From e54691106b29f41aa3081b00eb4f48e411cebc72 Mon Sep 17 00:00:00 2001 From: Badrish Adiga H R Date: Fri, 6 Jan 2017 15:27:10 +0530 Subject: [PATCH] mka: Some bug fixes for MACsec in PSK mode Issue: ------ The test setup has 2 peers running MACsec in PSK mode, Peer A with MAC address higher than MAC Address of peer B. Test sequence is 1. Peer B starts with actor_priority 255 2. Peer A starts with priority 16, becomes key server. 3. Peer A stops.. 4. Peer A restarts with priority 255, but because of the stale values participant->is_key_server(=TRUE) and participant->is_elected(=TRUE) it continues to remain as Key Server. 5. For peer B, key server election happens and since it has lower MAC address as compared to MAC address of A, it becomes the key server. Now we have 2 key servers in CA and is not correct. Root-cause & fix: ----------------- When number of live peers become 0, the flags such lrx, ltx, orx, otx, etc. need to be cleared. In MACsec PSK mode, these stale values create problems while re-establishing CA. Signed-off-by: Badrish Adiga H R --- src/pae/ieee802_1x_kay.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 79a6878d3..92fd7ba26 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->advised_capability = MACSEC_CAP_NOT_IMPLEMENTED; participant->to_use_sak = FALSE; + participant->ltx = FALSE; + participant->lrx = FALSE; + participant->otx = FALSE; + participant->orx = FALSE; + participant->is_key_server = FALSE; + participant->is_elected = FALSE; kay->authenticated = TRUE; kay->secured = FALSE; kay->failed = FALSE;