[07/15] mka: Detect duplicate MAC addresses during key server election

Message ID 20180302201103.16264-8-msiedzik@extremenetworks.com
State Accepted
Series MKA bugfixes and enhancements

Commit Message

Michael Siedzik March 2, 2018, 8:10 p.m. UTC
From: Mike Siedzik <msiedzik@extremenetworks.com>

In the unlikely event the local KaY and the elected peer have the same
actor priority as well as the same MAC address, log a warning message
and do not elect a key server.  Resolution is for network administrator
to reconfigure MAC address.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--
2.11.1

Comments

Jouni Malinen March 12, 2018, 11:51 p.m. UTC | #1
On Fri, Mar 02, 2018 at 03:10:55PM -0500, msiedzik@extremenetworks.com wrote:
> In the unlikely event the local KaY and the elected peer have the same
> actor priority as well as the same MAC address, log a warning message
> and do not elect a key server.  Resolution is for network administrator
> to reconfigure MAC address.

Thanks, applied.

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 70fda1f2d..0c3101cd8 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2091,6 +2091,7 @@  ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant)
        struct ieee802_1x_kay_peer *key_server = NULL;
        struct ieee802_1x_kay *kay = participant->kay;
        Boolean i_is_key_server;
+       int priority_comparison;

        if (participant->is_obliged_key_server) {
                participant->new_sak = TRUE;
@@ -2121,8 +2122,14 @@  ieee802_1x_kay_elect_key_server(struct ieee802_1x_mka_participant *participant)

                tmp.key_server_priority = kay->actor_priority;
                os_memcpy(&tmp.sci, &kay->actor_sci, sizeof(tmp.sci));
-               if (compare_priorities(&tmp, key_server) < 0)
+               priority_comparison = compare_priorities(&tmp, key_server);
+               if (priority_comparison < 0) {
                        i_is_key_server = TRUE;
+               } else if (priority_comparison == 0) {
+                       wpa_printf(MSG_WARNING,
+                                  "KaY: Cannot elect key server between me and peer, duplicate MAC detected");
+                       key_server = NULL;
+               }
        } else if (participant->can_be_key_server) {
                i_is_key_server = TRUE;
        }