From patchwork Wed Oct 23 16:35:02 2024
X-Patchwork-Submitter: Tim Small
X-Patchwork-Id: 2001226
From: Tim Small
To: hostap@lists.infradead.org
Cc: Tim Small
Subject: [PATCH 1/2] Improve MKPDU 802.1X conformance, don't require pae group dest address
Date: Wed, 23 Oct 2024 17:35:02 +0100
Message-Id: <20241023163503.530897-2-tim@seoss.co.uk>
In-Reply-To: <20241010154437.1487856-2-tim@seoss.co.uk>
References: <20241010154437.1487856-2-tim@seoss.co.uk>
802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be discarded if their destination address is "an individual address". ieee802_1x_kay_mkpdu_validity_check() previously also rejected all destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR Bridge group address" (in contradiction to its comments).

This restriction may be a carry-over from 802.1X-2004, but is explicitly discouraged in the 2010 and 2020 revisions (see section 11.1.1 and its references).

The additional restriction prevented wpa_supplicant and hostapd from participating in MACsec communication in environments such as third-party ("supplier") layer 2 networks.

Signed-off-by: Tim Small
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b0a418ef08..230c69d197 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3125,9 +3125,9 @@ static int ieee802_1x_kay_mkpdu_validity_check(struct ieee802_1x_kay *kay, be_to_host16(eth_hdr->ethertype)); /* the destination address shall not be an individual address */ - if (!ether_addr_equal(eth_hdr->dest, pae_group_addr)) { + if (!is_multicast_ether_addr(eth_hdr->dest)) { wpa_printf(MSG_DEBUG, - "KaY: ethernet destination address is not PAE group address"); + "KaY: ethernet destination address is not a multicast adddress"); return -1; }
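Review bot: the replacement test is_multicast_ether_addr() passes any destination with the I/G bit set, so besides the 802.1 reserved group addresses the commit message is concerned with, broadcast (ff:ff:ff:ff:ff:ff) and arbitrary multicast destinations now reach the rest of the MKPDU validation; if that matches the intended reading of "shall not be an individual address", a one-line comment above the check saying so would stop the next reader from re-tightening it, and if it does not, a comparison against the specific group addresses the standard allows would be the narrower fix. Two smaller points in the same hunk: the new debug string has a typo, "adddress" should be "address", and now that the rejected address can be anything it is worth printing it, for example "KaY: ethernet destination address " MACSTR " is not a multicast address" with MAC2STR(eth_hdr->dest) as the argument. Also confirm that pae_group_addr still has other users in this file after this change; if this check was the last one, its definition becomes dead and may warn.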
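An added example, not part of this patch or of the hostap code base, that exercises the pre-patch rule (destination must equal the PAE group address) and the post-patch rule (destination must not be an individual address) on constructed Ethernet headers, so the practical difference is visible: the Nearest Customer Bridge address and broadcast are rejected by the old rule and accepted by the new one, while a unicast destination and a non-EAPOL EtherType are rejected by both. All function and constant names, the source address and the frame layout (plain Ethernet II, 14-byte header) are this example's own assumptions; only the PAE group address 01:80:c2:00:00:03 comes from the patch.

```c
/* Added example, not hostap code: compare the old and new MKPDU
 * destination-address rules on constructed Ethernet headers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14
#define ETH_P_PAE 0x888E   /* EAPOL EtherType carried by MKPDUs */

/* Nearest non-TPMR Bridge group address: the only destination the old check accepted. */
const uint8_t DEST_PAE_GROUP[ETH_ALEN]        = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
/* Nearest Customer Bridge group address, another 802.1 reserved group address. */
const uint8_t DEST_NEAREST_CUSTOMER[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 };
/* Broadcast is a group address too, so the new rule lets it through. */
const uint8_t DEST_BROADCAST[ETH_ALEN]        = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
/* Constructed individual (unicast) address. */
const uint8_t DEST_UNICAST[ETH_ALEN]          = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };

/* IEEE 802 I/G bit: LSB of the first octet is 1 for group addresses
 * (multicast and broadcast) and 0 for individual addresses. This is the
 * same test the patch's is_multicast_ether_addr() call relies on. */
static bool is_group_addr(const uint8_t *a)
{
	return (a[0] & 0x01) != 0;
}

/* Pre-patch rule: destination must equal the PAE group address. */
static bool old_dest_rule(const uint8_t *dest)
{
	return memcmp(dest, DEST_PAE_GROUP, ETH_ALEN) == 0;
}

/* Post-patch rule (802.1X-2010/2020 wording): not an individual address. */
static bool new_dest_rule(const uint8_t *dest)
{
	return is_group_addr(dest);
}

/* Minimal frame-level check modelled on the part of
 * ieee802_1x_kay_mkpdu_validity_check() visible in the patch: a
 * 14-byte Ethernet II header (dest, src, EtherType), EtherType must be
 * EAPOL, then the destination rule. The MKPDU body is ignored here. */
static bool mkpdu_dest_valid(const uint8_t *frame, size_t len, bool use_new_rule)
{
	if (len < ETH_HLEN)
		return false;
	uint16_t ethertype = (uint16_t) ((frame[12] << 8) | frame[13]);
	if (ethertype != ETH_P_PAE)
		return false;
	return use_new_rule ? new_dest_rule(frame) : old_dest_rule(frame);
}

/* Build a constructed header for the given destination and EtherType. */
static void make_hdr(uint8_t out[ETH_HLEN], const uint8_t *dest, uint16_t ethertype)
{
	/* Constructed, locally administered source address. */
	static const uint8_t src[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
	memcpy(out, dest, ETH_ALEN);
	memcpy(out + ETH_ALEN, src, ETH_ALEN);
	out[12] = (uint8_t) (ethertype >> 8);
	out[13] = (uint8_t) (ethertype & 0xff);
}

/* Would an EAPOL frame to `dest` pass under the chosen rule? */
bool check_dest(const uint8_t *dest, bool use_new_rule)
{
	uint8_t hdr[ETH_HLEN];
	make_hdr(hdr, dest, ETH_P_PAE);
	return mkpdu_dest_valid(hdr, sizeof(hdr), use_new_rule);
}

/* A non-EAPOL frame to the PAE group address must fail under either rule. */
bool check_wrong_ethertype(bool use_new_rule)
{
	uint8_t hdr[ETH_HLEN];
	make_hdr(hdr, DEST_PAE_GROUP, 0x0800); /* IPv4, not EAPOL */
	return mkpdu_dest_valid(hdr, sizeof(hdr), use_new_rule);
}

int main(void)
{
	struct { const char *name; const uint8_t *dest; } cases[] = {
		{ "PAE group 01:80:c2:00:00:03", DEST_PAE_GROUP },
		{ "Nearest Customer Bridge 01:80:c2:00:00:00", DEST_NEAREST_CUSTOMER },
		{ "broadcast ff:ff:ff:ff:ff:ff", DEST_BROADCAST },
		{ "unicast 00:11:22:33:44:55", DEST_UNICAST },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-45s old: %-7s new: %s\n", cases[i].name,
		       check_dest(cases[i].dest, false) ? "accept" : "reject",
		       check_dest(cases[i].dest, true) ? "accept" : "reject");
	return 0;
}
```

The table the program prints is the point of the patch in one screen: the old rule accepts exactly one destination, the new rule accepts everything with the I/G bit set. Whether broadcast and arbitrary multicast destinations should count as acceptable MKPDU destinations is the question a reviewer of this change has to answer; this example only makes the widening visible.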