macsec: Make pre-shared CKN variable length

IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN:

"MKA places no restriction on the format of the CKN, save that it comprise
an integral number of octets, between 1 and 32 (inclusive), and that all
potential members of the CA use the same CKN. No further constraints are
placed on the CKNs used with PSKs, ..."

Hence do not require a 32 octet long CKN but instead allow a shorter CKN
to be configured.

This fixes interoperability with some Aruba switches, that do not accept
a 32 octet long CKN (only support shorter ones).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 46792e7f015c7f57db8401ac6a39d4b19fae07cf..a0293d2b74270a1a1f7003381fed061837d87f24 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2020,8 +2020,18 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
                                    struct wpa_ssid *ssid, int line,
                                    const char *value)
 {
-       if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) ||
-           value[MACSEC_CKN_LEN * 2] != '\0') {
+       size_t len;
+
+       len = os_strlen(value);
+       if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
+           len < 2 || /* too short */
+           len % 2 != 0 /* not an integral number of bytes */) {
+               wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+                          line, value);
+               return -1;
+       }
+       ssid->mka_ckn_len = len / 2;
+       if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) {
                wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
                           line, value);
                return -1;
@@ -2029,7 +2039,8 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
 
        ssid->mka_psk_set |= MKA_PSK_SET_CKN;
 
-       wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN);
+       wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
+                       ssid->mka_ckn_len);
        return 0;
 }
 
@@ -2051,7 +2062,7 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
 {
        if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
                return NULL;
-       return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN);
+       return wpa_config_write_string_hex(ssid->mka_ckn, ssid->mka_ckn_len);
 }
 
 #endif /* NO_CONFIG_WRITE */

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index deba9d9736c861dbc9c909d865a06dcbf184fd6d..665437de1467f1625b4c334dd1927bf6bc036a43 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -821,8 +821,9 @@ struct wpa_ssid {
        /**
         * mka_ckn - MKA pre-shared CKN
         */
-#define MACSEC_CKN_LEN 32
-       u8 mka_ckn[MACSEC_CKN_LEN];
+#define MACSEC_CKN_MAX_LEN 32
+       size_t mka_ckn_len;
+       u8 mka_ckn[MACSEC_CKN_MAX_LEN];
 
        /**
         * mka_cak - MKA pre-shared CAK

diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index d3d06b8ae231f60f21d316b8ed363bbef4eac48e..c662bbbebd7665b136701eaa25b8c8f7f8877eb5 100644 (file)
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -414,7 +414,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
        cak->len = MACSEC_CAK_LEN;
        os_memcpy(cak->key, ssid->mka_cak, cak->len);
 
-       ckn->len = MACSEC_CKN_LEN;
+       ckn->len = ssid->mka_ckn_len;
        os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
 
        res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);