From: Mike Siedzik Date: Tue, 8 Jan 2019 03:49:54 +0000 (-0500) Subject: mka: New MI should only be generated when peer's key is invalid X-Git-Tag: hostap_2_8~538 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a07b8a70b5b365b5aa10cb0e759587376b1e3937;p=thirdparty%2Fhostap.git mka: New MI should only be generated when peer's key is invalid Two recent changes to MKA create a situation where a new MI is generated every time a SAK Use parameter set is decoded. The first change moved invalid key detection from ieee802_1x_decode_basic_body() to ieee802_1x_kay_decode_mpkdu(): commit db9ca18bbff1 ("mka: Do not ignore MKPDU parameter set decoding failures") The second change forces the KaY to generate a new MI when an invalid key is detected: commit a8aeaf41df95 ("mka: Change MI if key invalid") The fix is to move generation of a new MI from the old invalid key detection location to the new location. Fixes: a8aeaf41df95 ("mka: Change MI if key invalid") Signed-off-by: Michael Siedzik --- diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index c9948b7f6..b4455c8f4 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1422,12 +1422,6 @@ ieee802_1x_mka_decode_sak_use_body( } if (!found) { wpa_printf(MSG_INFO, "KaY: Latest key is invalid"); - if (!reset_participant_mi(participant)) - wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); - else - wpa_printf(MSG_DEBUG, - "KaY: Selected a new random MI: %s", - mi_txt(participant->mi)); return -1; } if (os_memcmp(participant->lki.mi, body->lsrv_mi, @@ -3289,6 +3283,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", MKA_SAK_USE); + if (!reset_participant_mi(participant)) + wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); + else + wpa_printf(MSG_DEBUG, + "KaY: Selected a new random MI: %s", + mi_txt(participant->mi)); return -1; }