mka: Loss of live peers to result in connect PENDING not AUTHENTICATED
authorMike Siedzik <msiedzik@extremenetworks.com>
Tue, 20 Feb 2018 19:28:34 +0000 (14:28 -0500)
committerJouni Malinen <j@w1.fi>
Sun, 11 Mar 2018 14:43:12 +0000 (16:43 +0200)
When the number of live peers becomes 0 the KaY was setting
kay->authenticated true and telling the CP to connect AUTHENTICATED.
Per IEEE Std 802.1X-2010 Clause 12.2, MKA.authenticated means "the Key
Server has proved mutual authentication but has determined that
Controlled Port communication should proceed without the use of MACsec",
which means port traffic will be passed in the clear.

When the number of live peers becomes 0 the KaY must instead set
kay->authenticated false and tell the CP to connect PENDING. Per Clause
12.3 connect PENDING will "prevent connectivity by clearing the
controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
src/pae/ieee802_1x_kay.c

index 94d6046eadc49afbea77f9fdbbaeca57a082f264..438cc8a326c84cb44537335d9b2863e2badd8632 100644 (file)
@@ -2399,7 +2399,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                        participant->orx = FALSE;
                        participant->is_key_server = FALSE;
                        participant->is_elected = FALSE;
-                       kay->authenticated = TRUE;
+                       kay->authenticated = FALSE;
                        kay->secured = FALSE;
                        kay->failed = FALSE;
                        kay->ltx_kn = 0;
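Review bot: The flip from TRUE to FALSE at `kay->authenticated` is the whole security point of the change, but nothing in the code records why, so a later "cleanup" that restores the old value would not look wrong in review. A comment on that line would pin the fail-closed intent: `/* No live peers: fail closed. authenticated == TRUE would let the CP open the Controlled Port without MACsec (802.1X-2010 12.2). */`. It is also worth noting in that comment that secured and failed are cleared in the same reset so the three flags are consistent with a PENDING port. The enclosing branch and ieee802_1x_participant_timer itself start before this hunk, so the condition that reaches this reset (live-peer count reaching zero, per the description) is not visible here.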
@@ -2416,7 +2416,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                                ieee802_1x_delete_transmit_sa(kay, txsa);
                        }
 
-                       ieee802_1x_cp_connect_authenticated(kay->cp);
+                       ieee802_1x_cp_connect_pending(kay->cp);
                        ieee802_1x_cp_sm_step(kay->cp);
                } else {
                        ieee802_1x_kay_elect_key_server(participant);
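Review bot: The call `ieee802_1x_cp_connect_pending(kay->cp)` is made with no note of what PENDING does to the port, and the commit description is the only place that spells it out. A one-line comment above the call, such as `/* Clause 12.3: PENDING clears controlledPortEnabled, so no traffic passes until a live peer reappears and a key server is elected. */`, would keep that reasoning with the code. The ordering here looks right as far as the hunk shows: the transmit SAs are deleted before the CP is stepped into PENDING, so no stale SA is left usable. The function continues past the end of this hunk, so whether anything after the `else` branch re-runs the CP state machine cannot be checked from here.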