[PATCH 03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE"

msiedzik at extremenetworks.com msiedzik at extremenetworks.com
Fri Mar 2 12:10:51 PST 2018


From: Mike Siedzik <msiedzik at extremenetworks.com>

Commit 7b4d546e introduced policy setting SHOULD_ENCRYPT (MACsec provides
integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides
integrity only).  In both cases the KaY is populating the
"Confidentiality Offset" parameter within the "Distributed SAK parameter
set" with CONFIDENTIALITY_OFFSET_0=1.  In the case of SHOULD_SECURE the
parameter should be populated with CONFIDENTIALITY_NONE=0.

IEEE802.1X-2010 Table 11-6 and Figure 11-11 define how the two
Confidentiality Offset bits in the "Distributed SAK parameter set" must
be set: "0 if confidentiality not used" and "1 if confidentiality with no
offset".  When policy is SHOULD_SECURE KaY should send the former, and
when policy is SHOULD_ENCRYPT KaY should send the latter.

Signed-off-by: Michael Siedzik <msiedzik at extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index d77f81b7b..41e5a07e6 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3159,6 +3159,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
                kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
                kay->macsec_desired = FALSE;
                kay->macsec_protect = FALSE;
+               kay->macsec_encrypt = FALSE;
                kay->macsec_validate = Disabled;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
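Review bot: the added kay->macsec_encrypt = FALSE; in the branch that sets macsec_capable to MACSEC_CAP_NOT_IMPLEMENTED is not covered by the commit message, which only describes the Confidentiality Offset value for SHOULD_SECURE. Please add a sentence to the commit message saying why the field is now initialized here, or split this line into its own patch, so the change can be reviewed and bisected separately.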
@@ -3166,14 +3167,16 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
        } else {
                kay->macsec_desired = TRUE;
                kay->macsec_protect = TRUE;
-               kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
+               if (policy == SHOULD_SECURE) {
+                       kay->macsec_encrypt = FALSE;
+                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+               } else {  /* SHOULD_ENCRYPT */
+                       kay->macsec_encrypt = TRUE;
+                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+               }
                kay->macsec_validate = Strict;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
-               if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
-                       kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
-               else
-                       kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
        }

        wpa_printf(MSG_DEBUG, "KaY: state machine created");
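Review bot: the removed test on kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF has no replacement in the new if/else, so the else arm now sets macsec_encrypt = TRUE and CONFIDENTIALITY_OFFSET_0 from the policy alone. If macsec_capable can be below MACSEC_CAP_INTEG_AND_CONF on this path, the Distributed SAK parameter set would advertise confidentiality that the port cannot provide; consider keeping the capability test next to the policy test, for example "if (policy == SHOULD_ENCRYPT && kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)", or state in the commit message why the capability check is no longer needed. The bare else also treats every policy other than SHOULD_SECURE as SHOULD_ENCRYPT, with only a comment to say so; testing for SHOULD_ENCRYPT explicitly would keep a later policy value from silently taking this arm.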
--
2.11.1

