[PATCH 0/5] mka: Correct the interpretation of CP and PN exhaustion

Jouni Malinen j at w1.fi
Wed Sep 18 14:41:20 PDT 2019


On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> Hostap has implemented an interpretation of the CP state
> machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> A proposed amendment describes this interpretation
> and why it is wrong:
> http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
> This amendment was included into IEEE 802.1Xck-2018
> 
> To abide by this, the RECEIVE and RETIRE states are
> changed to match Figure 12-2. Then the correct PN needs
> to be inspected to determine exhaustion. This could be
> the "latest" or "old" key depending on where we are in
> the CP state machine. As stated in the amendment, the
> method implemented should maintain backwards compatibility.
> 
> This also includes a couple of other fixes:
> * The ABANDON->RECEIVE state change was impossible.
> * Key values are cleared out on CHANGE.
> 
> Thomas Winter (5):
>   mka: Change RECEIVE and RETIRE states to standard
>   mka: Don't set newSAK to FALSE on ABANDON
>   mka: Clear out old/latest key values on CHANGE
>   mka: Check OLPN for exhaustion on SAKuse encode
>   mka: Check OLPN for exhaustion on SAKuse decode

Thanks, applied with some cleanup.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
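The point the cover letter makes about inspecting the right PN is easy to get wrong in code, so here is an added illustration (it is not hostap code and not the patch series itself). It models a participant that holds an "old" and a "latest" SAK and a handful of CP states: until the CP machine reaches TRANSMIT the participant is still transmitting with the old key, so that is the key whose PN can run out; after TRANSMIT the latest key is the one to watch. The enum, struct names and the simplified state handling are assumptions of the model; the threshold constant is the pendingPNExhaustion value hostap uses, assumed here. The second function reproduces the latest-only check the series replaces, so the two can be compared on the same input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed here: IEEE 802.1X-2010 pendingPNExhaustion threshold. When the next
 * transmit PN of the key in use reaches it, the Key Server should distribute
 * a fresh SAK. */
#define PN_EXHAUSTION_THRESHOLD 0xC0000000u

/* Hypothetical subset of the CP state machine (IEEE 802.1X-2010 Figure 12-2),
 * only the states this model needs to distinguish. */
enum cp_state {
    CP_SECURED, CP_RECEIVE, CP_RECEIVING, CP_READY,
    CP_TRANSMIT, CP_TRANSMITTING, CP_RETIRE
};

struct sak {
    bool valid;        /* key is installed */
    uint32_t next_pn;  /* next packet number this SA would transmit with */
};

struct cp_model {
    enum cp_state state;
    struct sak old;     /* previous SAK, still transmitting until TRANSMIT */
    struct sak latest;  /* most recently distributed SAK */
};

/* Which SAK is currently used for transmit. Model assumption: from RECEIVE
 * up to READY the latest key is only installed for receive, so the old key
 * (if any) is still the transmitting one; from TRANSMIT on it is the latest. */
static const struct sak *transmitting_sak(const struct cp_model *m)
{
    switch (m->state) {
    case CP_RECEIVE:
    case CP_RECEIVING:
    case CP_READY:
        return m->old.valid ? &m->old : &m->latest;
    default:
        return &m->latest;
    }
}

/* Corrected check: look at the PN of whichever key is actually transmitting. */
bool pn_exhausted(const struct cp_model *m)
{
    const struct sak *s = transmitting_sak(m);
    return s->valid && s->next_pn >= PN_EXHAUSTION_THRESHOLD;
}

/* The behaviour the cover letter describes as wrong: always inspect "latest",
 * which reports no exhaustion while the old key is the one about to run out. */
bool pn_exhausted_latest_only(const struct cp_model *m)
{
    return m->latest.valid && m->latest.next_pn >= PN_EXHAUSTION_THRESHOLD;
}

/* Convenience wrapper so a scenario can be evaluated in one call.
 * old_valid == false models the first SAK, where no old key exists. */
bool check_exhaustion(enum cp_state state, bool old_valid, uint32_t old_pn,
                      uint32_t latest_pn, bool latest_only)
{
    struct cp_model m = {
        .state = state,
        .old = { .valid = old_valid, .next_pn = old_pn },
        .latest = { .valid = true, .next_pn = latest_pn },
    };
    return latest_only ? pn_exhausted_latest_only(&m) : pn_exhausted(&m);
}

int main(void)
{
    /* Constructed scenario: new SAK distributed, CP in RECEIVING, old key
     * has nearly exhausted its PN space while the latest key is fresh. */
    printf("RECEIVING, old key at threshold: corrected=%d latest-only=%d\n",
           check_exhaustion(CP_RECEIVING, true, PN_EXHAUSTION_THRESHOLD, 1, false),
           check_exhaustion(CP_RECEIVING, true, PN_EXHAUSTION_THRESHOLD, 1, true));
    printf("TRANSMITTING, same PNs: corrected=%d\n",
           check_exhaustion(CP_TRANSMITTING, true, PN_EXHAUSTION_THRESHOLD, 1, false));
    return 0;
}
```

Note that the same input gives opposite answers from the two checks while the CP machine sits between RECEIVE and READY, which is exactly the window in which the old key keeps transmitting and the latest-only check stays silent.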
