macsec: Make pre-shared CKN variable length

IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN:

"MKA places no restriction on the format of the CKN, save that it comprise
an integral number of octets, between 1 and 32 (inclusive), and that all
potential members of the CA use the same CKN. No further constraints are
placed on the CKNs used with PSKs, ..."

Hence do not require a 32 octet long CKN but instead allow a shorter CKN
to be configured.

This fixes interoperability with some Aruba switches that do not accept
a 32-octet CKN (they only support shorter ones).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
michael-dev 2017-08-15 17:21:03 +02:00 committed by Jouni Malinen
parent 61127f162a
commit b678ed1efc
3 changed files with 19 additions and 7 deletions


@ -2020,8 +2020,18 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
struct wpa_ssid *ssid, int line, struct wpa_ssid *ssid, int line,
const char *value) const char *value)
{ {
if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) || size_t len;
value[MACSEC_CKN_LEN * 2] != '\0') {
len = os_strlen(value);
if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
len < 2 || /* too short */
len % 2 != 0 /* not an integral number of bytes */) {
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
line, value);
return -1;
}
ssid->mka_ckn_len = len / 2;
if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) {
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.", wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
line, value); line, value);
return -1; return -1;
@ -2029,7 +2039,8 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
ssid->mka_psk_set |= MKA_PSK_SET_CKN; ssid->mka_psk_set |= MKA_PSK_SET_CKN;
wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN); wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
ssid->mka_ckn_len);
return 0; return 0;
} }
@ -2051,7 +2062,7 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
{ {
if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN)) if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
return NULL; return NULL;
return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN); return wpa_config_write_string_hex(ssid->mka_ckn, ssid->mka_ckn_len);
} }
#endif /* NO_CONFIG_WRITE */ #endif /* NO_CONFIG_WRITE */
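Review bot: In wpa_config_parse_mka_ckn(), `ssid->mka_ckn_len = len / 2;` is stored before hexstr2bin() has validated the hex digits, so a rejected value still changes the length kept in the ssid. If MKA_PSK_SET_CKN is already set from an earlier successful parse (for instance when the field is set again at runtime; that path is not visible here), the previously accepted name would afterwards be used with the new, possibly shorter length. I would call `hexstr2bin(value, ssid->mka_ckn, len / 2)` and assign `ssid->mka_ckn_len = len / 2;` only after it returns 0. On failure the flag should also be cleared with `ssid->mka_psk_set &= ~MKA_PSK_SET_CKN;`, since hexstr2bin() may have partly overwritten the buffer. The length check and the hex check log the same message, so distinct wording for the length case would make a rejected config line easier to diagnose.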


@ -821,8 +821,9 @@ struct wpa_ssid {
/** /**
* mka_ckn - MKA pre-shared CKN * mka_ckn - MKA pre-shared CKN
*/ */
#define MACSEC_CKN_LEN 32 #define MACSEC_CKN_MAX_LEN 32
u8 mka_ckn[MACSEC_CKN_LEN]; size_t mka_ckn_len;
u8 mka_ckn[MACSEC_CKN_MAX_LEN];
/** /**
* mka_cak - MKA pre-shared CAK * mka_cak - MKA pre-shared CAK
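Review bot: The new `size_t mka_ckn_len;` member is inserted between the `mka_ckn - MKA pre-shared CKN` comment and the array it describes, so that comment now sits above the length and the length itself is undocumented. I would give the member its own comment, e.g. `mka_ckn_len - MKA pre-shared CKN length in octets (1..MACSEC_CKN_MAX_LEN)`, and keep the existing comment directly above `u8 mka_ckn[MACSEC_CKN_MAX_LEN];`. It is also worth stating there that the length is only meaningful once MKA_PSK_SET_CKN is set, which is what the parser in this commit appears to rely on. The struct continues outside the hunk.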


@ -414,7 +414,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
cak->len = MACSEC_CAK_LEN; cak->len = MACSEC_CAK_LEN;
os_memcpy(cak->key, ssid->mka_cak, cak->len); os_memcpy(cak->key, ssid->mka_cak, cak->len);
ckn->len = MACSEC_CKN_LEN; ckn->len = ssid->mka_ckn_len;
os_memcpy(ckn->name, ssid->mka_ckn, ckn->len); os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE); res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
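Review bot: The `os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);` copy is now sized by a runtime field rather than a constant, and nothing in this hunk ties `ssid->mka_ckn_len` to the capacity of `ckn->name`, whose declaration is not visible here. The config parser in this commit bounds the value to MACSEC_CKN_MAX_LEN, but this function would be more robust if it rejected a length of 0 or one above the destination size before copying, e.g. `if (!ssid->mka_ckn_len || ssid->mka_ckn_len > MACSEC_CKN_MAX_LEN)` followed by the function's existing error path. The function starts and ends outside the hunk, so an equivalent check may already exist earlier in it.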