Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f04c392d authored by Davide Caratti's avatar Davide Caratti Committed by David S. Miller
Browse files

macsec: validate ICV length on link creation 



Test the cipher suite initialization in case ICV length has a value
different than its default. If this test fails, creation of a new macsec
link will also fail. This avoids situations where further security
associations can't be added due to failures of crypto_aead_setauthsize(),
caused by unsupported user-provided values of the ICV length.

Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 34aedfee

drivers/net/macsec.c

+13 −1
Original line number Original line Diff line number Diff line
@@ -3224,8 +3224,20 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[]) 
	if (data[IFLA_MACSEC_CIPHER_SUITE])

	if (data[IFLA_MACSEC_CIPHER_SUITE])

		csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);

		csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);





	if (data[IFLA_MACSEC_ICV_LEN])

	if (data[IFLA_MACSEC_ICV_LEN]) {

		icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);

		icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);

		if (icv_len != DEFAULT_ICV_LEN) {

			char dummy_key[DEFAULT_SAK_LEN] = { 0 };

			struct crypto_aead *dummy_tfm;



			dummy_tfm = macsec_alloc_tfm(dummy_key,

						     DEFAULT_SAK_LEN,

						     icv_len);

			if (IS_ERR(dummy_tfm))

				return PTR_ERR(dummy_tfm);

			crypto_free_aead(dummy_tfm);

		}

	}





	switch (csid) {

	switch (csid) {

	case MACSEC_DEFAULT_CIPHER_ID:

	case MACSEC_DEFAULT_CIPHER_ID: