From patchwork Fri Mar 2 20:10:52 2018
X-Patchwork-Submitter: Michael Siedzik
X-Patchwork-Id: 880854
Subject: [PATCH 04/15] mka: Loss of live peers should result in connect PENDING not AUTHENTICATED
Date: Fri, 2 Mar 2018 15:10:52 -0500
Message-ID: <20180302201103.16264-5-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
X-Mailer: git-send-email 2.11.1
X-BeenThere: hostap@lists.infradead.org
Cc: Mike Siedzik
From: Mike Siedzik

When the number of live peers becomes 0 the KaY is setting 'kay->authenticated' true and telling the CP to connect AUTHENTICATED. Per IEEE802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server has proved mutual authentication but has determined that Controlled Port communication should proceed without the use of MACsec", which means port traffic will be passed in the clear.

When the number of live peers becomes 0 the KaY must instead set 'kay->authenticated' false and tell the CP to connect PENDING. Per Clause 12.3 connect PENDING will "prevent connectivity by clearing the controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik

--- src/pae/ieee802_1x_kay.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.11.1 diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 41e5a07e6..fd329e610 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2393,7 +2393,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->orx = FALSE; participant->is_key_server = FALSE; participant->is_elected = FALSE; - kay->authenticated = TRUE; + kay->authenticated = FALSE; kay->secured = FALSE; kay->failed = FALSE; kay->ltx_kn = 0; @@ -2410,7 +2410,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) ieee802_1x_delete_transmit_sa(kay, txsa); } - ieee802_1x_cp_connect_authenticated(kay->cp); + ieee802_1x_cp_connect_pending(kay->cp); ieee802_1x_cp_sm_step(kay->cp); } else { ieee802_1x_kay_elect_key_server(participant);
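Review bot: in the first hunk (@@ -2393), the reset block now leaves kay->authenticated, kay->secured and kay->failed all FALSE, which is the combination the PENDING outcome in the commit message calls for, but nothing at the site records why, so a later cleanup could plausibly flip authenticated back to TRUE. Suggest a one-line comment above `kay->authenticated = FALSE;` citing IEEE 802.1X-2010 Clause 12.2, noting that TRUE here would mean the controlled port carries traffic without MACsec once the last live peer expires.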
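Review bot: in the second hunk (@@ -2410), calling ieee802_1x_cp_connect_pending() ahead of ieee802_1x_cp_sm_step() is the fail-closed choice the message argues for: per the quoted Clause 12.3 text PENDING clears controlledPortEnabled, whereas the old ieee802_1x_cp_connect_authenticated() would have opened the port in the clear right after every transmit SA was deleted in the lines above it. Two things worth confirming before merge: that this timeout path is the only place where loss of all live peers requested connect AUTHENTICATED, and that the else branch's ieee802_1x_kay_elect_key_server() path still brings the port out of PENDING once a peer reappears, so the change does not leave the port disabled for good.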
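To make the fail-open versus fail-closed difference in this patch concrete, the following is an added C model of the KaY-to-CP interaction the commit message describes; it is example code written for this review, not hostapd's own code. The type and function names (kay_model, cp_model, cp_connect, kay_live_peers_lost, cleartext_after_peer_loss) and the handling of a SECURE connect state are assumptions of the model; the PENDING and AUTHENTICATED behaviour follows the Clause 12.2 and 12.3 wording quoted in the message. The pre-patch branch is kept only so the two outcomes can be compared side by side.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the CP connect states named in the message.
 * Not hostapd code; names are assumptions for this example. */
enum cp_connect_state {
	CP_CONNECT_PENDING,        /* Clause 12.3: controlledPortEnabled cleared */
	CP_CONNECT_AUTHENTICATED,  /* port enabled, frames pass without MACsec */
	CP_CONNECT_SECURE          /* port enabled, frames protected by MACsec (assumed) */
};

struct cp_model {
	enum cp_connect_state connect;
	bool controlled_port_enabled;
	bool protect_frames;
};

struct kay_model {
	unsigned int live_peers;
	bool authenticated;  /* MKA.authenticated, Clause 12.2 */
	bool secured;
	bool failed;
};

/* Apply a connect request the way the modelled CP state machine would. */
static void cp_connect(struct cp_model *cp, enum cp_connect_state st)
{
	cp->connect = st;
	switch (st) {
	case CP_CONNECT_PENDING:
		cp->controlled_port_enabled = false;
		cp->protect_frames = false;
		break;
	case CP_CONNECT_AUTHENTICATED:
		cp->controlled_port_enabled = true;
		cp->protect_frames = false;
		break;
	case CP_CONNECT_SECURE:
		cp->controlled_port_enabled = true;
		cp->protect_frames = true;
		break;
	}
}

/* True when user traffic can cross the controlled port without MACsec. */
static bool cp_passes_cleartext(const struct cp_model *cp)
{
	return cp->controlled_port_enabled && !cp->protect_frames;
}

/* The live-peer timeout path from the patch. 'patched' selects the
 * post-patch behaviour; the pre-patch branch is kept for comparison only. */
static void kay_live_peers_lost(struct kay_model *kay, struct cp_model *cp,
				bool patched)
{
	kay->live_peers = 0;
	kay->authenticated = !patched;   /* TRUE before the patch, FALSE after */
	kay->secured = false;
	kay->failed = false;
	cp_connect(cp, patched ? CP_CONNECT_PENDING : CP_CONNECT_AUTHENTICATED);
}

/* Start from a secured session with one live peer, let that peer expire,
 * and report whether traffic would then leave the port in the clear. */
static bool cleartext_after_peer_loss(bool patched)
{
	struct kay_model kay = { .live_peers = 1, .authenticated = false,
				 .secured = true, .failed = false };
	struct cp_model cp;

	cp_connect(&cp, CP_CONNECT_SECURE);
	kay_live_peers_lost(&kay, &cp, patched);
	return cp_passes_cleartext(&cp);
}

int main(void)
{
	printf("pre-patch:  cleartext after peer loss = %d\n",
	       cleartext_after_peer_loss(false));
	printf("post-patch: cleartext after peer loss = %d\n",
	       cleartext_after_peer_loss(true));
	return 0;
}
```

The model deliberately reduces each connect state to the two bits a defender cares about, whether the controlled port forwards at all and whether what it forwards is protected; the pre-patch path ends with the port open and unprotected, the post-patch path ends with it closed.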