From 474a0dbfbeeda7504d6599abe4adf0ddf18bab1e Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Thu, 27 Sep 2018 16:51:56 +0200 Subject: [PATCH] libnm/macsec: tighten up verification and normalize mka_cak/mka_ckn properties --- libnm-core/nm-connection.c | 24 ++++++++++++++++++++++++ libnm-core/nm-setting-macsec.c | 24 +++++++++++++++++++++++- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/libnm-core/nm-connection.c b/libnm-core/nm-connection.c index 172f9c99e4..5f406cc64a 100644 --- a/libnm-core/nm-connection.c +++ b/libnm-core/nm-connection.c @@ -1124,6 +1124,29 @@ _normalize_wireless_mac_address_randomization (NMConnection *self, GHashTable *p return FALSE; } +static gboolean +_normalize_macsec (NMConnection *self, GHashTable *parameters) +{ + NMSettingMacsec *s_macsec = nm_connection_get_setting_macsec (self); + gboolean changed = FALSE; + + if (!s_macsec) + return FALSE; + + if (nm_setting_macsec_get_mode (s_macsec) != NM_SETTING_MACSEC_MODE_PSK) { + if (nm_setting_macsec_get_mka_cak (s_macsec)) { + g_object_set (s_macsec, NM_SETTING_MACSEC_MKA_CAK, NULL, NULL); + changed = TRUE; + } + if (nm_setting_macsec_get_mka_ckn (s_macsec)) { + g_object_set (s_macsec, NM_SETTING_MACSEC_MKA_CKN, NULL, NULL); + changed = TRUE; + } + } + + return changed; +} + static gboolean _normalize_team_config (NMConnection *self, GHashTable *parameters) { @@ -1564,6 +1587,7 @@ nm_connection_normalize (NMConnection *connection, was_modified |= _normalize_bond_mode (connection, parameters); was_modified |= _normalize_bond_options (connection, parameters); was_modified |= _normalize_wireless_mac_address_randomization (connection, parameters); + was_modified |= _normalize_macsec (connection, parameters); was_modified |= _normalize_team_config (connection, parameters); was_modified |= _normalize_team_port_config (connection, parameters); was_modified |= _normalize_bluetooth_type (connection, parameters); 
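Review bot: `_normalize_macsec()` clears `mka_cak` and `mka_ckn` without a comment saying why, and its condition `mode != NM_SETTING_MACSEC_MODE_PSK` has to stay identical to the NORMALIZABLE branch this commit adds to `verify()` in nm-setting-macsec.c. I would add above the `if`: `/* CAK/CKN are only valid for PSK mode; verify() reports them as NORMALIZABLE otherwise, so drop them here. */`. Since the CAK is key material, it is also worth confirming that setting the property to NULL wipes the previous string rather than only freeing it. The property setter is not part of this patch, so that cannot be judged from here.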
diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c index 2f67a6c2b0..a9b1d550ad 100644 --- a/libnm-core/nm-setting-macsec.c +++ b/libnm-core/nm-setting-macsec.c @@ -256,7 +256,7 @@ verify_macsec_key (const char *key, gboolean cak, GError **error) req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH; - if (strlen (key) != req_len) { + if (strlen (key) != (gsize) req_len) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, @@ -342,6 +342,10 @@ verify (NMSetting *setting, NMConnection *connection, GError **error) g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CKN); return FALSE; } + if (!verify_macsec_key (priv->mka_cak, TRUE, error)) { + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CAK); + return FALSE; + } } else if (priv->mode == NM_SETTING_MACSEC_MODE_EAP) { if (!s_8021x) { g_set_error (error, @@ -352,6 +356,13 @@ verify (NMSetting *setting, NMConnection *connection, GError **error) g_prefix_error (error, "%s: ", NM_SETTING_MACSEC_SETTING_NAME); return FALSE; } + } else { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("must be either psk (0) or eap (1)")); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MODE); + return FALSE; } if (priv->port <= 0 || priv->port > 65534) { @@ -364,6 +375,17 @@ verify (NMSetting *setting, NMConnection *connection, GError **error) return FALSE; } + if ( priv->mode != NM_SETTING_MACSEC_MODE_PSK + && (priv->mka_cak || priv->mka_ckn)) { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("only valid for psk mode")); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, + priv->mka_cak ? NM_SETTING_MACSEC_MKA_CAK : NM_SETTING_MACSEC_MKA_CKN); + return NM_SETTING_VERIFY_NORMALIZABLE; + } + return TRUE; }
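Review bot: The new `verify_macsec_key (priv->mka_cak, TRUE, error)` call in the PSK branch makes verification depend on the CAK, which is a secret and may be absent when a connection is verified without its secrets loaded. The start of `verify_macsec_key()` is outside this patch, so it is not visible whether a NULL key is accepted when `cak` is TRUE; if it is not, PSK profiles without an in-memory CAK would now fail `verify()`. A comment at the call site would pin the intent, e.g. `/* mka_cak is a secret: it may be NULL when secrets are not loaded, which must not fail verification */`. It is also worth checking that the error text for a malformed CAK never echoes the key value.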
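Review bot: The NORMALIZABLE return added just before `return TRUE;` is only correct while every hard failure in `verify()` is checked above it; a fatal check appended below it later would let an invalid profile be reported as merely normalizable. I would mark the boundary with a comment above the `if`, e.g. `/* only NORMALIZABLE errors below this point; fatal checks go above */`. The `else` branch added earlier in this commit already rejects any mode other than psk/eap, so this branch is reached only for EAP, where `_normalize_macsec()` in nm-connection.c then clears both properties. `verify()` starts outside the hunk.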