[PATCH 1/1] macsec: make pre-shared ckn variable length
Jaap Keuter
jaap.keuter at xs4all.nl
Tue Aug 15 09:41:42 PDT 2017
Hi,
How does this compare to the patch in
<20170509190449.7947-1-jaap.keuter at xs4all.nl> [PATCH] Handle preshared CKN sizes
from 1 to 32 octets
of April this year?
Thanks,
Jaap
On 15-08-17 17:16, Michael Braun wrote:
> From: michael-dev <michael-dev at fami-braun.de>
>
> IEEE 802.1X-2010 Section 9.3.1 restricts CKN
>> MKA places no restriction on the format of the CKN, save that it comprise
>> an integral number of octets, between 1 and 32 (inclusive), and that all
>> potential members of the CA use the same CKN. No further constraints are
>> placed on the CKNs used with PSKs, ... .
>
> Hence do not require a 32 byte long CKN but instead allow a shorter ckn
> to be configured.
>
> This fixes interoperability with some Aruba Switches, that do not accept
> 32 byte long ckn (only shorter ones).
>
> Signed-off-by: Michael Braun <michae-dev at fami-braun.de>
> ---
> wpa_supplicant/config.c | 21 +++++++++++++++++----
> wpa_supplicant/config_ssid.h | 5 +++--
> wpa_supplicant/wpas_kay.c | 2 +-
> 3 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
> index 37489f7..d03514c 100644
> --- a/wpa_supplicant/config.c
> +++ b/wpa_supplicant/config.c
> @@ -1946,8 +1946,20 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
> struct wpa_ssid *ssid, int line,
> const char *value)
> {
> - if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) ||
> - value[MACSEC_CKN_LEN * 2] != '\0') {
> + size_t len;
> +
> + len = os_strlen(value);
> + ssid->mka_ckn_len = len / 2;
> + if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
> + len < 2 || /* too short */
> + len % 2 != 0 /* not an integral number of bytes */
> + ) {
> + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
> + line, value);
> + return -1;
> + }
> + ssid->mka_ckn_len = len / 2;
> + if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) {
> wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
> line, value);
> return -1;
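Review bot: ssid->mka_ckn_len is assigned twice in wpa_config_parse_mka_ckn(), once right after os_strlen() and before the length checks, and again after them. The first assignment is redundant and means a rejected value still leaves mka_ckn_len set on the return -1 path, possibly above MACSEC_CKN_MAX_LEN. Drop it and keep only the assignment that follows validation. The length check and the hexstr2bin() failure also log the identical "Invalid MKA-CKN" message, so a wrong length and a non-hex character cannot be told apart from the log; distinct messages would help whoever is debugging a config.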
> @@ -1955,7 +1967,8 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
>
> ssid->mka_psk_set |= MKA_PSK_SET_CKN;
>
> - wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN);
> + wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
> + ssid->mka_ckn_len);
> return 0;
> }
>
> @@ -1977,7 +1990,7 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
> {
> if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
> return NULL;
> - return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN);
> + return wpa_config_write_string_hex(ssid->mka_ckn, ssid->mka_ckn_len);
> }
>
> #endif /* NO_CONFIG_WRITE */
> diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
> index 81f64a5..c8b9a4d 100644
> --- a/wpa_supplicant/config_ssid.h
> +++ b/wpa_supplicant/config_ssid.h
> @@ -776,8 +776,9 @@ struct wpa_ssid {
> /**
> * mka_ckn - MKA pre-shared CKN
> */
> -#define MACSEC_CKN_LEN 32
> - u8 mka_ckn[MACSEC_CKN_LEN];
> +#define MACSEC_CKN_MAX_LEN 32
> + int mka_ckn_len;
> + u8 mka_ckn[MACSEC_CKN_MAX_LEN];
>
> /**
> * mka_cak - MKA pre-shared CAK
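Review bot: the new mka_ckn_len field in struct wpa_ssid is declared as a signed int and has no doc comment of its own; it sits between the existing "mka_ckn - MKA pre-shared CKN" comment and the array that comment describes. The parser computes the value from a size_t and the consumers pass it on as a length, so size_t would avoid signed/unsigned conversions at every use. Please also give it its own comment block stating that it is the CKN length in octets and that valid values are 1 to MACSEC_CKN_MAX_LEN.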
> diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
> index d087e00..6c381a4 100644
> --- a/wpa_supplicant/wpas_kay.c
> +++ b/wpa_supplicant/wpas_kay.c
> @@ -415,7 +415,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
> cak->len = MACSEC_CAK_LEN;
> os_memcpy(cak->key, ssid->mka_cak, cak->len);
>
> - ckn->len = MACSEC_CKN_LEN;
> + ckn->len = ssid->mka_ckn_len;
> os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
>
> res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
>
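Review bot: in ieee802_1x_create_preshared_mka() the os_memcpy() length is now the runtime value ssid->mka_ckn_len instead of a compile-time constant, and nothing in this hunk checks it before the copy into ckn->name. The only validation visible in the patch is in the config-file parser, so any other path that fills in the ssid, or an ssid whose mka_ckn_len was never set, reaches this copy unchecked. Suggest rejecting the network here unless mka_ckn_len is between 1 and MACSEC_CKN_MAX_LEN, and confirming that ckn->name is at least MACSEC_CKN_MAX_LEN octets, since its size is not visible in this diff.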