From 5762855abda14545eb3c27e27230c91802c863f2 Mon Sep 17 00:00:00 2001
From: Mike Siedzik
Date: Tue, 20 Feb 2018 14:28:34 -0500
Subject: [PATCH] mka: Loss of live peers to result in connect PENDING not AUTHENTICATED

When the number of live peers becomes 0 the KaY was setting kay->authenticated true and telling the CP to connect AUTHENTICATED. Per IEEE Std 802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server has proved mutual authentication but has determined that Controlled Port communication should proceed without the use of MACsec", which means port traffic will be passed in the clear. When the number of live peers becomes 0 the KaY must instead set kay->authenticated false and tell the CP to connect PENDING. Per Clause 12.3 connect PENDING will "prevent connectivity by clearing the controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 94d6046ea..438cc8a32 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2399,7 +2399,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 		participant->orx = FALSE;
 		participant->is_key_server = FALSE;
 		participant->is_elected = FALSE;
-		kay->authenticated = TRUE;
+		kay->authenticated = FALSE;
 		kay->secured = FALSE;
 		kay->failed = FALSE;
 		kay->ltx_kn = 0;
@@ -2416,7 +2416,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 			ieee802_1x_delete_transmit_sa(kay, txsa);
 		}
 
-		ieee802_1x_cp_connect_authenticated(kay->cp);
+		ieee802_1x_cp_connect_pending(kay->cp);
 		ieee802_1x_cp_sm_step(kay->cp);
 	} else {
 		ieee802_1x_kay_elect_key_server(participant);
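Review bot: The new `kay->authenticated = FALSE;` in the first hunk and the `ieee802_1x_cp_connect_pending(kay->cp);` call in the second carry no comment explaining why the port must fail closed here, so the only record of the reasoning is the commit message and a later maintainer could plausibly "restore" the AUTHENTICATED path. I would add, above the connect call, a comment such as `/* No live peers: block the Controlled Port (connect PENDING) rather than pass traffic unprotected (connect AUTHENTICATED); IEEE 802.1X-2010 12.2/12.3 */`. Since this transition now silently disables connectivity, a log line at the same spot, e.g. `wpa_printf(MSG_INFO, "KaY: no live peers, Controlled Port connect PENDING");`, would give operators a way to distinguish an intended fail-closed from a link fault. The enclosing ieee802_1x_participant_timer() begins before the first hunk and continues after the second, so whether receive-side SAs are also torn down on this path cannot be confirmed from the visible lines.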