RE: [PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

Hi Jouni,

You are correct.  In the case where policy is set to SHOULD_ENCRYPT but MACsec capability is only MACSEC_CAP_INTEGRITY (i.e., integrity without confidentiality), my patch would have attempted to encrypt with offset 0.  The patch should have retained the macsec_capable comparison.  Something like this:

                if ((kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF) &&
                    (policy == SHOULD_ENCRYPT)) {
                        kay->macsec_encrypt = TRUE;
                        kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
                } else {  /* SHOULD_SECURE */
                        kay->macsec_encrypt = FALSE;
                        kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
                }

Thanks,
- Mike


-----Original Message-----
From: Jouni Malinen [mailto:j@xxxxx]
Sent: Sunday, March 11, 2018 10:37 AM
To: Michael Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>
Cc: hostap@xxxxxxxxxxxxxxxxxxx
Subject: Re: [PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

On Fri, Mar 02, 2018 at 03:10:51PM -0500, msiedzik@xxxxxxxxxxxxxxxxxxx wrote:

> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c @@
> -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
>         } else {
>                 kay->macsec_desired = TRUE;
>                 kay->macsec_protect = TRUE;
> -               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
> +               if (policy == SHOULD_SECURE) {
> +                       kay->macsec_encrypt = FALSE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
> +               } else {  /* SHOULD_ENCRYPT */
> +                       kay->macsec_encrypt = TRUE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> +               }
>                 kay->macsec_validate = Strict;
>                 kay->macsec_replay_protect = FALSE;
>                 kay->macsec_replay_window = 0;
> -               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> -               else
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
>         }
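
Review bot: the else branch marked /* SHOULD_ENCRYPT */ sets kay->macsec_encrypt = TRUE and kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0 unconditionally, whereas the removed lines at the end of the block selected CONFIDENTIALITY_OFFSET_0 only when kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF. As written, a KaY whose capability is below MACSEC_CAP_INTEG_AND_CONF and whose policy is SHOULD_ENCRYPT would enable encryption and set a confidentiality offset that the old code would not have selected for it. Suggest keeping the capability comparison in the condition that enables encryption and falling back to macsec_encrypt = FALSE with CONFIDENTIALITY_NONE when it fails. The bare else also treats every policy other than SHOULD_SECURE as SHOULD_ENCRYPT; testing policy == SHOULD_ENCRYPT explicitly would make that assumption visible in the code rather than only in the comment.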

Is this change dropping the kay->macsec_capable check on purpose for SHOULD_ENCRYPT case? The new SHOULD_SECURE case looks fine, but should the SHOULD_ENCRYPT case still use this kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF before setting CONFIDENTIALITY_OFFSET_0?

--
Jouni Malinen                                            PGP id EFC895FA




_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


