@@ -773,6 +773,7 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
struct ieee802_1x_kay_peer *peer;
size_t ckn_len;
size_t body_len;
+ time_t new_expire;
body = (const struct ieee802_1x_mka_basic_body *) mka_msg;
@@ -816,16 +817,20 @@ ieee802_1x_mka_decode_basic_body(struct ieee802_1x_kay *kay, const u8 *mka_msg,
peer = ieee802_1x_kay_get_peer(participant, body->actor_mi);
if (!peer) {
/* Check duplicated SCI */
- /* TODO: What policy should be applied to detect duplicated SCI
- * is active attacker or a valid peer whose MI is be changed?
- */
peer = ieee802_1x_kay_get_peer_sci(participant,
&body->actor_sci);
if (peer) {
wpa_printf(MSG_WARNING,
"KaY: duplicated SCI detected, Maybe active attacker");
- dl_list_del(&peer->list);
- os_free(peer);
+ /* Ignore this request. If it is valid peer whose MI is be changed
+ * just wait until the active one would be removed by timeout.
+ * Reduce timeout to speed up this process but left the chance for
+ * old one to prove aliveness.
+ */
+ new_expire = time(NULL) + MKA_HELLO_TIME * 1.5 / 1000;
+ if (peer->expire > new_expire)
+ peer->expire = new_expire;
+ return NULL;
}
peer = ieee802_1x_kay_create_potential_peer(
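Review bot: The deadline in `new_expire = time(NULL) + MKA_HELLO_TIME * 1.5 / 1000;` is computed in floating point and implicitly converted back to `time_t`; integer arithmetic is exact and avoids the conversion, e.g. `new_expire = time(NULL) + MKA_HELLO_TIME * 3 / 2 / 1000;`. Every frame with the conflicting SCI re-applies the clamp and emits the MSG_WARNING line with no rate limit, so while such frames keep arriving the established peer has to refresh within one and a half hello intervals (assuming its own hellos are what extend `peer->expire`; that code is outside the hunk). Whether the frame has been authenticated before this branch is not visible here; if it has not, the clamp belongs behind that check. The new comment should state this trade-off, and the warning should log the received SCI so the event can be correlated. The function body begins and ends outside the hunk, so how the caller treats the new `return NULL` needs confirming there.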