[PATCH net-next 00/12] macsec: replace custom netlink attribute checks with policy-level checks

[Sabrina Dubroca <sd@queasysnail.net>]

We can simplify attribute validation a lot by describing the accepted
ranges more precisely in the policies, using NLA_POLICY_MAX etc.

Some of the checks still need to be done later on, because the
attribute length and acceptable range can vary based on values that
can't be known when the policy is validated (cipher suite determines
the key length and valid ICV length, presence of XPN changes the PN
length, detection of duplicate SCIs or ANs, etc).

As a bonus, we get a few extack messages from the policy
validation. I'll add extack to the rest of the checks (mostly in the
genl commands) in an future series.

Sabrina Dubroca (12):
  macsec: replace custom checks on MACSEC_SA_ATTR_AN with NLA_POLICY_MAX
  macsec: replace custom checks on MACSEC_*_ATTR_ACTIVE with
    NLA_POLICY_MAX
  macsec: replace custom checks on MACSEC_SA_ATTR_SALT with
    NLA_POLICY_EXACT_LEN
  macsec: replace custom checks on MACSEC_SA_ATTR_KEYID with
    NLA_POLICY_EXACT_LEN
  macsec: use NLA_POLICY_VALIDATE_FN to validate MACSEC_SA_ATTR_PN
  macsec: add NLA_POLICY_MAX for MACSEC_OFFLOAD_ATTR_TYPE and
    IFLA_MACSEC_OFFLOAD
  macsec: replace custom checks on IFLA_MACSEC_ICV_LEN with
    NLA_POLICY_RANGE
  macsec: use NLA_POLICY_VALIDATE_FN to validate
    IFLA_MACSEC_CIPHER_SUITE
  macsec: validate IFLA_MACSEC_VALIDATION with NLA_POLICY_MAX
  macsec: replace custom checks for IFLA_MACSEC_* flags with
    NLA_POLICY_MAX
  macsec: replace custom check on IFLA_MACSEC_ENCODING_SA with
    NLA_POLICY_MAX
  macsec: remove validate_add_rxsc

 drivers/net/macsec.c | 178 ++++++++++++-------------------------------
 1 file changed, 50 insertions(+), 128 deletions(-)

-- 
2.37.3