macsec: merge branch 'bg/macsec-ckn-len'

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1460
2025-12-30 05:00:10 +01:00 · 2022-11-16 10:38:22 +01:00 · 2022-11-16 10:38:22 +01:00 · 8d6cba6555
commit 8d6cba6555
parent fb3be35b8b dfe63d9eb3
5 changed files with 41 additions and 17 deletions
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -403,6 +403,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
    const char *value;
    char        buf[32];
    int         port;
+    gsize       key_len;

    g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
    g_return_val_if_fail(setting != NULL, FALSE);
@ -446,7 +447,16 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
            return FALSE;

        value = nm_setting_macsec_get_mka_ckn(setting);
-        if (!value || !nm_utils_hexstr2bin_buf(value, FALSE, FALSE, NULL, buffer_ckn)) {
+        if (!value
+            || !nm_utils_hexstr2bin_full(value,
+                                         FALSE,
+                                         FALSE,
+                                         FALSE,
+                                         NULL,
+                                         0,
+                                         buffer_ckn,
+                                         G_N_ELEMENTS(buffer_ckn),
+                                         &key_len)) {
            g_set_error_literal(error,
                                NM_SUPPLICANT_ERROR,
                                NM_SUPPLICANT_ERROR_CONFIG,
@ -456,7 +466,7 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
        if (!nm_supplicant_config_add_option(self,
                                             "mka_ckn",
                                             (char *) buffer_ckn,
-                                             sizeof(buffer_ckn),
+                                             key_len,
                                             value,
                                             error))
            return FALSE;
--- a/src/libnm-core-impl/nm-setting-macsec.c
+++ b/src/libnm-core-impl/nm-setting-macsec.c
@ -236,7 +236,7 @@ need_secrets(NMSetting *setting, gboolean check_rerequest)
 static gboolean
 verify_macsec_key(const char *key, gboolean cak, GError **error)
 {
-    int req_len;
+    size_t len;

    /* CAK is a connection secret and can be NULL for various
     * reasons (agent-owned, no permissions to get secrets, etc.)
@ -252,14 +252,25 @@ verify_macsec_key(const char *key, gboolean cak, GError **error)
        return FALSE;
    }

-    req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH;
-    if (strlen(key) != (gsize) req_len) {
-        g_set_error(error,
-                    NM_CONNECTION_ERROR,
-                    NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                    _("the key must be %d characters"),
-                    req_len);
-        return FALSE;
+    len = strlen(key);
+    if (cak) {
+        if (len != NM_SETTING_MACSEC_MKA_CAK_LENGTH) {
+            g_set_error(error,
+                        NM_CONNECTION_ERROR,
+                        NM_CONNECTION_ERROR_INVALID_PROPERTY,
+                        _("the key must be %d characters"),
+                        NM_SETTING_MACSEC_MKA_CAK_LENGTH);
+            return FALSE;
+        }
+    } else {
+        if (len < 2 || len > 64 || len % 2 != 0) {
+            g_set_error_literal(
+                error,
+                NM_CONNECTION_ERROR,
+                NM_CONNECTION_ERROR_INVALID_PROPERTY,
+                _("the key must have an even number of characters between 2 and 64"));
+            return FALSE;
+        }
    }

    if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) {
@ -490,7 +501,7 @@ nm_setting_macsec_class_init(NMSettingMacsecClass *klass)
     * NMSettingMacsec:mka-cak:
     *
     * The pre-shared CAK (Connectivity Association Key) for MACsec
-     * Key Agreement.
+     * Key Agreement. Must be a string of 32 hexadecimal characters.
     *
     * Since: 1.6
     **/
@ -521,7 +532,8 @@ nm_setting_macsec_class_init(NMSettingMacsecClass *klass)
     * NMSettingMacsec:mka-ckn:
     *
     * The pre-shared CKN (Connectivity-association Key Name) for
-     * MACsec Key Agreement.
+     * MACsec Key Agreement. Must be a string of hexadecimal characters
+     * with a even length between 2 and 64.
     *
     * Since: 1.6
     **/
--- a/src/libnm-core-public/nm-setting-macsec.h
+++ b/src/libnm-core-public/nm-setting-macsec.h
@ -73,6 +73,8 @@ typedef enum {
 } NMSettingMacsecValidation;

 #define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32
+
+/* Deprecated. The CKN can be between 2 and 64 characters. */
 #define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64

 NM_AVAILABLE_IN_1_6
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@ -226,9 +226,9 @@
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_TOS N_("The type of service (IPv4) or traffic class (IPv6) field to be set on tunneled packets.")
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_TTL N_("The TTL to assign to tunneled packets. 0 is a special value meaning that packets inherit the TTL value.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_ENCRYPT N_("Whether the transmitted traffic must be encrypted.")
-#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK N_("The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement.")
+#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK N_("The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement. Must be a string of 32 hexadecimal characters.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CAK_FLAGS N_("Flags indicating how to handle the \"mka-cak\" property.")
-#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CKN N_("The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement.")
+#define DESCRIBE_DOC_NM_SETTING_MACSEC_MKA_CKN N_("The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement. Must be a string of hexadecimal characters with a even length between 2 and 64.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_MODE N_("Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key Agreement) is obtained.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created.  If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.")
--- a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
+++ b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
@ -774,12 +774,12 @@
                  description="Whether the transmitted traffic must be encrypted." />
        <property name="mka-cak"
                  alias="cak"
-                  description="The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement." />
+                  description="The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement. Must be a string of 32 hexadecimal characters." />
        <property name="mka-cak-flags"
                  description="Flags indicating how to handle the &quot;mka-cak&quot; property." />
        <property name="mka-ckn"
                  alias="ckn"
-                  description="The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement." />
+                  description="The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement. Must be a string of hexadecimal characters with a even length between 2 and 64." />
        <property name="port"
                  alias="port"
                  description="The port component of the SCI (Secure Channel Identifier), between 1 and 65534." />