[PATCH 02/15] mka: Ignore MACsec SAK Use Old Key parameter if we don't remember our old key

msiedzik at extremenetworks.com msiedzik at extremenetworks.com
Fri Mar 2 12:10:50 PST 2018

From: Mike Siedzik <msiedzik at extremenetworks.com>

Upon receipt of the "MACsec MKPDU SAK Use parameter set" the KaY verifies
that both the latest key and the old key are valid.  If the local system
reboots or is reinitalizied, the KaY won't have a copy of it's old key.
Therefore if the KaY does not have a copy of it's old key it should not
reject MKPDUs that contain old key data in the MACsec SAK Use parameter.

Signed-off-by: Michael Siedzik <msiedzik at extremenetworks.com>
 src/pae/ieee802_1x_kay.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index beaae58f0..d77f81b7b 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1336,8 +1336,9 @@ ieee802_1x_mka_decode_sak_use_body(

-       /* check old key is valid */
-       if (body->otx || body->orx) {
+       /* check old key is valid (but only if we remember our old key) */
+       if ((participant->oki.kn != 0) &&
+           (body->otx || body->orx)) {
                if (os_memcmp(participant->oki.mi, body->osrv_mi,
                              sizeof(participant->oki.mi)) != 0 ||
                    be_to_host32(body->okn) != participant->oki.kn ||


This e-mail and any attachments to it may contain confidential and proprietary material and is solely for the use of the intended recipient. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed.

More information about the Hostap mailing list