From a07b8a70b5b365b5aa10cb0e759587376b1e3937 Mon Sep 17 00:00:00 2001 From: Mike Siedzik Date: Mon, 7 Jan 2019 22:49:54 -0500 Subject: [PATCH] mka: New MI should only be generated when peer's key is invalid Two recent changes to MKA create a situation where a new MI is generated every time a SAK Use parameter set is decoded. The first change moved invalid key detection from ieee802_1x_decode_basic_body() to ieee802_1x_kay_decode_mpkdu(): commit db9ca18bbff1 ("mka: Do not ignore MKPDU parameter set decoding failures") The second change forces the KaY to generate a new MI when an invalid key is detected: commit a8aeaf41df95 ("mka: Change MI if key invalid") The fix is to move generation of a new MI from the old invalid key detection location to the new location. Fixes: a8aeaf41df95 ("mka: Change MI if key invalid") Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index c9948b7f6..b4455c8f4 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1422,12 +1422,6 @@ ieee802_1x_mka_decode_sak_use_body(
 }
 if (!found) {
 wpa_printf(MSG_INFO, "KaY: Latest key is invalid");
- if (!reset_participant_mi(participant))
- wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
- else
- wpa_printf(MSG_DEBUG,
- "KaY: Selected a new random MI: %s",
- mi_txt(participant->mi));
 return -1;
 }
 if (os_memcmp(participant->lki.mi, body->lsrv_mi,
@@ -3289,6 +3283,12 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
 wpa_printf(MSG_INFO, "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", MKA_SAK_USE);
+ if (!reset_participant_mi(participant))
+ wpa_printf(MSG_DEBUG, "KaY: Could not update mi");
+ else
+ wpa_printf(MSG_DEBUG,
+ "KaY: Selected a new random MI: %s",
+ mi_txt(participant->mi));
 return -1;
 }
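Review bot: In the second hunk the MI reset sits on the generic failure branch for the MKA_SAK_USE parameter set, so as far as the hunk shows it runs on every failed decode rather than only on the "Latest key is invalid" case the subject line names. The first hunk's context shows at least one further check in the decoder (`os_memcmp(participant->lki.mi, body->lsrv_mi,`) after the `!found` return; if that check or any length check also returns -1, every malformed SAK Use body from a peer would make the participant select a new MI, which looks like the churn this commit is meant to stop. Consider giving the invalid-key path a distinct return value and testing for it here, or at least add a comment such as `/* any SAK Use decode failure is treated as an invalid peer key */` so the broad trigger is visibly deliberate. A failed reset is reported only at MSG_DEBUG before `return -1`, so it may be worth raising that message to MSG_INFO. The enclosing function starts and ends outside the hunk, so the condition guarding this branch is not visible here.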