Message ID | 20180302201103.16264-3-msiedzik@extremenetworks.com |
---|---|
State | Accepted |
Series | MKA bugfixes and enhancements |

On Fri, Mar 02, 2018 at 03:10:50PM -0500, msiedzik@extremenetworks.com wrote:
> Upon receipt of the "MACsec MKPDU SAK Use parameter set" the KaY verifies
> that both the latest key and the old key are valid. If the local system
> reboots or is reinitialized, the KaY won't have a copy of its old key.
> Therefore if the KaY does not have a copy of its old key it should not
> reject MKPDUs that contain old key data in the MACsec SAK Use parameter.

Thanks, applied.

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index beaae58f0..d77f81b7b 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1336,8 +1336,9 @@ ieee802_1x_mka_decode_sak_use_body( } } - /* check old key is valid */ - if (body->otx || body->orx) { + /* check old key is valid (but only if we remember our old key) */ + if ((participant->oki.kn != 0) && + (body->otx || body->orx)) { if (os_memcmp(participant->oki.mi, body->osrv_mi, sizeof(participant->oki.mi)) != 0 || be_to_host32(body->okn) != participant->oki.kn ||
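
Review bot: The new guard `(participant->oki.kn != 0)` in ieee802_1x_mka_decode_sak_use_body() uses a key number of 0 as the marker for "no old key remembered", but nothing in the hunk states that 0 can never be a valid key number, so the check depends on an undocumented invariant. Consider documenting that invariant where `participant->oki` is initialised, or wrapping the test in a small named helper so the intent is explicit at the call site. Note also that when the guard is false and the peer sets `body->otx` or `body->orx`, the peer's `osrv_mi` and `okn` are now accepted with no comparison at all; a debug log line on that path would make the skipped validation visible when diagnosing a session after a reboot. Minor style point: the parentheses around `participant->oki.kn != 0` are redundant.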