diff options
author | Beniamino Galvani <bgalvani@redhat.com> | 2022-11-15 13:48:25 +0100 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2022-11-16 10:36:39 +0100 |
commit | df999d1fca209767a235b5aaa6e3e7e5294746fc (patch) | |
tree | 6f4a1ec6c28a3e22614df5f94daf1f11acdbca45 | |
parent | fb3be35b8b97ad045044ac8628f5069e1a087554 (diff) | |
download | NetworkManager-df999d1fca209767a235b5aaa6e3e7e5294746fc.tar.gz |
macsec: allow CKN shorter than 64 characters
See wpa_supplicant commit [1]:
macsec: Make pre-shared CKN variable length
IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for
CKN:
"MKA places no restriction on the format of the CKN, save that it
comprise an integral number of octets, between 1 and 32
(inclusive), and that all potential members of the CA use the same
CKN. No further constraints are placed on the CKNs used with PSKs,
..."
Hence do not require a 32 octet long CKN but instead allow a
shorter CKN to be configured.
This fixes interoperability with some Aruba switches, that do not
accept a 32 octet long CKN (only support shorter ones).
[1] https://w1.fi/cgit/hostap/commit/?id=b678ed1efc50e8da4638d962f8eac13312a4048f
-rw-r--r-- | src/core/supplicant/nm-supplicant-config.c | 14 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-setting-macsec.c | 29 | ||||
-rw-r--r-- | src/libnm-core-public/nm-setting-macsec.h | 2 |
3 files changed, 34 insertions, 11 deletions
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c index 6d3ea10220..c63a00585a 100644 --- a/src/core/supplicant/nm-supplicant-config.c +++ b/src/core/supplicant/nm-supplicant-config.c @@ -403,6 +403,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, const char *value; char buf[32]; int port; + gsize key_len; g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE); g_return_val_if_fail(setting != NULL, FALSE); @@ -446,7 +447,16 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, return FALSE; value = nm_setting_macsec_get_mka_ckn(setting); - if (!value || !nm_utils_hexstr2bin_buf(value, FALSE, FALSE, NULL, buffer_ckn)) { + if (!value + || !nm_utils_hexstr2bin_full(value, + FALSE, + FALSE, + FALSE, + NULL, + 0, + buffer_ckn, + G_N_ELEMENTS(buffer_ckn), + &key_len)) { g_set_error_literal(error, NM_SUPPLICANT_ERROR, NM_SUPPLICANT_ERROR_CONFIG, @@ -456,7 +466,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self, if (!nm_supplicant_config_add_option(self, "mka_ckn", (char *) buffer_ckn, - sizeof(buffer_ckn), + key_len, value, error)) return FALSE; diff --git a/src/libnm-core-impl/nm-setting-macsec.c b/src/libnm-core-impl/nm-setting-macsec.c index 3c928e0138..86949e1d2f 100644 --- a/src/libnm-core-impl/nm-setting-macsec.c +++ b/src/libnm-core-impl/nm-setting-macsec.c @@ -236,7 +236,7 @@ need_secrets(NMSetting *setting, gboolean check_rerequest) static gboolean verify_macsec_key(const char *key, gboolean cak, GError **error) { - int req_len; + size_t len; /* CAK is a connection secret and can be NULL for various * reasons (agent-owned, no permissions to get secrets, etc.) @@ -252,14 +252,25 @@ verify_macsec_key(const char *key, gboolean cak, GError **error) return FALSE; } - req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH; - if (strlen(key) != (gsize) req_len) { - g_set_error(error, - NM_CONNECTION_ERROR, - NM_CONNECTION_ERROR_INVALID_PROPERTY, - _("the key must be %d characters"), - req_len); - return FALSE; + len = strlen(key); + if (cak) { + if (len != NM_SETTING_MACSEC_MKA_CAK_LENGTH) { + g_set_error(error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must be %d characters"), + NM_SETTING_MACSEC_MKA_CAK_LENGTH); + return FALSE; + } + } else { + if (len < 2 || len > 64 || len % 2 != 0) { + g_set_error_literal( + error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must have an even number of characters between 2 and 64")); + return FALSE; + } } if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) { diff --git a/src/libnm-core-public/nm-setting-macsec.h b/src/libnm-core-public/nm-setting-macsec.h index 52e4313d45..c2662b1f5e 100644 --- a/src/libnm-core-public/nm-setting-macsec.h +++ b/src/libnm-core-public/nm-setting-macsec.h @@ -73,6 +73,8 @@ typedef enum { } NMSettingMacsecValidation; #define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32 + +/* Deprecated. The CKN can be between 2 and 64 characters. */ #define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64 NM_AVAILABLE_IN_1_6 |