[PATCH] mka: Some bug fixes for MACsec in PSK mode

Hi Jouni,

In case this got missed in your list, a kind reminder to review...

regards,
Badrish

On Fri, Jan 6, 2017 at 3:27 PM, Badrish Adiga H R
<badrish.adigahr@xxxxxxxxx> wrote:
> Issue:
> ------
> The test setup has 2 peers running MACsec in PSK mode, Peer A with
> MAC address higher than MAC Address of peer B. Test sequence is
> 1. Peer B starts with actor_priority 255
> 2. Peer A starts with priority 16, becomes key server.
> 3. Peer A stops..
> 4. Peer A restarts with priority 255, but because of the stale values
> participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
> it continues to remain as Key Server.
> 5. For peer B, key server election happens and since it has a lower MAC
> address compared to the MAC address of A, it becomes the key server.
> Now we have 2 key servers in the CA, which is not correct.
>
> Root-cause & fix:
> -----------------
> When the number of live peers becomes 0, flags such as lrx, ltx, orx,
> otx etc. need to be cleared. In MACsec PSK mode, these stale values
> create problems while re-establishing the CA...
>
> Signed-off-by: Badrish Adiga H R <badrish.adigahr@xxxxxxxxx>
> ---
>  src/pae/ieee802_1x_kay.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
> index 1004b32..f420a16 100644
> --- a/src/pae/ieee802_1x_kay.c
> +++ b/src/pae/ieee802_1x_kay.c
> @@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void
> *eloop_ctx, void *timeout_ctx)
>                         participant->advised_capability =
>                                 MACSEC_CAP_NOT_IMPLEMENTED;
>                         participant->to_use_sak = FALSE;
> +                       participant->ltx = FALSE;
> +                       participant->lrx = FALSE;
> +                       participant->otx = FALSE;
> +                       participant->orx = FALSE;
> +                       participant->is_key_server = FALSE;
> +                       participant->is_elected = FALSE;
>                         kay->authenticated = TRUE;
>                         kay->secured = FALSE;
>                         kay->failed = FALSE;
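
Review bot: The two added resets that match the reported symptom, "participant->is_key_server = FALSE;" and "participant->is_elected = FALSE;", are not covered by the root-cause text, which names only lrx, ltx, orx and otx. Please add a short comment above the six assignments saying they clear per-participant SAK usage and election state once no live peers remain, so the next election starts clean, and name the two election flags in the commit message as well. Separately, the hunk header is wrapped across two lines ("void" / "*eloop_ctx") in the mail as sent, so the patch may not apply as received; a resend with line wrapping disabled would avoid that.
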
> --
> 2.6.1.133.gf5b6079

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
