Date:      Sat, 2 May 2020 01:00:29 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r360560 - head/sys/netipsec
Message-ID:  <202005020100.04210Tgm026239@repo.freebsd.org>

Author: jhb
Date: Sat May  2 01:00:29 2020
New Revision: 360560
URL: https://svnweb.freebsd.org/changeset/base/360560

Log:
  Don't pass bogus keys down for NULL algorithms.
  
  The changes in r359374 added various sanity checks in sessions and
  requests created by crypto consumers in part to permit backend drivers
  to make assumptions instead of duplicating checks for various edge
  cases.  One of the new checks was to reject sessions which provide a
  pointer to a key while claiming the key is zero bits long.
  
  IPsec ESP tripped over this as it passes along whatever key is
  provided for NULL, including a pointer to a zero-length key when an
  empty string ("") is used with setkey(8).  One option would be to
  teach the IPsec key layer to not allocate keys of zero length, but I
  went with a simpler fix of just not passing any keys down and always
  using a key length of zero for NULL algorithms.
  
  PR:		245832
  Reported by:	CI

Modified:
  head/sys/netipsec/xform_ah.c
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_ah.c
==============================================================================
--- head/sys/netipsec/xform_ah.c	Sat May  2 00:10:25 2020	(r360559)
+++ head/sys/netipsec/xform_ah.c	Sat May  2 01:00:29 2020	(r360560)
@@ -215,8 +215,10 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp,
 
 	/* Initialize crypto session. */
 	csp->csp_auth_alg = sav->tdb_authalgxform->type;
-	csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
-	csp->csp_auth_key = sav->key_auth->key_data;
+	if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
+		csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
+		csp->csp_auth_key = sav->key_auth->key_data;
+	};
 	csp->csp_auth_mlen = AUTHSIZE(sav);
 
 	return 0;
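
Review bot: On the NULL path of the new `if (csp->csp_auth_alg != CRYPTO_NULL_HMAC)` guard, `csp_auth_klen` and `csp_auth_key` are never assigned, so the "key length of zero" promised in the log only holds if the caller hands `ah_init0()` a zeroed `csp`, which these lines do not show. Either add a one-line comment stating that the caller zeroes the structure, or set both fields explicitly in an `else` branch so the invariant is visible where the session sanity checks will depend on it. Separately, the block closes with `};`; the trailing semicolon is an empty statement and should be dropped so the line reads `}`.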

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c	Sat May  2 00:10:25 2020	(r360559)
+++ head/sys/netipsec/xform_esp.c	Sat May  2 01:00:29 2020	(r360560)
@@ -220,9 +220,11 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 
 	/* Initialize crypto session. */
 	csp.csp_cipher_alg = sav->tdb_encalgxform->type;
-	csp.csp_cipher_key = sav->key_enc->key_data;
-	csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
-	    SAV_ISCTRORGCM(sav) * 4;
+	if (csp.csp_cipher_alg != CRYPTO_NULL_CBC) {
+		csp.csp_cipher_key = sav->key_enc->key_data;
+		csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
+		    SAV_ISCTRORGCM(sav) * 4;
+	};
 	csp.csp_ivlen = txform->ivsize;
 
 	error = crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
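
Review bot: The guard `if (csp.csp_cipher_alg != CRYPTO_NULL_CBC)` has no comment explaining why the NULL cipher skips the key, and the reason (a key pointer with a zero-bit length is rejected at session creation) lives only in the commit log. A short comment above the `if` would keep someone from "simplifying" it back to the unconditional assignments. As in the AH hunk, the skipped path leaves `csp_cipher_key` and `csp_cipher_klen` at whatever `csp` was initialized to before this point, which is outside the visible context, so it is worth confirming the structure is zeroed before `crypto_newsession()` is called. The closing `};` also has a stray semicolon; use `}`.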


