Key Server support for Group CAs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Greg Goblirsch <gregg@xxxxxxxxxxxxxxxx>

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index a1f8ae934..c9441b394 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1159,10 +1159,9 @@ static int ieee802_1x_mka_decode_live_peer_body(
                        continue;
 
                peer = ieee802_1x_kay_get_peer(participant, peer_mi->mi);
-               if (peer) {
-                       peer->mn = peer_mn;
-               } else if (!ieee802_1x_kay_create_potential_peer(
-                               participant, peer_mi->mi, peer_mn)) {
+               if (!peer) {
+                       if (!ieee802_1x_kay_create_potential_peer(
+                               participant, peer_mi->mi, peer_mn))
                        return -1;
                }
        }
@@ -1737,6 +1736,12 @@ ieee802_1x_mka_decode_dist_sak_body(
                return -1;
        }
 
+       if (!dl_list_empty(&participant->potential_peers)) {
+               wpa_printf(MSG_ERROR,
+                       "KaY: I can't accept the distributed SAK as potential peer list is not empty");
+               return -1;
+       }
+
        if (body_len == 0) {
                kay->authenticated = true;
                kay->secured = false;
@@ -2142,15 +2147,13 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
                return -1;
        }
 
-       /* FIXME: A fresh SAK not generated until
+       /* A fresh SAK not generated until
         * the live peer list contains at least one peer and
         * MKA life time has elapsed since the prior SAK was first distributed,
         * or the Key server's potential peer is empty
-        * but I can't understand the second item, so
-        * here only check first item and ingore
-        *   && (!dl_list_empty(&participant->potential_peers))) {
         */
-       if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) {
+       if (((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) &&
+           (!dl_list_empty(&participant->potential_peers))) {
                wpa_printf(MSG_ERROR,
                           "KaY: Life time has not elapsed since prior SAK distributed");
                return -1;
@@ -2290,9 +2293,6 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant)
        /* elect the key server among the peers */
        dl_list_for_each(peer, &participant->live_peers,
                         struct ieee802_1x_kay_peer, list) {
-               if (!peer->is_key_server)
-                       continue;
-
                if (!key_server) {
                        key_server = peer;
                        continue;
@@ -2645,10 +2645,10 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
        }
 
        if (participant->new_sak && participant->is_key_server) {
-               if (!ieee802_1x_kay_generate_new_sak(participant))
+               if (!ieee802_1x_kay_generate_new_sak(participant)) {
                        participant->to_dist_sak = true;
-
-               participant->new_sak = false;
+                       participant->new_sak = false;
+        }
        }
 
        if (participant->retry_count < MAX_RETRY_CNT ||
@@ -3217,8 +3217,6 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
        int i;
        const u8 *pos;
        bool handled[256];
-       bool bad_sak_use = false; /* Error detected while processing SAK Use
-                                  * parameter set */
        bool i_in_peerlist, is_in_live_peer, is_in_potential_peer;
 
        wpa_printf(MSG_DEBUG, "KaY: Decode received MKPDU (ifname=%s)",
@@ -3310,22 +3308,10 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                        if (mka_body_handler[body_type].body_rx
                                (participant, pos, left_len) != 0) {
                                /* Handle parameter set failure */
-                               if (body_type != MKA_SAK_USE) {
-                                       wpa_printf(MSG_INFO,
-                                                  "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
-                                                  body_type);
-                                       return -1;
-                               }
-
-                               /* Ideally DIST-SAK should be processed before
-                                * SAK-USE. Unfortunately IEEE Std 802.1X-2010,
-                                * 11.11.3 (Encoding MKPDUs) states SAK-USE(3)
-                                * must always be encoded before DIST-SAK(4).
-                                * Rather than redesigning mka_body_handler so
-                                * that it somehow processes DIST-SAK before
-                                * SAK-USE, just ignore SAK-USE failures if
-                                * DIST-SAK is also present in this MKPDU. */
-                               bad_sak_use = true;
+                               wpa_printf(MSG_INFO,
+                                          "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
+                                          body_type);
+                               return -1;
                        }
                } else {
                        wpa_printf(MSG_ERROR,
@@ -3334,19 +3320,6 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                }
        }
 
-       if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) {
-               wpa_printf(MSG_INFO,
-                          "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
-                          MKA_SAK_USE);
-               if (!reset_participant_mi(participant))
-                       wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
-               else
-                       wpa_printf(MSG_DEBUG,
-                                  "KaY: Selected a new random MI: %s",
-                                  mi_txt(participant->mi));
-               return -1;
-       }
-
        /* Detect missing parameter sets */
        peer = ieee802_1x_kay_get_live_peer(participant,
                                            participant->current_peer_id.mi);
@@ -3773,21 +3746,28 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
 
        dl_list_add(&kay->participant_list, &participant->list);
 
-       usecs = os_random() % (kay->mka_hello_time * 1000);
-       eloop_register_timeout(0, usecs, ieee802_1x_participant_timer,
-                              participant, NULL);
-
        /* Disable MKA lifetime for PSK mode.
         * The peer(s) can take a long time to come up, because we
         * create a "standby" MKA, and we need it to remain live until
         * some peer appears.
         */
        if (mode != PSK) {
+               usecs = os_random() % (kay->mka_hello_time * 1000);
                participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
                        usecs / 1000000;
        }
        participant->mode = mode;
 
+       if (participant->retry_count < MAX_RETRY_CNT ||
+           participant->mode == PSK) {
+               ieee802_1x_participant_send_mkpdu(participant);
+               participant->retry_count++;
+       }
+
+       eloop_register_timeout(kay->mka_hello_time / 1000, 0,
+                              ieee802_1x_participant_timer,
+                              participant, NULL);
+
        return participant;
 
 fail:


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux