From patchwork Fri Mar 2 20:11:01 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Siedzik X-Patchwork-Id: 880862 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=extremenetworks.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="OZSI2KkQ"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3ztLDf1gFBz9s3v for ; Sat, 3 Mar 2018 07:16:50 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=cy64HPSCwTxxR0SkWcFX/yQREvV4VV4cfYZXLhd24Ms=; b=OZSI2KkQxr327S qQGu3OnKmXkkhmbWEEPya9LR+fdcszweXZOR8yaI/WktrMWhCzRUexZURV3MiIic/bwkw05vwHfmH Kg7DTu4W8rMlT/zvbqlvxwrpqpiNdfp3+zMnn6dz5Iey9Hpt+sO2+onztyAMPgmP4sGZ0kOYfD7q/ h1PLP8rV3smOJ+vOJkzdaYi2bAXxOst3RqgelckIgFvLTEFhSs7UrrwhVFL33ZAxxCN0HILmcU7k+ 0n+Nk+LCU/UHTogSqvBcYYdEOrMHF1nZwu37rghOP6clJjqnxnI+uURUvYCLTrqtxE1vpUkbuAwsg 5ugipUrp8sw6lU/MKRCw==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.89 #1 (Red Hat Linux)) id 1err6b-0004lF-8e; Fri, 02 Mar 2018 20:16:37 +0000 Received: from us-smtp-delivery-183.mimecast.com ([216.205.24.183]) by bombadil.infradead.org with esmtps (Exim 4.89 #1 (Red Hat Linux)) id 1err3L-0001JC-T6 for hostap@lists.infradead.org; Fri, 02 Mar 2018 20:13:35 +0000 Received: from USNH-CASHT-P2.corp.extremenetworks.com (owamail.extremenetworks.com [134.141.4.38]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-166-O0U85gbmNH-lCetHd19Agw-5; Fri, 02 Mar 2018 15:11:03 -0500 Received: from usnh-casht-p2.corp.extremenetworks.com (134.141.77.27) by USNH-CASHT-P2.corp.extremenetworks.com (134.141.77.27) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 2 Mar 2018 15:10:59 -0500 Received: from smtp2.extremenetworks.com (10.6.25.34) by usnh-casht-p2.corp.extremenetworks.com (134.141.77.27) with Microsoft SMTP Server (TLS) id 15.0.1210.3 via Frontend Transport; Fri, 2 Mar 2018 15:10:59 -0500 Received: from cm-exos1.extremenetworks.com (a10-smtp.extremenetworks.com [10.6.24.14]) by smtp2.extremenetworks.com (8.13.8/8.13.8) with ESMTP id w22KAwAn004957; Fri, 2 Mar 2018 12:10:58 -0800 Received: from cm-exos1.extremenetworks.com (localhost [127.0.0.1]) by cm-exos1.extremenetworks.com (Postfix) with ESMTP id 107712C0322; Fri, 2 Mar 2018 15:11:10 -0500 (EST) Received: (from msiedzik@localhost) by cm-exos1.extremenetworks.com (8.14.7/8.14.7/Submit) id w22KBAij016350; Fri, 2 Mar 2018 15:11:10 -0500 From: To: Subject: [PATCH 13/15] mka: do not ignore MKPDU parameter set decoding failures Date: Fri, 2 Mar 2018 15:11:01 -0500 Message-ID: <20180302201103.16264-14-msiedzik@extremenetworks.com> X-Mailer: git-send-email 2.11.1 In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com> References: <20180302201103.16264-1-msiedzik@extremenetworks.com> MIME-Version: 1.0 X-MC-Unique: O0U85gbmNH-lCetHd19Agw-5 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180302_121316_666324_2903A45C X-CRM114-Status: GOOD ( 13.20 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-2.6 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [216.205.24.183 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mike Siedzik Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Mike Siedzik The status values returned by mka_param_body_handler.body_rx functions are currently ignored by ieee802_1x_kay_decode_mkpdu(). If a failure is detected the KaY should (a) stop processing the MKDPU and (b) do not update the associated peer's liveliness. IEEE802.1X-2010's Table 11-7 MKPDU Parameter sets and Clause 11.11.3 Encoding MKPDUs dictate that MKA_SAK_USE (set type 3) will always be encoded before MKA_DISTRIBUTED_SAK (set type 4) in MKPDUs. Due to hostap's implementation of mka_param_body_handler, the code will always decode MKA_SAK_USE before MKA_DISTRIBUTED_SAK. When MKA_DISTRUBUTED_SAK contains a new SAK the code should decode MKA_DISTRUBUTED_SAK first so that the lastest SAK is in known before decoding MKA_SAK_USE. The ideal solution would be to make two passes at MKDPU decoding: the first pass decodes MKA_DISTRIBUTED_SAK, the second pass decodes all other parameter sets. A simpler and less risky solution is presented here: ignore MKA_SAK_USE failures if MKA_DISTRIBUTED_SAK is also present. The new SAK will be saved so that the next MKPDU's MKA_SAK_USE can be properly decoded. This is basically what the code prior to this commit was doing (by ignoring all errors). Also, the only real recourse the KaY has when detecting any bad parameter set is to ignore the MKPDU by not updating the corresponding peer's liveliness timer, 'peer->expire'. Signed-off-by: Michael Siedzik --- src/pae/ieee802_1x_kay.c | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) -- 2.11.1 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 4d61cb32b..7945cc898 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -831,7 +831,6 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, peer->key_server_priority = body->priority; } else if (peer->mn < be_to_host32(body->actor_mn)) { peer->mn = be_to_host32(body->actor_mn); - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; peer->macsec_desired = body->macsec_desired; peer->macsec_capability = body->macsec_capability; peer->is_key_server = (Boolean) body->key_server; @@ -1076,7 +1075,6 @@ static int ieee802_1x_mka_decode_live_peer_body( peer = ieee802_1x_kay_get_peer(participant, peer_mi->mi); if (peer) { peer->mn = peer_mn; - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; } else if (!ieee802_1x_kay_create_potential_peer( participant, peer_mi->mi, peer_mn)) { return -1; @@ -1350,7 +1348,7 @@ ieee802_1x_mka_decode_sak_use_body( } } if (!found) { - wpa_printf(MSG_WARNING, "KaY: Latest key is invalid"); + wpa_printf(MSG_INFO, "KaY: Latest key is invalid"); return -1; } if (os_memcmp(participant->lki.mi, body->lsrv_mi, @@ -3041,12 +3039,14 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, { struct ieee802_1x_mka_participant *participant; struct ieee802_1x_mka_hdr *hdr; + struct ieee802_1x_kay_peer *peer; size_t body_len; size_t left_len; u8 body_type; int i; const u8 *pos; Boolean handled[256]; + Boolean bad_sak_use = FALSE; /* Error detected while processing SAK Use parameter set */ if (ieee802_1x_kay_mkpdu_sanity_check(kay, buf, len)) return -1; @@ -3121,8 +3121,26 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, handled[body_type] = TRUE; if (body_type < ARRAY_SIZE(mka_body_handler) && mka_body_handler[body_type].body_rx) { - mka_body_handler[body_type].body_rx - (participant, pos, left_len); + if (mka_body_handler[body_type].body_rx + (participant, pos, left_len) != 0) { + /* Handle parameter set failure */ + if (body_type == MKA_SAK_USE) { + /* Ideally DIST-SAK should be processed before + * SAK-USE. Unfortunately IEEE8021X-2010 Clause + * 11.11.3 Encoding MKPDUs states SAK-USE(3) + * must always be encoded before DIST-SAK(4). + * Rather than redesigning mka_body_handler so + * that it somehow processes DIST-SAK before + * SAK-USE, just ignore SAK-USE failures if + * DIST-SAK is also present in this MKPDU. */ + bad_sak_use = TRUE; + } else { + wpa_printf(MSG_INFO, + "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", + body_type); + return -1; + } + } } else { wpa_printf(MSG_ERROR, "The type %d is not supported in this MKA version %d", @@ -3130,6 +3148,18 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, } } + if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) { + wpa_printf(MSG_INFO, + "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", + MKA_SAK_USE); + return -1; + } + + /* Only update live peer watchdog after successful decode of all parameter sets */ + peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); + if (peer) + peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; + kay->active = TRUE; participant->retry_count = 0; participant->active = TRUE;