Hi,
How does this compare to the patch in
<20170509190449.7947-1-jaap.keuter@xxxxxxxxx> [PATCH] Handle preshared CKN sizes
from 1 to 32 octets
of April this year?
Thanks,
Jaap
On 15-08-17 17:16, Michael Braun wrote:
> From: michael-dev <michael-dev@xxxxxxxxxxxxx>
>
> IEEE 802.1X-2010 Section 9.3.1 restricts CKN
>> MKA places no restriction on the format of the CKN, save that it comprise
>> an integral number of octets, between 1 and 32 (inclusive), and that all
>> potential members of the CA use the same CKN. No further constraints are
>> placed onthe CKNs used with PSKs, ... .
>
> Hence do not require a 32 byte long CKN but instead allow a shorter ckn
> to be configured.
>
> This fixes interoperability with some Aruba Switches, that do not accept
> 32 byte long ckn (only shorter ones).
>
> Signed-off-by: Michael Braun <michae-dev@xxxxxxxxxxxxx>
> ---
> wpa_supplicant/config.c | 21 +++++++++++++++++----
> wpa_supplicant/config_ssid.h | 5 +++--
> wpa_supplicant/wpas_kay.c | 2 +-
> 3 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
> index 37489f7..d03514c 100644
> --- a/wpa_supplicant/config.c
> +++ b/wpa_supplicant/config.c
> @@ -1946,8 +1946,20 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
> struct wpa_ssid *ssid, int line,
> const char *value)
> {
> - if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) ||
> - value[MACSEC_CKN_LEN * 2] != '\0') {
> + size_t len;
> +
> + len = os_strlen(value);
> + ssid->mka_ckn_len = len / 2;
> + if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
> + len < 2 || /* too short */
> + len % 2 != 0 /* not an integral number of bytes */
> + ) {
> + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
> + line, value);
> + return -1;
> + }
> + ssid->mka_ckn_len = len / 2;
> + if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) {
> wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
> line, value);
> return -1;
> @@ -1955,7 +1967,8 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data,
>
> ssid->mka_psk_set |= MKA_PSK_SET_CKN;
>
> - wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN);
> + wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
> + ssid->mka_ckn_len);
> return 0;
> }
>
> @@ -1977,7 +1990,7 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data,
> {
> if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
> return NULL;
> - return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN);
> + return wpa_config_write_string_hex(ssid->mka_ckn, ssid->mka_ckn_len);
> }
>
> #endif /* NO_CONFIG_WRITE */
> diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
> index 81f64a5..c8b9a4d 100644
> --- a/wpa_supplicant/config_ssid.h
> +++ b/wpa_supplicant/config_ssid.h
> @@ -776,8 +776,9 @@ struct wpa_ssid {
> /**
> * mka_ckn - MKA pre-shared CKN
> */
> -#define MACSEC_CKN_LEN 32
> - u8 mka_ckn[MACSEC_CKN_LEN];
> +#define MACSEC_CKN_MAX_LEN 32
> + int mka_ckn_len;
> + u8 mka_ckn[MACSEC_CKN_MAX_LEN];
>
> /**
> * mka_cak - MKA pre-shared CAK
> diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
> index d087e00..6c381a4 100644
> --- a/wpa_supplicant/wpas_kay.c
> +++ b/wpa_supplicant/wpas_kay.c
> @@ -415,7 +415,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
> cak->len = MACSEC_CAK_LEN;
> os_memcpy(cak->key, ssid->mka_cak, cak->len);
>
> - ckn->len = MACSEC_CKN_LEN;
> + ckn->len = ssid->mka_ckn_len;
> os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
>
> res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
>
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
