[PATCH v2] MKA: delay allReceiving until potential peer list is empty
Greg Goblirsch
gregg at thinklogical.com
Mon Apr 25 10:19:51 PDT 2022
The potential peers will not receive a key. Not installing the SAK will cause the key server to resend it. Peers that have installed the SAK will ignore it.
Signed-off-by: Greg Goblirsch <gregg at thinklogical.com>
@@ -1737,6 +1762,12 @@ ieee802_1x_mka_decode_dist_sak_body(
return -1;
}
+ if (!dl_list_empty(&participant->potential_peers)) {
+ wpa_printf(MSG_ERROR,
+ "KaY: I can't accept the distributed SAK as potential peer list is not empty");
+ return -1;
+ }
+
if (body_len == 0) {
kay->authenticated = true;
kay->secured = false;
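Review bot: the new potential-peer check is placed before the `if (body_len == 0)` branch, so a Distributed SAK parameter set with an empty body (key server signalling no SAK, the `authenticated = true` / `secured = false` path) is now also rejected with `return -1` whenever the potential peer list is non-empty; if the intent is only to defer installing a real SAK, consider moving the check after that branch. Also, since the commit message describes this as an expected, self-correcting condition (the key server will simply resend), logging it at `MSG_ERROR` will be noisy on every retransmission; `MSG_INFO` or `MSG_DEBUG` would better match the surrounding code's use of `MSG_ERROR` for genuine failures.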
@@ -2142,15 +2173,13 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
return -1;
}
9.8 SAK generation, distribution, and selection
Address FIXME.
- /* FIXME: A fresh SAK not generated until
+ /* A fresh SAK not generated until
* the live peer list contains at least one peer and
* MKA life time has elapsed since the prior SAK was first distributed,
* or the Key server's potential peer is empty
- * but I can't understand the second item, so
- * here only check first item and ingore
- * && (!dl_list_empty(&participant->potential_peers))) {
*/
- if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) {
+ if (((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) &&
+ (!dl_list_empty(&participant->potential_peers))) {
wpa_printf(MSG_ERROR,
"KaY: Life time has not elapsed since prior SAK distributed");
return -1;
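Review bot: the rewritten comment still drops the verb ("A fresh SAK not generated until ...") and now describes three conditions, of which only the life-time and potential-peer terms are checked in the visible code; suggest "A fresh SAK is not generated until the live peer list contains at least one peer and either MKA life time has elapsed since the prior SAK was first distributed or the key server's potential peer list is empty", and note where the live-peer condition is enforced if it is elsewhere. The error text "KaY: Life time has not elapsed since prior SAK distributed" is also now only half the failing condition; extending it to something like "... and potential peer list is not empty" would make the log line match the new `&&` test. Finally, the comparison keeps the pre-existing `time(NULL)` second granularity against `MKA_LIFE_TIME / 1000`, so the life time is effectively rounded down by up to a second; that is unchanged by this patch but worth a mention in the comment.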