193 		mi = body->peer + i;
321 	struct ieee802_1x_kay_peer *peer;
323 	dl_list_for_each(peer, peers, struct ieee802_1x_kay_peer, list) {
324 		if (os_memcmp(peer->mi, mi, MI_LEN) == 0)
325 			return peer;
383 	struct ieee802_1x_kay_peer *peer;
385 	peer = ieee802_1x_kay_get_live_peer(participant, mi);
386 	if (peer)
387 		return peer;
443 	struct ieee802_1x_kay_peer *peer;
445 	dl_list_for_each(peer, &participant->live_peers,
447 		if (sci_equal(&peer->sci, sci))
448 			return peer;
451 	dl_list_for_each(peer, &participant->potential_peers,
453 		if (sci_equal(&peer->sci, sci))
454 			return peer;
576 static void ieee802_1x_kay_dump_peer(struct ieee802_1x_kay_peer *peer)
579 		   mi_txt(peer->mi), peer->mn, sci_txt(&peer->sci));
586 	struct ieee802_1x_kay_peer *peer;
588 	peer = os_zalloc(sizeof(*peer));
589 	if (!peer) {
594 	os_memcpy(peer->mi, mi, MI_LEN);
595 	peer->mn = mn;
596 	peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
597 	peer->sak_used = FALSE;
598 	peer->missing_sak_use_count = 0;
600 	return peer;
611 	struct ieee802_1x_kay_peer *peer;
614 	peer = ieee802_1x_kay_create_peer(mi, mn);
615 	if (!peer)
618 	os_memcpy(&peer->sci, &participant->current_peer_sci,
619 		  sizeof(peer->sci));
621 	rxsc = ieee802_1x_kay_init_receive_sc(&peer->sci);
623 		os_free(peer);
629 		os_free(peer);
632 	dl_list_add(&participant->live_peers, &peer->list);
635 	wpa_printf(MSG_DEBUG, "KaY: Live peer created");
636 	ieee802_1x_kay_dump_peer(peer);
638 	return peer;
649 	struct ieee802_1x_kay_peer *peer;
651 	peer = ieee802_1x_kay_create_peer(mi, mn);
652 	if (!peer)
655 	dl_list_add(&participant->potential_peers, &peer->list);
657 	wpa_printf(MSG_DEBUG, "KaY: Potential peer created");
658 	ieee802_1x_kay_dump_peer(peer);
660 	return peer;
671 	struct ieee802_1x_kay_peer *peer;
674 	peer = ieee802_1x_kay_get_potential_peer(participant, mi);
675 	if (!peer)
682 	os_memcpy(&peer->sci, &participant->current_peer_sci,
683 		  sizeof(peer->sci));
684 	peer->mn = mn;
685 	peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
687 	wpa_printf(MSG_DEBUG, "KaY: Move potential peer to live peer");
688 	ieee802_1x_kay_dump_peer(peer);
690 	dl_list_del(&peer->list);
692 		wpa_printf(MSG_ERROR, "KaY: Can't create SC, discard peer");
694 		os_free(peer);
697 	dl_list_add_tail(&participant->live_peers, &peer->list);
701 	return peer;
797 	struct ieee802_1x_kay_peer *peer;
828 	/* If the peer's MI is my MI, I will choose new MI */
843 	/* handler peer */
844 	peer = ieee802_1x_kay_get_peer(participant, body->actor_mi);
845 	if (!peer) {
849 		 * a valid peer whose MI is being changed. The latter scenario
851 		 * MKPDU must have had a valid ICV, indicating the peer holds
854 		 * Before creating a new peer object for the new MI we must
856 		 * old peer. An easy way to do this is to ignore MKPDUs with
857 		 * the new MI's for now and just wait for the old peer to
860 		 * This method is preferable to deleting the old peer here
863 		 * than to process it (and delete a valid peer as well).
865 		peer = ieee802_1x_kay_get_peer_sci(participant,
867 		if (peer) {
871 				   "KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU");
875 			if (peer->expire > new_expire)
876 				peer->expire = new_expire;
880 		peer = ieee802_1x_kay_create_potential_peer(
883 		if (!peer) {
885 				   "KaY: No potential peer entry found - ignore MKPDU");
889 		peer->macsec_desired = body->macsec_desired;
890 		peer->macsec_capability = body->macsec_capability;
891 		peer->is_key_server = (Boolean) body->key_server;
892 		peer->key_server_priority = body->priority;
893 	} else if (peer->mn < be_to_host32(body->actor_mn)) {
894 		peer->mn = be_to_host32(body->actor_mn);
895 		peer->macsec_desired = body->macsec_desired;
896 		peer->macsec_capability = body->macsec_capability;
897 		peer->is_key_server = (Boolean) body->key_server;
898 		peer->key_server_priority = body->priority;
901 			   "KaY: The peer MN did not increase - ignore MKPDU");
928 	struct ieee802_1x_kay_peer *peer;
930 	dl_list_for_each(peer, &participant->live_peers,
947 	struct ieee802_1x_kay_peer *peer;
957 	dl_list_for_each(peer, &participant->live_peers,
961 		os_memcpy(body_peer->mi, peer->mi, MI_LEN);
962 		body_peer->mn = host_to_be32(peer->mn);
988 	struct ieee802_1x_kay_peer *peer;
990 	dl_list_for_each(peer, &participant->potential_peers,
1007 	struct ieee802_1x_kay_peer *peer;
1017 	dl_list_for_each(peer, &participant->potential_peers,
1021 		os_memcpy(body_peer->mi, peer->mi, MI_LEN);
1022 		body_peer->mn = host_to_be32(peer->mn);
1093 				 * values (i.e., peer having copied my MI,MN
1116 	struct ieee802_1x_kay_peer *peer;
1153 		peer = ieee802_1x_kay_get_peer(participant, peer_mi->mi);
1154 		if (peer) {
1155 			peer->mn = peer_mn;
1370 	struct ieee802_1x_kay_peer *peer;
1385 	peer = ieee802_1x_kay_get_live_peer(participant,
1387 	if (!peer) {
1389 			   "KaY: The peer (%s) is not my live peer - ignore MACsec SAK Use parameter set",
1406 	/* TODO: what action should I take when peer does not support MACsec */
1412 	/* TODO: when the plain tx or rx of peer is true, should I change
1416 		wpa_printf(MSG_WARNING, "KaY: peer's plain rx are TRUE");
1419 		wpa_printf(MSG_WARNING, "KaY: peer's plain tx are TRUE");
1441 			peer->sak_used = TRUE;
1443 		if (body->ltx && peer->is_key_server) {
1468 	/* check all live peer have used the sak for receiving sa */
1470 	dl_list_for_each(peer, &participant->live_peers,
1472 		if (!peer->sak_used) {
1483 	/* if I'm key server, and detects peer member pn exhaustion, rekey. */
1648 	struct ieee802_1x_kay_peer *peer;
1683 	peer = ieee802_1x_kay_get_live_peer(participant,
1685 	if (!peer) {
1690 	if (!sci_equal(&kay->key_server_sci, &peer->sci)) {
2081 	struct ieee802_1x_kay_peer *peer;
2090 	 * must have one live peer
2092 	 * or potential peer is empty
2101 	 * the live peer list contains at least one peer and
2103 	 * or the Key server's potential peer is empty
2123 	dl_list_for_each(peer, &participant->live_peers,
2125 		ctx_len += sizeof(peer->mi);
2137 	dl_list_for_each(peer, &participant->live_peers,
2139 		os_memcpy(context + ctx_offset, peer->mi, sizeof(peer->mi));
2140 		ctx_offset += sizeof(peer->mi);
2193 	dl_list_for_each(peer, &participant->live_peers,
2195 		peer->sak_used = FALSE;
2213 static int compare_priorities(const struct ieee802_1x_kay_peer *peer,
2216 	if (peer->key_server_priority < other->key_server_priority)
2218 	if (other->key_server_priority < peer->key_server_priority)
2221 	return os_memcmp(peer->sci.addr, other->sci.addr, ETH_ALEN);
2232 	struct ieee802_1x_kay_peer *peer;
2246 	dl_list_for_each(peer, &participant->live_peers,
2248 		if (!peer->is_key_server)
2252 			key_server = peer;
2256 		if (compare_priorities(peer, key_server) < 0)
2257 			key_server = peer;
2260 	/* elect the key server between me and the above elected peer */
2272 				   "KaY: Cannot elect key server between me and peer, duplicate MAC detected");
2334 	struct ieee802_1x_kay_peer *peer;
2354 	dl_list_for_each(peer, &participant->live_peers,
2356 		if (!peer->macsec_desired)
2359 		if (peer->macsec_capability == MACSEC_CAP_NOT_IMPLEMENTED)
2362 		less_capability = (less_capability < peer->macsec_capability) ?
2363 			less_capability : peer->macsec_capability;
2505 	struct ieee802_1x_kay_peer *peer, *pre_peer;
2532 	dl_list_for_each_safe(peer, pre_peer, &participant->live_peers,
2534 		if (now > peer->expire) {
2535 			wpa_printf(MSG_DEBUG, "KaY: Live peer removed");
2536 			wpa_hexdump(MSG_DEBUG, "\tMI: ", peer->mi,
2537 				    sizeof(peer->mi));
2538 			wpa_printf(MSG_DEBUG, "\tMN: %d", peer->mn);
2542 				if (sci_equal(&rxsc->sci, &peer->sci)) {
2547 			dl_list_del(&peer->list);
2548 			os_free(peer);
2590 	dl_list_for_each_safe(peer, pre_peer, &participant->potential_peers,
2592 		if (now > peer->expire) {
2593 			wpa_printf(MSG_DEBUG, "KaY: Potential peer removed");
2594 			wpa_hexdump(MSG_DEBUG, "\tMI: ", peer->mi,
2595 				    sizeof(peer->mi));
2596 			wpa_printf(MSG_DEBUG, "\tMN: %d", peer->mn);
2597 			dl_list_del(&peer->list);
2598 			os_free(peer);
3168 	struct ieee802_1x_kay_peer *peer;
3200 	/* check i am in the peer's peer list */
3208 		/* accept the peer as live peer */
3306 	peer = ieee802_1x_kay_get_live_peer(participant,
3308 	if (peer) {
3309 		/* MKPDU is from live peer */
3311 			/* Once a live peer starts sending SAK-USE, it should be
3313 			if (peer->sak_used) {
3319 			/* Live peer is probably hung if it hasn't sent SAK-USE
3322 			if (++peer->missing_sak_use_count >
3329 			peer->missing_sak_use_count = 0;
3331 			/* Only update live peer watchdog after successful
3333 			peer->expire = time(NULL) + MKA_LIFE_TIME / 1000;
3336 		/* MKPDU is from new or potential peer */
3337 		peer = ieee802_1x_kay_get_peer(participant,
3339 		if (!peer) {
3340 			wpa_printf(MSG_DEBUG, "KaY: No peer entry found");
3344 		/* Do not update potential peer watchdog. Per IEEE Std
3347 		 * potential or live parameter sets). Whena potential peer does
3348 		 * include our MI/MN in an MKPDU, we respond by moving the peer
3735 	 * The peer(s) can take a long time to come up, because we
3737 	 * some peer appears.
3761 	struct ieee802_1x_kay_peer *peer;
3781 	/* remove live peer */
3783 		peer = dl_list_entry(participant->live_peers.next,
3785 		dl_list_del(&peer->list);
3786 		os_free(peer);
3789 	/* remove potential peer */
3791 		peer = dl_list_entry(participant->potential_peers.next,
3793 		dl_list_del(&peer->list);
3794 		os_free(peer);

Indexes created Fri Aug 23 12:13:05 MDT 2024