macsec: restore uAPI after addition of GCM-AES-256
Commitccfdec9089
("macsec: Add support for GCM-AES-256 cipher suite") changed a few values in the uapi headers for MACsec. Because of existing userspace implementations, we need to preserve the value of MACSEC_DEFAULT_CIPHER_ID. Not doing that resulted in wpa_supplicant segfaults when a secure channel was created using the default cipher. Thus, swap MACSEC_DEFAULT_CIPHER_{ID,ALT} back to their original values. Changing the maximum length of the MACSEC_SA_ATTR_KEY attribute is unnecessary, as the previous value (MACSEC_MAX_KEY_LEN, which was 128B) is large enough to carry 32-bytes keys. This patch reverts MACSEC_MAX_KEY_LEN to 128B and restores the old length check on MACSEC_SA_ATTR_KEY. Fixes:ccfdec9089
("macsec: Add support for GCM-AES-256 cipher suite") Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
5e89cfac2e
commit
e8660ded7f
@ -396,8 +396,6 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
|
|||||||
#define MACSEC_GCM_AES_128_SAK_LEN 16
|
#define MACSEC_GCM_AES_128_SAK_LEN 16
|
||||||
#define MACSEC_GCM_AES_256_SAK_LEN 32
|
#define MACSEC_GCM_AES_256_SAK_LEN 32
|
||||||
|
|
||||||
#define MAX_SAK_LEN MACSEC_GCM_AES_256_SAK_LEN
|
|
||||||
|
|
||||||
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
|
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
|
||||||
#define DEFAULT_SEND_SCI true
|
#define DEFAULT_SEND_SCI true
|
||||||
#define DEFAULT_ENCRYPT false
|
#define DEFAULT_ENCRYPT false
|
||||||
@ -1605,7 +1603,7 @@ static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
|
|||||||
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
|
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
|
||||||
.len = MACSEC_KEYID_LEN, },
|
.len = MACSEC_KEYID_LEN, },
|
||||||
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
|
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
|
||||||
.len = MAX_SAK_LEN, },
|
.len = MACSEC_MAX_KEY_LEN, },
|
||||||
};
|
};
|
||||||
|
|
||||||
static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
|
static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
|
||||||
@ -2374,7 +2372,7 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
|
|||||||
|
|
||||||
switch (secy->key_len) {
|
switch (secy->key_len) {
|
||||||
case MACSEC_GCM_AES_128_SAK_LEN:
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
||||||
csid = MACSEC_CIPHER_ID_GCM_AES_128;
|
csid = MACSEC_DEFAULT_CIPHER_ID;
|
||||||
break;
|
break;
|
||||||
case MACSEC_GCM_AES_256_SAK_LEN:
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
||||||
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
||||||
@ -3076,7 +3074,7 @@ static int macsec_changelink_common(struct net_device *dev,
|
|||||||
if (data[IFLA_MACSEC_CIPHER_SUITE]) {
|
if (data[IFLA_MACSEC_CIPHER_SUITE]) {
|
||||||
switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
|
switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
|
||||||
case MACSEC_CIPHER_ID_GCM_AES_128:
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
||||||
case MACSEC_DEFAULT_CIPHER_ALT:
|
case MACSEC_DEFAULT_CIPHER_ID:
|
||||||
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
|
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
|
||||||
break;
|
break;
|
||||||
case MACSEC_CIPHER_ID_GCM_AES_256:
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
||||||
@ -3355,7 +3353,7 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
|
|||||||
switch (csid) {
|
switch (csid) {
|
||||||
case MACSEC_CIPHER_ID_GCM_AES_128:
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
||||||
case MACSEC_CIPHER_ID_GCM_AES_256:
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
||||||
case MACSEC_DEFAULT_CIPHER_ALT:
|
case MACSEC_DEFAULT_CIPHER_ID:
|
||||||
if (icv_len < MACSEC_MIN_ICV_LEN ||
|
if (icv_len < MACSEC_MIN_ICV_LEN ||
|
||||||
icv_len > MACSEC_STD_ICV_LEN)
|
icv_len > MACSEC_STD_ICV_LEN)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
@ -3428,7 +3426,7 @@ static int macsec_fill_info(struct sk_buff *skb,
|
|||||||
|
|
||||||
switch (secy->key_len) {
|
switch (secy->key_len) {
|
||||||
case MACSEC_GCM_AES_128_SAK_LEN:
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
||||||
csid = MACSEC_CIPHER_ID_GCM_AES_128;
|
csid = MACSEC_DEFAULT_CIPHER_ID;
|
||||||
break;
|
break;
|
||||||
case MACSEC_GCM_AES_256_SAK_LEN:
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
||||||
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
#define MACSEC_GENL_NAME "macsec"
|
#define MACSEC_GENL_NAME "macsec"
|
||||||
#define MACSEC_GENL_VERSION 1
|
#define MACSEC_GENL_VERSION 1
|
||||||
|
|
||||||
#define MACSEC_MAX_KEY_LEN 256
|
#define MACSEC_MAX_KEY_LEN 128
|
||||||
|
|
||||||
#define MACSEC_KEYID_LEN 16
|
#define MACSEC_KEYID_LEN 16
|
||||||
|
|
||||||
@ -26,9 +26,9 @@
|
|||||||
#define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL
|
#define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL
|
||||||
#define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL
|
#define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL
|
||||||
|
|
||||||
#define MACSEC_DEFAULT_CIPHER_ID MACSEC_CIPHER_ID_GCM_AES_128
|
|
||||||
/* deprecated cipher ID for GCM-AES-128 */
|
/* deprecated cipher ID for GCM-AES-128 */
|
||||||
#define MACSEC_DEFAULT_CIPHER_ALT 0x0080020001000001ULL
|
#define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL
|
||||||
|
#define MACSEC_DEFAULT_CIPHER_ALT MACSEC_CIPHER_ID_GCM_AES_128
|
||||||
|
|
||||||
#define MACSEC_MIN_ICV_LEN 8
|
#define MACSEC_MIN_ICV_LEN 8
|
||||||
#define MACSEC_MAX_ICV_LEN 32
|
#define MACSEC_MAX_ICV_LEN 32
|
||||||
|
Loading…
Reference in New Issue
Block a user