mka: Stop trying to generate and distribute new SAK when not key server

It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that disabled key server functionality to
stop generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2018-12-29 01:27:22 +02:00
parent 4060cb272b
commit 626bc1fac2

View file

@ -1528,7 +1528,8 @@ static Boolean
ieee802_1x_mka_dist_sak_body_present(
struct ieee802_1x_mka_participant *participant)
{
return participant->to_dist_sak && participant->new_key;
return participant->is_key_server && participant->to_dist_sak &&
participant->new_key;
}
@ -2584,7 +2585,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
}
}
if (participant->new_sak) {
if (participant->new_sak && participant->is_key_server) {
if (!ieee802_1x_kay_generate_new_sak(participant))
participant->to_dist_sak = TRUE;