ieee802_1x_mka_decode_sak_use_body returns 0 for "KaY: We don't have a latest distributed key - ignore SAK use". Thus DIST-SAK is processed. Updating the MI breaks everything. I could find nothing in the spec for this. Signed-off-by: Greg Goblirsch <gregg@xxxxxxxxxxxxxxxx>
@@ -3310,22 +3334,10 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
 if (mka_body_handler[body_type].body_rx
 (participant, pos, left_len) != 0) {
 /* Handle parameter set failure */
- if (body_type != MKA_SAK_USE) {
- wpa_printf(MSG_INFO,
- "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
- body_type);
- return -1;
- }
-
- /* Ideally DIST-SAK should be processed before
- * SAK-USE. Unfortunately IEEE Std 802.1X-2010,
- * 11.11.3 (Encoding MKPDUs) states SAK-USE(3)
- * must always be encoded before DIST-SAK(4).
- * Rather than redesigning mka_body_handler so
- * that it somehow processes DIST-SAK before
- * SAK-USE, just ignore SAK-USE failures if
- * DIST-SAK is also present in this MKPDU. */
- bad_sak_use = true;
+ wpa_printf(MSG_INFO,
+ "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
+ body_type);
+ return -1;
 }
 } else {
 wpa_printf(MSG_ERROR,
@@ -3334,19 +3346,6 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
 }
 }
 
- if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) {
- wpa_printf(MSG_INFO,
- "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
- MKA_SAK_USE);
- if (!reset_participant_mi(participant))
- wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
- else
- wpa_printf(MSG_DEBUG,
- "KaY: Selected a new random MI: %s",
- mi_txt(participant->mi));
- return -1;
- }
-
 /* Detect missing parameter sets */
 peer = ieee802_1x_kay_get_live_peer(participant,
 participant->current_peer_id.mi);
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
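Review bot: The unconditional `return -1` in the parameter-set failure branch now also covers MKA_SAK_USE, so an MKPDU that carries both SAK-USE and DIST-SAK is discarded whenever the SAK-USE handler returns non-zero, and the comment describing the 11.11.3 encoding-order constraint is removed with nothing replacing it. The commit message relies on ieee802_1x_mka_decode_sak_use_body returning 0 in the "no latest distributed key" case; that function is not in this hunk, so its remaining non-zero return paths should be confirmed not to need the DIST-SAK fallback. I would state the assumption at the call site, for example `/* SAK-USE returns 0 when no latest key is known, so a DIST-SAK in the same MKPDU is still decoded; non-zero is a real decode failure */`. The declaration of `bad_sak_use` lies outside both hunks; if this patch does not also remove it, it is left unused after the second hunk's deletion. ieee802_1x_kay_decode_mkpdu starts and ends outside the hunk.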