mka: Check OLPN for exhaustion on SAKuse encode

Most of the time is spent in the CP state machine RETIRE state where LKI
is not set and OKI is the currently used SAK, so OLPN needs to be
checked for PN exhaustion.

hostapd/wpa_supplicant implemented an interpretation of the standard as
described in a proposed amendment titled "MKA pending PN exhaustion"
which was deemed to be wrong. This amendment was included in IEEE Std
802.1Xck-2018.

Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
Thomas Winter 2019-08-27 15:55:37 +12:00 committed by Jouni Malinen
parent 547ba732d3
commit 84851007d9


@ -1287,7 +1287,7 @@ ieee802_1x_mka_encode_sak_use_body(
struct ieee802_1x_mka_sak_use_body *body;
struct ieee802_1x_kay *kay = participant->kay;
unsigned int length;
u32 pn = 1;
u32 olpn, llpn;
length = ieee802_1x_mka_get_sak_use_length(participant);
body = wpabuf_put(buf, length);
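Review bot: with `u32 pn = 1;` replaced by `u32 olpn, llpn;`, check that no remaining line of ieee802_1x_mka_encode_sak_use_body() still references `pn`; the later `body->llpn = host_to_be32(pn);` / `body->olpn = host_to_be32(pn);` assignments must be the lines this change removes, otherwise the function no longer compiles. The new variables are assigned unconditionally before use, so no initialiser is needed.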
@ -1307,18 +1307,31 @@ ieee802_1x_mka_encode_sak_use_body(
/* data delay protect */
body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
/* lowest accept packet number */
pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
if (pn > kay->pn_exhaustion) {
wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
if (participant->is_key_server)
participant->new_sak = TRUE;
/* lowest accept packet numbers */
olpn = ieee802_1x_mka_get_lpn(participant, &participant->oki);
body->olpn = host_to_be32(olpn);
llpn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
body->llpn = host_to_be32(llpn);
if (participant->is_key_server) {
/* The CP will spend most of it's time in RETIRE where only
* the old key is populated. Therefore we should be checking
* the OLPN most of the time.
*/
if (participant->lrx) {
if (llpn > kay->pn_exhaustion) {
wpa_printf(MSG_WARNING,
"KaY: My LLPN exhaustion");
participant->new_sak = TRUE;
}
} else {
if (olpn > kay->pn_exhaustion) {
wpa_printf(MSG_WARNING,
"KaY: My OLPN exhaustion");
participant->new_sak = TRUE;
}
}
}
body->llpn = host_to_be32(pn);
pn = ieee802_1x_mka_get_lpn(participant, &participant->oki);
body->olpn = host_to_be32(pn);
/* plain tx, plain rx */
body->ptx = !kay->macsec_protect;
body->prx = kay->macsec_validate != Strict;
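Review bot: the new `if (participant->lrx) ... else ...` structure checks exactly one of the two PNs, so while `lrx` is set (both LKI and OKI populated, before the old key is retired) the OKI PN is never checked for exhaustion; either state in the comment that this is acceptable because the old SAK is about to be retired, or check `olpn` whenever `oki` is valid and `llpn` whenever `lki` is valid. Two smaller points: the comment should read "its time", not "it's time", and the `new_sak = TRUE` trigger is still limited to `participant->is_key_server`, which matches the removed code but is worth stating in the commit message since the warning is now printed only on the key server as well.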