From: michael-dev <michael-dev@xxxxxxxxxxxxx>
IEEE 802.1X-2010 Section 9.3.1 restricts CKN
MKA places no restriction on the format of the CKN, save that it
comprise
an integral number of octets, between 1 and 32 (inclusive), and
that all
potential members of the CA use the same CKN. No further
constraints are
placed onthe CKNs used with PSKs, ... .
Hence do not require a 32 byte long CKN but instead allow a shorter
ckn
to be configured.
This fixes interoperability with some Aruba Switches, that do not
accept
32 byte long ckn (only shorter ones).
Signed-off-by: Michael Braun <michae-dev@xxxxxxxxxxxxx>
---
wpa_supplicant/config.c | 21 +++++++++++++++++----
wpa_supplicant/config_ssid.h | 5 +++--
wpa_supplicant/wpas_kay.c | 2 +-
3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 37489f7..d03514c 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1946,8 +1946,20 @@ static int wpa_config_parse_mka_ckn(const
struct
parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
{
- if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) ||
- value[MACSEC_CKN_LEN * 2] != '\0') {
+ size_t len;
+
+ len = os_strlen(value);
+ ssid->mka_ckn_len = len / 2;
+ if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
+ len < 2 || /* too short */
+ len % 2 != 0 /* not an integral number of bytes */
+ ) {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+ line, value);
+ return -1;
+ }
+ ssid->mka_ckn_len = len / 2;
+ if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) {
wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
line, value);
return -1;
@@ -1955,7 +1967,8 @@ static int wpa_config_parse_mka_ckn(const
struct
parse_data *data,
ssid->mka_psk_set |= MKA_PSK_SET_CKN;
- wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
MACSEC_CKN_LEN);
+ wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn,
+ ssid->mka_ckn_len);
return 0;
}
@@ -1977,7 +1990,7 @@ static char * wpa_config_write_mka_ckn(const
struct
parse_data *data,
{
if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN))
return NULL;
- return wpa_config_write_string_hex(ssid->mka_ckn,
MACSEC_CKN_LEN);
+ return wpa_config_write_string_hex(ssid->mka_ckn,
ssid->mka_ckn_len);
}
#endif /* NO_CONFIG_WRITE */
diff --git a/wpa_supplicant/config_ssid.h
b/wpa_supplicant/config_ssid.h
index 81f64a5..c8b9a4d 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -776,8 +776,9 @@ struct wpa_ssid {
/**
* mka_ckn - MKA pre-shared CKN
*/
-#define MACSEC_CKN_LEN 32
- u8 mka_ckn[MACSEC_CKN_LEN];
+#define MACSEC_CKN_MAX_LEN 32
+ int mka_ckn_len;
+ u8 mka_ckn[MACSEC_CKN_MAX_LEN];
/**
* mka_cak - MKA pre-shared CAK
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index d087e00..6c381a4 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -415,7 +415,7 @@ void * ieee802_1x_create_preshared_mka(struct
wpa_supplicant *wpa_s,
cak->len = MACSEC_CAK_LEN;
os_memcpy(cak->key, ssid->mka_cak, cak->len);
- ckn->len = MACSEC_CKN_LEN;
+ ckn->len = ssid->mka_ckn_len;
os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);
res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK,
FALSE);