Re: [PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

On Fri, Mar 02, 2018 at 03:10:51PM -0500, msiedzik@xxxxxxxxxxxxxxxxxxx wrote:

> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> @@ -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
>         } else {
>                 kay->macsec_desired = TRUE;
>                 kay->macsec_protect = TRUE;
> -               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
> +               if (policy == SHOULD_SECURE) {
> +                       kay->macsec_encrypt = FALSE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
> +               } else {  /* SHOULD_ENCRYPT */
> +                       kay->macsec_encrypt = TRUE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> +               }
>                 kay->macsec_validate = Strict;
>                 kay->macsec_replay_protect = FALSE;
>                 kay->macsec_replay_window = 0;
> -               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> -               else
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
>         }
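
Review bot: In the new else branch (the one commented /* SHOULD_ENCRYPT */), kay->macsec_confidentiality is set to CONFIDENTIALITY_OFFSET_0 unconditionally, so the removed kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF test no longer guards it, and a KaY below that capability level is now configured with CONFIDENTIALITY_OFFSET_0 where the old code gave it CONFIDENTIALITY_NONE. If that is not intended, keep the capability test inside the SHOULD_ENCRYPT branch and fall back to CONFIDENTIALITY_NONE otherwise. The else also relies on a comment alone to say that only SHOULD_ENCRYPT reaches it; the removed line tested policy == SHOULD_ENCRYPT explicitly, and keeping an explicit test would avoid setting macsec_encrypt to TRUE for any other policy value that lands in this branch.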

Is this change dropping the kay->macsec_capable check on purpose for
the SHOULD_ENCRYPT case? The new SHOULD_SECURE case looks fine, but should
the SHOULD_ENCRYPT case still use this kay->macsec_capable >=
MACSEC_CAP_INTEG_AND_CONF check before setting CONFIDENTIALITY_OFFSET_0?

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


