mka: Stop trying to generate and distribute new SAK when not key server
authorJouni Malinen <j@w1.fi>
Fri, 28 Dec 2018 23:27:22 +0000 (01:27 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 29 Dec 2018 09:05:39 +0000 (11:05 +0200)
It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that had disabled key server functionality
from generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/pae/ieee802_1x_kay.c

index 1d09e0b57160377ef60d5e34b35a138ff15b30bf..4c2e70a16b7d5ee02c9c42630128033443018815 100644 (file)
@@ -1528,7 +1528,8 @@ static Boolean
 ieee802_1x_mka_dist_sak_body_present(
        struct ieee802_1x_mka_participant *participant)
 {
-       return participant->to_dist_sak && participant->new_key;
+       return participant->is_key_server && participant->to_dist_sak &&
+               participant->new_key;
 }
 
 
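Review bot: The new `is_key_server` test in ieee802_1x_mka_dist_sak_body_present() only masks a pending distribution: `to_dist_sak` and `new_key` stay set, and the timer hunk at `if (participant->new_sak && participant->is_key_server)` likewise leaves `new_sak` pending while the participant is not key server. If the participant is later re-elected, state scheduled during its earlier term may still be acted on, possibly distributing a SAK generated before the role change; the election code is not visible in these hunks, so this needs confirming. Consider clearing the pending flags where `is_key_server` is set to FALSE, or at minimum add a comment above the return such as `/* Only the current key server may distribute a SAK. */`. The timer function continues outside the second hunk.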
@@ -2584,7 +2585,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                }
        }
 
-       if (participant->new_sak) {
+       if (participant->new_sak && participant->is_key_server) {
                if (!ieee802_1x_kay_generate_new_sak(participant))
                        participant->to_dist_sak = TRUE;