summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavide Caratti <dcaratti@redhat.com>2016-07-22 15:07:58 +0200
committerDavid S. Miller <davem@davemloft.net>2016-07-25 10:55:39 -0700
commitf04c392d2dd97a985878f4380a1b054791301acf (patch)
treecbf6e16e690b6486b9a642a2614846f08da2368e
parent34aedfee22967236adc3d9147c8b47b7f5bad26c (diff)
downloadlinux-f04c392d2dd97a985878f4380a1b054791301acf.tar.gz
linux-f04c392d2dd97a985878f4380a1b054791301acf.tar.bz2
linux-f04c392d2dd97a985878f4380a1b054791301acf.zip
macsec: validate ICV length on link creation
Test the cipher suite initialization in case ICV length has a value different than its default. If this test fails, creation of a new macsec link will also fail. This avoids situations where further security associations can't be added due to failures of crypto_aead_setauthsize(), caused by unsupported user-provided values of the ICV length. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/macsec.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 0045108d7159..d8b2b49d6d5f 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -3224,8 +3224,20 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[])
if (data[IFLA_MACSEC_CIPHER_SUITE])
csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
- if (data[IFLA_MACSEC_ICV_LEN])
+ if (data[IFLA_MACSEC_ICV_LEN]) {
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+ if (icv_len != DEFAULT_ICV_LEN) {
+ char dummy_key[DEFAULT_SAK_LEN] = { 0 };
+ struct crypto_aead *dummy_tfm;
+
+ dummy_tfm = macsec_alloc_tfm(dummy_key,
+ DEFAULT_SAK_LEN,
+ icv_len);
+ if (IS_ERR(dummy_tfm))
+ return PTR_ERR(dummy_tfm);
+ crypto_free_aead(dummy_tfm);
+ }
+ }
switch (csid) {
case MACSEC_DEFAULT_CIPHER_ID: