[PATCH] mka: Using higher retry max value for PSK

Badrish Adiga H R badrish.adigahr at gmail.com
Fri Jan 6 01:43:09 PST 2017


Ignore this patch. This patch has got compilation errors, so I have
submitted another patch to fix the same issue.

On Fri, Jan 6, 2017 at 2:40 PM, Badrish Adiga H R
<badrish.adigahr at gmail.com> wrote:
> Issue: When 2 peers are running MACsec in PSK mode with CA
> established, if the interface goes down and comes up after
> time > 10 seconds, CA does not get re-established.
>
> Root cause: This is because retry_count of both the peers
> would have reached MAX_RETRY_CNT and stays idle for other to
> respond. This is a clear deadlock situation where peer A waits
> for MKA packets from peer B to wake up and vice-versa.
>
> Fix: Use maximum possible value of retry_max for PSK mode
> Signed-off-by: Badrish Adiga H R <badrish.adigahr at gmail.com>
> ---
>  src/pae/ieee802_1x_kay.c   | 10 +++++++---
>  src/pae/ieee802_1x_kay_i.h |  1 +
>  2 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> index 1004b32..93d5f7d 100644
> --- a/src/pae/ieee802_1x_kay.c
> +++ b/src/pae/ieee802_1x_kay.c
> @@ -2422,7 +2422,7 @@ static void ieee802_1x_participant_timer(void
> *eloop_ctx, void *timeout_ctx)
>                 participant->new_sak = FALSE;
>         }
>
> -       if (participant->retry_count < MAX_RETRY_CNT) {
> +       if (participant->retry_count < participant->retry_max) {
>                 ieee802_1x_participant_send_mkpdu(participant);
>                 participant->retry_count++;
>         }
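
Review bot: With the limit in the `if` ahead of ieee802_1x_participant_send_mkpdu() now read from participant->retry_max, a PSK participant (retry_max = 0xFFFFFFFF, set in ieee802_1x_kay_create_mka) sends an MKPDU on every run of this timer with no practical stop and no backoff visible in these lines. Consider keeping the bounded retry and resetting retry_count when the interface comes back up, or state in a comment here that PSK retries are intentionally unbounded.
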
> @@ -2822,7 +2822,7 @@ int ieee802_1x_kay_enable_new_info(struct
> ieee802_1x_kay *kay)
>         if (!principal)
>                 return -1;
>
> -       if (principal->retry_count < MAX_RETRY_CNT) {
> +       if (principal->retry_count < participant->retry_max) {
>                 ieee802_1x_participant_send_mkpdu(principal);
>                 principal->retry_count++;
>         }
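
Review bot: The new condition reads participant->retry_max, but every other line in this hunk uses principal (the NULL check, principal->retry_count, the send call) and no participant variable is visible here. The check should be `if (principal->retry_count < principal->retry_max) {`. As posted it either fails to compile, which matches the follow-up saying the patch has compilation errors, or takes the limit from a different object than the one being counted.
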
> @@ -3358,9 +3358,13 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay
> *kay, struct mka_key_name *ckn,
>          * create a "standby" MKA, and we need it to remain live until
>          * some peer appears.
>          */
> -       if (mode != PSK) {
> +       if (mode == PSK) {
> +               participant->mka_life = 0;
> +               participant->retry_max = 0xFFFFFFFF;
> +       } else {
>                 participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) +
>                         usecs / 1000000;
> +               participant->retry_max = MAX_RETRY_CNT;
>         }
>
>         return participant;
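
Review bot: The bare 0xFFFFFFFF assigned to retry_max in the PSK branch should be a named constant defined next to MAX_RETRY_CNT, with a comment that it means effectively unlimited retries. The added `participant->mka_life = 0;` is not mentioned in the commit message; the old code did not touch mka_life for PSK, so either explain why the assignment is needed or drop it from this patch. The block comment above the `if` only talks about the MKA staying live and could be extended to cover the retry limit.
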
> diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
> index 0c4bb8e..a7acc72 100644
> --- a/src/pae/ieee802_1x_kay_i.h
> +++ b/src/pae/ieee802_1x_kay_i.h
> @@ -143,6 +143,7 @@ struct ieee802_1x_mka_participant {
>
>         struct data_key *new_key;
>         u32 retry_count;
> +       u32 retry_max;
>
>         struct ieee802_1x_kay *kay;
>  };
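
Review bot: The new retry_max field after retry_count has no comment. Document it as the upper bound that retry_count is compared against and note that PSK mode sets it to the maximum u32 value, so readers of the struct do not have to find that in ieee802_1x_kay_create_mka.
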
> --
> 2.6.1.133.gf5b6079


