[PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

Mon Mar 12 06:21:48 PDT 2018

Hi Jouni,

You are correct.  In the case where policy is set to SHOULD_ENCRYPT but MACsec capability is only MACSEC_CAP_INTEGRITY (i.e., integrity without confidentiality), my patch would have attempted to encrypt with offset 0.  The patch should have retained the macsec_capable comparison.  Something like this:

                if ((kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF) &&
                    (policy == SHOULD_ENCRYPT)) {
                        kay->macsec_encrypt = TRUE;
                        kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
                } else {  /* SHOULD_SECURE */
                        kay->macsec_encrypt = FALSE;
                        kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
                }

Thanks,
- Mike

-----Original Message-----
From: Jouni Malinen [mailto:j at w1.fi]
Sent: Sunday, March 11, 2018 10:37 AM
To: Michael Siedzik <msiedzik at extremenetworks.com>
Cc: hostap at lists.infradead.org
Subject: Re: [PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

On Fri, Mar 02, 2018 at 03:10:51PM -0500, msiedzik at extremenetworks.com wrote:

> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c @@
> -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
>         } else {
>                 kay->macsec_desired = TRUE;
>                 kay->macsec_protect = TRUE;
> -               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
> +               if (policy == SHOULD_SECURE) {
> +                       kay->macsec_encrypt = FALSE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
> +               } else {  /* SHOULD_ENCRYPT */
> +                       kay->macsec_encrypt = TRUE;
> +                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> +               }
>                 kay->macsec_validate = Strict;
>                 kay->macsec_replay_protect = FALSE;
>                 kay->macsec_replay_window = 0;
> -               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
> -               else
> -                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
>         }

Is this change dropping the kay->macsec_capable check on purpose for SHOULD_ENCRYPT case? The new SHOULD_SECURE case looks fine, but should the SHOULD_ENCRYPT case still use this kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF before setting CONFIDENTIALITY_OFFSET_0?

--
Jouni Malinen                                            PGP id EFC895FA

________________________________

DISCLAIMER:
This e-mail and any attachments to it may contain confidential and proprietary material and is solely for the use of the intended recipient. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed.