[PATCH] mka: Some bug fixes for MACsec in PSK mode

Badrish Adiga H R badrish.adigahr at gmail.com
Sun Feb 5 22:33:10 PST 2017


Hi Jouni,

In case this got missed in your list, a kind reminder to review...

regards,
Badrish

On Fri, Jan 6, 2017 at 3:27 PM, Badrish Adiga H R
<badrish.adigahr at gmail.com> wrote:
> Issue:
> ------
> The test setup has 2 peers running MACsec in PSK mode, Peer A with
> MAC address higher than MAC Address of peer B. Test sequence is
> 1. Peer B starts with actor_priority 255
> 2. Peer A starts with priority 16, becomes key server.
> 3. Peer A stops.
> 4. Peer A restarts with priority 255, but because of the stale values
> participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
> it continues to remain as Key Server.
> 5. For peer B, key server election happens and since it has a lower MAC
> address than peer A, it becomes the key server.
> Now we have 2 key servers in the CA, which is not correct.
>
> Root-cause & fix:
> -----------------
> When the number of live peers becomes 0, the flags such as lrx, ltx, orx,
> otx etc. need to be cleared. In MACsec PSK mode, these stale values
> create problems while re-establishing the CA.
>
> Signed-off-by: Badrish Adiga H R <badrish.adigahr at gmail.com>
> ---
>  src/pae/ieee802_1x_kay.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> index 1004b32..f420a16 100644
> --- a/src/pae/ieee802_1x_kay.c
> +++ b/src/pae/ieee802_1x_kay.c
> @@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void
> *eloop_ctx, void *timeout_ctx)
>                         participant->advised_capability =
>                                 MACSEC_CAP_NOT_IMPLEMENTED;
>                         participant->to_use_sak = FALSE;
> +                       participant->ltx = FALSE;
> +                       participant->lrx = FALSE;
> +                       participant->otx = FALSE;
> +                       participant->orx = FALSE;
> +                       participant->is_key_server = FALSE;
> +                       participant->is_elected = FALSE;
>                         kay->authenticated = TRUE;
>                         kay->secured = FALSE;
>                         kay->failed = FALSE;
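Review bot: the two lines that actually address the two-key-server scenario from the description are `participant->is_key_server = FALSE;` and `participant->is_elected = FALSE;`, but nothing in the hunk records why the six flags are being reset here; a short comment above the new lines (for example "/* Clear stale key server and lrx/ltx/orx/otx state so a fresh election runs when peers reappear */") would make the intent clear to the next reader of ieee802_1x_participant_timer(). It is also worth confirming in the cover text that this branch (the one already setting to_use_sak = FALSE and kay->secured = FALSE) is the only path on which the live peer count drops to zero, since any other path would leave the same stale is_key_server/is_elected values behind.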
> --
> 2.6.1.133.gf5b6079
