[PATCH 0/5] mka: Correct the interpretation of CP and PN exhaustion

Hostap has implemented an interpretation of the CP state
machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
A proposed amendment describes this interpretation
and why it is wrong:
http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
This amendment was included in IEEE 802.1Xck-2018.

To abide by this, the RECEIVE and RETIRE states are
changed to match Figure 12-2. Then the correct PN needs
to be inspected to determine exhaustion. This could be
the "latest" or "old" key depending on where we are in
the CP state machine. As stated in the amendment, the
method implemented should maintain backwards compatibility.

This also includes a couple of other fixes:
* The ABANDON->RECEIVE state change was impossible.
* Key values are cleared out on CHANGE.

Thomas Winter (5):
  mka: Change RECEIVE and RETIRE states to standard
  mka: Don't set newSAK to FALSE on ABANDON
  mka: Clear out old/latest key values on CHANGE
  mka: Check OLPN for exhaustion on SAKuse encode
  mka: Check OLPN for exhaustion on SAKuse decode

 src/pae/ieee802_1x_cp.c  |  45 +++++---
 src/pae/ieee802_1x_kay.c | 227 ++++++++++++++++++++++-----------------
 2 files changed, 157 insertions(+), 115 deletions(-)

-- 
2.23.0

