[PATCH 0/2] RFC DRAFT - Allow customisation of EAPOL dest MAC

Tim Small tim at seoss.co.uk
Wed Oct 23 09:35:01 PDT 2024


Since I haven't contributed to the hostap code base previously (except
as below), I'd appreciate any feedback on these patches...

The first patch has been previously submitted to the mailing list and is
a prerequisite for the second patch.

Patch 2/2 allows the EAPOL destination MAC address which wpa_supplicant
uses to be changed from the (currently hard-coded) default of
01:80:C2:00:00:03. The rationale for allowing this is that newer
versions of the 802.1X and 802.1AE standards explicitly expand MACsec to
allow the use of several alternative destination MAC addresses. The
patch 2 commit message describes a typical usage scenario.

A few notes and queries:

1. If a Linux MACsec link is set up with wpa_supplicant, then `wpa_cli
status` still shows a "bssid" of 01:80:C2:00:00:03 - because this is
hard-coded. I assume it would be better to use the value of
eapol_dest_addr instead. If so, what would be a reasonable way of
altering the code to feed the eapol_dest_addr config value through to
the macsec_linux (and other macsec) drivers?

2. Which of the built-in tests and related code should I run and/or
modify in relation to this (and any subsequent related) patch? I haven't
as yet attempted to run any of the tests in the code base, but instead
have just created a manual test environment whilst developing (see
below).

3. I assume that adding an equivalent eapol_dest_addr setting to hostapd
would also be useful, but this looks like a potentially more complex
task. Again, any guidance would be welcome.

4. Additions to documentation and/or example conf files are not yet
included.

An example test wpa_supplicant conf is below:


# Test with e.g.
# ./wpa_supplicant -i untrust -dd -Dmacsec_linux -c wpa_supplicant_macsec.conf
#
# ./wpa_cli  -p /tmp/wpa_supplicant_macsec/
#
ctrl_interface=/tmp/wpa_supplicant_macsec
eapol_version=3
ap_scan=0
fast_reauth=1

network={
	key_mgmt=NONE
	eapol_flags=0
	macsec_policy=1

	eapol_dest_addr=01:80:c2:00:00:1f

	mka_cak=190afe23922225d56a1f1ee94ec254b7
	# 16 bytes hexadecimal
	mka_ckn=4a8a62b86a340c29d9b988f95713f0ed8ad6ccfa61258012ba46ecaac3422783
	# 32 bytes hexadecimal
}




Thanks!

Tim.

Tim Small (2):
  Improve MKPDU 802.1X conformance, don't require pae group dest address
  wpa_supplicant: EAPOL MAC address customisation with eapol_dest_addr.

 src/ap/ap_config.h           |  1 +
 src/ap/wpa_auth_kay.c        |  1 +
 src/common/ieee802_1x_defs.h |  8 ++++++
 src/pae/ieee802_1x_kay.c     | 16 +++++------
 src/pae/ieee802_1x_kay.h     |  5 +++-
 wpa_supplicant/config.c      | 51 ++++++++++++++++++++++++++++++++++++
 wpa_supplicant/config_ssid.h | 11 ++++++++
 wpa_supplicant/wpas_kay.c    |  1 +
 8 files changed, 85 insertions(+), 9 deletions(-)

-- 
2.39.5



