From patchwork Fri Mar 2 20:10:49 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880850
Subject: [PATCH 01/15] mka: When matching CKNs ensure that lengths are identical
Date: Fri, 2 Mar 2018 15:10:49 -0500
Message-ID: <20180302201103.16264-2-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

KaY looks up participants using CAK Name (CKN). Per IEEE802.1X-2010 Clause 9.3.1 CAK identification, the CKN is an integral number of octets, between 1 and 32 (inclusive). This fix will ensure that the KaY does not inadvertently match CKNs such as 'myCakNamedFoo' and 'myCakNamedFooBar'.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index cad0292ec..beaae58f0 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -245,14 +245,15 @@ ieee802_1x_mka_dump_sak_use_body(struct ieee802_1x_mka_sak_use_body *body) * ieee802_1x_kay_get_participant - */ static struct ieee802_1x_mka_participant * -ieee802_1x_kay_get_participant(struct ieee802_1x_kay *kay, const u8 *ckn) +ieee802_1x_kay_get_participant(struct ieee802_1x_kay *kay, const u8 *ckn, size_t len) { struct ieee802_1x_mka_participant *participant; dl_list_for_each(participant, &kay->participant_list, struct ieee802_1x_mka_participant, list) { - if (os_memcmp(participant->ckn.name, ckn, - participant->ckn.len) == 0) + if ((participant->ckn.len == len) && + (os_memcmp(participant->ckn.name, ckn, + participant->ckn.len) == 0)) return participant; } @@ -748,6 +749,8 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, struct ieee802_1x_mka_participant *participant; const struct ieee802_1x_mka_basic_body *body; struct ieee802_1x_kay_peer *peer; + size_t ckn_len; + size_t body_len; body = (const struct ieee802_1x_mka_basic_body *) mka_msg; @@ -761,7 +764,9 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, return NULL; } - participant = ieee802_1x_kay_get_participant(kay, body->ckn); + body_len = get_mka_param_body_len(body); + ckn_len = body_len - (sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN); + participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len); if (!participant) { wpa_printf(MSG_DEBUG, "Peer is not included in my CA"); return NULL; @@ -2856,6 +2861,7 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay, size_t mka_msg_len; struct ieee802_1x_mka_participant *participant; size_t body_len; + size_t ckn_len; u8 icv[MAX_ICV_LEN]; u8 *msg_icv; 
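Review bot: in the ieee802_1x_mka_decode_basic_body hunk, `ckn_len = body_len - (sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN);` is computed with no lower or upper bound check, and it is the same expression that the ieee802_1x_kay_mkpdu_sanity_check hunk does range-check, so this call site is only safe because the sanity check always runs first; factor the expression into one small static helper (a hypothetical `mka_basic_body_ckn_len()`, say) that both places call, and leave a comment here stating that the length has already been validated. Both this line and the new `ieee802_1x_kay_get_participant(struct ieee802_1x_kay *kay, const u8 *ckn, size_t len)` prototype in the first hunk exceed 80 columns, and `if ((participant->ckn.len == len) && (os_memcmp(...) == 0))` carries redundant parentheses; hostap style is `if (participant->ckn.len == len && os_memcmp(...) == 0)` wrapped at 80.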
@@ -2895,8 +2901,16 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay, return -1; } + ckn_len = body_len - (sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN); + if ((ckn_len < 1) || (ckn_len > MAX_CKN_LEN)) { + wpa_printf(MSG_ERROR, + "KaY: Received EAPOL-MKA CKN Length (%zu bytes) is out of range (<=%u bytes)", + ckn_len, MAX_CKN_LEN); + return -1; + } + /* CKN should be owned by I */ - participant = ieee802_1x_kay_get_participant(kay, body->ckn); + participant = ieee802_1x_kay_get_participant(kay, body->ckn, ckn_len); if (!participant) { wpa_printf(MSG_DEBUG, "CKN is not included in my CA"); return -1; @@ -3403,7 +3417,7 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn) wpa_printf(MSG_DEBUG, "KaY: participant removed"); /* get the participant */ - participant = ieee802_1x_kay_get_participant(kay, ckn->name); + participant = ieee802_1x_kay_get_participant(kay, ckn->name, ckn->len); if (!participant) { wpa_hexdump(MSG_DEBUG, "KaY: participant is not found", ckn->name, ckn->len); 
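Review bot: in the ieee802_1x_kay_mkpdu_sanity_check hunk, the new range check rejects `ckn_len < 1` as well as `ckn_len > MAX_CKN_LEN`, but the log line only says `out of range (<=%u bytes)`; print the full valid range (1..MAX_CKN_LEN) so the message matches the test. The subtraction `body_len - (sizeof(struct ieee802_1x_mka_basic_body) - MKA_HDR_LEN)` is done in size_t, so a body_len shorter than the fixed part of the basic body wraps to a huge value and is rejected only because that value happens to exceed MAX_CKN_LEN; an explicit `body_len < sizeof(...) - MKA_HDR_LEN` check before the subtraction makes the intent clear and survives a later change to the upper-bound check. This is also a malformed frame from a peer, and the neighbouring rejections in these hunks ("Peer is not included in my CA", "CKN is not included in my CA") log at MSG_DEBUG; MSG_ERROR lets any attached station fill the log with one bad frame per line, so MSG_INFO or MSG_DEBUG is the better level.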
@@ -3462,7 +3476,7 @@ void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay, if (!kay || !ckn) return; - participant = ieee802_1x_kay_get_participant(kay, ckn->name); + participant = ieee802_1x_kay_get_participant(kay, ckn->name, ckn->len); if (!participant) return;
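The prefix-match defect that PATCH 01/15 fixes, and the CKN length derivation its sanity check adds, modelled as an added C example that is not hostap code: the parameter set layout, the constants and the participant struct are simplified assumptions made here, not hostap's definitions, and the two CKNs are the constructed values from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants (not hostap's definitions): a 4-octet parameter set
 * header, a 12-octet Member Identifier, and the 1..32 octet CKN range from
 * IEEE 802.1X-2010 Clause 9.3.1. */
#define MKA_HDR_LEN 4
#define MI_LEN 12
#define MAX_CKN_LEN 32

/* Assumed Basic Parameter Set size: header + actor MI + actor MN (4) +
 * algorithm agility (4). The fixed-part length mirrors the patch's
 * "sizeof(basic_body) - MKA_HDR_LEN" term under this layout. */
#define BASIC_BODY_SIZE (MKA_HDR_LEN + MI_LEN + 4 + 4)
#define BASIC_BODY_FIXED_LEN (BASIC_BODY_SIZE - MKA_HDR_LEN)

struct participant {
	uint8_t ckn[MAX_CKN_LEN];
	size_t ckn_len;
};

/* Before the patch: only the stored CKN's own length is compared, so any
 * received CKN that merely starts with the stored one matches. */
static const struct participant *
lookup_prefix_only(const struct participant *list, size_t n,
		   const uint8_t *ckn)
{
	for (size_t i = 0; i < n; i++)
		if (memcmp(list[i].ckn, ckn, list[i].ckn_len) == 0)
			return &list[i];
	return NULL;
}

/* After the patch: lengths must be identical before any octet is compared. */
static const struct participant *
lookup_exact(const struct participant *list, size_t n,
	     const uint8_t *ckn, size_t len)
{
	for (size_t i = 0; i < n; i++)
		if (list[i].ckn_len == len && memcmp(list[i].ckn, ckn, len) == 0)
			return &list[i];
	return NULL;
}

/* Derive the CKN length from the parameter set body length carried in the
 * MKPDU. Returns 0 for anything outside 1..MAX_CKN_LEN. The lower-bound
 * check runs first so the size_t subtraction can never wrap. */
size_t ckn_len_from_body_len(size_t body_len)
{
	size_t ckn_len;

	if (body_len < BASIC_BODY_FIXED_LEN)
		return 0;
	ckn_len = body_len - BASIC_BODY_FIXED_LEN;
	if (ckn_len < 1 || ckn_len > MAX_CKN_LEN)
		return 0;
	return ckn_len;
}

/* Constructed data from the commit message: the KaY knows 'myCakNamedFoo'
 * and receives an MKPDU whose CKN is 'myCakNamedFooBar'. */
static const char KNOWN_CKN[] = "myCakNamedFoo";
static const char RECEIVED_CKN[] = "myCakNamedFooBar";

static void init_known_participant(struct participant *p)
{
	memset(p, 0, sizeof(*p));
	memcpy(p->ckn, KNOWN_CKN, strlen(KNOWN_CKN));
	p->ckn_len = strlen(KNOWN_CKN);
}

/* Returns 1 if the pre-patch lookup wrongly accepts the longer CKN. */
int prefix_lookup_matches_longer_ckn(void)
{
	struct participant p;

	init_known_participant(&p);
	return lookup_prefix_only(&p, 1, (const uint8_t *) RECEIVED_CKN) != NULL;
}

/* Returns 1 if the patched lookup rejects the longer CKN but still accepts
 * the exact one, with both lengths derived from well-formed body lengths. */
int exact_lookup_rejects_longer_ckn(void)
{
	struct participant p;
	size_t len_long, len_exact;

	init_known_participant(&p);
	len_long = ckn_len_from_body_len(BASIC_BODY_FIXED_LEN + strlen(RECEIVED_CKN));
	len_exact = ckn_len_from_body_len(BASIC_BODY_FIXED_LEN + strlen(KNOWN_CKN));
	return len_long == strlen(RECEIVED_CKN) &&
	       len_exact == strlen(KNOWN_CKN) &&
	       lookup_exact(&p, 1, (const uint8_t *) RECEIVED_CKN, len_long) == NULL &&
	       lookup_exact(&p, 1, (const uint8_t *) KNOWN_CKN, len_exact) == &p;
}
```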
Subject: [PATCH 02/15] mka: Ignore MACsec SAK Use Old Key parameter if we don't remember our old key
Date: Fri, 2 Mar 2018 15:10:50 -0500
Message-ID: <20180302201103.16264-3-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

Upon receipt of the "MACsec MKPDU SAK Use parameter set" the KaY verifies that both the latest key and the old key are valid. If the local system reboots or is reinitialized, the KaY won't have a copy of its old key. Therefore if the KaY does not have a copy of its old key it should not reject MKPDUs that contain old key data in the MACsec SAK Use parameter.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.11.1
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index beaae58f0..d77f81b7b 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1336,8 +1336,9 @@ ieee802_1x_mka_decode_sak_use_body( } } - /* check old key is valid */ - if (body->otx || body->orx) { + /* check old key is valid (but only if we remember our old key) */ + if ((participant->oki.kn != 0) && + (body->otx || body->orx)) { if (os_memcmp(participant->oki.mi, body->osrv_mi, sizeof(participant->oki.mi)) != 0 || be_to_host32(body->okn) != participant->oki.kn ||
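Review bot: in the ieee802_1x_mka_decode_sak_use_body hunk, `participant->oki.kn != 0` is used as the sentinel for "we have no old key", which is only sound if oki is zeroed on (re)initialisation and a key number can never legitimately be 0; the new comment only says "but only if we remember our old key", so state that assumption there. When the sentinel short-circuits the test, the old-key fields of the peer's SAK Use parameter set are accepted unverified, so add a wpa_printf(MSG_DEBUG, ...) on that path so an operator reading the log can tell "old key checked and matched" from "old key check skipped". The parentheses around each operand of `&&` are redundant in hostap style.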
Subject: [PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"
Date: Fri, 2 Mar 2018 15:10:51 -0500
Message-ID: <20180302201103.16264-4-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

Commit 7b4d546e introduced policy setting SHOULD_ENCRYPT (MACsec provides integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides integrity only). In both cases the KaY is populating the "Confidentiality Offset" parameter within the "Distributed SAK parameter set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the parameter should be populated with CONFIDENTIALITY_NONE=0.

IEEE802.1X-2010 Table 11-6 and Figure 11-11 define how the two Confidentiality Offset bits in the "Distributed SAK parameter set" must be set: "0 if confidentiality not used" and "1 if confidentiality with no offset". When policy is SHOULD_SECURE KaY should send the former, and when policy is SHOULD_ENCRYPT KaY should send the latter.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index d77f81b7b..41e5a07e6 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3159,6 +3159,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED; kay->macsec_desired = FALSE; kay->macsec_protect = FALSE; + kay->macsec_encrypt = FALSE; kay->macsec_validate = Disabled; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0;
@@ -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, } else { kay->macsec_desired = TRUE; kay->macsec_protect = TRUE; - kay->macsec_encrypt = policy == SHOULD_ENCRYPT; + if (policy == SHOULD_SECURE) { + kay->macsec_encrypt = FALSE; + kay->macsec_confidentiality = CONFIDENTIALITY_NONE; + } else { /* SHOULD_ENCRYPT */ + kay->macsec_encrypt = TRUE; + kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0; + } kay->macsec_validate = Strict; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; - if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF) - kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0; - else - kay->macsec_confidentiality = CONFIDENTIALITY_NONE; } wpa_printf(MSG_DEBUG, "KaY: state machine created");
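Review bot: in the second ieee802_1x_kay_init hunk, `} else { /* SHOULD_ENCRYPT */` is reached by every policy value other than SHOULD_SECURE that did not take the earlier branch, so a future addition to enum macsec_policy would silently get encryption; use `else if (policy == SHOULD_ENCRYPT)` or a switch with an explicit default. The removed lines `- if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)` / `- kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;` / `- else kay->macsec_confidentiality = CONFIDENTIALITY_NONE;` were the only place in these hunks where the requested confidentiality was tied to what the driver reports it can do; with them gone, SHOULD_ENCRYPT sets CONFIDENTIALITY_OFFSET_0 even when macsec_capable says integrity only. If that combination is meant to be rejected rather than quietly advertised in the Distributed SAK parameter set, say so in the commit message or keep the capability check.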
Subject: [PATCH 04/15] mka: Loss of live peers should result in connect PENDING not AUTHENTICATED
Date: Fri, 2 Mar 2018 15:10:52 -0500
Message-ID: <20180302201103.16264-5-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

When the number of live peers becomes 0 the KaY is setting 'kay->authenticated' true and telling the CP to connect AUTHENTICATED. Per IEEE802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server has proved mutual authentication but has determined that Controlled Port communication should proceed without the use of MACsec", which means port traffic will be passed in the clear.

When the number of live peers becomes 0 the KaY must instead set 'kay->authenticated' false and tell the CP to connect PENDING. Per Clause 12.3 connect PENDING will "prevent connectivity by clearing the controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 41e5a07e6..fd329e610 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2393,7 +2393,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->orx = FALSE; participant->is_key_server = FALSE; participant->is_elected = FALSE; - kay->authenticated = TRUE; + kay->authenticated = FALSE; kay->secured = FALSE; kay->failed = FALSE; kay->ltx_kn = 0;
@@ -2410,7 +2410,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) ieee802_1x_delete_transmit_sa(kay, txsa); } - ieee802_1x_cp_connect_authenticated(kay->cp); + ieee802_1x_cp_connect_pending(kay->cp); ieee802_1x_cp_sm_step(kay->cp); } else { ieee802_1x_kay_elect_key_server(participant);
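Review bot: in the second ieee802_1x_participant_timer hunk, replacing ieee802_1x_cp_connect_authenticated(kay->cp) with ieee802_1x_cp_connect_pending(kay->cp) changes what happens to a link that loses all live peers from "fall back to cleartext" to "block until MKA recovers"; that is the right fail-closed behaviour for a port that was secured, but the commit message should spell out the operational consequence, because operators will now see a port that stops forwarding where it previously kept passing traffic. The timer also does not consult kay->macsec_desired (the init branch in the PATCH 03/15 hunk that sets `kay->macsec_desired = FALSE`), so confirm that forcing PENDING is the intended result for a KaY that was never asked to secure the port as well.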
Subject: [PATCH 05/15] mka: finish implementation of CP state machine "port_enabled" parameter
Date: Fri, 2 Mar 2018 15:10:53 -0500
Message-ID: <20180302201103.16264-6-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

KaY's controlled port (CP) state machine contains a 'port_enabled' parameter, but the current implementation is incomplete. There is no way to set the value, and it is ignored by the CP state machine.

A new function, ieee802_1x_kay_notify_port_enabled(), has been added that allows the system to notify KaY and CP of changes to the common port's MAC_Operational state. When port_enabled is set FALSE, the KaY will stop transmitting MKPDUs and delete all secure associations as well as all receive secure channels. When port_enabled is set TRUE, the KaY will resume MKA for all participants.

The KaY will also notify the CP whenever port_enabled changes state. When port_enabled is FALSE the CP state machine will be forced back to the INIT state, as prescribed by IEEE802.1X-2010 Figure 12-2 - CP state machine.

Additionally fixed the setting of ieee802_1x_mka_participant.active, which is used to calculate ieee802_1x_kay.active, which corresponds to ieee8021XKayMkaActive in IEEE8021X-PAE-MIB.

Additionally fixed the behavior of ieee802_1x_kay_mka_participate(), which now sets/clears ieee802_1x_mka_participant.participant. I assume this parameter is supposed to correspond to MKA.participate, which is defined in IEEE802.1X-2010 Clause 12.2 Kay Interfaces. "- MKA.participate: Set by the Logon Process to request the actor's active participation in MKA. Cleared by the Logon process to request the actor to cease participation." Currently no process in hostap calls ieee802_1x_kay_mka_participate(), but if one ever does in the future the function should now work.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_cp.c    |  13 +++++-
 src/pae/ieee802_1x_cp.h    |   1 +
 src/pae/ieee802_1x_kay.c   | 103 ++++++++++++++++++++++++++++++++++++++++++---
 src/pae/ieee802_1x_kay.h   |   2 +
 src/pae/ieee802_1x_kay_i.h |   4 +-
 5 files changed, 114 insertions(+), 9 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index 360fcd3f5..e6b2767e2 100644
--- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c @@ -126,7 +126,6 @@ SM_STATE(CP, INIT) sm->otx = FALSE; sm->orx = FALSE; - sm->port_enabled = TRUE; sm->chgd_server = FALSE; } @@ -448,6 +447,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay) sm->replay_window = kay->macsec_replay_window; sm->controlled_port_enabled = FALSE; + sm->port_enabled = TRUE; sm->lki = NULL; sm->lrx = FALSE; @@ -693,6 +693,17 @@ void ieee802_1x_cp_set_usingtransmitas(void *cp_ctx, Boolean status) /** + * ieee802_1x_cp_set_portenabled - + * @status: indicates MAC_Operational status of the common port + */ +void ieee802_1x_cp_set_portenabled(void *cp_ctx, Boolean status) +{ + struct ieee802_1x_cp_sm *sm = cp_ctx; + sm->port_enabled = status; +} + + +/** * ieee802_1x_cp_sm_step - Advance EAPOL state machines * @sm: EAPOL state machine * diff --git a/src/pae/ieee802_1x_cp.h b/src/pae/ieee802_1x_cp.h index 695629e5c..0d5358666 100644 --- a/src/pae/ieee802_1x_cp.h +++ b/src/pae/ieee802_1x_cp.h @@ -36,5 +36,6 @@ void ieee802_1x_cp_set_usingreceivesas(void *cp_ctx, Boolean status); void ieee802_1x_cp_set_allreceiving(void *cp_ctx, Boolean status); void ieee802_1x_cp_set_servertransmitting(void *cp_ctx, Boolean status); void ieee802_1x_cp_set_usingtransmitas(void *cp_ctx, Boolean status); +void ieee802_1x_cp_set_portenabled(void *cp_ctx, Boolean status); #endif /* IEEE802_1X_CP_H */ diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index fd329e610..17519ae69 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -772,6 +772,11 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, return NULL; } + if (!participant->participant) { + wpa_printf(MSG_MSGDUMP, "KaY: MKA participation disabled"); + return NULL; + } + /* If the peer's MI is my MI, I will choose new MI */ if (os_memcmp(body->actor_mi, participant->mi, MI_LEN) == 0) { if (!reset_participant_mi(participant)) 
@@ -1240,7 +1245,6 @@ ieee802_1x_mka_encode_sak_use_body( /* set CP's variable */ if (body->ltx) { kay->tx_enable = TRUE; - kay->port_enable = TRUE; } if (body->lrx) kay->rx_enable = TRUE; @@ -2329,6 +2333,28 @@ static void ieee802_1x_delete_transmit_sa(struct ieee802_1x_kay *kay, /** + * ieee802_1x_kay_recalc_mka_active - + */ +static void +ieee802_1x_kay_recalc_mka_active(struct ieee802_1x_kay *kay) +{ + struct ieee802_1x_mka_participant *participant; + Boolean active = FALSE; + + /* Recalculate KaY active (ieee8021XKayMkaActive) */ + dl_list_for_each(participant, &kay->participant_list, + struct ieee802_1x_mka_participant, list) { + if (participant->active) { + active = TRUE; + break; + } + } + + kay->active = active; +} + + +/** * ieee802_1x_participant_timer - */ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) @@ -2338,6 +2364,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) struct ieee802_1x_kay_peer *peer, *pre_peer; time_t now = time(NULL); Boolean lp_changed; + Boolean participate; struct receive_sc *rxsc, *pre_rxsc; struct transmit_sa *txsa, *pre_txsa; @@ -2348,6 +2375,10 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) goto delete_mka; } + /* only participate in MKA (i.e., transmit MKPDUs) if port + * is enabled and participant has not been disabled */ + participate = kay->port_enable && participant->participant; + /* should delete MKA instance if there are not live peers * when the MKA life elapsed since its creating */ if (participant->mka_life) { @@ -2362,7 +2393,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) lp_changed = FALSE; dl_list_for_each_safe(peer, pre_peer, &participant->live_peers, struct ieee802_1x_kay_peer, list) { - if (now > peer->expire) { + if (!participate || (now > peer->expire)) { wpa_printf(MSG_DEBUG, "KaY: Live peer removed"); wpa_hexdump(MSG_DEBUG, "\tMI: ", peer->mi, sizeof(peer->mi)); 
@@ -2420,7 +2451,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) dl_list_for_each_safe(peer, pre_peer, &participant->potential_peers, struct ieee802_1x_kay_peer, list) { - if (now > peer->expire) { + if (!participate || (now > peer->expire)) { wpa_printf(MSG_DEBUG, "KaY: Potential peer removed"); wpa_hexdump(MSG_DEBUG, "\tMI: ", peer->mi, sizeof(peer->mi)); @@ -2430,6 +2461,12 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) } } + if (!participate) { + participant->active = FALSE; + ieee802_1x_kay_recalc_mka_active(kay); + return; + } + if (participant->new_sak) { if (!ieee802_1x_kay_generate_new_sak(participant)) participant->to_dist_sak = TRUE; @@ -2836,7 +2873,7 @@ int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay) struct ieee802_1x_mka_participant *principal; principal = ieee802_1x_kay_get_principal_participant(kay); - if (!principal) + if (!principal || !principal->participant) return -1; if (principal->retry_count < MAX_RETRY_CNT || principal->mode == PSK) { @@ -3321,7 +3358,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn, participant->cached = FALSE; participant->active = FALSE; - participant->participant = FALSE; + participant->participant = TRUE; participant->retain = FALSE; participant->activate = DEFAULT; @@ -3465,6 +3502,8 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn) os_memset(&participant->kek, 0, sizeof(participant->kek)); os_memset(&participant->ick, 0, sizeof(participant->ick)); os_free(participant); + + ieee802_1x_kay_recalc_mka_active(kay); } 
@@ -3484,7 +3523,57 @@ void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay, if (!participant) return; - participant->active = status; + if (participant->participant == status) + return; + + participant->participant = status; + + if (status) { + /* Restart timer immediately if both port and participant are enabled */ + if (kay->port_enable) { + eloop_register_timeout(0, 0, ieee802_1x_participant_timer, + participant, NULL); + } + } else { + participant->active = FALSE; + ieee802_1x_kay_recalc_mka_active(kay); + } +} + + +/** + * ieee802_1x_kay_notify_port_enabled - + */ +void ieee802_1x_kay_notify_port_enabled(struct ieee802_1x_kay *kay, + Boolean enabled) +{ + struct ieee802_1x_mka_participant *participant; + unsigned int usecs; + + if (kay->port_enable == enabled) + return; + + wpa_printf(MSG_DEBUG, "KaY: External notification - " + "portEnabled=%d", enabled); + + kay->port_enable = enabled; + + ieee802_1x_cp_set_portenabled(kay->cp, enabled); + + if (!enabled) { + /* Existing participants will be cleaned up next time their timers expire */ + kay->active = FALSE; + } else { + /* Staggered restart of participant timers */ + dl_list_for_each(participant, &kay->participant_list, + struct ieee802_1x_mka_participant, list) { + if (participant->participant) { + usecs = os_random() % (MKA_HELLO_TIME * 1000); + eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, + participant, NULL); + } + } + } } @@ -3575,6 +3664,7 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, return 0; len = os_snprintf(buf, buflen, + "Port status=%s\n" "PAE KaY status=%s\n" "Authenticated=%s\n" "Secured=%s\n" @@ -3584,6 +3674,7 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, "Is Key Server=%s\n" "Number of Keys Distributed=%u\n" "Number of Keys Received=%u\n", + kay->port_enable ? "Enabled" : "Disabled", kay->active ? "Active" : "Not-Active", kay->authenticated ? "Yes" : "No", kay->secured ? "Yes" : "No", 
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 8f394fd96..8c1a3b2fa 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -249,6 +249,8 @@ void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay, struct mka_key_name *ckn, Boolean status); +void ieee802_1x_kay_notify_port_enabled(struct ieee802_1x_kay *kay, + Boolean enabled); int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay); int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay, unsigned int cs_index); diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h index bc522d898..c10851d2d 100644 --- a/src/pae/ieee802_1x_kay_i.h +++ b/src/pae/ieee802_1x_kay_i.h 
@@ -90,8 +90,8 @@ struct ieee802_1x_mka_participant { Boolean cached; /* used by management to monitor and control activation */ - Boolean active; - Boolean participant; + Boolean active; /* used to calculate ieee8021XKayMkaActive (IEEE8021X-PAE-MIB) */ + Boolean participant; /* MKA.participate, from IEEE802.1X-2010, Clause 12.2 */ Boolean retain; enum mka_created_mode mode;
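Review bot: ieee802_1x_cp_set_portenabled() in the ieee802_1x_cp.c hunk only stores the flag, and ieee802_1x_kay_notify_port_enabled() does not call ieee802_1x_cp_sm_step() after invoking it, so the forced transition to INIT that the commit message describes is only taken when something else next steps the CP machine; step it from the notify path, or document that the caller must. The new kerneldoc headers ("ieee802_1x_cp_set_portenabled -", "ieee802_1x_kay_recalc_mka_active -", "ieee802_1x_kay_notify_port_enabled -") also have empty summaries, and the first is missing its @cp_ctx line.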
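Review bot: removing `kay->port_enable = TRUE;` from ieee802_1x_mka_encode_sak_use_body() leaves ieee802_1x_kay_notify_port_enabled() as the only place in this patch that sets kay->port_enable TRUE. Unless ieee802_1x_kay_init() already initialises it TRUE (not shown here), `participate = kay->port_enable && participant->participant;` in ieee802_1x_participant_timer() evaluates FALSE for every participant until the first notification arrives, and no MKPDUs are ever sent on systems that never call the new function; either initialise the field explicitly or state the required call in the commit message.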
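Review bot: the new `if (!participate) { participant->active = FALSE; ...; return; }` in ieee802_1x_participant_timer() returns before the eloop_register_timeout() at the end of that function, so the participant's timer chain stops and is only restarted by ieee802_1x_kay_mka_participate() or ieee802_1x_kay_notify_port_enabled(); that matches the commit message, but a comment at the return would stop the next reader from taking it for a lost timer. Clearing live and potential peers is the only teardown visible in this hunk, whereas the commit message promises deletion of all SAs and receive SCs on port down; confirm the peer-removal path that follows "Live peer removed" does that.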
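Review bot: both ieee802_1x_kay_mka_participate() and ieee802_1x_kay_notify_port_enabled() register a fresh ieee802_1x_participant_timer() without cancelling one that may still be queued (a participant disabled and re-enabled within one hello interval still has its earlier timer pending, because the timer only stops re-arming once it fires with participate FALSE). That yields two timer chains per participant, each transmitting MKPDUs; call eloop_cancel_timeout(ieee802_1x_participant_timer, participant, NULL) before registering, or skip registration when eloop_is_timeout_registered() reports one queued. Separately, the !enabled branch sets kay->active = FALSE but leaves each participant->active TRUE until its timer fires, so an intervening ieee802_1x_kay_delete_mka() runs ieee802_1x_kay_recalc_mka_active() and flips kay->active back to TRUE while the port is down; clear participant->active in the same loop.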
Subject: [PATCH 06/15] mka: KaY setting Parameter Set Body Length incorrectly
Date: Fri, 2 Mar 2018 15:10:54 -0500
Message-ID: <20180302201103.16264-7-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik
From: Mike Siedzik

Per IEEE802.1X-2010 Clause 11.11 EAPOL-MKA, each parameter set must be padded to a multiple of 4 octets. In order for the length of variable length parameters, such as CAK Name, to be correctly decoded the parameter set body length must not include the length of null padding octets. When allocating buffer space for the parameter set (e.g., wpabuf_put()) the padded length must be used. When setting the 'Parameter set body length' within the parameter set the unpadded length must be used.

Consider the case where the length of a PSK's CKN is not a multiple of 4 octets. Currently ieee802_1x_mka_encode_basic_body() will correctly reserve the padded number of buffer bytes. However it will incorrectly set ieee802_1x_mka_hdr->length and ->length1 to the padded number of bytes. The receiver will not be able to recover the original CKN length.

Note that hostap will successfully interoperate with itself because both sides incorrectly calculate CKN length. The problem is only seen when interoperating with non-hostap KaYs.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 17519ae69..70fda1f2d 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -681,7 +681,7 @@ ieee802_1x_mka_basic_body_length(struct ieee802_1x_mka_participant *participant) length = sizeof(struct ieee802_1x_mka_basic_body); length += participant->ckn.len; - return MKA_ALIGN_LENGTH(length); + return length; } @@ -697,7 +697,7 @@ ieee802_1x_mka_encode_basic_body( struct ieee802_1x_kay *kay = participant->kay; unsigned int length = ieee802_1x_mka_basic_body_length(participant); - body = wpabuf_put(buf, length); + body = wpabuf_put(buf, MKA_ALIGN_LENGTH(length)); body->version = kay->mka_version; body->priority = kay->actor_priority;
@@ -856,7 +856,7 @@ ieee802_1x_mka_get_live_peer_length( struct ieee802_1x_kay_peer, list) len += sizeof(struct ieee802_1x_mka_peer_id); - return MKA_ALIGN_LENGTH(len); + return len; } @@ -916,7 +916,7 @@ ieee802_1x_mka_get_potential_peer_length( struct ieee802_1x_kay_peer, list) len += sizeof(struct ieee802_1x_mka_peer_id); - return MKA_ALIGN_LENGTH(len); + return len; } @@ -1139,7 +1139,7 @@ ieee802_1x_mka_get_sak_use_length( if (participant->kay->macsec_desired && participant->advised_desired) length = sizeof(struct ieee802_1x_mka_sak_use_body); - return MKA_ALIGN_LENGTH(length); + return length; } @@ -1189,7 +1189,7 @@ ieee802_1x_mka_encode_sak_use_body( u32 pn = 1; length = ieee802_1x_mka_get_sak_use_length(participant); - body = wpabuf_put(buf, length); + body = wpabuf_put(buf, MKA_ALIGN_LENGTH(length)); body->type = MKA_SAK_USE; set_mka_param_body_len(body, length - MKA_HDR_LEN); @@ -1439,7 +1439,7 @@ ieee802_1x_mka_get_dist_sak_length( length += cipher_suite_tbl[cs_index].sak_len + 8; } - return MKA_ALIGN_LENGTH(length); + return length; } @@ -1458,7 +1458,7 @@ ieee802_1x_mka_encode_dist_sak_body( int sak_pos; length = ieee802_1x_mka_get_dist_sak_length(participant); - body = wpabuf_put(buf, length); + body = wpabuf_put(buf, MKA_ALIGN_LENGTH(length)); body->type = MKA_DISTRIBUTED_SAK; set_mka_param_body_len(body, length - MKA_HDR_LEN); if (length == MKA_HDR_LEN) { @@ -1683,7 +1683,7 @@ ieee802_1x_mka_get_icv_length(struct ieee802_1x_mka_participant *participant) length = sizeof(struct ieee802_1x_mka_icv_body); length += mka_alg_tbl[participant->kay->mka_algindex].icv_len; - return MKA_ALIGN_LENGTH(length); + return length; } @@ -1713,7 +1713,7 @@ ieee802_1x_mka_encode_icv_body(struct ieee802_1x_mka_participant *participant, if (length != DEFAULT_ICV_LEN) length -= MKA_HDR_LEN; - os_memcpy(wpabuf_put(buf, length), cmac, length); + os_memcpy(wpabuf_put(buf, MKA_ALIGN_LENGTH(length - MKA_HDR_LEN)), cmac, length - MKA_HDR_LEN); return 0; } 
@@ -2297,7 +2297,7 @@ ieee802_1x_participant_send_mkpdu( for (i = 0; i < ARRAY_SIZE(mka_body_handler); i++) { if (mka_body_handler[i].body_present && mka_body_handler[i].body_present(participant)) - length += mka_body_handler[i].body_length(participant); + length += MKA_ALIGN_LENGTH(mka_body_handler[i].body_length(participant)); } buf = wpabuf_alloc(length); @@ -2931,7 +2931,7 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay, ieee802_1x_mka_dump_basic_body(body); body_len = get_mka_param_body_len(body); /* EAPOL-MKA body should comprise basic parameter set and ICV */ - if (mka_msg_len < MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN) { + if (mka_msg_len < MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) + DEFAULT_ICV_LEN) { wpa_printf(MSG_ERROR, "KaY: Received EAPOL-MKA Packet Body Length (%zu bytes) is less than the Basic Parameter Set Header Length (%zu bytes) + the Basic Parameter Set Body Length (%zu bytes) + %d bytes of ICV", mka_msg_len, MKA_HDR_LEN, @@ -3020,7 +3020,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, /* to skip basic parameter set */ hdr = (struct ieee802_1x_mka_hdr *) pos; - body_len = get_mka_param_body_len(hdr); + body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr)); pos += body_len + MKA_HDR_LEN; left_len -= body_len + MKA_HDR_LEN; 
@@ -3060,7 +3060,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, pos += body_len + MKA_HDR_LEN, left_len -= body_len + MKA_HDR_LEN) { hdr = (struct ieee802_1x_mka_hdr *) pos; - body_len = get_mka_param_body_len(hdr); + body_len = MKA_ALIGN_LENGTH(get_mka_param_body_len(hdr)); body_type = get_mka_param_body_type(hdr); if (body_type == MKA_ICV_INDICATOR)
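Review bot: MKA_HDR_LEN is subtracted twice in ieee802_1x_mka_encode_icv_body(): the unchanged `if (length != DEFAULT_ICV_LEN) length -= MKA_HDR_LEN;` just above already strips the header, so the new `wpabuf_put(buf, MKA_ALIGN_LENGTH(length - MKA_HDR_LEN))` / `cmac, length - MKA_HDR_LEN` writes four octets fewer than the ICV (12 of a 16-octet ICV), and every receiver's ICV verification will fail. Because ieee802_1x_mka_get_icv_length() now returns the unpadded length, the original `os_memcpy(wpabuf_put(buf, length), cmac, length);` is already correct and this line should be left as it was.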
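Review bot: in ieee802_1x_kay_mkpdu_sanity_check() the comparison now uses MKA_ALIGN_LENGTH(body_len), but the MSG_ERROR text that follows still reports the unaligned body_len, so the printed lengths will not sum to the threshold that was actually applied; print the aligned value (or both).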
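Review bot: ieee802_1x_kay_decode_mkpdu() now assigns the aligned value to body_len and then does `left_len -= body_len + MKA_HDR_LEN` with it, while the sanity check only validated the basic parameter set; the per-parameter-set bound in the loop (outside this hunk) must therefore compare the aligned `body_len + MKA_HDR_LEN` against left_len before the subtraction, otherwise a parameter set whose padded length overruns the MKPDU makes left_len wrap and the loop read past the buffer. If any body handler called from this loop takes body_len as an argument and derives a variable field's size from it (CKN, peer lists), it now receives the padded length and is back to the over-long decoding this patch fixes; those handlers should read get_mka_param_body_len(hdr) themselves.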
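As an added example (not hostap code and not part of this patch), the following encoder and decoder apply the rule in the commit message to a Basic Parameter Set: reserve the padded length in the buffer, store the unpadded length in the length field, and walk the message with the aligned length while bounds-checking against the padded size. The demo_ names, the 32-octet fixed part and the 128-octet buffer are this example's assumptions; MKA_HDR_LEN and MKA_ALIGN_LENGTH mirror the hostap macros the patch uses.

```c
/* Added example, not hostap code: the IEEE802.1X-2010 Clause 11.11 length rule
 * this patch fixes. demo_* names are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MKA_HDR_LEN 4u                                   /* as in hostap */
#define MKA_ALIGN_LENGTH(len) (((len) + 3u) & ~(size_t)3) /* as in hostap */

/* Basic Parameter Set: 4 header octets (version, priority, flags + length high
 * nibble, length low octet), a fixed 28-octet part (SCI, actor MI, MN,
 * algorithm agility), then the CKN. The length field excludes the header. */
#define DEMO_BASIC_FIXED_LEN 32u
#define DEMO_MAX_CKN 32u
#define DEMO_BUF_LEN 128u

struct demo_buf {
	uint8_t data[DEMO_BUF_LEN];
	size_t used;
};

/* Like wpabuf_put(): reserve len zeroed octets and return their start. */
static uint8_t *demo_put(struct demo_buf *buf, size_t len)
{
	uint8_t *p = buf->data + buf->used;
	if (buf->used + len > DEMO_BUF_LEN)
		return NULL;
	memset(p, 0, len);
	buf->used += len;
	return p;
}

/* 12-bit body length: low nibble of octet 2 plus all of octet 3. */
static void demo_set_body_len(uint8_t *hdr, size_t body_len)
{
	hdr[2] = (uint8_t)((hdr[2] & 0xf0) | ((body_len >> 8) & 0x0f));
	hdr[3] = (uint8_t)(body_len & 0xff);
}

static size_t demo_get_body_len(const uint8_t *hdr)
{
	return ((size_t)(hdr[2] & 0x0f) << 8) | hdr[3];
}

/* Encode a Basic Parameter Set carrying ckn. Nonzero buggy_len reproduces the
 * pre-patch behaviour, where the length field also counts the padding. */
static int demo_encode_basic(struct demo_buf *buf, const uint8_t *ckn,
			     size_t ckn_len, int buggy_len)
{
	size_t length = DEMO_BASIC_FIXED_LEN + ckn_len;
	uint8_t *body;

	if (ckn_len > DEMO_MAX_CKN)
		return -1;
	/* Buffer space is always the padded length ... */
	body = demo_put(buf, MKA_ALIGN_LENGTH(length));
	if (!body)
		return -1;
	/* ... but the length field must not count the null padding octets. */
	demo_set_body_len(body, (buggy_len ? MKA_ALIGN_LENGTH(length) : length)
			  - MKA_HDR_LEN);
	memcpy(body + DEMO_BASIC_FIXED_LEN, ckn, ckn_len);
	return 0;
}

/* Decode: recover the CKN length and return the padded number of octets to
 * skip to the next parameter set, or 0 if msg is truncated or malformed. */
static size_t demo_decode_basic(const uint8_t *msg, size_t msg_len,
				size_t *ckn_len)
{
	size_t body_len;

	if (msg_len < DEMO_BASIC_FIXED_LEN)
		return 0;
	body_len = demo_get_body_len(msg);
	/* Bounds checks use the aligned length, as the patched sanity check does. */
	if (body_len + MKA_HDR_LEN < DEMO_BASIC_FIXED_LEN ||
	    MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) > msg_len)
		return 0;
	*ckn_len = body_len + MKA_HDR_LEN - DEMO_BASIC_FIXED_LEN;
	return MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len);
}

/* Encode a CKN of ckn_len octets, drop `truncate` trailing octets (a message
 * cut short), then decode. Returns the CKN length the receiver recovers, or
 * -1 if encoding or decoding fails. */
static int demo_roundtrip_ckn_len(size_t ckn_len, int buggy_len, size_t truncate)
{
	static const uint8_t ckn[DEMO_MAX_CKN] = { 0xab, 0xcd, 0xef }; /* constructed */
	struct demo_buf buf = { { 0 }, 0 };
	size_t got = 0;

	if (demo_encode_basic(&buf, ckn, ckn_len, buggy_len) < 0 ||
	    truncate > buf.used)
		return -1;
	if (demo_decode_basic(buf.data, buf.used - truncate, &got) == 0)
		return -1;
	return (int)got;
}
```

demo_roundtrip_ckn_len(5, 1, 0) returns 8 with the pre-patch length field and demo_roundtrip_ckn_len(5, 0, 0) returns 5, while a 16-octet CKN round-trips either way, which is why the defect only shows for CKN lengths that are not a multiple of 4.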
Subject: [PATCH 07/15] mka: Detect duplicate MAC addresses during key server election
Date: Fri, 2 Mar 2018 15:10:55 -0500
Message-ID: <20180302201103.16264-8-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik

From: Mike Siedzik

In the unlikely event the local KaY and the elected peer have the same actor priority as well as the same MAC address, log a warning message and do not elect a key server. Resolution is for the network administrator to reconfigure the MAC address.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 70fda1f2d..0c3101cd8 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c
@@ -2091,6 +2091,7 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant) struct ieee802_1x_kay_peer *key_server = NULL; struct ieee802_1x_kay *kay = participant->kay; Boolean i_is_key_server; + int priority_comparison; if (participant->is_obliged_key_server) { participant->new_sak = TRUE; 
@@ -2121,8 +2122,14 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant) tmp.key_server_priority = kay->actor_priority; os_memcpy(&tmp.sci, &kay->actor_sci, sizeof(tmp.sci)); - if (compare_priorities(&tmp, key_server) < 0) + priority_comparison = compare_priorities(&tmp, key_server); + if (priority_comparison < 0) { i_is_key_server = TRUE; + } else if (priority_comparison == 0) { + wpa_printf(MSG_WARNING, + "KaY: Cannot elect key server between me and peer, duplicate MAC detected"); + key_server = NULL; + } } else if (participant->can_be_key_server) { i_is_key_server = TRUE; }
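Review bot: the `priority_comparison == 0` branch logs at MSG_WARNING on every election pass while the condition persists (each participant timer tick and each received MKPDU re-runs ieee802_1x_kay_elect_key_server()), which will flood the log on a misconfigured link; log once per participant, or demote repeats to MSG_DEBUG. With key_server = NULL and i_is_key_server still FALSE, also confirm that the remainder of the function (not in this hunk) handles "no key server elected" cleanly, clearing any previously recorded key server rather than keeping the stale peer, since the warning text "duplicate MAC detected" is only accurate because compare_priorities() falls through to the SCI after equal priorities.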
Subject: [PATCH 08/15] mka: MKPDU SAK Use Body's Delay Protect bit set incorrectly
Date: Fri, 2 Mar 2018 15:10:56 -0500
Message-ID: <20180302201103.16264-9-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik
From: Mike Siedzik

Delay Protect and Replay Protect are two separate and distinct features of MKA. Per IEEE802.1X-2010 Clause 9.10.1 "Delay Protect, TRUE if LPNs are being reported sufficiently frequently to allow the receipt to provide data delay protection. If FALSE, the LPN can be reported as zero", and per Clause 9.10 "NOTE - Enforcement of bounded received delay necessitates transmission of MKPDUs at frequency (0.5 s) intervals, to meet a maximum data delay of 2 s while minimizing connectivity interruption due to the possibility of lost or delayed MKPDUs."

This means ieee802_1x_mka_sak_use_body.delay_protect should only be set TRUE when MKPDUs are being transmitted every 0.5 s (or faster). By default the KaY sends MKPDUs every MKA_HELLO_TIME (2.0s), so by default delay_protect should be FALSE.

A new 'u32 mka_hello_time' parameter has been added to the 'ieee802_1x_kay' data structure. If delay protection is desired, the KaY initialization code should set kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME (500ms).

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 14 +++++++++-----
 src/pae/ieee802_1x_kay.h |  2 ++
 2 files changed, 11 insertions(+), 5 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 0c3101cd8..ba2636ad6 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1205,7 +1205,7 @@ ieee802_1x_mka_encode_sak_use_body( } /* data protect, lowest accept packet number */ - body->delay_protect = kay->macsec_replay_protect; + body->delay_protect = (kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME); pn = ieee802_1x_mka_get_lpn(participant, &participant->lki); if (pn > kay->pn_exhaustion) { wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
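Review bot: in the ieee802_1x_mka_encode_sak_use_body hunk, `body->delay_protect = (kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME);` correctly decouples the flag from `kay->macsec_replay_protect`, but the LPN that follows (`pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);`) is still computed and encoded unconditionally. The 9.10.1 text quoted in the commit message allows the LPN to be reported as zero when Delay Protect is FALSE; reporting 0 in that case (and skipping the "My LPN exhaustion" warning) would avoid advertising a value that is not a valid delay bound at the default 2 s hello time. The unchanged context comment "data protect, lowest accept packet number" should read "delay protect" while you are here.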
@@ -2487,7 +2487,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->retry_count++; } - eloop_register_timeout(MKA_HELLO_TIME / 1000, 0, + eloop_register_timeout(kay->mka_hello_time / 1000, 0, ieee802_1x_participant_timer, participant, NULL); @@ -3208,6 +3208,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; kay->macsec_confidentiality = CONFIDENTIALITY_NONE; + kay->mka_hello_time = MKA_HELLO_TIME; } else { kay->macsec_desired = TRUE; kay->macsec_protect = TRUE; @@ -3221,6 +3222,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_validate = Strict; kay->macsec_replay_protect = FALSE; kay->macsec_replay_window = 0; + kay->mka_hello_time = MKA_HELLO_TIME; } wpa_printf(MSG_DEBUG, "KaY: state machine created"); @@ -3425,7 +3427,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn, wpa_hexdump(MSG_DEBUG, "KaY: Participant created:", ckn->name, ckn->len); - usecs = os_random() % (MKA_HELLO_TIME * 1000); + usecs = os_random() % (kay->mka_hello_time * 1000); eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, participant, NULL); @@ -3575,7 +3577,7 @@ void ieee802_1x_kay_notify_port_enabled(struct ieee802_1x_kay *kay, dl_list_for_each(participant, &kay->participant_list, struct ieee802_1x_mka_participant, list) { if (participant->participant) { - usecs = os_random() % (MKA_HELLO_TIME * 1000); + usecs = os_random() % (kay->mka_hello_time * 1000); eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, participant, NULL); } @@ -3681,6 +3683,7 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, "Is Key Server=%s\n" "Number of Keys Distributed=%u\n" "Number of Keys Received=%u\n", + "MKA Hello Time=%u\n", kay->port_enable ? "Enabled" : "Disabled", kay->active ? "Active" : "Not-Active", kay->authenticated ? "Yes" : "No", 
@@ -3690,7 +3693,8 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, kay->key_server_priority, kay->is_key_server ? "Yes" : "No", kay->dist_kn - 1, - kay->rcvd_keys); + kay->rcvd_keys, + kay->mka_hello_time); if (os_snprintf_error(buflen, len)) return 0; diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 8c1a3b2fa..7031c1a83 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -21,6 +21,7 @@ struct macsec_init_params; /* MKA timer, unit: millisecond */ #define MKA_HELLO_TIME 2000 +#define MKA_BOUNDED_HELLO_TIME 500 #define MKA_LIFE_TIME 6000 #define MKA_SAK_RETIRE_TIME 3000 
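Review bot: the ieee802_1x_participant_timer hunk breaks the bounded hello time it is meant to enable. `eloop_register_timeout(kay->mka_hello_time / 1000, 0, ...)` does integer division in seconds, so with MKA_BOUNDED_HELLO_TIME (500) it registers a 0 s / 0 us timeout and the participant timer re-arms immediately, sending MKPDUs in a tight loop instead of every 0.5 s. Carry the remainder in the microsecond argument: `eloop_register_timeout(kay->mka_hello_time / 1000, (kay->mka_hello_time % 1000) * 1000, ...)`. The create_mka and notify_port_enabled hunks already work in microseconds (`os_random() % (kay->mka_hello_time * 1000)`) and are fine.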
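Review bot: the ieee802_1x_kay_get_status hunk never extends the format string. The unchanged context line `"Number of Keys Received=%u\n",` ends the format string with a comma, so the added `+ "MKA Hello Time=%u\n",` is passed as the first vararg rather than concatenated into the format: every argument shifts by one (the literal is consumed by `Port Enabled=%s`, the "Enabled"/"Disabled" string lands on the next `%s`, and so on) and the trailing `kay->mka_hello_time` has no conversion. Move the comma instead, i.e. make the context line `"Number of Keys Received=%u\n"` and the added line `"MKA Hello Time=%u\n",`; -Wformat would have flagged the mismatch.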
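Review bot: both ieee802_1x_kay_init hunks set `kay->mka_hello_time = MKA_HELLO_TIME;` identically in the `if` and `else` branches, so the assignment belongs once, outside the branch. More importantly, the diffstat shows only ieee802_1x_kay.c and ieee802_1x_kay.h change, and the commit message leaves it to "the KaY initialization code" to pick MKA_BOUNDED_HELLO_TIME, so nothing in this series lets wpa_supplicant actually request delay protection; a kay_init argument or a macsec network-block parameter would make the feature reachable.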
@@ -187,6 +188,7 @@ struct ieee802_1x_kay { u32 macsec_replay_window; enum validate_frames macsec_validate; enum confidentiality_offset macsec_confidentiality; + u32 mka_hello_time; u32 ltx_kn; u8 ltx_an;

From patchwork Fri Mar 2 20:10:57 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880858
Subject: [PATCH 09/15] mka: Lowest acceptable Packet Number (LPN) calculated and used incorrectly
Date: Fri, 2 Mar 2018 15:10:57 -0500
Message-ID: <20180302201103.16264-10-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik
From: Mike Siedzik

The purpose of the Lowest Acceptable PN (lpn) parameters in the MACsec SAK Use parameter set is to enforce delay protection. Per IEEE802.1X-2010 Clause 9, "Each SecY uses MKA to communicate the lowest PN used for transmission with the SAK within the last two seconds, allowing receivers to bound transmission delays."

When encoding the SAK Use parameter set the KaY should set llpn and olpn to the lowest PN transmitted by the latest SAK and oldest SAK (if active) within the last two seconds. Because MKPDUs are transmitted every 2 seconds (MKA_HELLO_TIME), the solution implemented here calculates lpn based on the txsc->next_pn read during the previous MKPDU transmit.

Upon receiving and decoding a SAK Use parameter set with delay protection enabled, the KaY will update the SecY's lpn if the delay protect lpn is greater than the SecY's current lpn (which is a product of last PN received and replay protection and window size).

Signed-off-by: Michael Siedzik
---
 src/drivers/driver.h              |  8 +++++
 src/drivers/driver_macsec_linux.c | 43 ++++++++++++++++++++++
 src/pae/ieee802_1x_kay.c          | 76 ++++++++++++++++++++++++---------------
 src/pae/ieee802_1x_kay.h          |  1 +
 src/pae/ieee802_1x_secy_ops.c     | 21 +++++++++++
 src/pae/ieee802_1x_secy_ops.h     |  2 ++
 wpa_supplicant/driver_i.h         |  8 +++++
 wpa_supplicant/wpas_kay.c         |  7 ++++
 8 files changed, 138 insertions(+), 28 deletions(-)

-- 
2.11.1

diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 92a58b2f2..7c15e9bc8 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h
@@ -3744,6 +3744,14 @@ struct wpa_driver_ops { int (*set_transmit_next_pn)(void *priv, struct transmit_sa *sa); /** + * set_receive_lowest_pn - Set receive lowest pn + * @priv: Private driver interface data + * @sa: secure association + * Returns: 0 on success, -1 on failure (or if not supported) + */ + int (*set_receive_lowest_pn)(void *priv, struct receive_sa *sa); + + /** * create_receive_sc - create secure channel for receiving * @priv: Private driver interface data * @sc: secure channel diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c index e89b3ba14..ee0f64de3 100644 --- a/src/drivers/driver_macsec_linux.c +++ b/src/drivers/driver_macsec_linux.c @@ -670,6 +670,48 @@ static int macsec_drv_get_receive_lowest_pn(void *priv, struct receive_sa *sa) /** + * macsec_drv_set_receive_lowest_pn - Set receive lowest pn + * @priv: Private driver interface data + * @sa: secure association + * Returns: 0 on success, -1 on failure (or if not supported) + */ +static int macsec_drv_set_receive_lowest_pn(void *priv, struct receive_sa *sa) +{ + struct macsec_drv_data *drv = priv; + struct macsec_genl_ctx *ctx = &drv->ctx; + struct nl_msg *msg; + struct nlattr *nest; + int ret = -1; + + wpa_printf(MSG_DEBUG, "%s -> %d: %d", __func__, sa->an, sa->next_pn); + + msg = msg_prepare(MACSEC_CMD_UPD_RXSA, ctx, drv->ifi); + if (!msg) + return ret; + + nest = nla_nest_start(msg, MACSEC_ATTR_SA_CONFIG); + if (!nest) + goto nla_put_failure; + + NLA_PUT_U8(msg, MACSEC_SA_ATTR_AN, sa->an); + NLA_PUT_U32(msg, MACSEC_SA_ATTR_PN, sa->next_pn); + + nla_nest_end(msg, nest); + + ret = nl_send_recv(ctx->sk, msg); + if (ret < 0) { + wpa_printf(MSG_ERROR, + DRV_PREFIX "failed to communicate: %d (%s)", + ret, nl_geterror(-ret)); + } + +nla_put_failure: + nlmsg_free(msg); + return ret; +} + + +/** * macsec_drv_get_transmit_next_pn - Get transmit next PN * @priv: Private driver interface data * @sa: secure association 
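Review bot: macsec_drv_set_receive_lowest_pn pushes the wrong field to the kernel. The KaY side of this patch stores the delay-protect value in `rxsa->lowest_pn` before calling secy_set_receive_lowest_pn, but this function encodes `sa->next_pn` into MACSEC_SA_ATTR_PN (and logs `sa->next_pn` in the debug line), so the RX SA would be updated with the receive SA's next_pn rather than the new lowest PN. Use `sa->lowest_pn` in both `NLA_PUT_U32(msg, MACSEC_SA_ATTR_PN, ...)` and the `wpa_printf`, mirroring what macsec_drv_get_receive_lowest_pn reads back.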
@@ -1293,6 +1335,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = { .set_current_cipher_suite = macsec_drv_set_current_cipher_suite, .enable_controlled_port = macsec_drv_enable_controlled_port, .get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn, + .set_receive_lowest_pn = macsec_drv_set_receive_lowest_pn, .get_transmit_next_pn = macsec_drv_get_transmit_next_pn, .set_transmit_next_pn = macsec_drv_set_transmit_next_pn, .create_receive_sc = macsec_drv_create_receive_sc, diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index ba2636ad6..4ac4fdc15 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c 
@@ -1144,27 +1144,37 @@ ieee802_1x_mka_get_sak_use_length( /** - * + * ieee802_1x_mka_get_lpn */ static u32 ieee802_1x_mka_get_lpn(struct ieee802_1x_mka_participant *principal, struct ieee802_1x_mka_ki *ki) { - struct receive_sa *rxsa; - struct receive_sc *rxsc; + struct transmit_sa *txsa; u32 lpn = 0; - dl_list_for_each(rxsc, &principal->rxsc_list, struct receive_sc, list) { - dl_list_for_each(rxsa, &rxsc->sa_list, struct receive_sa, list) - { - if (is_ki_equal(&rxsa->pkey->key_identifier, ki)) { - secy_get_receive_lowest_pn(principal->kay, - rxsa); - - lpn = lpn > rxsa->lowest_pn ? - lpn : rxsa->lowest_pn; - break; - } + dl_list_for_each(txsa, &principal->txsc->sa_list, + struct transmit_sa, list) { + if (is_ki_equal(&txsa->pkey->key_identifier, ki)) { + /* Per IEEE802.1X-2010 Clase 9, "Eacy SecY uses MKA to + * communicate the lowest PN used for transmission with + * the SAK within the last two seconds". Achive this + * 2 second delay by setting the lpn using the transmit + * next PN (i.e., txsa->next_pn) that was read last + * time here (i.e., mka_hello_time 2 seconds ago). + * The lowest acceptable PN is the same as the last + * transmitted PN, which is one less than the next + * transmit PN. + * + * NOTE: this method only works if mka_hello_time is 2s. + */ + lpn = (txsa->next_pn > 0) ? (txsa->next_pn - 1) : 0; + + /* Now read the current transmit next PN for use next + * time through. */ + secy_get_transmit_next_pn(principal->kay, + txsa); + break; } } @@ -1265,7 +1275,8 @@ ieee802_1x_mka_decode_sak_use_body( struct ieee802_1x_mka_hdr *hdr; struct ieee802_1x_mka_sak_use_body *body; struct ieee802_1x_kay_peer *peer; - struct transmit_sa *txsa; + struct receive_sc *rxsc; + struct receive_sa *rxsa; struct data_key *sa_key = NULL; size_t body_len; struct ieee802_1x_mka_ki ki; 
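Review bot: the comment block in ieee802_1x_mka_get_lpn has typos ("Clase 9", "Eacy SecY", "Achive") and, more importantly, its own caveat "this method only works if mka_hello_time is 2s" contradicts patch 08 of this series, which sets delay_protect TRUE only when mka_hello_time is at or below MKA_BOUNDED_HELLO_TIME (500 ms). In the one configuration that actually advertises delay protection, `lpn = txsa->next_pn - 1` is the next_pn sampled 0.5 s ago, not the lowest PN used in the last two seconds, so a peer that honours it would reject frames delayed by more than about 0.5 s. Keep a short history of next_pn samples and report the one that is at least 2 s old, or scale the lookback to mka_hello_time, and fix the comment to match.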
@@ -1385,25 +1396,34 @@ ieee802_1x_mka_decode_sak_use_body( } found = FALSE; - dl_list_for_each(txsa, &participant->txsc->sa_list, - struct transmit_sa, list) { - if (sa_key != NULL && txsa->pkey == sa_key) { - found = TRUE; - break; + dl_list_for_each(rxsc, &participant->rxsc_list, struct receive_sc, list) { + dl_list_for_each(rxsa, &rxsc->sa_list, struct receive_sa, list) { + if (sa_key != NULL && rxsa->pkey == sa_key) { + found = TRUE; + break; + } } } if (!found) { - wpa_printf(MSG_WARNING, "KaY: Can't find txsa"); + wpa_printf(MSG_WARNING, "KaY: Can't find rxsa"); return -1; } - /* FIXME: Secy creates txsa with default npn. If MKA detected Latest Key - * npn is larger than txsa's npn, set it to txsa. - */ - secy_get_transmit_next_pn(kay, txsa); - if (lpn > txsa->next_pn) { - secy_set_transmit_next_pn(kay, txsa); - wpa_printf(MSG_INFO, "KaY: update lpn =0x%x", lpn); + if (body->delay_protect) { + secy_get_receive_lowest_pn(participant->kay, rxsa); + if (lpn > rxsa->lowest_pn) { + /* Delay protect window (communicated via MKA) is + * tighter than SecY's current replay protect window, + * so tell SecY the new (and higher) lpn. */ + rxsa->lowest_pn = lpn; + secy_set_receive_lowest_pn(participant->kay, rxsa); + wpa_printf(MSG_DEBUG, "KaY: update lpn =0x%x", lpn); + } + /* FIXME: Delay protection for olpn not implemented. + * Note that Old Key is only active for MKA_SAK_RETIRE_TIME + * (3 seconds) and delay protection does allow PN's within + * a 2 seconds window, so olpn would be a lot of work for + * just 1 second's worth of protection. */ } return 0; diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 7031c1a83..01af578fc 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h 
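Review bot: in the ieee802_1x_mka_decode_sak_use_body hunk the `break` only leaves the inner `dl_list_for_each(rxsa, &rxsc->sa_list, ...)`; the outer loop over `participant->rxsc_list` keeps going, and once an inner loop runs to completion `rxsa` is the container computed from that list's head, not a real entry. When the matching SA lives in any rxsc other than the last one, the code below (`secy_get_receive_lowest_pn(participant->kay, rxsa)`, `rxsa->lowest_pn = lpn`) dereferences a bogus pointer. Add `if (found) break;` after the inner loop. The FIXME about olpn is a fair scoping decision, but since the old key stays active for MKA_SAK_RETIRE_TIME it should at least be tracked in a follow-up rather than left as a comment.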
@@ -150,6 +150,7 @@ struct ieee802_1x_kay_ctx { int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa); int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa); int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa); + int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa); int (*create_receive_sc)(void *ctx, struct receive_sc *sc, enum validate_frames vf, enum confidentiality_offset co); diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c index ab5339bb2..4e5379ff7 100644 --- a/src/pae/ieee802_1x_secy_ops.c +++ b/src/pae/ieee802_1x_secy_ops.c @@ -216,6 +216,27 @@ int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay, } +int secy_set_receive_lowest_pn(struct ieee802_1x_kay *kay, + struct receive_sa *rxsa) +{ + struct ieee802_1x_kay_ctx *ops; + + if (!kay || !rxsa) { + wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__); + return -1; + } + + ops = kay->ctx; + if (!ops || !ops->set_receive_lowest_pn) { + wpa_printf(MSG_ERROR, + "KaY: secy set_receive_lowest_pn operation not supported"); + return -1; + } + + return ops->set_receive_lowest_pn(ops->ctx, rxsa); +} + + int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc) { struct ieee802_1x_kay_ctx *ops; diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h index 9fb29c3dd..2d112ba7c 100644 --- a/src/pae/ieee802_1x_secy_ops.h +++ b/src/pae/ieee802_1x_secy_ops.h @@ -36,6 +36,8 @@ int secy_get_transmit_next_pn(struct ieee802_1x_kay *kay, struct transmit_sa *txsa); int secy_set_transmit_next_pn(struct ieee802_1x_kay *kay, struct transmit_sa *txsa); +int secy_set_receive_lowest_pn(struct ieee802_1x_kay *kay, + struct receive_sa *txsa); int secy_create_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc); int secy_delete_receive_sc(struct ieee802_1x_kay *kay, struct receive_sc *rxsc); int secy_create_receive_sa(struct ieee802_1x_kay *kay, struct receive_sa *rxsa); 
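Review bot: secy_set_receive_lowest_pn in the ieee802_1x_secy_ops.c hunk logs at MSG_ERROR whenever `ops->set_receive_lowest_pn` is NULL, and the decode path in this patch calls it for every received SAK Use with delay_protect set whose LPN has advanced, which at a 500 ms hello time is every MKPDU. Only driver_macsec_linux is wired up in this series, so any other MACsec driver would emit an error line per MKPDU. Log at MSG_DEBUG here, or check the op once at init and skip the call.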
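Review bot: in the ieee802_1x_secy_ops.h hunk the parameter of secy_set_receive_lowest_pn is named `txsa` although its type is `struct receive_sa *`; rename it `rxsa` to match the definition in ieee802_1x_secy_ops.c and the neighbouring secy_create_receive_sa prototype.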
diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index 078de23f7..92a0a8fda 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -796,6 +796,14 @@ static inline int wpa_drv_set_transmit_next_pn(struct wpa_supplicant *wpa_s, return wpa_s->driver->set_transmit_next_pn(wpa_s->drv_priv, sa); } +static inline int wpa_drv_set_receive_lowest_pn(struct wpa_supplicant *wpa_s, + struct receive_sa *sa) +{ + if (!wpa_s->driver->set_receive_lowest_pn) + return -1; + return wpa_s->driver->set_receive_lowest_pn(wpa_s->drv_priv, sa); +} + static inline int wpa_drv_create_receive_sc(struct wpa_supplicant *wpa_s, struct receive_sc *sc, unsigned int conf_offset, int validation) diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 11708b8a6..5235af77a 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -92,6 +92,12 @@ static int wpas_set_transmit_next_pn(void *wpa_s, struct transmit_sa *sa) } +static int wpas_set_receive_lowest_pn(void *wpa_s, struct receive_sa *sa) +{ + return wpa_drv_set_receive_lowest_pn(wpa_s, sa); +} + + static unsigned int conf_offset_val(enum confidentiality_offset co) { switch (co) { 
@@ -219,6 +225,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn; kay_ctx->get_transmit_next_pn = wpas_get_transmit_next_pn; kay_ctx->set_transmit_next_pn = wpas_set_transmit_next_pn; + kay_ctx->set_receive_lowest_pn = wpas_set_receive_lowest_pn; kay_ctx->create_receive_sc = wpas_create_receive_sc; kay_ctx->delete_receive_sc = wpas_delete_receive_sc; kay_ctx->create_receive_sa = wpas_create_receive_sa;
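The two messages above (patch 08 on when Delay Protect may be advertised, patch 09 on how the Lowest Acceptable PN is derived and consumed) describe a small piece of bookkeeping that is easier to see end to end in code. The following is an added example, not hostap's KaY and not part of the series; every name in it (tx_delay_state, tx_lowest_pn, rx_apply_delay_protect, the ring of samples) is an assumption made for illustration. It keeps a short history of the SecY's transmit next_pn, one sample per MKPDU, and reports as LPN the last PN used before the newest sample that is at least two seconds old, so the bound stays correct for any hello interval up to 2 s rather than only for the 2 s case the patch comment restricts itself to. The receiver side applies the peer's LPN only when Delay Protect is advertised and only if it is tighter than what replay protection already enforces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of MKA delay-protect bookkeeping (illustrative, not
 * hostap code). PNs are the 32-bit MACsec packet numbers. */

#define MKA_HELLO_TIME_MS         2000u  /* default MKPDU interval */
#define MKA_BOUNDED_HELLO_TIME_MS  500u  /* needed for delay protection */
#define DELAY_PROTECT_WINDOW_MS   2000u  /* bound from IEEE 802.1X-2010 9.10 */
#define PN_SAMPLES 8                     /* > WINDOW / BOUNDED_HELLO + 1 */

struct pn_sample {
	uint32_t t_ms;     /* when the sample was taken */
	uint32_t next_pn;  /* SecY transmit next_pn at that time */
	bool valid;
};

struct tx_delay_state {
	uint32_t hello_time_ms;
	struct pn_sample ring[PN_SAMPLES];
	size_t head;
};

/* Call at every MKPDU transmit with the SecY's current transmit next_pn. */
void tx_record_next_pn(struct tx_delay_state *s, uint32_t now_ms,
		       uint32_t next_pn)
{
	s->ring[s->head].t_ms = now_ms;
	s->ring[s->head].next_pn = next_pn;
	s->ring[s->head].valid = true;
	s->head = (s->head + 1) % PN_SAMPLES;
}

/* 9.10.1: Delay Protect is TRUE only if LPNs go out every 0.5 s or faster. */
bool tx_delay_protect(const struct tx_delay_state *s)
{
	return s->hello_time_ms <= MKA_BOUNDED_HELLO_TIME_MS;
}

/* Lowest PN used for transmission within the last two seconds: the last PN
 * used before the newest sample that is at least the window old (that
 * sample's next_pn minus one). Returns 0, which 9.10.1 permits, when no
 * sample is old enough yet. */
uint32_t tx_lowest_pn(const struct tx_delay_state *s, uint32_t now_ms)
{
	const struct pn_sample *best = NULL;
	size_t i;

	for (i = 0; i < PN_SAMPLES; i++) {
		const struct pn_sample *p = &s->ring[i];

		if (!p->valid || now_ms - p->t_ms < DELAY_PROTECT_WINDOW_MS)
			continue;
		if (!best || p->t_ms > best->t_ms)
			best = p;
	}
	if (!best || best->next_pn == 0)
		return 0;
	return best->next_pn - 1;
}

struct rx_sa_state {
	uint32_t lowest_pn;  /* what the SecY enforces (replay window) */
};

/* Receiver side of a SAK Use body: the peer's LPN tightens the window only
 * when Delay Protect is advertised and it is above the current bound.
 * Returns true when the new value must be pushed to the SecY. */
bool rx_apply_delay_protect(struct rx_sa_state *rx, bool delay_protect,
			    uint32_t lpn)
{
	if (!delay_protect || lpn <= rx->lowest_pn)
		return false;
	rx->lowest_pn = lpn;
	return true;
}

int main(void)
{
	struct tx_delay_state s = { .hello_time_ms = MKA_BOUNDED_HELLO_TIME_MS };
	struct rx_sa_state rx = { .lowest_pn = 50 };
	uint32_t t, pn = 100;

	/* Constructed timeline: an MKPDU every 500 ms, 20 frames in between. */
	for (t = 0; t <= 2500; t += 500, pn += 20)
		tx_record_next_pn(&s, t, pn);
	printf("delay_protect=%d lpn=%u\n", tx_delay_protect(&s),
	       tx_lowest_pn(&s, 2500));
	if (rx_apply_delay_protect(&rx, tx_delay_protect(&s),
				   tx_lowest_pn(&s, 2500)))
		printf("SecY lowest_pn raised to %u\n", rx.lowest_pn);
	return 0;
}
```

With a 2 s hello time the ring degenerates to "previous sample minus one", which is exactly what the patch computes; with a 0.5 s hello time it picks the sample four MKPDUs back instead of the most recent one, so the advertised LPN still bounds delay at two seconds rather than half a second.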
From patchwork Fri Mar 2 20:10:58 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880855
Subject: [PATCH 10/15] mka: Do not print contents of SAK to debug log
Date: Fri, 2 Mar 2018 15:10:58 -0500
Message-ID: <20180302201103.16264-11-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik

From: Mike Siedzik

Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key() rather than wpa_hexdump(). By default, the wpa_hexdump_key() function will not display sensitive key data.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 4ac4fdc15..27022d994 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c
@@ -1644,7 +1644,7 @@ ieee802_1x_mka_decode_dist_sak_body( os_free(unwrap_sak); return -1; } - wpa_hexdump(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len); + wpa_hexdump_key(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len); sa_key = os_zalloc(sizeof(*sa_key)); if (!sa_key) { 
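Review bot: the replacement line `wpa_hexdump_key(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);` now runs past the 80-column limit used throughout hostap; wrap the trailing arguments onto a second line. The substance is right: wpa_hexdump_key only emits the bytes when key output is explicitly enabled (wpa_supplicant -K), so an unwrapped SAK no longer lands in ordinary debug logs.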
@@ -2035,7 +2035,7 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant) wpa_printf(MSG_ERROR, "KaY: SAK Length not support"); goto fail; } - wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK", key, key_len); + wpa_hexdump_key(MSG_DEBUG, "KaY: generated new SAK", key, key_len); os_free(context); context = NULL;

From patchwork Fri Mar 2 20:10:59 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880851
Subject: [PATCH 11/15] mka: Fix a few minor bugs in CP state machine
Date: Fri, 2 Mar 2018 15:10:59 -0500
Message-ID: <20180302201103.16264-12-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
Cc: Mike Siedzik

From: Mike Siedzik

All fixes per IEEE802.1X-2010 Figure 12-2 - CP state machine.

1) Upon entering RETIRE, deleteSAs(oki)
2) RECEIVING to TRANSMIT, add !controlledPortEnabled to branching logic
3) READY should move to ABANDON (not RECEIVE) when new_sak or changed_connect is true.
4) READY to TRANSMIT, add !controlledPortEnabled to branching logic

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_cp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index e6b2767e2..05eab7e4b 100644 --- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c
@@ -319,8 +319,11 @@ SM_STATE(CP, RETIRE) SM_ENTRY(CP, RETIRE); /* RETIRE state machine not keep with Figure 12-2 in * IEEE Std 802.1X-2010 */ - os_free(sm->oki); - sm->oki = NULL; + if (sm->oki) { + ieee802_1x_kay_delete_sas(sm->kay, sm->oki); + os_free(sm->oki); + sm->oki = NULL; + } sm->orx = FALSE; sm->otx = FALSE; ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan, @@ -382,7 +385,7 @@ SM_STEP(CP) if (!sm->elected_self) SM_ENTER(CP, READY); if (sm->elected_self && - (sm->all_receiving || !sm->transmit_when)) + (sm->all_receiving || !sm->controlled_port_enabled || !sm->transmit_when)) SM_ENTER(CP, TRANSMIT); break; 
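Review bot: in the RETIRE hunk the context comment "RETIRE state machine not keep with Figure 12-2 in IEEE Std 802.1X-2010" is now stale, since calling ieee802_1x_kay_delete_sas(sm->kay, sm->oki) on entry is exactly what the figure asks for; drop or reword it. Also note that the unchanged `ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan, ...)` below still runs after `sm->oki` has been freed and set to NULL. If passing NULL is the intended way to clear the old-key attributes, say so in a comment, because as written it reads like a use-after-free.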
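Review bot: in the RECEIVING hunk the new line `(sm->all_receiving || !sm->controlled_port_enabled || !sm->transmit_when))` exceeds 80 columns; break it after `||` onto a continuation line aligned with the opening parenthesis. The condition itself matches item 2 of the commit message.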
@@ -405,8 +408,8 @@ SM_STEP(CP) case CP_READY: if (sm->new_sak || changed_connect(sm)) - SM_ENTER(CP, RECEIVE); - if (sm->server_transmitting) + SM_ENTER(CP, ABANDON); + if (sm->server_transmitting || !sm->controlled_port_enabled) SM_ENTER(CP, TRANSMIT); break; case CP_ABANDON:
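Review bot: the comment kept just above the new block in the RETIRE hunk, "RETIRE state machine not keep with Figure 12-2 in IEEE Std 802.1X-2010", is now wrong, since adding ieee802_1x_kay_delete_sas() is exactly what brings RETIRE in line with the figure (deleteSAs(oki)); drop it or reword it to say what the entry action does. Also worth a look while this block is being rewritten: the unchanged context line that follows still passes sm->oki to ieee802_1x_kay_set_old_sa_attr() after the new block has freed it and set it to NULL. That ordering predates the patch, but since the hunk replaces every line around it, either the free should move below that call or the NULL argument deserves a comment saying it is intentional.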
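Review bot: in the RECEIVING hunk the rewritten condition "(sm->all_receiving || !sm->controlled_port_enabled || !sm->transmit_when))" runs well past the column limit that hostap's kernel-style code keeps to; the line it replaces was already on its own continuation line, so break the new one after the first "||" rather than letting it grow.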
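Review bot: in the READY hunk the two "if" statements are not mutually exclusive: when new_sak (or changed_connect) is true and server_transmitting or !controlled_port_enabled is also true, SM_ENTER(CP, ABANDON) runs and then SM_ENTER(CP, TRANSMIT) runs in the same step, so the machine passes through both entry actions at once. The shape predates this patch, but both branches are rewritten here, so an "else if" on the second check would make the step follow a single arc of Figure 12-2 as the commit message intends. Minor: the new TRANSMIT condition line is also over the column limit.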
From patchwork Fri Mar 2 20:11:00 2018
X-Patchwork-Id: 880861
From: Mike Siedzik
Subject: [PATCH 12/15] mka: resources leaked when duplicated SCI detected
Date: Fri, 2 Mar 2018 15:11:00 -0500
Message-ID: <20180302201103.16264-13-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>

If a live peer ever changes its Member Identifier (MI), the KaY correctly detects a "duplicated SCI" but then proceeds to delete the peer without deleting the peer's resources (i.e., RxSC, RxSAs, TxSAs). Note that a remote peer's MI will change if and when an ieee8021XPaePortInitialize is executed on the remote port.

The solution here is to ignore all MKPDUs containing the new MI until after the peer (that corresponds to the old MI) expires and cleans up its resources. After the old peer is removed, reception of the next MKPDU containing the new MI will result in the creation of a new peer with the new MI.
Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 27022d994..4d61cb32b 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -792,17 +792,31 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, /* handler peer */ peer = ieee802_1x_kay_get_peer(participant, body->actor_mi); if (!peer) { - /* Check duplicated SCI */ - /* TODO: What policy should be applied to detect duplicated SCI - * is active attacker or a valid peer whose MI is be changed? + /* Check duplicated SCI + * + * A duplicated SCI indicates either an active attacker or + * a valid peer whose MI is be changed. The latter scenario is + * more likely because to have gotten this far the received + * MKPDU must have had a valid ICV, indicating the peer holds + * the same CAK our participant. + * + * Before creating a new peer object for the new MI we must + * clean up the resources (SCs and SAs) associated with the + * old peer. An easy way to do this is to ignore MKPDUs with + * the new MI's for now and just wait for the old peer to + * timeout and clean itself up (within MKA_LIFE_TIME). + * + * This method is peferable to deleting the old peer here + * and now and continuing on with processing because if this + * MKPDU is from an attacker it's better to ignore the MKPDU + * than to process it (and delete a valid peer as well). 
*/ peer = ieee802_1x_kay_get_peer_sci(participant, &body->actor_sci); if (peer) { wpa_printf(MSG_WARNING, - "KaY: duplicated SCI detected, Maybe active attacker"); - dl_list_del(&peer->list); - os_free(peer); + "KaY: duplicated SCI detected, Maybe active attacker or peer selected new MI"); + return NULL; } peer = ieee802_1x_kay_create_potential_peer(
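Review bot: the new comment block will ship with several typos: "whose MI is be changed" (has changed), "the same CAK our participant" (the same CAK as our participant), "peferable", and "the new MI's" (MIs). On the logic: until the old peer ages out (up to MKA_LIFE_TIME, per the comment) every MKPDU carrying the new MI now logs at MSG_WARNING, and the comment itself says the legitimate re-initialisation is the more likely cause, so an operator will see a burst of attacker warnings on every remote port init; MSG_INFO, or warning once per SCI, would keep the attacker case visible without the noise. Worth confirming, since it is outside this hunk, that the caller of ieee802_1x_mka_decode_basic_body() treats the NULL return as "discard this MKPDU" with nothing already updated for the old peer.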
From patchwork Fri Mar 2 20:11:01 2018
X-Patchwork-Id: 880862
Subject: [PATCH 13/15] mka: do not ignore MKPDU parameter set decoding failures
Date: Fri, 2 Mar 2018 15:11:01 -0500
Message-ID: <20180302201103.16264-14-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
From: Mike Siedzik

The status values returned by mka_param_body_handler.body_rx functions are currently ignored by ieee802_1x_kay_decode_mkpdu(). If a failure is detected the KaY should (a) stop processing the MKPDU and (b) not update the associated peer's liveliness.

IEEE802.1X-2010's Table 11-7 MKPDU Parameter sets and Clause 11.11.3 Encoding MKPDUs dictate that MKA_SAK_USE (set type 3) will always be encoded before MKA_DISTRIBUTED_SAK (set type 4) in MKPDUs. Due to hostap's implementation of mka_param_body_handler, the code will always decode MKA_SAK_USE before MKA_DISTRIBUTED_SAK. When MKA_DISTRIBUTED_SAK contains a new SAK the code should decode MKA_DISTRIBUTED_SAK first so that the latest SAK is known before decoding MKA_SAK_USE.

The ideal solution would be to make two passes at MKPDU decoding: the first pass decodes MKA_DISTRIBUTED_SAK, the second pass decodes all other parameter sets.

A simpler and less risky solution is presented here: ignore MKA_SAK_USE failures if MKA_DISTRIBUTED_SAK is also present. The new SAK will be saved so that the next MKPDU's MKA_SAK_USE can be properly decoded. This is basically what the code prior to this commit was doing (by ignoring all errors).

Also, the only real recourse the KaY has when detecting any bad parameter set is to ignore the MKPDU by not updating the corresponding peer's liveliness timer, 'peer->expire'.

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

-- 
2.11.1

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4d61cb32b..7945cc898 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -831,7 +831,6 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, peer->key_server_priority = body->priority; } else if (peer->mn < be_to_host32(body->actor_mn)) { peer->mn = be_to_host32(body->actor_mn); - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; peer->macsec_desired = body->macsec_desired; peer->macsec_capability = body->macsec_capability; peer->is_key_server = (Boolean) body->key_server; @@ -1076,7 +1075,6 @@ static int ieee802_1x_mka_decode_live_peer_body( peer = ieee802_1x_kay_get_peer(participant, peer_mi->mi); if (peer) { peer->mn = peer_mn; - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; } else if (!ieee802_1x_kay_create_potential_peer( participant, peer_mi->mi, peer_mn)) { return -1; @@ -1350,7 +1348,7 @@ ieee802_1x_mka_decode_sak_use_body( } } if (!found) { - wpa_printf(MSG_WARNING, "KaY: Latest key is invalid"); + wpa_printf(MSG_INFO, "KaY: Latest key is invalid"); return -1; } if (os_memcmp(participant->lki.mi, body->lsrv_mi, @@ -3041,12 +3039,14 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, { struct ieee802_1x_mka_participant *participant; struct ieee802_1x_mka_hdr *hdr; + struct ieee802_1x_kay_peer *peer; size_t body_len; size_t left_len; u8 body_type; int i; const u8 *pos; Boolean handled[256]; + Boolean bad_sak_use = FALSE; /* Error detected while processing SAK Use parameter set */ if (ieee802_1x_kay_mkpdu_sanity_check(kay, buf, len)) return -1; 
@@ -3121,8 +3121,26 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, handled[body_type] = TRUE; if (body_type < ARRAY_SIZE(mka_body_handler) && mka_body_handler[body_type].body_rx) { - mka_body_handler[body_type].body_rx - (participant, pos, left_len); + if (mka_body_handler[body_type].body_rx + (participant, pos, left_len) != 0) { + /* Handle parameter set failure */ + if (body_type == MKA_SAK_USE) { + /* Ideally DIST-SAK should be processed before + * SAK-USE. Unfortunately IEEE8021X-2010 Clause + * 11.11.3 Encoding MKPDUs states SAK-USE(3) + * must always be encoded before DIST-SAK(4). + * Rather than redesigning mka_body_handler so + * that it somehow processes DIST-SAK before + * SAK-USE, just ignore SAK-USE failures if + * DIST-SAK is also present in this MKPDU. */ + bad_sak_use = TRUE; + } else { + wpa_printf(MSG_INFO, + "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", + body_type); + return -1; + } + } } else { wpa_printf(MSG_ERROR, "The type %d is not supported in this MKA version %d", 
@@ -3130,6 +3148,18 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, } } + if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) { + wpa_printf(MSG_INFO, + "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", + MKA_SAK_USE); + return -1; + } + + /* Only update live peer watchdog after successful decode of all parameter sets */ + peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); + if (peer) + peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; + kay->active = TRUE; participant->retry_count = 0; participant->active = TRUE;
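Review bot: the hunk in ieee802_1x_mka_decode_live_peer_body() removes the refresh of peer->expire for a peer that is merely listed in another participant's Live Peer List, so from now on such a peer is kept alive only by MKPDUs it sends itself. That matches 9.4.3 (a peer shows liveness by carrying our MI/MN in its own MKPDU) but it is a behaviour change in its own right, and the commit message only talks about decode failures; one sentence there, or a one-line comment at the removal site, would stop the next reader from taking the deletion for an accident.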
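Review bot: in the -3121 hunk the "return -1" on a failed non-SAK-USE parameter set fires after the earlier sets in the same MKPDU have already been applied; in particular the -831 hunk of this same patch leaves decode_basic_body() advancing peer->mn before this point, so an MKPDU whose later set fails to decode still moves the peer's MN forward while its liveness is not refreshed. If that asymmetry is acceptable it deserves a comment; if not, peer->mn needs the same deferred update as peer->expire. Minor: the wpa_printf format string line is over the column limit, and the comment writes "IEEE8021X-2010" where the CP code in this series writes "IEEE Std 802.1X-2010".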
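Review bot: the watchdog refresh added at the end of the -3130 hunk looks the peer up with ieee802_1x_kay_get_peer(), the same helper the basic-body handler calls before it decides whether to create a potential peer, so it returns potential peers as well as live ones and pushes out peer->expire for both. A potential peer that never includes our MI/MN would then never expire as long as it keeps sending well-formed MKPDUs, which is the opposite of what the comment "Only update live peer watchdog" says; restricting the refresh to live peers keeps the 9.4.3 semantics. The format string line in this hunk also runs past the column limit.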
From patchwork Fri Mar 2 20:11:02 2018
X-Patchwork-Id: 880860
From: Mike Siedzik
Subject: [PATCH 14/15] mka: consider missing MKPDU parameter sets a failure
Date: Fri, 2 Mar 2018 15:11:02 -0500
Message-ID: <20180302201103.16264-15-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>

The previous commit introduced parameter set error checking. This commit extends upon that by considering missing parameter sets a failure.

Two checks are added by this commit. First, verify that live peers start encoding MKA_SAK_USE within a reasonable amount of time after going live (10 MKPDUs). Second, verify that once a live peer starts encoding MKA_SAK_USE it continues to do so indefinitely.
Signed-off-by: Michael Siedzik --- src/pae/ieee802_1x_kay.c | 31 ++++++++++++++++++++++++++++++- src/pae/ieee802_1x_kay_i.h | 1 + 2 files changed, 31 insertions(+), 1 deletion(-) -- 2.11.1 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 7945cc898..4323b6dc0 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -27,6 +27,8 @@ #define DEFAULT_ICV_LEN 16 #define MAX_ICV_LEN 32 /* 32 bytes, 256 bits */ +#define MAX_MISSING_SAK_USE 10 /* Accept up to 10 inbound MKPDU's w/o SAK-USE before dropping */ + #define PENDING_PN_EXHAUSTION 0xC0000000 #define MKA_ALIGN_LENGTH(len) (((len) + 0x3) & ~0x3) @@ -562,6 +564,7 @@ ieee802_1x_kay_create_peer(const u8 *mi, u32 mn) peer->mn = mn; peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; peer->sak_used = FALSE; + peer->missing_sak_use_count = 0; return peer; } 
@@ -3155,8 +3158,34 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, return -1; } + /* Detect missing parameter sets */ + peer = ieee802_1x_kay_get_live_peer(participant, participant->current_peer_id.mi); + if (peer) { + /* MKPDU is from live peer */ + if (!handled[MKA_SAK_USE]) { + /* Once a live peer starts sending SAK-USE, it should be sent + * every time. */ + if (peer->sak_used) { + wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: Live Peer stopped sending SAK-USE"); + return -1; + } + + /* Live peer is probably hung if it hasn't sent SAK-USE + * after a reasonable number of MKPDU's. Drop the MKPDU, + * which will eventually force an timeout. */ + if (++peer->missing_sak_use_count > MAX_MISSING_SAK_USE) { + wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: Live Peer not sending SAK-USE"); + return -1; + } + } else { + peer->missing_sak_use_count = 0; + } + } else { + /* MKPDU is from new or potential peer */ + peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); + } + /* Only update live peer watchdog after successful decode of all parameter sets */ - peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); if (peer) peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h index c10851d2d..33c5b721b 100644 --- a/src/pae/ieee802_1x_kay_i.h +++ b/src/pae/ieee802_1x_kay_i.h 
@@ -51,6 +51,7 @@ struct ieee802_1x_kay_peer { Boolean macsec_desired; enum macsec_cap macsec_capability; Boolean sak_used; + int missing_sak_use_count; struct dl_list list; };
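Review bot: the MAX_MISSING_SAK_USE definition line, comment included, runs far beyond the column limit, and "MKPDU's" in that comment should be "MKPDUs"; put the explanation on a comment line of its own above the #define.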
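Review bot: the live-peer check in the -3155 hunk discards every MKPDU from a live peer once MAX_MISSING_SAK_USE MKPDUs have arrived without a SAK-USE set, but a live peer legitimately has no SAK to report while no key server has distributed one yet, or when MACsec is not desired (peer->macsec_desired is tracked a few hunks earlier in this series); the commit message should say why those cases cannot reach this point, or the counter should only run once the participant actually holds a SAK, otherwise a healthy peer is timed out after ten hellos. Two smaller points: peer->sak_used is relied on here but nothing in this patch sets it, so a comment should say which handler sets it and whether a SAK-USE that fails to decode counts; and "force an timeout" should read "force a timeout".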
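As an added, stand-alone illustration of the acceptance rules patches 13/15 and 14/15 put into ieee802_1x_kay_decode_mkpdu(), here is a toy decoder written for this review (not hostap's code; the one-byte SAK-USE and DIST-SAK bodies, the peer struct, the assumption that every peer is live, and the sample MKPDU fragments are all constructed):

```c
/* Stand-alone model of the Rx MKPDU acceptance rules from patches 13/15 and
 * 14/15; toy encoding and functions constructed here, not hostap's own code. */
#include <stdbool.h>
#include <stdint.h>

enum { MKA_SAK_USE = 3, MKA_DISTRIBUTED_SAK = 4 }; /* 802.1X-2010 Table 11-7 */
#define MAX_MISSING_SAK_USE 10 /* limit introduced by patch 14/15 */

struct peer {                  /* a live peer; field names follow the series */
	bool sak_used;         /* peer has successfully sent SAK-USE before */
	int missing_sak_use_count;
	uint8_t latest_key;    /* toy: identifier of the SAK we currently know */
};

/* Toy SAK-USE body: one byte naming the key in use; fails the way
 * "KaY: Latest key is invalid" does when that key is not yet known to us. */
static int rx_sak_use(struct peer *p, const uint8_t *body, unsigned len)
{
	if (len < 1 || body[0] != p->latest_key)
		return -1;
	p->sak_used = true;
	return 0;
}

/* Toy DIST-SAK body: one byte naming the new key, which is installed. */
static int rx_distributed_sak(struct peer *p, const uint8_t *body, unsigned len)
{
	if (len < 1)
		return -1;
	p->latest_key = body[0];
	return 0;
}

/* Walks the parameter sets (4-octet header: type, flags, 12-bit body length, as
 * in hostap's ieee802_1x_mka_hdr). Returns 0 to accept the MKPDU, -1 to drop it. */
int decode_mkpdu(struct peer *p, const uint8_t *buf, unsigned len)
{
	bool handled[256] = { false }, bad_sak_use = false;
	unsigned pos = 0;
	while (pos + 4 <= len) {
		uint8_t type = buf[pos];
		unsigned blen = ((buf[pos + 2] & 0x0f) << 8) | buf[pos + 3];

		if (pos + 4 + blen > len)
			return -1;                     /* truncated parameter set */
		handled[type] = true;
		if (type == MKA_SAK_USE && rx_sak_use(p, buf + pos + 4, blen) != 0)
			bad_sak_use = true;            /* judged below, once all sets are seen */
		else if (type == MKA_DISTRIBUTED_SAK &&
			 rx_distributed_sak(p, buf + pos + 4, blen) != 0)
			return -1;                     /* any other failure is fatal */
		pos += 4 + ((blen + 3) & ~3u);         /* bodies are padded to 4 octets */
	}

	/* Patch 13/15: SAK-USE is encoded before DIST-SAK, so a SAK-USE naming the key
	 * this very MKPDU distributes fails; the installed key fixes the next MKPDU. */
	if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK])
		return -1;

	/* Patch 14/15: a live peer must start sending SAK-USE within
	 * MAX_MISSING_SAK_USE MKPDUs and, once it has started, must not stop. */
	if (handled[MKA_SAK_USE])
		p->missing_sak_use_count = 0;
	else if (p->sak_used || ++p->missing_sak_use_count > MAX_MISSING_SAK_USE)
		return -1;
	return 0;
}

/* Constructed parameter-set fragments (everything after the basic set). */
static const uint8_t SAK_USE_KEY1[] = { MKA_SAK_USE, 0, 0, 1, 1, 0, 0, 0 };
static const uint8_t SAK_USE_KEY2[] = { MKA_SAK_USE, 0, 0, 1, 2, 0, 0, 0 };
static const uint8_t REKEY_TO_KEY2[] = { MKA_SAK_USE, 0, 0, 1, 2, 0, 0, 0,
					 MKA_DISTRIBUTED_SAK, 0, 0, 1, 2, 0, 0, 0 };

/* Rekey scenario, peer knows key 1: SAK-USE key 1 (accepted), SAK-USE key 2 alone
 * (dropped: unknown key, no DIST-SAK), SAK-USE key 2 plus DIST-SAK key 2 (accepted,
 * key 2 installed), SAK-USE key 2 (accepted). Returns the accepted count of four. */
int scenario_rekey(void)
{
	struct peer p = { .latest_key = 1 };
	int accepted = 0;
	accepted += decode_mkpdu(&p, SAK_USE_KEY1, sizeof(SAK_USE_KEY1)) == 0;
	accepted += decode_mkpdu(&p, SAK_USE_KEY2, sizeof(SAK_USE_KEY2)) == 0;
	accepted += decode_mkpdu(&p, REKEY_TO_KEY2, sizeof(REKEY_TO_KEY2)) == 0;
	accepted += decode_mkpdu(&p, SAK_USE_KEY2, sizeof(SAK_USE_KEY2)) == 0;
	return accepted;
}

/* Silent-peer scenario: returns the 1-based index of the first MKPDU dropped
 * when a live peer keeps sending MKPDUs that carry no SAK-USE set at all. */
int scenario_never_sends_sak_use(void)
{
	struct peer p = { .latest_key = 1 };
	for (int i = 1; i <= MAX_MISSING_SAK_USE + 5; i++)
		if (decode_mkpdu(&p, SAK_USE_KEY1, 0) != 0) /* length 0: no sets */
			return i;
	return 0;
}
```

Before patch 13/15 all four MKPDUs of the rekey scenario would have been accepted; with it, only the SAK-USE failure that the DIST-SAK in the same MKPDU explains is tolerated, and the silent peer is cut off on the eleventh MKPDU, matching "Accept up to 10 inbound MKPDU's w/o SAK-USE before dropping".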
From patchwork Fri Mar 2 20:11:03 2018
X-Patchwork-Id: 880853
From: Mike Siedzik
Subject: [PATCH 15/15] mka: do not update potential peer liveness timer
Date: Fri, 2 Mar 2018 15:11:03 -0500
Message-ID: <20180302201103.16264-16-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>

To prevent a remote peer from getting stuck in a perpetual 'potential peer' state, only update the peer liveness timer 'peer->expire' for live peers and not for potential peers.

Per IEEE802.1X-2010 9.4.3 Determining liveness, potential peers need to show liveness by including our MI/MN in their transmitted MKPDU (within potential or live parameter sets). When a potential peer does include our MI/MN in an MKPDU, we respond by moving the peer from 'potential_peers' to 'live_peers'. If a potential peer does not include our MI/MN in an MKPDU within MKPDU_LIFE_TIME, then let the peer expire to facilitate getting back in sync with the remote peer.
Signed-off-by: Michael Siedzik --- src/pae/ieee802_1x_kay.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) -- 2.11.1 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 4323b6dc0..6ac7d02d1 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -3180,14 +3180,21 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, } else { peer->missing_sak_use_count = 0; } + + /* Only update live peer watchdog after successful decode of all parameter sets */ + peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; } else { /* MKPDU is from new or potential peer */ peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); - } + if (!peer) + return -1; - /* Only update live peer watchdog after successful decode of all parameter sets */ - if (peer) - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; + /* Do not update potential peer watchdog. Per IEEE802.1X-2010 9.4.3, + * potential peers need to show liveness by including our MI/MN in their + * transmitted MKPDU (within potential or live parameter sets). When + * a potential peer does include our MI/MN in an MKPDU, we respond by + * moving the peer from 'potential_peers' to 'live_peers'. */ + } kay->active = TRUE; participant->retry_count = 0;
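Review bot: the new comment explaining why potential peers are not refreshed sits after the "if (!peer) return -1;" at the end of the else branch, where nothing follows for it to describe; move it above that check, or to the top of the else block, so it reads as the reason the branch does not touch peer->expire. Separately, returning -1 when the potential peer is not found turns a fully decoded MKPDU into a discard and skips the kay->active and retry_count updates that follow; if decode_basic_body() always creates the peer before this point the check is dead and a comment saying so is enough, otherwise this early return deserves a wpa_printf like the other discards in this function. Finally, the commit message refers to MKPDU_LIFE_TIME while the code uses MKA_LIFE_TIME.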