diff options
author | Davide Caratti <dcaratti@redhat.com> | 2016-07-22 15:07:58 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-07-25 10:55:39 -0700 |
commit | f04c392d2dd97a985878f4380a1b054791301acf (patch) | |
tree | cbf6e16e690b6486b9a642a2614846f08da2368e /drivers/net/macsec.c | |
parent | 34aedfee22967236adc3d9147c8b47b7f5bad26c (diff) | |
download | linux-f04c392d2dd97a985878f4380a1b054791301acf.tar.gz linux-f04c392d2dd97a985878f4380a1b054791301acf.tar.bz2 linux-f04c392d2dd97a985878f4380a1b054791301acf.zip |
macsec: validate ICV length on link creation
Test the cipher suite initialization in case ICV length has a value
different than its default. If this test fails, creation of a new macsec
link will also fail. This avoids situations where further security
associations can't be added due to failures of crypto_aead_setauthsize(),
caused by unsupported user-provided values of the ICV length.
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/macsec.c')
-rw-r--r-- | drivers/net/macsec.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 0045108d7159..d8b2b49d6d5f 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -3224,8 +3224,20 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[]) if (data[IFLA_MACSEC_CIPHER_SUITE]) csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]); - if (data[IFLA_MACSEC_ICV_LEN]) + if (data[IFLA_MACSEC_ICV_LEN]) { icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); + if (icv_len != DEFAULT_ICV_LEN) { + char dummy_key[DEFAULT_SAK_LEN] = { 0 }; + struct crypto_aead *dummy_tfm; + + dummy_tfm = macsec_alloc_tfm(dummy_key, + DEFAULT_SAK_LEN, + icv_len); + if (IS_ERR(dummy_tfm)) + return PTR_ERR(dummy_tfm); + crypto_free_aead(dummy_tfm); + } + } switch (csid) { case MACSEC_DEFAULT_CIPHER_ID: |