macsec: restore uAPI after addition of GCM-AES-256

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Commit ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
changed a few values in the uapi headers for MACsec.

Because of existing userspace implementations, we need to preserve the
value of MACSEC_DEFAULT_CIPHER_ID. Not doing that resulted in
wpa_supplicant segfaults when a secure channel was created using the
default cipher. Thus, swap MACSEC_DEFAULT_CIPHER_{ID,ALT} back to their
original values.

Changing the maximum length of the MACSEC_SA_ATTR_KEY attribute is
unnecessary, as the previous value (MACSEC_MAX_KEY_LEN, which was 128B)
is large enough to carry 32-bytes keys. This patch reverts
MACSEC_MAX_KEY_LEN to 128B and restores the old length check on
MACSEC_SA_ATTR_KEY.

Fixes: ccfdec908922 ("macsec: Add support for GCM-AES-256 cipher suite")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Sabrina Dubroca and committed by

David S. Miller 8 years ago e8660ded 5e89cfac

+8 -10

2 changed files

expand all

drivers

net

macsec.c

include

uapi

linux

if_macsec.h

+5 -7

drivers/net/macsec.c

··· 396 396 #define MACSEC_GCM_AES_128_SAK_LEN 16 397 397 #define MACSEC_GCM_AES_256_SAK_LEN 32 398 398 399 - #define MAX_SAK_LEN MACSEC_GCM_AES_256_SAK_LEN 400 - 401 399 #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN 402 400 #define DEFAULT_SEND_SCI true 403 401 #define DEFAULT_ENCRYPT false ··· 1603 1605 [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, 1604 1606 .len = MACSEC_KEYID_LEN, }, 1605 1607 [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, 1606 - .len = MAX_SAK_LEN, }, 1608 + .len = MACSEC_MAX_KEY_LEN, }, 1607 1609 }; 1608 1610 1609 1611 static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa) ··· 2372 2374 2373 2375 switch (secy->key_len) { 2374 2376 case MACSEC_GCM_AES_128_SAK_LEN: 2375 - csid = MACSEC_CIPHER_ID_GCM_AES_128; 2377 + csid = MACSEC_DEFAULT_CIPHER_ID; 2376 2378 break; 2377 2379 case MACSEC_GCM_AES_256_SAK_LEN: 2378 2380 csid = MACSEC_CIPHER_ID_GCM_AES_256; ··· 3074 3076 if (data[IFLA_MACSEC_CIPHER_SUITE]) { 3075 3077 switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) { 3076 3078 case MACSEC_CIPHER_ID_GCM_AES_128: 3077 - case MACSEC_DEFAULT_CIPHER_ALT: 3079 + case MACSEC_DEFAULT_CIPHER_ID: 3078 3080 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; 3079 3081 break; 3080 3082 case MACSEC_CIPHER_ID_GCM_AES_256: ··· 3353 3355 switch (csid) { 3354 3356 case MACSEC_CIPHER_ID_GCM_AES_128: 3355 3357 case MACSEC_CIPHER_ID_GCM_AES_256: 3356 - case MACSEC_DEFAULT_CIPHER_ALT: 3358 + case MACSEC_DEFAULT_CIPHER_ID: 3357 3359 if (icv_len < MACSEC_MIN_ICV_LEN || 3358 3360 icv_len > MACSEC_STD_ICV_LEN) 3359 3361 return -EINVAL; ··· 3426 3428 3427 3429 switch (secy->key_len) { 3428 3430 case MACSEC_GCM_AES_128_SAK_LEN: 3429 - csid = MACSEC_CIPHER_ID_GCM_AES_128; 3431 + csid = MACSEC_DEFAULT_CIPHER_ID; 3430 3432 break; 3431 3433 case MACSEC_GCM_AES_256_SAK_LEN: 3432 3434 csid = MACSEC_CIPHER_ID_GCM_AES_256;

+3 -3

include/uapi/linux/if_macsec.h

··· 18 18 #define MACSEC_GENL_NAME "macsec" 19 19 #define MACSEC_GENL_VERSION 1 20 20 21 - #define MACSEC_MAX_KEY_LEN 256 21 + #define MACSEC_MAX_KEY_LEN 128 22 22 23 23 #define MACSEC_KEYID_LEN 16 24 24 ··· 26 26 #define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL 27 27 #define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL 28 28 29 - #define MACSEC_DEFAULT_CIPHER_ID MACSEC_CIPHER_ID_GCM_AES_128 30 29 /* deprecated cipher ID for GCM-AES-128 */ 31 - #define MACSEC_DEFAULT_CIPHER_ALT 0x0080020001000001ULL 30 + #define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL 31 + #define MACSEC_DEFAULT_CIPHER_ALT MACSEC_CIPHER_ID_GCM_AES_128 32 32 33 33 #define MACSEC_MIN_ICV_LEN 8 34 34 #define MACSEC_MAX_ICV_LEN 32