From patchwork Fri Jan 6 09:57:10 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Badrish Adiga H R
X-Patchwork-Id: 711804
From: Badrish Adiga H R
Date: Fri, 6 Jan 2017 15:27:10 +0530
Subject: [PATCH] mka: Some bug fixes for MACsec in PSK mode
To: hostap@lists.infradead.org

Issue:
------
The test setup has 2 peers running MACsec in PSK mode, Peer A with a MAC address higher than the MAC address of peer B. Test sequence is
1. Peer B starts with actor_priority 255
2. Peer A starts with priority 16, becomes key server.
3. Peer A stops.
4. Peer A restarts with priority 255, but because of the stale values participant->is_key_server(=TRUE) and participant->is_elected(=TRUE) it continues to remain as Key Server.
5. For peer B, key server election happens and since it has a lower MAC address as compared to the MAC address of A, it becomes the key server. Now we have 2 key servers in the CA, which is not correct.

Root-cause & fix:
-----------------
When the number of live peers becomes 0, the flags such as lrx, ltx, orx, otx etc. need to be cleared. In MACsec PSK mode, these stale values create problems while re-establishing the CA...

Signed-off-by: Badrish Adiga H R
--- src/pae/ieee802_1x_kay.c | 6 ++++++ 1 file changed, 6 insertions(+) kay->failed = FALSE; -- 2.6.1.133.gf5b6079 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 1004b32..f420a16 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->advised_capability = MACSEC_CAP_NOT_IMPLEMENTED; participant->to_use_sak = FALSE; + participant->ltx = FALSE; + participant->lrx = FALSE; + participant->otx = FALSE; + participant->orx = FALSE; + participant->is_key_server = FALSE; + participant->is_elected = FALSE; kay->authenticated = TRUE; kay->secured = FALSE;
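
Review bot: The last two added assignments in ieee802_1x_participant_timer(), participant->is_key_server = FALSE and participant->is_elected = FALSE, are not covered by the root-cause text, which names only lrx, ltx, orx and otx, even though these two flags are the ones the test sequence blames for the duplicate key server. Please state in the commit message why resetting them on the no-live-peers path is sufficient, and confirm that election is run again when a peer reappears, since nothing in the visible context redoes the election after the reset; a one-line comment above the six assignments saying that they drop stale CA state once the last live peer is gone would make the intent clear. The subject "Some bug fixes" is also too generic for a single six-line change in one function; name the stale-flag reset instead.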