From patchwork Tue Aug 15 15:16:55 2017
X-Patchwork-Submitter: michael-dev
X-Patchwork-Id: 801643
From: Michael Braun
To: hostap@lists.infradead.org
Subject: [PATCH 1/1] macsec: make pre-shared ckn variable length
Date: Tue, 15 Aug 2017 17:16:55 +0200
Message-Id: <1502810215-22288-1-git-send-email-michael-dev@fami-braun.de>
Cc: projekt-wlan@fem.tu-ilmenau.de, Michael Braun

IEEE 802.1X-2010 Section 9.3.1 restricts the CKN:

> MKA places no restriction on the format of the CKN, save that it comprise
> an integral number of octets, between 1 and 32 (inclusive), and that all
> potential members of the CA use the same CKN. No further constraints are
> placed on the CKNs used with PSKs, ... .

Hence do not require a 32 byte long CKN but instead allow a shorter CKN to be
configured.

This fixes interoperability with some Aruba switches that do not accept a
32 byte long CKN (only shorter ones).

Signed-off-by: Michael Braun
---
 wpa_supplicant/config.c      | 21 +++++++++++++++++----
 wpa_supplicant/config_ssid.h |  5 +++--
 wpa_supplicant/wpas_kay.c    |  2 +-
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 37489f7..d03514c 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -1946,8 +1946,20 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data, struct wpa_ssid *ssid, int line, const char *value) { - if (hexstr2bin(value, ssid->mka_ckn, MACSEC_CKN_LEN) || - value[MACSEC_CKN_LEN * 2] != '\0') { + size_t len; + + len = os_strlen(value); + ssid->mka_ckn_len = len / 2; + if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */ + len < 2 || /* too short */ + len % 2 != 0 /* not an integral number of bytes */ + ) { + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.", + line, value); + return -1; + } + ssid->mka_ckn_len = len / 2; + if (hexstr2bin(value, ssid->mka_ckn, ssid->mka_ckn_len)) { wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.", line, value); return -1; @@ -1955,7 +1967,8 @@ static int wpa_config_parse_mka_ckn(const struct parse_data *data, ssid->mka_psk_set |= MKA_PSK_SET_CKN; - wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, MACSEC_CKN_LEN); + wpa_hexdump_key(MSG_MSGDUMP, "MKA-CKN", ssid->mka_ckn, + ssid->mka_ckn_len); return 0; } @@ -1977,7 +1990,7 @@ static char * wpa_config_write_mka_ckn(const struct parse_data *data, { if (!(ssid->mka_psk_set & MKA_PSK_SET_CKN)) return NULL; - return wpa_config_write_string_hex(ssid->mka_ckn, MACSEC_CKN_LEN); + return wpa_config_write_string_hex(ssid->mka_ckn, ssid->mka_ckn_len); } #endif /* NO_CONFIG_WRITE */ diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 81f64a5..c8b9a4d 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -776,8 +776,9 @@ struct wpa_ssid { /** * mka_ckn - MKA pre-shared CKN */ -#define MACSEC_CKN_LEN 32 - u8 mka_ckn[MACSEC_CKN_LEN]; +#define MACSEC_CKN_MAX_LEN 32 + int mka_ckn_len; + u8 mka_ckn[MACSEC_CKN_MAX_LEN]; /** * mka_cak - MKA pre-shared CAK 
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index d087e00..6c381a4 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -415,7 +415,7 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s, cak->len = MACSEC_CAK_LEN; os_memcpy(cak->key, ssid->mka_cak, cak->len); - ckn->len = MACSEC_CKN_LEN; + ckn->len = ssid->mka_ckn_len; os_memcpy(ckn->name, ssid->mka_ckn, ckn->len); res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
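Review bot: in the wpa_config_parse_mka_ckn() hunk of config.c, `ssid->mka_ckn_len = len / 2;` is assigned twice, once before the length check and again after it. The first assignment runs before `len > 2 * MACSEC_CKN_MAX_LEN` is tested, so a rejected value still leaves mka_ckn_len set to a length larger than the mka_ckn buffer; drop the first assignment and keep only the one after the check. The two error paths also print the identical "Line %d: Invalid MKA-CKN '%s'." message, so they could be folded into one `goto`/combined condition, or the first one could say why (length must be 2..64 hex digits, an even count).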
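Review bot: in the config_ssid.h hunk, the new `int mka_ckn_len;` field lands inside the `mka_ckn` doc comment block without a description of its own, and it is `int` while the parser that fills it works with `size_t len` and wpas_kay.c assigns it to `ckn->len`. Suggest `size_t mka_ckn_len;` with a short comment stating that it holds the configured CKN length in octets, 1 to MACSEC_CKN_MAX_LEN inclusive, as the commit message cites from IEEE 802.1X-2010 9.3.1.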
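Review bot: in the wpas_kay.c hunk, `os_memcpy(ckn->name, ssid->mka_ckn, ckn->len);` now copies a runtime-chosen length instead of the fixed MACSEC_CKN_LEN. The size of `ckn->name` is not visible in this hunk; the copy is safe only if that buffer is at least MACSEC_CKN_MAX_LEN bytes, which is the bound config.c enforces. A compile-time check (or a comment at the `#define MACSEC_CKN_MAX_LEN 32`) tying the two sizes together would keep the bound from silently diverging later.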
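As an added example of the validation rule the commit message cites from IEEE 802.1X-2010 9.3.1, here is a standalone C parser for a pre-shared CKN given as a hex config value, accepting 1 to 32 octets and rejecting empty, odd-length, over-long and non-hex input. This is not hostap code and not part of the patch; hex_to_bytes() is a local stand-in for hostap's hexstr2bin(), and parse_mka_ckn(), ckn_octets() and ckn_decodes_to() are names assumed here, as is the constructed sample input in main().

```c
/* Added example, not hostap code: validate and decode a pre-shared MKA CKN
 * given as a hex string, enforcing the IEEE 802.1X-2010 9.3.1 rule quoted in
 * the commit message (an integral number of octets, 1..32 inclusive).
 * hex_to_bytes() is a local stand-in for hostap's hexstr2bin(); the function
 * and buffer names here are assumptions, not wpa_supplicant's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACSEC_CKN_MAX_LEN 32

/* Decode one hex digit; -1 on anything that is not [0-9a-fA-F]. */
static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Decode exactly 2*len hex characters into buf. Returns 0 on success,
 * -1 if a non-hex character is found (same contract as hostap's hexstr2bin). */
static int hex_to_bytes(const char *hex, uint8_t *buf, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		int hi = hex_nibble(hex[2 * i]);
		int lo = hex_nibble(hex[2 * i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		buf[i] = (uint8_t) ((hi << 4) | lo);
	}
	return 0;
}

/* Parse a CKN hex string into ckn (at least MACSEC_CKN_MAX_LEN bytes) and
 * *ckn_len. Returns 0 on success, -1 if the string is empty, longer than
 * 32 octets, an odd number of hex digits, or not hex at all. On failure
 * neither ckn nor *ckn_len is modified, so a rejected config line cannot
 * leave a stale or oversized length behind. */
int parse_mka_ckn(const char *value, uint8_t *ckn, size_t *ckn_len)
{
	uint8_t tmp[MACSEC_CKN_MAX_LEN];
	size_t hexlen = strlen(value);

	if (hexlen < 2 ||                       /* fewer than 1 octet */
	    hexlen > 2 * MACSEC_CKN_MAX_LEN ||  /* more than 32 octets */
	    hexlen % 2 != 0)                    /* not whole octets */
		return -1;
	if (hex_to_bytes(value, tmp, hexlen / 2))
		return -1;

	memcpy(ckn, tmp, hexlen / 2);
	*ckn_len = hexlen / 2;
	return 0;
}

/* Convenience wrapper: number of CKN octets a config value yields, or -1. */
int ckn_octets(const char *value)
{
	uint8_t ckn[MACSEC_CKN_MAX_LEN];
	size_t len;

	if (parse_mka_ckn(value, ckn, &len))
		return -1;
	return (int) len;
}

/* 1 if value parses and decodes to exactly the n bytes in expected, else 0. */
int ckn_decodes_to(const char *value, const uint8_t *expected, size_t n)
{
	uint8_t ckn[MACSEC_CKN_MAX_LEN];
	size_t len;

	if (parse_mka_ckn(value, ckn, &len))
		return 0;
	return len == n && memcmp(ckn, expected, n) == 0;
}

int main(void)
{
	/* Constructed inputs: a 1-octet CKN like the short ones the commit
	 * message says some switches require, a 4-octet one, and malformed
	 * values (empty, odd digit count, non-hex, 33 octets). */
	const char *inputs[] = { "01", "0102aBcD", "", "abc", "zz",
				 "00112233445566778899aabbccddeeff"
				 "00112233445566778899aabbccddeeff00" };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("%-68s -> %d\n", inputs[i], ckn_octets(inputs[i]));
	return 0;
}
```

Decoding into a temporary and copying only after every check has passed means a rejected config line never changes the caller's CKN buffer or length, which is the property a variable-length field in a long-lived config struct needs; the length check up front also guarantees hex_to_bytes() never reads past the terminating NUL.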