On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> Hostap's implemented an interpretation of the CP state
> machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> A proposed amendment describes this interpretation
> and why it is wrong:
> http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
> This amendment was included into IEEE 802.1Xck-2018
>
> To abide by this, the RECEIVE and RETIRE states are
> changed to match Figure 12-2. Then the correct PN needs
> to be inspected to determine exhaustion. This could be
> the "latest" or "old" key depending on where we are in
> the CP state machine. As stated in the amendment, the
> method implemented should maintain backwards compatibility.
>
> This also includes a couple of other fixes:
> * The ABANDON->RECEIVE state change was impossible.
> * Key values are cleared out on CHANGE.
>
> Thomas Winter (5):
>   mka: Change RECEIVE and RETIRE states to standard
>   mka: Don't set newSAK to FALSE on ABANDON
>   mka: Clear out old/latest key values on CHANGE
>   mka: Check OLPN for exhaustion on SAKuse encode
>   mka: Check OLPN for exhaustion on SAKuse decode

Thanks, applied with some cleanup.

--
Jouni Malinen PGP id EFC895FA