Since I haven't contributed to the hostap code base previously (except as below), I'd appreciate any feedback on these patches...

The first patch has been previously submitted to the mailing list and is a prerequisite for the second patch.

Patch 2/2 allows the EAPOL destination MAC address which wpa_supplicant uses to be changed from the (currently hard-coded) default of 01:80:C2:00:00:03. The rationale for allowing this is that newer versions of the 802.1X and 802.1AE standards explicitly expand MACsec to allow the use of several alternative destination MAC addresses. The patch 2 commit message describes a typical usage scenario.

A few notes and queries:

1. If a Linux MACsec link is set up with wpa_supplicant, then `wpa_cli status` still shows a "bssid" of 01:80:C2:00:00:03, because this is hard-coded. I assume it would be better to use the value of eapol_dest_addr instead. If so, what would be a reasonable way of altering the code to feed the eapol_dest_addr config value through to the macsec_linux (and other macsec) drivers?

2. Which of the built-in tests and related code should I run and/or modify in relation to this (and any subsequent related) patch? I haven't as yet attempted to run any of the tests in the code base, but instead have just created a manual test environment whilst developing (see below).

3. I assume that adding an equivalent eapol_dest_addr setting to hostapd would also be useful, but this looks like a potentially more complex task. Again, any guidance would be welcome.

4. Additions to documentation and/or example conf files are not yet included.

An example test wpa_supplicant conf is below:

# Test with e.g.
# ./wpa_supplicant -i untrust -dd -Dmacsec_linux -c wpa_supplicant_macsec.conf
#
# ./wpa_cli -p /tmp/wpa_supplicant_macsec/
#
ctrl_interface=/tmp/wpa_supplicant_macsec
eapol_version=3
ap_scan=0
fast_reauth=1
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    eapol_dest_addr=01:80:c2:00:00:1f
    mka_cak=190afe23922225d56a1f1ee94ec254b7 # 16 bytes hexadecimal
    mka_ckn=4a8a62b86a340c29d9b988f95713f0ed8ad6ccfa61258012ba46ecaac3422783 # 32 bytes hexadecimal
}

Thanks!

Tim.

Tim Small (2):
  Improve MKPDU 802.1X conformance, don't require pae group dest address
  wpa_supplicant: EAPOL MAC address customisation with eapol_dest_addr.

 src/ap/ap_config.h           |  1 +
 src/ap/wpa_auth_kay.c        |  1 +
 src/common/ieee802_1x_defs.h |  8 ++++++
 src/pae/ieee802_1x_kay.c     | 16 +++++------
 src/pae/ieee802_1x_kay.h     |  5 +++-
 wpa_supplicant/config.c      | 51 ++++++++++++++++++++++++++++++++++++
 wpa_supplicant/config_ssid.h | 11 ++++++++
 wpa_supplicant/wpas_kay.c    |  1 +
 8 files changed, 85 insertions(+), 9 deletions(-)

-- 
2.39.5