mka: Accept last two used MNs in Peers List of a received MKPDU

Previously, check for local MI,MN in a peer's Peers List accepted only
the cases that include the last used MN from an MKPDU sent by the local
device. This was problematic since it was possible to synchronize MKPDU
transmission between two devices in a way that made them always miss the
last MKPDU from the other device before filling in the Peers List.

Relax this matching requirement of "acceptably recent MN" to mean both
the last used MN and the one used just before it (i.e., copied from
either of the last two MKPDUs sent by the local device) are accepted.

While this might help in some real world scenarios in making the
protocol converge more quickly, the main help from this is to fix
consistent hwsim test cases failures in macsec_psk_ns when using UML
with time travel option which happened to practically guarantee the
inconvenient timing of MKPDU transmission/reception that ended up with
the MKPDU processing to see MI,MN with MN being the last used MN minus
1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/pae/ieee802_1x_kay.c

@@ -1085,7 +1085,17 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
 				wpa_printf(MSG_DEBUG,
 					   "KaY: My MI - received MN %u, most recently transmitted MN %u",
 					   mn, participant->mn);
-				if (mn == participant->mn)
+				/* IEEE Std 802.1X-2010 is not exactly clear
+				 * which values of MN should be accepted here.
+				 * It uses "acceptably recent MN" language
+				 * without defining what would be acceptable
+				 * recent. For now, allow the last two used MN
+				 * values (i.e., peer having copied my MI,MN
+				 * from either of the last two MKPDUs that I
+				 * have sent). */
+				if (mn == participant->mn ||
+				    (participant->mn > 1 &&
+				     mn == participant->mn - 1))
 					return TRUE;
 			}
 		}