From patchwork Wed Apr 20 18:16:13 2022
X-Patchwork-Submitter: Greg Goblirsch
X-Patchwork-Id: 1619726
From: Greg Goblirsch
To: "hostap@lists.infradead.org"
Subject: Key Server support for Group CAs
Date: Wed, 20 Apr 2022 18:16:13 +0000

Signed-off-by: Greg Goblirsch
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index a1f8ae934..c9441b394 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -1159,10 +1159,9 @@ static int ieee802_1x_mka_decode_live_peer_body( continue; peer = ieee802_1x_kay_get_peer(participant, peer_mi->mi); - if (peer) { - peer->mn = peer_mn; - } else if (!ieee802_1x_kay_create_potential_peer( - participant, peer_mi->mi, peer_mn)) { + if (!peer) { + if (!ieee802_1x_kay_create_potential_peer( + participant, peer_mi->mi, peer_mn)) return -1; } }
@@ -1737,6 +1736,12 @@ ieee802_1x_mka_decode_dist_sak_body( return -1; } + if (!dl_list_empty(&participant->potential_peers)) { + wpa_printf(MSG_ERROR, + "KaY: I can't accept the distributed SAK as potential peer list is not empty"); + return -1; + } + if (body_len == 0) { kay->authenticated = true; kay->secured = false; @@ -2142,15 +2147,13 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant) return -1; } - /* FIXME: A fresh SAK not generated until + /* A fresh SAK not generated until * the live peer list contains at least one peer and * MKA life time has elapsed since the prior SAK was first distributed, * or the Key server's potential peer is empty - * but I can't understand the second item, so - * here only check first item and ingore - * && (!dl_list_empty(&participant->potential_peers))) { */ - if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) { + if (((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) && + (!dl_list_empty(&participant->potential_peers))) { wpa_printf(MSG_ERROR, "KaY: Life time has not elapsed since prior SAK distributed"); return -1; @@ -2290,9 +2293,6 @@ ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant) /* elect the key server among the peers */ dl_list_for_each(peer, &participant->live_peers, struct ieee802_1x_kay_peer, list) { - if (!peer->is_key_server) - continue; - if (!key_server) { key_server = peer; continue; @@ -2645,10 +2645,10 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) } if (participant->new_sak && participant->is_key_server) { - if (!ieee802_1x_kay_generate_new_sak(participant)) + if (!ieee802_1x_kay_generate_new_sak(participant)) { participant->to_dist_sak = true; - - participant->new_sak = false; + participant->new_sak = false; + } } if (participant->retry_count < MAX_RETRY_CNT || 
@@ -3217,8 +3217,6 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, int i; const u8 *pos; bool handled[256]; - bool bad_sak_use = false; /* Error detected while processing SAK Use - * parameter set */ bool i_in_peerlist, is_in_live_peer, is_in_potential_peer; wpa_printf(MSG_DEBUG, "KaY: Decode received MKPDU (ifname=%s)", @@ -3310,22 +3308,10 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, if (mka_body_handler[body_type].body_rx (participant, pos, left_len) != 0) { /* Handle parameter set failure */ - if (body_type != MKA_SAK_USE) { - wpa_printf(MSG_INFO, - "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", - body_type); - return -1; - } - - /* Ideally DIST-SAK should be processed before - * SAK-USE. Unfortunately IEEE Std 802.1X-2010, - * 11.11.3 (Encoding MKPDUs) states SAK-USE(3) - * must always be encoded before DIST-SAK(4). - * Rather than redesigning mka_body_handler so - * that it somehow processes DIST-SAK before - * SAK-USE, just ignore SAK-USE failures if - * DIST-SAK is also present in this MKPDU. */ - bad_sak_use = true; + wpa_printf(MSG_INFO, + "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", + body_type); + return -1; } } else { wpa_printf(MSG_ERROR, @@ -3334,19 +3320,6 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, } } - if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) { - wpa_printf(MSG_INFO, - "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed", - MKA_SAK_USE); - if (!reset_participant_mi(participant)) - wpa_printf(MSG_DEBUG, "KaY: Could not update mi"); - else - wpa_printf(MSG_DEBUG, - "KaY: Selected a new random MI: %s", - mi_txt(participant->mi)); - return -1; - } - /* Detect missing parameter sets */ peer = ieee802_1x_kay_get_live_peer(participant, participant->current_peer_id.mi); 
@@ -3773,21 +3746,28 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, dl_list_add(&kay->participant_list, &participant->list); - usecs = os_random() % (kay->mka_hello_time * 1000); - eloop_register_timeout(0, usecs, ieee802_1x_participant_timer, - participant, NULL); - /* Disable MKA lifetime for PSK mode. * The peer(s) can take a long time to come up, because we * create a "standby" MKA, and we need it to remain live until * some peer appears. */ if (mode != PSK) { + usecs = os_random() % (kay->mka_hello_time * 1000); participant->mka_life = MKA_LIFE_TIME / 1000 + time(NULL) + usecs / 1000000; } participant->mode = mode; + if (participant->retry_count < MAX_RETRY_CNT || + participant->mode == PSK) { + ieee802_1x_participant_send_mkpdu(participant); + participant->retry_count++; + } + + eloop_register_timeout(kay->mka_hello_time / 1000, 0, + ieee802_1x_participant_timer, + participant, NULL); + return participant; fail:
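Review bot: In the @@ -1159 hunk (ieee802_1x_mka_decode_live_peer_body), the peer->mn = peer_mn assignment for an already known peer is dropped with no replacement and no explanation in the commit message or in a comment, so a known peer keeps its earlier message number when a later peer list names it again. Please state why the update must not happen here, or keep it. The nested form can also be a single condition, if (!peer && !ieee802_1x_kay_create_potential_peer(...)) return -1;, which avoids a brace-less inner if inside a braced outer one.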
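Review bot: In the @@ -1737 hunk (ieee802_1x_mka_decode_dist_sak_body), returning -1 whenever participant->potential_peers is non-empty interacts badly with the @@ -3310 hunk, where any parameter set failure now discards the whole MKPDU: while a single potential peer is listed, every MKPDU that carries a Distributed SAK is dropped together with its other parameter sets. If the intent is only to defer the key, skip the parameter set and return 0 at a lower level than MSG_ERROR, and add a comment naming the clause of the standard that requires the check. The log text would read better without the first person, for example "KaY: Ignoring Distributed SAK: potential peer list is not empty".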
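Review bot: In the @@ -2142 hunk (ieee802_1x_kay_generate_new_sak), the rewritten comment names three conditions (a live peer, MKA life time elapsed, empty potential peer list) but the condition under it tests only two, and with an empty potential peer list it allows a new SAK with no minimum interval since kay->dist_time. Say in the comment where the live peer list is checked, and correct "potential peer is empty" to "potential peer list is empty". The log text "KaY: Life time has not elapsed since prior SAK distributed" is no longer the whole reason for the refusal and should mention the potential peers.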
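Review bot: In the @@ -2290 hunk (ieee802_1x_kay_elect_key_server), dropping the peer->is_key_server filter changes the election for every configuration, not only for group CAs: each entry in participant->live_peers is now a candidate whatever it advertised. The commit message carries no explanation, so please describe the case this fixes and say how a live peer that must not be elected is excluded after this change.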
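Review bot: In the @@ -2645 hunk (ieee802_1x_participant_timer), leaving participant->new_sak set when ieee802_1x_kay_generate_new_sak() fails means the call is repeated on every timer run, and the refusal path in that function logs at MSG_ERROR each time. With the potential peer condition added in the @@ -2142 hunk this can repeat for as long as a potential peer is listed. Lower that message to MSG_DEBUG, or keep new_sak set only for the not-yet-allowed case and clear it on the other return -1 paths.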
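Review bot: In the @@ -3310 and @@ -3334 hunks (ieee802_1x_kay_decode_mkpdu), the deleted comment gave a concrete reason for tolerating a SAK Use failure (IEEE Std 802.1X-2010, 11.11.3 requires SAK-USE to be encoded before DIST-SAK), and the workaround is removed without saying why that ordering problem no longer applies. As written, an MKPDU whose SAK Use fails to decode is dropped even when it also carries the Distributed SAK, and the reset_participant_mi() call for the remaining case is gone as well. Explain in the commit message what replaces both behaviours, or keep bad_sak_use.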
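Review bot: In the @@ -3773 hunk (ieee802_1x_kay_create_mka), eloop_register_timeout(kay->mka_hello_time / 1000, 0, ...) uses integer division, and the removed line used kay->mka_hello_time * 1000 as a microsecond range, so the value is in milliseconds: a hello time below 1000 becomes a 0 second timeout and the remainder of larger values is lost. Pass the remainder as the microsecond argument, (kay->mka_hello_time % 1000) * 1000. The change also removes the random delay before the first timer run and sends the first MKPDU from inside the create function while ignoring the return value of ieee802_1x_participant_send_mkpdu(); if the immediate, unjittered send is intended, say so in a comment. usecs is now assigned only when mode != PSK, so confirm nothing reads it on the PSK path.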