mka: Accept MKPDU sent to any multicast address

Improve MKPDU 802.1X conformance by not requiring the PAE group address
(01-80-C2-00-00-03) to be used as the destination, but instead, allowing
any multicast address to be used. IEEE Std 802.1X-2020, 11.11.2
(Validation of MKPDUs) disallows only individual addresses as the
destination address.

IEEE Sts 802.1X-2010 and 802.1X-2020 both specify that MKPDU packets
should be discarded if their destination address is "an individual
address". ieee802_1x_kay_mkpdu_validity_check() previously also rejected
all destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR
Bridge group address" (in contradiction to its comments).

This restriction may be a carry-over from IEEE Std 802.1X-2004, but is
explicitly discouraged in the 2010 and 2020 revisions (see 11.1.1
(Destination MAC address) and its references).

The additional restriction prevented wpa_supplicant and hostapd from
participating in MACsec communication in environments such as
third-party ("supplier") layer 2 networks.

Signed-off-by: Tim Small <tim@seoss.co.uk>

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b0a418ef0880881d2ae4bf1d3f070bec80f28421..230c69d197e4cb298eb28ff829fb96f4e23f6272 100644 (file)
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3125,9 +3125,9 @@ static int ieee802_1x_kay_mkpdu_validity_check(struct ieee802_1x_kay *kay,
                   be_to_host16(eth_hdr->ethertype));
 
        /* the destination address shall not be an individual address */
-       if (!ether_addr_equal(eth_hdr->dest, pae_group_addr)) {
+       if (!is_multicast_ether_addr(eth_hdr->dest)) {
                wpa_printf(MSG_DEBUG,
-                          "KaY: ethernet destination address is not PAE group address");
+                          "KaY: ethernet destination address is not a multicast adddress");
                return -1;
        }