]. Since then, patches have been delivered that do the following things: * Make the CP state machine match the standard with regard to where it transfers the key from "latest" to "old" [2]. * Ensure packet numbers on the local device are still monitored correctly after the change to the state machine [3]. * Implement the new procedure, that was specified in [1], for looking at packet numbers in "SAK Use" from peers [4]. I expect that the change to the state machine will break backwards compatibility with v2.9. If the key server runs v2.9 then it will only look at LLPN and if its peer uses the current code then it will not have a "latest" key when in the RETIRE state. Therefore, this commit reverts [2] and [3]. Commit [4] is retained. [1] M. Seaman. (2017, September 16) "MKA pending PN exhaustion" (revision 1.0) [Online]. Available: https://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf [2] commit 0fedfba2e209 ("mka: Change RECEIVE and RETIRE states to match the standard") [3] commit 84851007d9b5 ("mka: Check OLPN for exhaustion on SAKuse encode") [4] commit 6d3dc9ba1ee0 ("mka: Check OLPN for exhaustion on SAKuse decode") Signed-off-by: Samuel Varley --- src/pae/ieee802_1x_cp.c | 26 ++++++++++++++++---------- src/pae/ieee802_1x_kay.c | 35 +++++++++++------------------------ 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index cf41d8dbf2f9..91f5d877036f 100644 --- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c @@ -230,6 +230,18 @@ SM_STATE(CP, SECURED) SM_STATE(CP, RECEIVE) { SM_ENTRY(CP, RECEIVE); + /* RECEIVE state machine not keep with Figure 12-2 in + * IEEE Std 802.1X-2010 */ + if (sm->oki) { + ieee802_1x_kay_delete_sas(sm->kay, sm->oki); + os_free(sm->oki); + } + sm->oki = sm->lki; + sm->oan = sm->lan; + sm->otx = sm->ltx; + sm->orx = sm->lrx; + ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan, + sm->otx, sm->orx); sm->lki = os_malloc(sizeof(*sm->lki)); if (!sm->lki) { @@ -325,23 +337,17 @@ SM_STATE(CP, ABANDON) SM_STATE(CP, RETIRE) { SM_ENTRY(CP, RETIRE); + /* RETIRE state machine not keep with Figure 12-2 in + * IEEE Std 802.1X-2010 */ if (sm->oki) { ieee802_1x_kay_delete_sas(sm->kay, sm->oki); os_free(sm->oki); sm->oki = NULL; } - sm->oki = sm->lki; - sm->otx = sm->ltx; - sm->orx = sm->lrx; - sm->oan = sm->lan; + sm->orx = false; + sm->otx = false; ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan, sm->otx, sm->orx); - sm->lki = NULL; - sm->ltx = false; - sm->lrx = false; - sm->lan = 0; - ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan, - sm->ltx, sm->lrx); } diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 2fe88ac0c5f2..542f71d1e33b 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1287,7 +1287,7 @@ ieee802_1x_mka_encode_sak_use_body( struct ieee802_1x_mka_sak_use_body *body; struct ieee802_1x_kay *kay = participant->kay; unsigned int length; - u32 olpn, llpn; + u32 pn = 1; length = ieee802_1x_mka_get_sak_use_length(participant); body = wpabuf_put(buf, length); @@ -1307,31 +1307,18 @@ ieee802_1x_mka_encode_sak_use_body( /* data delay protect */ body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME; - /* lowest accept packet numbers */ - olpn = ieee802_1x_mka_get_lpn(participant, &participant->oki); - body->olpn = host_to_be32(olpn); - llpn = ieee802_1x_mka_get_lpn(participant, &participant->lki); - body->llpn = host_to_be32(llpn); - if (participant->is_key_server) { - /* The CP will spend most of it's time in RETIRE where only - * the old key is populated. Therefore we should be checking - * the OLPN most of the time. - */ - if (participant->lrx) { - if (llpn > kay->pn_exhaustion) { - wpa_printf(MSG_WARNING, - "KaY: My LLPN exhaustion"); - participant->new_sak = true; - } - } else { - if (olpn > kay->pn_exhaustion) { - wpa_printf(MSG_WARNING, - "KaY: My OLPN exhaustion"); - participant->new_sak = true; - } - } + /* lowest accept packet number */ + pn = ieee802_1x_mka_get_lpn(participant, &participant->lki); + if (pn > kay->pn_exhaustion) { + wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion"); + if (participant->is_key_server) + participant->new_sak = true; } + body->llpn = host_to_be32(pn); + pn = ieee802_1x_mka_get_lpn(participant, &participant->oki); + body->olpn = host_to_be32(pn); + /* plain tx, plain rx */ body->ptx = !kay->macsec_protect; body->prx = kay->macsec_validate != Strict;