[PATCH v2] MKA: delay allReceiving until potential peer list is empty

Greg Goblirsch gregg at thinklogical.com
Mon Apr 25 10:19:51 PDT 2022


The potential peers will not receive a key. Not installing the SAK will cause the key server to resend it. Peers that have installed the SAK will ignore it.

Signed-off-by: Greg Goblirsch <gregg at thinklogical.com>

@@ -1737,6 +1762,12 @@ ieee802_1x_mka_decode_dist_sak_body(
                return -1;
        }
 
+       if (!dl_list_empty(&participant->potential_peers)) {
+               wpa_printf(MSG_ERROR,
+                       "KaY: I can't accept the distributed SAK as potential peer list is not empty");
+               return -1;
+       }
+
        if (body_len == 0) {
                kay->authenticated = true;
                kay->secured = false;
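Review bot: the new rejection at the top of the hunk runs before the `body_len == 0` branch, so while potential peers remain the participant also refuses a zero-length Distributed SAK body, the case the following context lines handle by setting `kay->authenticated = true;` and `kay->secured = false;`. The commit message only motivates deferring SAK installation, so either move the check below the `body_len == 0` block or say explicitly in the commit message that the unsecured-mode signal is meant to be deferred as well. Separately, the commit message describes an expected, self-healing state (the key server resends the SAK), so MSG_ERROR and the wording "I can't accept" read too loud; MSG_INFO or MSG_DEBUG with neutral text such as "KaY: Delaying SAK acceptance until potential peer list is empty" would match the condition better, and it is worth confirming that returning -1 here only drops this MKPDU rather than tearing down the participant.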


@@ -2142,15 +2173,13 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
                return -1;
        }

9.8 SAK generation, distribution, and selection

Address FIXME.

-       /* FIXME: A fresh SAK not generated until
+       /* A fresh SAK not generated until
         * the live peer list contains at least one peer and
         * MKA life time has elapsed since the prior SAK was first distributed,
         * or the Key server's potential peer is empty
-        * but I can't understand the second item, so
-        * here only check first item and ingore
-        *   && (!dl_list_empty(&participant->potential_peers))) {
         */
-       if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) {
+       if (((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) &&
+           (!dl_list_empty(&participant->potential_peers))) {
                wpa_printf(MSG_ERROR,
                           "KaY: Life time has not elapsed since prior SAK distributed");
                return -1;
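Review bot: the unchanged log message "KaY: Life time has not elapsed since prior SAK distributed" no longer describes the whole condition now that the branch also requires a non-empty potential peer list; update it to something like "KaY: Life time has not elapsed since prior SAK distributed and potential peer list is not empty" so a log reader can tell why generation was skipped. The rewritten comment is still missing its verb ("A fresh SAK is not generated until ..."), carried over from the old text. Also, the lines "9.8 SAK generation, distribution, and selection" and "Address FIXME." sit inside the hunk between its context lines, which will make the patch fail to apply with git am; put the clause reference (with the full standard name) in the commit message and any other notes below the `---` separator.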


