From: Davide Caratti <dcaratti@redhat.com>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Sabrina Dubroca <sd@queasysnail.net>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
Subject: [PATCH net 3/3] macsec: validate ICV length on link creation
Date: Fri, 22 Jul 2016 15:07:58 +0200 [thread overview]
Message-ID: <2a7e1975d5613d733f7aa0f09584b2bbf9eb8a0c.1469191850.git.dcaratti@redhat.com> (raw)
In-Reply-To: <cover.1469191850.git.dcaratti@redhat.com>
Test the cipher suite initialization in case ICV length has a value
different than its default. If this test fails, creation of a new macsec
link will also fail. This avoids situations where further security
associations can't be added due to failures of crypto_aead_setauthsize(),
caused by unsupported user-provided values of the ICV length.
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
drivers/net/macsec.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 6d45ba6..5441517 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -3206,8 +3206,20 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[])
if (data[IFLA_MACSEC_CIPHER_SUITE])
csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
- if (data[IFLA_MACSEC_ICV_LEN])
+ if (data[IFLA_MACSEC_ICV_LEN]) {
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+ if (icv_len != DEFAULT_ICV_LEN) {
+ char dummy_key[DEFAULT_SAK_LEN] = { 0 };
+ struct crypto_aead *dummy_tfm;
+
+ dummy_tfm = macsec_alloc_tfm(dummy_key,
+ DEFAULT_SAK_LEN,
+ icv_len);
+ if (IS_ERR(dummy_tfm))
+ return PTR_ERR(dummy_tfm);
+ crypto_free_aead(dummy_tfm);
+ }
+ }
switch (csid) {
case MACSEC_DEFAULT_CIPHER_ID:
--
2.5.5
next prev parent reply other threads:[~2016-07-22 13:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-22 13:07 [PATCH net 0/3] macsec: fix configurable ICV length Davide Caratti
2016-07-22 13:07 ` [PATCH net 1/3] macsec: limit ICV length to 16 octets Davide Caratti
2016-07-22 13:07 ` [PATCH net 2/3] macsec: fix error codes when a SA is created Davide Caratti
2016-07-22 13:07 ` Davide Caratti [this message]
2016-07-25 10:09 ` [PATCH net 0/3] macsec: fix configurable ICV length Sabrina Dubroca
2016-07-25 17:55 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2a7e1975d5613d733f7aa0f09584b2bbf9eb8a0c.1469191850.git.dcaratti@redhat.com \
--to=dcaratti@redhat.com \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).