Commit e8660ded authored by Sabrina Dubroca's avatar Sabrina Dubroca Committed by David S. Miller
Browse files

macsec: restore uAPI after addition of GCM-AES-256 



Commit ccfdec90 ("macsec: Add support for GCM-AES-256 cipher suite")
changed a few values in the uapi headers for MACsec.

Because of existing userspace implementations, we need to preserve the
value of MACSEC_DEFAULT_CIPHER_ID. Not doing that resulted in
wpa_supplicant segfaults when a secure channel was created using the
default cipher. Thus, swap MACSEC_DEFAULT_CIPHER_{ID,ALT} back to their
original values.

Changing the maximum length of the MACSEC_SA_ATTR_KEY attribute is
unnecessary, as the previous value (MACSEC_MAX_KEY_LEN, which was 128B)
is large enough to carry 32-bytes keys. This patch reverts
MACSEC_MAX_KEY_LEN to 128B and restores the old length check on
MACSEC_SA_ATTR_KEY.

Fixes: ccfdec90 ("macsec: Add support for GCM-AES-256 cipher suite")
Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5e89cfac

drivers/net/macsec.c

+5 −7
Original line number Diff line number Diff line
@@ -396,8 +396,6 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb) 
#define MACSEC_GCM_AES_128_SAK_LEN 16

#define MACSEC_GCM_AES_256_SAK_LEN 32



#define MAX_SAK_LEN MACSEC_GCM_AES_256_SAK_LEN



#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN

#define DEFAULT_SEND_SCI true

#define DEFAULT_ENCRYPT false
@@ -1605,7 +1603,7 @@ static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { 
	[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,

				   .len = MACSEC_KEYID_LEN, },

	[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,

				 .len = MAX_SAK_LEN, },

				 .len = MACSEC_MAX_KEY_LEN, },

};



static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
@@ -2374,7 +2372,7 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb) 


	switch (secy->key_len) {

	case MACSEC_GCM_AES_128_SAK_LEN:

		csid = MACSEC_CIPHER_ID_GCM_AES_128;

		csid = MACSEC_DEFAULT_CIPHER_ID;

		break;

	case MACSEC_GCM_AES_256_SAK_LEN:

		csid = MACSEC_CIPHER_ID_GCM_AES_256;
@@ -3076,7 +3074,7 @@ static int macsec_changelink_common(struct net_device *dev, 
	if (data[IFLA_MACSEC_CIPHER_SUITE]) {

		switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {

		case MACSEC_CIPHER_ID_GCM_AES_128:

		case MACSEC_DEFAULT_CIPHER_ALT:

		case MACSEC_DEFAULT_CIPHER_ID:

			secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;

			break;

		case MACSEC_CIPHER_ID_GCM_AES_256:
@@ -3355,7 +3353,7 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[], 
	switch (csid) {

	case MACSEC_CIPHER_ID_GCM_AES_128:

	case MACSEC_CIPHER_ID_GCM_AES_256:

	case MACSEC_DEFAULT_CIPHER_ALT:

	case MACSEC_DEFAULT_CIPHER_ID:

		if (icv_len < MACSEC_MIN_ICV_LEN ||

		    icv_len > MACSEC_STD_ICV_LEN)

			return -EINVAL;
@@ -3428,7 +3426,7 @@ static int macsec_fill_info(struct sk_buff *skb, 


	switch (secy->key_len) {

	case MACSEC_GCM_AES_128_SAK_LEN:

		csid = MACSEC_CIPHER_ID_GCM_AES_128;

		csid = MACSEC_DEFAULT_CIPHER_ID;

		break;

	case MACSEC_GCM_AES_256_SAK_LEN:

		csid = MACSEC_CIPHER_ID_GCM_AES_256;

include/uapi/linux/if_macsec.h

+3 −3
Original line number Diff line number Diff line
@@ -18,7 +18,7 @@ 
#define MACSEC_GENL_NAME "macsec"

#define MACSEC_GENL_VERSION 1



#define MACSEC_MAX_KEY_LEN 256

#define MACSEC_MAX_KEY_LEN 128



#define MACSEC_KEYID_LEN 16
@@ -26,9 +26,9 @@ 
#define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL

#define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL



#define MACSEC_DEFAULT_CIPHER_ID     MACSEC_CIPHER_ID_GCM_AES_128

/* deprecated cipher ID for GCM-AES-128 */

#define MACSEC_DEFAULT_CIPHER_ALT    0x0080020001000001ULL

#define MACSEC_DEFAULT_CIPHER_ID     0x0080020001000001ULL

#define MACSEC_DEFAULT_CIPHER_ALT    MACSEC_CIPHER_ID_GCM_AES_128



#define MACSEC_MIN_ICV_LEN 8

#define MACSEC_MAX_ICV_LEN 32

CRA Git | Maintained and supported by SUSTech CRA and CCSE