[PATCH] mka: Some bug fixes for MACsec in PSK mode
Badrish Adiga H R
badrish.adigahr at gmail.com
Sun Feb 5 22:33:10 PST 2017
In case this got missed in your list, a kind reminder to review...
On Fri, Jan 6, 2017 at 3:27 PM, Badrish Adiga H R
<badrish.adigahr at gmail.com> wrote:
> The test setup has 2 peers running MACsec in PSK mode, Peer A with
> MAC address higher than MAC Address of peer B. Test sequence is
> 1. Peer B starts with actor_priority 255
> 2. Peer A starts with priority 16, becomes key server.
> 3. Peer A stops..
> 4. Peer A restarts with priority 255, but because of the stale values
> participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
> it continues to remain as Key Server.
> 5. For peer B, key server election happens and since it has lower MAC
> address as compared to MAC address of A, it becomes the key server.
> Now we have 2 key servers in the CA, and that is not correct.
> Root-cause & fix:
> When the number of live peers becomes 0, the flags such as lrx, ltx, orx,
> otx etc. need to be cleared. In MACsec PSK mode, these stale values
> create problems while re-establishing the CA...
> Signed-off-by: Badrish Adiga H R <badrish.adigahr at gmail.com>
> src/pae/ieee802_1x_kay.c | 6 ++++++
> 1 file changed, 6 insertions(+)
> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> index 1004b32..f420a16 100644
> --- a/src/pae/ieee802_1x_kay.c
> +++ b/src/pae/ieee802_1x_kay.c
> @@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void
> *eloop_ctx, void *timeout_ctx)
> participant->advised_capability =
> participant->to_use_sak = FALSE;
> + participant->ltx = FALSE;
> + participant->lrx = FALSE;
> + participant->otx = FALSE;
> + participant->orx = FALSE;
> + participant->is_key_server = FALSE;
> + participant->is_elected = FALSE;
> kay->authenticated = TRUE;
> kay->secured = FALSE;
> kay->failed = FALSE;
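Review bot: The six assignments added after participant->to_use_sak = FALSE mix two kinds of state, the SAK usage flags (ltx, lrx, otx, orx) and the election result (is_key_server, is_elected), with no comment saying that this branch is the "live peers dropped to 0" case from the commit message; a short comment above the block would make that intent visible in the code. Only participant fields are reset here, while the following context lines touch just kay->authenticated, kay->secured and kay->failed, so please confirm that no key-server identity or priority kept on the kay side survives this path and that election is run again from a clean state when a peer reappears, otherwise the two-key-server situation in step 5 could still occur. The subject says "Some bug fixes" but the diff contains a single change in ieee802_1x_participant_timer(); a subject naming the stale-flag reset would be easier to find later.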