From patchwork Thu Oct 10 15:44:37 2024
X-Patchwork-Submitter: Tim Small
X-Patchwork-Id: 1995573
From: Tim Small
To: hostap@lists.infradead.org
Cc: Tim Small
Subject: [PATCH 1/1] Improve MKPDU 802.1X conformance, don't require pae group dest address
Date: Thu, 10 Oct 2024 16:44:37 +0100
Message-Id: <20241010154437.1487856-2-tim@seoss.co.uk>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241010154437.1487856-1-tim@seoss.co.uk>
References: <20241010154437.1487856-1-tim@seoss.co.uk>
MIME-Version: 1.0
802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be
discarded if their destination address is "an individual address".

ieee802_1x_kay_mkpdu_validity_check() previously also rejected all
destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR
Bridge group address" (in contradiction to its comments). This restriction
may be a carry-over from 802.1X-2004, but is explicitly discouraged in the
2010 and 2020 revisions (see section 11.1.1 and its references).

The additional restriction prevented wpa_supplicant and hostapd from
participating in MACsec communication in environments such as third-party
("supplier") layer 2 networks.

Signed-off-by: Tim Small
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b0a418ef08..230c69d197 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3125,9 +3125,9 @@ static int ieee802_1x_kay_mkpdu_validity_check(struct ieee802_1x_kay *kay, be_to_host16(eth_hdr->ethertype)); /* the destination address shall not be an individual address */ - if (!ether_addr_equal(eth_hdr->dest, pae_group_addr)) { + if (!is_multicast_ether_addr(eth_hdr->dest)) { wpa_printf(MSG_DEBUG, - "KaY: ethernet destination address is not PAE group address"); + "KaY: ethernet destination address is not a multicast adddress"); return -1; }
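Review bot: the new debug string on the `+` line misspells "address" as "adddress" ("KaY: ethernet destination address is not a multicast adddress"); fix the typo before merging. Separately, a group-bit test such as `is_multicast_ether_addr()` accepts every address with the I/G bit set, including the broadcast address ff:ff:ff:ff:ff:ff, which the literal "shall not be an individual address" rule in the comment permits but which is a wider set than the 01:80:c2:00:00:03 address the old check required; if accepting broadcast-addressed MKPDUs is intended, state that in the commit message, and if not, exclude broadcast explicitly (for example with an `is_broadcast_ether_addr()` test) or compare against the 802.1X group addresses referenced in section 11.1.1. On the positive side, the comment above the check now matches the code, resolving the contradiction the commit message calls out.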
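To make the behaviour change concrete, the following is an added example (not hostap code and not part of the patch) that puts the old exact-match check and the new group-bit check side by side and runs both over a handful of constructed destination addresses. The helper names `old_dest_check`, `new_dest_check`, `is_group_addr` and `count_accepted` and the `samples` table are this example's own; it assumes only the IEEE 802 convention that the least-significant bit of the first address octet is the individual/group bit, which is what a multicast test inspects.

```c
/* Added example, not hostap code: old vs. new MKPDU destination-address
 * checks from the patch, applied to constructed sample addresses. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* 01:80:c2:00:00:03, the Nearest non-TPMR Bridge group address that the
 * old check required as the only acceptable destination. */
static const uint8_t pae_group_addr[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };

/* IEEE 802: bit 0 of the first octet is the I/G bit.
 * 0 = individual (unicast) address, 1 = group (multicast or broadcast). */
static bool is_group_addr(const uint8_t *a)
{
	return (a[0] & 0x01) != 0;
}

/* Old behaviour: accept only the exact PAE group address.
 * Returns 0 to accept the MKPDU, -1 to discard it. */
int old_dest_check(const uint8_t *dest)
{
	return memcmp(dest, pae_group_addr, ETH_ALEN) == 0 ? 0 : -1;
}

/* New behaviour: accept any group address, discard individual addresses.
 * Note that the broadcast address also passes this test. */
int new_dest_check(const uint8_t *dest)
{
	return is_group_addr(dest) ? 0 : -1;
}

/* Constructed sample destinations (hypothetical, for illustration only). */
struct sample {
	const char *name;
	uint8_t addr[ETH_ALEN];
};

static const struct sample samples[] = {
	{ "PAE group 01:80:c2:00:00:03",   { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 } },
	{ "other 01:80:c2 group address",  { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 } },
	{ "broadcast ff:ff:ff:ff:ff:ff",   { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } },
	{ "individual 02:11:22:33:44:55",  { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 } },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of sample destinations a given check accepts. */
int count_accepted(int (*check)(const uint8_t *))
{
	int n = 0;
	for (size_t i = 0; i < NSAMPLES; i++)
		if (check(samples[i].addr) == 0)
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < NSAMPLES; i++)
		printf("%-32s old: %-7s new: %s\n", samples[i].name,
		       old_dest_check(samples[i].addr) == 0 ? "accept" : "discard",
		       new_dest_check(samples[i].addr) == 0 ? "accept" : "discard");
	return 0;
}
```

Running it shows the old check accepting exactly one of the four addresses and the new check accepting three, including broadcast; the only destination both reject is the individual (unicast) one, which is the case the standard text quoted in the commit message actually requires to be discarded.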