On Fri, Mar 02, 2018 at 03:11:01PM -0500, msiedzik@xxxxxxxxxxxxxxxxxxx wrote:
> The status values returned by mka_param_body_handler.body_rx functions
> are currently ignored by ieee802_1x_kay_decode_mkpdu(). If a failure is
> detected the KaY should (a) stop processing the MKPDU and (b) not
> update the associated peer's liveliness.
>
> IEEE802.1X-2010's Table 11-7 MKPDU Parameter sets and Clause 11.11.3
> Encoding MKPDUs dictate that MKA_SAK_USE (set type 3) will always be
> encoded before MKA_DISTRIBUTED_SAK (set type 4) in MKPDUs. Due to
> hostap's implementation of mka_param_body_handler, the code will always
> decode MKA_SAK_USE before MKA_DISTRIBUTED_SAK. When MKA_DISTRIBUTED_SAK
> contains a new SAK the code should decode MKA_DISTRIBUTED_SAK first so
> that the latest SAK is known before decoding MKA_SAK_USE.
>
> The ideal solution would be to make two passes at MKPDU decoding: the
> first pass decodes MKA_DISTRIBUTED_SAK, the second pass decodes all
> other parameter sets.
>
> A simpler and less risky solution is presented here: ignore MKA_SAK_USE
> failures if MKA_DISTRIBUTED_SAK is also present. The new SAK will be
> saved so that the next MKPDU's MKA_SAK_USE can be properly decoded.
> This is basically what the code prior to this commit was doing (by
> ignoring all errors).
>
> Also, the only real recourse the KaY has when detecting any bad
> parameter set is to ignore the MKPDU by not updating the corresponding
> peer's liveliness timer, 'peer->expire'.

Thanks, applied.

--
Jouni Malinen                                            PGP id EFC895FA
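The decode policy described in the quoted commit message, as an added example that is not part of the original thread and is not hostap code. The `param_set` and `peer` structures, the `body_rx` stand-in, `decode_mkpdu`, and the `LIFE_TIME` value are hypothetical simplifications; only the parameter set types and the `expire` field name come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

enum { MKA_SAK_USE = 3, MKA_DISTRIBUTED_SAK = 4 }; /* set types from the page */
enum { LIFE_TIME = 6 };  /* assumed liveness lifetime in seconds */
/* Hypothetical, simplified parameter set and peer state (not hostap's). */
struct param_set { int type; unsigned key_number; bool malformed; };
struct peer { unsigned known_kn; long expire; };  /* known_kn 0: no SAK yet */

/* Stand-in for a body_rx handler: 0 on success, -1 on failure. */
static int body_rx(struct peer *p, const struct param_set *ps)
{
    if (ps->malformed)
        return -1;
    if (ps->type == MKA_SAK_USE)            /* must refer to a known SAK */
        return p->known_kn == ps->key_number ? 0 : -1;
    if (ps->type == MKA_DISTRIBUTED_SAK)    /* save the new SAK */
        p->known_kn = ps->key_number;
    return 0;
}

/* Decode sets in wire order; true means the peer's liveness was updated. */
bool decode_mkpdu(struct peer *p, const struct param_set *s, size_t n, long now)
{
    bool sak_use_failed = false, dist_sak_present = false;
    for (size_t i = 0; i < n; i++) {
        if (s[i].type == MKA_DISTRIBUTED_SAK)
            dist_sak_present = true;
        if (body_rx(p, &s[i]) == 0)
            continue;
        if (s[i].type != MKA_SAK_USE)
            return false;          /* stop processing, leave expire alone */
        sak_use_failed = true;     /* judged once the whole MKPDU is seen */
    }
    if (sak_use_failed && !dist_sak_present)
        return false;              /* bad MKPDU: peer is not refreshed */
    p->expire = now + LIFE_TIME;
    return true;
}

int main(void)
{
    /* Constructed MKPDU: SAK_USE for key 2 precedes the SAK that carries it. */
    struct peer p = { 0, 0 };
    struct param_set rekey[] = { { MKA_SAK_USE, 2, false },
                                 { MKA_DISTRIBUTED_SAK, 2, false } };
    printf("rekey accepted: %d\n", decode_mkpdu(&p, rekey, 2, 100));
    return 0;
}
```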