commit f04c392d2dd97a985878f4380a1b054791301acf
author Davide Caratti <dcaratti@redhat.com> Fri Jul 22 15:07:58 2016 +0200
committer David S. Miller <davem@davemloft.net> Mon Jul 25 10:55:39 2016 -0700
tree cbf6e16e690b6486b9a642a2614846f08da2368e
parent 34aedfee22967236adc3d9147c8b47b7f5bad26c

macsec: validate ICV length on link creation

Test the cipher suite initialization in case ICV length has a value
different than its default. If this test fails, creation of a new macsec
link will also fail. This avoids situations where further security
associations can't be added due to failures of crypto_aead_setauthsize(),
caused by unsupported user-provided values of the ICV length.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/macsec.c

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 0045108..d8b2b49 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -3224,8 +3224,20 @@
 	if (data[IFLA_MACSEC_CIPHER_SUITE])
 		csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
 
-	if (data[IFLA_MACSEC_ICV_LEN])
+	if (data[IFLA_MACSEC_ICV_LEN]) {
 		icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+		if (icv_len != DEFAULT_ICV_LEN) {
+			char dummy_key[DEFAULT_SAK_LEN] = { 0 };
+			struct crypto_aead *dummy_tfm;
+
+			dummy_tfm = macsec_alloc_tfm(dummy_key,
+						     DEFAULT_SAK_LEN,
+						     icv_len);
+			if (IS_ERR(dummy_tfm))
+				return PTR_ERR(dummy_tfm);
+			crypto_free_aead(dummy_tfm);
+		}
+	}
 
 	switch (csid) {
 	case MACSEC_DEFAULT_CIPHER_ID: