From: Mike Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>

Two recent changes to MKA create a situation where a new MI is generated every time a SAK Use parameter set is decoded.

The first change moved invalid key detection from ieee802_1x_decode_basic_body() to ieee802_1x_kay_decode_mkpdu():
https://w1.fi/cgit/hostap/commit/?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04

The second change forces the KaY to generate a new MI when an invalid key is detected:
https://w1.fi/cgit/hostap/commit/?id=a8aeaf41df95ac6f979eb9014d0e2d17c46c671e

The fix is to move generation of a new MI from the old invalid key detection location to the new location.

Signed-off-by: Michael Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>
--- src/pae/ieee802_1x_kay.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index c9948b7..b4455c8 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1422,12 +1422,6 @@ ieee802_1x_mka_decode_sak_use_body( } if (!found) { wpa_printf(MSG_INFO, "KaY: Latest key is invalid"); - if (!reset_participant_mi(participant)) - wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); - else - wpa_printf(MSG_DEBUG, - "KaY: Selected a new random MI: %s", - mi_txt(participant->mi)); return -1; } if (os_memcmp(participant->lki.mi, body->lsrv_mi, 
@@ -3289,6 +3283,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", MKA_SAK_USE); + if (!reset_participant_mi(participant)) + wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); + else + wpa_printf(MSG_DEBUG, + "KaY: Selected a new random MI: %s", + mi_txt(participant->mi)); return -1; } -- 1.8.3.1
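
Review bot: in the second hunk (ieee802_1x_kay_decode_mkpdu()), reset_participant_mi() now runs whenever the MKA_SAK_USE decode fails, whereas the lines removed in the first hunk ran only on the "KaY: Latest key is invalid" path. If ieee802_1x_mka_decode_sak_use_body() has other -1 returns (not visible in this patch), each of them would now also select a new MI, so any SAK Use body that fails to decode would cause MI churn. Consider a distinct return value for the invalid-key case, or a comment at the new site stating that every SAK Use decode failure is intended to reset the MI. Minor style point in the same added lines: "KaY: Could not update mi" uses lowercase "mi" while the following message uses "MI".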