[PATCH] mka: Using higher retry max value for PSK
Badrish Adiga H R
badrish.adigahr at gmail.com
Fri Jan 6 01:10:42 PST 2017

Issue: When 2 peers are running MACsec in PSK mode with CA
established, if the interface goes down and comes up after
time > 10 seconds, CA does not get re-established.

Root cause: This is because retry_count of both the peers
would have reached MAX_RETRY_CNT and they stay idle waiting for the
other to respond. This is a clear deadlock situation where peer A waits
for MKA packets from peer B to wake up and vice versa.

Fix: Use maximum possible value of retry_max for PSK mode.

Signed-off-by: Badrish Adiga H R <badrish.adigahr at gmail.com>
---
src/pae/ieee802_1x_kay.c | 10 +++++++---
src/pae/ieee802_1x_kay_i.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 1004b32..93d5f7d 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2422,7 +2422,7 @@ static void ieee802_1x_participant_timer(void
*eloop_ctx, void *timeout_ctx)
participant->new_sak = FALSE;
}
- if (participant->retry_count < MAX_RETRY_CNT) {
+ if (participant->retry_count < participant->retry_max) {
ieee802_1x_participant_send_mkpdu(participant);
participant->retry_count++;
}
@@ -2822,7 +2822,7 @@ int ieee802_1x_kay_enable_new_info(struct
ieee802_1x_kay *kay)
if (!principal)
return -1;
- if (principal->retry_count < MAX_RETRY_CNT) {
+ if (principal->retry_count < participant->retry_max) {
ieee802_1x_participant_send_mkpdu(principal);
principal->retry_count++;
}
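Review bot: The new condition in ieee802_1x_kay_enable_new_info() reads `participant->retry_max`, but every other line of this hunk operates on `principal` and no `participant` variable is visible in this function's context, so the line looks copied from ieee802_1x_participant_timer(). It should read `if (principal->retry_count < principal->retry_max) {`; as posted it either fails to build or compares against the limit of a different participant.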
@@ -3358,9 +3358,13 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay
*kay, struct mka_key_name *ckn,
* create a "standby" MKA, and we need it to remain live until
* some peer appears.
*/
- if (mode != PSK) {
+ if (mode == PSK) {
+ participant->mka_life = 0;
+ participant->retry_max = 0xFFFFFFFF;
+ } else {
participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
usecs / 1000000;
+ participant->retry_max = MAX_RETRY_CNT;
}
return participant;
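Review bot: In the PSK branch, `participant->retry_max = 0xFFFFFFFF;` is a bare magic number, and the branch also adds `participant->mka_life = 0;`, which the commit message does not mention. Suggest a named constant in the style of MAX_RETRY_CNT for the PSK limit, and either dropping the mka_life assignment or explaining it in the commit message if it changes behaviour. The comment just above the branch already explains why the standby MKA must stay live, so it is the natural place to also state why PSK retries are effectively unbounded.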
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
index 0c4bb8e..a7acc72 100644
--- a/src/pae/ieee802_1x_kay_i.h
+++ b/src/pae/ieee802_1x_kay_i.h
@@ -143,6 +143,7 @@ struct ieee802_1x_mka_participant {
struct data_key *new_key;
u32 retry_count;
+ u32 retry_max;
struct ieee802_1x_kay *kay;
};
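Review bot: The new `u32 retry_max;` member is added without a comment, and within this patch it is assigned only in ieee802_1x_kay_create_mka(). A one-line comment stating that it is the upper bound for retry_count (MAX_RETRY_CNT normally, 0xFFFFFFFF in PSK mode) would make the two comparisons in ieee802_1x_kay.c easier to follow.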
--
2.6.1.133.gf5b6079