Blame SOURCES/macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch

From e54691106b29f41aa3081b00eb4f48e411cebc72 Mon Sep 17 00:00:00 2001
Message-Id: <e54691106b29f41aa3081b00eb4f48e411cebc72.1488376602.git.dcaratti@redhat.com>
From: Badrish Adiga H R <badrish.adigahr@gmail.com>
Date: Fri, 6 Jan 2017 15:27:10 +0530
Subject: [PATCH] mka: Some bug fixes for MACsec in PSK mode

Issue:
------
The test setup has 2 peers running MACsec in PSK mode, Peer A with
MAC address higher than MAC Address of peer B. Test sequence is
1. Peer B starts with actor_priority 255
2. Peer A starts with priority 16, becomes key server.
3. Peer A stops.
4. Peer A restarts with priority 255, but because of the stale values
participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
it continues to remain as Key Server.
5. For peer B, key server election happens and since it has lower MAC
address as compared to MAC address of A, it becomes the key server.
Now we have 2 key servers in the CA, which is not correct.

Root-cause & fix:
-----------------
When the number of live peers becomes 0, the flags such as lrx, ltx, orx,
otx, etc. need to be cleared. In MACsec PSK mode, these stale values
create problems while re-establishing CA.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
---
 src/pae/ieee802_1x_kay.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 79a6878..92fd7ba 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2378,6 +2378,12 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 			participant->advised_capability =
 				MACSEC_CAP_NOT_IMPLEMENTED;
 			participant->to_use_sak = FALSE;
+			participant->ltx = FALSE;
+			participant->lrx = FALSE;
+			participant->otx = FALSE;
+			participant->orx = FALSE;
+			participant->is_key_server = FALSE;
+			participant->is_elected = FALSE;
 			kay->authenticated = TRUE;
 			kay->secured = FALSE;
 			kay->failed = FALSE;
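Review bot: The six new assignments (`participant->ltx = FALSE;` through `participant->is_elected = FALSE;`) carry no comment saying why election state is reset in this branch of ieee802_1x_participant_timer(), and the commit message's "lrx, ltx, orx, otx, etc." does not say whether the list is complete. Please add a short comment above them noting that with no live peers the participant must drop its key-server role so the next election starts clean, and consider moving this growing run of resets into one helper so any other path that tears down the CA clears the same fields. The subject says "Some bug fixes" but the diff contains a single fix; a subject naming the stale is_key_server/is_elected state would be easier to find later.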
-- 
2.7.4