From: Mike Siedzik Date: Tue, 20 Feb 2018 19:28:45 +0000 (-0500) Subject: mka: Do not update potential peer liveness timer X-Git-Tag: hostap_2_8~700 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=302bbad5ac0df0b96b67ac67244dae9ec2c7b6b9;p=thirdparty%2Fhostap.git mka: Do not update potential peer liveness timer To prevent a remote peer from getting stuck in a perpetual 'potential peer' state, only update the peer liveness timer 'peer->expire' for live peers and not for potential peers. Per IEEE Std 802.1X-2010, 9.4.3 (Determining liveness), potential peers need to show liveness by including our MI/MN in their transmitted MKPDU (within potential or live parameter sets). When a potential peer does include our MI/MN in an MKPDU, we respond by moving the peer from 'potential_peers' to 'live_peers'. If a potential peer does not include our MI/MN in an MKPDU within MKPDU_LIFE_TIME, let the peer expire to facilitate getting back in sync with the remote peer. Signed-off-by: Michael Siedzik --- diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index ddffdb26d..12bdf4edf 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c 
@@ -3175,17 +3175,25 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, } } else { peer->missing_sak_use_count = 0; + + /* Only update live peer watchdog after successful + * decode of all parameter sets */ + peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; } } else { /* MKPDU is from new or potential peer */ peer = ieee802_1x_kay_get_peer(participant, participant->current_peer_id.mi); - } + if (!peer) + return -1; - /* Only update live peer watchdog after successful decode of all - * parameter sets */ - if (peer) - peer->expire = time(NULL) + MKA_LIFE_TIME / 1000; + /* Do not update potential peer watchdog. Per IEEE Std + * 802.1X-2010, 9.4.3, potential peers need to show liveness by + * including our MI/MN in their transmitted MKPDU (within + * potential or live parameter sets). Whena potential peer does + * include our MI/MN in an MKPDU, we respond by moving the peer + * from 'potential_peers' to 'live_peers'. */ + } kay->active = TRUE; participant->retry_count = 0;
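Review bot: In the live-peer branch, the added `peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;` sits inside the `else` arm that resets `peer->missing_sak_use_count`, so a live peer whose MKPDU goes through the other arm (only its closing braces are visible in this hunk) no longer has its watchdog refreshed, whereas the removed code refreshed it for any non-NULL peer. The commit message describes a change for potential peers only, so either move the assignment to just before the closing brace of the live-peer branch, or state in the message and in the comment that skipping the refresh in that arm is intended. In the new/potential branch, `if (!peer) return -1;` now drops an MKPDU that previously fell through to `kay->active = TRUE;`, and it does so without a log line; a debug message there would make the discard visible when troubleshooting. Two smaller points: "Whena" in the added comment should read "When a", and the commit message refers to MKPDU_LIFE_TIME while the code uses MKA_LIFE_TIME.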