summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-08-01 18:06:16 +0200
committerChristian Poessinger <christian@poessinger.com>2022-08-01 18:07:58 +0200
commitf6dddb5466c95e998582f7ec774b2626b9a9067c (patch)
tree29f13b78dbd80e62b9ef0b4a8f8598df186becbd /src/conf_mode
parent8c10a12251533c9e8f00d2f52dc5d23f8bb9a3ae (diff)
downloadvyos-1x-f6dddb5466c95e998582f7ec774b2626b9a9067c.tar.gz
vyos-1x-f6dddb5466c95e998582f7ec774b2626b9a9067c.zip
macsec: T3368: check key length for gcm-aes-128/gcm-aes-256
(cherry picked from commit a09359828e38c5b51a4579af16b5ea263a98233f)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 6ec34a961..5ae07dae0 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -84,6 +84,16 @@ def verify(macsec):
raise ConfigError('Missing mandatory MACsec security '
'keys as encryption is enabled!')
+ cak_len = len(dict_search('security.mka.cak', macsec))
+
+ if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != 32:
+ # gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit
+ raise ConfigError('gcm-aes-128 requires a 128bit long key!')
+
+ elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != 64:
+ # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit
+ raise ConfigError('gcm-aes-128 requires a 256bit long key!')
+
if 'source_interface' in macsec:
# MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
# and 802.1q) - we need to check the underlaying MTU if our configured