[PATCH 15/15] mka: do not update potential peer liveness timer

From: Mike Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>

To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.

Per IEEE802.1X-2010 9.4.3 Determining liveness, potential peers need to
show liveness by including our MI/MN in their transmitted MKPDU (within
potential or live parameter sets).

When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.

If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, then let the peer expire to facilitate getting back in
sync with the remote peer.

Signed-off-by: Michael Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4323b6dc0..6ac7d02d1 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3180,14 +3180,21 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                } else {
                        peer->missing_sak_use_count = 0;
                }
+
+               /* Only update live peer watchdog after successful decode of all parameter sets */
+               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
        } else {
                /* MKPDU is from new or potential peer */
                peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi);
-       }
+               if (!peer)
+                       return -1;

-       /* Only update live peer watchdog after successful decode of all parameter sets */
-       if (peer)
-               peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
+               /* Do not update potential peer watchdog.  Per IEEE802.1X-2010 9.4.3,
+                * potential peers need to show liveness by including our MI/MN in their
+                * transmitted MKPDU (within potential or live parameter sets).  When
+                * a potential peer does include our MI/MN in an MKPDU, we respond by
+                * moving the peer from 'potential_peers' to 'live_peers'. */
+       }

        kay->active = TRUE;
        participant->retry_count = 0;
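
Review bot: The added "if (!peer) return -1;" in the else branch changes behaviour beyond what the commit message describes. Before this change a NULL result from ieee802_1x_kay_get_peer() was tolerated by the "if (peer)" guard, and the function went on to set kay->active and reset participant->retry_count. With this change the decode fails at that point, and the added lines log nothing. If rejecting the MKPDU here is intended, say so in the commit message and add a debug message before the return. Otherwise keep the fall-through and just drop the expire update for this branch. Two smaller points: the commit message names MKPDU_LIFE_TIME while the code uses MKA_LIFE_TIME, so one of them should be corrected, and the comment moved into the live-peer branch now runs past 80 columns at its new indentation and should be wrapped.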
--
2.11.1

