Potential bug in wpa_supplicant/macsec in peer-to-peer PSK mode

Hello,

I am using the macsec MKA implementation to auto-configure the SAK
keys on 3 devices connected together via a switch:

a ------ b ------- c

The wpa_supplicant mka priority is set to 255, so the 3 devices elect
a key server and quickly set up SAKs and communicate via macsec.
However, if I kill the wpa_supplicant on any one of the devices and
restart it, sometimes one or more of the devices fails to create
receive secure channels for the other 2 peers.

I traced this to this line in src/pae/ieee802_1x_kay.c:

    if (secy_create_receive_sc(participant->kay, rxsc)) {
        wpa_printf(MSG_ERROR, "KaY: Can't create SC, discard peer");
        os_free(rxsc);
        os_free(peer);
        return NULL;
    }
Since wpa_supplicant previously successfully created the SC, when it
is restarted, it negotiates correctly and when it tries to create the
receive channel, it fails because it exists already. I changed this
code to check if the return error is -6 (Object Exists), in which case
it does not discard the peer:

-       if (secy_create_receive_sc(participant->kay, rxsc)) {
+       int ret = secy_create_receive_sc(participant->kay, rxsc);
+        if (ret != 0 && ret != -6) { // ignore if already present
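Review bot: the literal -6 checked here is libnl's NLE_EXIST ("Object exists") leaking through the driver wrapper into src/pae/ieee802_1x_kay.c, so the KaY code becomes tied to the netlink error space; translating the already-exists case inside the driver backend (or at least naming the constant) would keep ieee802_1x_kay.c backend-independent and make the intent obvious to the next reader. Two style points for a hostap patch: `int ret` is declared mid-block instead of with the function's other declarations, and the `//` comment should be a `/* ... */` comment; the two `+` lines are also indented one space deeper than the `-` line they replace. With no context lines the fragment cannot be applied as-is, so a git-formatted patch would help review.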

Is this ok? Does it break any other expected behavior in macsec?

Thanks,
Ajit.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
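The following is an added example, not wpa_supplicant code and not the patch from the message above. It models the situation described in the thread: the kernel keeps its receive secure channels across a wpa_supplicant restart, so a fresh KaY instance that recreates them hits an "already exists" error. The table, the stand-in driver call (model_create_receive_sc) and the two add_peer policies are hypothetical names; the error value is assumed to be libnl's NLE_EXIST (6), returned negated as -6 as in the message. The strict policy discards the peer on any error, the idempotent policy only on errors other than "already exists", and a table-full case shows that the idempotent policy still rejects genuine failures.

```c
/*
 * Added example, not wpa_supplicant code.  A small model of the receive-SC
 * creation path: kernel-side SC table survives a restart, the KaY state does
 * not.  All names are hypothetical; MODEL_NLE_EXIST mirrors libnl's NLE_EXIST.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MODEL_NLE_NOMEM 5   /* libnl "Out of memory", used here for a full table */
#define MODEL_NLE_EXIST 6   /* libnl "Object exists", returned by the driver as -6 */
#define MAX_RXSC 4

/* Kernel-side state that outlives a wpa_supplicant restart: receive secure
 * channels keyed by SCI (secure channel identifier). */
struct sc_table {
    uint64_t sci[MAX_RXSC];
    int count;
};

/* Stand-in for the driver call: 0 on success, -NLE_EXIST if the SCI is
 * already installed, -NLE_NOMEM if no slot is free. */
int model_create_receive_sc(struct sc_table *t, uint64_t sci)
{
    for (int i = 0; i < t->count; i++)
        if (t->sci[i] == sci)
            return -MODEL_NLE_EXIST;
    if (t->count == MAX_RXSC)
        return -MODEL_NLE_NOMEM;
    t->sci[t->count++] = sci;
    return 0;
}

/* Behaviour quoted from ieee802_1x_kay.c: any non-zero result discards the
 * peer.  Returns 1 if the peer is kept, 0 if discarded. */
int add_peer_strict(struct sc_table *t, uint64_t sci)
{
    return model_create_receive_sc(t, sci) == 0;
}

/* Proposed behaviour: an SC that already exists is reused; every other
 * error still discards the peer. */
int add_peer_idempotent(struct sc_table *t, uint64_t sci)
{
    int ret = model_create_receive_sc(t, sci);
    if (ret != 0 && ret != -MODEL_NLE_EXIST)
        return 0;
    return 1;
}

/* Constructed scenario: first run installs two peers, the "restart" keeps the
 * kernel table, the second run re-adds the same peers under the given policy.
 * Returns how many peers the second run accepted. */
int simulate_restart(int (*policy)(struct sc_table *, uint64_t))
{
    struct sc_table t;
    const uint64_t peers[] = { 0x0001020304050001ULL, 0x0001020304050002ULL };
    int n = (int)(sizeof(peers) / sizeof(peers[0]));
    int accepted = 0;

    memset(&t, 0, sizeof(t));
    for (int i = 0; i < n; i++)
        add_peer_strict(&t, peers[i]);      /* first run: table empty, all succeed */
    /* restart: KaY forgets its peers, the kernel table is unchanged */
    for (int i = 0; i < n; i++)
        accepted += policy(&t, peers[i]);
    return accepted;
}

/* The idempotent policy must not mask real failures: fill the table with
 * distinct SCIs, then try a new one.  Returns 1 if the new peer was rejected. */
int table_full_still_rejected(void)
{
    struct sc_table t;
    memset(&t, 0, sizeof(t));
    for (uint64_t i = 1; i <= MAX_RXSC; i++)
        add_peer_idempotent(&t, i);
    return add_peer_idempotent(&t, 0xffffULL) == 0;
}

int main(void)
{
    printf("after restart: strict keeps %d peers, idempotent keeps %d peers\n",
           simulate_restart(add_peer_strict),
           simulate_restart(add_peer_idempotent));
    printf("full table rejected under idempotent policy: %d\n",
           table_full_still_rejected());
    return 0;
}
```

In the model the strict policy keeps none of the peers after the restart, which is the symptom from the message, while the idempotent policy keeps both and still rejects the table-full error.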


