
mka: Fix unexpected cleanup

Message ID CAM7ABg3qVJZ_RwAYsrgzNTubkuyD-bVMDY7NpjD+=VbXt59xww@mail.gmail.com
State Accepted

Commit Message

Ze Gan April 23, 2023, 4:50 p.m. UTC
Because the key server may not include dist sak and use sak in ONE packet,
meanwhile, after dist sak, the current participant (Non-Key Server) will
install SC or SA(s) after decoding the dist sak, which may take a few seconds
on real physical platforms. Meanwhile, the peer expire time is always
initialized when adding the key server to the peer list. The gap between adding
the key server to the peer list and processing the next use sak packet may exceed
the threshold of MKA_LIFE_TIME (6s). It will cause an unexpected cleanup
(delete SC and SA(s)). So, update the expire timeout at dist sak also.

Signed-off-by: Ze Gan <ganze718@gmail.com>
---
 src/pae/ieee802_1x_kay.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

 }

--
2.25.1

Comments

Jouni Malinen Nov. 5, 2023, 6:43 p.m. UTC | #1
On Mon, Apr 24, 2023 at 12:50:46AM +0800, Ze Gan wrote:
> Because the key server may not include dist sak and use sak in ONE packet,
> meanwhile, after dist sak, the current participant (Non-Key Server) will
> install SC or SA(s) after decoding the dist sak, which may take a few seconds
> on real physical platforms. Meanwhile, the peer expire time is always
> initialized when adding the key server to the peer list. The gap between adding
> the key server to the peer list and processing the next use sak packet may exceed
> the threshold of MKA_LIFE_TIME (6s). It will cause an unexpected cleanup
> (delete SC and SA(s)). So, update the expire timeout at dist sak also.

Thanks, applied.

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b2905a792..548a52c24 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1945,6 +1945,18 @@  ieee802_1x_mka_decode_dist_sak_body(
    kay->rcvd_keys++;
    participant->to_use_sak = true;

+   /**
+    * Because the key server may not include dist sak and use sak in
ONE packet,
+    * Meanwhile, after dist sak, the current participant(Non-Key Server) will
+    * install SC or SA(s) after decoding the dist sak which may take
few seconds
+    * in real physical platforms. Meanwhile, the peer expire time is always
+    * initialized at adding the key server to peer list. The gap between adding
+    * the key server to peer list and processing next use sak packet may exceed
+    * the threshold of MKA_LIFE_TIME(6s). It will cause an unexpected cleanup
+    * (delete SC and SA(s)). So, update the expire timeout at dist sak also.
+    */
+   peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
+
    return 0;
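
Review bot: The refresh at `peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;` is taken at the moment the Dist SAK body is decoded, so it only grants one more MKA_LIFE_TIME from that point. If the SC/SA installation described in the comment runs after this return and takes longer than that window on slow hardware, the same cleanup can still fire. It is worth stating in the comment that the fix assumes installation finishes within one lifetime, or refreshing again once installation completes. Two smaller points on the same lines: `time(NULL)` is wall-clock time with one-second granularity, so a clock step during the install window shifts the expiry, and a monotonic source would be safer if the file has one available. The ten-line comment repeats the commit message verbatim and opens with `/**`; a two-line `/* ... */` note saying that the key server's liveness is refreshed here because Dist SAK and SAK Use may arrive in separate MKPDUs would be enough, with the rest left to the commit log.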