[PATCH v2] MKA: Do not enable MACsec transmission if there is any risk of a duplicate SCI
Greg Goblirsch
gregg at thinklogical.com
Mon Apr 25 10:08:10 PDT 2022
Restarting wpa_supplicant can result in a live peer and a potential peer having the same SCI.
From IEEE 802.1X, clause 9.4.2 (Member identification and message numbers): "The KaY will not enable MACsec transmission if there is any risk of a duplicate SCI."
Signed-off-by: Greg Goblirsch <gregg at thinklogical.com>
@@ -466,6 +466,25 @@ ieee802_1x_kay_get_peer_sci(struct ieee802_1x_mka_participant *participant,
}
+/**
+ * ieee802_1x_kay_get_live_peer_sci
+ */
+static struct ieee802_1x_kay_peer *
+ieee802_1x_kay_get_live_peer_sci(struct ieee802_1x_mka_participant *participant,
+ const struct ieee802_1x_mka_sci *sci)
+{
+ struct ieee802_1x_kay_peer *peer;
+
+ dl_list_for_each(peer, &participant->live_peers,
+ struct ieee802_1x_kay_peer, list) {
+ if (sci_equal(&peer->sci, sci))
+ return peer;
+ }
+
+ return NULL;
+}
+
+
static void ieee802_1x_kay_use_data_key(struct data_key *pkey);
/**
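Review bot: The doc comment added above ieee802_1x_kay_get_live_peer_sci only repeats the function name; the block should state what the lookup does and what it returns, in the kerneldoc style used by the neighbouring comments. I would write a one-line summary `ieee802_1x_kay_get_live_peer_sci - Find a live peer by its SCI`, document @participant as the MKA participant whose live_peers list is walked and @sci as the Secure Channel Identifier to match with sci_equal(), and close with `Returns: the matching live peer, or NULL if no live peer has this SCI`. The hunk header names an existing ieee802_1x_kay_get_peer_sci(); if that helper already walks live_peers with the same sci_equal() loop, the new function duplicates it and the two could share one list-walking helper, but that code is outside the hunk so I cannot confirm it here.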
@@ -683,6 +702,13 @@ ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
if (!peer)
return NULL;
+ if (ieee802_1x_kay_get_live_peer_sci(participant,
+ &participant->current_peer_sci)) {
+ wpa_printf(MSG_WARNING,
+ "KaY: live peer and potential peer have the same SCI");
+ return NULL;
+ }
+
rxsc = ieee802_1x_kay_init_receive_sc(&participant->current_peer_sci);
if (!rxsc)
return NULL;