diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-08-01 18:06:16 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-08-01 18:06:16 +0200 |
commit | a09359828e38c5b51a4579af16b5ea263a98233f (patch) | |
tree | e9b803b3b5134af06e38a9ec2a28db206fa0e442 | |
parent | d03248271c9610369c1b7d06ac81ca338117b545 (diff) | |
download | vyos-1x-a09359828e38c5b51a4579af16b5ea263a98233f.tar.gz vyos-1x-a09359828e38c5b51a4579af16b5ea263a98233f.zip |
macsec: T3368: check key length for gcm-aes-128/gcm-aes-256
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 03a010086..f5c98b664 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -87,6 +87,16 @@ def verify(macsec): if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None: raise ConfigError('Missing mandatory MACsec security keys as encryption is enabled!') + cak_len = len(dict_search('security.mka.cak', macsec)) + + if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != 32: + # gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit + raise ConfigError('gcm-aes-128 requires a 128bit long key!') + + elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != 64: + # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit + raise ConfigError('gcm-aes-128 requires a 256bit long key!') + if 'source_interface' in macsec: # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad # and 802.1q) - we need to check the underlaying MTU if our configured |