From: Andrey Kartashev <andrey.kartashev@xxxxxxxxxxxxx>

If a valid peer is detected with the same Secure Channel Id but a different Member Id than the one already registered, KaY just removes the old one and works with the new one. However, there is no trigger to delete the old SC/SAs, which can cause a situation where there are two active channels with the same SCI.

This patch changes the logic. It now discards the new duplicated peer and waits until the old one is removed by timeout. Such behaviour also prevents somebody from disconnecting a working peer. This patch also decreases this peer's timeout to speed up the process in case it is a valid peer after an MI change.

Signed-off-by: Andrey Kartashev <andrey.kartashev@xxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 3a31bdf93..eac908415 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -773,6 +773,7 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, struct ieee802_1x_kay_peer *peer; size_t ckn_len; size_t body_len; + time_t new_expire; body = (const struct ieee802_1x_mka_basic_body *) mka_msg; 
@@ -816,16 +817,20 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg, peer = ieee802_1x_kay_get_peer(participant, body->actor_mi); if (!peer) { /* Check duplicated SCI */ - /* TODO: What policy should be applied to detect duplicated SCI - * is active attacker or a valid peer whose MI is be changed? - */ peer = ieee802_1x_kay_get_peer_sci(participant, &body->actor_sci); if (peer) { wpa_printf(MSG_WARNING, "KaY: duplicated SCI detected, Maybe active attacker"); - dl_list_del(&peer->list); - os_free(peer); + /* Ignore this request. If it is valid peer whose MI is be changed + * just wait until the active one would be removed by timeout. + * Reduce timeout to speed up this process but left the chance for + * old one to prove aliveness. + */ + new_expire = time(NULL) + MKA_HELLO_TIME * 1.5 / 1000; + if (peer->expire > new_expire) + peer->expire = new_expire; + return NULL; } peer = ieee802_1x_kay_create_potential_peer(
--
2.17.1
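
Review bot: in the duplicated-SCI branch of the second hunk, "new_expire = time(NULL) + MKA_HELLO_TIME * 1.5 / 1000;" computes the deadline in floating point and truncates the result into a time_t; integer arithmetic such as "MKA_HELLO_TIME * 3 / 2 / 1000" gives the same 1.5x margin with explicit rounding and no double conversion. The same branch still logs "Maybe active attacker", yet it lowers the registered peer's expire on the strength of the very frame it then drops with "return NULL;", so the sender of a duplicate SCI can pull the live peer's deadline down to roughly 1.5 hello intervals. The comment should say why that margin is always enough for the old peer to refresh itself, and the log text should be updated to say the frame is ignored and the existing peer's timeout shortened, so that an operator reading the warning can tell what the KaY actually did. The new comment's wording ("whose MI is be changed", "left the chance") is carried over from the removed TODO and is worth correcting while the block is being rewritten.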