[PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
@ 2008-05-21 16:55 Martin Willi
  2008-05-21 20:37 ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Martin Willi @ 2008-05-21 16:55 UTC (permalink / raw)
  To: herbert; +Cc: linux-kernel

Installing NULL encryption IPSec SAs works using the .compat name
"cipher_null", but fails with the .name "ecp(cipher_null)" due the
missing check in key length verification. 

Signed-off-by: Martin Willi <martin@strongswan.org>

--- a/net/xfrm/xfrm_user.c 2008-05-21 11:34:56.000000000 -0500
+++ b/net/xfrm/xfrm_user.c 2008-05-21 11:20:08.000000000 -0500
@@ -57,6 +57,7 @@
 
        case XFRMA_ALG_CRYPT:
                if (!algp->alg_key_len &&
+                   strcmp(algp->alg_name, "ecb(cipher_null)") != 0 &&
                    strcmp(algp->alg_name, "cipher_null") != 0)
                        return -EINVAL;
                break;




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
  2008-05-21 16:55 [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails Martin Willi
@ 2008-05-21 20:37 ` David Miller
  2008-05-21 23:59   ` Herbert Xu
  0 siblings, 1 reply; 6+ messages in thread
From: David Miller @ 2008-05-21 20:37 UTC (permalink / raw)
  To: martin; +Cc: herbert, linux-kernel

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: Text/Plain; charset=utf-8, Size: 531 bytes --]

From: Martin Willi <martin@strongswan.org>
Date: Wed, 21 May 2008 11:55:06 -0500

> ï»¿Installing NULL encryption IPSec SAs works using the .compat name
> "cipher_null", but fails with the .name "ecp(cipher_null)" due the
> missing check in key length verification. 
> ï»¿
> Signed-off-by: Martin Willi <martin@strongswan.org>

Herbert does this look Ok to you?

Thanks.
ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éÝ¶\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dÊ‡Ú™ë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
  2008-05-21 20:37 ` David Miller
@ 2008-05-21 23:59   ` Herbert Xu
  2008-05-22  0:23     ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Herbert Xu @ 2008-05-21 23:59 UTC (permalink / raw)
  To: David Miller; +Cc: martin, linux-kernel

On Wed, May 21, 2008 at 01:37:56PM -0700, David Miller wrote:
> From: Martin Willi <martin@strongswan.org>
> Date: Wed, 21 May 2008 11:55:06 -0500
> 
> > Installing NULL encryption IPSec SAs works using the .compat name
> > "cipher_null", but fails with the .name "ecp(cipher_null)" due the
> > missing check in key length verification. 
> > 
> > Signed-off-by: Martin Willi <martin@strongswan.org>
> 
> Herbert does this look Ok to you?

I think we should get rid of the zero check altogether as a
zero-length key will fail on setkey of a real algorithm anyway
because of the min_keysize/max_keysize checks in the crypto API.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
  2008-05-21 23:59   ` Herbert Xu
@ 2008-05-22  0:23     ` David Miller
  2008-05-22  0:30       ` Herbert Xu
  0 siblings, 1 reply; 6+ messages in thread
From: David Miller @ 2008-05-22  0:23 UTC (permalink / raw)
  To: herbert; +Cc: martin, linux-kernel

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 22 May 2008 07:59:22 +0800

> I think we should get rid of the zero check altogether as a
> zero-length key will fail on setkey of a real algorithm anyway
> because of the min_keysize/max_keysize checks in the crypto API.

Ok, how does this look?

xfrm_user: Remove zero length key checks.

The crypto layer will determine whether that is valid
or not.

Suggested by Herbert Xu, based upon a report and patch
by Martin Willi.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a1b0fbe..b976d9e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -50,19 +50,8 @@ static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
 
 	switch (type) {
 	case XFRMA_ALG_AUTH:
-		if (!algp->alg_key_len &&
-		    strcmp(algp->alg_name, "digest_null") != 0)
-			return -EINVAL;
-		break;
-
 	case XFRMA_ALG_CRYPT:
-		if (!algp->alg_key_len &&
-		    strcmp(algp->alg_name, "cipher_null") != 0)
-			return -EINVAL;
-		break;
-
 	case XFRMA_ALG_COMP:
-		/* Zero length keys are legal.  */
 		break;
 
 	default:

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
  2008-05-22  0:23     ` David Miller
@ 2008-05-22  0:30       ` Herbert Xu
  2008-05-22  0:36         ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Herbert Xu @ 2008-05-22  0:30 UTC (permalink / raw)
  To: David Miller; +Cc: martin, linux-kernel

On Wed, May 21, 2008 at 05:23:41PM -0700, David Miller wrote:
>
> Signed-off-by: David S. Miller <davem@davemloft.net>

Looks good to me!

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails
  2008-05-22  0:30       ` Herbert Xu
@ 2008-05-22  0:36         ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2008-05-22  0:36 UTC (permalink / raw)
  To: herbert; +Cc: martin, linux-kernel

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 22 May 2008 08:30:31 +0800

> On Wed, May 21, 2008 at 05:23:41PM -0700, David Miller wrote:
> >
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> Looks good to me!
> 
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks for reviewing.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2008-05-22  0:37 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-21 16:55 [PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails Martin Willi
2008-05-21 20:37 ` David Miller
2008-05-21 23:59   ` Herbert Xu
2008-05-22  0:23     ` David Miller
2008-05-22  0:30       ` Herbert Xu
2008-05-22  0:36         ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.