From patchwork Wed Oct 23 16:35:03 2024
X-Patchwork-Submitter: Tim Small
X-Patchwork-Id: 2001228
From: Tim Small
To: hostap@lists.infradead.org
Cc: Tim Small
Subject: [PATCH 2/2] wpa_supplicant: EAPOL MAC address customisation with eapol_dest_addr.
Date: Wed, 23 Oct 2024 17:35:03 +0100
Message-Id: <20241023163503.530897-3-tim@seoss.co.uk>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241010154437.1487856-2-tim@seoss.co.uk>
References: <20241010154437.1487856-2-tim@seoss.co.uk>
wpa_supplicant previously hard-coded the destination MAC address for EAPOL packets to 01:80:c2:00:00:03 (the "PAE Group Address"). The PAE Group Address continues to be the default value for the newly introduced wpa_supplicant per-network eapol_dest_addr configuration setting, but alternative multicast addresses (e.g. 01:80:c2:00:00:1f - the "EDE-CC PEP Address") can now be specified so that outgoing packets can reach the desired destination station(s) in a wider variety of operating environments.

For example, third-party ISP switches providing layer 2 forwarding services to a customer should filter or terminate packets which use the PAE Group Address according to 802.1D ("Ethernet MAC bridges"). This will effectively prevent a customer from creating their own secure 802.1X + MACsec links atop the ISP-provided layer 2 network. The same ISP switches should instead forward packets which use the EDE-CC PEP Address (or a variety of other multicast addresses which may be better suited to the particular usage scenario).
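As an added example (not code from this patch or from hostap), the validation a defender would want in front of the eapol_dest_addr setting: it parses the configured string the way the patch's parser does ("" or "default" selecting the PAE group address), then rejects individual (unicast) addresses and flags the 01:80:c2:00:00:00..0f block that 802.1D MAC bridges never forward, which is why the PAE group address alone does not cross an ISP's switches. Function and enum names are ours; only ETH_ALEN and the PAE group address value come from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* Same value the patch defines as PAE_GROUP_ADDRESS (IEEE 802.1X Table 11-1). */
static const uint8_t pae_group_addr[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };

/* Classification of a candidate eapol_dest_addr value (names are ours, not wpa_supplicant's). */
enum eapol_dst_class {
    EAPOL_DST_INVALID = -1,        /* unparsable, or an individual (unicast) address */
    EAPOL_DST_BRIDGE_FILTERED = 0, /* 01:80:c2:00:00:00..0f: 802.1D MAC bridges do not forward */
    EAPOL_DST_FORWARDABLE = 1      /* any other group address, broadcast included */
};

/* Parse "xx:xx:xx:xx:xx:xx"; "" and "default" select the PAE group address. Returns -1 on error. */
int parse_eapol_dest_addr(const char *value, uint8_t out[ETH_ALEN])
{
    unsigned int b[ETH_ALEN];
    char tail;
    int i;

    if (value[0] == '\0' || strcmp(value, "default") == 0) {
        memcpy(out, pae_group_addr, ETH_ALEN);
        return 0;
    }
    /* The trailing %c only matches if junk follows the sixth octet, making the count 7. */
    if (sscanf(value, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &tail) != ETH_ALEN)
        return -1;
    for (i = 0; i < ETH_ALEN; i++)
        out[i] = (uint8_t) b[i];
    return 0;
}

/* The check the patch's parser lacks: reject individual addresses, flag the bridge-reserved block. */
enum eapol_dst_class classify_eapol_dest_addr(const uint8_t addr[ETH_ALEN])
{
    static const uint8_t bridge_block[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };

    if (!(addr[0] & 0x01))
        return EAPOL_DST_INVALID;          /* I/G bit clear: not a group address */
    if (memcmp(addr, bridge_block, 5) == 0 && addr[5] <= 0x0f)
        return EAPOL_DST_BRIDGE_FILTERED;  /* includes the PAE group address itself */
    return EAPOL_DST_FORWARDABLE;
}
```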
--- src/ap/ap_config.h | 1 + src/ap/wpa_auth_kay.c | 1 + src/common/ieee802_1x_defs.h | 8 ++++++ src/pae/ieee802_1x_kay.c | 12 ++++----- src/pae/ieee802_1x_kay.h | 5 +++- wpa_supplicant/config.c | 51 ++++++++++++++++++++++++++++++++++++ wpa_supplicant/config_ssid.h | 11 ++++++++ wpa_supplicant/wpas_kay.c | 1 + 8 files changed, 83 insertions(+), 7 deletions(-) diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index d42076785d..57e38c8be7 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -301,6 +301,7 @@ struct hostapd_bss_config { int eapol_version; int eap_server; /* Use internal EAP server instead of external * RADIUS server */ + u8 eapol_dest_addr[ETH_ALEN]; struct hostapd_eap_user *eap_user; char *eap_user_sqlite; char *eap_sim_db; diff --git a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c index 625f405127..107924fa90 100644 --- a/src/ap/wpa_auth_kay.c +++ b/src/ap/wpa_auth_kay.c @@ -331,6 +331,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct hostapd_data *hapd, hapd->conf->macsec_port, hapd->conf->mka_priority, hapd->conf->macsec_csindex, + hapd->conf->eapol_dest_addr, hapd->conf->iface, hapd->own_addr); /* ieee802_1x_kay_init() frees kay_ctx on failure */ diff --git a/src/common/ieee802_1x_defs.h b/src/common/ieee802_1x_defs.h index e7acff108e..b193472a76 100644 --- a/src/common/ieee802_1x_defs.h +++ b/src/common/ieee802_1x_defs.h @@ -83,4 +83,12 @@ enum confidentiality_offset { #define DEFAULT_PRIO_GROUP_CA_MEMBER 0x70 #define DEFAULT_PRIO_NOT_KEY_SERVER 0xFF +/* + * Nearest non-TPMR (non Two Port MAC Relay) Bridge group address, + * also referred to as IEEE Std 802.1X PAE address + * IEEE Std 802.1X-2020 - Table 11-1 + */ + +#define PAE_GROUP_ADDRESS { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 } + #endif /* IEEE802_1X_DEFS_H */ diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 230c69d197..c76f7501f0 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c 
@@ -2451,10 +2451,6 @@ ieee802_1x_kay_decide_macsec_use( return 0; } -static const u8 pae_group_addr[ETH_ALEN] = { - 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 -}; - /** * ieee802_1x_kay_encode_mkpdu - @@ -2468,7 +2464,8 @@ ieee802_1x_kay_encode_mkpdu(struct ieee802_1x_mka_participant *participant, struct ieee802_1x_hdr *eapol_hdr; ether_hdr = wpabuf_put(pbuf, sizeof(*ether_hdr)); - os_memcpy(ether_hdr->dest, pae_group_addr, sizeof(ether_hdr->dest)); + os_memcpy(ether_hdr->dest, participant->kay->eapol_dest_addr, + sizeof(ether_hdr->dest)); os_memcpy(ether_hdr->src, participant->kay->actor_sci.addr, sizeof(ether_hdr->dest)); ether_hdr->ethertype = host_to_be16(ETH_P_EAPOL); @@ -3495,7 +3492,8 @@ struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, bool macsec_replay_protect, u32 macsec_replay_window, u8 macsec_offload, u16 port, u8 priority, - u32 macsec_csindex, const char *ifname, const u8 *addr) + u32 macsec_csindex, + const u8 *eapol_dest_addr, const char *ifname, const u8 *addr) { struct ieee802_1x_kay *kay; @@ -3536,6 +3534,8 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->mka_algindex = DEFAULT_MKA_ALG_INDEX; kay->mka_version = MKA_VERSION_ID; + os_memcpy(kay->eapol_dest_addr, eapol_dest_addr, ETH_ALEN); + os_memcpy(kay->algo_agility, mka_algo_agility, sizeof(kay->algo_agility)); diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 11464f7fc6..fd16db3a07 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -234,6 +234,8 @@ struct ieee802_1x_kay { enum validate_frames vf; enum confidentiality_offset co; + + u8 eapol_dest_addr[ETH_ALEN]; }; 
@@ -243,7 +245,8 @@ struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, bool macsec_replay_protect, u32 macsec_replay_window, u8 macsec_offload, u16 port, u8 priority, - u32 macsec_csindex, const char *ifname, const u8 *addr); + u32 macsec_csindex, + const u8 *eapol_dest_addr, const char *ifname, const u8 *addr); void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); struct ieee802_1x_mka_participant * diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 13043afe94..3c097476a2 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -21,6 +21,9 @@ #include "config.h" +static const u8 pae_group_addr[ETH_ALEN] = PAE_GROUP_ADDRESS; + + #if !defined(CONFIG_CTRL_IFACE) && defined(CONFIG_NO_CONFIG_WRITE) #define NO_CONFIG_WRITE #endif @@ -1663,6 +1666,30 @@ static int wpa_config_parse_eap(const struct parse_data *data, } +static int wpa_config_parse_eapol_dest_addr(const struct parse_data *data, + struct wpa_ssid *ssid, int line, + const char *value) +{ + wpa_printf(MSG_DEBUG, "value: '%s'", value); + + if (value[0] == '\0' || os_strcmp(value, "\"\"") == 0 || + os_strcmp(value, "default") == 0) { + os_memcpy(ssid->eapol_dest_addr, pae_group_addr, ETH_ALEN); + wpa_printf(MSG_DEBUG, "EAPOL using PAE (default) destination MAC address" MACSTR, + MAC2STR(ssid->eapol_dest_addr)); + return 0; + } + if (hwaddr_aton2(value, ssid->eapol_dest_addr) == -1) { + wpa_printf(MSG_ERROR, "Line %d: Invalid EAPOL destination MAC address '%s'.", + line, value); + return -1; + } + wpa_printf(MSG_DEBUG, "EAPOL destination MAC address " MACSTR, + MAC2STR(ssid->eapol_dest_addr)); + return 0; +} + + #ifndef NO_CONFIG_WRITE static char * wpa_config_write_eap(const struct parse_data *data, struct wpa_ssid *ssid) 
@@ -1697,6 +1724,28 @@ static char * wpa_config_write_eap(const struct parse_data *data, return buf; } + + +static char * wpa_config_write_eapol_dest_addr(const struct parse_data *data, + struct wpa_ssid *ssid) +{ + char *value; + int res; + + if (is_zero_ether_addr(ssid->eapol_dest_addr)) + return NULL; + + value = os_malloc(20); + if (value == NULL) + return NULL; + res = os_snprintf(value, 20, MACSTR, MAC2STR(ssid->eapol_dest_addr)); + if (os_snprintf_error(20, res)) { + os_free(value); + return NULL; + } + value[20 - 1] = '\0'; + return value; +} #endif /* NO_CONFIG_WRITE */ @@ -2549,6 +2598,7 @@ static const struct parse_data ssid_fields[] = { { INT(vht_center_freq2) }, #ifdef IEEE8021X_EAPOL { FUNC(eap) }, + { FUNC(eapol_dest_addr) }, { STR_LENe(identity, identity) }, { STR_LENe(anonymous_identity, anonymous_identity) }, { STR_LENe(imsi_identity, imsi_identity) }, @@ -3236,6 +3286,7 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid) ssid->eap_workaround = DEFAULT_EAP_WORKAROUND; ssid->eap.fragment_size = DEFAULT_FRAGMENT_SIZE; ssid->eap.sim_num = DEFAULT_USER_SELECTED_SIM; + os_memcpy(ssid->eapol_dest_addr, pae_group_addr, ETH_ALEN); #endif /* IEEE8021X_EAPOL */ #ifdef CONFIG_MESH ssid->dot11MeshMaxRetries = DEFAULT_MESH_MAX_RETRIES; diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index d64c305082..1909a718d6 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h 
@@ -418,6 +418,17 @@ struct wpa_ssid { */ unsigned int eap_workaround; + /** + * eapol_dest_addr - mac addr for EAPOL packets (802.11AE-2018+ etc.) + * EAPOL packets may have their destination MAC address set to any + * non-individual (i.g. multi-cast) address, including the ethernet + * broadcast address (ff:ff:ff:ff:ff:ff). Choice of destination + * address is dictated by which types of entity (should) filter them + * out vs. act on their contents vs. relay them. + * See 802.11X-2020 Table 11-1 + */ + u8 eapol_dest_addr[ETH_ALEN]; + #endif /* IEEE8021X_EAPOL */ /** diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 600b3bc545..4712bcb221 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -249,6 +249,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) ssid->macsec_replay_window, ssid->macsec_offload, ssid->macsec_port, ssid->mka_priority, ssid->macsec_csindex, + ssid->eapol_dest_addr, wpa_s->ifname, wpa_s->own_addr); /* ieee802_1x_kay_init() frees kay_ctx on failure */ if (res == NULL)
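Review bot: the new `hapd->conf->eapol_dest_addr` field in `struct hostapd_bss_config` (src/ap/ap_config.h hunk) is never assigned anywhere in this patch: the diffstat touches neither hostapd's config parser nor its BSS defaults, yet the src/ap/wpa_auth_kay.c hunk passes the field straight into `ieee802_1x_kay_init()`, which copies it verbatim. On the hostapd side every MKPDU would therefore be sent to whatever the uninitialised array holds (all zeros for a zeroed config). Either initialise it to PAE_GROUP_ADDRESS in the hostapd defaults and add the matching hostapd config option, or have `ieee802_1x_kay_init()` fall back to the PAE group address when the caller supplies a zero address.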
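Review bot: in the `ieee802_1x_kay_init()` hunk (src/pae/ieee802_1x_kay.c), the new `os_memcpy(kay->eapol_dest_addr, eapol_dest_addr, ETH_ALEN);` dereferences the pointer unconditionally, so any caller passing NULL crashes; guard it and default to the PAE group address, e.g. `if (eapol_dest_addr) os_memcpy(...); else os_memcpy(kay->eapol_dest_addr, pae_group_addr, ETH_ALEN);` (the removed static `pae_group_addr` could be kept for this, initialised from the new PAE_GROUP_ADDRESS macro).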
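Review bot: style nit in the src/common/ieee802_1x_defs.h hunk: the blank line between the comment block and `#define PAE_GROUP_ADDRESS` separates the comment from the macro it documents; drop it so the comment attaches to the definition.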
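Review bot: `wpa_config_parse_eapol_dest_addr()` (wpa_supplicant/config.c hunk) accepts any address that `hwaddr_aton2()` can parse, including individual (unicast) addresses, even though the new config_ssid.h comment says only non-individual addresses are permitted and the commit message speaks of "alternative multicast addresses"; reject values with the I/G bit clear (`!(ssid->eapol_dest_addr[0] & 0x01)`) with an MSG_ERROR, as done for the unparsable case. Two smaller points in the same hunk: the leftover `wpa_printf(MSG_DEBUG, "value: '%s'", value);` should go, and the message `"EAPOL using PAE (default) destination MAC address" MACSTR` is missing a space before MACSTR, so the address prints glued to the text.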
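Review bot: in `wpa_config_write_eapol_dest_addr()` (wpa_supplicant/config.c hunk), `value[20 - 1] = '\0';` is redundant once `os_snprintf_error()` has been checked, since a successful os_snprintf() already terminated the string. Also, only the all-zero address is suppressed, so every network saved with the default will now carry an explicit `eapol_dest_addr=01:80:c2:00:00:03` line; comparing against `pae_group_addr` (as the parser already does for "default") and returning NULL in that case keeps written configs unchanged for users who never set the option.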
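Review bot: doc comment fixes for the wpa_supplicant/config_ssid.h hunk: "802.11AE-2018+" should read IEEE 802.1AE, "802.11X-2020" should read IEEE 802.1X-2020, "i.g." should be "e.g.", and "mac addr" should be "MAC address". It would also help users to state here that the empty string and "default" restore the PAE group address, since the parser accepts both.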