macsec: allow CKN shorter than 64 characters
See wpa_supplicant commit [1]:
macsec: Make pre-shared CKN variable length
IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for
CKN:
"MKA places no restriction on the format of the CKN, save that it
comprise an integral number of octets, between 1 and 32
(inclusive), and that all potential members of the CA use the same
CKN. No further constraints are placed on the CKNs used with PSKs,
..."
Hence do not require a 32 octet long CKN but instead allow a
shorter CKN to be configured.
This fixes interoperability with some Aruba switches, that do not
accept a 32 octet long CKN (only support shorter ones).
[1] https://w1.fi/cgit/hostap/commit/?id=b678ed1efc50e8da4638d962f8eac13312a4048f
This commit is contained in:
Beniamino Galvani
@@ -403,6 +403,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
|
||||
const char *value;
|
||||
char buf[32];
|
||||
int port;
|
||||
gsize key_len;
|
||||
|
||||
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
|
||||
g_return_val_if_fail(setting != NULL, FALSE);
|
||||
@@ -446,7 +447,16 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
|
||||
return FALSE;
|
||||
|
||||
value = nm_setting_macsec_get_mka_ckn(setting);
|
||||
if (!value || !nm_utils_hexstr2bin_buf(value, FALSE, FALSE, NULL, buffer_ckn)) {
|
||||
if (!value
|
||||
|| !nm_utils_hexstr2bin_full(value,
|
||||
FALSE,
|
||||
FALSE,
|
||||
FALSE,
|
||||
NULL,
|
||||
0,
|
||||
buffer_ckn,
|
||||
G_N_ELEMENTS(buffer_ckn),
|
||||
&key_len)) {
|
||||
g_set_error_literal(error,
|
||||
NM_SUPPLICANT_ERROR,
|
||||
NM_SUPPLICANT_ERROR_CONFIG,
|
||||
@@ -456,7 +466,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
|
||||
if (!nm_supplicant_config_add_option(self,
|
||||
"mka_ckn",
|
||||
(char *) buffer_ckn,
|
||||
sizeof(buffer_ckn),
|
||||
key_len,
|
||||
value,
|
||||
error))
|
||||
return FALSE;
|
||||
|
||||
@@ -236,7 +236,7 @@ need_secrets(NMSetting *setting, gboolean check_rerequest)
|
||||
static gboolean
|
||||
verify_macsec_key(const char *key, gboolean cak, GError **error)
|
||||
{
|
||||
int req_len;
|
||||
size_t len;
|
||||
|
||||
/* CAK is a connection secret and can be NULL for various
|
||||
* reasons (agent-owned, no permissions to get secrets, etc.)
|
||||
@@ -252,15 +252,26 @@ verify_macsec_key(const char *key, gboolean cak, GError **error)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH;
|
||||
if (strlen(key) != (gsize) req_len) {
|
||||
len = strlen(key);
|
||||
if (cak) {
|
||||
if (len != NM_SETTING_MACSEC_MKA_CAK_LENGTH) {
|
||||
g_set_error(error,
|
||||
NM_CONNECTION_ERROR,
|
||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
||||
_("the key must be %d characters"),
|
||||
req_len);
|
||||
NM_SETTING_MACSEC_MKA_CAK_LENGTH);
|
||||
return FALSE;
|
||||
}
|
||||
} else {
|
||||
if (len < 2 || len > 64 || len % 2 != 0) {
|
||||
g_set_error_literal(
|
||||
error,
|
||||
NM_CONNECTION_ERROR,
|
||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
||||
_("the key must have an even number of characters between 2 and 64"));
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) {
|
||||
g_set_error_literal(error,
|
||||
|
||||
@@ -73,6 +73,8 @@ typedef enum {
|
||||
} NMSettingMacsecValidation;
|
||||
|
||||
#define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32
|
||||
|
||||
/* Deprecated. The CKN can be between 2 and 64 characters. */
|
||||
#define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64
|
||||
|
||||
NM_AVAILABLE_IN_1_6
|
||||
|
||||
Reference in New Issue
Block a user