author | Beniamino Galvani <bgalvani@redhat.com> | 2022-11-16 10:38:22 +0100 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2022-11-16 10:38:22 +0100 |
commit | 8d6cba655574e25d8a08c58e87c9dbd8e6a1bc23 (patch) | |
tree | d5b1cbe35af1a08b73f7b81941e025e4aef2d49a | |
parent | fb3be35b8b97ad045044ac8628f5069e1a087554 (diff) | |
parent | dfe63d9eb3e11e67c0d4c5e1e64148e21a822d99 (diff) | |
download | NetworkManager-8d6cba655574e25d8a08c58e87c9dbd8e6a1bc23.tar.gz |
macsec: merge branch 'bg/macsec-ckn-len'
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1460
-rw-r--r-- | src/core/supplicant/nm-supplicant-config.c | 14 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-setting-macsec.c | 34 | ||||
-rw-r--r-- | src/libnm-core-public/nm-setting-macsec.h | 2 | ||||
-rw-r--r-- | src/libnmc-setting/settings-docs.h.in | 4 | ||||
-rw-r--r-- | src/nmcli/gen-metadata-nm-settings-nmcli.xml.in | 4 |
5 files changed, 41 insertions, 17 deletions
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c index 6d3ea10220..c63a00585a 100644 --- a/src/core/supplicant/nm-supplicant-config.c +++ b/src/core/supplicant/nm-supplicant-config.c @@ -403,6 +403,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, const char *value; char buf[32]; int port; + gsize key_len; g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE); g_return_val_if_fail(setting != NULL, FALSE); @@ -446,7 +447,16 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, return FALSE; value = nm_setting_macsec_get_mka_ckn(setting); - if (!value || !nm_utils_hexstr2bin_buf(value, FALSE, FALSE, NULL, buffer_ckn)) { + if (!value + || !nm_utils_hexstr2bin_full(value, + FALSE, + FALSE, + FALSE, + NULL, + 0, + buffer_ckn, + G_N_ELEMENTS(buffer_ckn), + &key_len)) { g_set_error_literal(error, NM_SUPPLICANT_ERROR, NM_SUPPLICANT_ERROR_CONFIG, @@ -456,7 +466,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, if (!nm_supplicant_config_add_option(self, "mka_ckn", (char *) buffer_ckn, - sizeof(buffer_ckn), + key_len, value, error)) return FALSE; diff --git a/src/libnm-core-impl/nm-setting-macsec.c b/src/libnm-core-impl/nm-setting-macsec.c index 3c928e0138..bf48f049df 100644 --- a/src/libnm-core-impl/nm-setting-macsec.c +++ b/src/libnm-core-impl/nm-setting-macsec.c @@ -236,7 +236,7 @@ need_secrets(NMSetting *setting, gboolean check_rerequest) static gboolean verify_macsec_key(const char *key, gboolean cak, GError **error) { - int req_len; + size_t len; /* CAK is a connection secret and can be NULL for various * reasons (agent-owned, no permissions to get secrets, etc.) 
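Review bot: In the `@@ -446,7 +447,16 @@` hunk the new `nm_utils_hexstr2bin_full()` call passes three bare `FALSE`s, `NULL` and `0`, so the call site does not show which parsing options are disabled when the CKN is decoded for the supplicant. A one-line comment above the call would help, for example `/* CKN is variable-length: decode at most G_N_ELEMENTS(buffer_ckn) bytes, actual length is returned in key_len */`. `buffer_ckn` is declared outside the diff, so please confirm it holds the 32 bytes that the new 64-character limit in `verify_macsec_key()` allows; if it is smaller, a CKN that passes validation would be rejected here. The function body starts and ends outside these hunks.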
@@ -252,14 +252,25 @@ verify_macsec_key(const char *key, gboolean cak, GError **error) return FALSE; } - req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH; - if (strlen(key) != (gsize) req_len) { - g_set_error(error, - NM_CONNECTION_ERROR, - NM_CONNECTION_ERROR_INVALID_PROPERTY, - _("the key must be %d characters"), - req_len); - return FALSE; + len = strlen(key); + if (cak) { + if (len != NM_SETTING_MACSEC_MKA_CAK_LENGTH) { + g_set_error(error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must be %d characters"), + NM_SETTING_MACSEC_MKA_CAK_LENGTH); + return FALSE; + } + } else { + if (len < 2 || len > 64 || len % 2 != 0) { + g_set_error_literal( + error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must have an even number of characters between 2 and 64")); + return FALSE; + } } if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) { @@ -490,7 +501,7 @@ nm_setting_macsec_class_init(NMSettingMacsecClass *klass) * NMSettingMacsec:mka-cak: * * The pre-shared CAK (Connectivity Association Key) for MACsec - * Key Agreement. + * Key Agreement. Must be a string of 32 hexadecimal characters. * * Since: 1.6 **/ @@ -521,7 +532,8 @@ nm_setting_macsec_class_init(NMSettingMacsecClass *klass) * NMSettingMacsec:mka-ckn: * * The pre-shared CKN (Connectivity-association Key Name) for - * MACsec Key Agreement. + * MACsec Key Agreement. Must be a string of hexadecimal characters + * with a even length between 2 and 64. * * Since: 1.6 **/ diff --git a/src/libnm-core-public/nm-setting-macsec.h b/src/libnm-core-public/nm-setting-macsec.h index 52e4313d45..c2662b1f5e 100644 --- a/src/libnm-core-public/nm-setting-macsec.h +++ b/src/libnm-core-public/nm-setting-macsec.h 
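Review bot: The CKN branch of `verify_macsec_key()` hard-codes `2` and `64` in `if (len < 2 || len > 64 || len % 2 != 0)`, and nothing ties that upper bound to the decode buffer used in nm-supplicant-config.c. I would add a comment such as `/* CKN is 1 to 32 octets, i.e. 2 to 64 hex digits; keep the maximum in sync with buffer_ckn in nm-supplicant-config.c */`, or name the two limits with file-local constants. The function begins before this hunk, and the hex-digit check that follows is unchanged context.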
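Review bot: The added `mka-ckn` property description in the `@@ -521,7 +532,8 @@` hunk reads "with a even length"; it should be `with an even length between 2 and 64`. The same sentence is repeated in the settings-docs.h.in and gen-metadata-nm-settings-nmcli.xml.in hunks of this commit, which look like they are generated from this comment and would need regenerating after the fix. The doc comment sits inside `nm_setting_macsec_class_init()`, which extends beyond the hunk.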
@@ -73,6 +73,8 @@ typedef enum { } NMSettingMacsecValidation; #define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32 + +/* Deprecated. The CKN can be between 2 and 64 characters. */ #define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64 NM_AVAILABLE_IN_1_6 diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in index 56b63760c4..2873abd127 100644 --- a/src/libnmc-setting/settings-docs.h.in +++ b/src/libnmc-setting/settings-docs.h.in 
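Review bot: The new comment on `NM_SETTING_MACSEC_MKA_CKN_LENGTH` marks the macro deprecated but does not say that 64 is now only the upper bound or that the length must be even. Code that still compares a CKN's length against the macro would reject short CKNs that the library now accepts. Suggested wording: `/* Deprecated: the CKN is a hex string of even length from 2 to 64 characters; this macro is only the maximum. */`. Because it is a plain `#define`, callers get no compiler warning, so the change is also worth mentioning in the release notes.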
@@ -226,9 +226,9 @@ #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_TOS N_("The type of service (IPv4) or traffic class (IPv6) field to be set on tunneled packets.") #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_TTL N_("The TTL to assign to tunneled packets. 0 is a special value meaning that packets inherit the TTL value.") #define DESCRIBE_DOC_NM_SETTING_MACSEC_ENCRYPT N_("Whether the transmitted traffic must be encrypted.") -#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK N_("The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement.") +#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK N_("The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement. Must be a string of 32 hexadecimal characters.") #define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK_FLAGS N_("Flags indicating how to handle the \"mka-cak\" property.") -#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CKN N_("The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement.") +#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CKN N_("The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement. Must be a string of hexadecimal characters with a even length between 2 and 64.") #define DESCRIBE_DOC_NM_SETTING_MACSEC_MODE N_("Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key Agreement) is obtained.") #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created. If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.") #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.") diff --git a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in index 8ce403e94f..941b1e353e 100644 --- a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in 
+++ b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in @@ -774,12 +774,12 @@ description="Whether the transmitted traffic must be encrypted." /> <property name="mka-cak" alias="cak" - description="The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement." /> + description="The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement. Must be a string of 32 hexadecimal characters." /> <property name="mka-cak-flags" description="Flags indicating how to handle the "mka-cak" property." /> <property name="mka-ckn" alias="ckn" - description="The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement." /> + description="The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement. Must be a string of hexadecimal characters with a even length between 2 and 64." /> <property name="port" alias="port" description="The port component of the SCI (Secure Channel Identifier), between 1 and 65534." /> |