
mka: Some bug fixes for MACsec in PSK mode

Message ID CAGNNFCZJx1cZY7eVgRh8C7V=u5SHKjw1eo097AKeVZXUCfRZTA@mail.gmail.com
State Accepted

Commit Message

Badrish Adiga H R Jan. 6, 2017, 9:57 a.m. UTC
Issue:
------
The test setup has 2 peers running MACsec in PSK mode, Peer A with
MAC address higher than MAC Address of peer B. Test sequence is
1. Peer B starts with actor_priority 255
2. Peer A starts with priority 16, becomes key server.
3. Peer A stops..
4. Peer A restarts with priority 255, but because of the stale values
participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
it continues to remain as Key Server.
5. For peer B, key server election happens and since it has lower MAC
address as compared to MAC address of A, it becomes the key server.
Now we have 2 key servers in the CA, which is not correct.

Root-cause & fix:
-----------------
When the number of live peers becomes 0, the flags such as lrx, ltx, orx,
otx etc. need to be cleared. In MACsec PSK mode, these stale values
create problems while re-establishing CA...

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
 src/pae/ieee802_1x_kay.c | 6 ++++++
 1 file changed, 6 insertions(+)

                        kay->failed = FALSE;
--
2.6.1.133.gf5b6079

Comments

Jouni Malinen Feb. 6, 2017, 8:57 p.m. UTC | #1
On Fri, Jan 06, 2017 at 03:27:10PM +0530, Badrish Adiga H R wrote:
> Issue:
> ------
> The test setup has 2 peers running MACsec in PSK mode, Peer A with
> MAC address higher than MAC Address of peer B. Test sequence is
> 1. Peer B starts with actor_priority 255
> 2. Peer A starts with priority 16, becomes key server.
> 3. Peer A stops..
> 4. Peer A restarts with priority 255, but because of the stale values
> participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
> it continues to remain as Key Server.
> 5. For peer B, key server election happens and since it has lower MAC
> address as compared to MAC address of A, it becomes the key server.
> Now we have 2 key servers in the CA, which is not correct.
> 
> Root-cause & fix:
> -----------------
> When the number of live peers becomes 0, the flags such as lrx, ltx, orx,
> otx etc. need to be cleared. In MACsec PSK mode, these stale values
> create problems while re-establishing CA...

Thanks, applied.

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 1004b32..f420a16 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2378,6 +2378,12 @@  static void ieee802_1x_participant_timer(void
*eloop_ctx, void *timeout_ctx)
                        participant->advised_capability =
                                MACSEC_CAP_NOT_IMPLEMENTED;
                        participant->to_use_sak = FALSE;
+                       participant->ltx = FALSE;
+                       participant->lrx = FALSE;
+                       participant->otx = FALSE;
+                       participant->orx = FALSE;
+                       participant->is_key_server = FALSE;
+                       participant->is_elected = FALSE;
                        kay->authenticated = TRUE;
                        kay->secured = FALSE;
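
Review bot: the six resets added after `participant->to_use_sak = FALSE;` (ltx, lrx, otx, orx, is_key_server, is_elected) have no comment saying why they belong in this block, and the condition guarding the block is outside the hunk. A short comment above `participant->ltx = FALSE;` should state that this is the path taken when no live peers remain and that election and SAK usage state must not survive it. That would keep a later edit from dropping one of the assignments. The commit message says a leftover is_key_server or is_elected leaves two key servers in one CA, so it is worth confirming that any other per-election state held for this participant is cleared in the same place. Consider moving the resets into one helper so the list cannot drift. The subject line "Some bug fixes" is also too vague for a change this specific; naming the stale key server flags would make the fix easier to find later.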