Re: [PATCH 06/15] mka: KaY setting Parameter Set Body Length incorrectly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 02, 2018 at 03:10:54PM -0500, msiedzik@xxxxxxxxxxxxxxxxxxx wrote:
> Per IEEE802.1X-2010 Clause 11.11 EAPOL-MKA, each parameter set must be
> padded to a multiple of 4 octets.  In order for the length of variable
> length parameters, such as CAK Name, to be correctly decoded the
> parameter set body length must not include the length of null padding
> octets.
> 
> When allocating buffer space for the parameter set (e.g., wpabuf_put())
> the padded length must be used.  When setting the 'Parameter set body
> length' within the parameter set the unpadded length must be used.
> 
> Consider the case were the length of a PSK's CKN is not a multiple of 4
> octets.  Currently ieee802_1x_mka_encode_basic_body() will correctly
> reserve the padded number buffer bytes.  However it will incorrectly
> set ieee8021_x_mka_hdr->length and ->length1 to the padded number of
> bytes.  The receiver will not be able to recover the original CKN
> length.
> 
> Note that the hostap will successfully interoperate with itself because
> both sides incorrectly calculate CKN length.  The problem is only seen
> when interoperating with non-hostap KaY's.

This conflicts with an earlier proposed patch that covers at least some
of these cases:
https://w1.fi/cgit/hostap/commit/?id=61127f162a3fdbe3b284d4c32a8352493e43036b

Some of the changes are identical, but I'm not sure how exactly this
patch 6/15 or the followup patches 1/2 (mka: ICV not encoded correctly,
causing receive side to drop MKPDU) and 2/2 (mka: Optional ICV indicator
encoded when not necessary) should be handled.

I do now have automated test cases for testing MACsec with MKA PSK mode
using the hwsim test framework (tests/hwsim/test_macsec.py). This allows
testing between two wpa_supplicant instances (including option to test
two different hostap.git snaphots for checking against some
regressions). However, I do not have any other implementations available
to test for interoperability, so I'm a bit hesitant on doing this type
of merges of patches without someone else clearly indicating that the
changes look fine and that they have been tested with other
implementations. In other words, I'd prefer to get an updated version of
this patch and the followup 1/2 that fixes an issue here and all the
changes rebased on top of the current hostap.git master branch snapshot.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux