mka: New MI should only be generated when peer's key is invalid

Two recent changes to MKA create a situation where a new MI is generated
every time a SAK Use parameter set is decoded.  The first change moved
invalid key detection from ieee802_1x_decode_basic_body() to
ieee802_1x_kay_decode_mkpdu():

  commit db9ca18bbf ("mka: Do not ignore MKPDU parameter set decoding failures")

The second change forces the KaY to generate a new MI when an invalid
key is detected:

  commit a8aeaf41df ("mka: Change MI if key invalid")

The fix is to move generation of a new MI from the old invalid key
detection location to the new location.

Fixes: a8aeaf41df ("mka: Change MI if key invalid")
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik 2019-01-07 22:49:54 -05:00 committed by Jouni Malinen
parent d896874f86
commit a07b8a70b5


@ -1422,12 +1422,6 @@ ieee802_1x_mka_decode_sak_use_body(
}
if (!found) {
wpa_printf(MSG_INFO, "KaY: Latest key is invalid");
if (!reset_participant_mi(participant))
wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
else
wpa_printf(MSG_DEBUG,
"KaY: Selected a new random MI: %s",
mi_txt(participant->mi));
return -1;
}
if (os_memcmp(participant->lki.mi, body->lsrv_mi,
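Review bot: in the `if (!found)` branch, once the reset_participant_mi() call and its two debug messages are dropped (the hunk header goes from 12 lines to 6), the MI change for an invalid latest key depends entirely on the caller acting on the -1 return. A short comment at that `return -1;` stating that ieee802_1x_kay_decode_mkpdu() selects the new MI on this failure would keep a later caller or refactor from silently losing that behaviour.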
@ -3289,6 +3283,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
wpa_printf(MSG_INFO,
"KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
MKA_SAK_USE);
if (!reset_participant_mi(participant))
wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
else
wpa_printf(MSG_DEBUG,
"KaY: Selected a new random MI: %s",
mi_txt(participant->mi));
return -1;
}
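Review bot: the reset_participant_mi() call in the MKA_SAK_USE failure branch runs for any failed decode of the SAK Use parameter set, because this branch only sees that decoding failed, while the commit subject limits a new MI to the case where the peer's key is invalid. If ieee802_1x_mka_decode_sak_use_body() can return failure for other reasons, consider a distinct return value for the "Latest key is invalid" case and resetting the MI only on that value. A failed reset is also logged only at MSG_DEBUG ("KaY: Could not update mi"); a higher log level would make it visible that the MI was not changed.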