macsec: validate ICV length on link creation
authorDavide Caratti <dcaratti@redhat.com>
Fri, 22 Jul 2016 13:07:58 +0000 (15:07 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 25 Jul 2016 17:55:39 +0000 (10:55 -0700)
Test the cipher suite initialization in case ICV length has a value
different than its default. If this test fails, creation of a new macsec
link will also fail. This avoids situations where further security
associations can't be added due to failures of crypto_aead_setauthsize(),
caused by unsupported user-provided values of the ICV length.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/macsec.c

index 0045108d7159f9731cd1ea0bf4d604ea4b2e13ec..d8b2b49d6d5fc57239d0b76a0e96e6be9c6dd464 100644 (file)
@@ -3224,8 +3224,20 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[])
        if (data[IFLA_MACSEC_CIPHER_SUITE])
                csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
 
-       if (data[IFLA_MACSEC_ICV_LEN])
+       if (data[IFLA_MACSEC_ICV_LEN]) {
                icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+               if (icv_len != DEFAULT_ICV_LEN) {
+                       char dummy_key[DEFAULT_SAK_LEN] = { 0 };
+                       struct crypto_aead *dummy_tfm;
+
+                       dummy_tfm = macsec_alloc_tfm(dummy_key,
+                                                    DEFAULT_SAK_LEN,
+                                                    icv_len);
+                       if (IS_ERR(dummy_tfm))
+                               return PTR_ERR(dummy_tfm);
+                       crypto_free_aead(dummy_tfm);
+               }
+       }
 
        switch (csid) {
        case MACSEC_DEFAULT_CIPHER_ID: