macsec: allow CKN shorter than 64 characters

Beniamino Galvani requested to merge bg/macsec-ckn-len into main

See wpa_supplicant commit [1]:

macsec: Make pre-shared CKN variable length

IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for
CKN:

"MKA places no restriction on the format of the CKN, save that it
comprise an integral number of octets, between 1 and 32
(inclusive), and that all potential members of the CA use the same
CKN. No further constraints are placed on the CKNs used with PSKs,
..."

Hence do not require a 32 octet long CKN but instead allow a
shorter CKN to be configured.

This fixes interoperability with some Aruba switches, that do not
accept a 32 octet long CKN (only support shorter ones).

[1] https://w1.fi/cgit/hostap/commit/?id=b678ed1efc50e8da4638d962f8eac13312a4048f
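The length rule quoted above, as an added example (not code from NetworkManager or wpa_supplicant). It assumes the CKN is configured as a hex string, two characters per octet, as the 64-character and 32-octet figures imply; `ckn_parse`, `hex_nibble` and the `strict_len` switch that reproduces the old fixed-length check are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CKN_MAX_OCTETS 32 /* upper bound quoted from IEEE Std 802.1X-2010, 9.3.1 */

/* Hypothetical helper: value of one hex digit, or -1 if it is not one. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Hypothetical helper: parse a hex-encoded CKN into octets.
 * Returns the CKN length in octets (1..32), or -1 if the input is invalid.
 * strict_len != 0 applies the old rule (exactly 64 hex characters).
 */
int ckn_parse(const char *hex, int strict_len, uint8_t out[CKN_MAX_OCTETS])
{
    size_t n, i;

    if (!hex)
        return -1;
    n = strlen(hex);
    /* Integral number of octets: non-empty, even length, at most 64 chars. */
    if (n == 0 || n % 2 != 0 || n > 2 * CKN_MAX_OCTETS)
        return -1;
    if (strict_len && n != 2 * CKN_MAX_OCTETS)
        return -1;
    for (i = 0; i < n; i += 2) {
        int hi = hex_nibble(hex[i]);
        int lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

int main(void)
{
    uint8_t ckn[CKN_MAX_OCTETS];
    /* Constructed sample: a 4-octet CKN, which the old rule rejects. */
    return ckn_parse("cafe0001", 0, ckn) == 4 ? 0 : 1;
}
```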
