[PATCH 4/5] mka: Check OLPN for exhaustion on SAKuse encode

Most of the time is spent in the RETIRE state where
LKI is not set and OKI is the currently used SAK
so OLPN needs to be checked for PN exhaustion.

Hostap implemented an interpretation of the standard
as described in a proposed amendment titled "MKA pending
PN exhaustion" which was deemed to be wrong.
This amendment was included in IEEE 802.1Xck-2018.

Signed-off-by: Thomas Winter <Thomas.Winter@xxxxxxxxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index a330d0cf4..db292df24 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1287,7 +1287,8 @@ ieee802_1x_mka_encode_sak_use_body(
 	struct ieee802_1x_mka_sak_use_body *body;
 	struct ieee802_1x_kay *kay = participant->kay;
 	unsigned int length;
-	u32 pn = 1;
+	u32 olpn = 1;
+	u32 llpn = 1;
 
 	length = ieee802_1x_mka_get_sak_use_length(participant);
 	body = wpabuf_put(buf, length);
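Review bot: the `= 1` initializers on the new `olpn` and `llpn` locals are dead stores, since both variables are unconditionally assigned from ieee802_1x_mka_get_lpn() before their first read in the following hunk; plain `u32 olpn, llpn;` declarations would be clearer and avoid suggesting that 1 is a meaningful default.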
@@ -1307,18 +1308,29 @@ ieee802_1x_mka_encode_sak_use_body(
 
 	/* data delay protect */
 	body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
-	/* lowest accept packet number */
-	pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
-	if (pn > kay->pn_exhaustion) {
-		wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
-		if (participant->is_key_server)
-			participant->new_sak = TRUE;
+	/* lowest accept packet numbers */
+	olpn = ieee802_1x_mka_get_lpn(participant, &participant->oki);
+	body->olpn = host_to_be32(olpn);
+	llpn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
+	body->llpn = host_to_be32(llpn);
+	if (participant->is_key_server) {
+		/* The CP will spend most of it's time in RETIRE where only
+		 * the old key is populated. Therefore we should be checking
+		 * the OLPN most of the time.
+		 */
+		if (participant->lrx) {
+			if (llpn > kay->pn_exhaustion) {
+				wpa_printf(MSG_WARNING, "KaY: My LLPN exhaustion");
+				participant->new_sak = TRUE;
+			}
+		} else {
+			if (olpn > kay->pn_exhaustion) {
+				wpa_printf(MSG_WARNING, "KaY: My OLPN exhaustion");
+				participant->new_sak = TRUE;
+			}
+		}
 	}
 
-	body->llpn = host_to_be32(pn);
-	pn = ieee802_1x_mka_get_lpn(participant, &participant->oki);
-	body->olpn = host_to_be32(pn);
-
 	/* plain tx, plain rx */
 	body->ptx = !kay->macsec_protect;
 	body->prx = kay->macsec_validate != Strict;
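Review bot: moving the exhaustion check inside `if (participant->is_key_server)` drops the "KaY: My LPN exhaustion" warning for non-key-server participants; the old code logged for every participant and only gated `new_sak = TRUE` on is_key_server, so if that log is still wanted for diagnostics the `wpa_printf()` calls should stay outside the key-server test. The inner `if (participant->lrx) { if (llpn > ...) } else { if (olpn > ...) }` also reads more easily as a single selection, e.g. `u32 lpn = participant->lrx ? llpn : olpn;` followed by one `if (lpn > kay->pn_exhaustion)` check, with the warning naming which of OLPN/LLPN was checked. Minor: "it's" in the new comment should be "its".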
-- 
2.23.0


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
