[PATCH 0/5] mka: Correct the interpretation of CP and PN exhaustion
j at w1.fi
Wed Sep 18 14:41:20 PDT 2019
On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> Hostap's implemented an interpretation of the CP state
> machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> A proposed amendment describes this interpretation
> and why it is wrong:
> This amendment was included in IEEE 802.1Xck-2018.
> To abide by this, the RECEIVE and RETIRE states are
> changed to match Figure 12-2. Then the correct PN needs
> to be inspected to determine exhaustion. This could be
> the "latest" or "old" key depending on where we are in
> the CP state machine. As stated in the amendment, the
> method implemented should maintain backwards compatibility.
> This also includes a couple of other fixes:
> * The ABANDON->RECEIVE state change was impossible.
> * Key values are cleared out on CHANGE.
>
> Thomas Winter (5):
>   mka: Change RECEIVE and RETIRE states to standard
>   mka: Don't set newSAK to FALSE on ABANDON
>   mka: Clear out old/latest key values on CHANGE
>   mka: Check OLPN for exhaustion on SAKuse encode
>   mka: Check OLPN for exhaustion on SAKuse decode
Thanks, applied with some cleanup.
Jouni Malinen PGP id EFC895FA