authorBeniamino Galvani <bgalvani@redhat.com>2022-11-15 13:48:25 +0100
committerBeniamino Galvani <bgalvani@redhat.com>2022-11-16 10:36:39 +0100
commitdf999d1fca209767a235b5aaa6e3e7e5294746fc (patch)
tree6f4a1ec6c28a3e22614df5f94daf1f11acdbca45
parentfb3be35b8b97ad045044ac8628f5069e1a087554 (diff)
downloadNetworkManager-df999d1fca209767a235b5aaa6e3e7e5294746fc.tar.gz
macsec: allow CKN shorter than 64 characters
See wpa_supplicant commit [1]: macsec: Make pre-shared CKN variable length IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN: "MKA places no restriction on the format of the CKN, save that it comprise an integral number of octets, between 1 and 32 (inclusive), and that all potential members of the CA use the same CKN. No further constraints are placed on the CKNs used with PSKs, ..." Hence do not require a 32 octet long CKN but instead allow a shorter CKN to be configured. This fixes interoperability with some Aruba switches, that do not accept a 32 octet long CKN (only support shorter ones). [1] https://w1.fi/cgit/hostap/commit/?id=b678ed1efc50e8da4638d962f8eac13312a4048f
-rw-r--r--src/core/supplicant/nm-supplicant-config.c14
-rw-r--r--src/libnm-core-impl/nm-setting-macsec.c29
-rw-r--r--src/libnm-core-public/nm-setting-macsec.h2
3 files changed, 34 insertions, 11 deletions
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 6d3ea10220..c63a00585a 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -403,6 +403,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
const char *value;
char buf[32];
int port;
+ gsize key_len;
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
g_return_val_if_fail(setting != NULL, FALSE);
@@ -446,7 +447,16 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
return FALSE;
value = nm_setting_macsec_get_mka_ckn(setting);
- if (!value || !nm_utils_hexstr2bin_buf(value, FALSE, FALSE, NULL, buffer_ckn)) {
+ if (!value
+ || !nm_utils_hexstr2bin_full(value,
+ FALSE,
+ FALSE,
+ FALSE,
+ NULL,
+ 0,
+ buffer_ckn,
+ G_N_ELEMENTS(buffer_ckn),
+ &key_len)) {
g_set_error_literal(error,
NM_SUPPLICANT_ERROR,
NM_SUPPLICANT_ERROR_CONFIG,
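Review bot: The new `nm_utils_hexstr2bin_full()` call passes 0 for the required length, so this function now enforces only the upper bound `G_N_ELEMENTS(buffer_ckn)` and no minimum of its own. The lower bound and the even-length rule live only in `verify_macsec_key()` in nm-setting-macsec.c; whether the parser rejects an empty or odd-length string with these arguments is not visible in this hunk. Because `key_len` becomes the option length passed to `nm_supplicant_config_add_option()` in the next hunk, a local guard such as `|| key_len == 0` appended to the condition would keep the supplicant path from depending on a check in another file. Alternatively, a comment stating that the setting has already been verified would document that dependency. The enclosing function starts and ends outside the hunk.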
@@ -456,7 +466,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
if (!nm_supplicant_config_add_option(self,
"mka_ckn",
(char *) buffer_ckn,
- sizeof(buffer_ckn),
+ key_len,
value,
error))
return FALSE;
diff --git a/src/libnm-core-impl/nm-setting-macsec.c b/src/libnm-core-impl/nm-setting-macsec.c
index 3c928e0138..86949e1d2f 100644
--- a/src/libnm-core-impl/nm-setting-macsec.c
+++ b/src/libnm-core-impl/nm-setting-macsec.c
@@ -236,7 +236,7 @@ need_secrets(NMSetting *setting, gboolean check_rerequest)
static gboolean
verify_macsec_key(const char *key, gboolean cak, GError **error)
{
- int req_len;
+ size_t len;
/* CAK is a connection secret and can be NULL for various
* reasons (agent-owned, no permissions to get secrets, etc.)
@@ -252,14 +252,25 @@ verify_macsec_key(const char *key, gboolean cak, GError **error)
return FALSE;
}
- req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH;
- if (strlen(key) != (gsize) req_len) {
- g_set_error(error,
- NM_CONNECTION_ERROR,
- NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("the key must be %d characters"),
- req_len);
- return FALSE;
+ len = strlen(key);
+ if (cak) {
+ if (len != NM_SETTING_MACSEC_MKA_CAK_LENGTH) {
+ g_set_error(error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("the key must be %d characters"),
+ NM_SETTING_MACSEC_MKA_CAK_LENGTH);
+ return FALSE;
+ }
+ } else {
+ if (len < 2 || len > 64 || len % 2 != 0) {
+ g_set_error_literal(
+ error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("the key must have an even number of characters between 2 and 64"));
+ return FALSE;
+ }
}
if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) {
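Review bot: The CKN branch hard-codes `2` and `64` in both the condition and the translated message, with nothing tying them to the 32-octet buffer the supplicant code parses into or to the standard cited in the commit message. A one-line comment above the check, e.g. `/* IEEE 802.1X-2010 9.3.1: CKN is 1..32 octets, i.e. 2..64 hex characters */`, would record why these bounds are correct. Tying the upper bound to `NM_SETTING_MACSEC_MKA_CKN_LENGTH` would also work, but that macro is marked deprecated in the same commit, so the comment is probably the lighter option. verify_macsec_key continues past the end of the hunk.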
diff --git a/src/libnm-core-public/nm-setting-macsec.h b/src/libnm-core-public/nm-setting-macsec.h
index 52e4313d45..c2662b1f5e 100644
--- a/src/libnm-core-public/nm-setting-macsec.h
+++ b/src/libnm-core-public/nm-setting-macsec.h
@@ -73,6 +73,8 @@ typedef enum {
} NMSettingMacsecValidation;
#define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32
+
+/* Deprecated. The CKN can be between 2 and 64 characters. */
#define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64
NM_AVAILABLE_IN_1_6
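Review bot: The new comment on `NM_SETTING_MACSEC_MKA_CKN_LENGTH` omits the even-length requirement that `verify_macsec_key()` now enforces, and it does not say what the macro still represents. Suggested wording: `/* Deprecated: this is only the maximum CKN length. A valid CKN has an even number of hex characters between 2 and 64. */`. Callers outside this tree that still compare the CKN length against this macro would keep rejecting the shorter values this commit allows, so spelling out the new rule in the public header helps them update their checks.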