* [PATCH net-next] macsec: restore uAPI after addition of GCM-AES-256
@ 2018-01-18 16:48 Sabrina Dubroca
2018-01-22 20:40 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Sabrina Dubroca @ 2018-01-18 16:48 UTC (permalink / raw)
To: netdev; +Cc: Sabrina Dubroca, Felix Walter, Davide Caratti
Commit ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
changed a few values in the uapi headers for MACsec.
Because of existing userspace implementations, we need to preserve the
value of MACSEC_DEFAULT_CIPHER_ID. Not doing that resulted in
wpa_supplicant segfaults when a secure channel was created using the
default cipher. Thus, swap MACSEC_DEFAULT_CIPHER_{ID,ALT} back to their
original values.
Changing the maximum length of the MACSEC_SA_ATTR_KEY attribute is
unnecessary, as the previous value (MACSEC_MAX_KEY_LEN, which was 128B)
is large enough to carry 32-bytes keys. This patch reverts
MACSEC_MAX_KEY_LEN to 128B and restores the old length check on
MACSEC_SA_ATTR_KEY.
Fixes: ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
drivers/net/macsec.c | 12 +++++-------
include/uapi/linux/if_macsec.h | 6 +++---
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index f522715c6595..7de88b33d5b9 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -396,8 +396,6 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
#define MACSEC_GCM_AES_128_SAK_LEN 16
#define MACSEC_GCM_AES_256_SAK_LEN 32
-#define MAX_SAK_LEN MACSEC_GCM_AES_256_SAK_LEN
-
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
#define DEFAULT_SEND_SCI true
#define DEFAULT_ENCRYPT false
@@ -1605,7 +1603,7 @@ static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
.len = MACSEC_KEYID_LEN, },
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
- .len = MAX_SAK_LEN, },
+ .len = MACSEC_MAX_KEY_LEN, },
};
static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
@@ -2374,7 +2372,7 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
switch (secy->key_len) {
case MACSEC_GCM_AES_128_SAK_LEN:
- csid = MACSEC_CIPHER_ID_GCM_AES_128;
+ csid = MACSEC_DEFAULT_CIPHER_ID;
break;
case MACSEC_GCM_AES_256_SAK_LEN:
csid = MACSEC_CIPHER_ID_GCM_AES_256;
@@ -3076,7 +3074,7 @@ static int macsec_changelink_common(struct net_device *dev,
if (data[IFLA_MACSEC_CIPHER_SUITE]) {
switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
case MACSEC_CIPHER_ID_GCM_AES_128:
- case MACSEC_DEFAULT_CIPHER_ALT:
+ case MACSEC_DEFAULT_CIPHER_ID:
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
break;
case MACSEC_CIPHER_ID_GCM_AES_256:
@@ -3355,7 +3353,7 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
switch (csid) {
case MACSEC_CIPHER_ID_GCM_AES_128:
case MACSEC_CIPHER_ID_GCM_AES_256:
- case MACSEC_DEFAULT_CIPHER_ALT:
+ case MACSEC_DEFAULT_CIPHER_ID:
if (icv_len < MACSEC_MIN_ICV_LEN ||
icv_len > MACSEC_STD_ICV_LEN)
return -EINVAL;
@@ -3428,7 +3426,7 @@ static int macsec_fill_info(struct sk_buff *skb,
switch (secy->key_len) {
case MACSEC_GCM_AES_128_SAK_LEN:
- csid = MACSEC_CIPHER_ID_GCM_AES_128;
+ csid = MACSEC_DEFAULT_CIPHER_ID;
break;
case MACSEC_GCM_AES_256_SAK_LEN:
csid = MACSEC_CIPHER_ID_GCM_AES_256;
diff --git a/include/uapi/linux/if_macsec.h b/include/uapi/linux/if_macsec.h
index 2e522835a4af..98e4d5d7c45c 100644
--- a/include/uapi/linux/if_macsec.h
+++ b/include/uapi/linux/if_macsec.h
@@ -18,7 +18,7 @@
#define MACSEC_GENL_NAME "macsec"
#define MACSEC_GENL_VERSION 1
-#define MACSEC_MAX_KEY_LEN 256
+#define MACSEC_MAX_KEY_LEN 128
#define MACSEC_KEYID_LEN 16
@@ -26,9 +26,9 @@
#define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL
#define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL
-#define MACSEC_DEFAULT_CIPHER_ID MACSEC_CIPHER_ID_GCM_AES_128
/* deprecated cipher ID for GCM-AES-128 */
-#define MACSEC_DEFAULT_CIPHER_ALT 0x0080020001000001ULL
+#define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL
+#define MACSEC_DEFAULT_CIPHER_ALT MACSEC_CIPHER_ID_GCM_AES_128
#define MACSEC_MIN_ICV_LEN 8
#define MACSEC_MAX_ICV_LEN 32
--
2.15.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net-next] macsec: restore uAPI after addition of GCM-AES-256
2018-01-18 16:48 [PATCH net-next] macsec: restore uAPI after addition of GCM-AES-256 Sabrina Dubroca
@ 2018-01-22 20:40 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-01-22 20:40 UTC (permalink / raw)
To: sd; +Cc: netdev, felix.walter, dcaratti
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Thu, 18 Jan 2018 17:48:18 +0100
> Commit ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
> changed a few values in the uapi headers for MACsec.
>
> Because of existing userspace implementations, we need to preserve the
> value of MACSEC_DEFAULT_CIPHER_ID. Not doing that resulted in
> wpa_supplicant segfaults when a secure channel was created using the
> default cipher. Thus, swap MACSEC_DEFAULT_CIPHER_{ID,ALT} back to their
> original values.
>
> Changing the maximum length of the MACSEC_SA_ATTR_KEY attribute is
> unnecessary, as the previous value (MACSEC_MAX_KEY_LEN, which was 128B)
> is large enough to carry 32-bytes keys. This patch reverts
> MACSEC_MAX_KEY_LEN to 128B and restores the old length check on
> MACSEC_SA_ATTR_KEY.
>
> Fixes: ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Good catch, applied, thanks Sabrina.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-01-22 20:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-18 16:48 [PATCH net-next] macsec: restore uAPI after addition of GCM-AES-256 Sabrina Dubroca
2018-01-22 20:40 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).