The potential peers will not receive a key. Not installing the SAK will cause the key server to resend it. Peers that have installed the SAK will ignore it.
@@ -1737,6 +1762,12 @@ ieee802_1x_mka_decode_dist_sak_body(
 return -1;
 }

+ if (!dl_list_empty(&participant->potential_peers)) {
+ wpa_printf(MSG_ERROR,
+ "KaY: I can't accept the distributed SAK as potential peer list is not empty");
+ return -1;
+ }
+
 if (body_len == 0) {
 kay->authenticated = true;
 kay->secured = false;
@@ -2142,15 +2173,13 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
 return -1;
 }
9.8 SAK generation, distribution, and selection Address FIXME.
- /* FIXME: A fresh SAK not generated until
+ /* A fresh SAK not generated until
 * the live peer list contains at least one peer and
 * MKA life time has elapsed since the prior SAK was first distributed,
 * or the Key server's potential peer is empty
- * but I can't understand the second item, so
- * here only check first item and ingore
- * && (!dl_list_empty(&participant->potential_peers))) {
 */
- if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) {
+ if (((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) &&
+ (!dl_list_empty(&participant->potential_peers))) {
 wpa_printf(MSG_ERROR,
 "KaY: Life time has not elapsed since prior SAK distributed");
 return -1;
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
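Review bot: The new potential-peer check in ieee802_1x_mka_decode_dist_sak_body is placed ahead of the `if (body_len == 0)` branch, so an empty Distributed SAK body — which the existing code handles as `kay->authenticated = true; kay->secured = false;` — is now also rejected whenever potential peers remain, a case the description (which only talks about a key being resent) does not cover; if that is intended, a comment such as `/* An empty (no-SAK) body is refused as well while potential peers remain */` should say so, otherwise the check belongs after that branch. The rejection is logged at MSG_ERROR even though the description presents it as an ordinary transient state that the key server clears by resending, so `wpa_printf(MSG_DEBUG,` with the same text would keep the error log meaningful when the SAK is resent several times. What a `-1` return does to the rest of the MKPDU is not visible here, so whether the remaining parameter sets are still processed is worth confirming. The function's body continues outside the hunk.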
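Review bot: The unchanged wpa_printf text in ieee802_1x_kay_generate_new_sak no longer describes the condition, since the rewritten `if` now refuses only when the life time is unexpired and the potential peer list is also non-empty; `"KaY: Life time has not elapsed since prior SAK distributed and potential peers remain"` would state what is actually checked. The rewritten comment still quotes the standard's positive rule while the code tests its negation, so closing it with `* i.e. refuse only while the life time is unexpired and potential peers exist` would spare the next reader the inversion. The comparison still derives the elapsed time from wall-clock `time(NULL)` against `kay->dist_time`, so a clock step can shorten or stretch the MKA life time; that predates this change, but as the line is being rewritten a monotonic source (presumably os_get_reltime(), if dist_time can be changed to match — its type is not visible here) would be worth considering. The enclosing function starts outside the hunk.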