[PATCH 04/15] mka: Loss of live peers should result in connect PENDING not AUTHENTICATED

From: Mike Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>

When the number of live peers becomes 0 the KaY is setting
'kay->authenticated' true and telling the CP to connect AUTHENTICATED.
Per IEEE802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server
has proved mutual authentication but has determined that Controlled Port
communication should proceed without the use of MACsec", which means
port traffic will be passed in the clear.
When the number of live peers becomes 0 the KaY must instead set
'kay->authenticated' false and tell the CP to connect PENDING.  Per
Clause 12.3 connect PENDING will "prevent connectivity by clearing the
controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik <msiedzik@xxxxxxxxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 41e5a07e6..fd329e610 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2393,7 +2393,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                        participant->orx = FALSE;
                        participant->is_key_server = FALSE;
                        participant->is_elected = FALSE;
-                       kay->authenticated = TRUE;
+                       kay->authenticated = FALSE;
                        kay->secured = FALSE;
                        kay->failed = FALSE;
                        kay->ltx_kn = 0;
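
Review bot: The new `kay->authenticated = FALSE;` line carries no comment saying why this branch must not report authenticated, so a later cleanup could easily flip it back. With `authenticated`, `secured` and `failed` now all FALSE here, a one-line comment above the assignment citing IEEE 802.1X-2010 Clause 12.2 (no live peers means mutual authentication is no longer proven, so the port must not pass traffic in the clear) would record the intent. The flag also has to stay in step with the CP call changed in the next hunk, so the comment could note that the two belong together.
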
@@ -2410,7 +2410,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                                ieee802_1x_delete_transmit_sa(kay, txsa);
                        }

-                       ieee802_1x_cp_connect_authenticated(kay->cp);
+                       ieee802_1x_cp_connect_pending(kay->cp);
                        ieee802_1x_cp_sm_step(kay->cp);
                } else {
                        ieee802_1x_kay_elect_key_server(participant);
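
Review bot: The replacement call `ieee802_1x_cp_connect_pending(kay->cp);` takes effect without any log output in the lines shown, although per the commit message connect PENDING clears controlledPortEnabled and so cuts connectivity on the controlled port. A debug message just before the call, stating that all live peers were lost and the CP is being moved to PENDING, would let an operator tell this timeout path apart from other causes of a blocked port. It would also help to state in the commit message how the change was tested, for example that a peer timeout now blocks the port and that connectivity recovers once a peer becomes live again.
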
--
2.11.1

