diff options
author | Giga Murphy <giga1699@gmail.com> | 2023-08-18 08:42:08 +0000 |
---|---|---|
committer | Giga Murphy <giga1699@gmail.com> | 2023-08-18 08:42:08 +0000 |
commit | d110af71cb1c8b62758feae724e13877a278c578 (patch) | |
tree | e9fe7ef0d2b28adcecf115492673bfb88fc0f509 | |
parent | 94e8d4ad1fd4fe0dded91b941fed6b7de331f01b (diff) | |
download | vyos-1x-d110af71cb1c8b62758feae724e13877a278c578.tar.gz vyos-1x-d110af71cb1c8b62758feae724e13877a278c578.zip |
T5447: Add verification of peer rx-key length
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 5045a9856..023fcdffc 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -118,6 +118,17 @@ def verify(macsec): if 'disable' not in peer_config and ('mac' not in peer_config or 'rx_key' not in peer_config): raise ConfigError('Every enabled MACsec static peer must have a MAC address and rx-key defined.') + # check rx-key length against cipher suite + rx_len = len(peer_config['rx_key']) + + if dict_search('security.cipher', macsec) == 'gcm-aes-128' and rx_len != 32: + # gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit + raise ConfigError('gcm-aes-128 requires a 128bit long key!') + + if dict_search('security.cipher', macsec) == 'gcm-aes-256' and rx_len != 64: + # gcm-aes-256 requires a 256bit long key - 64 characters (string) = 32byte = 256bit + raise ConfigError('gcm-aes-256 requires a 256bit long key!') + # Logic to check MKA configuration else: if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None: |